diff --git a/scripts/base/init-bare.zeek b/scripts/base/init-bare.zeek
index 7257c2a16e..34795cc2da 100644
--- a/scripts/base/init-bare.zeek
+++ b/scripts/base/init-bare.zeek
@@ -5367,6 +5367,28 @@ export {
 	option sampling_duration = 10min;
 }
 
+module UnknownProtocol;
+export {
+	## How many reports for an analyzer/protocol pair will be allowed to
+	## raise events before becoming rate-limited.
+	const sampling_threshold : count = 3 &redef;
+
+	## The rate-limiting sampling rate. One out of every of this number of
+	## rate-limited pairs of a given type will be allowed to raise events
+	## for further script-layer handling. Setting the sampling rate to 0
+	## will disable all output of rate-limited pairs.
+	const sampling_rate : count = 100000 &redef;
+
+	## How long an analyzer/protocol pair is allowed to keep state/counters in
+	## in memory. Once the threshold has been hit, this is the amount of time
+	## before the rate-limiting for a pair expires and is reset.
+	const sampling_duration = 1hr &redef;
+
+	## The number of bytes to extract from the next header and log in the
+	## first bytes field.
+	const first_bytes_count = 10 &redef;
+}
+
 module BinPAC;
 export {
 	## Maximum capacity, in bytes, that the BinPAC flowbuffer is allowed to
diff --git a/scripts/policy/misc/unknown-protocols.zeek b/scripts/policy/misc/unknown-protocols.zeek
index 000fc02107..df510d9846 100644
--- a/scripts/policy/misc/unknown-protocols.zeek
+++ b/scripts/policy/misc/unknown-protocols.zeek
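Review bot: The doc comment on `sampling_duration` carries a duplicated word across its first two lines, `keep state/counters in` followed by `in memory`, moved verbatim from unknown-protocols.zeek; since these comments now feed the generated init-bare documentation, the relocation is the moment to fix it: `## How long an analyzer/protocol pair is allowed to keep state/counters in` / `## memory. Once the threshold has been hit, this is the amount of time`. The `sampling_rate` comment has the same kind of slip in `One out of every of this number of`, which reads better as `One out of every N`. Separately, `sampling_duration` and `first_bytes_count` omit the explicit type that `sampling_threshold` and `sampling_rate` declare; `const sampling_duration : interval = 1hr &redef;` and `const first_bytes_count : count = 10 &redef;` keep the four knobs consistent and make the expected type visible to anyone redef'ing them, which matters for `first_bytes_count` because the C++ side reads it back with `AsCount()`.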
@@ -26,25 +26,6 @@ export {
 	## header.
 	first_bytes: string &log;
 	};
-
-	## How many reports for an analyzer/protocol pair will be allowed to
-	## raise events before becoming rate-limited.
-	const sampling_threshold : count = 3 &redef;
-
-	## The rate-limiting sampling rate. One out of every of this number of
-	## rate-limited pairs of a given type will be allowed to raise events
-	## for further script-layer handling. Setting the sampling rate to 0
-	## will disable all output of rate-limited pairs.
-	const sampling_rate : count = 100000 &redef;
-
-	## How long an analyzer/protocol pair is allowed to keep state/counters in
-	## in memory. Once the threshold has been hit, this is the amount of time
-	## before the rate-limiting for a pair expires and is reset.
-	const sampling_duration = 1hr &redef;
-
-	## The number of bytes to extract from the next header and log in the
-	## first bytes field.
-	const first_bytes_count = 10 &redef;
 }
 
 event unknown_protocol(analyzer_name: string, protocol: count, first_bytes: string)
diff --git a/src/packet_analysis/Manager.cc b/src/packet_analysis/Manager.cc
index b95c60a972..a6ea761331 100644
--- a/src/packet_analysis/Manager.cc
+++ b/src/packet_analysis/Manager.cc
@@ -44,13 +44,10 @@ void Manager::InitPostScript()
 	                      detail::pkt_profile_freq, pkt_profile_file->AsFile());
 
-	if ( unknown_protocol )
-		{
-		unknown_sampling_rate = id::find_val("UnknownProtocol::sampling_rate")->AsCount();
-		unknown_sampling_threshold = id::find_val("UnknownProtocol::sampling_threshold")->AsCount();
-		unknown_sampling_duration = id::find_val("UnknownProtocol::sampling_duration")->AsInterval();
-		unknown_first_bytes_count = id::find_val("UnknownProtocol::first_bytes_count")->AsCount();
-		}
+	unknown_sampling_rate = id::find_val("UnknownProtocol::sampling_rate")->AsCount();
+	unknown_sampling_threshold = id::find_val("UnknownProtocol::sampling_threshold")->AsCount();
+	unknown_sampling_duration = id::find_val("UnknownProtocol::sampling_duration")->AsInterval();
+	unknown_first_bytes_count = id::find_val("UnknownProtocol::first_bytes_count")->AsCount();
 	}
 
 void Manager::Done()
diff --git a/testing/btest/Baseline/core.unknown-protocol-event/out b/testing/btest/Baseline/core.unknown-protocol-event/out
new file mode 100644
index 0000000000..0cdfa29213
--- /dev/null
+++ b/testing/btest/Baseline/core.unknown-protocol-event/out
@@ -0,0 +1,2 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+ETHERNET, 35020, 02070400222d81db1004
diff --git a/testing/btest/Traces/lldp.pcap b/testing/btest/Traces/lldp.pcap
new file mode 100644
index 0000000000..b74c247ebb
Binary files /dev/null and b/testing/btest/Traces/lldp.pcap differ
diff --git a/testing/btest/core/unknown-protocol-event.zeek b/testing/btest/core/unknown-protocol-event.zeek
new file mode 100644
index 0000000000..c043217da4
--- /dev/null
+++ b/testing/btest/core/unknown-protocol-event.zeek
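Review bot: The four `id::find_val(...)` lookups now run unconditionally and their results are dereferenced with no null check, yet nothing in the hunk records why a failed lookup is impossible here; the removed `if ( unknown_protocol )` guard was the only thing that previously tied these reads to a script that declared the identifiers. The change is sound only because the same commit moves the `UnknownProtocol::*` constants into init-bare.zeek, so that dependency deserves a comment above the first assignment: `// Declared in init-bare.zeek, so these identifiers exist even when no unknown_protocol handler or policy script is loaded.` A reader who later moves the constants back into a policy script would otherwise have no warning that this block breaks at startup. The body of `InitPostScript` begins outside the hunk.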
@@ -0,0 +1,6 @@
+# @TEST-EXEC: zeek -b -r $TRACES/lldp.pcap %INPUT >out
+# @TEST-EXEC: btest-diff out
+
+event unknown_protocol(analyzer_name: string, protocol: count, first_bytes: string)
+	{ print analyzer_name, protocol, bytestring_to_hexstr(first_bytes); }
+
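Review bot: The test pins only the default configuration; none of the `UnknownProtocol::*` knobs this commit relocates is exercised, so a regression in which the manager stopped reading the init-bare values would still pass. Adding a variant with `redef UnknownProtocol::first_bytes_count = 4;` and a baseline expecting an 8-character hex string in place of the 20 characters in `core.unknown-protocol-event/out` would confirm under `-b` that the C++ side picks up the redef'd value. Whether the trace has enough packets to also cover `sampling_threshold` is not visible from the hunk; if it does, a run with a lowered threshold would pin the rate-limiting path too. Printing `protocol` in hex rather than as 35020 would make the baseline readable as an EtherType, though that is only a style preference.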