Merge branch 'topic/policy-scripts-new' of ssh://git.bro-ids.org/bro into topic/policy-scripts-new

2025-10-10 10:38:20 +00:00 · 2011-06-30 13:23:45 -04:00 · 2011-06-30 13:23:45 -04:00 · aebc2ea030
commit aebc2ea030
parent 24d570a94c fe5f4b8e53
25 changed files with 415 additions and 312 deletions
--- a/doc/scripts/CMakeLists.txt
+++ b/doc/scripts/CMakeLists.txt
@ -94,7 +94,7 @@ macro(REST_TARGET srcDir broInput)
        set(group "")
    endif ()
-    if (${group} STREQUAL "default" OR ${group} STREQUAL "bifs")
+    if ("${group}" STREQUAL "default" OR "${group}" STREQUAL "bifs")
        set(BRO_ARGS --doc-scripts --exec '')
    else ()
        set(BRO_ARGS --doc-scripts ${broInput})
@ -127,117 +127,127 @@ macro(REST_TARGET srcDir broInput)
 endmacro(REST_TARGET)
 # Schedule Bro scripts for which to generate documentation.
-# Note: the script may be located in a subdirectory off of one of the main
+#
-# directories in BROPATH.  In that case, just list the script as 'foo/bar.bro'
+# Note: any path prefix of the script (2nd argument of rest_target macro)
-rest_target(${CMAKE_CURRENT_SOURCE_DIR} example.bro           internal)
+# will be used to derive what path under policy/ the generated documentation
 # will be placed.
-rest_target(${POLICY_SRC_DIR} conn.bro                        user)
+rest_target(${CMAKE_CURRENT_SOURCE_DIR} example.bro)
 rest_target(${POLICY_SRC_DIR} conn/base.bro                   user)
 rest_target(${POLICY_SRC_DIR} conn/contents.bro               user)
-rest_target(${POLICY_SRC_DIR} dns.bro                         policy/dns-index)
+rest_target(${CMAKE_BINARY_DIR}/src bro.bif.bro)
-rest_target(${POLICY_SRC_DIR} dns/auth-addl.bro               policy/dns-index)
+rest_target(${CMAKE_BINARY_DIR}/src const.bif.bro)
-rest_target(${POLICY_SRC_DIR} dns/base.bro                    policy/dns-index)
+rest_target(${CMAKE_BINARY_DIR}/src event.bif.bro)
-rest_target(${POLICY_SRC_DIR} dns/consts.bro                  policy/dns-index)
+rest_target(${CMAKE_BINARY_DIR}/src logging.bif.bro)
-rest_target(${POLICY_SRC_DIR} dns/detect.bro                  policy/dns-index)
+rest_target(${CMAKE_BINARY_DIR}/src strings.bif.bro)
-rest_target(${POLICY_SRC_DIR} dns/passive-replication.bro     policy/dns-index)
+rest_target(${CMAKE_BINARY_DIR}/src types.bif.bro)
-# TODO: these don't currently work due to something that looks like a
+set(psd ${POLICY_SRC_DIR})
 # circular dependency.  They'll also change to the 'default' group once
 # loaded from bro.init.
 #rest_target(${POLICY_SRC_DIR} dpd.bro                         policy/dpd-index)
 #rest_target(${POLICY_SRC_DIR} dpd/base.bro                    policy/dpd-index)
 #rest_target(${POLICY_SRC_DIR} dpd/dyn-disable.bro             policy/dpd-index)
 #rest_target(${POLICY_SRC_DIR} dpd/packet-segment-logging.bro  policy/dpd-index)
-rest_target(${POLICY_SRC_DIR} ftp.bro                         policy/ftp-index)
+rest_target(${psd} bro.init)
-rest_target(${POLICY_SRC_DIR} ftp/base.bro                    policy/ftp-index)
+rest_target(${psd} site.bro)
 rest_target(${POLICY_SRC_DIR} ftp/detect.bro                  policy/ftp-index)
 rest_target(${POLICY_SRC_DIR} ftp/file-extract.bro            policy/ftp-index)
 rest_target(${POLICY_SRC_DIR} ftp/software.bro                policy/ftp-index)
 rest_target(${POLICY_SRC_DIR} ftp/utils-commands.bro          policy/ftp-index)
-rest_target(${POLICY_SRC_DIR} functions.bro                   user)
+rest_target(${psd} detectors/http-MHR.bro)
-# TODO: hot.conn.bro currently won't load because hot.bro doesn't exist
+rest_target(${psd} frameworks/communication/base.bro)
-#rest_target(${POLICY_SRC_DIR} hot.conn.bro                    user)
+rest_target(${psd} frameworks/communication/listen-clear.bro)
 rest_target(${psd} frameworks/communication/listen-ssl.bro)
-rest_target(${POLICY_SRC_DIR} http.bro                        policy/http-index)
+rest_target(${psd} frameworks/dpd/base.bro)
-rest_target(${POLICY_SRC_DIR} http/base-extended.bro          policy/http-index)
+rest_target(${psd} frameworks/dpd/dyn-disable.bro)
-rest_target(${POLICY_SRC_DIR} http/base.bro                   policy/http-index)
+rest_target(${psd} frameworks/dpd/packet-segment-logging.bro)
 rest_target(${POLICY_SRC_DIR} http/detect-intel.bro           policy/http-index)
 rest_target(${POLICY_SRC_DIR} http/detect-sqli.bro            policy/http-index)
 rest_target(${POLICY_SRC_DIR} http/detect-webapps.bro         policy/http-index)
 rest_target(${POLICY_SRC_DIR} http/file-extract.bro           policy/http-index)
 rest_target(${POLICY_SRC_DIR} http/file-hash.bro              policy/http-index)
 rest_target(${POLICY_SRC_DIR} http/file-ident.bro             policy/http-index)
 rest_target(${POLICY_SRC_DIR} http/headers.bro                policy/http-index)
 rest_target(${POLICY_SRC_DIR} http/software.bro               policy/http-index)
 rest_target(${POLICY_SRC_DIR} http/utils.bro                  policy/http-index)
 rest_target(${POLICY_SRC_DIR} http/var-extraction-cookies.bro policy/http-index)
 rest_target(${POLICY_SRC_DIR} http/var-extraction-uri.bro     policy/http-index)
-rest_target(${POLICY_SRC_DIR} irc.bro                         policy/irc-index)
+rest_target(${psd} frameworks/intel/base.bro)
 rest_target(${POLICY_SRC_DIR} irc/base.bro                    policy/irc-index)
 rest_target(${POLICY_SRC_DIR} irc/dcc-send.bro                policy/irc-index)
-rest_target(${POLICY_SRC_DIR} known-services.bro              user)
+rest_target(${psd} frameworks/logging/base.bro)
-rest_target(${POLICY_SRC_DIR} known-hosts.bro                 user)
+rest_target(${psd} frameworks/logging/plugins/ascii.bro)
-rest_target(${POLICY_SRC_DIR} metrics.bro                  policy/metrics-index)
+rest_target(${psd} frameworks/metrics/base.bro)
-rest_target(${POLICY_SRC_DIR} metrics/base.bro             policy/metrics-index)
+rest_target(${psd} frameworks/metrics/conn-example.bro)
-rest_target(${POLICY_SRC_DIR} metrics/conn-example.bro     policy/metrics-index)
+rest_target(${psd} frameworks/metrics/http-example.bro)
 rest_target(${POLICY_SRC_DIR} metrics/http-example.bro     policy/metrics-index)
-rest_target(${POLICY_SRC_DIR} mime.bro                        policy/mime-index)
+rest_target(${psd} frameworks/notice/action-filters.bro)
-rest_target(${POLICY_SRC_DIR} mime/base.bro                   policy/mime-index)
+rest_target(${psd} frameworks/notice/base.bro)
-rest_target(${POLICY_SRC_DIR} mime/file-extract.bro           policy/mime-index)
+rest_target(${psd} frameworks/notice/weird.bro)
 rest_target(${POLICY_SRC_DIR} mime/file-hash.bro              policy/mime-index)
 rest_target(${POLICY_SRC_DIR} mime/file-ident.bro             policy/mime-index)
-rest_target(${POLICY_SRC_DIR} notice-action-filters.bro       user)
+rest_target(${psd} frameworks/packet-filter/base.bro)
-rest_target(${POLICY_SRC_DIR} notice.bro                      user)
+rest_target(${psd} frameworks/packet-filter/netstats.bro)
 rest_target(${POLICY_SRC_DIR} site.bro                        user)
-rest_target(${POLICY_SRC_DIR} signatures.bro                  policy/sig-index)
+rest_target(${psd} frameworks/signatures/base.bro)
 rest_target(${POLICY_SRC_DIR} signatures/base.bro             policy/sig-index)
-rest_target(${POLICY_SRC_DIR} smtp.bro                        policy/smtp-index)
+rest_target(${psd} frameworks/software/base.bro)
-rest_target(${POLICY_SRC_DIR} smtp/base-extended.bro          policy/smtp-index)
+rest_target(${psd} frameworks/software/vulnerable.bro)
 rest_target(${POLICY_SRC_DIR} smtp/base.bro                   policy/smtp-index)
 rest_target(${POLICY_SRC_DIR} smtp/detect.bro                 policy/smtp-index)
 rest_target(${POLICY_SRC_DIR} smtp/software.bro               policy/smtp-index)
 rest_target(${POLICY_SRC_DIR} smtp/utils.bro                  policy/smtp-index)
 rest_target(${POLICY_SRC_DIR} smtp/webmail-ident.bro          policy/smtp-index)
-rest_target(${POLICY_SRC_DIR} software.bro                policy/software-index)
+rest_target(${psd} integration/barnyard2/base.bro)
-rest_target(${POLICY_SRC_DIR} software/base.bro           policy/software-index)
+rest_target(${psd} integration/barnyard2/event.bro)
-rest_target(${POLICY_SRC_DIR} software/vulnerable.bro     policy/software-index)
+rest_target(${psd} integration/barnyard2/types.bro)
-rest_target(${POLICY_SRC_DIR} ssh.bro                         policy/ssh-index)
+rest_target(${psd} protocols/conn/base.bro)
-rest_target(${POLICY_SRC_DIR} ssh/base.bro                    policy/ssh-index)
+rest_target(${psd} protocols/conn/contents.bro)
-rest_target(${POLICY_SRC_DIR} ssh/software.bro                policy/ssh-index)
+rest_target(${psd} protocols/conn/inactivity.bro)
 rest_target(${psd} protocols/conn/known-hosts.bro)
 rest_target(${psd} protocols/conn/known-services.bro)
-rest_target(${POLICY_SRC_DIR} ssl-ciphers.bro                 policy/ssl-index)
+rest_target(${psd} protocols/dns/auth-addl.bro)
-rest_target(${POLICY_SRC_DIR} ssl-errors.bro                  policy/ssl-index)
+rest_target(${psd} protocols/dns/base.bro)
-rest_target(${POLICY_SRC_DIR} ssl.bro                         policy/ssl-index)
+rest_target(${psd} protocols/dns/consts.bro)
 rest_target(${psd} protocols/dns/detect.bro)
-rest_target(${POLICY_SRC_DIR} utils/pattern.bro               user)
+rest_target(${psd} protocols/ftp/base.bro)
-rest_target(${POLICY_SRC_DIR} weird.bro                       user)
+rest_target(${psd} protocols/ftp/detect.bro)
 rest_target(${psd} protocols/ftp/file-extract.bro)
 rest_target(${psd} protocols/ftp/software.bro)
 rest_target(${psd} protocols/ftp/utils-commands.bro)
-# Finding out what scripts bro will generate documentation for by default
+rest_target(${psd} protocols/http/base.bro)
-# can be done like: `bro --doc-scripts --exec ""`
+rest_target(${psd} protocols/http/detect-intel.bro)
-rest_target(${POLICY_SRC_DIR} bro.init                         default)
+rest_target(${psd} protocols/http/detect-sqli.bro)
-rest_target(${POLICY_SRC_DIR} logging-ascii.bro                default)
+rest_target(${psd} protocols/http/detect-webapps.bro)
-rest_target(${POLICY_SRC_DIR} logging.bro                      default)
+rest_target(${psd} protocols/http/file-extract.bro)
-rest_target(${POLICY_SRC_DIR} pcap.bro                         default)
+rest_target(${psd} protocols/http/file-hash.bro)
-rest_target(${POLICY_SRC_DIR} server-ports.bro                 default)
+rest_target(${psd} protocols/http/file-ident.bro)
-rest_target(${CMAKE_BINARY_DIR}/src bro.bif.bro                bifs)
+rest_target(${psd} protocols/http/headers.bro)
-rest_target(${CMAKE_BINARY_DIR}/src const.bif.bro              bifs)
+rest_target(${psd} protocols/http/software.bro)
-rest_target(${CMAKE_BINARY_DIR}/src event.bif.bro              bifs)
+rest_target(${psd} protocols/http/utils.bro)
-rest_target(${CMAKE_BINARY_DIR}/src logging.bif.bro            bifs)
+rest_target(${psd} protocols/http/var-extraction-cookies.bro)
-rest_target(${CMAKE_BINARY_DIR}/src strings.bif.bro            bifs)
+rest_target(${psd} protocols/http/var-extraction-uri.bro)
-rest_target(${CMAKE_BINARY_DIR}/src types.bif.bro              bifs)
+
 rest_target(${psd} protocols/irc/base.bro)
 rest_target(${psd} protocols/irc/dcc-send.bro)
 rest_target(${psd} protocols/mime/base.bro)
 rest_target(${psd} protocols/mime/file-extract.bro)
 rest_target(${psd} protocols/mime/file-hash.bro)
 rest_target(${psd} protocols/mime/file-ident.bro)
 rest_target(${psd} protocols/smtp/base.bro)
 rest_target(${psd} protocols/smtp/detect.bro)
 rest_target(${psd} protocols/smtp/software.bro)
 rest_target(${psd} protocols/ssh/base.bro)
 rest_target(${psd} protocols/ssh/software.bro)
 #rest_target(${psd} protocols/ssl/base.bro)
 #rest_target(${psd} protocols/ssl/ssl-ciphers.bro)
 #rest_target(${psd} protocols/ssl/ssl-errors.bro)
 #rest_target(${psd} protocols/ssl/ssl.bro)
 #rest_target(${psd} protocols/ssl/validate.bro)
 rest_target(${psd} protocols/syslog/base.bro)
 rest_target(${psd} protocols/syslog/consts.bro)
 rest_target(${psd} tuning/defaults/packet-fragments.bro)
 rest_target(${psd} tuning/defaults/remove-high-volume-notices.bro)
 rest_target(${psd} tuning/track-all-assets.bro)
 rest_target(${psd} utils/addrs.bro)
 rest_target(${psd} utils/conn_ids.bro)
 rest_target(${psd} utils/directions-and-hosts.bro)
 rest_target(${psd} utils/files.bro)
 rest_target(${psd} utils/numbers.bro)
 rest_target(${psd} utils/paths.bro)
 rest_target(${psd} utils/pattern.bro)
 rest_target(${psd} utils/strings.bro)
 rest_target(${psd} utils/thresholds.bro)
 # create temporary list of all docs to include in the master policy/index file
 file(WRITE ${CMAKE_CURRENT_BINARY_DIR}/tmp_policy_index
--- a/doc/scripts/source/index.rst
+++ b/doc/scripts/source/index.rst
@ -13,7 +13,6 @@ Contents:
   builtins
   default
   bifs
   user
   policy/dns-index
   policy/ftp-index
   policy/http-index
--- a/doc/scripts/source/user.rst
+++ b/doc/scripts/source/user.rst
@ -1,5 +0,0 @@
 .. This is a stub doc to which the build process can append.
 Other User-Facing Policy Scripts
 ================================
--- a/src/BroDoc.cc
+++ b/src/BroDoc.cc
@ -3,9 +3,11 @@
 #include <string>
 #include <list>
 #include <algorithm>
 #include <libgen.h>
 #include "BroDoc.h"
 #include "BroDocObj.h"
 #include "util.h"
 BroDoc::BroDoc(const std::string& rel, const std::string& abs)
 	{
@ -15,25 +17,19 @@ BroDoc::BroDoc(const std::string& rel, const std::string& abs)
 	else
 		source_filename = abs.substr(f_pos + 1);
-	if ( rel == abs )
+	if ( rel[0] == '/' || rel[0] == '.' )
 		{
-		// The Bro script must have been loaded from an explicit path,
+		// The Bro script must not be on a subpath of the policy/ dir of
-		// so just use the basename as the document title
+		// BROPATH, so just use the basename as the document title
 		doc_title = source_filename;
 		}
 	else
 		{
-		// Must have relied on BROPATH to load the script, keep the relative
+		// keep the relative directory as part of the document title
-		// directory as part of the source file name
+		if ( rel.size() == 0 || rel[rel.size() - 1] == '/' )
-		size_t ext_pos = rel.find_last_of('.');
+			doc_title = rel + source_filename;
 		std::string rel_ext = rel.substr(ext_pos + 1);
 		ext_pos = abs.find_last_of('.');
 		std::string abs_ext = abs.substr(ext_pos + 1);
 		if ( rel_ext == abs_ext || std::string::npos == ext_pos )
 			doc_title = rel;
 		else
-			doc_title = rel + "." + abs_ext;
+			doc_title = rel + "/" + source_filename;
 		}
 	reST_filename = doc_title;
@ -46,24 +42,6 @@ BroDoc::BroDoc(const std::string& rel, const std::string& abs)
 	reST_filename = doc_title.substr(0, ext_pos);
 	reST_filename += ".rst";
 /*
 	// if the bro source file is being loaded from a relative path,
 	// re-create that directory tree to store the output
 	size_t f_pos = reST_filename.find_last_of('/');
 	if ( std::string::npos != f_pos )
 		{
 		std::string outdir = reST_filename.substr(0, f_pos);
 		std::string subdir;
 		while ( ! outdir.empty() )
 			{
 			size_t pos = outdir.find_first_of('/');
 			if ( pos != std::string::npos ) pos++;
 			subdir += outdir.substr(0, pos);
 			outdir.erase(0, pos);
 			ensure_dir(subdir.c_str());
 			}
 		}
 */
 	// Instead of re-creating the directory hierarchy based on related
 	// loads, just replace the directory separatories such that the reST
 	// output will all be placed in a flat directory (the working dir).
@ -76,7 +54,7 @@ BroDoc::BroDoc(const std::string& rel, const std::string& abs)
 #ifdef DEBUG
 	fprintf(stdout, "Documenting absolute source: %s\n", abs.c_str());
-	fprintf(stdout, "\trelative load: %s\n", rel.c_str());
+	fprintf(stdout, "\trelative dir: %s\n", rel.c_str());
 	fprintf(stdout, "\tdoc title: %s\n", doc_title.c_str());
 	fprintf(stdout, "\tbro file: %s\n", source_filename.c_str());
 	fprintf(stdout, "\trst file: %s\n", reST_filename.c_str());
@ -93,12 +71,60 @@ BroDoc::~BroDoc()
 void BroDoc::AddImport(const std::string& s)
 	{
-	size_t ext_pos = s.find_last_of('.');
+	std::string lname(s);
 	// first strip any .bro extension
 	size_t ext_pos = lname.find(".bro");
 	if ( ext_pos != std::string::npos )
 		lname = lname.substr(0, ext_pos);
-	if ( ext_pos == std::string::npos )
+	const char* full_filename = "<error>";
-		imports.push_back(s);
+	const char* subpath = "<error>";
 	FILE* f = search_for_file(lname.c_str(), "bro", &full_filename, true,
 	                          &subpath);
 	if ( f )
 		{
 		fclose(f);
 		char* tmp = copy_string(full_filename);
 		char* filename = basename(tmp);
 		extern char* PACKAGE_LOADER;
 		if ( streq(filename, PACKAGE_LOADER) )
 			{
 			// link to the package's index
 			// TODO: check that this works
 			string pkg(subpath);
 			pkg += "/index";
 			imports.push_back(pkg);
 			}
 		else
 			{
 			if ( subpath[0] == '/' || subpath[0] == '.' )
 				{
 				// it's not a subpath of policy/, so just add the name of it
 				// as it's given in the @load directive
 				imports.push_back(lname);
 				}
 			else
 				{
 				// combine the base file name of script in the @load directive
 				// with the subpath of BROPATH's policy/ directory
 				string fname(subpath);
 				char* othertmp = copy_string(lname.c_str());
 				fname.append("/").append(basename(othertmp));
 				imports.push_back(fname);
 				delete [] othertmp;
 				}
 			}
 		delete [] tmp;
 		delete [] full_filename;
 		delete [] subpath;
 		}
 	else
-		imports.push_back(s.substr(0, ext_pos));
+		fprintf(stderr, "Failed to document '@load %s' in file: %s\n",
 		        s.c_str(), reST_filename.c_str());
 	}
 void BroDoc::SetPacketFilter(const std::string& s)
--- a/src/BroDoc.h
+++ b/src/BroDoc.h
@ -24,9 +24,11 @@ public:
 	 * If the filename doesn't end in ".bro", then ".rst" is just appended.
 	 * Any '/' characters in the reST file name that result from choice of
 	 * the 'rel' parameter are replaced with '^'.
-	 * @param rel A string representing the path relative to BROPATH off of
+	 * @param subpath A string representing a subpath of BROPATH's policy/
-	 *        which the source file is loaded or generally any filesystem
+	 *        directory in which the source file is located.  It can
-	 *        path to a Bro script.  May or may not have .bro file extension.
+	 *        also be full path to the file or a full path that's in BROPATH,
 	 *        but in either of those cases, the parameter is essentially
 	 *        ignored and the document title is just derived from file name
 	 * @param abs The absolute path to the Bro script for which to generate
 	 *        documentation.
 	 */
--- a/src/Debug.cc
+++ b/src/Debug.cc
@ -343,7 +343,7 @@ vector<ParseLocationRec> parse_location_string(const string& s)
 				plr.type = plrUnknown;
 			FILE* throwaway = search_for_file(filename.c_str(), "bro",
-								&full_filename, true);
+								&full_filename, true, 0);
 			if ( ! throwaway )
 				{
 				debug_msg("No such policy file: %s.\n", filename.c_str());
--- a/src/OSFinger.cc
+++ b/src/OSFinger.cc
@ -295,7 +295,7 @@ void OSFingerprint::load_config(const char* file)
  uint32 ln=0;
  char buf[MAXLINE];
  char* p;
-  FILE* c = search_for_file( file, "osf", 0, false);
+  FILE* c = search_for_file( file, "osf", 0, false, 0);
  if (!c)
    {
--- a/src/RuleMatcher.cc
+++ b/src/RuleMatcher.cc
@ -197,7 +197,7 @@ bool RuleMatcher::ReadFiles(const name_list& files)
 	for ( int i = 0; i < files.length(); ++i )
 		{
-		rules_in = search_for_file( files[i], "sig", 0, false);
+		rules_in = search_for_file( files[i], "sig", 0, false, 0);
 		if ( ! rules_in )
 			{
 			error("Can't open signature file", files[i]);
--- a/src/scan.l
+++ b/src/scan.l
@ -348,7 +348,7 @@ when	return TOK_WHEN;
 	// All we have to do is pretend we've already scanned it.
 	const char* full_filename;
-	FILE* f = search_for_file(new_file, "bro", &full_filename, true);
+	FILE* f = search_for_file(new_file, "bro", &full_filename, true, 0);
 	if ( f )
 		{
@ -537,6 +537,7 @@ static int load_files_with_prefix(const char* orig_file)
 		const char* prefix = prefixes[i];
 		const char* full_filename = "<internal error>";
 		const char* bropath_subpath = "<internal error>";
 		FILE* f;
 		if ( streq(orig_file, "-") )
@ -561,7 +562,7 @@ static int load_files_with_prefix(const char* orig_file)
 			else
 				strcpy(new_filename, orig_file);
-			f = search_for_file(new_filename, "bro", &full_filename, true);
+			f = search_for_file(new_filename, "bro", &full_filename, true, &bropath_subpath);
 			delete [] new_filename;
 			}
@ -576,6 +577,7 @@ static int load_files_with_prefix(const char* orig_file)
 					{
 					fclose(f);
 					delete [] full_filename;
 					delete [] bropath_subpath;
 					return 0;
 					}
 				}
@ -621,10 +623,12 @@ static int load_files_with_prefix(const char* orig_file)
 			if ( generate_documentation )
 				{
-				current_reST_doc = new BroDoc(orig_file, full_filename);
+				current_reST_doc = new BroDoc(bropath_subpath, full_filename);
 				docs_generated.push_back(current_reST_doc);
 				}
 			delete [] bropath_subpath;
 			// "orig_file", could be an alias for yytext, which is ephemeral
 			//  and will be zapped after the yy_switch_to_buffer() below.
 			yy_switch_to_buffer(yy_create_buffer(f, YY_BUF_SIZE));
--- a/src/util.cc
+++ b/src/util.cc
@ -26,6 +26,7 @@
 #include <stdarg.h>
 #include <errno.h>
 #include <signal.h>
 #include <libgen.h>
 #ifdef HAVE_MALLINFO
 # include <malloc.h>
@ -881,7 +882,7 @@ const char* bro_prefixes()
 	return p;
 	}
-static const char* PACKAGE_LOADER = "__load__.bro";
+const char* PACKAGE_LOADER = "__load__.bro";
 // If filename is pointing to a directory that contains a file called
 // PACKAGE_LOADER, returns the files path. Otherwise returns filename itself.
@ -915,11 +916,73 @@ FILE* open_file(const char* filename, const char** full_filename, bool load_pkgs
 	return f;
 	}
 // Returns the subpath of BROPATH's policy/ directory in which the loaded
 // file in located.  If it's not under a subpath of policy/ then the full
 // path is returned, else the subpath of policy/ concatentated with any
 // directory prefix of the file is returned.
 void get_policy_subpath(const char* dir, const char* file, const char** subpath)
 	{
 	// first figure out if this is a subpath of policy/
 	const char* ploc = strstr(dir, "policy");
 	if ( ploc )
 		if ( ploc[6] == '\0' )
 			*subpath = copy_string(ploc + 6);
 		else if ( ploc[6] == '/' )
 			*subpath = copy_string(ploc + 7);
 		else
 			*subpath = copy_string(dir);
 	else
 		*subpath = copy_string(dir);
 	// and now add any directory parts of the filename
 	char full_filename_buf[1024];
 	safe_snprintf(full_filename_buf, sizeof(full_filename_buf),
 			"%s/%s", dir, file);
 	char* tmp = copy_string(file);
 	const char* fdir = 0;
 	if ( is_dir(full_filename_buf) )
 		fdir = file;
 	if ( ! fdir )
 		fdir = dirname(tmp);
 	if ( ! streq(fdir, ".") )
 		{
 		size_t full_subpath_len = strlen(*subpath) + strlen(fdir) + 1;
 		bool needslash = false;
 		if ( strlen(*subpath) != 0 && (*subpath)[strlen(*subpath) - 1] != '/' )
 			{
 			++full_subpath_len;
 			needslash = true;
 			}
 		char* full_subpath = new char[full_subpath_len];
 		strcpy(full_subpath, *subpath);
 		if ( needslash )
 			strcat(full_subpath, "/");
 		strcat(full_subpath, fdir);
 		delete [] *subpath;
 		*subpath = full_subpath;
 		}
 	delete [] tmp;
 	}
 FILE* search_for_file(const char* filename, const char* ext,
-			const char** full_filename, bool load_pkgs)
+			const char** full_filename, bool load_pkgs,
 			const char** bropath_subpath)
 	{
 	if ( filename[0] == '/' || filename[0] == '.' )
 		{
 		if ( bropath_subpath )
 			{
 			char* tmp = copy_string(filename);
 			*bropath_subpath = copy_string(dirname(tmp));
 			delete [] tmp;
 			}
 		return open_file(filename, full_filename, load_pkgs);
 		}
 	char path[1024], full_filename_buf[1024];
 	safe_strncpy(path, bro_path(), sizeof(path));
@ -942,18 +1005,32 @@ FILE* search_for_file(const char* filename, const char* ext,
 				"%s/%s.%s", dir_beginning, filename, ext);
 		if ( access(full_filename_buf, R_OK) == 0 &&
 		     ! is_dir(full_filename_buf) )
 			{
 			if ( bropath_subpath )
 				get_policy_subpath(dir_beginning, filename, bropath_subpath);
 			return open_file(full_filename_buf, full_filename, load_pkgs);
 			}
 		safe_snprintf(full_filename_buf, sizeof(full_filename_buf),
 				"%s/%s", dir_beginning, filename);
 		if ( access(full_filename_buf, R_OK) == 0 )
 			{
 			if ( bropath_subpath )
 				get_policy_subpath(dir_beginning, filename, bropath_subpath);
 			return open_file(full_filename_buf, full_filename, load_pkgs);
 			}
 		dir_beginning = ++dir_ending;
 		}
 	if ( full_filename )
 		*full_filename = copy_string(filename);
 	if ( bropath_subpath )
 			{
 			char* tmp = copy_string(filename);
 			*bropath_subpath = copy_string(dirname(tmp));
 			delete [] tmp;
 			}
 	return 0;
 	}
--- a/src/util.h
+++ b/src/util.h
@ -189,8 +189,9 @@ extern int int_list_cmp(const void* v1, const void* v2);
 extern const char* bro_path();
 extern const char* bro_prefixes();
 void get_policy_subpath(const char* dir, const char* file, const char** subpath);
 extern FILE* search_for_file(const char* filename, const char* ext,
-	const char** full_filename, bool load_pkgs);
+	const char** full_filename, bool load_pkgs, const char** bropath_subpath);
 // Renames the given file to a new temporary name, and opens a new file with
 // the original name. Returns new file or NULL on error. Inits rotate_info if
--- a/testing/btest/Baseline/core.conn-uid/output
+++ b/testing/btest/Baseline/core.conn-uid/output
@ -1,39 +1,39 @@
 [orig_h=141.142.220.202, orig_p=5353/udp, resp_h=224.0.0.251, resp_p=5353/udp], UWkUyAuUGXf
-[orig_h=141.142.220.50, orig_p=5353/udp, resp_h=224.0.0.251, resp_p=5353/udp], 56gKBmhBBB6
+[orig_h=141.142.220.50, orig_p=5353/udp, resp_h=224.0.0.251, resp_p=5353/udp], 50da4BEzauh
-[orig_h=141.142.220.118, orig_p=35634/tcp, resp_h=208.80.152.2, resp_p=80/tcp], 50da4BEzauh
+[orig_h=141.142.220.118, orig_p=35634/tcp, resp_h=208.80.152.2, resp_p=80/tcp], tdkrEYpj5ja
-[orig_h=141.142.220.118, orig_p=48649/tcp, resp_h=208.80.152.118, resp_p=80/tcp], WUjEZFOdSS
+[orig_h=141.142.220.118, orig_p=48649/tcp, resp_h=208.80.152.118, resp_p=80/tcp], F5XgctwO3Vl
-[orig_h=141.142.220.118, orig_p=48649/tcp, resp_h=208.80.152.118, resp_p=80/tcp], WUjEZFOdSS
+[orig_h=141.142.220.118, orig_p=48649/tcp, resp_h=208.80.152.118, resp_p=80/tcp], F5XgctwO3Vl
-[orig_h=141.142.220.118, orig_p=43927/udp, resp_h=141.142.2.2, resp_p=53/udp], ecqdozAET6c
+[orig_h=141.142.220.118, orig_p=43927/udp, resp_h=141.142.2.2, resp_p=53/udp], svqqNKN9CFj
-[orig_h=141.142.220.118, orig_p=37676/udp, resp_h=141.142.2.2, resp_p=53/udp], tdkrEYpj5ja
+[orig_h=141.142.220.118, orig_p=37676/udp, resp_h=141.142.2.2, resp_p=53/udp], UZkBBvjF0r8
-[orig_h=141.142.220.118, orig_p=40526/udp, resp_h=141.142.2.2, resp_p=53/udp], F5XgctwO3Vl
+[orig_h=141.142.220.118, orig_p=40526/udp, resp_h=141.142.2.2, resp_p=53/udp], nSEQzFk1LZc
-[orig_h=141.142.220.118, orig_p=49996/tcp, resp_h=208.80.152.3, resp_p=80/tcp], svqqNKN9CFj
+[orig_h=141.142.220.118, orig_p=49996/tcp, resp_h=208.80.152.3, resp_p=80/tcp], rmXOq6wncn1
-[orig_h=141.142.220.118, orig_p=49997/tcp, resp_h=208.80.152.3, resp_p=80/tcp], UZkBBvjF0r8
+[orig_h=141.142.220.118, orig_p=49997/tcp, resp_h=208.80.152.3, resp_p=80/tcp], 4YYJTjETe1i
-[orig_h=141.142.220.118, orig_p=32902/udp, resp_h=141.142.2.2, resp_p=53/udp], nSEQzFk1LZc
+[orig_h=141.142.220.118, orig_p=32902/udp, resp_h=141.142.2.2, resp_p=53/udp], OldlyspNIr7
-[orig_h=141.142.220.118, orig_p=59816/udp, resp_h=141.142.2.2, resp_p=53/udp], rmXOq6wncn1
+[orig_h=141.142.220.118, orig_p=59816/udp, resp_h=141.142.2.2, resp_p=53/udp], R8BqVlcp23e
-[orig_h=141.142.220.118, orig_p=59714/udp, resp_h=141.142.2.2, resp_p=53/udp], 4YYJTjETe1i
+[orig_h=141.142.220.118, orig_p=59714/udp, resp_h=141.142.2.2, resp_p=53/udp], duYdXg7bTa3
-[orig_h=141.142.220.118, orig_p=49998/tcp, resp_h=208.80.152.3, resp_p=80/tcp], OldlyspNIr7
+[orig_h=141.142.220.118, orig_p=49998/tcp, resp_h=208.80.152.3, resp_p=80/tcp], yzqaQTU9DXe
-[orig_h=141.142.220.118, orig_p=58206/udp, resp_h=141.142.2.2, resp_p=53/udp], R8BqVlcp23e
+[orig_h=141.142.220.118, orig_p=58206/udp, resp_h=141.142.2.2, resp_p=53/udp], OPM7xFSDNw3
-[orig_h=141.142.220.118, orig_p=38911/udp, resp_h=141.142.2.2, resp_p=53/udp], duYdXg7bTa3
+[orig_h=141.142.220.118, orig_p=38911/udp, resp_h=141.142.2.2, resp_p=53/udp], j5w2LueK8Ti
-[orig_h=141.142.220.118, orig_p=59746/udp, resp_h=141.142.2.2, resp_p=53/udp], yzqaQTU9DXe
+[orig_h=141.142.220.118, orig_p=59746/udp, resp_h=141.142.2.2, resp_p=53/udp], N6rbUGwigQ7
-[orig_h=141.142.220.118, orig_p=49999/tcp, resp_h=208.80.152.3, resp_p=80/tcp], OPM7xFSDNw3
+[orig_h=141.142.220.118, orig_p=49999/tcp, resp_h=208.80.152.3, resp_p=80/tcp], 8b9q7qPtzhd
-[orig_h=141.142.220.118, orig_p=50000/tcp, resp_h=208.80.152.3, resp_p=80/tcp], j5w2LueK8Ti
+[orig_h=141.142.220.118, orig_p=50000/tcp, resp_h=208.80.152.3, resp_p=80/tcp], KOdlL7sC9z2
-[orig_h=141.142.220.118, orig_p=45000/udp, resp_h=141.142.2.2, resp_p=53/udp], N6rbUGwigQ7
+[orig_h=141.142.220.118, orig_p=45000/udp, resp_h=141.142.2.2, resp_p=53/udp], hvOo97vj60k
-[orig_h=141.142.220.118, orig_p=48479/udp, resp_h=141.142.2.2, resp_p=53/udp], 8b9q7qPtzhd
+[orig_h=141.142.220.118, orig_p=48479/udp, resp_h=141.142.2.2, resp_p=53/udp], FHu81uYujA9
-[orig_h=141.142.220.118, orig_p=48128/udp, resp_h=141.142.2.2, resp_p=53/udp], KOdlL7sC9z2
+[orig_h=141.142.220.118, orig_p=48128/udp, resp_h=141.142.2.2, resp_p=53/udp], 2M1wDTa0C7a
-[orig_h=141.142.220.118, orig_p=50001/tcp, resp_h=208.80.152.3, resp_p=80/tcp], hvOo97vj60k
+[orig_h=141.142.220.118, orig_p=50001/tcp, resp_h=208.80.152.3, resp_p=80/tcp], OKiJdtzKWPk
-[orig_h=141.142.220.118, orig_p=56056/udp, resp_h=141.142.2.2, resp_p=53/udp], FHu81uYujA9
+[orig_h=141.142.220.118, orig_p=56056/udp, resp_h=141.142.2.2, resp_p=53/udp], tpUWfNdSLE
-[orig_h=141.142.220.118, orig_p=55092/udp, resp_h=141.142.2.2, resp_p=53/udp], 2M1wDTa0C7a
+[orig_h=141.142.220.118, orig_p=55092/udp, resp_h=141.142.2.2, resp_p=53/udp], ra1C6ZLut4b
-[orig_h=141.142.220.118, orig_p=35642/tcp, resp_h=208.80.152.2, resp_p=80/tcp], OKiJdtzKWPk
+[orig_h=141.142.220.118, orig_p=35642/tcp, resp_h=208.80.152.2, resp_p=80/tcp], UElDH5b9qA5
-[orig_h=141.142.220.118, orig_p=49997/tcp, resp_h=208.80.152.3, resp_p=80/tcp], UZkBBvjF0r8
+[orig_h=141.142.220.118, orig_p=49997/tcp, resp_h=208.80.152.3, resp_p=80/tcp], 4YYJTjETe1i
-[orig_h=141.142.220.118, orig_p=49996/tcp, resp_h=208.80.152.3, resp_p=80/tcp], svqqNKN9CFj
+[orig_h=141.142.220.118, orig_p=49996/tcp, resp_h=208.80.152.3, resp_p=80/tcp], rmXOq6wncn1
-[orig_h=141.142.220.118, orig_p=49998/tcp, resp_h=208.80.152.3, resp_p=80/tcp], OldlyspNIr7
+[orig_h=141.142.220.118, orig_p=49998/tcp, resp_h=208.80.152.3, resp_p=80/tcp], yzqaQTU9DXe
-[orig_h=141.142.220.118, orig_p=50000/tcp, resp_h=208.80.152.3, resp_p=80/tcp], j5w2LueK8Ti
+[orig_h=141.142.220.118, orig_p=50000/tcp, resp_h=208.80.152.3, resp_p=80/tcp], KOdlL7sC9z2
-[orig_h=141.142.220.118, orig_p=49999/tcp, resp_h=208.80.152.3, resp_p=80/tcp], OPM7xFSDNw3
+[orig_h=141.142.220.118, orig_p=49999/tcp, resp_h=208.80.152.3, resp_p=80/tcp], 8b9q7qPtzhd
-[orig_h=141.142.220.118, orig_p=50001/tcp, resp_h=208.80.152.3, resp_p=80/tcp], hvOo97vj60k
+[orig_h=141.142.220.118, orig_p=50001/tcp, resp_h=208.80.152.3, resp_p=80/tcp], OKiJdtzKWPk
-[orig_h=141.142.220.118, orig_p=35642/tcp, resp_h=208.80.152.2, resp_p=80/tcp], OKiJdtzKWPk
+[orig_h=141.142.220.118, orig_p=35642/tcp, resp_h=208.80.152.2, resp_p=80/tcp], UElDH5b9qA5
-[orig_h=141.142.220.235, orig_p=6705/tcp, resp_h=173.192.163.128, resp_p=80/tcp], tpUWfNdSLE
+[orig_h=173.192.163.128, orig_p=80/tcp, resp_h=141.142.220.235, resp_p=6705/tcp], zVecVnfOlsf
-[orig_h=141.142.220.44, orig_p=5353/udp, resp_h=224.0.0.251, resp_p=5353/udp], ra1C6ZLut4b
+[orig_h=141.142.220.44, orig_p=5353/udp, resp_h=224.0.0.251, resp_p=5353/udp], eWnXpPX1c78
-[orig_h=141.142.220.226, orig_p=137/udp, resp_h=141.142.220.255, resp_p=137/udp], UElDH5b9qA5
+[orig_h=141.142.220.226, orig_p=137/udp, resp_h=141.142.220.255, resp_p=137/udp], LgR69jMtmJe
-[orig_h=141.142.220.226, orig_p=55131/udp, resp_h=224.0.0.252, resp_p=5355/udp], sO3mBXBav1h
+[orig_h=141.142.220.226, orig_p=55131/udp, resp_h=224.0.0.252, resp_p=5355/udp], KrFIsOCbrmk
-[orig_h=141.142.220.226, orig_p=55671/udp, resp_h=224.0.0.252, resp_p=5355/udp], xAQqZE8Wdp4
+[orig_h=141.142.220.226, orig_p=55671/udp, resp_h=224.0.0.252, resp_p=5355/udp], SVk7XftAIqb
-[orig_h=141.142.220.238, orig_p=56641/udp, resp_h=141.142.220.255, resp_p=137/udp], zVecVnfOlsf
+[orig_h=141.142.220.238, orig_p=56641/udp, resp_h=141.142.220.255, resp_p=137/udp], pE4ZiaKtRel
--- a/testing/btest/Baseline/core.conn-uid/output.cc
+++ b/testing/btest/Baseline/core.conn-uid/output.cc
@ -1,40 +1,39 @@
 [orig_h=141.142.220.202, orig_p=5353/udp, resp_h=224.0.0.251, resp_p=5353/udp], UWkUyAuUGXf
-[orig_h=141.142.220.50, orig_p=5353/udp, resp_h=224.0.0.251, resp_p=5353/udp], 56gKBmhBBB6
+[orig_h=141.142.220.50, orig_p=5353/udp, resp_h=224.0.0.251, resp_p=5353/udp], 50da4BEzauh
-[orig_h=141.142.220.118, orig_p=35634/tcp, resp_h=208.80.152.2, resp_p=80/tcp], 50da4BEzauh
+[orig_h=141.142.220.118, orig_p=35634/tcp, resp_h=208.80.152.2, resp_p=80/tcp], tdkrEYpj5ja
-[orig_h=141.142.220.118, orig_p=48649/tcp, resp_h=208.80.152.118, resp_p=80/tcp], WUjEZFOdSS
+[orig_h=141.142.220.118, orig_p=48649/tcp, resp_h=208.80.152.118, resp_p=80/tcp], F5XgctwO3Vl
-[orig_h=141.142.220.118, orig_p=48649/tcp, resp_h=208.80.152.118, resp_p=80/tcp], WUjEZFOdSS
+[orig_h=141.142.220.118, orig_p=48649/tcp, resp_h=208.80.152.118, resp_p=80/tcp], F5XgctwO3Vl
-[orig_h=141.142.220.118, orig_p=43927/udp, resp_h=141.142.2.2, resp_p=53/udp], ecqdozAET6c
+[orig_h=141.142.220.118, orig_p=43927/udp, resp_h=141.142.2.2, resp_p=53/udp], svqqNKN9CFj
-[orig_h=141.142.220.118, orig_p=37676/udp, resp_h=141.142.2.2, resp_p=53/udp], tdkrEYpj5ja
+[orig_h=141.142.220.118, orig_p=37676/udp, resp_h=141.142.2.2, resp_p=53/udp], UZkBBvjF0r8
-[orig_h=141.142.220.118, orig_p=40526/udp, resp_h=141.142.2.2, resp_p=53/udp], F5XgctwO3Vl
+[orig_h=141.142.220.118, orig_p=40526/udp, resp_h=141.142.2.2, resp_p=53/udp], nSEQzFk1LZc
-[orig_h=141.142.220.118, orig_p=49996/tcp, resp_h=208.80.152.3, resp_p=80/tcp], svqqNKN9CFj
+[orig_h=141.142.220.118, orig_p=49996/tcp, resp_h=208.80.152.3, resp_p=80/tcp], rmXOq6wncn1
-[orig_h=141.142.220.118, orig_p=49997/tcp, resp_h=208.80.152.3, resp_p=80/tcp], UZkBBvjF0r8
+[orig_h=141.142.220.118, orig_p=49997/tcp, resp_h=208.80.152.3, resp_p=80/tcp], 4YYJTjETe1i
-[orig_h=141.142.220.118, orig_p=32902/udp, resp_h=141.142.2.2, resp_p=53/udp], nSEQzFk1LZc
+[orig_h=141.142.220.118, orig_p=32902/udp, resp_h=141.142.2.2, resp_p=53/udp], OldlyspNIr7
-[orig_h=141.142.220.118, orig_p=59816/udp, resp_h=141.142.2.2, resp_p=53/udp], rmXOq6wncn1
+[orig_h=141.142.220.118, orig_p=59816/udp, resp_h=141.142.2.2, resp_p=53/udp], R8BqVlcp23e
-[orig_h=141.142.220.118, orig_p=59714/udp, resp_h=141.142.2.2, resp_p=53/udp], 4YYJTjETe1i
+[orig_h=141.142.220.118, orig_p=59714/udp, resp_h=141.142.2.2, resp_p=53/udp], duYdXg7bTa3
-[orig_h=141.142.220.118, orig_p=49998/tcp, resp_h=208.80.152.3, resp_p=80/tcp], OldlyspNIr7
+[orig_h=141.142.220.118, orig_p=49998/tcp, resp_h=208.80.152.3, resp_p=80/tcp], yzqaQTU9DXe
-[orig_h=141.142.220.118, orig_p=58206/udp, resp_h=141.142.2.2, resp_p=53/udp], R8BqVlcp23e
+[orig_h=141.142.220.118, orig_p=58206/udp, resp_h=141.142.2.2, resp_p=53/udp], OPM7xFSDNw3
-[orig_h=141.142.220.118, orig_p=38911/udp, resp_h=141.142.2.2, resp_p=53/udp], duYdXg7bTa3
+[orig_h=141.142.220.118, orig_p=38911/udp, resp_h=141.142.2.2, resp_p=53/udp], j5w2LueK8Ti
-[orig_h=141.142.220.118, orig_p=59746/udp, resp_h=141.142.2.2, resp_p=53/udp], yzqaQTU9DXe
+[orig_h=141.142.220.118, orig_p=59746/udp, resp_h=141.142.2.2, resp_p=53/udp], N6rbUGwigQ7
-[orig_h=141.142.220.118, orig_p=49999/tcp, resp_h=208.80.152.3, resp_p=80/tcp], OPM7xFSDNw3
+[orig_h=141.142.220.118, orig_p=49999/tcp, resp_h=208.80.152.3, resp_p=80/tcp], 8b9q7qPtzhd
-[orig_h=141.142.220.118, orig_p=50000/tcp, resp_h=208.80.152.3, resp_p=80/tcp], j5w2LueK8Ti
+[orig_h=141.142.220.118, orig_p=50000/tcp, resp_h=208.80.152.3, resp_p=80/tcp], KOdlL7sC9z2
-[orig_h=141.142.220.118, orig_p=45000/udp, resp_h=141.142.2.2, resp_p=53/udp], N6rbUGwigQ7
+[orig_h=141.142.220.118, orig_p=45000/udp, resp_h=141.142.2.2, resp_p=53/udp], hvOo97vj60k
-[orig_h=141.142.220.118, orig_p=48479/udp, resp_h=141.142.2.2, resp_p=53/udp], 8b9q7qPtzhd
+[orig_h=141.142.220.118, orig_p=48479/udp, resp_h=141.142.2.2, resp_p=53/udp], FHu81uYujA9
-[orig_h=141.142.220.118, orig_p=48128/udp, resp_h=141.142.2.2, resp_p=53/udp], KOdlL7sC9z2
+[orig_h=141.142.220.118, orig_p=48128/udp, resp_h=141.142.2.2, resp_p=53/udp], 2M1wDTa0C7a
-[orig_h=141.142.220.118, orig_p=50001/tcp, resp_h=208.80.152.3, resp_p=80/tcp], hvOo97vj60k
+[orig_h=141.142.220.118, orig_p=50001/tcp, resp_h=208.80.152.3, resp_p=80/tcp], OKiJdtzKWPk
-[orig_h=141.142.220.118, orig_p=56056/udp, resp_h=141.142.2.2, resp_p=53/udp], FHu81uYujA9
+[orig_h=141.142.220.118, orig_p=56056/udp, resp_h=141.142.2.2, resp_p=53/udp], tpUWfNdSLE
-[orig_h=141.142.220.118, orig_p=55092/udp, resp_h=141.142.2.2, resp_p=53/udp], 2M1wDTa0C7a
+[orig_h=141.142.220.118, orig_p=55092/udp, resp_h=141.142.2.2, resp_p=53/udp], ra1C6ZLut4b
-[orig_h=141.142.220.118, orig_p=35642/tcp, resp_h=208.80.152.2, resp_p=80/tcp], OKiJdtzKWPk
+[orig_h=141.142.220.118, orig_p=35642/tcp, resp_h=208.80.152.2, resp_p=80/tcp], UElDH5b9qA5
-[orig_h=141.142.220.118, orig_p=49997/tcp, resp_h=208.80.152.3, resp_p=80/tcp], UZkBBvjF0r8
+[orig_h=141.142.220.118, orig_p=49997/tcp, resp_h=208.80.152.3, resp_p=80/tcp], 4YYJTjETe1i
-[orig_h=141.142.220.118, orig_p=49996/tcp, resp_h=208.80.152.3, resp_p=80/tcp], svqqNKN9CFj
+[orig_h=141.142.220.118, orig_p=49996/tcp, resp_h=208.80.152.3, resp_p=80/tcp], rmXOq6wncn1
-[orig_h=141.142.220.118, orig_p=49998/tcp, resp_h=208.80.152.3, resp_p=80/tcp], OldlyspNIr7
+[orig_h=141.142.220.118, orig_p=49998/tcp, resp_h=208.80.152.3, resp_p=80/tcp], yzqaQTU9DXe
-[orig_h=141.142.220.118, orig_p=50000/tcp, resp_h=208.80.152.3, resp_p=80/tcp], j5w2LueK8Ti
+[orig_h=141.142.220.118, orig_p=50000/tcp, resp_h=208.80.152.3, resp_p=80/tcp], KOdlL7sC9z2
-[orig_h=141.142.220.118, orig_p=49999/tcp, resp_h=208.80.152.3, resp_p=80/tcp], OPM7xFSDNw3
+[orig_h=141.142.220.118, orig_p=49999/tcp, resp_h=208.80.152.3, resp_p=80/tcp], 8b9q7qPtzhd
-[orig_h=141.142.220.118, orig_p=50001/tcp, resp_h=208.80.152.3, resp_p=80/tcp], hvOo97vj60k
+[orig_h=141.142.220.118, orig_p=50001/tcp, resp_h=208.80.152.3, resp_p=80/tcp], OKiJdtzKWPk
-[orig_h=141.142.220.118, orig_p=35642/tcp, resp_h=208.80.152.2, resp_p=80/tcp], OKiJdtzKWPk
+[orig_h=141.142.220.118, orig_p=35642/tcp, resp_h=208.80.152.2, resp_p=80/tcp], UElDH5b9qA5
-[orig_h=141.142.220.235, orig_p=6705/tcp, resp_h=173.192.163.128, resp_p=80/tcp], tpUWfNdSLE
+[orig_h=173.192.163.128, orig_p=80/tcp, resp_h=141.142.220.235, resp_p=6705/tcp], zVecVnfOlsf
-[orig_h=141.142.220.235, orig_p=6705/tcp, resp_h=173.192.163.128, resp_p=80/tcp], tpUWfNdSLE
+[orig_h=141.142.220.44, orig_p=5353/udp, resp_h=224.0.0.251, resp_p=5353/udp], eWnXpPX1c78
-[orig_h=141.142.220.44, orig_p=5353/udp, resp_h=224.0.0.251, resp_p=5353/udp], ra1C6ZLut4b
+[orig_h=141.142.220.226, orig_p=137/udp, resp_h=141.142.220.255, resp_p=137/udp], LgR69jMtmJe
-[orig_h=141.142.220.226, orig_p=137/udp, resp_h=141.142.220.255, resp_p=137/udp], UElDH5b9qA5
+[orig_h=141.142.220.226, orig_p=55131/udp, resp_h=224.0.0.252, resp_p=5355/udp], KrFIsOCbrmk
-[orig_h=141.142.220.226, orig_p=55131/udp, resp_h=224.0.0.252, resp_p=5355/udp], sO3mBXBav1h
+[orig_h=141.142.220.226, orig_p=55671/udp, resp_h=224.0.0.252, resp_p=5355/udp], SVk7XftAIqb
-[orig_h=141.142.220.226, orig_p=55671/udp, resp_h=224.0.0.252, resp_p=5355/udp], xAQqZE8Wdp4
+[orig_h=141.142.220.238, orig_p=56641/udp, resp_h=141.142.220.255, resp_p=137/udp], pE4ZiaKtRel
 [orig_h=141.142.220.238, orig_p=56641/udp, resp_h=141.142.220.255, resp_p=137/udp], zVecVnfOlsf
--- a/testing/btest/Baseline/core.conn-uid/output.cc2
+++ b/testing/btest/Baseline/core.conn-uid/output.cc2
@ -1,39 +1,39 @@
 [orig_h=141.142.220.202, orig_p=5353/udp, resp_h=224.0.0.251, resp_p=5353/udp], UWkUyAuUGXf
-[orig_h=141.142.220.50, orig_p=5353/udp, resp_h=224.0.0.251, resp_p=5353/udp], 56gKBmhBBB6
+[orig_h=141.142.220.50, orig_p=5353/udp, resp_h=224.0.0.251, resp_p=5353/udp], 50da4BEzauh
-[orig_h=141.142.220.118, orig_p=35634/tcp, resp_h=208.80.152.2, resp_p=80/tcp], 50da4BEzauh
+[orig_h=141.142.220.118, orig_p=35634/tcp, resp_h=208.80.152.2, resp_p=80/tcp], tdkrEYpj5ja
-[orig_h=141.142.220.118, orig_p=48649/tcp, resp_h=208.80.152.118, resp_p=80/tcp], WUjEZFOdSS
+[orig_h=141.142.220.118, orig_p=48649/tcp, resp_h=208.80.152.118, resp_p=80/tcp], F5XgctwO3Vl
-[orig_h=141.142.220.118, orig_p=48649/tcp, resp_h=208.80.152.118, resp_p=80/tcp], WUjEZFOdSS
+[orig_h=141.142.220.118, orig_p=48649/tcp, resp_h=208.80.152.118, resp_p=80/tcp], F5XgctwO3Vl
-[orig_h=141.142.220.118, orig_p=43927/udp, resp_h=141.142.2.2, resp_p=53/udp], ecqdozAET6c
+[orig_h=141.142.220.118, orig_p=43927/udp, resp_h=141.142.2.2, resp_p=53/udp], svqqNKN9CFj
-[orig_h=141.142.220.118, orig_p=37676/udp, resp_h=141.142.2.2, resp_p=53/udp], tdkrEYpj5ja
+[orig_h=141.142.220.118, orig_p=37676/udp, resp_h=141.142.2.2, resp_p=53/udp], UZkBBvjF0r8
-[orig_h=141.142.220.118, orig_p=40526/udp, resp_h=141.142.2.2, resp_p=53/udp], F5XgctwO3Vl
+[orig_h=141.142.220.118, orig_p=40526/udp, resp_h=141.142.2.2, resp_p=53/udp], nSEQzFk1LZc
-[orig_h=141.142.220.118, orig_p=49996/tcp, resp_h=208.80.152.3, resp_p=80/tcp], svqqNKN9CFj
+[orig_h=141.142.220.118, orig_p=49996/tcp, resp_h=208.80.152.3, resp_p=80/tcp], rmXOq6wncn1
-[orig_h=141.142.220.118, orig_p=49997/tcp, resp_h=208.80.152.3, resp_p=80/tcp], UZkBBvjF0r8
+[orig_h=141.142.220.118, orig_p=49997/tcp, resp_h=208.80.152.3, resp_p=80/tcp], 4YYJTjETe1i
-[orig_h=141.142.220.118, orig_p=32902/udp, resp_h=141.142.2.2, resp_p=53/udp], nSEQzFk1LZc
+[orig_h=141.142.220.118, orig_p=32902/udp, resp_h=141.142.2.2, resp_p=53/udp], OldlyspNIr7
-[orig_h=141.142.220.118, orig_p=59816/udp, resp_h=141.142.2.2, resp_p=53/udp], rmXOq6wncn1
+[orig_h=141.142.220.118, orig_p=59816/udp, resp_h=141.142.2.2, resp_p=53/udp], R8BqVlcp23e
-[orig_h=141.142.220.118, orig_p=59714/udp, resp_h=141.142.2.2, resp_p=53/udp], 4YYJTjETe1i
+[orig_h=141.142.220.118, orig_p=59714/udp, resp_h=141.142.2.2, resp_p=53/udp], duYdXg7bTa3
-[orig_h=141.142.220.118, orig_p=49998/tcp, resp_h=208.80.152.3, resp_p=80/tcp], OldlyspNIr7
+[orig_h=141.142.220.118, orig_p=49998/tcp, resp_h=208.80.152.3, resp_p=80/tcp], yzqaQTU9DXe
-[orig_h=141.142.220.118, orig_p=58206/udp, resp_h=141.142.2.2, resp_p=53/udp], R8BqVlcp23e
+[orig_h=141.142.220.118, orig_p=58206/udp, resp_h=141.142.2.2, resp_p=53/udp], OPM7xFSDNw3
-[orig_h=141.142.220.118, orig_p=38911/udp, resp_h=141.142.2.2, resp_p=53/udp], duYdXg7bTa3
+[orig_h=141.142.220.118, orig_p=38911/udp, resp_h=141.142.2.2, resp_p=53/udp], j5w2LueK8Ti
-[orig_h=141.142.220.118, orig_p=59746/udp, resp_h=141.142.2.2, resp_p=53/udp], yzqaQTU9DXe
+[orig_h=141.142.220.118, orig_p=59746/udp, resp_h=141.142.2.2, resp_p=53/udp], N6rbUGwigQ7
-[orig_h=141.142.220.118, orig_p=49999/tcp, resp_h=208.80.152.3, resp_p=80/tcp], OPM7xFSDNw3
+[orig_h=141.142.220.118, orig_p=49999/tcp, resp_h=208.80.152.3, resp_p=80/tcp], 8b9q7qPtzhd
-[orig_h=141.142.220.118, orig_p=50000/tcp, resp_h=208.80.152.3, resp_p=80/tcp], j5w2LueK8Ti
+[orig_h=141.142.220.118, orig_p=50000/tcp, resp_h=208.80.152.3, resp_p=80/tcp], KOdlL7sC9z2
-[orig_h=141.142.220.118, orig_p=45000/udp, resp_h=141.142.2.2, resp_p=53/udp], N6rbUGwigQ7
+[orig_h=141.142.220.118, orig_p=45000/udp, resp_h=141.142.2.2, resp_p=53/udp], hvOo97vj60k
-[orig_h=141.142.220.118, orig_p=48479/udp, resp_h=141.142.2.2, resp_p=53/udp], 8b9q7qPtzhd
+[orig_h=141.142.220.118, orig_p=48479/udp, resp_h=141.142.2.2, resp_p=53/udp], FHu81uYujA9
-[orig_h=141.142.220.118, orig_p=48128/udp, resp_h=141.142.2.2, resp_p=53/udp], KOdlL7sC9z2
+[orig_h=141.142.220.118, orig_p=48128/udp, resp_h=141.142.2.2, resp_p=53/udp], 2M1wDTa0C7a
-[orig_h=141.142.220.118, orig_p=50001/tcp, resp_h=208.80.152.3, resp_p=80/tcp], hvOo97vj60k
+[orig_h=141.142.220.118, orig_p=50001/tcp, resp_h=208.80.152.3, resp_p=80/tcp], OKiJdtzKWPk
-[orig_h=141.142.220.118, orig_p=56056/udp, resp_h=141.142.2.2, resp_p=53/udp], FHu81uYujA9
+[orig_h=141.142.220.118, orig_p=56056/udp, resp_h=141.142.2.2, resp_p=53/udp], tpUWfNdSLE
-[orig_h=141.142.220.118, orig_p=55092/udp, resp_h=141.142.2.2, resp_p=53/udp], 2M1wDTa0C7a
+[orig_h=141.142.220.118, orig_p=55092/udp, resp_h=141.142.2.2, resp_p=53/udp], ra1C6ZLut4b
-[orig_h=141.142.220.118, orig_p=35642/tcp, resp_h=208.80.152.2, resp_p=80/tcp], OKiJdtzKWPk
+[orig_h=141.142.220.118, orig_p=35642/tcp, resp_h=208.80.152.2, resp_p=80/tcp], UElDH5b9qA5
-[orig_h=141.142.220.118, orig_p=49997/tcp, resp_h=208.80.152.3, resp_p=80/tcp], UZkBBvjF0r8
+[orig_h=141.142.220.118, orig_p=49997/tcp, resp_h=208.80.152.3, resp_p=80/tcp], 4YYJTjETe1i
-[orig_h=141.142.220.118, orig_p=49996/tcp, resp_h=208.80.152.3, resp_p=80/tcp], svqqNKN9CFj
+[orig_h=141.142.220.118, orig_p=49996/tcp, resp_h=208.80.152.3, resp_p=80/tcp], rmXOq6wncn1
-[orig_h=141.142.220.118, orig_p=49998/tcp, resp_h=208.80.152.3, resp_p=80/tcp], OldlyspNIr7
+[orig_h=141.142.220.118, orig_p=49998/tcp, resp_h=208.80.152.3, resp_p=80/tcp], yzqaQTU9DXe
-[orig_h=141.142.220.118, orig_p=50000/tcp, resp_h=208.80.152.3, resp_p=80/tcp], j5w2LueK8Ti
+[orig_h=141.142.220.118, orig_p=50000/tcp, resp_h=208.80.152.3, resp_p=80/tcp], KOdlL7sC9z2
-[orig_h=141.142.220.118, orig_p=49999/tcp, resp_h=208.80.152.3, resp_p=80/tcp], OPM7xFSDNw3
+[orig_h=141.142.220.118, orig_p=49999/tcp, resp_h=208.80.152.3, resp_p=80/tcp], 8b9q7qPtzhd
-[orig_h=141.142.220.118, orig_p=50001/tcp, resp_h=208.80.152.3, resp_p=80/tcp], hvOo97vj60k
+[orig_h=141.142.220.118, orig_p=50001/tcp, resp_h=208.80.152.3, resp_p=80/tcp], OKiJdtzKWPk
-[orig_h=141.142.220.118, orig_p=35642/tcp, resp_h=208.80.152.2, resp_p=80/tcp], OKiJdtzKWPk
+[orig_h=141.142.220.118, orig_p=35642/tcp, resp_h=208.80.152.2, resp_p=80/tcp], UElDH5b9qA5
-[orig_h=141.142.220.235, orig_p=6705/tcp, resp_h=173.192.163.128, resp_p=80/tcp], tpUWfNdSLE
+[orig_h=173.192.163.128, orig_p=80/tcp, resp_h=141.142.220.235, resp_p=6705/tcp], zVecVnfOlsf
-[orig_h=141.142.220.44, orig_p=5353/udp, resp_h=224.0.0.251, resp_p=5353/udp], ra1C6ZLut4b
+[orig_h=141.142.220.44, orig_p=5353/udp, resp_h=224.0.0.251, resp_p=5353/udp], eWnXpPX1c78
-[orig_h=141.142.220.226, orig_p=137/udp, resp_h=141.142.220.255, resp_p=137/udp], UElDH5b9qA5
+[orig_h=141.142.220.226, orig_p=137/udp, resp_h=141.142.220.255, resp_p=137/udp], LgR69jMtmJe
-[orig_h=141.142.220.226, orig_p=55131/udp, resp_h=224.0.0.252, resp_p=5355/udp], sO3mBXBav1h
+[orig_h=141.142.220.226, orig_p=55131/udp, resp_h=224.0.0.252, resp_p=5355/udp], KrFIsOCbrmk
-[orig_h=141.142.220.226, orig_p=55671/udp, resp_h=224.0.0.252, resp_p=5355/udp], xAQqZE8Wdp4
+[orig_h=141.142.220.226, orig_p=55671/udp, resp_h=224.0.0.252, resp_p=5355/udp], SVk7XftAIqb
-[orig_h=141.142.220.238, orig_p=56641/udp, resp_h=141.142.220.255, resp_p=137/udp], zVecVnfOlsf
+[orig_h=141.142.220.238, orig_p=56641/udp, resp_h=141.142.220.255, resp_p=137/udp], pE4ZiaKtRel
--- a/testing/btest/Baseline/core.load-unload/output
+++ b/testing/btest/Baseline/core.load-unload/output
@ -1,12 +0,0 @@
 loading /Users/jsiwek/tmp/bro/policy/bro.init
   loading /Users/jsiwek/tmp/bro/build/src/const.bif.bro
   loading /Users/jsiwek/tmp/bro/build/src/types.bif.bro
   loading /Users/jsiwek/tmp/bro/build/src/strings.bif.bro
   loading /Users/jsiwek/tmp/bro/build/src/bro.bif.bro
   loading /Users/jsiwek/tmp/bro/policy/logging.bro
      loading /Users/jsiwek/tmp/bro/build/src/logging.bif.bro
   loading /Users/jsiwek/tmp/bro/policy/logging-ascii.bro
   loading /Users/jsiwek/tmp/bro/build/src/event.bif.bro
   loading /Users/jsiwek/tmp/bro/policy/pcap.bro
   loading /Users/jsiwek/tmp/bro/policy/server-ports.bro
 loading /Users/jsiwek/tmp/bro/testing/btest/.tmp/core.load-unload/load-unload.bro
--- a/testing/btest/Baseline/core.vlan-mpls/conn.log
+++ b/testing/btest/Baseline/core.vlan-mpls/conn.log
@ -1,4 +1,4 @@
 # ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	missed_bytes	history	notice_tags
 952109346.874907	UWkUyAuUGXf	10.1.2.1	11001	10.34.0.1	23	tcp	-	2.10255992412567	25	0	SH	-	0	-	-
-1128727435.4509	56gKBmhBBB6	141.42.64.125	56730	125.190.109.199	80	tcp	-	1.73330307006836	98	9417	SF	-	0	ShADdFaf	-
+1128727435.4509	50da4BEzauh	141.42.64.125	56730	125.190.109.199	80	tcp	-	1.73330307006836	98	9417	SF	-	0	ShADdFaf	-
-1278600802.06942	50da4BEzauh	10.20.80.1	50343	10.0.0.15	80	tcp	-	0.00415205955505371	9	3429	SF	-	0	ShADadfF	-
+1278600802.06942	WUjEZFOdSS	10.20.80.1	50343	10.0.0.15	80	tcp	-	0.00415205955505371	9	3429	SF	-	0	ShADadfF	-
--- a/testing/btest/Baseline/doc.autogen-reST-example/example.rst
+++ b/testing/btest/Baseline/doc.autogen-reST-example/example.rst
@ -29,7 +29,7 @@ each of "columns", "event", "filter" depending on exactly what it's doing.
 :Author: Jon Siwek <jsiwek@ncsa.illinois.edu>
-:Imports: :doc:`notice </policy/notice>`
+:Imports: :doc:`frameworks/notice/index </policy/frameworks/notice/index>`
 Summary
 ~~~~~~~
--- a/testing/btest/Baseline/policy.frameworks.logging.rotate-custom/out
+++ b/testing/btest/Baseline/policy.frameworks.logging.rotate-custom/out
@ -1,32 +1,32 @@
 2nd test2-11-03-07_03.00.05.log test2.log 11-03-07_03.00.05 11-03-07_03.59.55 0
 1st test-11-03-07_03.00.05.log test.log 11-03-07_03.00.05 11-03-07_04.00.05 0
 1st test-11-03-07_04.00.05.log test.log 11-03-07_04.00.05 11-03-07_05.00.05 0
 1st test-11-03-07_05.00.05.log test.log 11-03-07_05.00.05 11-03-07_06.00.05 0
 1st test-11-03-07_06.00.05.log test.log 11-03-07_06.00.05 11-03-07_07.00.05 0
 1st test-11-03-07_07.00.05.log test.log 11-03-07_07.00.05 11-03-07_08.00.05 0
 1st test-11-03-07_08.00.05.log test.log 11-03-07_08.00.05 11-03-07_09.00.05 0
 1st test-11-03-07_09.00.05.log test.log 11-03-07_09.00.05 11-03-07_10.00.05 0
 1st test-11-03-07_10.00.05.log test.log 11-03-07_10.00.05 11-03-07_11.00.05 0
 1st test-11-03-07_11.00.05.log test.log 11-03-07_11.00.05 11-03-07_12.00.05 0
 1st test-11-03-07_12.00.05.log test.log 11-03-07_12.00.05 11-03-07_12.59.55 1
 2nd test2-11-03-07_03.00.05.log test2.log 11-03-07_03.00.05 11-03-07_03.59.55 0
 2nd test2-11-03-07_03.59.55.log test2.log 11-03-07_03.59.55 11-03-07_04.00.05 0
 2nd test2-11-03-07_04.00.05.log test2.log 11-03-07_04.00.05 11-03-07_04.59.55 0
 1st test-11-03-07_04.00.05.log test.log 11-03-07_04.00.05 11-03-07_05.00.05 0
 2nd test2-11-03-07_04.59.55.log test2.log 11-03-07_04.59.55 11-03-07_05.00.05 0
 2nd test2-11-03-07_05.00.05.log test2.log 11-03-07_05.00.05 11-03-07_05.59.55 0
 1st test-11-03-07_05.00.05.log test.log 11-03-07_05.00.05 11-03-07_06.00.05 0
 2nd test2-11-03-07_05.59.55.log test2.log 11-03-07_05.59.55 11-03-07_06.00.05 0
 2nd test2-11-03-07_06.00.05.log test2.log 11-03-07_06.00.05 11-03-07_06.59.55 0
 1st test-11-03-07_06.00.05.log test.log 11-03-07_06.00.05 11-03-07_07.00.05 0
 2nd test2-11-03-07_06.59.55.log test2.log 11-03-07_06.59.55 11-03-07_07.00.05 0
 2nd test2-11-03-07_07.00.05.log test2.log 11-03-07_07.00.05 11-03-07_07.59.55 0
 1st test-11-03-07_07.00.05.log test.log 11-03-07_07.00.05 11-03-07_08.00.05 0
 2nd test2-11-03-07_07.59.55.log test2.log 11-03-07_07.59.55 11-03-07_08.00.05 0
 2nd test2-11-03-07_08.00.05.log test2.log 11-03-07_08.00.05 11-03-07_08.59.55 0
 1st test-11-03-07_08.00.05.log test.log 11-03-07_08.00.05 11-03-07_09.00.05 0
 2nd test2-11-03-07_08.59.55.log test2.log 11-03-07_08.59.55 11-03-07_09.00.05 0
 2nd test2-11-03-07_09.00.05.log test2.log 11-03-07_09.00.05 11-03-07_09.59.55 0
 1st test-11-03-07_09.00.05.log test.log 11-03-07_09.00.05 11-03-07_10.00.05 0
 2nd test2-11-03-07_09.59.55.log test2.log 11-03-07_09.59.55 11-03-07_10.00.05 0
 2nd test2-11-03-07_10.00.05.log test2.log 11-03-07_10.00.05 11-03-07_10.59.55 0
 1st test-11-03-07_10.00.05.log test.log 11-03-07_10.00.05 11-03-07_11.00.05 0
 2nd test2-11-03-07_10.59.55.log test2.log 11-03-07_10.59.55 11-03-07_11.00.05 0
 2nd test2-11-03-07_11.00.05.log test2.log 11-03-07_11.00.05 11-03-07_11.59.55 0
 1st test-11-03-07_11.00.05.log test.log 11-03-07_11.00.05 11-03-07_12.00.05 0
 2nd test2-11-03-07_11.59.55.log test2.log 11-03-07_11.59.55 11-03-07_12.00.05 0
 2nd test2-11-03-07_12.00.05.log test2.log 11-03-07_12.00.05 11-03-07_12.59.55 0
 1st test-11-03-07_12.00.05.log test.log 11-03-07_12.00.05 11-03-07_12.59.55 1
 2nd test2-11-03-07_12.59.55.log test2.log 11-03-07_12.59.55 11-03-07_12.59.55 1
 # t	id.orig_h	id.orig_p	id.resp_h	id.resp_p
 1299466805.0	10.0.0.1	20	10.0.0.2	1024
--- a/testing/btest/core/conn-uid.bro
+++ b/testing/btest/core/conn-uid.bro
@ -6,18 +6,18 @@
 #
 # Without a seed, they should differ each time:
 #
-# @TEST-EXEC: unset BRO_SEED_FILE &&  bro -C -r $TRACES/wikipedia.trace %INPUT tcp >output2
+# @TEST-EXEC: unset BRO_SEED_FILE &&  bro -C -r $TRACES/wikipedia.trace %INPUT conn >output2
 # @TEST-EXEC: cat output output2 | sort | uniq -c | wc -l | sed 's/ //g' >counts
 # @TEST-EXEC: btest-diff counts
 #
 # Make sure it works without the connection compressor as well.
 #
-# @TEST-EXEC: bro -C -r $TRACES/wikipedia.trace %INPUT tcp use_connection_compressor=F >output.cc
+# @TEST-EXEC: bro -C -r $TRACES/wikipedia.trace %INPUT conn use_connection_compressor=F >output.cc
 # @TEST-EXEC: btest-diff output.cc
 #
 # Make sure it works with the full connection compressor as well.
 #
-# @TEST-EXEC: bro -C -r $TRACES/wikipedia.trace %INPUT tcp cc_handle_only_syns=F >output.cc2
+# @TEST-EXEC: bro -C -r $TRACES/wikipedia.trace %INPUT conn cc_handle_only_syns=F >output.cc2
 # @TEST-EXEC: btest-diff output.cc2
--- a/testing/btest/core/load-unload.bro
+++ b/testing/btest/core/load-unload.bro
@ -1,7 +1,7 @@
 # This tests the @unload directive
 #
-# @TEST-EXEC: echo 'print "oops";' >dontloadmebro.bro
+# @TEST-EXEC: echo 'print "oops12345";' >dontloadmebro.bro
-# @TEST-EXEC: bro -l %INPUT dontloadmebro >output 2>&1
+# @TEST-EXEC: bro -l %INPUT dontloadmebro >output
-# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff output
+# @TEST-EXEC: btest-diff output
@unload dontloadmebro
--- a/testing/btest/core/print-bpf-filters-ipv4.bro
+++ b/testing/btest/core/print-bpf-filters-ipv4.bro
@ -1,12 +1,12 @@
 # @TEST-REQUIRES: bro -e 'print bro_has_ipv6()' | grep -q F
 #
 # @TEST-EXEC: bro -e '' >output
-# @TEST-EXEC: cat packetfilter.log >>output
+# @TEST-EXEC: cat packet_filter.log >>output
 # @TEST-EXEC: bro PacketFilter::all_packets=F ssh >>output
-# @TEST-EXEC: cat packetfilter.log >>output
+# @TEST-EXEC: cat packet_filter.log >>output
 # @TEST-EXEC: bro -f "port 42" -e '' >>output
-# @TEST-EXEC: cat packetfilter.log >>output
+# @TEST-EXEC: cat packet_filter.log >>output
 # @TEST-EXEC: bro -C -f "port 56730" -r $TRACES/mixed-vlan-mpls.trace conn >>output
-# @TEST-EXEC: cat packetfilter.log >>output
+# @TEST-EXEC: cat packet_filter.log >>output
 # @TEST-EXEC: btest-diff output
 # @TEST-EXEC: btest-diff conn.log
--- a/testing/btest/core/print-bpf-filters-ipv6.bro
+++ b/testing/btest/core/print-bpf-filters-ipv6.bro
@ -1,12 +1,12 @@
 # @TEST-REQUIRES: bro -e 'print bro_has_ipv6()' | grep -q T
 #
 # @TEST-EXEC: bro -e '' >output
-# @TEST-EXEC: cat packetfilter.log >>output
+# @TEST-EXEC: cat packet_filter.log >>output
 # @TEST-EXEC: bro PacketFilter::all_packets=F ssh >>output
-# @TEST-EXEC: cat packetfilter.log >>output
+# @TEST-EXEC: cat packet_filter.log >>output
 # @TEST-EXEC: bro -f "port 42" -e '' >>output
-# @TEST-EXEC: cat packetfilter.log >>output
+# @TEST-EXEC: cat packet_filter.log >>output
 # @TEST-EXEC: bro -C -f "port 56730" -r $TRACES/mixed-vlan-mpls.trace conn >>output
-# @TEST-EXEC: cat packetfilter.log >>output
+# @TEST-EXEC: cat packet_filter.log >>output
 # @TEST-EXEC: btest-diff output
 # @TEST-EXEC: btest-diff conn.log
--- a/testing/btest/policy/frameworks/logging/rotate-custom.bro
+++ b/testing/btest/policy/frameworks/logging/rotate-custom.bro
@ -1,5 +1,5 @@
 #
-# @TEST-EXEC: bro -r %DIR/rotation.trace %INPUT | egrep "test|test2" >out
+# @TEST-EXEC: bro -r %DIR/rotation.trace %INPUT | egrep "test|test2" | sort >out
 # @TEST-EXEC: for i in `ls test*.log | sort`; do printf '> %s\n' $i; cat $i; done | sort | uniq >>out
 # @TEST-EXEC: btest-diff out
--- a/testing/btest/policy/protocols/conn/known-hosts.bro
+++ b/testing/btest/policy/protocols/conn/known-hosts.bro
@ -1,20 +1,21 @@
 # A basic test of the known-hosts script's logging and asset_tracking options
 # @TEST-EXEC: bro -r $TRACES/wikipedia.trace %INPUT KnownHosts::asset_tracking=LOCAL_HOSTS
-# @TEST-EXEC: mv knownhosts.log knownhosts-local.log
+# @TEST-EXEC: mv known_hosts.log knownhosts-local.log
 # @TEST-EXEC: btest-diff knownhosts-local.log
 # @TEST-EXEC: bro -r $TRACES/wikipedia.trace %INPUT KnownHosts::asset_tracking=REMOTE_HOSTS
-# @TEST-EXEC: mv knownhosts.log knownhosts-remote.log
+# @TEST-EXEC: mv known_hosts.log knownhosts-remote.log
 # @TEST-EXEC: btest-diff knownhosts-remote.log
 # @TEST-EXEC: bro -r $TRACES/wikipedia.trace %INPUT KnownHosts::asset_tracking=ALL_HOSTS
-# @TEST-EXEC: mv knownhosts.log knownhosts-all.log
+# @TEST-EXEC: mv known_hosts.log knownhosts-all.log
 # @TEST-EXEC: btest-diff knownhosts-all.log
 # @TEST-EXEC: bro -r $TRACES/wikipedia.trace %INPUT KnownHosts::asset_tracking=NO_HOSTS
-# @TEST-EXEC: test '!' -e knownhosts.log
+# @TEST-EXEC: test '!' -e known_hosts.log
@load conn/known-hosts
@load site
-redef local_nets += {141.142.0.0/16};
+redef Site::local_nets += {141.142.0.0/16};
--- a/testing/btest/policy/protocols/conn/known-services.bro
+++ b/testing/btest/policy/protocols/conn/known-services.bro
@ -1,23 +1,24 @@
 # A basic test of the known-services script's logging and asset_tracking options
 # @TEST-EXEC: bro -r $TRACES/var-services-std-ports.trace %INPUT KnownServices::asset_tracking=LOCAL_HOSTS
-# @TEST-EXEC: mv knownservices.log knownservices-local.log
+# @TEST-EXEC: mv known_services.log knownservices-local.log
 # @TEST-EXEC: btest-diff knownservices-local.log
 # @TEST-EXEC: bro -r $TRACES/var-services-std-ports.trace %INPUT KnownServices::asset_tracking=REMOTE_HOSTS
-# @TEST-EXEC: mv knownservices.log knownservices-remote.log
+# @TEST-EXEC: mv known_services.log knownservices-remote.log
 # @TEST-EXEC: btest-diff knownservices-remote.log
 # @TEST-EXEC: bro -r $TRACES/var-services-std-ports.trace %INPUT KnownServices::asset_tracking=ALL_HOSTS
-# @TEST-EXEC: mv knownservices.log knownservices-all.log
+# @TEST-EXEC: mv known_services.log knownservices-all.log
 # @TEST-EXEC: btest-diff knownservices-all.log
 # @TEST-EXEC: bro -r $TRACES/var-services-std-ports.trace %INPUT KnownServices::asset_tracking=NO_HOSTS
-# @TEST-EXEC: test '!' -e knownservices.log
+# @TEST-EXEC: test '!' -e known_services.log
@load conn/known-services
@load http
@load ssh
@load ftp
@load site
-redef local_nets += {172.16.238.0/24};
+redef Site::local_nets += {172.16.238.0/24};