Merge remote-tracking branch 'origin/master' into topic/johanna/config-cluster

CHANGES

@@ -1,4 +1,139 @@
 
+2.5-679 | 2018-06-21 16:00:48 -0500
+
+  * Add support for bitwise operations (&, |, ^, ~) on "count" values.
+    (Vern Paxson)
+
+2.5-671 | 2018-06-21 11:55:39 -0500
+
+  * Add ability for BroControl to skip cluster setup (Corelight)
+
+  * BIT-1938: fix crash in Broker manager shutdown (Corelight)
+
+  * Disable broxygen when running unit tests (Daniel Thayer)
+
+2.5-668 | 2018-06-15 17:14:33 -0500
+
+  * Make old comm. system usages an error unless old_comm_usage_is_ok is set
+    (Corelight)
+
+2.5-667 | 2018-06-15 15:30:11 -0500
+
+  * Add --disable-broker-tests configure option (Corelight)
+
+2.5-663 | 2018-06-14 12:51:28 -0500
+
+  * Add Broker::max_threads and Broker::max_sleep tuning options,
+    remove Broker::max_live_threads and Broker::max_pcap threads (Corelight)
+
+  * Minor optimization to bro_broker::Manager::FlushPendingQueries (Corelight)
+
+2.5-660 | 2018-06-12 13:49:39 -0500
+
+  * Add Broker::max_live_threads and Broker::max_pcap_threads tunables
+    (Corelight)
+
+2.5-658 | 2018-06-08 16:41:07 +0000
+
+  * Allow BRO_DEFAULT_LISTEN_ADDRESS to control broker listen address.
+    This environment variable is now set to listen only on IPv4
+    loopback when running unit tests (instead of using the default
+    INADDR_ANY). (Corelight)
+
+  * Move some of the @loads out from init-bare.bro into a new
+    init-frameworks-and-bifs.bro in order to better support calling BIFs
+    (like `getenv`) from variable initializations in those particular
+    frameworks. (Corelight)
+
+2.5-655 | 2018-06-08 10:43:03 -0500
+
+  * Correct conn history field documentation (Corelight)
+
+2.5-652 | 2018-06-07 13:57:23 -0500
+
+  * GH-131: disable krb ticket decryption on non-Linux (Corelight)
+
+2.5-651 | 2018-06-07 09:57:29 -0500
+
+  * Fix signed/unsigned comparison compiler warning (Corelight)
+
+2.5-650 | 2018-06-06 16:20:18 -0500
+
+  * Improve Broker performance (Corelight)
+
+2.5-648 | 2018-06-05 17:32:47 -0500
+
+  * BIT-1936: improve Broxygen warnings (Corelight)
+
+2.5-647 | 2018-06-05 15:19:16 -0500
+
+  * Update `make doc`: don't copy broker docs (Corelight)
+
+2.5-646 | 2018-06-05 11:31:43 -0500
+
+  * Add NCP::max_frame_size tuning option (Corelight)
+
+  * Migrate NCP analyzer to use latest analyzer API (Corelight)
+
+  * Fix read at invalid address in X509 extension parser (Johanna Amann)
+
+2.5-642 | 2018-06-04 13:52:46 -0500
+
+  * Make 0 be a valid packet source timestamp (Corelight)
+
+2.5-641 | 2018-06-04 09:18:59 -0700
+
+  * Add Broker::publish_and_relay BIF
+
+    Like Broker::relay, except the relaying-node also calls event handlers. (Corelight)
+
+  * Document variable argument list BIFs using ellipsis. (Corelight).
+
+  * Support unserializing broker data into type 'any'
+
+    The receiver side will wrap the data as a Broker::Data value, which
+    can then be type-checked/cast via 'is' or 'as' operators to a specific
+    Bro type. For example:
+
+    Sender:
+
+        Broker::publish("topic", my_event, "hello")
+
+    Receiver:
+
+        event my_event(arg: any)
+            {
+            if ( arg is string )
+                print arg as string;
+            }
+
+     (Corelight)
+
+  * Fix a bug in broker data type-casting check (Corelight)
+
+  * Remove dead code in broker data/val conversion function (Corelight)
+
+  * SSH protocol now assesses the packet length at an earlier stage within binpac
+    (Andrew Woodford).
+
+  * Remove some UTF-8 characters that snuck into a few scripts. (Corelight)
+
+  * Decrypt the krb ticket and extract authentication data. (Julien Wallior)
+
+2.5-619 | 2018-06-01 11:29:15 -0500
+
+  * Relocate temporary script coverage files (Corelight)
+
+2.5-618 | 2018-06-01 10:03:24 -0500
+
+  * BIT-1635: fix `make doc` warnings (Corelight)
+
+  * Add smb2_file_sattr event (Devin Trejo)
+
+  * Add bad ARP tests (Pierre LATET)
+
+  * Fix SCT validation when invalid certificates are in chain. (Johanna Amann)
+
 2.5-611 | 2018-05-29 10:13:17 -0500
 
   * Fix NEWS file formatting (Corelight)

CMakeLists.txt

@@ -143,6 +143,15 @@ if (LIBGEOIP_FOUND)
     list(APPEND OPTLIBS ${LibGeoIP_LIBRARY})
 endif ()
 
+set(USE_KRB5 false)
+if ( ${CMAKE_SYSTEM_NAME} MATCHES Linux )
+  find_package(LibKrb5)
+  if (LibKrb5_FOUND)
+     set(USE_KRB5 true)
+     list(APPEND OPTLIBS ${LibKrb5_LIBRARY})
+  endif ()
+endif ()
+
 set(HAVE_PERFTOOLS false)
 set(USE_PERFTOOLS_DEBUG false)
 set(USE_PERFTOOLS_TCMALLOC false)
@@ -294,6 +303,7 @@ message(
     "\nAux. Tools:        ${INSTALL_AUX_TOOLS}"
     "\n"
     "\nGeoIP:             ${USE_GEOIP}"
+    "\nKerberos:          ${USE_KRB5}"
     "\ngperftools found:  ${HAVE_PERFTOOLS}"
     "\n        tcmalloc:  ${USE_PERFTOOLS_TCMALLOC}"
     "\n       debugging:  ${USE_PERFTOOLS_DEBUG}"

NEWS

@@ -242,6 +242,13 @@ New Functionality
 - Added new SMB events: smb1_transaction_secondary_request,
   smb1_transaction2_secondary_request, smb1_transaction_response
 
+- Bro can now decrypt Kerberos tickets, and retrieve the authentication from
+  them, given a suitable keytab file.
+
+- Added support for bitwise operations on "count" values.  '&', '|' and
+  '^' are binary "and", "or" and "xor" operators, and '~' is a unary
+  ones-complement operator.
+
 Changed Functionality
 ---------------------
 

VERSION

@@ -1 +1 @@
-2.5-611
+2.5-679

aux/binpac

@@ -1 +1 @@
-Subproject commit 0b2ef114fdac4c135d357693d7e74a441dee8db3
+Subproject commit 951aeae8e4a08c598203cf61387f015ec4e0849d

aux/bro-aux

@@ -1 +1 @@
-Subproject commit ad99dc534f2574a47a808d677fc76098f42a1b54
+Subproject commit eeb677ff696f8ea3eaa43a765fe40da07ed5281d

aux/broccoli

@@ -1 +1 @@
-Subproject commit 701a539f295f138bb1c44953310e083a4210fe1b
+Subproject commit d9041cc95d2232dbbcf36647f34537da22e360ff

aux/broctl

@@ -1 +1 @@
-Subproject commit 7e68ad436e122fa95c87b6caca0e2e7b20dd5b97
+Subproject commit c5dd2ba83dda185d2008731a5cd25b2b8131ac78

aux/broker

@@ -1 +1 @@
-Subproject commit 7b84848bded443637fa34e76f7d8558bd1cafbee
+Subproject commit 08f41ccc2497f4c6567da0b95488593c39a12a01

bro-config.h.in

@@ -108,6 +108,9 @@
 /* GeoIP geographic lookup functionality */
 #cmakedefine USE_GEOIP
 
+/* Define if KRB5 is available */
+#cmakedefine USE_KRB5
+
 /* Whether the found GeoIP API supports IPv6 Country Edition */
 #cmakedefine HAVE_GEOIP_COUNTRY_EDITION_V6
 

cmake

@@ -1 +1 @@
-Subproject commit 5080aef1aeeea5bc6b0d8c481ef42f5be2b391a9
+Subproject commit 1600554d1d907f4f252f19cf1f55e13d368a936f

configure

@@ -55,6 +55,7 @@ Usage: $0 [OPTION]... [VAR=VALUE]...
     --disable-auxtools     don't build or install auxiliary tools
     --disable-perftools    don't try to build with Google Perftools
     --disable-python       don't try to build python bindings for broker
+    --disable-broker-tests don'e try to build Broker unit tests
 
   Required Packages in Non-Standard Locations:
     --with-openssl=PATH    path to OpenSSL install root
@@ -72,6 +73,7 @@ Usage: $0 [OPTION]... [VAR=VALUE]...
 
   Optional Packages in Non-Standard Locations:
     --with-geoip=PATH      path to the libGeoIP install root
+    --with-krb5=PATH       path to krb5 install root
     --with-perftools=PATH  path to Google Perftools install root
     --with-jemalloc=PATH   path to jemalloc install root
     --with-python-lib=PATH path to libpython
@@ -226,6 +228,9 @@ while [ $# -ne 0 ]; do
         --disable-python)
             append_cache_entry DISABLE_PYTHON_BINDINGS     BOOL   true
             ;;
+        --disable-broker-tests)
+            append_cache_entry BROKER_DISABLE_TESTS     BOOL   true
+            ;;
         --with-openssl=*)
             append_cache_entry OPENSSL_ROOT_DIR PATH $optarg
             ;;
@@ -250,6 +255,9 @@ while [ $# -ne 0 ]; do
         --with-geoip=*)
             append_cache_entry LibGeoIP_ROOT_DIR PATH $optarg
             ;;
+        --with-krb5=*)
+            append_cache_entry LibKrb5_ROOT_DIR PATH $optarg
+            ;;
         --with-perftools=*)
             append_cache_entry GooglePerftools_ROOT_DIR PATH $optarg
             ;;

doc/CMakeLists.txt

@@ -4,8 +4,6 @@ set(BROXYGEN_SCRIPT_OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/broxygen_script_output)
 set(BROXYGEN_CACHE_DIR ${CMAKE_CURRENT_BINARY_DIR}/broxygen_cache)
 set(BROCCOLI_DOCS_SRC ${CMAKE_BINARY_DIR}/aux/broccoli/doc/html)
 set(BROCCOLI_DOCS_DST ${CMAKE_BINARY_DIR}/html/broccoli-api)
-set(BROKER_DOCS_SRC ${CMAKE_BINARY_DIR}/aux/broker/doc/html)
-set(BROKER_DOCS_DST ${CMAKE_BINARY_DIR}/html/broker-manual)
 
 # Find out what BROPATH to use when executing bro.
 execute_process(COMMAND ${CMAKE_BINARY_DIR}/bro-path-dev
@@ -63,9 +61,6 @@ add_custom_target(sphinxdoc
     COMMAND "${CMAKE_COMMAND}" -E create_symlink
             ${SPHINX_OUTPUT_DIR}/html
             ${CMAKE_BINARY_DIR}/html
-    # Copy Broker manual into output dir.
-    COMMAND rm -rf ${BROKER_DOCS_DST} &&
-            cp -r ${BROKER_DOCS_SRC} ${BROKER_DOCS_DST}
     WORKING_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}
     COMMENT "[Sphinx] Generate HTML documentation in ${CMAKE_BINARY_DIR}/html")
 

doc/conf.py.in

@@ -195,8 +195,6 @@ html_sidebars = {
 # Output file base name for HTML help builder.
 htmlhelp_basename = 'Broxygen'
 
-html_add_permalinks = None
-
 # -- Options for LaTeX output --------------------------------------------------
 
 # The paper size ('letter' or 'a4').

doc/frameworks/broker.rst

@@ -50,6 +50,13 @@ General Porting Tips
 - The ``&synchronized`` and ``&persistent`` attributes are deprecated,
   consider using `Data Stores`_ instead.
 
+- Usages of the old communications system features are all deprecated,
+  however, they also do not work in the default Bro configuration unless
+  you manually take action to set up the old communication system.
+  To aid in porting, such usages will default to raising a fatal error
+  unless you explicitly acknowledge that such usages of the old system
+  are ok.  Set the :bro:see:`old_comm_usage_is_ok`` flag in this case.
+
 - Instead of using e.g. ``Cluster::manager2worker_events`` (and all
   permutations for every node type), what you'd now use is either 
   :bro:see:`Broker::publish` or :bro:see:`Broker::auto_publish` with

doc/script-reference/types.rst

@@ -91,6 +91,10 @@ Here is a more detailed description of each type:
     type, but a unary plus or minus applied to a "count" results in an
     "int".
 
+    In addition, "count" types support bitwise operations.  You can use
+    ``&``, ``|``, and ``^`` for bitwise ``and'', ``or'', and ``xor''.  You
+    can also use ``~`` for bitwise (one's) complement.
+
 .. bro:type:: double
 
     A numeric type representing a double-precision floating-point
@@ -233,6 +237,14 @@ Here is a more detailed description of each type:
     is false since "oob" does not appear at the start of "foobar".  The
     ``!in`` operator would yield the negation of ``in``.
 
+    Finally, you can create a disjunction (either-or) of two literal patterns
+    using the ``|`` operator.  For example::
+
+	/foo/ | /bar/ in "foobar"
+
+    yields true, like in the similar example above.  (This does not presently
+    work for variables whose values are patterns, however.)
+
 .. bro:type:: port
 
     A type representing transport-level port numbers (besides TCP and
@@ -585,6 +597,9 @@ Here is a more detailed description of each type:
     The resulting vector of bool is the logical "and" (or logical "or") of
     each element of the operand vectors.
 
+    Vectors of type ``count`` can also be operands for the bitwise and/or/xor
+    operators, ``&``, ``|`` and ``^``.
+
     See the :bro:keyword:`for` statement for info on how to iterate over
     the elements in a vector.
 

scripts/base/files/pe/consts.bro

@@ -65,7 +65,7 @@ export {
 		[9]  = "WINDOWS_CE_GUI",
 		[10] = "EFI_APPLICATION",
 		[11] = "EFI_BOOT_SERVICE_DRIVER",
-		[12] = "EFI_RUNTIME_
DRIVER",
+		[12] = "EFI_RUNTIME_DRIVER",
 		[13] = "EFI_ROM",
 		[14] = "XBOX"
 	} &default=function(i: count):string { return fmt("unknown-%d", i); };

scripts/base/frameworks/broker/main.bro

@@ -14,7 +14,7 @@ export {
 	## Default address on which to listen.
 	##
 	## .. bro:see:: Broker::listen
-	const default_listen_address = "" &redef;
+	const default_listen_address = getenv("BRO_DEFAULT_LISTEN_ADDRESS") &redef;
 
 	## Default interval to retry connecting to a peer if it cannot be made to work
 	## initially, or if it ever becomes disconnected.
@@ -51,6 +51,16 @@ export {
 	## all peers.
 	const ssl_keyfile = "" &redef;
 
+	## Max number of threads to use for Broker/CAF functionality.
+	## Using zero will cause this to be automatically determined
+	## based on number of available CPUs.
+	const max_threads = 0 &redef;
+
+	## Max number of microseconds for under-utilized Broker/CAF
+	## threads to sleep.  Using zero will cause this to be automatically
+	## determined or just use CAF's default setting.
+	const max_sleep = 0 &redef;
+
 	## Forward all received messages to subscribing peers.
 	const forward_messages = F &redef;
 

scripts/base/frameworks/cluster/setup-connections.bro

@@ -44,6 +44,9 @@ function connect_peers_with_type(node_type: NodeType)
 
 event bro_init() &priority=-10
 	{
+	if ( getenv("BROCTL_CHECK_CONFIG") != "" )
+		return;
+
 	local self = nodes[node];
 
 	for ( i in registered_pools )

scripts/base/init-bare.bro

@@ -1,4 +1,4 @@
-@load base/bif/const.bif.bro
+@load base/bif/const.bif
 @load base/bif/types.bif
 
 # Type declarations
@@ -1797,9 +1797,11 @@ type gtp_delete_pdp_ctx_response_elements: record {
 };
 
 # Prototypes of Bro built-in functions.
-@load base/bif/strings.bif
 @load base/bif/bro.bif
+@load base/bif/stats.bif
 @load base/bif/reporter.bif
+@load base/bif/strings.bif
+@load base/bif/option.bif
 
 ## Deprecated. This is superseded by the new logging framework.
 global log_file_name: function(tag: string): string &redef;
@@ -4245,6 +4247,8 @@ export {
 
 module KRB;
 export {
+	## Kerberos keytab file name. Used to decrypt tickets encountered on the wire.
+	const keytab = "" &redef;
 	## KDC Options. See :rfc:`4120`
 	type KRB::KDC_Options: record {
 		## The ticket to be issued should have its forwardable flag set.
@@ -4367,6 +4371,8 @@ export {
 		cipher		: count;
 		## Cipher text of the ticket
 		ciphertext  : string &optional;
+		## Authentication info
+		authenticationinfo: string &optional;
 	};
 
 	type KRB::Ticket_Vector: vector of KRB::Ticket;
@@ -4806,6 +4812,12 @@ export {
 	const max_frag_data = 30000 &redef;
 }
 
+module NCP;
+export {
+	## The maximum number of bytes to allocate when parsing NCP frames.
+	const max_frame_size = 65536 &redef;
+}
+
 module Cluster;
 export {
 	type Cluster::Pool: record {};
@@ -4823,16 +4835,9 @@ const global_hash_seed: string = "" &redef;
 ## The maximum is currently 128 bits.
 const bits_per_uid: count = 96 &redef;
 
-# Load these frameworks here because they use fairly deep integration with
+## Whether usage of the old communication system is considered an error or
-# BiFs and script-land defined types.
+## not.  The default Bro configuration no longer works with the non-Broker
-@load base/frameworks/logging
+## communication system unless you have manually taken action to initialize
-@load base/frameworks/broker
+## and set up the old comm. system.  Deprecation warnings are still emitted
-@load base/frameworks/input
+## when setting this flag, but they will not result in a fatal error.
-@load base/frameworks/analyzer
+const old_comm_usage_is_ok: bool = F &redef;
-@load base/frameworks/files
-
-@load base/bif
-
-# Load BiFs defined by plugins.
-@load base/bif/plugins
-

scripts/base/init-frameworks-and-bifs.bro

@@ -0,0 +1,15 @@
+# Load these frameworks here because they use fairly deep integration with
+# BiFs and script-land defined types.  They are also more likely to
+# make use of calling BIFs for variable initializations, and that
+# can't be done until init-bare.bro has been loaded completely (hence
+# the separate file).
+@load base/frameworks/logging
+@load base/frameworks/broker
+@load base/frameworks/input
+@load base/frameworks/analyzer
+@load base/frameworks/files
+
+@load base/bif
+
+# Load BiFs defined by plugins.
+@load base/bif/plugins

scripts/base/protocols/conn/main.bro

@@ -95,9 +95,12 @@ export {
 		##
 		## If the event comes from the originator, the letter is in
 		## upper-case; if it comes from the responder, it's in
-		## lower-case. Multiple packets of the same type will only be
+		## lower-case.  The 'a', 'c', 'd', 'i', 'q', and 't' flags are
-		## noted once (e.g. we only record one "d" in each direction,
+		## recorded a maximum of one time in either direction regardless
-		## regardless of how many data packets were seen.)
+		## of how many are actually seen.  However, 'f', 'h', 'r', or
+		## 's' may be recorded multiple times for either direction and
+		## only compressed when sharing a sequence number with the
+		## last-seen packet of the same flag type.
 		history:      string          &log &optional;
 		## Number of packets that the originator sent.
 		## Only set if :bro:id:`use_conn_size_analyzer` = T.

scripts/base/protocols/smb/const-nt-status.bro

@@ -64,8 +64,8 @@ redef SMB::statuses += {
 	[0x40000007] = [$id="BAD_CURRENT_DIRECTORY", $desc="{Invalid Current Directory} The process cannot switch to the startup current directory %hs. Select OK to set the current directory to %hs, or select CANCEL to exit."],
 	[0x40000008] = [$id="SERIAL_MORE_WRITES", $desc="{Serial IOCTL Complete} A serial I/O operation was completed by another write to a serial port. (The IOCTL_SERIAL_XOFF_COUNTER reached zero.)"],
 	[0x40000009] = [$id="REGISTRY_RECOVERED", $desc="{Registry Recovery} One of the files that contains the system registry data had to be recovered by using a log or alternate copy. The recovery was successful."],
-	[0x4000000A] = [$id="FT_READ_RECOVERY_FROM_BACKUP", $desc="{Redundant Read} To satisfy a read request, the Windows NT fault-tolerant file system successfully read the requested data from a redundant copy. This was done because the file system encountered a failure on a member of the fault-tolerant volume but was unable to reassign the failing area of the device."],
+	[0x4000000A] = [$id="FT_READ_RECOVERY_FROM_BACKUP", $desc="{Redundant Read} To satisfy a read request, the Windows NT fault-tolerant file system successfully read the requested data from a redundant copy. This was done because the file system encountered a failure on a member of the fault-tolerant volume but was unable to reassign the failing area of the device."],
-	[0x4000000B] = [$id="FT_WRITE_RECOVERY", $desc="{Redundant Write} To satisfy a write request, the Windows NT fault-tolerant file system successfully wrote a redundant copy of the information. This was done because the file system encountered a failure on a member of the fault-tolerant volume but was unable to reassign the failing area of the device."],
+	[0x4000000B] = [$id="FT_WRITE_RECOVERY", $desc="{Redundant Write} To satisfy a write request, the Windows NT fault-tolerant file system successfully wrote a redundant copy of the information. This was done because the file system encountered a failure on a member of the fault-tolerant volume but was unable to reassign the failing area of the device."],
 	[0x4000000C] = [$id="SERIAL_COUNTER_TIMEOUT", $desc="{Serial IOCTL Timeout} A serial I/O operation completed because the time-out period expired. (The IOCTL_SERIAL_XOFF_COUNTER had not reached zero.)"],
 	[0x4000000D] = [$id="NULL_LM_PASSWORD", $desc="{Password Too Complex} The Windows password is too complex to be converted to a LAN Manager password. The LAN Manager password that returned is a NULL string."],
 	[0x4000000E] = [$id="IMAGE_MACHINE_TYPE_MISMATCH", $desc="{Machine Type Mismatch} The image file %hs is valid but is for a machine type other than the current machine. Select OK to continue, or CANCEL to fail the DLL load."],
@@ -494,7 +494,7 @@ redef SMB::statuses += {
 	[0xC0000131] = [$id="INVALID_IMAGE_WIN_16", $desc="The specified image file did not have the correct format: it appears to be a 16-bit Windows image."],
 	[0xC0000132] = [$id="LOGON_SERVER_CONFLICT", $desc="The Netlogon service cannot start because another Netlogon service running in the domain conflicts with the specified role."],
 	[0xC0000133] = [$id="TIME_DIFFERENCE_AT_DC", $desc="The time at the primary domain controller is different from the time at the backup domain controller or member server by too large an amount."],
-	[0xC0000134] = [$id="SYNCHRONIZATION_REQUIRED", $desc="The SAM database on a Windows Server is significantly out of synchronization with the copy on the domain controller. A complete synchronization is required."],
+	[0xC0000134] = [$id="SYNCHRONIZATION_REQUIRED", $desc="The SAM database on a Windows Server is significantly out of synchronization with the copy on the domain controller. A complete synchronization is required."],
 	[0xC0000135] = [$id="DLL_NOT_FOUND", $desc="{Unable To Locate Component} This application has failed to start because %hs was not found. Reinstalling the application may fix this problem."],
 	[0xC0000136] = [$id="OPEN_FAILED", $desc="The NtCreateFile API failed. This error should never be returned to an application; it is a place holder for the Windows LAN Manager Redirector to use in its internal error-mapping routines."],
 	[0xC0000137] = [$id="IO_PRIVILEGE_FAILED", $desc="{Privilege Failed} The I/O permissions for the process could not be changed."],
@@ -536,7 +536,7 @@ redef SMB::statuses += {
 	[0xC000015B] = [$id="LOGON_TYPE_NOT_GRANTED", $desc="A user has requested a type of logon (for example, interactive or network) that has not been granted. An administrator has control over who may logon interactively and through the network."],
 	[0xC000015C] = [$id="NOT_REGISTRY_FILE", $desc="The system has attempted to load or restore a file into the registry, and the specified file is not in the format of a registry file."],
 	[0xC000015D] = [$id="NT_CROSS_ENCRYPTION_REQUIRED", $desc="An attempt was made to change a user password in the security account manager without providing the necessary Windows cross-encrypted password."],
-	[0xC000015E] = [$id="DOMAIN_CTRLR_CONFIG_ERROR", $desc="A Windows Server has an incorrect configuration."],
+	[0xC000015E] = [$id="DOMAIN_CTRLR_CONFIG_ERROR", $desc="A Windows Server has an incorrect configuration."],
 	[0xC000015F] = [$id="FT_MISSING_MEMBER", $desc="An attempt was made to explicitly access the secondary copy of information via a device control to the fault tolerance driver and the secondary copy is not present in the system."],
 	[0xC0000160] = [$id="ILL_FORMED_SERVICE_ENTRY", $desc="A configuration registry node that represents a driver service entry was ill-formed and did not contain the required value entries."],
 	[0xC0000161] = [$id="ILLEGAL_CHARACTER", $desc="An illegal character was encountered. For a multibyte character set, this includes a lead byte without a succeeding trail byte. For the Unicode character set this includes the characters 0xFFFF and 0xFFFE."],
@@ -577,7 +577,7 @@ redef SMB::statuses += {
 	[0xC0000188] = [$id="LOG_FILE_FULL", $desc="The log file space is insufficient to support this operation."],
 	[0xC0000189] = [$id="TOO_LATE", $desc="A write operation was attempted to a volume after it was dismounted."],
 	[0xC000018A] = [$id="NO_TRUST_LSA_SECRET", $desc="The workstation does not have a trust secret for the primary domain in the local LSA database."],
-	[0xC000018B] = [$id="NO_TRUST_SAM_ACCOUNT", $desc="The SAM database on the Windows Server does not have a computer account for this workstation trust relationship."],
+	[0xC000018B] = [$id="NO_TRUST_SAM_ACCOUNT", $desc="The SAM database on the Windows Server does not have a computer account for this workstation trust relationship."],
 	[0xC000018C] = [$id="TRUSTED_DOMAIN_FAILURE", $desc="The logon request failed because the trust relationship between the primary domain and the trusted domain failed."],
 	[0xC000018D] = [$id="TRUSTED_RELATIONSHIP_FAILURE", $desc="The logon request failed because the trust relationship between this workstation and the primary domain failed."],
 	[0xC000018E] = [$id="EVENTLOG_FILE_CORRUPT", $desc="The Eventlog log file is corrupt."],
@@ -833,18 +833,18 @@ redef SMB::statuses += {
 	[0xC00002FD] = [$id="KDC_UNKNOWN_ETYPE", $desc="The encryption type requested is not supported by the KDC."],
 	[0xC00002FE] = [$id="SHUTDOWN_IN_PROGRESS", $desc="A system shutdown is in progress."],
 	[0xC00002FF] = [$id="SERVER_SHUTDOWN_IN_PROGRESS", $desc="The server machine is shutting down."],
-	[0xC0000300] = [$id="NOT_SUPPORTED_ON_SBS", $desc="This operation is not supported on a computer running Windows Server 2003 for Small Business Server."],
+	[0xC0000300] = [$id="NOT_SUPPORTED_ON_SBS", $desc="This operation is not supported on a computer running Windows Server 2003 for Small Business Server."],
 	[0xC0000301] = [$id="WMI_GUID_DISCONNECTED", $desc="The WMI GUID is no longer available."],
 	[0xC0000302] = [$id="WMI_ALREADY_DISABLED", $desc="Collection or events for the WMI GUID is already disabled."],
 	[0xC0000303] = [$id="WMI_ALREADY_ENABLED", $desc="Collection or events for the WMI GUID is already enabled."],
 	[0xC0000304] = [$id="MFT_TOO_FRAGMENTED", $desc="The master file table on the volume is too fragmented to complete this operation."],
 	[0xC0000305] = [$id="COPY_PROTECTION_FAILURE", $desc="Copy protection failure."],
-	[0xC0000306] = [$id="CSS_AUTHENTICATION_FAILURE", $desc="Copy protection error—DVD CSS Authentication failed."],
+	[0xC0000306] = [$id="CSS_AUTHENTICATION_FAILURE", $desc="Copy protection error-DVD CSS Authentication failed."],
-	[0xC0000307] = [$id="CSS_KEY_NOT_PRESENT", $desc="Copy protection error—The specified sector does not contain a valid key."],
+	[0xC0000307] = [$id="CSS_KEY_NOT_PRESENT", $desc="Copy protection error-The specified sector does not contain a valid key."],
-	[0xC0000308] = [$id="CSS_KEY_NOT_ESTABLISHED", $desc="Copy protection error—DVD session key not established."],
+	[0xC0000308] = [$id="CSS_KEY_NOT_ESTABLISHED", $desc="Copy protection error-DVD session key not established."],
-	[0xC0000309] = [$id="CSS_SCRAMBLED_SECTOR", $desc="Copy protection error—The read failed because the sector is encrypted."],
+	[0xC0000309] = [$id="CSS_SCRAMBLED_SECTOR", $desc="Copy protection error-The read failed because the sector is encrypted."],
-	[0xC000030A] = [$id="CSS_REGION_MISMATCH", $desc="Copy protection error—The region of the specified DVD does not correspond to the region setting of the drive."],
+	[0xC000030A] = [$id="CSS_REGION_MISMATCH", $desc="Copy protection error-The region of the specified DVD does not correspond to the region setting of the drive."],
-	[0xC000030B] = [$id="CSS_RESETS_EXHAUSTED", $desc="Copy protection error—The region setting of the drive may be permanent."],
+	[0xC000030B] = [$id="CSS_RESETS_EXHAUSTED", $desc="Copy protection error-The region setting of the drive may be permanent."],
 	[0xC0000320] = [$id="PKINIT_FAILURE", $desc="The Kerberos protocol encountered an error while validating the KDC certificate during smart card logon. There is more information in the system event log."],
 	[0xC0000321] = [$id="SMARTCARD_SUBSYSTEM_FAILURE", $desc="The Kerberos protocol encountered an error while attempting to use the smart card subsystem."],
 	[0xC0000322] = [$id="NO_KERB_KEY", $desc="The target server does not have acceptable Kerberos credentials."],
@@ -855,7 +855,7 @@ redef SMB::statuses += {
 	[0xC0000354] = [$id="DEBUGGER_INACTIVE", $desc="An attempt to do an operation on a debug port failed because the port is in the process of being deleted."],
 	[0xC0000355] = [$id="DS_VERSION_CHECK_FAILURE", $desc="This version of Windows is not compatible with the behavior version of the directory forest, domain, or domain controller."],
 	[0xC0000356] = [$id="AUDITING_DISABLED", $desc="The specified event is currently not being audited."],
-	[0xC0000357] = [$id="PRENT4_MACHINE_ACCOUNT", $desc="The machine account was created prior to Windows NT 4.0. The account needs to be recreated."],
+	[0xC0000357] = [$id="PRENT4_MACHINE_ACCOUNT", $desc="The machine account was created prior to Windows NT 4.0. The account needs to be recreated."],
 	[0xC0000358] = [$id="DS_AG_CANT_HAVE_UNIVERSAL_MEMBER", $desc="An account group cannot have a universal group as a member."],
 	[0xC0000359] = [$id="INVALID_IMAGE_WIN_32", $desc="The specified image file did not have the correct format; it appears to be a 32-bit Windows image."],
 	[0xC000035A] = [$id="INVALID_IMAGE_WIN_64", $desc="The specified image file did not have the correct format; it appears to be a 64-bit Windows image."],

scripts/policy/protocols/smb/main.bro

@@ -18,6 +18,7 @@ export {
 		FILE_CLOSE,
 		FILE_DELETE,
 		FILE_RENAME,
+		FILE_SET_ATTRIBUTE,
 
 		PIPE_READ,
 		PIPE_WRITE,

scripts/policy/protocols/smb/smb2-main.bro

@@ -239,6 +239,26 @@ event smb2_write_request(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID,
 	SMB::write_file_log(c$smb_state);
 	}
 
+event smb2_file_sattr(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, times: SMB::MACTimes, attrs: SMB2::FileAttrs) &priority=-5
+	{
+	SMB::write_file_log(c$smb_state);
+	}
+
+event smb2_file_sattr(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, times: SMB::MACTimes, attrs: SMB2::FileAttrs) &priority=5
+	{
+	SMB::set_current_file(c$smb_state, file_id$persistent+file_id$volatile);
+
+	switch ( c$smb_state$current_tree$share_type )
+		{
+		case "DISK":
+			c$smb_state$current_file$action = SMB::FILE_SET_ATTRIBUTE;
+			break;
+		default:
+			c$smb_state$current_file$action = SMB::FILE_SET_ATTRIBUTE;
+			break;
+		}
+	}
+
 event smb2_file_rename(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, dst_filename: string) &priority=5
 	{
 	SMB::set_current_file(c$smb_state, file_id$persistent+file_id$volatile);

scripts/policy/protocols/ssl/validate-sct.bro

@@ -180,6 +180,8 @@ hook ssl_finishing(c: connection) &priority=19
 					{
 					if ( i == 0 ) # end-host-cert
 						next;
+					if ( ! c$ssl$cert_chain[i]?$x509 || ! c$ssl$cert_chain[i]$x509?$handle )
+						next;
 
 					issuer_key_hash = x509_spki_hash(c$ssl$cert_chain[i]$x509$handle, 4);
 					valid = sct_verify(cert, proof$logid, log$key, proof$signature, proof$timestamp, proof$hash_alg, issuer_key_hash);

src/3rdparty

@@ -1 +1 @@
-Subproject commit 6511cd6e45811af0904947a36e565dcb9eee61dd
+Subproject commit c78abc8454932019f030045340348560a8ac9b23

src/Brofiler.cc

@@ -50,10 +50,18 @@ bool Brofiler::WriteStats()
 	char* bf = getenv("BRO_PROFILER_FILE");
 	if ( ! bf ) return false;
 
-	FILE* f;
+	SafeDirname dirname{bf};
-	const char* p = strstr(bf, ".XXXXXX");
 
-	if ( p && ! p[7] )
+	if ( ! ensure_intermediate_dirs(dirname.result.data()) )
+		{
+		reporter->Error("Failed to open BRO_PROFILER_FILE destination '%s' for writing", bf);
+		return false;
+		}
+
+	FILE* f;
+	const char* p = strstr(bf, "XXXXXX");
+
+	if ( p && ! p[6] )
 		{
 		mode_t old_umask = umask(S_IXUSR | S_IRWXO | S_IRWXG);
 		int fd = mkstemp(bf);

src/Expr.cc

@@ -21,8 +21,10 @@ const char* expr_name(BroExprTag t)
 	static const char* expr_names[int(NUM_EXPRS)] = {
 		"name", "const",
 		"(*)",
-		"++", "--", "!", "+", "-",
+		"++", "--", "!", "~", "+", "-",
-		"+", "-", "+=", "-=", "*", "/", "%", "&&", "||",
+		"+", "-", "+=", "-=", "*", "/", "%",
+		"&", "|", "^",
+		"&&", "||",
 		"<", "<=", "==", "!=", ">=", ">", "?:", "ref",
 		"=", "~", "[]", "$", "?$", "[=]",
 		"table()", "set()", "vector()",
@@ -702,6 +704,12 @@ Val* BinaryExpr::Fold(Val* v1, Val* v2) const
 	else \
 		Internal("bad type in BinaryExpr::Fold");
 
+#define DO_UINT_FOLD(op) \
+	if ( is_unsigned ) \
+		u3 = u1 op u2; \
+	else \
+		Internal("bad type in BinaryExpr::Fold");
+
 #define DO_FOLD(op) \
 	if ( is_integral ) \
 		i3 = i1 op i2; \
@@ -775,8 +783,12 @@ Val* BinaryExpr::Fold(Val* v1, Val* v2) const
 
 		break;
 
-	case EXPR_AND:		DO_INT_FOLD(&&); break;
+	case EXPR_AND:		DO_UINT_FOLD(&); break;
-	case EXPR_OR:		DO_INT_FOLD(||); break;
+	case EXPR_OR:		DO_UINT_FOLD(|); break;
+	case EXPR_XOR:		DO_UINT_FOLD(^); break;
+
+	case EXPR_AND_AND:	DO_INT_FOLD(&&); break;
+	case EXPR_OR_OR:	DO_INT_FOLD(||); break;
 
 	case EXPR_LT:		DO_INT_VAL_FOLD(<); break;
 	case EXPR_LE:		DO_INT_VAL_FOLD(<=); break;
@@ -1077,6 +1089,39 @@ bool IncrExpr::DoUnserialize(UnserialInfo* info)
 	return true;
 	}
 
+ComplementExpr::ComplementExpr(Expr* arg_op) : UnaryExpr(EXPR_COMPLEMENT, arg_op)
+	{
+	if ( IsError() )
+		return;
+
+	BroType* t = op->Type();
+	TypeTag bt = t->Tag();
+
+	if ( bt != TYPE_COUNT )
+		ExprError("requires \"count\" operand");
+	else
+		SetType(base_type(TYPE_COUNT));
+	}
+
+Val* ComplementExpr::Fold(Val* v) const
+	{
+	return new Val(~ v->InternalUnsigned(), type->Tag());
+	}
+
+IMPLEMENT_SERIAL(ComplementExpr, SER_COMPLEMENT_EXPR);
+
+bool ComplementExpr::DoSerialize(SerialInfo* info) const
+	{
+	DO_SERIALIZE(SER_COMPLEMENT_EXPR, UnaryExpr);
+	return true;
+	}
+
+bool ComplementExpr::DoUnserialize(UnserialInfo* info)
+	{
+	DO_UNSERIALIZE(UnaryExpr);
+	return true;
+	}
+
 NotExpr::NotExpr(Expr* arg_op) : UnaryExpr(EXPR_NOT, arg_op)
 	{
 	if ( IsError() )
@@ -1670,14 +1715,14 @@ Val* BoolExpr::DoSingleEval(Frame* f, Val* v1, Expr* op2) const
 		RE_Matcher* re1 = v1->AsPattern();
 		RE_Matcher* re2 = v2->AsPattern();
 
-		RE_Matcher* res = tag == EXPR_AND ?
+		RE_Matcher* res = tag == EXPR_AND_AND ?
 			RE_Matcher_conjunction(re1, re2) :
 			RE_Matcher_disjunction(re1, re2);
 
 		return new PatternVal(res);
 		}
 
-	if ( tag == EXPR_AND )
+	if ( tag == EXPR_AND_AND )
 		{
 		if ( v1->IsZero() )
 			return v1;
@@ -1741,8 +1786,8 @@ Val* BoolExpr::Eval(Frame* f) const
 
 		VectorVal* result = 0;
 
-		// It's either and EXPR_AND or an EXPR_OR.
+		// It's either and EXPR_AND_AND or an EXPR_OR_OR.
-		bool is_and = (tag == EXPR_AND);
+		bool is_and = (tag == EXPR_AND_AND);
 
 		if ( scalar_v->IsZero() == is_and )
 			{
@@ -1783,7 +1828,7 @@ Val* BoolExpr::Eval(Frame* f) const
 		Val* op2 = vec_v2->Lookup(i);
 		if ( op1 && op2 )
 			{
-			bool local_result = (tag == EXPR_AND) ?
+			bool local_result = (tag == EXPR_AND_AND) ?
 				(! op1->IsZero() && ! op2->IsZero()) :
 				(! op1->IsZero() || ! op2->IsZero());
 
@@ -1813,6 +1858,49 @@ bool BoolExpr::DoUnserialize(UnserialInfo* info)
 	return true;
 	}
 
+BitExpr::BitExpr(BroExprTag arg_tag, Expr* arg_op1, Expr* arg_op2)
+: BinaryExpr(arg_tag, arg_op1, arg_op2)
+	{
+	if ( IsError() )
+		return;
+
+	TypeTag bt1 = op1->Type()->Tag();
+	if ( IsVector(bt1) )
+		bt1 = op1->Type()->AsVectorType()->YieldType()->Tag();
+
+	TypeTag bt2 = op2->Type()->Tag();
+	if ( IsVector(bt2) )
+		bt2 = op2->Type()->AsVectorType()->YieldType()->Tag();
+
+	if ( (bt1 == TYPE_COUNT || bt1 == TYPE_COUNTER) &&
+	     (bt2 == TYPE_COUNT || bt2 == TYPE_COUNTER) )
+		{
+		if ( bt1 == TYPE_COUNTER && bt2 == TYPE_COUNTER )
+			ExprError("cannot apply a bitwise operator to two \"counter\" operands");
+		else if ( is_vector(op1) || is_vector(op2) )
+			SetType(new VectorType(base_type(TYPE_COUNT)));
+		else
+			SetType(base_type(TYPE_COUNT));
+		}
+
+	else
+		ExprError("requires \"count\" operands");
+	}
+
+IMPLEMENT_SERIAL(BitExpr, SER_BIT_EXPR);
+
+bool BitExpr::DoSerialize(SerialInfo* info) const
+	{
+	DO_SERIALIZE(SER_BIT_EXPR, BinaryExpr);
+	return true;
+	}
+
+bool BitExpr::DoUnserialize(UnserialInfo* info)
+	{
+	DO_UNSERIALIZE(BinaryExpr);
+	return true;
+	}
+
 EqExpr::EqExpr(BroExprTag arg_tag, Expr* arg_op1, Expr* arg_op2)
 : BinaryExpr(arg_tag, arg_op1, arg_op2)
 	{

src/Expr.h

@@ -17,10 +17,13 @@ typedef enum {
 	EXPR_ANY = -1,
 	EXPR_NAME, EXPR_CONST,
 	EXPR_CLONE,
-	EXPR_INCR, EXPR_DECR, EXPR_NOT, EXPR_POSITIVE, EXPR_NEGATE,
+	EXPR_INCR, EXPR_DECR,
+	EXPR_NOT, EXPR_COMPLEMENT,
+	EXPR_POSITIVE, EXPR_NEGATE,
 	EXPR_ADD, EXPR_SUB, EXPR_ADD_TO, EXPR_REMOVE_FROM,
 	EXPR_TIMES, EXPR_DIVIDE, EXPR_MOD,
-	EXPR_AND, EXPR_OR,
+	EXPR_AND, EXPR_OR, EXPR_XOR,
+	EXPR_AND_AND, EXPR_OR_OR,
 	EXPR_LT, EXPR_LE, EXPR_EQ, EXPR_NE, EXPR_GE, EXPR_GT,
 	EXPR_COND,
 	EXPR_REF,
@@ -379,6 +382,19 @@ protected:
 	DECLARE_SERIAL(IncrExpr);
 };
 
+class ComplementExpr : public UnaryExpr {
+public:
+	explicit ComplementExpr(Expr* op);
+
+protected:
+	friend class Expr;
+	ComplementExpr()	{ }
+
+	Val* Fold(Val* v) const override;
+
+	DECLARE_SERIAL(ComplementExpr);
+};
+
 class NotExpr : public UnaryExpr {
 public:
 	explicit NotExpr(Expr* op);
@@ -532,6 +548,17 @@ protected:
 	DECLARE_SERIAL(BoolExpr);
 };
 
+class BitExpr : public BinaryExpr {
+public:
+	BitExpr(BroExprTag tag, Expr* op1, Expr* op2);
+
+protected:
+	friend class Expr;
+	BitExpr()	{ }
+
+	DECLARE_SERIAL(BitExpr);
+};
+
 class EqExpr : public BinaryExpr {
 public:
 	EqExpr(BroExprTag tag, Expr* op1, Expr* op2);

src/NFA.cc

@@ -55,7 +55,10 @@ void NFA_State::AddXtionsTo(NFA_state_list* ns)
 NFA_State* NFA_State::DeepCopy()
 	{
 	if ( mark )
+		{
+		Ref(mark);
 		return mark;
+		}
 
 	NFA_State* copy = ccl ? new NFA_State(ccl) : new NFA_State(sym, 0);
 	SetMark(copy);

src/Net.h

@@ -83,6 +83,8 @@ extern iosource::PktDumper* pkt_dumper;	// where to save packets
 
 extern char* writefile;
 
+extern int old_comm_usage_count;
+
 // Script file we have already scanned (or are in the process of scanning).
 // They are identified by inode number.
 struct ScannedFile {

src/SerialObj.h

@@ -3,7 +3,7 @@
 // How to make objects of class Foo serializable:
 //
 //    1. Derive Foo (directly or indirectly) from SerialObj.
-//    2. Add a SER_FOO constant to SerialTypes below.
+//    2. Add a SER_FOO constant to SerialTypes in SerialTypes.h.
 //    3. Add DECLARE_SERIAL(Foo) into class definition.
 //    4. Add a (preferably protected) default ctor if it doesn't already exist.
 //    5. For non-abstract classes, add IMPLEMENT_SERIAL(Foo, SER_FOO) to *.cc

src/SerialTypes.h

@@ -164,6 +164,8 @@ SERIAL_EXPR(TABLE_COERCE_EXPR, 43)
 SERIAL_EXPR(VECTOR_COERCE_EXPR, 44)
 SERIAL_EXPR(CAST_EXPR, 45)
 SERIAL_EXPR(IS_EXPR_, 46) // Name conflict with internal SER_IS_EXPR constant.
+SERIAL_EXPR(BIT_EXPR, 47)
+SERIAL_EXPR(COMPLEMENT_EXPR, 48)
 
 #define SERIAL_STMT(name, val) SERIAL_CONST(name, val, STMT)
 SERIAL_STMT(STMT, 1)

src/Serializer.cc

@@ -1017,7 +1017,7 @@ double EventPlayer::NextTimestamp(double* local_network_time)
 		return ne_time;
 
 	if ( ! io )
-		return 0;
+		return -1;
 
 	// Read next event if we don't have one waiting.
 	if ( ! ne_time )
@@ -1028,7 +1028,7 @@ double EventPlayer::NextTimestamp(double* local_network_time)
 		}
 
 	if ( ! ne_time )
-		return 0;
+		return -1;
 
 	if ( ! network_time )
 		{

src/Type.cc

@@ -1184,8 +1184,15 @@ void RecordType::DescribeFieldsReST(ODesc* d, bool func_args) const
 
 		if ( d->FindType(td->type) )
 			d->Add("<recursion>");
+		else
+			{
+			if ( num_fields == 1 && streq(td->id, "va_args") &&
+			     td->type->Tag() == TYPE_ANY )
+				// This was a BIF using variable argument list
+				d->Add("...");
 			else
 				td->DescribeReST(d);
+			}
 
 		if ( func_args )
 			continue;

src/analyzer/protocol/krb/KRB.cc

@@ -6,12 +6,52 @@
 
 using namespace analyzer::krb;
 
+bool KRB_Analyzer::krb_available = false;
+#ifdef USE_KRB5
+krb5_context KRB_Analyzer::krb_context = nullptr;
+krb5_keytab KRB_Analyzer::krb_keytab = nullptr;
+std::once_flag KRB_Analyzer::krb_initialized;
+#endif
+
 KRB_Analyzer::KRB_Analyzer(Connection* conn)
 	: Analyzer("KRB", conn)
 	{
 	interp = new binpac::KRB::KRB_Conn(this);
+#ifdef USE_KRB5
+	std::call_once(krb_initialized, Initialize_Krb);
+#endif
 	}
 
+#ifdef USE_KRB5
+void KRB_Analyzer::Initialize_Krb()
+	{
+	if ( BifConst::KRB::keytab->Len() == 0 )
+		return; // no keytab set
+
+	const char* keytab_filename = BifConst::KRB::keytab->CheckString();
+	if ( access(keytab_filename, R_OK) != 0 )
+		{
+		reporter->Warning("KRB: Can't access keytab (%s)", keytab_filename);
+		return;
+		}
+
+	krb5_error_code retval = krb5_init_context(&krb_context);
+	if ( retval )
+		{
+		reporter->Warning("KRB: Couldn't initialize the context (%s)", krb5_get_error_message(krb_context, retval));
+		return;
+		}
+
+	retval = krb5_kt_resolve(krb_context, keytab_filename, &krb_keytab);
+	if ( retval )
+		{
+		reporter->Warning("KRB: Couldn't resolve keytab (%s)", krb5_get_error_message(krb_context, retval));
+		return;
+		}
+	krb_available = true;
+	}
+#endif
+
 KRB_Analyzer::~KRB_Analyzer()
 	{
 	delete interp;
@@ -37,3 +77,60 @@ void KRB_Analyzer::DeliverPacket(int len, const u_char* data, bool orig,
 		}
 	}
 
+StringVal* KRB_Analyzer::GetAuthenticationInfo(const BroString* principal, const BroString* ciphertext, const bro_uint_t enctype)
+	{
+#ifdef USE_KRB5
+	if ( !krb_available )
+		return nullptr;
+
+	BroString delim("/");
+	int pos = principal->FindSubstring(&delim);
+	if ( pos == -1 )
+		{
+		reporter->Warning("KRB: Couldn't parse principal (%s)", principal->CheckString());
+		return nullptr;
+		}
+	std::unique_ptr<BroString> service = unique_ptr<BroString>(principal->GetSubstring(0, pos));
+	std::unique_ptr<BroString> hostname = unique_ptr<BroString>(principal->GetSubstring(pos + 1, -1));
+	if ( !service || !hostname )
+		{
+		reporter->Warning("KRB: Couldn't parse principal (%s)", principal->CheckString());
+		return nullptr;
+		}
+	krb5_principal sprinc;
+	krb5_error_code retval = krb5_sname_to_principal(krb_context, hostname->CheckString(), service->CheckString(), KRB5_NT_SRV_HST, &sprinc);
+	if ( retval )
+		{
+		reporter->Warning("KRB: Couldn't generate principal name (%s)", krb5_get_error_message(krb_context, retval));
+		return nullptr;
+		}
+
+	krb5_ticket tkt;
+	tkt.server = sprinc;
+	tkt.enc_part.enctype = enctype;
+	tkt.enc_part.ciphertext.data = reinterpret_cast<char*>(ciphertext->Bytes());
+	tkt.enc_part.ciphertext.length = ciphertext->Len();
+
+	retval = krb5_server_decrypt_ticket_keytab(krb_context, krb_keytab, &tkt);
+	if ( retval )
+		{
+		reporter->Warning("KRB: Couldn't decrypt ticket (%s)", krb5_get_error_message(krb_context, retval));
+		return nullptr;
+		}
+
+	char* cp;
+	retval = krb5_unparse_name(krb_context, tkt.enc_part2->client, &cp);
+	if ( retval )
+		{
+		reporter->Warning("KRB: Couldn't unparse name (%s)", krb5_get_error_message(krb_context, retval));
+		return nullptr;
+		}
+	StringVal* ret = new StringVal(cp);
+
+	krb5_free_unparsed_name(krb_context, cp);
+
+	return ret;
+#else
+	return nullptr;
+#endif
+	}

src/analyzer/protocol/krb/KRB.h

@@ -5,6 +5,10 @@
 
 #include "krb_pac.h"
 
+#ifdef USE_KRB5
+#include <krb5.h>
+#endif
+
 namespace analyzer { namespace krb {
 
 class KRB_Analyzer : public analyzer::Analyzer {
@@ -20,9 +24,20 @@ public:
 	static analyzer::Analyzer* Instantiate(Connection* conn)
 		{ return new KRB_Analyzer(conn); }
 
+	StringVal* GetAuthenticationInfo(const BroString* principal, const BroString* ciphertext, const bro_uint_t enctype);
+
 protected:
 
 	binpac::KRB::KRB_Conn* interp;
+
+private:
+	static bool krb_available;
+#ifdef USE_KRB5
+	static std::once_flag krb_initialized;
+	static void Initialize_Krb();
+	static krb5_context krb_context;
+	static krb5_keytab krb_keytab;
+#endif
 };
 
 } } // namespace analyzer::*

src/analyzer/protocol/krb/KRB_TCP.h

@@ -22,6 +22,8 @@ public:
 	// Overriden from tcp::TCP_ApplicationAnalyzer.
 	void EndpointEOF(bool is_orig) override;
 
+	StringVal* GetAuthenticationInfo(const BroString* principal, const BroString* ciphertext, const bro_uint_t enctype) { return new StringVal(""); }
+
 	static analyzer::Analyzer* Instantiate(Connection* conn)
 		{ return new KRB_Analyzer(conn); }
 

src/analyzer/protocol/krb/krb-analyzer.pac

@@ -245,8 +245,12 @@ refine connection KRB_Conn += {
 			rv->Assign(0, new Val(${msg.ap_options.use_session_key}, TYPE_BOOL));
 			rv->Assign(1, new Val(${msg.ap_options.mutual_required}, TYPE_BOOL));
 
+			RecordVal* rvticket = proc_ticket(${msg.ticket});
+			StringVal* authenticationinfo = bro_analyzer()->GetAuthenticationInfo(rvticket->Lookup(2)->AsString(), rvticket->Lookup(4)->AsString(), rvticket->Lookup(3)->AsCount());
+			if ( authenticationinfo )
+				rvticket->Assign(5, authenticationinfo);
 			BifEvent::generate_krb_ap_request(bro_analyzer(), bro_analyzer()->Conn(),
-						      proc_ticket(${msg.ticket}), rv);
+						      rvticket, rv);
 			}
 		return true;
 		%}

src/analyzer/protocol/krb/krb.pac

@@ -4,14 +4,22 @@
 %extern{
 #include "types.bif.h"
 #include "events.bif.h"
+
+namespace analyzer { namespace krb { class KRB_Analyzer; } }
+namespace binpac { namespace KRB { class KRB_Conn; } }
+typedef analyzer::krb::KRB_Analyzer* KRBAnalyzer;
+
+#include "KRB.h"
 %}
 
+extern type KRBAnalyzer;
+
 analyzer KRB withcontext {
 	connection:	KRB_Conn;
 	flow:		KRB_Flow;
 };
 
-connection KRB_Conn(bro_analyzer: BroAnalyzer) {
+connection KRB_Conn(bro_analyzer: KRBAnalyzer) {
 	upflow = KRB_Flow(true);
 	downflow = KRB_Flow(false);
 };

src/analyzer/protocol/krb/krb_TCP.pac

@@ -4,14 +4,22 @@
 %extern{
 #include "types.bif.h"
 #include "events.bif.h"
+
+namespace analyzer { namespace krb_tcp { class KRB_Analyzer; } }
+namespace binpac { namespace KRB_TCP { class KRB_Conn; } }
+typedef analyzer::krb_tcp::KRB_Analyzer* KRBTCPAnalyzer;
+
+#include "KRB_TCP.h"
 %}
 
+extern type KRBTCPAnalyzer;
+
 analyzer KRB_TCP withcontext {
 	connection:	KRB_Conn;
 	flow:		KRB_Flow;
 };
 
-connection KRB_Conn(bro_analyzer: BroAnalyzer) {
+connection KRB_Conn(bro_analyzer: KRBTCPAnalyzer) {
 	upflow = KRB_Flow(true);
 	downflow = KRB_Flow(false);
 };

src/analyzer/protocol/krb/types.bif

@@ -1,5 +1,7 @@
 module KRB;
 
+const keytab: string;
+
 type Error_Msg: record;
 type SAFE_Msg: record;
 

src/analyzer/protocol/ncp/CMakeLists.txt

@@ -5,6 +5,6 @@ include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DI
 
 bro_plugin_begin(Bro NCP)
 bro_plugin_cc(NCP.cc Plugin.cc)
-bro_plugin_bif(events.bif)
+bro_plugin_bif(events.bif consts.bif)
 bro_plugin_pac(ncp.pac)
 bro_plugin_end()

src/analyzer/protocol/ncp/NCP.cc

@@ -9,6 +9,7 @@
 #include "NCP.h"
 
 #include "events.bif.h"
+#include "consts.bif.h"
 
 using namespace std;
 using namespace analyzer::ncp;
@@ -79,7 +80,7 @@ void NCP_Session::DeliverFrame(const binpac::NCP::ncp_frame* frame)
 		}
 	}
 
-FrameBuffer::FrameBuffer(int header_length)
+FrameBuffer::FrameBuffer(size_t header_length)
 	{
 	hdr_len = header_length;
 	msg_buf = 0;
@@ -105,13 +106,12 @@ void FrameBuffer::Reset()
 	msg_len = 0;
 	}
 
-// Returns true if we have a complete frame
+int FrameBuffer::Deliver(int &len, const u_char* &data)
-bool FrameBuffer::Deliver(int &len, const u_char* &data)
 	{
 	ASSERT(buf_len >= hdr_len);
 
 	if ( len == 0 )
-		return false;
+		return -1;
 
 	if ( buf_n < hdr_len )
 		{
@@ -123,13 +123,16 @@ bool FrameBuffer::Deliver(int &len, const u_char* &data)
 			}
 
 		if ( buf_n < hdr_len )
-			return false;
+			return -1;
 
 		compute_msg_length();
 
 		if ( msg_len > buf_len )
 			{
-			buf_len = msg_len * 2;
+			if ( msg_len > BifConst::NCP::max_frame_size )
+				return 1;
+
+			buf_len = msg_len;
 			u_char* new_buf = new u_char[buf_len];
 			memcpy(new_buf, msg_buf, buf_n);
 			delete [] msg_buf;
@@ -143,7 +146,13 @@ bool FrameBuffer::Deliver(int &len, const u_char* &data)
 		++buf_n; ++data; --len;
 		}
 
-	return buf_n >= msg_len;
+	if ( buf_n < msg_len )
+		return -1;
+
+	if ( buf_n == msg_len )
+		return 0;
+
+	return 1;
 	}
 
 void NCP_FrameBuffer::compute_msg_length()
@@ -159,11 +168,7 @@ Contents_NCP_Analyzer::Contents_NCP_Analyzer(Connection* conn, bool orig, NCP_Se
 	{
 	session = arg_session;
 	resync = true;
-
+	resync_set = false;
-	tcp::TCP_Analyzer* tcp = static_cast<tcp::TCP_ApplicationAnalyzer*>(Parent())->TCP();
-	if ( tcp )
-		resync = (orig ? tcp->OrigState() : tcp->RespState()) !=
-						tcp::TCP_ENDPOINT_ESTABLISHED;
 	}
 
 Contents_NCP_Analyzer::~Contents_NCP_Analyzer()
@@ -174,20 +179,23 @@ void Contents_NCP_Analyzer::DeliverStream(int len, const u_char* data, bool orig
 	{
 	tcp::TCP_SupportAnalyzer::DeliverStream(len, data, orig);
 
-	tcp::TCP_Analyzer* tcp = static_cast<tcp::TCP_ApplicationAnalyzer*>(Parent())->TCP();
+	auto tcp = static_cast<NCP_Analyzer*>(Parent())->TCP();
+
+	if ( ! resync_set )
+		{
+		resync_set = true;
+		resync = (IsOrig() ? tcp->OrigState() : tcp->RespState()) !=
+						tcp::TCP_ENDPOINT_ESTABLISHED;
+		}
 
 	if ( tcp && tcp->HadGap(orig) )
 		return;
 
-	DEBUG_MSG("NCP deliver: len = %d resync = %d buffer.empty = %d\n",
-		len, resync, buffer.empty());
-
 	if ( buffer.empty() && resync )
 		{
 		// Assume NCP frames align with packet boundary.
 		if ( (IsOrig() && len < 22) || (! IsOrig() && len < 16) )
 			{ // ignore small fragmeents
-			DEBUG_MSG("NCP discard small pieces: %d\n", len);
 			return;
 			}
 
@@ -204,11 +212,28 @@ void Contents_NCP_Analyzer::DeliverStream(int len, const u_char* data, bool orig
 		resync = false;
 		}
 
-	while ( buffer.Deliver(len, data) )
+	for ( ; ; )
+		{
+		auto result = buffer.Deliver(len, data);
+
+		if ( result < 0 )
+			break;
+
+		if ( result == 0 )
 			{
 			session->Deliver(IsOrig(), buffer.Len(), buffer.Data());
 			buffer.Reset();
 			}
+		else
+			{
+			// The rest of the data available in this delivery will
+			// be discarded and will need to resync to a new frame header.
+			Weird("ncp_large_frame");
+			buffer.Reset();
+			resync = true;
+			break;
+			}
+		}
 	}
 
 void Contents_NCP_Analyzer::Undelivered(uint64 seq, int len, bool orig)
@@ -224,13 +249,13 @@ NCP_Analyzer::NCP_Analyzer(Connection* conn)
 	{
 	session = new NCP_Session(this);
 	o_ncp = new Contents_NCP_Analyzer(conn, true, session);
+	AddSupportAnalyzer(o_ncp);
 	r_ncp = new Contents_NCP_Analyzer(conn, false, session);
+	AddSupportAnalyzer(r_ncp);
 	}
 
 NCP_Analyzer::~NCP_Analyzer()
 	{
 	delete session;
-	delete o_ncp;
-	delete r_ncp;
 	}
 

src/analyzer/protocol/ncp/NCP.h

@@ -51,11 +51,12 @@ protected:
 
 class FrameBuffer {
 public:
-	explicit FrameBuffer(int header_length);
+	explicit FrameBuffer(size_t header_length);
 	virtual ~FrameBuffer();
 
-	// Returns true if a frame is ready
+	// Returns -1 if frame is not ready, 0 if it else, and 1 if
-	bool Deliver(int& len, const u_char* &data);
+	// the frame would require too large of a buffer allocation.
+	int Deliver(int& len, const u_char* &data);
 
 	void Reset();
 
@@ -66,11 +67,11 @@ public:
 protected:
 	virtual void compute_msg_length() = 0;
 
-	int hdr_len;
+	size_t hdr_len;
 	u_char* msg_buf;
-	int msg_len;
+	uint64 msg_len;
-	int buf_n;	// number of bytes in msg_buf
+	size_t buf_n;	// number of bytes in msg_buf
-	int buf_len;	// size off msg_buf
+	size_t buf_len;	// size off msg_buf
 };
 
 #define NCP_TCPIP_HEADER_LENGTH 8
@@ -97,6 +98,7 @@ protected:
 
 	// Re-sync for partial connections (or after a content gap).
 	bool resync;
+	bool resync_set;
 };
 
 class NCP_Analyzer : public tcp::TCP_ApplicationAnalyzer {

src/analyzer/protocol/ncp/consts.bif

@@ -0,0 +1 @@
+const NCP::max_frame_size: count;

src/analyzer/protocol/smb/smb2-com-set-info.pac

@@ -6,12 +6,29 @@ enum smb2_set_info_type {
 };
 
 enum smb_file_info_type {
+	SMB2_FILE_BASIC_INFO        = 0x04,
 	SMB2_FILE_RENAME_INFO       = 0x0a,
 	SMB2_FILE_DISPOSITION_INFO = 0x0d,
 }
 
 refine connection SMB_Conn += {
 
+	function proc_smb2_set_info_request_file(val: SMB2_file_basic_info): bool
+		%{
+		if ( smb2_file_sattr )
+			BifEvent::generate_smb2_file_sattr(bro_analyzer(),
+			                                      bro_analyzer()->Conn(),
+			                                      BuildSMB2HeaderVal(${val.sir.header}),
+			                                      BuildSMB2GUID(${val.sir.file_id}),
+			                                      SMB_BuildMACTimes(${val.last_write_time},
+			                                                        ${val.last_access_time},
+			                                                        ${val.creation_time},
+			                                                        ${val.change_time}),
+			                                      smb2_file_attrs_to_bro(${val.file_attrs}));
+
+		return true;
+		%}
+
 	function proc_smb2_set_info_request_file_rename(val: SMB2_file_rename_info): bool
 		%{
 		if ( smb2_file_rename )
@@ -38,6 +55,16 @@ refine connection SMB_Conn += {
 
 };
 
+type SMB2_file_basic_info(sir: SMB2_set_info_request) = record {
+	creation_time    : SMB_timestamp;
+	last_access_time : SMB_timestamp;
+	last_write_time  : SMB_timestamp;
+	change_time      : SMB_timestamp;
+	file_attrs       : SMB2_file_attributes;
+} &let {
+	proc: bool = $context.connection.proc_smb2_set_info_request_file(this);
+};
+
 type SMB2_file_rename_info(sir: SMB2_set_info_request) = record {
 	replace_if_exists : uint8;
 	reserved          : uint8[7];
@@ -55,6 +82,7 @@ type SMB2_file_disposition_info(sir: SMB2_set_info_request) = record {
 };
 
 type SMB2_set_info_file_class(sir: SMB2_set_info_request) = case sir.info_level of {
+	SMB2_FILE_BASIC_INFO       -> file_basic          : SMB2_file_basic_info(sir);
 	SMB2_FILE_RENAME_INFO      -> file_rename         : SMB2_file_rename_info(sir);
 	SMB2_FILE_DISPOSITION_INFO -> file_disposition    : SMB2_file_disposition_info(sir);
 	default                    -> info_file_unhandled : empty;

src/analyzer/protocol/smb/smb2_com_set_info.bif

@@ -11,7 +11,7 @@
 ##
 ## dst_filename: The filename to rename the file into.
 ##
-## .. bro:see:: smb2_message smb2_file_delete
+## .. bro:see:: smb2_message smb2_file_delete smb2_file_sattr
 event smb2_file_rename%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, dst_filename: string%);
 
 ## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
@@ -23,12 +23,32 @@ event smb2_file_rename%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, d
 ##
 ## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
 ##
+## file_id: The SMB2 GUID for the file.
+##
 ## delete_pending: A boolean value to indicate that a file should be deleted 
 ##                 when it's closed if set to T.
 ##
-## .. bro:see:: smb2_message smb2_file_rename
+## .. bro:see:: smb2_message smb2_file_rename smb2_file_sattr
 event smb2_file_delete%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, delete_pending: bool%);
 
+## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`
+## version 2 requests of type *set_info* of the *file* subtype
+##
+## For more infomation, see MS-SMB2:2.2.39
+##
+## c: The connection.
+##
+## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message.
+##
+## file_id: The SMB2 GUID for the file.
+##
+## times: Timestamps associated with the file in question.
+##
+## attrs: File attributes.
+##
+## .. bro:see:: smb2_message smb2_file_rename smb2_file_delete
+event smb2_file_sattr%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, times: SMB::MACTimes, attrs: SMB2::FileAttrs%);
+
 # TODO - Not implemented
 
 # Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)`

src/analyzer/protocol/ssh/ssh-analyzer.pac

@@ -173,6 +173,18 @@ refine flow SSH_Flow += {
 		connection()->bro_analyzer()->ProtocolConfirmation();
 		return true;
 		%}
+
+	function get_kex_length(v: int, packet_length: uint32): int
+		%{
+		switch (v) {
+			case SSH1:
+				return packet_length + 4 + 8 - (packet_length % 8);
+			case SSH2:
+				return packet_length + 4;
+			default:
+				return 1; //currently causes the rest of the packet to dump
+		}
+		%}
 };
 
 refine typeattr SSH_Version += &let {

src/analyzer/protocol/ssh/ssh-protocol.pac

@@ -22,21 +22,23 @@ type SSH_Version(is_orig: bool) = record {
 	update_version : bool = $context.connection.update_version(version, is_orig);
 };
 
-type SSH_Key_Exchange(is_orig: bool) = case $context.connection.get_version() of {
+type SSH_Key_Exchange(is_orig: bool) = record {
-	SSH1 -> ssh1_msg : SSH1_Key_Exchange(is_orig);
+	packet_length: uint32;
-	SSH2 -> ssh2_msg : SSH2_Key_Exchange(is_orig);
+	key_ex: case $context.connection.get_version() of {
+		SSH1 -> ssh1_msg : SSH1_Key_Exchange(is_orig, packet_length);
+		SSH2 -> ssh2_msg : SSH2_Key_Exchange(is_orig, packet_length);
 	};
+} &length = $context.flow.get_kex_length($context.connection.get_version(), packet_length);
 
 # SSH1 constructs
 #################
 
-type SSH1_Key_Exchange(is_orig: bool) = record {
+type SSH1_Key_Exchange(is_orig: bool, packet_length: uint32) = record {
-	packet_length : uint32;
 	pad_fill      : bytestring &length = 8 - (packet_length % 8);
 	msg_type      : uint8;
 	message       : SSH1_Message(is_orig, msg_type, packet_length - 5);
 	crc           : uint32;
-} &length = packet_length + 4 + 8 - (packet_length % 8);
+} &length = $context.flow.get_kex_length($context.connection.get_version(), packet_length) - 4;
 
 type SSH1_Message(is_orig: bool, msg_type: uint8, length: uint32) = case msg_type of {
 	SSH_SMSG_PUBLIC_KEY  -> public_key  : SSH1_PUBLIC_KEY(length);
@@ -73,8 +75,7 @@ type ssh1_mp_int = record {
 
 ## SSH2
 
-type SSH2_Header(is_orig: bool) = record {
+type SSH2_Header(is_orig: bool, packet_length: uint32) = record {
-	packet_length  : uint32;
 	padding_length : uint8;
 	msg_type       : uint8;
 } &let {
@@ -82,11 +83,11 @@ type SSH2_Header(is_orig: bool) = record {
 	detach         : bool = $context.connection.update_state(ENCRYPTED, is_orig) &if(msg_type == MSG_NEWKEYS);
 };
 
-type SSH2_Key_Exchange(is_orig: bool) = record {
+type SSH2_Key_Exchange(is_orig: bool, packet_length: uint32) = record {
-	header   : SSH2_Header(is_orig);
+	header   : SSH2_Header(is_orig, packet_length);
 	payload  : SSH2_Message(is_orig, header.msg_type, header.payload_length);
 	pad      : bytestring &length=header.padding_length;
-} &length=header.packet_length + 4;
+} &length=packet_length;
 
 type SSH2_Message(is_orig: bool, msg_type: uint8, length: uint32) = case $context.connection.get_state(is_orig) of {
 	KEX_INIT   -> kex        : SSH2_KEXINIT(length, is_orig);

src/broker/Manager.cc

@@ -113,9 +113,7 @@ static inline Val* get_option(const char* option)
 	return id->ID_Val();
 	}
 
-class configuration : public broker::configuration {
+Manager::BrokerConfig::BrokerConfig(broker::broker_options options)
-public:
-	configuration(broker::broker_options options)
 	: broker::configuration(options)
 	{
 	openssl_cafile = get_option("Broker::ssl_cafile")->AsString()->CheckString();
@@ -124,10 +122,9 @@ public:
 	openssl_key = get_option("Broker::ssl_keyfile")->AsString()->CheckString();
 	openssl_passphrase = get_option("Broker::ssl_passphrase")->AsString()->CheckString();
 	}
-};
 
-Manager::BrokerState::BrokerState(broker::broker_options options)
+Manager::BrokerState::BrokerState(BrokerConfig config)
-	: endpoint(configuration(options)),
+	: endpoint(std::move(config)),
 	  subscriber(endpoint.make_subscriber({}, SUBSCRIBER_MAX_QSIZE)),
 	  status_subscriber(endpoint.make_status_subscriber(true))
 	{
@@ -136,6 +133,7 @@ Manager::BrokerState::BrokerState(broker::broker_options options)
 Manager::Manager(bool reading_pcaps)
 	{
 	bound_port = 0;
+	peer_count = 0;
 
 	next_timestamp = 1;
 	SetIdle(false);
@@ -172,7 +170,43 @@ void Manager::InitPostScript()
 	options.forward = get_option("Broker::forward_messages")->AsBool();
 	options.use_real_time = ! reading_pcaps;
 
-	bstate = std::make_shared<BrokerState>(options);
+	BrokerConfig config{std::move(options)};
+	auto max_threads = get_option("Broker::max_threads")->AsCount();
+	auto max_sleep = get_option("Broker::max_sleep")->AsCount();
+
+	if ( max_threads )
+		config.scheduler_max_threads = max_threads;
+	else
+		{
+		// On high-core-count systems, spawning one thread per core
+		// can lead to significant performance problems even if most
+		// threads are under-utilized.  Related:
+		// https://github.com/actor-framework/actor-framework/issues/699
+		if ( reading_pcaps )
+			config.scheduler_max_threads = 2u;
+		else
+			{
+			auto hc = std::thread::hardware_concurrency();
+
+			if ( hc > 8u )
+				hc = 8u;
+			else if ( hc < 4u)
+				hc = 4u;
+
+			config.scheduler_max_threads = hc;
+			}
+		}
+
+	if ( max_sleep )
+		config.work_stealing_relaxed_sleep_duration_us = max_sleep;
+	else
+		// 64ms is just an arbitrary amount derived from testing
+		// the overhead of a unused CAF actor system on a 32-core system.
+		// Performance was within 2% of baseline timings (w/o CAF)
+		// when using this sleep duration.
+		config.work_stealing_relaxed_sleep_duration_us = 64000;
+
+	bstate = std::make_shared<BrokerState>(std::move(config));
 	}
 
 void Manager::Terminate()
@@ -192,7 +226,9 @@ void Manager::Terminate()
 	FlushLogBuffers();
 
 	for ( auto& p : bstate->endpoint.peers() )
-		bstate->endpoint.unpeer(p.peer.network->address, p.peer.network->port);
+		if ( p.peer.network )
+			bstate->endpoint.unpeer(p.peer.network->address,
+			                        p.peer.network->port);
 
 	bstate->endpoint.shutdown();
 	}
@@ -205,7 +241,7 @@ bool Manager::Active()
 	if ( bound_port > 0 )
 		return true;
 
-	return bstate->endpoint.peers().size();
+	return peer_count > 0;
 	}
 
 void Manager::AdvanceTime(double seconds_since_unix_epoch)
@@ -228,9 +264,18 @@ void Manager::FlushPendingQueries()
 		{
 		// possibly an infinite loop if a query can recursively
 		// generate more queries...
-		Process();
+		for ( auto& s : data_stores )
+			{
+			while ( ! s.second->proxy.mailbox().empty() )
+				{
+				auto response = s.second->proxy.receive();
+				ProcessStoreResponse(s.second, move(response));
 				}
 			}
+		}
+
+	SetIdle(false);
+	}
 
 uint16_t Manager::Listen(const string& addr, uint16_t port)
 	{
@@ -301,7 +346,7 @@ bool Manager::PublishEvent(string topic, std::string name, broker::vector args)
 	if ( bstate->endpoint.is_shutdown() )
 		return true;
 
-	if ( ! bstate->endpoint.peers().size() )
+	if ( peer_count == 0 )
 		return true;
 
 	DBG_LOG(DBG_BROKER, "Publishing event: %s",
@@ -317,7 +362,7 @@ bool Manager::PublishEvent(string topic, RecordVal* args)
 	if ( bstate->endpoint.is_shutdown() )
 		return true;
 
-	if ( ! bstate->endpoint.peers().size() )
+	if ( peer_count == 0 )
 		return true;
 
 	if ( ! args->Lookup(0) )
@@ -341,31 +386,47 @@ bool Manager::PublishEvent(string topic, RecordVal* args)
 bool Manager::RelayEvent(std::string first_topic,
                          broker::set relay_topics,
                          std::string name,
-                         broker::vector args)
+                         broker::vector args,
+                         bool handle_on_relayer)
 	{
 	if ( bstate->endpoint.is_shutdown() )
 		return true;
 
-	if ( ! bstate->endpoint.peers().size() )
+	if ( peer_count == 0 )
 		return true;
 
-	DBG_LOG(DBG_BROKER, "Publishing relay event: %s",
+	DBG_LOG(DBG_BROKER, "Publishing %s-relay event: %s",
+			handle_on_relayer ? "handle" : "",
 	        RenderEvent(first_topic, name, args).c_str());
-	broker::bro::RelayEvent msg(std::move(relay_topics), std::move(name),
+
+	if ( handle_on_relayer )
+		{
+		broker::bro::HandleAndRelayEvent msg(std::move(relay_topics),
+		                                     std::move(name),
 		                                     std::move(args));
 		bstate->endpoint.publish(std::move(first_topic), std::move(msg));
+		}
+	else
+		{
+		broker::bro::RelayEvent msg(std::move(relay_topics),
+		                            std::move(name),
+		                            std::move(args));
+		bstate->endpoint.publish(std::move(first_topic), std::move(msg));
+		}
+
 	++statistics.num_events_outgoing;
 	return true;
 	}
 
 bool Manager::RelayEvent(std::string first_topic,
                          std::set<std::string> relay_topics,
-                         RecordVal* args)
+                         RecordVal* args,
+                         bool handle_on_relayer)
 	{
 	if ( bstate->endpoint.is_shutdown() )
 		return true;
 
-	if ( ! bstate->endpoint.peers().size() )
+	if ( peer_count == 0 )
 		return true;
 
 	if ( ! args->Lookup(0) )
@@ -389,7 +450,7 @@ bool Manager::RelayEvent(std::string first_topic,
 		topic_set.emplace(std::move(t));
 
 	return RelayEvent(first_topic, std::move(topic_set), event_name,
-					  std::move(xs));
+					  std::move(xs), handle_on_relayer);
 	}
 
 bool Manager::PublishIdentifier(std::string topic, std::string id)
@@ -397,7 +458,7 @@ bool Manager::PublishIdentifier(std::string topic, std::string id)
 	if ( bstate->endpoint.is_shutdown() )
 		return true;
 
-	if ( ! bstate->endpoint.peers().size() )
+	if ( peer_count == 0 )
 		return true;
 
 	ID* i = global_scope()->Lookup(id.c_str());
@@ -437,7 +498,7 @@ bool Manager::PublishLogCreate(EnumVal* stream, EnumVal* writer,
 	if ( bstate->endpoint.is_shutdown() )
 		return true;
 
-	if ( ! bstate->endpoint.peers().size() )
+	if ( peer_count == 0 )
 		return true;
 
 	auto stream_id = stream->Type()->AsEnumType()->Lookup(stream->AsEnum());
@@ -491,7 +552,7 @@ bool Manager::PublishLogWrite(EnumVal* stream, EnumVal* writer, string path, int
 	if ( bstate->endpoint.is_shutdown() )
 		return true;
 
-	if ( ! bstate->endpoint.peers().size() )
+	if ( peer_count == 0 )
 		return true;
 
 	auto stream_id_num = stream->AsEnum();
@@ -820,6 +881,10 @@ void Manager::DispatchMessage(broker::data msg)
 		ProcessRelayEvent(std::move(msg));
 		break;
 
+	case broker::bro::Message::Type::HandleAndRelayEvent:
+		ProcessHandleAndRelayEvent(std::move(msg));
+		break;
+
 	case broker::bro::Message::Type::LogCreate:
 		ProcessLogCreate(std::move(msg));
 		break;
@@ -907,23 +972,23 @@ void Manager::Process()
 	SetIdle(! had_input);
 	}
 
-void Manager::ProcessEvent(broker::bro::Event ev)
+
+void Manager::ProcessEvent(std::string name, broker::vector args)
 	{
-	DBG_LOG(DBG_BROKER, "Received event: %s", RenderMessage(ev).c_str());
+	DBG_LOG(DBG_BROKER, "Process event: %s %s",
-
+			name.data(), RenderMessage(args).data());
 	++statistics.num_events_incoming;
+	auto handler = event_registry->Lookup(name.data());
 
-	auto handler = event_registry->Lookup(ev.name().c_str());
 	if ( ! handler )
 		return;
 
-	auto& args = ev.args();
 	auto arg_types = handler->FType(false)->ArgTypes()->Types();
 
 	if ( static_cast<size_t>(arg_types->length()) != args.size() )
 		{
 		reporter->Warning("got event message '%s' with invalid # of args,"
-				  " got %zd, expected %d", ev.name().data(), args.size(),
+				  " got %zd, expected %d", name.data(), args.size(),
 				  arg_types->length());
 		return;
 		}
@@ -942,7 +1007,7 @@ void Manager::ProcessEvent(broker::bro::Event ev)
 			{
 			reporter->Warning("failed to convert remote event '%s' arg #%d,"
 			                  " got %s, expected %s",
-			                  ev.name().data(), i, got_type,
+			                  name.data(), i, got_type,
 			                  type_name(expected_type->Tag()));
 			break;
 			}
@@ -954,6 +1019,11 @@ void Manager::ProcessEvent(broker::bro::Event ev)
 		delete_vals(vl);
 	}
 
+void Manager::ProcessEvent(broker::bro::Event ev)
+	{
+	ProcessEvent(std::move(ev.name()), std::move(ev.args()));
+	}
+
 void Manager::ProcessRelayEvent(broker::bro::RelayEvent ev)
 	{
 	DBG_LOG(DBG_BROKER, "Received relay event: %s", RenderMessage(ev).c_str());
@@ -965,6 +1035,18 @@ void Manager::ProcessRelayEvent(broker::bro::RelayEvent ev)
 		             std::move(ev.args()));
 	}
 
+void Manager::ProcessHandleAndRelayEvent(broker::bro::HandleAndRelayEvent ev)
+	{
+	DBG_LOG(DBG_BROKER, "Received handle-relay event: %s",
+	        RenderMessage(ev).c_str());
+	ProcessEvent(ev.name(), ev.args());
+
+	for ( auto& t : ev.topics() )
+		PublishEvent(std::move(broker::get<std::string>(t)),
+		             std::move(ev.name()),
+		             std::move(ev.args()));
+	}
+
 bool bro_broker::Manager::ProcessLogCreate(broker::bro::LogCreate lc)
 	{
 	DBG_LOG(DBG_BROKER, "Received log-create: %s", RenderMessage(lc).c_str());
@@ -1148,16 +1230,19 @@ void Manager::ProcessStatus(broker::status stat)
 		break;
 
 	case broker::sc::peer_added:
+		++peer_count;
 		assert(ctx);
 		log_mgr->SendAllWritersTo(*ctx);
 		event = Broker::peer_added;
 		break;
 
 	case broker::sc::peer_removed:
+		--peer_count;
 		event = Broker::peer_removed;
 		break;
 
 	case broker::sc::peer_lost:
+		--peer_count;
 		event = Broker::peer_lost;
 		break;
 	}
@@ -1453,11 +1538,7 @@ bool Manager::TrackStoreQuery(StoreHandleVal* handle, broker::request_id id,
 
 const Stats& Manager::GetStatistics()
 	{
-	if ( bstate->endpoint.is_shutdown() )
+	statistics.num_peers = peer_count;
-		statistics.num_peers = 0;
-	else
-		statistics.num_peers = bstate->endpoint.peers().size();
-
 	statistics.num_stores = data_stores.size();
 	statistics.num_pending_queries = pending_queries.size();
 

src/broker/Manager.h

@@ -148,33 +148,41 @@ public:
 	bool PublishEvent(std::string topic, RecordVal* ev);
 
 	/**
-	 * Sends an event to any interested peers, who, upon receipt, immediately
+	 * Sends an event to any interested peers, who, upon receipt,
-	 * republish the event to a new set of topics.
+	 * republishes the event to a new set of topics and optionally
+	 * calls event handlers.
 	 * @param first_topic the first topic to use when publishing the event
 	 * @param relay_topics the set of topics the receivers will use to
 	 * republish the event.  The event is relayed at most a single hop.
 	 * @param name the name of the event
 	 * @param args the event's arguments
+	 * @param handle_on_relayer whether they relaying-node should call event
+	 * handlers.
 	 * @return true if the message is sent successfully.
 	 */
 	bool RelayEvent(std::string first_topic,
 					broker::set relay_topics,
 					std::string name,
-					broker::vector args);
+					broker::vector args,
+					bool handle_on_relayer);
 
 	/**
-	 * Sends an event to any interested peers, who, upon receipt, immediately
+	 * Sends an event to any interested peers, who, upon receipt,
-	 * republish the event to a new set of topics.
+	 * republishes the event to a new set of topics and optionally
+	 * calls event handlers.
 	 * @param first_topic the first topic to use when publishing the event
 	 * @param relay_topics the set of topics the receivers will use to
 	 * republish the event.  The event is relayed at most a single hop.
 	 * @param ev the event and its arguments to send to peers, in the form of
 	 * a Broker::Event record type.
+	 * @param handle_on_relayer whether they relaying-node should call event
+	 * handlers.
 	 * @return true if the message is sent successfully.
 	 */
 	bool RelayEvent(std::string first_topic,
 					std::set<std::string> relay_topics,
-					RecordVal* ev);
+					RecordVal* ev,
+					bool handle_on_relayer);
 
 	/**
 	 * Send a message to create a log stream to any interested peers.
@@ -331,17 +339,24 @@ public:
 
 private:
 
+	class BrokerConfig : public broker::configuration {
+	public:
+		BrokerConfig(broker::broker_options options);
+	};
+
 	class BrokerState {
 	public:
-		BrokerState(broker::broker_options options);
+		BrokerState(BrokerConfig config);
 		broker::endpoint endpoint;
 		broker::subscriber subscriber;
 		broker::status_subscriber status_subscriber;
 	};
 
 	void DispatchMessage(broker::data msg);
+	void ProcessEvent(std::string name, broker::vector args);
 	void ProcessEvent(broker::bro::Event ev);
 	void ProcessRelayEvent(broker::bro::RelayEvent re);
+	void ProcessHandleAndRelayEvent(broker::bro::HandleAndRelayEvent ev);
 	bool ProcessLogCreate(broker::bro::LogCreate lc);
 	bool ProcessLogWrite(broker::bro::LogWrite lw);
 	bool ProcessIdentifierUpdate(broker::bro::IdentifierUpdate iu);
@@ -404,6 +419,8 @@ private:
 	Stats statistics;
 	double next_timestamp;
 	bool reading_pcaps;
+	int peer_count;
+
 	static int script_scope;
 
 	static VectorType* vector_of_data_type;

src/broker/messaging.bif

@@ -76,13 +76,13 @@ static bool relay_event_args(val_list& args, const BroString* topic,
 	if ( args[0]->Type()->Tag() == TYPE_RECORD )
 		rval = broker_mgr->RelayEvent(topic->CheckString(),
 									  std::move(topic_set),
-		                              args[0]->AsRecordVal());
+		                              args[0]->AsRecordVal(), false);
 	else
 		{
 		auto ev = broker_mgr->MakeEvent(&args, frame);
 		rval = broker_mgr->RelayEvent(topic->CheckString(),
 									  std::move(topic_set),
-									  ev);
+									  ev, false);
 		Unref(ev);
 		}
 
@@ -133,7 +133,7 @@ function Broker::publish%(topic: string, ...%): bool
 
 ## Publishes an event at a given topic, with any receivers automatically
 ## forwarding it to its peers with a different topic.  The event is relayed
-## at most a single hop.
+## at most a single hop and the relayer does not call any local event handlers.
 ##
 ## first_topic: the initial topic to use for publishing the event.
 ##
@@ -181,12 +181,74 @@ function Broker::relay%(first_topic: string, ...%): bool
 	if ( args[0]->Type()->Tag() == TYPE_RECORD )
 		rval = broker_mgr->RelayEvent(first_topic->CheckString(),
 									  std::move(topic_set),
-	                                  args[0]->AsRecordVal());
+	                                  args[0]->AsRecordVal(), false);
 	else
 		{
 		auto ev = broker_mgr->MakeEvent(&args, frame);
 		rval = broker_mgr->RelayEvent(first_topic->CheckString(),
-									  std::move(topic_set), ev);
+									  std::move(topic_set), ev, false);
+		Unref(ev);
+		}
+
+	return new Val(rval, TYPE_BOOL);
+	%}
+
+## Publishes an event at a given topic, with any receivers automatically
+## forwarding it to its peers with a different topic.  The event is relayed
+## at most a single hop and the relayer does call local event handlers.
+##
+## first_topic: the initial topic to use for publishing the event.
+##
+## args: the first member of the argument list may be either a string or
+##       a set of strings indicating the secondary topic that the first
+##       set of receivers will use to re-publish the event.  The remaining
+##       members of the argument list are either the return value of a
+##       previously-made call to :bro:see:`Broker::make_event` or the
+##       argument list that should be passed along to it, so that it can
+##       be called as part of executing this function.
+##
+## Returns: true if the message is sent.
+function Broker::publish_and_relay%(first_topic: string, ...%): bool
+	%{
+	bro_broker::Manager::ScriptScopeGuard ssg;
+	val_list* bif_args = @ARGS@;
+
+	if ( bif_args->length() < 3 )
+		{
+		builtin_error("Broker::publish_and_relay requires at least 3 arguments");
+		return new Val(false, TYPE_BOOL);
+		}
+
+	auto second_topic = (*bif_args)[1];
+
+	if ( second_topic->Type()->Tag() != TYPE_STRING &&
+		 ! is_string_set(second_topic->Type()) )
+		{
+		builtin_error("Broker::publish_and_relay requires a string or string_set as 2nd argument");
+		return new Val(false, TYPE_BOOL);
+		}
+
+	auto topic_set = val_to_topic_set(second_topic);
+
+	if ( topic_set.empty() )
+		return new Val(false, TYPE_BOOL);
+
+	val_list args(bif_args->length() - 2);
+
+	for ( auto i = 2; i < bif_args->length(); ++i )
+		args.append((*bif_args)[i]);
+
+	auto rval = false;
+
+	if ( args[0]->Type()->Tag() == TYPE_RECORD )
+		rval = broker_mgr->RelayEvent(first_topic->CheckString(),
+									  std::move(topic_set),
+	                                  args[0]->AsRecordVal(), true);
+	else
+		{
+		auto ev = broker_mgr->MakeEvent(&args, frame);
+		rval = broker_mgr->RelayEvent(first_topic->CheckString(),
+									  std::move(topic_set), ev, true);
 		Unref(ev);
 		}
 

src/broxygen/Manager.cc

@@ -12,7 +12,13 @@ using namespace std;
 
 static void DbgAndWarn(const char* msg)
 	{
-	reporter->InternalWarning("%s", msg);
+	if ( reporter->Errors() )
+		// We've likely already reported to real source of the problem
+		// as an error, avoid adding an additional warning which may
+		// be confusing.
+		return;
+
+	reporter->Warning("%s", msg);
 	DBG_LOG(DBG_BROXYGEN, "%s", msg);
 	}
 
@@ -22,7 +28,8 @@ static void WarnMissingScript(const char* type, const ID* id,
 	if ( script == "<command line>" )
 		return;
 
-	DbgAndWarn(fmt("Can't document %s %s, lookup of %s failed",
+	DbgAndWarn(fmt("Can't generate Broxygen doumentation for %s %s, "
+	               "lookup of %s failed",
 	               type, id->Name(), script.c_str()));
 	}
 
@@ -122,7 +129,8 @@ void Manager::Script(const string& path)
 
 	if ( scripts.GetInfo(name) )
 		{
-		DbgAndWarn(fmt("Duplicate script documentation: %s", name.c_str()));
+		DbgAndWarn(fmt("Duplicate Broxygen script documentation: %s",
+		               name.c_str()));
 		return;
 		}
 
@@ -138,7 +146,8 @@ void Manager::Script(const string& path)
 
 	if ( packages.GetInfo(name) )
 		{
-		DbgAndWarn(fmt("Duplicate package documentation: %s", name.c_str()));
+		DbgAndWarn(fmt("Duplicate Broxygen package documentation: %s",
+		               name.c_str()));
 		return;
 		}
 
@@ -155,7 +164,8 @@ void Manager::ScriptDependency(const string& path, const string& dep)
 
 	if ( dep.empty() )
 		{
-		DbgAndWarn(fmt("Empty script doc dependency: %s", path.c_str()));
+		DbgAndWarn(fmt("Empty Broxygen script doc dependency: %s",
+		               path.c_str()));
 		return;
 		}
 
@@ -165,8 +175,8 @@ void Manager::ScriptDependency(const string& path, const string& dep)
 
 	if ( ! script_info )
 		{
-		DbgAndWarn(fmt("Failed to add script doc dependency %s for %s",
+		DbgAndWarn(fmt("Failed to add Broxygen script doc dependency %s "
-		               depname.c_str(), name.c_str()));
+		               "for %s", depname.c_str(), name.c_str()));
 		return;
 		}
 
@@ -189,7 +199,7 @@ void Manager::ModuleUsage(const string& path, const string& module)
 
 	if ( ! script_info )
 		{
-		DbgAndWarn(fmt("Failed to add module usage %s in %s",
+		DbgAndWarn(fmt("Failed to add Broxygen module usage %s in %s",
 		               module.c_str(), name.c_str()));
 		return;
 		}
@@ -231,7 +241,8 @@ void Manager::StartType(ID* id)
 
 	if ( id->GetLocationInfo() == &no_location )
 		{
-		DbgAndWarn(fmt("Can't document %s, no location available", id->Name()));
+		DbgAndWarn(fmt("Can't generate broxygen doumentation for %s, "
+		               "no location available", id->Name()));
 		return;
 		}
 
@@ -323,7 +334,8 @@ void Manager::RecordField(const ID* id, const TypeDecl* field,
 
 	if ( ! idd )
 		{
-		DbgAndWarn(fmt("Can't document record field %s, unknown record: %s",
+		DbgAndWarn(fmt("Can't generate broxygen doumentation for "
+		               "record field %s, unknown record: %s",
 		               field->id, id->Name()));
 		return;
 		}
@@ -348,7 +360,8 @@ void Manager::Redef(const ID* id, const string& path)
 
 	if ( ! id_info )
 		{
-		DbgAndWarn(fmt("Can't document redef of %s, identifier lookup failed",
+		DbgAndWarn(fmt("Can't generate broxygen doumentation for "
+		               "redef of %s, identifier lookup failed",
 		               id->Name()));
 		return;
 		}

src/broxygen/ScriptInfo.cc

@@ -250,6 +250,19 @@ void ScriptInfo::DoInitPostScript()
 		        id->Name(), name.c_str());
 		state_vars.push_back(info);
 		}
+
+	// The following enum types are automatically created internally in Bro,
+	// so just manually associating them with scripts for now.
+	if ( name == "base/frameworks/input/main.bro" )
+		{
+		auto id = global_scope()->Lookup("Input::Reader");
+		types.push_back(new IdentifierInfo(id, this));
+		}
+	else if ( name == "base/frameworks/logging/main.bro" )
+		{
+		auto id = global_scope()->Lookup("Log::Writer");
+		types.push_back(new IdentifierInfo(id, this));
+		}
 	}
 
 vector<string> ScriptInfo::GetComments() const

src/file_analysis/analyzer/x509/X509Common.cc

@@ -244,7 +244,7 @@ void file_analysis::X509Common::ParseExtension(X509_EXTENSION* ex, EventHandlerP
 		int len = i2d_ASN1_OCTET_STRING(X509_EXTENSION_get_data(ex), &buf);
 		if ( len >=0 )
 			{
-			BIO_write(bio, &buf, len);
+			BIO_write(bio, buf, len);
 			OPENSSL_free(buf);
 			}
 		}

src/input.h

@@ -14,6 +14,7 @@ extern int yydebug;
 extern int brolex();
 extern char last_tok[128];
 
+extern void add_essential_input_file(const char* file);
 extern void add_input_file(const char* file);
 extern void add_input_file_at_front(const char* file);
 

src/iosource/Manager.cc

@@ -81,7 +81,7 @@ IOSource* Manager::FindSoonest(double* ts)
 			all_idle = false;
 			double local_network_time = 0;
 			double ts = (*i)->src->NextTimestamp(&local_network_time);
-			if ( ts > 0 && ts < soonest_ts )
+			if ( ts >= 0 && ts < soonest_ts )
 				{
 				soonest_ts = ts;
 				soonest_src = (*i)->src;
@@ -162,7 +162,7 @@ IOSource* Manager::FindSoonest(double* ts)
 				{
 				double local_network_time = 0;
 				double ts = src->src->NextTimestamp(&local_network_time);
-				if ( ts > 0.0 && ts < soonest_ts )
+				if ( ts >= 0.0 && ts < soonest_ts )
 					{
 					soonest_ts = ts;
 					soonest_src = src->src;

src/main.cc

@@ -44,6 +44,7 @@ extern "C" {
 #include "EventRegistry.h"
 #include "Stats.h"
 #include "Brofiler.h"
+#include "Traverse.h"
 
 #include "threading/Manager.h"
 #include "input/Manager.h"
@@ -114,6 +115,7 @@ char* command_line_policy = 0;
 vector<string> params;
 set<string> requested_plugins;
 char* proc_status_file = 0;
+int old_comm_usage_count = 0;
 
 OpaqueType* md5_type = 0;
 OpaqueType* sha1_type = 0;
@@ -424,6 +426,70 @@ static void bro_new_handler()
 	out_of_memory("new");
 	}
 
+static auto old_comm_ids = std::set<const char*, CompareString>{
+	"connect",
+	"disconnect",
+	"request_remote_events",
+	"request_remote_sync",
+	"request_remote_logs",
+	"set_accept_state",
+	"set_compression_level",
+	"listen",
+	"send_id",
+	"terminate_communication",
+	"complete_handshake",
+	"send_ping",
+	"send_current_packet",
+	"get_event_peer",
+	"send_capture_filter",
+	"suspend_state_updates",
+	"resume_state_updates",
+};
+
+static bool is_old_comm_usage(const ID* id)
+	{
+	auto name = id->Name();
+
+	if ( old_comm_ids.find(name) == old_comm_ids.end() )
+		return false;
+
+	return true;
+	}
+
+class OldCommUsageTraversalCallback : public TraversalCallback {
+public:
+	virtual TraversalCode PreExpr(const Expr* expr) override
+		{
+		switch ( expr->Tag() ) {
+		case EXPR_CALL:
+			{
+			const CallExpr* call = static_cast<const CallExpr*>(expr);
+			auto func = call->Func();
+
+			if ( func->Tag() == EXPR_NAME )
+				{
+				const NameExpr* ne = static_cast<const NameExpr*>(func);
+				auto id = ne->Id();
+
+				if ( is_old_comm_usage(id) )
+					++old_comm_usage_count;
+				}
+			}
+			break;
+		default:
+			break;
+		}
+
+		return TC_CONTINUE;
+		}
+};
+
+static void find_old_comm_usages()
+	{
+	OldCommUsageTraversalCallback cb;
+	traverse_all(&cb);
+	}
+
 int main(int argc, char** argv)
 	{
 	std::set_new_handler(bro_new_handler);
@@ -755,7 +821,9 @@ int main(int argc, char** argv)
 
 	broxygen_mgr = new broxygen::Manager(broxygen_config, bro_argv[0]);
 
-	add_input_file("base/init-bare.bro");
+	add_essential_input_file("base/init-bare.bro");
+	add_essential_input_file("base/init-frameworks-and-bifs.bro");
+
 	if ( ! bare_mode )
 		add_input_file("base/init-default.bro");
 
@@ -852,6 +920,22 @@ int main(int argc, char** argv)
 	yyparse();
 	is_parsing = false;
 
+	find_old_comm_usages();
+
+	if ( old_comm_usage_count )
+		{
+		auto old_comm_ack_id = global_scope()->Lookup("old_comm_usage_is_ok");
+
+		if ( ! old_comm_ack_id->ID_Val()->AsBool() )
+			reporter->FatalError("Detected old, deprecated communication "
+								 "system usages that will not work unless "
+								 "you explicitly take action to initizialize "
+								 "and set up the old comm. system.  "
+								 "Set the 'old_comm_usage_is_ok' flag "
+								 "to bypass this error if you've taken such "
+								 "actions.");
+		}
+
 	RecordVal::ResizeParseTimeRecords();
 
 	init_general_global_var();

src/parse.y

@@ -34,18 +34,21 @@
 
 %token TOK_NO_TEST
 
-%left ',' '|'
+%left ','
 %right '=' TOK_ADD_TO TOK_REMOVE_FROM
 %right '?' ':'
-%left TOK_OR
+%left TOK_OR_OR
-%left TOK_AND
+%left TOK_AND_AND
 %nonassoc TOK_HOOK
 %nonassoc '<' '>' TOK_LE TOK_GE TOK_EQ TOK_NE
 %left TOK_IN TOK_NOT_IN
+%left '|'
+%left '^'
+%left '&'
 %left '+' '-'
 %left '*' '/' '%'
 %left TOK_INCR TOK_DECR
-%right '!'
+%right '!' '~'
 %left '$' '[' ']' '(' ')' TOK_HAS_FIELD TOK_HAS_ATTR
 %nonassoc TOK_AS TOK_IS
 
@@ -338,6 +341,12 @@ expr:
 			$$ = new NotExpr($2);
 			}
 
+	|	'~' expr
+			{
+			set_location(@1, @2);
+			$$ = new ComplementExpr($2);
+			}
+
 	|	'-' expr	%prec '!'
 			{
 			set_location(@1, @2);
@@ -392,16 +401,34 @@ expr:
 			$$ = new ModExpr($1, $3);
 			}
 
-	|	expr TOK_AND expr
+	|	expr '&' expr
 			{
 			set_location(@1, @3);
-			$$ = new BoolExpr(EXPR_AND, $1, $3);
+			$$ = new BitExpr(EXPR_AND, $1, $3);
 			}
 
-	|	expr TOK_OR expr
+	|	expr '|' expr
 			{
 			set_location(@1, @3);
-			$$ = new BoolExpr(EXPR_OR, $1, $3);
+			$$ = new BitExpr(EXPR_OR, $1, $3);
+			}
+
+	|	expr '^' expr
+			{
+			set_location(@1, @3);
+			$$ = new BitExpr(EXPR_XOR, $1, $3);
+			}
+
+	|	expr TOK_AND_AND expr
+			{
+			set_location(@1, @3);
+			$$ = new BoolExpr(EXPR_AND_AND, $1, $3);
+			}
+
+	|	expr TOK_OR_OR expr
+			{
+			set_location(@1, @3);
+			$$ = new BoolExpr(EXPR_OR_OR, $1, $3);
 			}
 
 	|	expr TOK_EQ expr
@@ -704,7 +731,7 @@ expr:
 			$$ = new ConstExpr(new PatternVal($1));
 			}
 
-	|       '|' expr '|'
+	|       '|' expr '|'	%prec '('
 			{
 			set_location(@1, @3);
 			$$ = new SizeExpr($2);

src/scan.l

@@ -193,7 +193,7 @@ ESCSEQ	(\\([^\n]|[0-7]+|x[[:xdigit:]]+))
 	RET_CONST(new SubNetVal(IPPrefix(IPAddr(ip), len)))
 }
 
-[!%*/+\-,:;<=>?()\[\]{}~$|]	return yytext[0];
+[!%*/+\-,:;<=>?()\[\]{}~$|&^]	return yytext[0];
 
 "--"	return TOK_DECR;
 "++"	return TOK_INCR;
@@ -206,8 +206,8 @@ ESCSEQ	(\\([^\n]|[0-7]+|x[[:xdigit:]]+))
 ">="	return TOK_GE;
 "<="	return TOK_LE;
 
-"&&"	return TOK_AND;
+"&&"	return TOK_AND_AND;
-"||"	return TOK_OR;
+"||"	return TOK_OR_OR;
 
 add	return TOK_ADD;
 addr	return TOK_ADDR;
@@ -310,6 +310,7 @@ when	return TOK_WHEN;
 	}
 
 &synchronized  {
+	++old_comm_usage_count;
 	deprecated_attr(yytext);
 	return TOK_ATTR_SYNCHRONIZED;
 	}
@@ -821,6 +822,18 @@ void do_atendif()
 // are referred to (in order to save the locations of tokens and statements,
 // for error reporting and debugging).
 static name_list input_files;
+static name_list essential_input_files;
+
+void add_essential_input_file(const char* file)
+	{
+	if ( ! file )
+		reporter->InternalError("empty filename");
+
+	if ( ! filename )
+		(void) load_files(file);
+	else
+		essential_input_files.append(copy_string(file));
+	}
 
 void add_input_file(const char* file)
 	{
@@ -869,7 +882,7 @@ int yywrap()
 	if ( ! did_builtin_init && file_stack.length() == 1 )
 		{
 		// ### This is a gross hack - we know that the first file
-		// we parse is bro.init, and after it it's safe to initialize
+		// we parse is init-bare.bro, and after it it's safe to initialize
 		// the built-ins.  Furthermore, we want to initialize the
 		// built-in's *right* after parsing bro.init, so that other
 		// source files can use built-in's when initializing globals.
@@ -885,19 +898,22 @@ int yywrap()
 		return 0;
 
 	// Stack is now empty.
-	while ( input_files.length() > 0 )
+	while ( essential_input_files.length() > 0 || input_files.length() > 0 )
 		{
-		if ( load_files(input_files[0]) )
+		name_list& files = essential_input_files.length() > 0 ?
+		             essential_input_files : input_files;
+
+		if ( load_files(files[0]) )
 			{
 			// Don't delete the filename - it's pointed to by
 			// every BroObj created when parsing it.
-			(void) input_files.remove_nth(0);
+			(void) files.remove_nth(0);
 			return 0;
 			}
 
 		// We already scanned the file.  Pop it and try the next,
 		// if any.
-		(void) input_files.remove_nth(0);
+		(void) files.remove_nth(0);
 		}
 
 	// For each file scanned so far, and for each @prefix, look for a

testing/btest/Baseline/broker.remote_publish_and_relay_event/one.one.out

@@ -0,0 +1,3 @@
+sender added peer: endpoint=127.0.0.1 msg=received handshake from remote core
+got ready event
+sender lost peer: endpoint=127.0.0.1 msg=lost remote peer

testing/btest/Baseline/broker.remote_publish_and_relay_event/three.three.out

@@ -0,0 +1,2 @@
+receiver added peer: endpoint=127.0.0.1 msg=handshake successful
+got my_event, hello world

testing/btest/Baseline/broker.remote_publish_and_relay_event/two.two.out

@@ -0,0 +1,5 @@
+receiver added peer: endpoint=127.0.0.1 msg=received handshake from remote core
+receiver added peer: endpoint=127.0.0.1 msg=handshake successful
+sending ready event
+got my_event, hello world
+receiver lost peer: endpoint=127.0.0.1 msg=lost remote peer

testing/btest/Baseline/core.old_comm_usage/out

@@ -0,0 +1,2 @@
+warning in /Users/jon/projects/bro/bro/testing/btest/.tmp/core.old_comm_usage/old_comm_usage.bro, line 6: deprecated (terminate_communication)
+fatal error: Detected old, deprecated communication system usages that will not work unless you explicitly take action to initizialize and set up the old comm. system.  Set the 'old_comm_usage_is_ok' flag to bypass this error if you've taken such actions.

testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log

@@ -3,18 +3,21 @@
 #empty_field	(empty)
 #unset_field	-
 #path	loaded_scripts
-#open	2018-03-01-16-07-03
+#open	2018-06-08-16-37-15
 #fields	name
 #types	string
 scripts/base/init-bare.bro
   build/scripts/base/bif/const.bif.bro
   build/scripts/base/bif/types.bif.bro
-  build/scripts/base/bif/strings.bif.bro
   build/scripts/base/bif/bro.bif.bro
+  build/scripts/base/bif/stats.bif.bro
   build/scripts/base/bif/reporter.bif.bro
+  build/scripts/base/bif/strings.bif.bro
+  build/scripts/base/bif/option.bif.bro
   build/scripts/base/bif/plugins/Bro_SNMP.types.bif.bro
   build/scripts/base/bif/plugins/Bro_KRB.types.bif.bro
   build/scripts/base/bif/event.bif.bro
+scripts/base/init-frameworks-and-bifs.bro
   scripts/base/frameworks/logging/__load__.bro
     scripts/base/frameworks/logging/main.bro
       build/scripts/base/bif/logging.bif.bro
@@ -52,8 +55,6 @@ scripts/base/init-bare.bro
         scripts/base/utils/patterns.bro
     scripts/base/frameworks/files/magic/__load__.bro
   build/scripts/base/bif/__load__.bro
-    build/scripts/base/bif/stats.bif.bro
-    build/scripts/base/bif/option.bif.bro
     build/scripts/base/bif/broxygen.bif.bro
     build/scripts/base/bif/pcap.bif.bro
     build/scripts/base/bif/bloom-filter.bif.bro
@@ -93,6 +94,7 @@ scripts/base/init-bare.bro
     build/scripts/base/bif/plugins/Bro_Modbus.events.bif.bro
     build/scripts/base/bif/plugins/Bro_MySQL.events.bif.bro
     build/scripts/base/bif/plugins/Bro_NCP.events.bif.bro
+    build/scripts/base/bif/plugins/Bro_NCP.consts.bif.bro
     build/scripts/base/bif/plugins/Bro_NetBIOS.events.bif.bro
     build/scripts/base/bif/plugins/Bro_NetBIOS.functions.bif.bro
     build/scripts/base/bif/plugins/Bro_NTLM.types.bif.bro
@@ -175,4 +177,4 @@ scripts/base/init-bare.bro
     build/scripts/base/bif/plugins/Bro_SQLiteWriter.sqlite.bif.bro
 scripts/policy/misc/loaded-scripts.bro
   scripts/base/utils/paths.bro
-#close	2018-03-01-16-07-03
+#close	2018-06-08-16-37-15

testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log

@@ -3,18 +3,21 @@
 #empty_field	(empty)
 #unset_field	-
 #path	loaded_scripts
-#open	2018-05-17-23-49-59
+#open	2018-06-08-16-37-20
 #fields	name
 #types	string
 scripts/base/init-bare.bro
   build/scripts/base/bif/const.bif.bro
   build/scripts/base/bif/types.bif.bro
-  build/scripts/base/bif/strings.bif.bro
   build/scripts/base/bif/bro.bif.bro
+  build/scripts/base/bif/stats.bif.bro
   build/scripts/base/bif/reporter.bif.bro
+  build/scripts/base/bif/strings.bif.bro
+  build/scripts/base/bif/option.bif.bro
   build/scripts/base/bif/plugins/Bro_SNMP.types.bif.bro
   build/scripts/base/bif/plugins/Bro_KRB.types.bif.bro
   build/scripts/base/bif/event.bif.bro
+scripts/base/init-frameworks-and-bifs.bro
   scripts/base/frameworks/logging/__load__.bro
     scripts/base/frameworks/logging/main.bro
       build/scripts/base/bif/logging.bif.bro
@@ -52,8 +55,6 @@ scripts/base/init-bare.bro
         scripts/base/utils/patterns.bro
     scripts/base/frameworks/files/magic/__load__.bro
   build/scripts/base/bif/__load__.bro
-    build/scripts/base/bif/stats.bif.bro
-    build/scripts/base/bif/option.bif.bro
     build/scripts/base/bif/broxygen.bif.bro
     build/scripts/base/bif/pcap.bif.bro
     build/scripts/base/bif/bloom-filter.bif.bro
@@ -93,6 +94,7 @@ scripts/base/init-bare.bro
     build/scripts/base/bif/plugins/Bro_Modbus.events.bif.bro
     build/scripts/base/bif/plugins/Bro_MySQL.events.bif.bro
     build/scripts/base/bif/plugins/Bro_NCP.events.bif.bro
+    build/scripts/base/bif/plugins/Bro_NCP.consts.bif.bro
     build/scripts/base/bif/plugins/Bro_NetBIOS.events.bif.bro
     build/scripts/base/bif/plugins/Bro_NetBIOS.functions.bif.bro
     build/scripts/base/bif/plugins/Bro_NTLM.types.bif.bro
@@ -364,4 +366,4 @@ scripts/base/init-default.bro
   scripts/base/misc/find-filtered-trace.bro
   scripts/base/misc/version.bro
 scripts/policy/misc/loaded-scripts.bro
-#close	2018-05-17-23-49-59
+#close	2018-06-08-16-37-20

testing/btest/Baseline/language.count/out

@@ -14,5 +14,16 @@ modulus operator (PASS)
 division operator (PASS)
 assignment operator (PASS)
 assignment operator (PASS)
+bitwise and (PASS)
+bitwise and (PASS)
+bitwise and (PASS)
+bitwise or (PASS)
+bitwise or (PASS)
+bitwise or (PASS)
+bitwise xor (PASS)
+bitwise xor (PASS)
+bitwise xor (PASS)
+bitwise complement (PASS)
+bitwise complement (PASS)
 max count value = 18446744073709551615 (PASS)
 max count value = 18446744073709551615 (PASS)

testing/btest/Baseline/plugins.hooks/output

@@ -264,7 +264,7 @@
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1525287517.317589, node=bro, filter=ip or not ip, init=T, success=T])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1528475846.472749, node=bro, filter=ip or not ip, init=T, success=T])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (Broker::LOG)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (Cluster::LOG)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (Config::LOG)) -> <no result>
@@ -441,7 +441,7 @@
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1525287517.317589, node=bro, filter=ip or not ip, init=T, success=T])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1528475846.472749, node=bro, filter=ip or not ip, init=T, success=T])) -> <no result>
 0.000000   MetaHookPost  CallFunction(NetControl::check_plugins, <frame>, ()) -> <no result>
 0.000000   MetaHookPost  CallFunction(NetControl::init, <null>, ()) -> <no result>
 0.000000   MetaHookPost  CallFunction(Notice::want_pp, <frame>, ()) -> <no result>
@@ -469,6 +469,7 @@
 0.000000   MetaHookPost  CallFunction(bro_init, <null>, ()) -> <no result>
 0.000000   MetaHookPost  CallFunction(current_time, <frame>, ()) -> <no result>
 0.000000   MetaHookPost  CallFunction(filter_change_tracking, <null>, ()) -> <no result>
+0.000000   MetaHookPost  CallFunction(getenv, <null>, (BRO_DEFAULT_LISTEN_ADDRESS)) -> <no result>
 0.000000   MetaHookPost  CallFunction(getenv, <null>, (CLUSTER_NODE)) -> <no result>
 0.000000   MetaHookPost  CallFunction(global_ids, <frame>, ()) -> <no result>
 0.000000   MetaHookPost  CallFunction(network_time, <frame>, ()) -> <no result>
@@ -522,6 +523,7 @@
 0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_MIME.events.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_Modbus.events.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_MySQL.events.bif.bro) -> -1
+0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_NCP.consts.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_NCP.events.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_NTLM.events.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(0, .<...>/Bro_NTLM.types.bif.bro) -> -1
@@ -727,6 +729,7 @@
 0.000000   MetaHookPost  LoadFile(0, base<...>/http) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/imap) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/init-default.bro) -> -1
+0.000000   MetaHookPost  LoadFile(0, base<...>/init-frameworks-and-bifs.bro) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/input) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/input.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/intel) -> -1
@@ -744,6 +747,7 @@
 0.000000   MetaHookPost  LoadFile(0, base<...>/ntlm) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/numbers.bro) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/openflow) -> -1
+0.000000   MetaHookPost  LoadFile(0, base<...>/option.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/packet-filter) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/paths.bro) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/patterns.bro) -> -1
@@ -766,6 +770,7 @@
 0.000000   MetaHookPost  LoadFile(0, base<...>/software) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/ssh) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/ssl) -> -1
+0.000000   MetaHookPost  LoadFile(0, base<...>/stats.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/store.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/strings.bif.bro) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/strings.bro) -> -1
@@ -1062,7 +1067,7 @@
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird]))
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509]))
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql]))
-0.000000   MetaHookPre   CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1525287517.317589, node=bro, filter=ip or not ip, init=T, success=T]))
+0.000000   MetaHookPre   CallFunction(Log::__write, <frame>, (PacketFilter::LOG, [ts=1528475846.472749, node=bro, filter=ip or not ip, init=T, success=T]))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (Broker::LOG))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (Cluster::LOG))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (Config::LOG))
@@ -1239,7 +1244,7 @@
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird]))
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509]))
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql]))
-0.000000   MetaHookPre   CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1525287517.317589, node=bro, filter=ip or not ip, init=T, success=T]))
+0.000000   MetaHookPre   CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=1528475846.472749, node=bro, filter=ip or not ip, init=T, success=T]))
 0.000000   MetaHookPre   CallFunction(NetControl::check_plugins, <frame>, ())
 0.000000   MetaHookPre   CallFunction(NetControl::init, <null>, ())
 0.000000   MetaHookPre   CallFunction(Notice::want_pp, <frame>, ())
@@ -1267,6 +1272,7 @@
 0.000000   MetaHookPre   CallFunction(bro_init, <null>, ())
 0.000000   MetaHookPre   CallFunction(current_time, <frame>, ())
 0.000000   MetaHookPre   CallFunction(filter_change_tracking, <null>, ())
+0.000000   MetaHookPre   CallFunction(getenv, <null>, (BRO_DEFAULT_LISTEN_ADDRESS))
 0.000000   MetaHookPre   CallFunction(getenv, <null>, (CLUSTER_NODE))
 0.000000   MetaHookPre   CallFunction(global_ids, <frame>, ())
 0.000000   MetaHookPre   CallFunction(network_time, <frame>, ())
@@ -1320,6 +1326,7 @@
 0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_MIME.events.bif.bro)
 0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_Modbus.events.bif.bro)
 0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_MySQL.events.bif.bro)
+0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_NCP.consts.bif.bro)
 0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_NCP.events.bif.bro)
 0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_NTLM.events.bif.bro)
 0.000000   MetaHookPre   LoadFile(0, .<...>/Bro_NTLM.types.bif.bro)
@@ -1525,6 +1532,7 @@
 0.000000   MetaHookPre   LoadFile(0, base<...>/http)
 0.000000   MetaHookPre   LoadFile(0, base<...>/imap)
 0.000000   MetaHookPre   LoadFile(0, base<...>/init-default.bro)
+0.000000   MetaHookPre   LoadFile(0, base<...>/init-frameworks-and-bifs.bro)
 0.000000   MetaHookPre   LoadFile(0, base<...>/input)
 0.000000   MetaHookPre   LoadFile(0, base<...>/input.bif.bro)
 0.000000   MetaHookPre   LoadFile(0, base<...>/intel)
@@ -1542,6 +1550,7 @@
 0.000000   MetaHookPre   LoadFile(0, base<...>/ntlm)
 0.000000   MetaHookPre   LoadFile(0, base<...>/numbers.bro)
 0.000000   MetaHookPre   LoadFile(0, base<...>/openflow)
+0.000000   MetaHookPre   LoadFile(0, base<...>/option.bif.bro)
 0.000000   MetaHookPre   LoadFile(0, base<...>/packet-filter)
 0.000000   MetaHookPre   LoadFile(0, base<...>/paths.bro)
 0.000000   MetaHookPre   LoadFile(0, base<...>/patterns.bro)
@@ -1564,6 +1573,7 @@
 0.000000   MetaHookPre   LoadFile(0, base<...>/software)
 0.000000   MetaHookPre   LoadFile(0, base<...>/ssh)
 0.000000   MetaHookPre   LoadFile(0, base<...>/ssl)
+0.000000   MetaHookPre   LoadFile(0, base<...>/stats.bif.bro)
 0.000000   MetaHookPre   LoadFile(0, base<...>/store.bif.bro)
 0.000000   MetaHookPre   LoadFile(0, base<...>/strings.bif.bro)
 0.000000   MetaHookPre   LoadFile(0, base<...>/strings.bro)
@@ -1859,7 +1869,7 @@
 0.000000 | HookCallFunction Log::__create_stream(Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird])
 0.000000 | HookCallFunction Log::__create_stream(X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509])
 0.000000 | HookCallFunction Log::__create_stream(mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql])
-0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1525287517.317589, node=bro, filter=ip or not ip, init=T, success=T])
+0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1528475846.472749, node=bro, filter=ip or not ip, init=T, success=T])
 0.000000 | HookCallFunction Log::add_default_filter(Broker::LOG)
 0.000000 | HookCallFunction Log::add_default_filter(Cluster::LOG)
 0.000000 | HookCallFunction Log::add_default_filter(Config::LOG)
@@ -2036,7 +2046,7 @@
 0.000000 | HookCallFunction Log::create_stream(Weird::LOG, [columns=<no value description>, ev=Weird::log_weird, path=weird])
 0.000000 | HookCallFunction Log::create_stream(X509::LOG, [columns=<no value description>, ev=X509::log_x509, path=x509])
 0.000000 | HookCallFunction Log::create_stream(mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql, path=mysql])
-0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1525287517.317589, node=bro, filter=ip or not ip, init=T, success=T])
+0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1528475846.472749, node=bro, filter=ip or not ip, init=T, success=T])
 0.000000 | HookCallFunction NetControl::check_plugins()
 0.000000 | HookCallFunction NetControl::init()
 0.000000 | HookCallFunction Notice::want_pp()
@@ -2064,6 +2074,7 @@
 0.000000 | HookCallFunction bro_init()
 0.000000 | HookCallFunction current_time()
 0.000000 | HookCallFunction filter_change_tracking()
+0.000000 | HookCallFunction getenv(BRO_DEFAULT_LISTEN_ADDRESS)
 0.000000 | HookCallFunction getenv(CLUSTER_NODE)
 0.000000 | HookCallFunction global_ids()
 0.000000 | HookCallFunction network_time()
@@ -2117,6 +2128,7 @@
 0.000000 | HookLoadFile  .<...>/Bro_MIME.events.bif.bro
 0.000000 | HookLoadFile  .<...>/Bro_Modbus.events.bif.bro
 0.000000 | HookLoadFile  .<...>/Bro_MySQL.events.bif.bro
+0.000000 | HookLoadFile  .<...>/Bro_NCP.consts.bif.bro
 0.000000 | HookLoadFile  .<...>/Bro_NCP.events.bif.bro
 0.000000 | HookLoadFile  .<...>/Bro_NTLM.events.bif.bro
 0.000000 | HookLoadFile  .<...>/Bro_NTLM.types.bif.bro
@@ -2331,6 +2343,7 @@
 0.000000 | HookLoadFile  base<...>/http
 0.000000 | HookLoadFile  base<...>/imap
 0.000000 | HookLoadFile  base<...>/init-default.bro
+0.000000 | HookLoadFile  base<...>/init-frameworks-and-bifs.bro
 0.000000 | HookLoadFile  base<...>/input
 0.000000 | HookLoadFile  base<...>/input.bif.bro
 0.000000 | HookLoadFile  base<...>/intel
@@ -2348,6 +2361,7 @@
 0.000000 | HookLoadFile  base<...>/ntlm
 0.000000 | HookLoadFile  base<...>/numbers.bro
 0.000000 | HookLoadFile  base<...>/openflow
+0.000000 | HookLoadFile  base<...>/option.bif.bro
 0.000000 | HookLoadFile  base<...>/packet-filter
 0.000000 | HookLoadFile  base<...>/paths.bro
 0.000000 | HookLoadFile  base<...>/patterns.bro
@@ -2370,6 +2384,7 @@
 0.000000 | HookLoadFile  base<...>/software
 0.000000 | HookLoadFile  base<...>/ssh
 0.000000 | HookLoadFile  base<...>/ssl
+0.000000 | HookLoadFile  base<...>/stats.bif.bro
 0.000000 | HookLoadFile  base<...>/store.bif.bro
 0.000000 | HookLoadFile  base<...>/strings.bif.bro
 0.000000 | HookLoadFile  base<...>/strings.bro
@@ -2387,7 +2402,7 @@
 0.000000 | HookLoadFile  base<...>/x509
 0.000000 | HookLoadFile  base<...>/xmpp
 0.000000 | HookLogInit   packet_filter 1/1 {ts (time), node (string), filter (string), init (bool), success (bool)}
-0.000000 | HookLogWrite  packet_filter [ts=1525287517.317589, node=bro, filter=ip or not ip, init=T, success=T]
+0.000000 | HookLogWrite  packet_filter [ts=1528475846.472749, node=bro, filter=ip or not ip, init=T, success=T]
 0.000000 | HookQueueEvent NetControl::init()
 0.000000 | HookQueueEvent bro_init()
 0.000000 | HookQueueEvent filter_change_tracking()

testing/btest/Baseline/scripts.base.protocols.arp.bad/.stdout

@@ -0,0 +1,6 @@
+BAD, 192.168.123.1, 7e:8e:20:d8:23:a7, 192.168.123.2, 00:00:00:00:00:00, corrupt-arp-header (hrd=1, hln=255)
+BAD, 192.168.123.2, 52:54:00:12:34:57, 192.168.123.1, 7e:8e:20:d8:23:a7, corrupt-arp-header (hrd=1, hln=255)
+BAD, 192.168.123.1, 7e:8e:20:d8:23:a7, 192.168.123.2, 00:00:00:00:00:00, corrupt-arp-header (pro=2048, pln=255)
+BAD, 192.168.123.2, 52:54:00:12:34:57, 192.168.123.1, 7e:8e:20:d8:23:a7, corrupt-arp-header (pro=2048, pln=255)
+BAD, 192.168.123.1, 7e:8e:20:d8:23:a7, 192.168.123.2, 00:00:00:00:00:00, corrupt-arp-header (hrd=1, hln=255)
+BAD, 192.168.123.2, 52:54:00:12:34:57, 192.168.123.1, 7e:8e:20:d8:23:a7, corrupt-arp-header (hrd=1, hln=255)

testing/btest/Baseline/scripts.base.protocols.krb.kinit/output

@@ -1,3 +1,3 @@
 KRB_AP_REQUEST
-[pvno=5, realm=VLADG.NET, service_name=krbtgt/VLADG.NET, cipher=18, ciphertext={\x9fY\xd0f\x8dS\xf4I\x88\x04\xfa\xc1\xd8m\xa2\xb7+\xbb\x19\xcag\x0c\x13\xd1g*\xfc\x18\xd1\xb1\x80!\xbd\x85\xec\xf9\x9b\xfa-\x18\xb6\xf5h\x91\xe7\x99\xf4\xdb\x93\xa0\xc7\x90\x1e\xa9\x95v\xd3\x12\xfa,9\x1d\x0b\xd0\xa1\xd25\x0f\x1f[G\xdf\xd0\xbbd\x06$2\xd1\xae\x130qZiY\x07@\xe9\xf9\xff\xa4\x9a\xd4\x09\xf0\x0d\xc1R\x10M\xbdKOV\xfd\xf6\x13\xf6\x9a\x95N\xdf!\xf6x\x94\xd8j\xa5\xdcp\xa8\x04\x99\x02x\xdb$\xd8\xfa_o\x8dV\xc8\x0a\xfe\x00\xf3&c\x0c8\xd1\xd0\xe9\x8e\xab\xfe&\xfe\x00\x8d$\x98I\xe5\x8d\x94rM4%\xd8\xfe\xa9\x08\x06\xc6\x95H7\xf7HCq\xb9\x0d$\x95?\x83B\x82\xdd\xea\xc3f3\xcc\xbb\x09\x0d-\x09;\xa6i%\xcd\xba\x11\xd4\xe0\x12w\xd0G&\xdaj\x82\x7f;\xf3\x1d\x10\xa4l\x06\x16l\x1bc\xa1\xd1\x15!\x00\x8a\xff\x8a\x06\xe7U^:<d\xba"\x02I\xf0\xce\xc7\xad\xb2]
+[pvno=5, realm=VLADG.NET, service_name=krbtgt/VLADG.NET, cipher=18, ciphertext={\x9fY\xd0f\x8dS\xf4I\x88\x04\xfa\xc1\xd8m\xa2\xb7+\xbb\x19\xcag\x0c\x13\xd1g*\xfc\x18\xd1\xb1\x80!\xbd\x85\xec\xf9\x9b\xfa-\x18\xb6\xf5h\x91\xe7\x99\xf4\xdb\x93\xa0\xc7\x90\x1e\xa9\x95v\xd3\x12\xfa,9\x1d\x0b\xd0\xa1\xd25\x0f\x1f[G\xdf\xd0\xbbd\x06$2\xd1\xae\x130qZiY\x07@\xe9\xf9\xff\xa4\x9a\xd4\x09\xf0\x0d\xc1R\x10M\xbdKOV\xfd\xf6\x13\xf6\x9a\x95N\xdf!\xf6x\x94\xd8j\xa5\xdcp\xa8\x04\x99\x02x\xdb$\xd8\xfa_o\x8dV\xc8\x0a\xfe\x00\xf3&c\x0c8\xd1\xd0\xe9\x8e\xab\xfe&\xfe\x00\x8d$\x98I\xe5\x8d\x94rM4%\xd8\xfe\xa9\x08\x06\xc6\x95H7\xf7HCq\xb9\x0d$\x95?\x83B\x82\xdd\xea\xc3f3\xcc\xbb\x09\x0d-\x09;\xa6i%\xcd\xba\x11\xd4\xe0\x12w\xd0G&\xdaj\x82\x7f;\xf3\x1d\x10\xa4l\x06\x16l\x1bc\xa1\xd1\x15!\x00\x8a\xff\x8a\x06\xe7U^:<d\xba"\x02I\xf0\xce\xc7\xad\xb2, authenticationinfo=<uninitialized>]
 [use_session_key=F, mutual_required=F]

testing/btest/Baseline/scripts.base.protocols.krb.smb2_krb/.stdout

@@ -0,0 +1 @@
+wallior@DS.SUSQ.COM

testing/btest/Baseline/scripts.base.protocols.krb.smb2_krb_nokeytab/.stdout

@@ -0,0 +1 @@
+F

testing/btest/Baseline/scripts.base.protocols.ncp.event/out

@@ -0,0 +1,468 @@
+ncp reply, 13107, 70, 0, 0, 0
+ncp request, 8738, 14, 72
+ncp reply, 13107, 86, 8738, 72, 0
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 79, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp reply, 13107, 86, 8738, 72, 0
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 79, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp reply, 13107, 86, 8738, 72, 0
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 79, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp reply, 13107, 86, 8738, 72, 0
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 79, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp reply, 13107, 86, 8738, 72, 0
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 79, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp reply, 13107, 86, 8738, 72, 0
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 59, 89
+ncp reply, 13107, 2, 8738, 89, 255
+ncp request, 8738, 59, 89
+ncp reply, 13107, 2, 8738, 89, 255
+ncp request, 8738, 79, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp reply, 13107, 86, 8738, 72, 0
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 66, 89
+ncp reply, 13107, 92, 8738, 89, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp reply, 13107, 163, 8738, 72, 0
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp reply, 13107, 163, 8738, 72, 0
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp reply, 13107, 163, 8738, 72, 0
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp reply, 13107, 163, 8738, 72, 0
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp reply, 13107, 163, 8738, 72, 0
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp reply, 13107, 163, 8738, 72, 0
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp reply, 13107, 163, 8738, 72, 0
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp reply, 13107, 163, 8738, 72, 0
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp reply, 13107, 163, 8738, 72, 0
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp reply, 13107, 163, 8738, 72, 0
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp reply, 13107, 163, 8738, 72, 0
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp reply, 13107, 163, 8738, 72, 0
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp reply, 13107, 163, 8738, 72, 0
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp reply, 13107, 163, 8738, 72, 0
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp reply, 13107, 163, 8738, 72, 0
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp reply, 13107, 163, 8738, 72, 0
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp reply, 13107, 163, 8738, 72, 0
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp reply, 13107, 163, 8738, 72, 0
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp reply, 13107, 163, 8738, 72, 0
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp reply, 13107, 163, 8738, 72, 0
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp reply, 13107, 163, 8738, 72, 0
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp reply, 13107, 163, 8738, 72, 0
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp reply, 13107, 163, 8738, 72, 0
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp reply, 13107, 163, 8738, 72, 0
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp reply, 13107, 163, 8738, 72, 0
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp reply, 13107, 163, 8738, 72, 0
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp reply, 13107, 163, 8738, 72, 0
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp reply, 13107, 163, 8738, 72, 0
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp reply, 13107, 163, 8738, 72, 0
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp reply, 13107, 163, 8738, 72, 0
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp reply, 13107, 163, 8738, 72, 0
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp reply, 13107, 163, 8738, 72, 0
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp reply, 13107, 163, 8738, 72, 0
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp reply, 13107, 163, 8738, 72, 0
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp reply, 13107, 163, 8738, 72, 0
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp reply, 13107, 163, 8738, 72, 0
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 66, 89
+ncp reply, 13107, 92, 8738, 89, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp reply, 13107, 163, 8738, 72, 0
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp reply, 13107, 163, 8738, 72, 0
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp reply, 13107, 163, 8738, 72, 0
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp reply, 13107, 163, 8738, 72, 0
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp reply, 13107, 163, 8738, 72, 0
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp reply, 13107, 163, 8738, 72, 0
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp reply, 13107, 163, 8738, 72, 0
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp reply, 13107, 163, 8738, 72, 0
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp reply, 13107, 163, 8738, 72, 0
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp reply, 13107, 163, 8738, 72, 0
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp reply, 13107, 163, 8738, 72, 0
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp reply, 13107, 163, 8738, 72, 0
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 46, 89
+ncp reply, 13107, 88, 8738, 89, 0
+ncp request, 8738, 40, 89
+ncp reply, 13107, 11, 8738, 89, 0
+ncp request, 8738, 40, 89
+ncp reply, 13107, 102, 8738, 89, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 6, 22338
+ncp reply, 13107, 10, 8738, 22338, 0
+ncp request, 8738, 14, 72
+ncp reply, 13107, 163, 8738, 72, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 14, 72
+ncp reply, 13107, 163, 8738, 72, 0
+ncp request, 8738, 14, 72

testing/btest/Baseline/scripts.base.protocols.ncp.frame_size_tuning/out

@@ -0,0 +1,418 @@
+ncp reply, 13107, 70, 0, 0, 0
+ncp request, 8738, 14, 72
+ncp reply, 13107, 86, 8738, 72, 0
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 79, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp reply, 13107, 86, 8738, 72, 0
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 79, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp reply, 13107, 86, 8738, 72, 0
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 79, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp reply, 13107, 86, 8738, 72, 0
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 79, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp reply, 13107, 86, 8738, 72, 0
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 79, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp reply, 13107, 86, 8738, 72, 0
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 59, 89
+ncp reply, 13107, 2, 8738, 89, 255
+ncp request, 8738, 59, 89
+ncp reply, 13107, 2, 8738, 89, 255
+ncp request, 8738, 79, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp reply, 13107, 86, 8738, 72, 0
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 66, 89
+ncp reply, 13107, 92, 8738, 89, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 66, 89
+ncp reply, 13107, 92, 8738, 89, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 14, 72
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 46, 89
+ncp reply, 13107, 88, 8738, 89, 0
+ncp request, 8738, 40, 89
+ncp reply, 13107, 11, 8738, 89, 0
+ncp request, 8738, 40, 89
+ncp reply, 13107, 102, 8738, 89, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 6, 22338
+ncp reply, 13107, 10, 8738, 22338, 0
+ncp request, 8738, 14, 72
+ncp request, 8738, 8, 66
+ncp reply, 13107, 2, 8738, 66, 0
+ncp request, 8738, 72, 89
+ncp reply, 13107, 70, 8738, 89, 0
+ncp request, 8738, 7, 22306
+ncp reply, 13107, 2, 8738, 22306, 0
+ncp request, 8738, 14, 72
+ncp request, 8738, 14, 72

testing/btest/Baseline/scripts.base.protocols.smb.smb2/.stdout

@@ -5,6 +5,7 @@ smb2_create_response 10.0.0.11 -> 10.0.0.12:445 [file_id=[persistent=73, volatil
 smb2_create_request 10.0.0.11 -> 10.0.0.12:445 [filename=<share_root>, disposition=2, create_options=2097185]
 smb2_create_request 10.0.0.11 -> 10.0.0.12:445 [filename=WP_SMBPlugin.pdf, disposition=2, create_options=68]
 smb2_create_response 10.0.0.11 -> 10.0.0.12:445 [file_id=[persistent=77, volatile=18446744069414584329], size=0, times=[modified=1323202695.427036, accessed=1323202695.427036, created=1323202695.427036, changed=1323202695.427036], attrs=[read_only=F, hidden=F, system=F, directory=F, archive=T, normal=F, temporary=F, sparse_file=F, reparse_point=F, compressed=F, offline=F, not_content_indexed=F, encrypted=F, integrity_stream=F, no_scrub_data=F], create_action=2]
+smb2_file_sattr 10.0.0.11 -> 10.0.0.12:445 [persistent=77, volatile=18446744069414584329] MACTimes:[modified=1319047808.3125, accessed=-1.164447e+10, created=-1.164447e+10, changed=-1.164447e+10] FileAttrs:[read_only=F, hidden=F, system=F, directory=F, archive=F, normal=F, temporary=F, sparse_file=F, reparse_point=F, compressed=F, offline=F, not_content_indexed=F, encrypted=F, integrity_stream=F, no_scrub_data=F]
 smb2_create_request 10.0.0.11 -> 10.0.0.12:445 [filename=<share_root>, disposition=1, create_options=32]
 smb2_create_response 10.0.0.11 -> 10.0.0.12:445 [file_id=[persistent=81, volatile=18446744069414584333], size=8192, times=[modified=1323202695.427036, accessed=1323202695.427036, created=1322343963.945297, changed=1323202695.427036], attrs=[read_only=F, hidden=F, system=F, directory=T, archive=F, normal=F, temporary=F, sparse_file=F, reparse_point=F, compressed=F, offline=F, not_content_indexed=F, encrypted=F, integrity_stream=F, no_scrub_data=F], create_action=1]
 smb2_create_request 10.0.0.11 -> 10.0.0.12:445 [filename=<share_root>, disposition=1, create_options=32]

testing/btest/Baseline/scripts.base.protocols.ssl.x509-invalid-extension/.stdout

@@ -0,0 +1,4 @@
+UNDEF
+\x04a0_\xa1]\xa0[0Y0W0U\x16\x09image/gif0!0\x1f0\x07\x06\x05+\x0e\x03\x02\x1a\x04\x14\x8f\xe5\xd3\x1a\x86\xac\x8d\x8ek\xc3\xcf\x80j\xd4H\x18,{\x19.0%\x16#http://logo.verisign.com/vslogo.gif
+UNDEF
+\x04a0_\xa1]\xa0[0Y0W0U\x16\x09image/gif0!0\x1f0\x07\x06\x05+\x0e\x03\x02\x1a\x04\x14\x8f\xe5\xd3\x1a\x86\xac\x8d\x8ek\xc3\xcf\x80j\xd4H\x18,{\x19.0%\x16#http://logo.verisign.com/vslogo.gif

testing/btest/Makefile

@@ -1,6 +1,7 @@
 
 DIAG=diag.log
 BTEST=../../aux/btest/btest
+SCRIPT_COV=.tmp/script-coverage
 
 all: cleanup btest-verbose coverage
 
@@ -15,11 +16,11 @@ btest-brief:
 	@$(BTEST) -j -b -f $(DIAG)
 
 coverage:
-	@../scripts/coverage-calc ".tmp/script-coverage*" coverage.log `pwd`/../../scripts
+	@../scripts/coverage-calc "$(SCRIPT_COV)/*" coverage.log `pwd`/../../scripts
 
 cleanup:
 	@rm -f $(DIAG)
-	@rm -f .tmp/script-coverage*
+	@rm -rf $(SCRIPT_COV)*
 
 distclean: cleanup
 	@rm -rf .btest.failed.dat \

testing/btest/broker/remote_publish_and_relay_event.bro

@@ -0,0 +1,125 @@
+# @TEST-SERIALIZE: comm
+#
+# @TEST-EXEC: btest-bg-run three "bro -B broker -b ../three.bro >three.out"
+# @TEST-EXEC: btest-bg-run two "bro -B broker -b ../two.bro >two.out"
+# @TEST-EXEC: btest-bg-run one "bro -B broker -b ../one.bro >one.out"
+#
+# @TEST-EXEC: btest-bg-wait 20
+# @TEST-EXEC: btest-diff one/one.out
+# @TEST-EXEC: btest-diff two/two.out
+# @TEST-EXEC: btest-diff three/three.out
+
+@TEST-START-FILE one.bro
+
+redef Broker::default_connect_retry=1secs;
+redef Broker::default_listen_retry=1secs;
+redef exit_only_after_terminate = T;
+
+event my_event(s: string)
+	{
+	print "got my_event", s;
+	}
+
+event ready_event()
+	{
+	print "got ready event";
+
+	Broker::publish_and_relay("bro/event/pre-relay", "bro/event/post-relay",
+	                          my_event, "hello world");
+	}
+
+event bro_init()
+    {
+    Broker::subscribe("bro/event/ready");
+    Broker::peer("127.0.0.1", 10000/tcp);
+    }
+
+event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string)
+    {
+    print fmt("sender added peer: endpoint=%s msg=%s",
+    		  endpoint$network$address, msg);
+    }
+
+event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string)
+    {
+    print fmt("sender lost peer: endpoint=%s msg=%s",
+    		  endpoint$network$address, msg);
+    terminate();
+    }
+
+@TEST-END-FILE
+
+
+@TEST-START-FILE two.bro
+
+redef Broker::default_connect_retry=1secs;
+redef Broker::default_listen_retry=1secs;
+redef exit_only_after_terminate = T;
+
+global peers_added = 0;
+
+event my_event(s: string)
+	{
+	print "got my_event", s;
+	}
+
+event ready_event()
+	{
+	}
+
+event bro_init()
+    {
+    Broker::subscribe("bro/event/pre-relay");
+    Broker::listen("127.0.0.1", 10000/tcp);
+	Broker::peer("127.0.0.1", 9999/tcp);
+    }
+
+event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string)
+    {
+    print fmt("receiver added peer: endpoint=%s msg=%s", endpoint$network$address, msg);
+    ++peers_added;
+
+    if ( peers_added == 2 )
+    	{
+		print "sending ready event";
+        Broker::publish("bro/event/ready", ready_event);
+    	}
+    }
+
+event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string)
+    {
+    print fmt("receiver lost peer: endpoint=%s msg=%s", endpoint$network$address, msg);
+    terminate();
+    }
+
+@TEST-END-FILE
+
+@TEST-START-FILE three.bro
+
+redef Broker::default_connect_retry=1secs;
+redef Broker::default_listen_retry=1secs;
+redef exit_only_after_terminate = T;
+
+event my_event(s: string)
+	{
+	print "got my_event", s;
+	terminate();
+	}
+
+event bro_init()
+    {
+    Broker::subscribe("bro/event/post-relay");
+    Broker::listen("127.0.0.1", 9999/tcp);
+    }
+
+event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string)
+    {
+    print fmt("receiver added peer: endpoint=%s msg=%s", endpoint$network$address, msg);
+    }
+
+event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string)
+    {
+    print fmt("receiver lost peer: endpoint=%s msg=%s", endpoint$network$address, msg);
+    }
+
+@TEST-END-FILE

testing/btest/btest.cfg

@@ -22,6 +22,8 @@ DIST=%(testbase)s/../..
 BUILD=%(testbase)s/../../build
 TEST_DIFF_CANONIFIER=%(testbase)s/../scripts/diff-canonifier
 TMPDIR=%(testbase)s/.tmp
-BRO_PROFILER_FILE=%(testbase)s/.tmp/script-coverage.XXXXXX
+BRO_PROFILER_FILE=%(testbase)s/.tmp/script-coverage/XXXXXX
 BTEST_RST_FILTER=$SCRIPTS/rst-filter
 BRO_DNS_FAKE=1
+BRO_DEFAULT_LISTEN_ADDRESS=127.0.0.1
+BRO_DISABLE_BROXYGEN=1

testing/btest/core/old_comm_usage.bro

@@ -0,0 +1,7 @@
+# @TEST-EXEC-FAIL: bro -b %INPUT >out 2>&1
+# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff out
+
+event bro_init()
+	{
+	terminate_communication();
+	}

testing/btest/doc/broxygen/all_scripts.test

@@ -5,7 +5,7 @@
 # listen.bro in order to document it.
 
 # @TEST-SERIALIZE: comm
-# @TEST-EXEC: bro -X broxygen.config broxygen DumpEvents::include=/NOTHING_MATCHES/
+# @TEST-EXEC: unset BRO_DISABLE_BROXYGEN; bro -X broxygen.config broxygen DumpEvents::include=/NOTHING_MATCHES/
 # @TEST-EXEC: btest-diff .stdout
 # @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff .stderr
 

testing/btest/doc/broxygen/command_line.bro

@@ -1,7 +1,7 @@
 # Shouldn't emit any warnings about not being able to document something
 # that's supplied via command line script.
 
-# @TEST-EXEC: bro %INPUT -e 'redef myvar=10; print myvar' >output 2>&1
+# @TEST-EXEC: unset BRO_DISABLE_BROXYGEN; bro %INPUT -e 'redef myvar=10; print myvar' >output 2>&1
 # @TEST-EXEC: btest-diff output
 
 const myvar = 5 &redef;

testing/btest/doc/broxygen/comment_retrieval_bifs.bro

@@ -1,4 +1,4 @@
-# @TEST-EXEC: bro -b %INPUT >out
+# @TEST-EXEC: unset BRO_DISABLE_BROXYGEN; bro -b %INPUT >out
 # @TEST-EXEC: btest-diff out
 
 ##! This is a test script.

testing/btest/doc/broxygen/enums.bro

@@ -1,4 +1,4 @@
-# @TEST-EXEC: bro -b -X broxygen.config %INPUT
+# @TEST-EXEC: unset BRO_DISABLE_BROXYGEN; bro -b -X broxygen.config %INPUT
 # @TEST-EXEC: btest-diff autogen-reST-enums.rst
 
 @TEST-START-FILE broxygen.config

testing/btest/doc/broxygen/example.bro

@@ -1,4 +1,4 @@
-# @TEST-EXEC: bro -X broxygen.config %INPUT
+# @TEST-EXEC: unset BRO_DISABLE_BROXYGEN; bro -X broxygen.config %INPUT
 # @TEST-EXEC: btest-diff example.rst
 
 @TEST-START-FILE broxygen.config

testing/btest/doc/broxygen/func-params.bro

@@ -1,4 +1,4 @@
-# @TEST-EXEC: bro -b -X broxygen.config %INPUT
+# @TEST-EXEC: unset BRO_DISABLE_BROXYGEN; bro -b -X broxygen.config %INPUT
 # @TEST-EXEC: btest-diff autogen-reST-func-params.rst
 
 @TEST-START-FILE broxygen.config

testing/btest/doc/broxygen/identifier.bro

@@ -1,5 +1,5 @@
 # @TEST-SERIALIZE: comm
-# @TEST-EXEC: bro -b -X broxygen.config %INPUT
+# @TEST-EXEC: unset BRO_DISABLE_BROXYGEN; bro -b -X broxygen.config %INPUT
 # @TEST-EXEC: btest-diff test.rst
 
 @TEST-START-FILE broxygen.config

testing/btest/doc/broxygen/package.bro

@@ -1,5 +1,5 @@
 # @TEST-SERIALIZE: comm
-# @TEST-EXEC: bro -b -X broxygen.config %INPUT
+# @TEST-EXEC: unset BRO_DISABLE_BROXYGEN; bro -b -X broxygen.config %INPUT
 # @TEST-EXEC: btest-diff test.rst
 
 @TEST-START-FILE broxygen.config

testing/btest/doc/broxygen/package_index.bro

@@ -1,5 +1,5 @@
 # @TEST-SERIALIZE: comm
-# @TEST-EXEC: bro -b -X broxygen.config %INPUT
+# @TEST-EXEC: unset BRO_DISABLE_BROXYGEN; bro -b -X broxygen.config %INPUT
 # @TEST-EXEC: btest-diff test.rst
 
 @TEST-START-FILE broxygen.config

testing/btest/doc/broxygen/records.bro

@@ -1,4 +1,4 @@
-# @TEST-EXEC: bro -b -X broxygen.config %INPUT
+# @TEST-EXEC: unset BRO_DISABLE_BROXYGEN; bro -b -X broxygen.config %INPUT
 # @TEST-EXEC: btest-diff autogen-reST-records.rst
 
 @TEST-START-FILE broxygen.config

testing/btest/doc/broxygen/script_index.bro

@@ -1,5 +1,5 @@
 # @TEST-SERIALIZE: comm
-# @TEST-EXEC: bro -b -X broxygen.config %INPUT
+# @TEST-EXEC: unset BRO_DISABLE_BROXYGEN; bro -b -X broxygen.config %INPUT
 # @TEST-EXEC: btest-diff test.rst
 
 @TEST-START-FILE broxygen.config

testing/btest/doc/broxygen/script_summary.bro

@@ -1,5 +1,5 @@
 # @TEST-SERIALIZE: comm
-# @TEST-EXEC: bro -b -X broxygen.config %INPUT
+# @TEST-EXEC: unset BRO_DISABLE_BROXYGEN; bro -b -X broxygen.config %INPUT
 # @TEST-EXEC: btest-diff test.rst
 
 @TEST-START-FILE broxygen.config

testing/btest/doc/broxygen/type-aliases.bro

@@ -1,4 +1,4 @@
-# @TEST-EXEC: bro -b -X broxygen.config %INPUT
+# @TEST-EXEC: unset BRO_DISABLE_BROXYGEN; bro -b -X broxygen.config %INPUT
 # @TEST-EXEC: btest-diff autogen-reST-type-aliases.rst
 
 @TEST-START-FILE broxygen.config