diff --git a/.gitignore b/.gitignore
index d59a62b7e1..fa397f98d2 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,3 @@
 build
 tmp
+*.gcov
diff --git a/.gitmodules b/.gitmodules
index efd027e86b..789449bca6 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -19,12 +19,12 @@
 [submodule "src/3rdparty"]
 path = src/3rdparty
 url = git://git.bro.org/bro-3rdparty
-[submodule "aux/plugins"]
- path = aux/plugins
- url = git://git.bro.org/bro-plugins
 [submodule "aux/broker"]
 path = aux/broker
 url = git://git.bro.org/broker
 [submodule "aux/netcontrol-connectors"]
 path = aux/netcontrol-connectors
 url = git://git.bro.org/bro-netcontrol
+[submodule "aux/bifcl"]
+ path = aux/bifcl
+ url = git://git.bro.org/bifcl
diff --git a/.travis.yml b/.travis.yml
new file mode 100644
index 0000000000..56d41de17d
--- /dev/null
+++ b/.travis.yml
@@ -0,0 +1,34 @@
+language: cpp
+
+services:
+ - docker
+
+addons:
+ apt:
+ packages:
+ - libpcap-dev
+ - libssl-dev
+
+branches:
+ only:
+ - master
+
+notifications:
+ email:
+ recipients:
+ - bro-commits-internal@bro.org
+
+# Build Bro and run tests in the following Linux distros (specifying "travis"
+# builds bro in Travis without using docker).
+env:
+ - distro: centos_7
+ - distro: debian_9
+ - distro: fedora_28
+ - distro: ubuntu_16.04
+ - distro: ubuntu_18.04
+
+install: sh testing/scripts/travis-job install $distro
+
+before_script: sh testing/scripts/travis-job build $distro
+
+script: sh testing/scripts/travis-job run $distro
diff --git a/CHANGES b/CHANGES
index cb8ecef0a9..c51cd00bbf 100644
--- a/CHANGES
+++ b/CHANGES
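Review bot: The new `aux/bifcl` entry in .gitmodules is fetched with `url = git://git.bro.org/bifcl`, and the git:// transport has neither server authentication nor encryption. Judging by the changelog in this same commit, bifcl is a tool that runs during the build, so the only thing protecting a recursive clone from on-path tampering is the commit id pinned in the superproject. If the host serves the repository over HTTPS, prefer `url = https://git.bro.org/bifcl`; the unchanged entries in this hunk use git:// as well and could be switched in the same pass.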
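Review bot: In the new .travis.yml, the `install`, `before_script` and `script` lines pass `$distro` unquoted and run `testing/scripts/travis-job` straight from the checked-out tree, so on a pull-request build the script that executes is the contributor's copy. The matrix values are fixed strings in this file, so quoting is a hardening and style fix rather than a live bug: `install: sh testing/scripts/travis-job install "$distro"`, and likewise for the other two lines. The script itself is outside this hunk; since the changelog mentions private testing and a known_hosts key, it is worth confirming there that steps needing credentials are skipped when those variables are absent, and that they are never echoed to the build log. A one-line comment above `env:` saying where the distro names map to container images would also help a reader see which images are pulled.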
@@ -1,4 +1,1373 @@ +2.5-850 | 2018-08-17 11:12:53 -0500 + + * BIT-1815: move SMB::write_cmd_log functionality into policy/ script + + The option is removed, but same functionality is now enabled simply + by loading policy/protocols/smb/log-cmds.bro (Jon Siwek, Corelight) + +2.5-849 | 2018-08-17 10:29:58 -0500 + + * Fix possible race in netcontrol acld/broker plugins (Jon Siwek, Corelight) + +2.5-848 | 2018-08-16 17:21:28 -0500 + + * Enable SMB by default by moving scripts from policy/ to base/ + (Jon Siwek, Corelight) + +2.5-847 | 2018-08-16 16:07:14 -0500 + + * BIT-1924: add DHCP port to software.log for completeness + (Jon Siwek, Corelight) + +2.5-846 | 2018-08-16 14:11:02 -0500 + + * BIT-1858: fix logged-names for DNS RR types 44 and 45 (Jon Siwek, Corelight) + + * BIT-1850: add missing DCE/RPC PDU type enum values (Jon Siwek, Corelight) + +2.5-844 | 2018-08-16 12:13:16 -0500 + + * Add env. variables to override Broker listen/connect retry intervals + And use them to default retries to 1sec for all unit tests. + (Jon Siwek, Corelight) + +2.5-843 | 2018-08-15 18:01:56 -0500 + + * BIT-1544: allow NULs in file analysis handles (Jon Siwek, Corelight) + +2.5-842 | 2018-08-15 11:00:20 -0500 + + * Fix seg fault on trying to type-cast invalid/nil Broker::Data + (Jon Siwek, Corelight) + +2.5-841 | 2018-08-14 16:45:09 -0500 + + * BIT-1798: fix PPTP GRE tunnel decapsulation (Jon Siwek, Corelight) + +2.5-840 | 2018-08-13 17:40:06 -0500 + + * Fix SumStats::observe key normalization logic + (reported by Jim Mellander and fixed by Jon Siwek, Corelight) + +2.5-839 | 2018-08-13 10:51:43 -0500 + + * Make options redef-able by default. (Johanna Amann, Corelight) + + * Fix incorrect input framework warnings when parsing ports. + (Johanna Amann, Corelight) + + * Allow input framework to accept 0 and 1 as valid boolean values. 
+ (Johanna Amann, Corelight) + + * Improve the travis-job script to work outside of Travis (Daniel Thayer) + + * Fix validate-certs.bro comments (Jon Siwek, Corelight) + +2.5-831 | 2018-08-10 17:12:53 -0500 + + * Immediately apply broker subscriptions made during bro_init() + (Jon Siwek, Corelight) + + * Update default broker threading configuration to use 4 threads and allow + tuning via BRO_BROKER_MAX_THREADS env. variable (Jon Siwek, Corelight) + + * Misc. unit test improvements (Jon Siwek, Corelight) + +2.5-826 | 2018-08-08 13:09:27 -0700 + + * Add support for code coverage statistics for bro source files after running btest + test suite + + This adds --enable-coverage flag to configure Bro with gcov. + A new directory named /testing/coverage/ contains a new + coverage target. By default a coverage.log is created; running + make html in testing/coverage creates a HTML report. + (Chung Min Kim, Corelight) + +2.5-819 | 2018-08-08 13:03:22 -0500 + + * Fix cluster layout graphic and doc warnings (Jon Siwek, Corelight) + + * Added missing tcp-state for signature dpd_rfb_server (Zhongjie Wang) + +2.5-815 | 2018-08-06 17:07:56 -0500 + + * Fix an "uninitialized" compiler warning (Jon Siwek, Corelight) + + * Fix (non)suppression of proxy-bound events in known-*.bro scripts + (Jon Siwek, Corelight) + +2.5-811 | 2018-08-03 11:33:57 -0500 + + * Update scripts to use vector "+=" append operation (Vern Paxson, Corelight) + + * Add vector "+=" append operation (Vern Paxson, Corelight) + + * Improve a travis output message in pull request builds (Daniel Thayer) + + * Use default version of OpenSSL on all travis docker containers + (Daniel Thayer) + +2.5-802 | 2018-08-02 10:40:36 -0500 + + * Add set operations: union, intersection, difference, comparison + (Vern Paxson, Corelight) + +2.5-796 | 2018-08-01 16:31:25 -0500 + + * Add 'W' connection history indicator for zero windows + (Vern Paxson, Corelight) + + * Allow logarithmic 'T'/'C'/'W' connection history repetitions, which 
+ also now raise their own events (Vern Paxson, Corelight) + +2.5-792 | 2018-08-01 12:15:31 -0500 + + * fix NTLM NegotiateFlags field offsets (Jeffrey Bencteux) + +2.5-790 | 2018-08-01 11:25:27 -0500 + + * Fix --with-binpac configure option (Jon Siwek, Corelight) + + * Update CAF-finding logic (Jon Siwek, Corelight) + +2.5-787 | 2018-07-31 16:50:55 -0500 + + * Add Cisco FabricPath support (Damani Wade, Corelight) + + * Replace GeoIP Legacy DB support with MaxMind DB support + (Jonathan Perkins, Corelight) + +2.5-782 | 2018-07-31 11:53:22 +0200 + + * Update install instructions for OpenSSL 1.1 compat (Jon Siwek, Corelight) + + * Remove requestorName parameter of ocsp_request event + + This field isn't publicly available via the OpenSSL 1.1 API, not used + in the base scripts, and has no example in the test suit, so removing + it is simpler than trying to support manually parsing it out of the + raw data. (Jon Siwek, Corelight) + + * Adjust x509 unit tests to work around OpenSSL 1.0 vs. 1.1 differences (Jon Siwek, Corelight) + + * Fixes for OpenSSL 1.1 support (Jon Siwek, Corelight) + +2.5-775 | 2018-07-24 16:39:34 -0500 + + * Add broker/binpac/caf dirs to bro-config script (Jon Siwek, Corelight) + + * Exclude CMakeFiles from header installation path (Jon Siwek, Corelight) + +2.5-773 | 2018-07-24 15:04:41 +0000 + + * BIT-1950: Support PPPoE over QinQ (Jon Siwek, Corelight) + +2.5-771 | 2018-07-24 02:26:17 +0000 + + * Support building plugins from Bro installation prefix so that it + does no longer need access to a Bro source/build tree. This + required installing various Bro headers, BinPAC and it's headers, + bifcl, and Bro's custom CMake modules. (Jon Siwek, Corelight) + + * Add binpac to install process. (Jon Siwek, Corelight) + + * Move bifcl to a separate repo. (Jon Siwek, Corelight) + +2.5-766 | 2018-07-24 01:39:07 +0000 + + * Clusterization of configureation framework. (Johanna Amann, Corelight) + + * Fix special-case-bug for vectors in UnaryExpr. 
(Johanna Amann, Corelight) + + * Teach Option::set to unwrap Broker::Data values (Jon Siwek, Corelight) + + * Fix some compiler warnings. (Robin Sommer, Corelight) + +2.5-749 | 2018-07-20 12:08:06 -0500 + + * Make Broker congestion queue size tunable and increase default + (Jon Siwek, Corelight) + + * Improve control framework id-update/test output (Jon Siwek, Corelight) + +2.5-747 | 2018-07-18 09:51:13 -0500 + + * Improve some netcontrol unit tests (Jon Siwek, Corelight) + +2.5-746 | 2018-07-17 17:51:13 -0500 + + * Improve an input framework unit test (Jon Siwek, Corelight) + +2.5-745 | 2018-07-17 16:46:16 -0500 + + * Add explicit key in Travis known_hosts (Jon Siwek, Corelight) + +2.5-743 | 2018-07-17 14:20:19 -0500 + + * Port broker::data variant usages to use CAF API directly + (Jon Siwek, Corelight) + +2.5-741 | 2018-07-16 16:06:02 -0500 + + * Improve Specific_RE_Matcher::CompileSet() error condition cleanup + (Jon Siwek, Corelight) + +2.5-740 | 2018-07-16 16:01:31 -0500 + + * Add support for case-insensitive patterns (Vern Paxson, Corelight) + +2.5-730 | 2018-07-16 10:39:33 -0500 + + * de-restrict pattern-oriented BiFs to no longer require only running at init + (Vern Paxson) + + * Add option to toggle extraction of subject alternate names from X509 SAN + DNS field (Liviu Valsan) + +2.5-725 | 2018-07-03 14:56:10 -0500 + + * BIT-1941: improve unit test stability (Corelight) + +2.5-723 | 2018-07-03 09:34:10 -0500 + + * Fix unstable config framework test (Corelight) + +2.5-722 | 2018-07-03 09:16:37 -0500 + + * BIT-1941: teach diff-remove-timestamps about time 0 (Corelight) + +2.5-721 | 2018-07-02 16:29:21 -0500 + + * BIT-1941: improve reliability of broker.disconnect unit test (Corelight) + +2.5-719 | 2018-06-27 20:02:52 -0500 + + * Fix some typos and formatting in NEWS and other documentation + (Daniel Thayer) + + * Add documentation for type-based switch statment, as/is operators, + bitwise operators, and pattern operators (Daniel Thayer) + +2.5-711 | 
2018-06-27 19:11:58 -0500 + + * Prevent double-wrapping Broker::Data in published event args (Corelight) + +2.5-710 | 2018-06-26 18:06:22 -0500 + + * Add memory leak unit test for pattern operations (Corelight) + + * fixed 3 leaks in creating pattern values (Vern Paxson) + + * add & and | operators for patterns (Vern Paxson) + + * deprecate merge_patterns() (Vern Paxson) + + * deprecate boolean scalar+vector operations (Vern Paxson) + + * deprecate mixing scalars and vectors (Vern Paxson) + + * deprecate && / || operators for patterns (Vern Paxson) + +2.5-690 | 2018-06-26 15:05:23 -0500 + + * Fix deprecated actor_system_config field usages (Corelight) + +2.5-689 | 2018-06-26 11:45:52 -0500 + + * Remove header self-inclusions (Corelight) + + * Fix travis-job script to not fail when all tests succeed (Daniel Thayer) + +2.5-687 | 2018-06-25 16:35:25 -0500 + + * Reorganize internal + private broker/Manager.h bits (Corelight) + + * Reduce proliferation of including broker header files (Corelight) + +2.5-684 | 2018-06-25 11:26:55 -0500 + + * Use docker containers to run Bro tests on Travis CI (Daniel Thayer) + + * Travis CI fewer failures and improved output messages (Daniel Thayer) + +2.5-681 | 2018-06-22 20:17:06 -0500 + + * Fix null pointer deref in AST traversal (Corelight) + + * Fix for ancient reference-counting bug in NFA.cc (Vern Paxson) + +2.5-679 | 2018-06-21 16:00:48 -0500 + + * Add support for bitwise operations (&, |, ^, ~) on "count" values. + (Vern Paxson) + +2.5-671 | 2018-06-21 11:55:39 -0500 + + * Add ability for BroControl to skip cluster setup (Corelight) + + * BIT-1938: fix crash in Broker manager shutdown (Corelight) + + * Disable broxygen when running unit tests (Daniel Thayer) + +2.5-668 | 2018-06-15 17:14:33 -0500 + + * Make old comm. 
system usages an error unless old_comm_usage_is_ok is set + (Corelight) + +2.5-667 | 2018-06-15 15:30:11 -0500 + + * Add --disable-broker-tests configure option (Corelight) + +2.5-663 | 2018-06-14 12:51:28 -0500 + + * Add Broker::max_threads and Broker::max_sleep tuning options, + remove Broker::max_live_threads and Broker::max_pcap threads (Corelight) + + * Minor optimization to bro_broker::Manager::FlushPendingQueries (Corelight) + +2.5-660 | 2018-06-12 13:49:39 -0500 + + * Add Broker::max_live_threads and Broker::max_pcap_threads tunables + (Corelight) + +2.5-658 | 2018-06-08 16:41:07 +0000 + + * Allow BRO_DEFAULT_LISTEN_ADDRESS to control broker listen address. + This environment variable is now set to listen only on IPv4 + loopback when running unit tests (instead of using the default + INADDR_ANY). (Corelight) + + * Move some of the @loads out from init-bare.bro into a new + init-frameworks-and-bifs.bro in order to better support calling BIFs + (like `getenv`) from variable initializations in those particular + frameworks. 
(Corelight) + +2.5-655 | 2018-06-08 10:43:03 -0500 + + * Correct conn history field documentation (Corelight) + +2.5-652 | 2018-06-07 13:57:23 -0500 + + * GH-131: disable krb ticket decryption on non-Linux (Corelight) + +2.5-651 | 2018-06-07 09:57:29 -0500 + + * Fix signed/unsigned comparison compiler warning (Corelight) + +2.5-650 | 2018-06-06 16:20:18 -0500 + + * Improve Broker performance (Corelight) + +2.5-648 | 2018-06-05 17:32:47 -0500 + + * BIT-1936: improve Broxygen warnings (Corelight) + +2.5-647 | 2018-06-05 15:19:16 -0500 + + * Update `make doc`: don't copy broker docs (Corelight) + +2.5-646 | 2018-06-05 11:31:43 -0500 + + * Add NCP::max_frame_size tuning option (Corelight) + + * Migrate NCP analyzer to use latest analyzer API (Corelight) + + * Fix read at invalid address in X509 extension parser (Johanna Amann) + +2.5-642 | 2018-06-04 13:52:46 -0500 + + * Make 0 be a valid packet source timestamp (Corelight) + +2.5-641 | 2018-06-04 09:18:59 -0700 + + * Add Broker::publish_and_relay BIF + + Like Broker::relay, except the relaying-node also calls event handlers. (Corelight) + + * Document variable argument list BIFs using ellipsis. (Corelight). + + * Support unserializing broker data into type 'any' + + The receiver side will wrap the data as a Broker::Data value, which + can then be type-checked/cast via 'is' or 'as' operators to a specific + Bro type. For example: + + Sender: + + Broker::publish("topic", my_event, "hello") + + Receiver: + + event my_event(arg: any) + { + if ( arg is string ) + print arg as string; + } + + (Corelight) + + * Fix a bug in broker data type-casting check (Corelight) + + * Remove dead code in broker data/val conversion function (Corelight) + + * SSH protocol now assesses the packet length at an earlier stage within binpac + (Andrew Woodford). + + * Remove some UTF-8 characters that snuck into a few scripts. (Corelight) + + * Decrypt the krb ticket and extract authentication data. 
(Julien Wallior) + +2.5-619 | 2018-06-01 11:29:15 -0500 + + * Relocate temporary script coverage files (Corelight) + +2.5-618 | 2018-06-01 10:03:24 -0500 + + * BIT-1635: fix `make doc` warnings (Corelight) + + * Add smb2_file_sattr event (Devin Trejo) + + * Add bad ARP tests (Pierre LATET) + + * Fix SCT validation when invalid certificates are in chain. (Johanna Amann) + +2.5-611 | 2018-05-29 10:13:17 -0500 + + * Fix NEWS file formatting (Corelight) + + * Improve Broker docs with reminder about modules and event namespace + scoping interactions. (Michael Dopheide) + + * Change Intel framework to round-robin insertion events across proxies + (Corelight) + + * Add a counter for number of alive nodes within a given cluster pool + (Corelight) + + * Fix how cluster framework tracks worker count (Corelight) + +2.5-599 | 2018-05-23 16:50:12 -0500 + + * Documentation improvements/fixes (Corelight) + +2.5-598 | 2018-05-22 15:05:24 -0500 + + * Fixes for MySQL and SMB protocol parsers (Corelight) + + * MySQL: the parser for this was generally broken (not following + the specification well) and needed many changes. One addition is a + new "mysql_result_row" event that provides access to the results of + queries. + + * SMB: the spec seems to explitly call out the omission of the + PrimaryDomain field on SMB_COM_SESSION_SETUP_ANDX responses (and I + don't see that field in pcaps either), so this may have just been a + typo that used to work fine in the past only due to faulty array + parsing behavior in binpac. + + * BIT-1829: add unit test for modbus parser issue (Corelight) + +2.5-591 | 2018-05-22 09:19:59 -0500 + + * Make Reassembler::TotalSize a constant time operation (Corelight) + +2.5-589 | 2018-05-21 21:37:54 +0000 + + * Switch Bro's communication over to Broker; deprecate the old + communication system, including Broccoli. See NEWS for more. + + (Many people contributed to this effort. Broker library: Jon + Siwek, Matthias Vallentin, Robin Sommer, Dominik Charousset. 
+ Porting Bro to Broker: Daniel Thayer, Robin Sommer, Jon Siwek. + Further contributions by: Johanna Amann, Justin Azoff, Matthias + Fischer, Jan Grashoefer, and Seth Hall. The final integration was + supported by Corelight.) + + * Extend switch statement to branch by type of the operand. See NEWS + for more. (Robin Sommer) + + * Add new operators "is" and "as" for dynamic type casting and type + checking. See NEWS for more. (Robin Sommer) + +2.5-582 | 2018-05-21 13:34:16 -0500 + + * Update link to flex pattern docs (Corelight) + + * Add non-standard experimental Google post-quantum ciphers (Johanna Amann) + + * ARP: fix the l2 source address check for ARP over Wi-Fi (Pierre LALET) + + * Support 802.11 monitor mode (Pierre LALET) + +2.5-569 | 2018-05-10 11:24:07 -0500 + + * BIT-1927: relocate notice/extend-email/ scripts to policy/ dir and + load it from local.bro to allow users to control whether it is used. + (Stephen Hosom) + + * Sort output of the missing-file-initially.bro test (Daniel Thayer) + +2.5-565 | 2018-05-08 15:29:53 -0500 + + * BIT-1926: add unit tests for misc. HTTP patches (Corelight) + + * Fix case insensitive HTTP/MIME header name comparisons + (Jeffrey Bencteux) + + * Don't use chunked mode Transfer-Encoding with HTTP/1.0 (Jeffrey Bencteux) + + * Fix handling of HTTP body length when Content-Range length differs + from Content-Length. (Jeffrey Bencteux) + + * Decode 'x-gzip' HTTP Content-Encoding the same as 'gzip' + (Jeffrey Bencteux) + +2.5-559 | 2018-05-08 11:23:28 -0700 + + * Add test for dump_current_packet bif. (Johanna Amann) + + * Fix dump_packet & dump_current_packet to work with several filenames. 
+ (Assaf Morami) + +2.5-553 | 2018-05-03 14:59:53 -0500 + + * Make BinPAC exception handling more consistent (Vlad Grigorescu) + +2.5-551 | 2018-05-01 18:27:38 -0500 + + * Fix the ip-broken-header.bro test on macOS due to missing 'xzcat' + (Daniel Thayer) + + * Improve reliability of the logging rotate.bro test (Daniel Thayer) + + * Improve reliability of missing-file-initially.bro test (Daniel thayer) + +2.5-547 | 2018-05-01 18:17:14 -0500 + + * Update install instructions for Ubuntu 18.04 (Daniel Thayer) + +2.5-545 | 2018-05-01 18:09:30 -0500 + + * Improve canonicalization of build dir path in a coverage unit test + (Corelight) + +2.5-544 | 2018-05-01 17:57:15 -0500 + + * Rewrite the DHCP analyzer and accompanying script-layer API. + (Valerio G, Corelight) + + * Reduced all DHCP events into a single dhcp_message event. + (removed legacy events since they weren't widely used anyway) + - Support many more DHCP options. + + - DHCP log is completely reworked and now represents DHCP sessions + based on the transaction ID (and works on clusters). + + - Removed the known-devices-and-hostnames.bro and known-devices.bro + scripts since it's generally less relevant now with the updated log. + + * Change include directory search order to better support --with-openssl. + (Johanna Amann) + +2.5-535 | 2018-04-30 16:22:30 -0500 + + * Improve how coverage unit tests handle name of build dir (Corelight) + +2.5-534 | 2018-04-27 19:59:46 -0400 + + * Fix subnet expiration in the intel framework. 
(Seth Hall) + + * BIT-1909: fix invalid redef'd record field accesses (Jon Siwek) + +2.5-527 | 2018-04-27 11:01:03 -0500 + + * BIT-1430: Improve cross compilation support (Corelight) + + * Add --toolchain= configure option + + * Add --with-bifcl= configure option + + * Change --with-binpac= configure option to mean "path to binpac + executable" + +2.5-526 | 2018-04-25 11:06:50 -0500 + + * BIT-1914: comment out &check usages now that they emit warnings + and convert some to &enforce (Corelight) + + * Removed the "start" parameter of the dnp3_header_block event + since it's always the same value. (Corelight) + +2.5-522 | 2018-04-25 10:48:38 -0500 + + * Improve dce-rpc/consts.bro operations table organization (Luciano Mammino) + +2.5-519 | 2018-04-20 07:46:07 -0700 + + * Reduce number of btest threads running tests on Travis CI. (Daniel Thayer) + +2.5-515 | 2018-04-18 11:44:36 -0500 + + * Improve std::map usages in SMB code. (Corelight) + +2.5-514 | 2018-04-18 10:54:24 -0500 + + * Improve HLL cardinality estimate unit test. (Corelight) + +2.5-513 | 2018-04-18 10:38:41 -0500 + + * Updating the defined SMB2 dialects to match Microsofts current docs. + (Corelight) + + * BIT-1862: Improve handling SMB pending commands and read response tree id. + (Stefano Rinaldi, Corelight) + + On rare occasions, SMB server doesn't return the tree id on read responses. + + * Better reporter for Brostring with embedded NUL (Philippe Antoine) + + * Fix config input reader on systems with gcc 4.8 (Daniel Thayer) + +2.5-504 | 2018-04-06 10:51:19 -0700 + + * Trim the Travis CI build log output. (Daniel Thayer) + + * Remove unneeded lines from .travis.yml. (Daniel Thayer) + +2.5-501 | 2018-04-06 10:49:54 -0700 + + * Fix NETBIOSSSN analyzer name (Vladimir Ruzanov) + + * Additional fix for Kerberos in GSSAPI. (Seth Hall) + +2.5-498 | 2018-04-03 01:59:46 -0400 + + * Improvements to GSSAPI handling of Kerberos messages (John E. 
Rollinson, Seth Hall, juno0812, Justin Oursler) + + * Improve SMB2 Create command events and add newly parsed data. (Julien Wallior) + +2.5-483 | 2018-03-29 14:10:48 -0700 + + * Source code clean up (Johanna Amann) + - Mark one-parameter constructors as 'explicit' & use 'override' where possible + - Remove unimplemented & unused functions from header files. + - Make some data flows more explicit for compilers. + +2.5-478 | 2018-03-29 12:59:49 -0700 + + * Recognize TLS 1.3 negotiation correctly. The way in which TLS 1.3 + is negotiated was changed slightly in later revisions of the + standard. (Johanna Amann) + + * Fix the travis-job script to always run external tests. (Daniel + Thayer) + + * Fix information leak in the update-traces script. (Daniel Thayer) + + * Add Coverity scan and private testing to Travis CI. (Daniel Thayer) + +2.5-471 | 2018-03-21 13:56:57 -0700 + + * Fix a memory leak in SMBv1 share mapping. (Corelight) + + * Fix one new minor typo in the config framework docs. (Daniel Thayer) + +2.5-467 | 2018-03-15 14:58:40 -0700 + + * Configure Travis CI email recipients and build branches. (Daniel Thayer) + + * Add documentation of the configuration framework, and improve + existing script comments. (Daniel Thayer) + +2.5-459 | 2018-03-07 12:46:57 -0600 + + * Update a doc test/baseline (Corelight) + + * Add removed root certificate back to test that requires it. + + Test has a trace that contains a WoSign certificate - they are no longer + recognized by pretty much anyone. (Johanna Amann) + +2.5-457 | 2018-02-18 17:35:50 -0600 + + * Fix another warning when building the documentation (Daniel Thayer) + + * Fix a warning when building documentation (Daniel Thayer) + + * Fix the config framework several-files.bro test (Daniel Thayer) + + * Update Mozilla CA list to state of NSS 3.35. (Johanna Amann) + + * Update list of Certificate Transparency logs. 
(Johanna Amann) + +2.5-449 | 2018-02-14 08:49:27 -0800 + + * Patch in Binpac submodule that fixes an integer overflow + (Philippe Antoine/Catena cyber). + +2.5-448 | 2018-02-12 11:09:00 -0600 + + * Fix pessimizing-move compiler warning. (Corelight) + +2.5-447 | 2018-02-12 11:00:44 -0600 + + * Add limit to number of auth flavors parsed out of MNT replies (Corelight) + + * Treat LibreSSL as an older OpenSSL (Xiaogrill) + +2.5-445 | 2018-02-07 14:20:59 -0800 + + * Add new configuration framework for dynamically changing script + options at runtime. See NEWS for more. (Corelight) + + * Allow the empty field separator to be empty when reading through + the input frameworkk. (Corelight) + +2.5-435 | 2018-02-06 08:40:38 -0800 + + * BIT-1854: Improve reassembly overlap checking. (Corelight) + + * BIT-1854: Fix the 'tcp_excessive_data_without_further_acks' + option. (Corelight) + + * Make parsing of ServerKeyExchange work for D(TLS) < 1.2. (Johanna + Amann) + + * Add more details to ssl_server_signature. (Johanna Amann) + +2.5-427 | 2018-02-05 15:09:14 -0800 + + * BIT-1898: Fix problems with SumStats non-cluster.bro script. + Reported by Jim Mellander. (Corelight) + +2.5-424 | 2018-02-05 15:07:20 -0800 + + * Add a .travis.yml. file (Daniel Thayer) + +2.5-422 | 2018-02-05 16:28:25 -0600 + + * fix setup field handling in smb1_com_transaction_request messages + + This field is an array of 16 bit words and was parsed as an array of + 32 bit words. Moreover, one can not assume the format is going to be a + 16 bits opcode followed by a 16 bit file ID, the content of the setup + field is different according to its first 16 bits word that defines + the subcommand code. See MS-CIFS section 2.2.4.33.1 : + + Setup (variable): An array of two-byte words that provides transaction + context to the server. The size and content of the array are specific + to individual subcommands. 
(Jeffrey Bencteux) + + * add smb1_transaction2_secondary_request event + + parse and expose SMB_COM_TRANSACTION2_SECONDARY (0x33) message to + script level. See MS-CIFS section 2.2.4.47.1. (Jeffrey Bencteux) + + * add smb1_transaction_secondary_request event + + expose SMB_COM_TRANSACTION_SECONDARY (0x26) message to script + language. See MS-CIFS section 2.2.4.34.1. (Jeffrey Bencteux) + + * add parameters and data to smb1_transaction_request/response messages + + expose SMB_Data.Trans_Parameters and SMB_Data.Trans_Data fields of + SMB_COM_TRANSACTION (0x25) message type. See MS-CIFS section + 2.2.4.33.1. + + These fields are exposed to the script level as Bro strings. Note that + this commit also expose a new event smb1_transaction_response. + (Jeffrey Bencteux) + + * add SMB_Parameters.Words to smb1_transaction2_request event + + expose the fields contained in SMB_Parameters.Words of the + SMB_COM_TRANSACTION2 (0x32) message to the script language. See + MS-CIFS section 2.2.46.1. (Jeffrey Bencteux) + +2.5-410 | 2018-02-05 15:18:41 -0600 + + * Fix warnings when building sphinx docs (Corelight) + +2.5-409 | 2018-02-05 14:12:21 -0600 + + * Bug fix: nfs3_writeargs didn't properly return filehandle. (Devin Trejo) + + * Add NFS events and unit tests: nfs_proc_symlink, nfs_proc_link, + nfs_proc_sattr. (Devin Trejo) + +2.5-405 | 2018-02-05 13:29:39 -0600 + + * Add MOUNT3 protocol parser. + + It's not activated by default. New events available: mount_proc_null, + mount_proc_mnt, mount_proc_umnt, mount_proc_umnt_all, + mount_proc_not_implemented, mount_reply_status. (Devin Trejo) + +2.5-402 | 2018-02-05 10:43:59 -0600 + + * Fix (unlikely) memory leak in nb_dns.c (Corelight) + + * Remove bro-plugins submodule from .gitmodules file (Daniel Thayer) + +2.5-399 | 2018-01-30 14:31:45 -0800 + + * Adapt the X509 analyzer to partially support OpenSSL 1.1. 
+ (Hilgo Bengen, Johanna Amann) + +2.5-395 | 2018-01-26 15:46:05 -0600 + + * BIT-1894: fix bad integer casts in BIFs: sort, rand, order, to_int + (Corelight) + +2.5-392 | 2018-01-19 11:39:34 -0600 + + * Make nearly all bool conversion operators explicit. (Corelight) + +2.5-390 | 2018-01-17 16:09:55 -0600 + + * Logging: implement get_filter_names and small fixes. + + get_filter_names(id: ID) : set[string] returns the names of the current + list of filters for a specified log stream. + + Furthermore this commit makes a number of logging functions more robust + by checking existence of values before trying to modify them. This + commit also really implements (and tests) the enable_stream function. + (Corelight) + +2.5-388 | 2018-01-16 15:35:21 -0600 + + * HTTP: Recognize and skip upgrade/websocket connections. + + This patches the HTTP analyzerto recognize when a connections is upgraded + to a different protocol (e.g. client uses the Upgrade header and gets a + 101 reply). In this case, the analyzer stops further processing (which + would have resulted in DPD errors) and raises a new event: + + event http_connection_upgrade(c: connection, protocol: string); + + The protocol parameter contains the name of the protocol that is being + upgraded to, as specified in one of the header values. (Johanna Amann) + +2.5-385 | 2018-01-16 14:51:07 -0600 + + * Make tunnel_parents in conn.log optional. + + This makes conn.logs a bit prettier (and smaller) because all lines tha + do not use a tunnel will now have a "-" instead of the "(empty)" for + tunnel_parents. (Johanna Amann) + + * Correct include-path in x509Common.h (Johanna Amann) + +2.5-381 | 2018-01-12 10:03:21 -0800 + + * Preallocate all possible PortVals, mark PortVal ctors deprecated. + + The performance benefit is small (maybe ~1% at most), however, it's a + trivial change without downsides. (Jon Siwek) + + * Add BRO_DEPRECATED macro. (Jon Siwek) + + * Add functions for retrieving files by their id. 
+ + There are two new script level functions to query and lookup files + from the core by their IDs. These are adding feature parity for + similarly named functions for files. The function prototypes are + as follows: + + Files::file_exists(fuid: string): bool + Files::lookup_File(fuid: string): fa_file (Seth Hall) + +2.5-375 | 2018-01-11 11:47:01 -0600 + + * Fix a test that fails in some environments (Daniel Thayer) + + * Add CVE ID for BIT-1856. (Johanna Amann) + +2.5-372 | 2017-12-15 15:08:51 -0600 + + * Remove some DNS weirds that caused volume and are generally not useful: + dns_unmatched_msg, dns_unmatched_msg_quantity, dns_unmatched_reply. + (Corelight) + +2.5-369 | 2017-12-13 14:22:47 -0600 + + * Fix typo in analyzer::Manager API docs (Corelight) + +2.5-368 | 2017-12-08 13:09:25 -0600 + + * Improve for-loop iteration performance over empty tables. (Justin Azoff) + + * Fix gcc7 warnings. (Johanna Amann) + +2.5-363 | 2017-12-05 11:00:09 -0600 + + * Fix documentation for ReassemblerStats. (Corelight) + +2.5-362 | 2017-12-02 09:45:04 -0600 + + * BIT-1791: Do not log SOCKS passwords by default and add + SOCKS::default_capture_password option. (Johanna Amann) + + * Add missing ; in SSL binpac parser, found by Luke Valenta. (Johanna Amann) + +2.5-359 | 2017-11-29 14:01:37 -0600 + + * Add --ccache option to configure script (requires CMake 3.10+). (Corelight) + +2.5-358 | 2017-11-28 12:28:14 -0800 + + * Extend the TLS analyzer with several events containing cryptographic + parameters from the client and server key exchanges. + + The new events are: + + ssl_ecdh_server_params, ssl_dh_server_params, ssl_server_signature, + ssl_ecdh_client_params, ssl_dh_client_params, ssl_rsa_client_pms + + Since ssl_ecdh_server_params contains more information than the old + ssl_server_curve event, ssl_server_curve is now marked as deprecated. + + (Luke Valenta) + +2.5-352 | 2017-11-21 13:21:51 -0600 + + * Fix assignments to event arguments becoming visible to subsequent + handlers. 
(Robin Sommer) + +2.5-350 | 2017-11-21 12:19:28 -0600 + + * Add HookReporter plugin hook function. + + This hook gives access to basically all information that is available in + the function in Reporter.cc that performs the logging. The hook is + called each time when anything passes through the reporter in the cases + in which an event usually would be called. This includes weirds. The + hook can return false to prevent the normal reporter events from being + raised. (Corelight) + +2.5-348 | 2017-11-21 11:30:55 -0600 + + * Fix a nb_dns.c compile error (older OSs) due to C90 vs C99. (Corelight) + +2.5-347 | 2017-11-20 14:00:37 -0600 + + * Fix and extend behavior of HookLoadFile. (Corelight) + +2.5-345 | 2017-11-20 11:28:59 -0600 + + * BIT-1827: fix error on initializing DNS w/ IPv6 nameserver. (Corelight) + + * Add --build-type flag to configure wrapper. (Corelight) + +2.5-343 | 2017-11-17 15:27:04 -0800 + + * Fix ASCII logging of very large values of type "double". + Previously, the nonsensical "NAN.0" would be written to ASCII logs + for any value >= 1e248). (Daniel Thayer) + + * Add more test cases to ascii-double.bro (Daniel Thayer) + + * Enforce a maximum line length in ContentLine analyzer. (Justin Azoff) + + * Fix OOB read with IP packets that have a header length greater than the total + length of their packet. (Johanna Amann) + + * Verify version field of IP packets read from tunnels. (Johanna Amann) + +2.5-332 | 2017-10-27 13:27:16 -0700 + + * Bro docs tweaks for correctness and readability. (Christian Kreibich) + + * Fix use-after-free in Trigger.cc. (Johanna Amann) + +2.5-328 | 2017-10-16 13:13:41 -0700 + + * Patch OOB write in content-line analyzer. + + A combination of packets can trigger an out of bound write of '0' byte + in the content-line analyzer. Addresses BIT-1856 / CVE-2017-1000458. + (Frank Meier/Johanna Amann) + +2.5-327 | 2017-10-16 12:21:01 -0700 + + * Updating submodule(s). 
+ +2.5-326 | 2017-10-05 14:34:20 -0700 + + * Update the SSH analyzer to support the "curve25519-sha256" KEX. + (Vlad Grigorescu) + +2.5-321 | 2017-10-03 12:00:29 -0500 + + * Add "-B scripts" flag to allow debug output of script load order. + (Corelight) + + * Fix segmentation fault on eval condition with no return value. (Corelight) + +2.5-317 | 2017-09-29 09:54:50 -0400 + + * BIT-1853 - Fix an issue with broctl triggering reporter error in the + intel framework. (Justin Azoff) + + * BIT-1845 - Make "in" keyword work with binary data. (Johanna Amann) + + * Add TLS 1.3 fix and testcase due to Google Chrome's use of TLS 1.3. + + It turns out that Chrome supports an experimental mode to support TLS + 1.3, which uses a non-standard way to negotiate TLS 1.3 with a server. + This non-standard way to negotiate TLS 1.3 breaks the current draft RFC + and re-uses an extension on the server-side with a different binary + formatting, causing us to throw a binpac exception. + + This patch ignores the extension when sent by the server, continuing to + correctly parse the server_hello reply (as far as possible). + + From what I can tell this seems to be google working around the fac + that MITM equipment cannot deal with TLS 1.3 server hellos; this change + makes the fact that TLS 1.3 is used completely opaque unless one looks + into a few extensions. + + We currently log this as TLS 1.2. (Johanna Amann) + +2.5-310 | 2017-09-21 09:10:21 -0700 + + * fix interaction of gridftp scripts with other thresholds. (Justin Azoff) + +2.5-307 | 2017-09-20 10:51:09 -0500 + + * BIT-1846: Updating broctl submodule to include fix for symlinking + issue (Jon Siwek) + +2.5-306 | 2017-09-18 14:43:42 -0700 + + * Make strerror_r portable, supporting XSI/gnu versions. (Thomas Petersen) + + * Prevent crash when calling bro -U. (Thomas Petersen) + + * Remove annoying error message from connsize bifs. 
(Johanna Amann) + + * Add test to verify that log rotation works with gzipped logs (Daniel Thayer) + + * Fix ascii writer to not discard a ".gz" file extension. (Daniel Thayer) + + When Bro writes a compressed log, it uses a file extension of ".gz". + However, upon log rotation the ascii writer script function + "default_rotation_postprocessor_func" was discarding the ".gz" + file extension. Fixed so that the correct file extension is + preserved after rotation. (Daniel Thayer) + +2.5-297 | 2017-09-11 09:26:33 -0700 + + * Fix small OCSP parser bug; serial numbers were not passed to events + (Johanna Amann) + + * Fix expire-redef.bro test. (Daniel Thayer) + +2.5-294 | 2017-08-11 13:51:49 -0500 + + * Fix core.truncation unit test on macOS. (Jon Siwek) + + * Fix a netcontrol test that often fails (Daniel Thayer) + + * Update install instructions for Fedora 26 (Daniel Thayer) + +2.5-288 | 2017-08-04 14:17:10 -0700 + + * Fix field not being populated, which resulted in a reporter + messsage. Addresses BIT-1831. Reported by Chris Herdt. (Seth Hall) + + * Support for OCSP and Signed Certificate Timestamp. (Liang + Zhu/Johanna Amann) + + - OCSP parsing is added to the X.509 module. + + - Signed Certificate Timestamp extraction, parsing, & validation + is added to the SSL, X.509, and OCSP analyzers. Validation is + added to the X.509 BIFs. 
+ + This adds the following events and BIFs: + + - event ocsp_request(f: fa_file, version: count, requestorName: string); + - event ocsp_request_certificate(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string); + - event ocsp_response_status(f: fa_file, status: string); + - event ocsp_response_bytes(f: fa_file, resp_ref: opaque of ocsp_resp, status: string, version: count, responderId: string, producedAt: time, signatureAlgorithm: string, certs: x509_opaque_vector); + - event ocsp_response_certificate(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string, certStatus: string, revokeTime: time, revokeReason: string, thisUpdate: time, nextUpdate: time); + - event ocsp_extension(f: fa_file, ext: X509::Extension, global_resp: bool); + - event x509_ocsp_ext_signed_certificate_timestamp(f: fa_file, version: count, logid: string, timestamp: count, hash_algorithm: count, signature_algorithm: count, signature: string); + - event ssl_extension_signed_certificate_timestamp(c: connection, is_orig: bool, version: count, logid: string, timestamp: count, signature_and_hashalgorithm: SSL::SignatureAndHashAlgorithm, signature: string); + - function sct_verify(cert: opaque of x509, logid: string, log_key: string, signature: string, timestamp: count, hash_algorithm: count, issuer_key_hash: string &default=""): bool + - function x509_subject_name_hash(cert: opaque of x509, hash_alg: count): string + - function x509_issuer_name_hash(cert: opaque of x509, hash_alg: count): string + - function x509_spki_hash(cert: opaque of x509, hash_alg: count): string + + This also changes the MIME types that we use to identify X.509 + certificates in SSL connections from "application/pkix-cert" to + "application/x-x509-user-cert" for host certificates and + "application/x-x509-ca-cert" for CA certificates. 
+ + * The SSL scripts provide a new hook "ssl_finishing(c: connection)" + to trigger actions after the handshake has concluded. (Johanna + Amann) + + * Add an internal API for protocol analyzers to provide the MIME + type of file data directly, disabling automatic inferrence. + (Johanna Amann). + +2.5-186 | 2017-07-28 12:22:20 -0700 + + * Improved handling of '%' at end of line in HTTP analyzer. (Johanna + Amann) + + * Add canonifier to catch and release test that should fix test + failures. (Johanna Amann) + +2.5-181 | 2017-07-25 16:02:41 -0700 + + * Extend plugin infrastructure to catch Bro version mismatches at link + time. + + The version number used for the function name is slightly normalized + to skip any git revision postfixes (i.e., "2.5-xxx" is always treated + as "2.5-git") so that one doesn't need to recompile all plugins after + every master commit. That seems good enough, usually people run into + this when upgrading to a new release. The Plugin API version is also + part of the version number. + + If one loads an old plugin into a new Bro, the error message looks + like this: + + $ bro -NN Demo::Foo + fatal error in /home/robin/bro/master/scripts/base/init-bare.bro, line 1: + cannot load plugin library /home/robin/tmp/p/build//lib/Demo-Foo.linux-x86_64.so: + /home/robin/tmp/p/build//lib/Demo-Foo.linux-x86_64.so: undefined symbol: bro_version_2_5_git_debug + + (Robin Sommer) + + * Several fixes and improvements for software version parsing. + + - Addresses Philip Romero's question from the Bro mailing list. + - Adds Microsoft Edge as a detected browser. + - We are now unescaping encoded characters in software names. (Seth Hall) + + * Remove another reference to now removed bro-plugins. (Johanna Amann) + +2.5-175 | 2017-07-07 14:35:11 -0700 + + * Removing aux/plugins. Most of the plugins are now Bro packages. + (Robin Sommer) + + * Update install instructions for Debian 9. 
(Daniel Thayer) + +2.5-170 | 2017-07-07 12:20:19 -0700 + + * Update krb-protocol.pac (balintm) + This fixes parsing of KRB_AP_Options where the padding and flags were reversed. + + * Add new cipher suites from draft-ietf-tls-ecdhe-psk-aead-05 (Johanna Amann) + + * Test changes: remove loading of listen.bro in tests that do not use it, + serialize tests that load listen.bro, fix race conditions in some tests. + (Daniel Thayer) + + * The broccoli-v6addrs "-r" option was renamed to "-R" (Daniel Thayer) + +2.5-156 | 2017-06-13 11:01:56 -0700 + + * Add 2.5.1 news file to master. (Johanna Amann) + + * Remove link to no longer existing myricom plugin. (Johanna Amann) + +2.5-152 | 2017-06-05 15:16:49 -0700 + + * Remove non-existing links; this broke documentation build. (Johanna Amann) + + * Fix at_least in Version.bro - it did exactly the oposite of the documented + behavior. (Johanna Amann) + +2.5-147 | 2017-05-22 20:32:32 -0500 + + * Add nfs unittest. (Julien Wallior) + + * Added nfs_proc_rename event to rpc/nfs protocol analyzer. + (Roberto Del Valle Rodriguez) + + * Expand parsing of RPC Call packets to add Uid, Gid, Stamp, MachineName + and AuxGIDs (Julien Wallior) + + * Fix NFS protocol parser. (Julien Wallior) + +2.5-142 | 2017-05-22 00:08:52 -0500 + + * Add gzip log writing to the ascii writer. + + This feature can be enabled globally for all logs by setting + LogAscii::gzip_level to a value greater than 0. + + This feature can be enabled on a per-log basis by setting gzip-level in + $config to a value greater than 0. (Corelight) + +2.5-140 | 2017-05-12 15:31:32 -0400 + + * Lessen cluster load due to notice suppression. + (Johanna Amann, Justin Azoff) + +2.5-137 | 2017-05-04 11:37:48 -0500 + + * Add plugin hooks for log init and writing: HookLogInit and HookLogWrite. + (Corelight) + + * TLS: Fix compile warning (comparison between signed/unsigned). + + This was introduced with the addition of new TLS1.3 extensions. 
(Johanna Amann) + + +2.5-134 | 2017-05-01 10:34:34 -0500 + + * Add rename, unlink, and rmdir bifs. (Corelight) + +2.5-131 | 2017-04-21 14:27:16 -0700 + + * Guard more format strings with __attribute__((format)). (Johanna Amann) + + * Add support for two TLS 1.3 extensions. + + New events: + - event ssl_extension_supported_versions(c: connection, is_orig: bool, versions: index_vec) + - event ssl_extension_psk_key_exchange_modes(c: connection, is_orig: bool, modes: index_vec) (Johanna Amann) + +2.5-125 | 2017-04-17 22:02:39 +0200 + + * Documentation updates for loading Bro scripts. (Seth Hall) + +2.5-123 | 2017-04-10 13:30:14 -0700 + + * Fix some failing tests by increasing delay times. (Daniel Thayer) + + * Threading Types: add a bit of documentation to subnet type. (Johanna Amann) + + * Fixing couple issues reported by Coverity. (Robin Sommer) + +2.5-119 | 2017-04-07 10:30:09 -0700 + + * Fix the test group name in some broker test files. (Daniel Thayer) + + * NetControl: small rule_error changes (test, call fix). (Johanna Amann) + + * SSL: update dpd signature for TLS1.3. (Johanna Amann) + +2.5-115 | 2017-03-23 07:25:41 -0700 + + * Fix a test that was failing on some platforms. (Daniel Thayer) + + * Remove test for cluster catch and release. This test keeps failing + intermittently because of timing issues that are surprisingly hard + to fix. (Johanna Amann) + + * Fix some Coverity warnings. (Daniel Thayer) + +2.5-106 | 2017-03-13 11:19:03 -0700 + + * print version string to stdout on --version, instead + of printing it to stderr. Output is not an error output. (Pete) + + * Fix compiler warning raised by llvm8. (Johanna Amann) + + * Fix coverity warning in Ascii reader. (Johanna Amann) + +2.5-101 | 2017-03-09 12:20:11 -0500 + + * Input's framework's ascii reader is now more resilient. + + By default, the ASCII reader does not fail on errors anymore. + If there is a problem parsing a line, a reporter warning is + written and parsing continues. 
If the file is missing or can't + be read, the input thread just tries again on the next heartbeat. + (Seth Hall, Johanna Amann) + +2.5-92 | 2017-03-03 10:44:14 -0800 + + * Move most threading to C++11 primitives (mostly). (Johanna Amann) + + * Fix a test that sometimes fails on FreeBSD. (Daniel Thayer) + + * Remove build time warnings. (Seth Hall) + +2.5-84 | 2017-02-27 15:08:55 -0500 + + * Change semantics of Broker's remote logging to match old communication + framework. (Robin Sommer) + + * Add and fix documentation for HookSetupAnalyzerTree (Johanna Amann) + + +2.5-76 | 2017-02-23 10:19:57 -0800 + + * Kerberos ciphertext had some additional ASN.1 content being lumped + in. (Vlad Grigorescu) + + * Updated Windows version detection to include Windows 10. (Fatema + Bannatwala, Keith Lehigh, Mike, Seth Hall). + +2.5-70 | 2017-02-20 00:20:02 -0500 + + * Rework the RADIUS base script. + + Fixes BIT-1769 which improves logging behavior when replies aren't + seen. Also added a `framed_addr` field to indicate if the radius + server is hinting at an address for the client and a `ttl` field to + show how quickly the server is responding. (Seth Hall) + +2.5-68 | 2017-02-18 13:59:05 -0500 + + * Refactored base krb scripts. (Seth Hall) + + * New script to log ticket hashes in krb log + (policy/protocols/krb/ticket-logging.bro). Also, add + ciphertext to ticket data structure. (John E. Rollinson) + +2.5-62 | 2017-02-15 15:56:38 -0800 + + * Fix case in which scripts were able to access unitialized variables + in certain cases. Addresses BIT-1785. (Jon Siwek) + +2.5-60 | 2017-02-15 15:19:20 -0800 + + * Implement ERSPAN support. + + There is a small caveat to this implementation. The ethernet + header that is carried over the tunnel is ignored. If a user + tries to do MAC address logging, it will only show the MAC + addresses for the outer tunnel and the inner MAC addresses + will be stripped and not available anywhere. (Seth Hall) + + * Tiny mime-type fix from Dan Caselden. 
(Seth Hall) + + * Update failing intel framework test. (Johanna Amann) + +2.5-55 | 2017-02-10 09:50:43 -0500 + + * Fixed intel expiration reset. Reinserting the same indicator did not reset + the expiration timer for the indicator in the underlying data store. + Addresses BIT-1790. (Jan Grashoefer) + +2.5-51 | 2017-02-06 10:15:56 -0500 + + * Fix memory leak in file analyzer. (Johanna Amann) + + * Fix a series of problems with the to_json function. + Addresses BIT-1788. (Daniel Thayer) + +2.5-44 | 2017-02-03 16:38:10 -0800 + + * Change snap lengths of some tests. (Johanna Amann) + + * Fix layer 2 connection flipping. If connection flipping occured in + Sessions.cc code (invoked e.g. when the original SYN is missing), + layer 2 flipping was not performed. (Johanna Amann) + 2.5-39 | 2017-02-01 14:03:08 -0800 * Fix file analyzer memory management, and a delay in disabling file analyzers. @@ -548,7 +1917,7 @@ 2.4-683 | 2016-07-08 14:55:04 -0700 - * Extendign connection history field to flag with '^' when Bro flips + * Extending connection history field to flag with '^' when Bro flips a connection's endpoints. Addresses BIT-1629. (Robin Sommer) 2.4-680 | 2016-07-06 09:18:21 -0700 diff --git a/CMakeLists.txt b/CMakeLists.txt index 5a7fba482e..452f2834cc 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt 
@@ -2,13 +2,25 @@ project(Bro C CXX) # When changing the minimum version here, also adapt # aux/bro-aux/plugin-support/skeleton/CMakeLists.txt -cmake_minimum_required(VERSION 2.8 FATAL_ERROR) +cmake_minimum_required(VERSION 2.8.12 FATAL_ERROR) include(cmake/CommonCMakeConfig.cmake) ######################################################################## ## Project/Build Configuration +if ( ENABLE_CCACHE ) + find_program(CCACHE_PROGRAM ccache) + + if ( NOT CCACHE_PROGRAM ) + message(FATAL_ERROR "ccache not found") + endif () + + message(STATUS "Using ccache: ${CCACHE_PROGRAM}") + set(CMAKE_C_COMPILER_LAUNCHER ${CCACHE_PROGRAM}) + set(CMAKE_CXX_COMPILER_LAUNCHER ${CCACHE_PROGRAM}) +endif () + set(BRO_ROOT_DIR ${CMAKE_INSTALL_PREFIX}) if (NOT BRO_SCRIPT_INSTALL_PATH) # set the default Bro script installation path (user did not specify one) @@ -40,12 +52,26 @@ file(WRITE ${CMAKE_CURRENT_BINARY_DIR}/bro-path-dev.csh "setenv PATH \"${CMAKE_CURRENT_BINARY_DIR}/src\":$PATH\n") file(STRINGS "${CMAKE_CURRENT_SOURCE_DIR}/VERSION" VERSION LIMIT_COUNT 1) +execute_process(COMMAND grep "^#define *BRO_PLUGIN_API_VERSION" + INPUT_FILE ${CMAKE_CURRENT_SOURCE_DIR}/src/plugin/Plugin.h + OUTPUT_VARIABLE API_VERSION + OUTPUT_STRIP_TRAILING_WHITESPACE) +string(REGEX REPLACE "^#define.*VERSION *" "" API_VERSION "${API_VERSION}") + string(REPLACE "." " " version_numbers ${VERSION}) separate_arguments(version_numbers) list(GET version_numbers 0 VERSION_MAJOR) list(GET version_numbers 1 VERSION_MINOR) set(VERSION_MAJ_MIN "${VERSION_MAJOR}.${VERSION_MINOR}") +set(VERSION_C_IDENT "${VERSION}_plugin_${API_VERSION}") +string(REGEX REPLACE "-[0-9]*$" "_git" VERSION_C_IDENT "${VERSION_C_IDENT}") +string(REGEX REPLACE "[^a-zA-Z0-9_\$]" "_" VERSION_C_IDENT "${VERSION_C_IDENT}") + +if(${ENABLE_DEBUG}) + set(VERSION_C_IDENT "${VERSION_C_IDENT}_debug") +endif() + ######################################################################## ## Dependency Configuration 
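Review bot: The `ENABLE_CCACHE` block in the @@ -2,13 +2,25 @@ hunk sets `CMAKE_C_COMPILER_LAUNCHER` and `CMAKE_CXX_COMPILER_LAUNCHER`, but the same hunk only raises the minimum CMake to 2.8.12, while the CHANGES entry for `--ccache` says CMake 3.10+ is required. On an older CMake these variables are presumably ignored without a message, so the build prints "Using ccache" and then does not use it. I would fail early inside the block: `if ( CMAKE_VERSION VERSION_LESS 3.10 )`, `message(FATAL_ERROR "ccache support requires CMake 3.10+")`, `endif ()`. Because the program found on PATH then wraps every compiler invocation, the existing `message(STATUS ...)` that prints the resolved path is worth keeping.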
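Review bot: In the @@ -40,12 +52,26 @@ hunk the result of the `grep` run by `execute_process` is never checked, so if `grep` is unavailable or the `#define` line changes shape, `API_VERSION` is empty and `VERSION_C_IDENT` silently loses the plugin API component that the link-time version check depends on. `file(STRINGS ... REGEX ...)`, already used for `VERSION` on the line above, would avoid the external tool. A guard such as `if ( NOT API_VERSION MATCHES "^[0-9]+$" )` with `message(FATAL_ERROR "cannot determine BRO_PLUGIN_API_VERSION")` would make the failure visible. Separately, `"-[0-9]*$"` is anchored at the end of a string that now ends in `_plugin_${API_VERSION}`, so as far as I can tell the git-revision suffix is no longer replaced by `_git`. Applying that replacement to `${VERSION}` before appending the suffix would restore the behaviour the CHANGES entry describes.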
@@ -69,16 +95,34 @@ FindRequiredPackage(OpenSSL) FindRequiredPackage(BIND) FindRequiredPackage(ZLIB) -if (NOT BinPAC_ROOT_DIR AND +find_package(CAF COMPONENTS core io openssl) +if (CAF_FOUND) + # e.g. if not using embedded CAF, then need to know where to look + # for CAF headers since that may differ from where Broker headers + # are found (and including a Broker header may pull in CAF headers). + include_directories(BEFORE ${CAF_INCLUDE_DIRS}) +endif () + +if (NOT BINPAC_EXE_PATH AND EXISTS ${CMAKE_CURRENT_SOURCE_DIR}/aux/binpac/CMakeLists.txt) add_subdirectory(aux/binpac) endif () FindRequiredPackage(BinPAC) +if ( NOT BIFCL_EXE_PATH ) + add_subdirectory(aux/bifcl) +endif () + if (ENABLE_JEMALLOC) find_package(JeMalloc) endif () +if ( BISON_VERSION AND BISON_VERSION VERSION_LESS 2.5 ) + set(MISSING_PREREQS true) + list(APPEND MISSING_PREREQ_DESCS + " Could not find prerequisite package Bison >= 2.5, found: ${BISON_VERSION}") +endif () + if (MISSING_PREREQS) foreach (prereq ${MISSING_PREREQ_DESCS}) message(SEND_ERROR ${prereq}) @@ -88,7 +132,6 @@ endif () include_directories(BEFORE ${PCAP_INCLUDE_DIR} - ${OPENSSL_INCLUDE_DIR} ${BIND_INCLUDE_DIR} ${BinPAC_INCLUDE_DIR} ${ZLIB_INCLUDE_DIR} @@ -98,11 +141,20 @@ include_directories(BEFORE # Optional Dependencies set(USE_GEOIP false) -find_package(LibGeoIP) -if (LIBGEOIP_FOUND) +find_package(LibMMDB) +if (LibMMDB_FOUND) set(USE_GEOIP true) - include_directories(BEFORE ${LibGeoIP_INCLUDE_DIR}) - list(APPEND OPTLIBS ${LibGeoIP_LIBRARY}) + include_directories(BEFORE ${LibMMDB_INCLUDE_DIR}) + list(APPEND OPTLIBS ${LibMMDB_LIBRARY}) +endif () + +set(USE_KRB5 false) +if ( ${CMAKE_SYSTEM_NAME} MATCHES Linux ) + find_package(LibKrb5) + if (LibKrb5_FOUND) + set(USE_KRB5 true) + list(APPEND OPTLIBS ${LibKrb5_LIBRARY}) + endif () endif () set(HAVE_PERFTOOLS false) 
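Review bot: `add_subdirectory(aux/bifcl)` in the @@ -69,16 +95,34 @@ hunk has no `EXISTS` check, unlike the `aux/binpac` case just above it, so a checkout without the new submodule fails with a generic CMake error rather than a clear message. `BINPAC_EXE_PATH` and `BIFCL_EXE_PATH` also name externally supplied code generators whose output is compiled into Bro, and nothing in this hunk verifies that the given path exists. I would add `if ( BIFCL_EXE_PATH AND NOT EXISTS ${BIFCL_EXE_PATH} )` with `message(FATAL_ERROR "bifcl not found at ${BIFCL_EXE_PATH}")`, and the same for binpac. A short comment should also say that these tools must come from a trusted build.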
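Review bot: The Kerberos block in the @@ -98,11 +141,20 @@ hunk appends `${LibKrb5_LIBRARY}` to `OPTLIBS` but, unlike the LibMMDB block above it, adds no include directory, so a krb5 installed outside the default search path may link but not compile. The find module is not visible here, so please confirm which include variable it exports. The condition `if ( ${CMAKE_SYSTEM_NAME} MATCHES Linux )` is a regex match on an expanded value; `if ( CMAKE_SYSTEM_NAME STREQUAL "Linux" )` states the intent exactly. A one-line comment saying why Kerberos support is limited to Linux would help the next reader.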
@@ -138,6 +190,12 @@ if (ENABLE_PERFTOOLS_DEBUG OR ENABLE_PERFTOOLS) # perftools weren't found endif () +# Making sure any non-standard OpenSSL includes get searched earlier +# than other dependencies which tend to be in standard system locations +# and thus cause the system OpenSSL headers to still be picked up even +# if one specifies --with-openssl (which may be common). +include_directories(BEFORE ${OPENSSL_INCLUDE_DIR}) + set(brodeps ${BinPAC_LIBRARY} ${PCAP_LIBRARY} @@ -167,6 +225,10 @@ include(CheckNameserCompat) include(GetArchitecture) include(RequireCXX11) +if ( (OPENSSL_VERSION VERSION_EQUAL "1.1.0") OR (OPENSSL_VERSION VERSION_GREATER "1.1.0") ) + set(BRO_HAVE_OPENSSL_1_1 true CACHE INTERNAL "" FORCE) +endif() + # Tell the plugin code that we're building as part of the main tree. set(BRO_PLUGIN_INTERNAL_BUILD true CACHE INTERNAL "" FORCE) 
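Review bot: The `include_directories(BEFORE ${OPENSSL_INCLUDE_DIR})` added in the @@ -138,6 +190,12 @@ hunk may not stay first in the search order. The @@ -178,22 +240,40 @@ hunk later issues further `include_directories(BEFORE ...)` calls for `aux/broker` and the three `CAF_INCLUDE_DIR_*` variables, and each `BEFORE` call prepends. If CAF is taken from a standard system location, the system OpenSSL headers could again be found ahead of the ones chosen with --with-openssl, which is the header/library mismatch the new comment is trying to prevent. Moving this call below the broker and CAF include lines, directly before `add_subdirectory(src)`, would keep the stated ordering; I have not verified this against a system CAF install.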
@@ -178,22 +240,40 @@ endif () configure_file(${CMAKE_CURRENT_SOURCE_DIR}/bro-config.h.in ${CMAKE_CURRENT_BINARY_DIR}/bro-config.h) +include_directories(${CMAKE_CURRENT_BINARY_DIR}) +install(FILES ${CMAKE_CURRENT_BINARY_DIR}/bro-config.h DESTINATION include/bro) + +if ( CAF_ROOT_DIR ) + set(BRO_CONFIG_CAF_ROOT_DIR ${CAF_ROOT_DIR}) +else () + set(BRO_CONFIG_CAF_ROOT_DIR ${BRO_ROOT_DIR}) +endif () + +if ( BinPAC_ROOT_DIR ) + set(BRO_CONFIG_BINPAC_ROOT_DIR ${BinPAC_ROOT_DIR}) +else () + set(BRO_CONFIG_BINPAC_ROOT_DIR ${BRO_ROOT_DIR}) +endif () + +set(BRO_CONFIG_BROKER_ROOT_DIR ${BRO_ROOT_DIR}) configure_file(${CMAKE_CURRENT_SOURCE_DIR}/bro-config.in ${CMAKE_CURRENT_BINARY_DIR}/bro-config @ONLY) install(PROGRAMS ${CMAKE_CURRENT_BINARY_DIR}/bro-config DESTINATION bin) -include_directories(${CMAKE_CURRENT_BINARY_DIR}) +install(DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}/cmake DESTINATION share/bro + USE_SOURCE_PERMISSIONS) ######################################################################## ## Recurse on sub-directories -if ( ENABLE_BROKER ) - add_subdirectory(aux/broker) - set(brodeps ${brodeps} broker) - add_definitions(-DENABLE_BROKER) - include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR}/aux/broker) -endif () +add_subdirectory(aux/broker) +set(brodeps ${brodeps} broker) +include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR}/aux/broker + ${CMAKE_CURRENT_BINARY_DIR}/aux/broker) +include_directories(BEFORE ${CAF_INCLUDE_DIR_CORE}) +include_directories(BEFORE ${CAF_INCLUDE_DIR_IO}) +include_directories(BEFORE ${CAF_INCLUDE_DIR_OPENSSL}) add_subdirectory(src) add_subdirectory(scripts) @@ -232,6 +312,8 @@ endif () message( "\n====================| Bro Build Summary |=====================" "\n" + "\nBuild type: ${CMAKE_BUILD_TYPE}" + "\nBuild dir: ${CMAKE_BINARY_DIR}" "\nInstall prefix: ${CMAKE_INSTALL_PREFIX}" "\nBro Script Path: ${BRO_SCRIPT_INSTALL_PATH}" "\nDebug mode: ${ENABLE_DEBUG}" 
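Review bot: `install(DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}/cmake DESTINATION share/bro USE_SOURCE_PERMISSIONS)` in the @@ -178,22 +240,40 @@ hunk copies whatever modes the checkout has into the install prefix. A group- or world-writable source tree therefore yields writable CMake modules that later plugin builds will execute. If nothing under cmake/ needs its executable bit, dropping `USE_SOURCE_PERMISSIONS` gives the install defaults; otherwise explicit `FILE_PERMISSIONS` and `DIRECTORY_PERMISSIONS` would pin the modes. Either way, a comment such as `# cmake/ is installed so plugins can build without a source tree` would record why the directory is shipped.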
@@ -242,13 +324,12 @@ message( "\nCXXFLAGS: ${CMAKE_CXX_FLAGS} ${CMAKE_CXX_FLAGS_${BuildType}}" "\nCPP: ${CMAKE_CXX_COMPILER}" "\n" - "\nBroker: ${ENABLE_BROKER}" - "\nBroker Python: ${BROKER_PYTHON_BINDINGS}" "\nBroccoli: ${INSTALL_BROCCOLI}" "\nBroctl: ${INSTALL_BROCTL}" "\nAux. Tools: ${INSTALL_AUX_TOOLS}" "\n" - "\nGeoIP: ${USE_GEOIP}" + "\nlibmaxminddb: ${USE_GEOIP}" + "\nKerberos: ${USE_KRB5}" "\ngperftools found: ${HAVE_PERFTOOLS}" "\n tcmalloc: ${USE_PERFTOOLS_TCMALLOC}" "\n debugging: ${USE_PERFTOOLS_DEBUG}" diff --git a/NEWS b/NEWS index 9aa1e35c7c..e5f5b28054 100644 --- a/NEWS +++ b/NEWS 
@@ -4,6 +4,501 @@ release. For an exhaustive list of changes, see the ``CHANGES`` file (note that submodules, such as BroControl and Broccoli, come with their own ``CHANGES``.) + +Bro 2.6 (in progress) +===================== + +New Functionality +----------------- + +- Bro has switched to using the new Broker library for all its + communication. Broker's API has been completely redesigned (compared + to the version in 2.5), and much of its implementation has been + redone. There's a new script-level "broker" framework that + supersedes the old "communication" framework, which is now + deprecated. The "cluster" and "control" frameworks have been ported + to Broker; same for BroControl. For more about the new Broker + framework, see doc/frameworks/broker.rst (there's also a guide there + for porting existing Bro scripts to Broker). For more about Broker + itself, including its API for external applications, see + aux/broker/doc. + + TODO: Replace documentation paths with URLs once these are available + online. + + When using BroControl, the meaning of proxies has changed with + Broker. If you are upgrading and have configured more than one proxy + currenty, we recommend going back down to a single proxy node now. + Unless you are using custom scripts doing significant data + distribution themselves through the new cluster framework, that + should be fine. + +- Bro now has new "is" and "as" script operators for dynamic + type-checking and casting. + + - "v as T" casts a value v into a value of type T, assuming that's + possible (if not, it triggers a runtime error). + + - "v is T" returns a boolean indicating whether value v can be + casted into type T (i.e., if true then "v as T" will succeed). 
+ + This casting supports three cases currently: (1) a value of + declared type "any" can be casted to its actual underlying type; + (2) Broker values can be casted to their corresponding script + types; and (3) all values can be casted to their declared types + (i.e., a no-op). + + Example for "any":: + + # cat a.bro + function check(a: any) + { + local s: string = "default"; + + if ( a is string ) + s = (a as string); + + print fmt("s=%s", s); + } + + event bro_init() + { + check("Foo"); + check(1); + } + + # bro a.bro + s=Foo + s=default + +- The existing "switch" got extended to now also support switching by + type rather than value. The new syntax supports two type-based versions + of "case": + + - "case type T: ...": Take branch if operand can be casted to type T. + + - "case type T as x: ... ": Take branch if operand can be casted + to type T, and make the casted value available through ID "x". + + Multiple types can be listed per branch, separated by commas. + However, one cannot mix cases with expressions and types inside a + single switch statement. + + Example:: + + function switch_one(v: any) + { + switch (v) { + case type string: + print "It's a string!"; + break; + + case type count as c: + print "It's a count!", c; + break; + + case type bool, type addr: + print "It's a bool or address!"; + break; + + default: + print "Something else!"; + break; + } + } + +- Bro now comes with a new "configuration framework" that allows + updating script options dynamically at runtime. This functionality + consists of three larger pieces working together: + + - Option variables: The new "option" keyword allows variables to be + declared as runtime options. Such variables cannot be changed + using normal assignments. Instead, they can be changed using the + new function Option::set. + + It is possible to "subscribe" to an option through + Option::set_change_handler, which will trigger a handler callback + when an option changes. 
Change handlers can optionally modify + values before they are applied by returning the desired value, or + reject updates by returning the old value. Priorities can be + specified if there are several handlers for one option. + + Example script:: + + option testbool: bool = T; + + function option_changed(ID: string, new_value: bool): bool + { + print fmt("Value of %s changed from %s to %s", ID, testbool, new_value); + return new_value; + } + + event bro_init() + { + print "Old value", testbool; + Option::set_change_handler("testbool", option_changed); + Option::set("testbool", F); + print "New value", testbool; + } + + - Script-level configuration framework: The new script framework + base/framework/config facilitates reading in new option values + from external files at runtime. The format for these files looks + like this: + + [option name][tab/spaces][new variable value] + + Configuration files to read can be specified by adding them to + Config::config_files. + + Usage example:: + + redef Config::config_files += { "/path/to/config.dat" }; + + module TestConfig; + + export { + option testbool: bool = F; + } + + The specified file will now be monitored continuously for changes, so + that writing "testbool T" into /path/to/config.dat will + automatically update the option's value accordingly. + + The configuration framework creates a config.log that shows all + value changes that took place. + + - Config reader: Internally, the configuration framework uses a new + type of input reader to read such configuration files into Bro. + The reader uses the option name to look up the type that variable + has, converts the read value to the correct type, and then updates + the option's value. 
Example script use:: + + type Idx: record { + option_name: string; + }; + + type Val: record { + option_val: string; + }; + + global currconfig: table[string] of string = table(); + + event InputConfig::new_value(name: string, source: string, id: string, value: any) + { + print id, value; + } + + event bro_init() + { + Input::add_table([$reader=Input::READER_CONFIG, $source="../configfile", $name="configuration", $idx=Idx, $val=Val, $destination=currconfig, $want_record=F]); + } + +- Support for OCSP and Signed Certificate Timestamp. This adds the + following events and BIFs: + + - Events: ocsp_request, ocsp_request_certificate, + ocsp_response_status, ocsp_response_bytes + ocsp_response_certificate ocsp_extension + x509_ocsp_ext_signed_certificate_timestamp + ssl_extension_signed_certificate_timestamp + + - Functions: sct_verify, x509_subject_name_hash, + x509_issuer_name_hash x509_spki_hash + +- The SSL scripts provide a new hook "ssl_finishing(c: connection)" + to trigger actions after the handshake has concluded. + +- New functionality has been added to the TLS parser, adding several + events. These events mostly extract information from the server and client + key exchange messages. The new events are: + + ssl_ecdh_server_params, ssl_dh_server_params, ssl_server_signature, + ssl_ecdh_client_params, ssl_dh_client_params, ssl_rsa_client_pms + + Since ssl_ecdh_server_params contains more information than the old + ssl_server_curve event, ssl_server_curve is now marked as deprecated. + +- Functions for retrieving files by their ID have been added: + + Files::file_exists, Files::lookup_File + +- New functions in the logging API: Log::get_filter_names, Log::enable_stream + +- HTTP now recognizes and skips upgraded/websocket connections. A new event, + http_connection_upgrade, is raised in such cases. 
+ +- Added a MOUNT3 protocol parser + + - This is not enabled by default (no ports are registered and no + DPD signatures exist, so no connections will end up attaching the + new Mount analyzer). If it were to be activated by users, the + following events are available: mount_proc_null, mount_proc_mnt, + mount_proc_umnt, mount_proc_umnt_all, mount_proc_not_implemented, + mount_reply_status. + +- Added new NFS events: nfs_proc_symlink, nfs_proc_link, nfs_proc_sattr + +- The SMB scripts in policy/protocols/smb are now moved into base/protocols/smb + and loaded/enabled by default. + +- Added new SMB events: smb1_transaction_secondary_request, + smb1_transaction2_secondary_request, smb1_transaction_response + +- Bro can now decrypt Kerberos tickets, and retrieve the authentication from + them, given a suitable keytab file. + +- Added support for bitwise operations on "count" values. '&', '|' and + '^' are binary "and", "or" and "xor" operators, and '~' is a unary + ones-complement operator. + +- The '&' and '|' operators can apply to patterns, too. p1 & p2 yields + a pattern that represents matching p1 followed by p2, and p1 | p2 yields + a pattern representing matching p1 or p2. The p1 | p2 functionality was + semi-present in previous versions of Bro, but required constants as + its operands; now you can use any pattern-valued expressions. + +- You can now specify that a pattern matches in a case-insensitive + fashion by adding 'i' to the end of its specification. So for example + /fOO/i == "Foo" yields T, as does /fOO/i in "xFoObar". Characters + enclosed in quotes however keep their casing, so /"fOO"/i in "xFoObar" + yields F, though it yields T for "xfOObar". + + You can achieve the same functionality for a subpattern enclosed in + parentheses by adding "?i:" to the open parenthesis. So for example + "/foo|(?i:bar)/" will match "BaR", but not "FoO". 
+ + For both ways of specifying case-insensitivity, characters enclosed in + double quotes maintain their case-sensitivity. So for example /"foo"/i + will not match "Foo", but it will match "foo". + +- "make install" now installs Bro's include headers (and more) into + --prefix so that compiling plugins does no longer need access to a + source/build tree. For OS distributions, this also facilitates + creating "bro-devel" packages providing all files necessary to build + plugins. + +- Bro now supports PPPoE over QinQ. + +- Bro now supports OpenSSL 1.1. + +- The new connection/conn.log history character 'W' indicates that + the originator ('w' = responder) advertised a TCP zero window + (instructing the peer to not send any data until receiving a + non-zero window). + +- The connection/conn.log history characters 'C' (checksum error seen), + 'T' (retransmission seen), and 'W' (zero window advertised) are now + repeated in a logarithmic fashion upon seeing multiple instances + of the corresponding behavior. Thus a connection with 2 C's in its + history means that the originator sent >= 10 packets with checksum + errors; 3 C's means >= 100, etc. + +- The above connection history behaviors occurring multiple times + (i.e., starting at 10 instances, than again for 100 instances, + etc.) generate corresponding events: tcp_multiple_checksum_errors, + udp_multiple_checksum_errors, tcp_multiple_zero_windows, and + tcp_multiple_retransmissions. Each has the same form, e.g. + + event tcp_multiple_retransmissions(c: connection, is_orig: bool, + threshold: count); + +- Added support for set union, intersection, difference, and comparison + operations. The corresponding operators for the first three are + "s1 | s2", "s1 & s2", and "s1 - s2". Relationals are in terms + of subsets, so "s1 < s2" yields true if s1 is a proper subset of s2 + and "s1 == s2" if the two sets have exactly the same elements. 
+ "s1 <= s2" holds for subsets or equality, and similarly "s1 != s2", + "s1 > s2", and "s1 >= s2" have the expected meanings in terms + of non-equality, proper superset, and superset-or-equal. + +- An expression of the form "v += e" will append the value of the expression + "e" to the end of the vector "v" (of course assuming type-compatbility). + +Changed Functionality +--------------------- + +- All communication is now handled through Broker, requiring changes + to existing scripts to port them over to the new API. The Broker + framework documentation comes with a porting guide. + +- The DHCP analyzer and its script-layer interface have been rewritten. + + - Supports more DHCP options than before. + + - The DHCP log now represents DHCP sessions based on transaction ID + and works on Bro cluster deployments. + + - Removed the policy/protocols/dhcp/known-devices-and-hostnames.bro + script since it's generally less relevant now with the updated log. + + - Removed the base/protocols/dhcp/utils.bro script and thus the + 'reverse_ip' function. + + - Replaced all DHCP events with the single 'dhcp_message' event. + The list of removed events includes: + + - dhcp_discover + - dhcp_offer + - dhcp_request + - dhcp_decline + - dhcp_ack + - dhcp_nak + - dhcp_release + - dhcp_inform + +- Removed policy/misc/known-devices.bro script and thus + known_devices.log will no longer be created. + +- The --with-binpac= configure option has changed to mean "path + to the binpac executable" instead of "path to binpac installation root". + +- The MIME types used to identify X.509 certificates in SSL + connections changed from "application/pkix-cert" to + "application/x-x509-user-cert" for host certificates and + "application/x-x509-ca-cert" for CA certificates. + +- With the new ssl_ecdh_server_params event, the ssl_server_curve + event is considered deprecated and will be removed in a future + version of Bro. + +- The Socks analyzer no longer logs passwords by default. 
This + brings its behavior in line with the FTP/HTTP analyzers which also + do not log passwords by default. + + To restore the previous behavior and log Socks passwords, use: + + redef SOCKS::default_capture_password = T; + +- The DNS base scripts no longer generate some noisy and annoying + weirds (dns_unmatched_msg, dns_unmatched_msg_quantity, dns_unmatched_reply) + +- The 'tunnel_parents' field of conn.log is now marked &optional, so, for + the default configuration of logs, this field will show "-" instead of + "(empty)" for connections that lack any tunneling. + +- SMB event argument changes: + + - smb1_transaction_request now has two additional arguments, "parameters" + and "data" strings + + - smb1_transaction2_request now has an additional "args" record argument + +- The SMB::write_cmd_log option has been removed and the corresponding + logic moving to policy/protocols/smb/log-cmds.bro which can simply + be loaded to produce the same effect of toggling the old flag on. + +- SSL event argument changes: + + - event ssl_server_signature now has an additional argument + "signature_and_hashalgorithm". + +- The "dnp3_header_block" event no longer has the "start" parameter + +- The string_to_pattern() built-in (and the now-deprecated merge_pattern() + built-in) is no longer restricted to only be called at initialization time. + +- GeoIP Legacy Database support has been replaced with GeoIP2 MaxMind DB + format support. + + - This updates the "lookup_location" and "lookup_asn" BIFs to use + libmaxminddb. The motivation for this is that MaxMind is discontinuing + GeoLite Legacy databases: no updates after April 1, 2018, no downloads + after January 2, 2019. It's also noted that all GeoIP Legacy databases + may be discontinued as they are superseded by GeoIP2. + +Removed Functionality +--------------------- + +- We no longer maintain any Bro plugins as part of the Bro + distribution. 
Most of the plugins that used to be in aux/plugins have + been moved over to use the Bro Package Manager instead. See + https://github.com/bro/packages for a list of Bro packages currently + available. + +- BroControl: The option 'IPv6Comm' and 'ZoneID' options are no longer + available (though Broker should be able to handle IPv6 automatically). + +- The "ocsp_request" event no longer has "requestorName" parameter. + +Deprecated Functionality +------------------------ + +- The old communication system is now deprecated and scheduled for + removal with the next Bro release. This includes the "communication" + framework, the &sychronized attributes, and the existing + communication-related BiFs. Use Broker instead. + +- The infrastructure for serializing Bro values into a binary + representation is now deprecated and scheduled for removal with the + next Bro release. This includes the &persistent attribute, as well + as BiFs like send_id(). Use Broker data stores and the new + configuration framework instead. + +- BroControl: The 'update' command is deprecated and scheduled for + removal with the next Bro release. Bro's new configuration framework + is taking its place. + +- Mixing of scalars and vectors, such as "v + e" yielding a vector + corresponding to the vector v with the scalar e added to each of + its elements, has been deprecated. + +- The built-in function merge_pattern() has been deprecated. It will + be replaced by the '&' operator for patterns. + +- The undocumented feature of using "&&" and "||" operators for patterns + has been deprecated. + +Bro 2.5.1 +========= + +New Functionality +----------------- + +- Bro now includes bifs for rename, unlink, and rmdir. + +- Bro now includes events for two extensions used by TLS 1.3: + ssl_extension_supported_versions and ssl_extension_psk_key_exchange_modes + +- Bro now includes hooks that can be used to interact with log processing + on the C++ level. + +- Bro now supports ERSPAN. 
Currently this ignores the ethernet header that is + carried over the tunnel; if a MAC is logged currently only the outer MAC + is returned. + +- Added a new BroControl option CrashExpireInterval to enable + "broctl cron" to remove crash directories that are older than the + specified number of days (the default value is 0, which means crash + directories never expire). + +- Added a new BroControl option MailReceivingPackets to control + whether or not "broctl cron" will mail a warning when it notices + that no packets were seen on an interface. + +- There is a new broctl command-line option "--version" which outputs + the BroControl version. + +Changed Functionality +--------------------- + +- The input framework's Ascii reader is now more resilient. If an input + is marked to reread a file when it changes and the file didn't exist + during a check Bro would stop watching the file in previous versions. + The same could happen with bad data in a line of a file. These + situations do not cause Bro to stop watching input files anymore. The + old behavior is available through settings in the Ascii reader. + +- The RADIUS scripts have been reworked. Requests are now logged even if + there is no response. The new framed_addr field in the log indicates + if the radius server is hinting at an address for the client. The ttl + field indicates how quickly the server is replying to the network access + server. + +- With the introduction of the Bro package manager, the Bro plugin repository + is considered deprecated. The af_packet, postgresql, and tcprs plugins have + already been removed and are available via bro-pkg. + Bro 2.5 ======= diff --git a/VERSION b/VERSION index c6ccae672a..3e949de53a 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.5-39 +2.5-850 diff --git a/aux/bifcl b/aux/bifcl new file mode 160000 index 0000000000..e99152c00a --- /dev/null +++ b/aux/bifcl @@ -0,0 +1 @@ +Subproject commit e99152c00aad8f81c684a01bc4d40790a295f85c 
diff --git a/aux/binpac b/aux/binpac
index a0990e61ad..74cf55ace0 160000
--- a/aux/binpac
+++ b/aux/binpac
@@ -1 +1 @@
-Subproject commit a0990e61ad4a3705bda4cc5a20059af2d1bda4c3
+Subproject commit 74cf55ace0de2bf061bbbf285ccf47cba122955f
diff --git a/aux/bro-aux b/aux/bro-aux
index 7660b5f4c5..53aae82024 160000
--- a/aux/bro-aux
+++ b/aux/bro-aux
@@ -1 +1 @@
-Subproject commit 7660b5f4c5be40aa5f3a7c8746fdcf68331f9b93
+Subproject commit 53aae820242c02790089e384a9fe2d3174799ab1
diff --git a/aux/broccoli b/aux/broccoli
index 765eab50f7..edf754ea6e 160000
--- a/aux/broccoli
+++ b/aux/broccoli
@@ -1 +1 @@
-Subproject commit 765eab50f7796fdb3c308fe9232cd7891f098c67
+Subproject commit edf754ea6e89a84ad74eff69a454c5e285c4b81b
diff --git a/aux/broctl b/aux/broctl
index f6d451520e..70a8b2e151 160000
--- a/aux/broctl
+++ b/aux/broctl
@@ -1 +1 @@
-Subproject commit f6d451520eaaaae97aab6df2bb4e0aecb6b63e66
+Subproject commit 70a8b2e15105f4c238765a882151718162e46208
diff --git a/aux/broker b/aux/broker
index 68a36ed814..e0f9f6504d 160000
--- a/aux/broker
+++ b/aux/broker
@@ -1 +1 @@
-Subproject commit 68a36ed81480ba935268bcaf7b6f2249d23436da
+Subproject commit e0f9f6504db9285a48e0be490abddf959999a404
diff --git a/aux/btest b/aux/btest
index 32e582514a..99ec0e1ea8 160000
--- a/aux/btest
+++ b/aux/btest
@@ -1 +1 @@
-Subproject commit 32e582514ae044befa8e0511083bf11a51408a1d
+Subproject commit 99ec0e1ea89e166af4cb6ebc2d923d123424123d
diff --git a/aux/netcontrol-connectors b/aux/netcontrol-connectors
index 9f3d6fce49..a432ae2f9a 160000
--- a/aux/netcontrol-connectors
+++ b/aux/netcontrol-connectors
@@ -1 +1 @@
-Subproject commit 9f3d6fce49cad3b45b5ddd0fe1f3c79186e1d2e7
+Subproject commit a432ae2f9a06e7b1664df5fc4ce1b694acb7b099
diff --git a/aux/plugins b/aux/plugins
deleted file mode 160000
index 0a2f021527..0000000000
--- a/aux/plugins
+++ /dev/null
@@ -1 +0,0 @@
-Subproject commit 0a2f0215270e6ceaf9c1312f705b95d2cce1b530
diff --git a/bro-config.h.in b/bro-config.h.in index 290dd31cae..1b351e550f 100644 --- a/bro-config.h.in +++ b/bro-config.h.in @@ -108,11 +108,8 @@ /* GeoIP geographic lookup functionality */ #cmakedefine USE_GEOIP -/* Whether the found GeoIP API supports IPv6 Country Edition */ -#cmakedefine HAVE_GEOIP_COUNTRY_EDITION_V6 - -/* Whether the found GeoIP API supports IPv6 City Edition */ -#cmakedefine HAVE_GEOIP_CITY_EDITION_REV0_V6 +/* Define if KRB5 is available */ +#cmakedefine USE_KRB5 /* Use Google's perftools */ #cmakedefine USE_PERFTOOLS_DEBUG @@ -229,3 +226,14 @@ #ifndef BRO_PLUGIN_INTERNAL_BUILD #define BRO_PLUGIN_INTERNAL_BUILD @BRO_PLUGIN_INTERNAL_BUILD@ #endif + +/* A C function that has the Bro version encoded into its name. */ +#define BRO_VERSION_FUNCTION bro_version_@VERSION_C_IDENT@ +#ifdef __cplusplus +extern "C" { +#endif +extern const char* BRO_VERSION_FUNCTION(); +#ifdef __cplusplus +} +#endif + diff --git a/bro-config.in b/bro-config.in index 0c426fd17b..be9ee551b3 100755 --- a/bro-config.in +++ b/bro-config.in @@ -7,11 +7,16 @@ site_dir=@BRO_SCRIPT_INSTALL_PATH@/site plugin_dir=@BRO_PLUGIN_INSTALL_PATH@ config_dir=@BRO_ETC_INSTALL_DIR@ python_dir=@PY_MOD_INSTALL_DIR@ +cmake_dir=@CMAKE_INSTALL_PREFIX@/share/bro/cmake +include_dir=@CMAKE_INSTALL_PREFIX@/include/bro bropath=@DEFAULT_BROPATH@ bro_dist=@BRO_DIST@ +binpac_root=@BRO_CONFIG_BINPAC_ROOT_DIR@ +caf_root=@BRO_CONFIG_CAF_ROOT_DIR@ +broker_root=@BRO_CONFIG_BROKER_ROOT_DIR@ usage="\ -Usage: bro-config [--version] [--prefix] [--script_dir] [--site_dir] [--plugin_dir] [--config_dir] [--python_dir] [--bropath] [--bro_dist]" +Usage: bro-config [--version] [--prefix] [--script_dir] [--site_dir] [--plugin_dir] [--config_dir] [--python_dir] [--include_dir] [--cmake_dir] [--bropath] [--bro_dist] [--binpac_root] [--caf_root] [--broker_root]" if [ $# -eq 0 ] ; then echo "${usage}" 1>&2 
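Review bot: The new declaration `extern const char* BRO_VERSION_FUNCTION();` at the end of bro-config.h.in is wrapped in `extern "C"` but has an empty parameter list, which in C before C23 declares unspecified parameters rather than none. If any C translation unit includes this header, `extern const char* BRO_VERSION_FUNCTION(void);` is valid in both C and C++ and lets the compiler reject calls that pass arguments. The comment above it says only that the version is encoded in the name; if the purpose is to make code built against mismatched headers fail to link (the hunk does not show this), it would help to say so, e.g. `/* Referencing this symbol ties a build to this exact Bro version at link time. */`.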
@@ -46,12 +51,27 @@ while [ $# -ne 0 ]; do --python_dir) echo $python_dir ;; + --cmake_dir) + echo $cmake_dir + ;; + --include_dir) + echo $include_dir + ;; --bropath) echo $bropath ;; --bro_dist) echo $bro_dist ;; + --binpac_root) + echo $binpac_root + ;; + --caf_root) + echo $caf_root + ;; + --broker_root) + echo $broker_root + ;; *) echo "${usage}" 1>&2 exit 1 diff --git a/cmake b/cmake index d29fbf6152..4cc3e344cf 160000 --- a/cmake +++ b/cmake @@ -1 +1 @@ -Subproject commit d29fbf6152e54fbb536910af02a80874b1917311 +Subproject commit 4cc3e344cf2698010a46684d32a2907a943430e3 diff --git a/configure b/configure index b58dd84c6a..90dda2fdd7 100755 --- a/configure +++ b/configure @@ -18,7 +18,17 @@ Usage: $0 [OPTION]... [VAR=VALUE]... Build Options: --builddir=DIR place build files in directory [build] + --build-type=TYPE set CMake build type [RelWithDebInfo]: + - Debug: optimizations off, debug symbols + flags + - MinSizeRel: size optimizations, debugging off + - Release: optimizations on, debugging off + - RelWithDebInfo: optimizations on, + debug symbols on, debug flags off --generator=GENERATOR CMake generator to use (see cmake --help) + --ccache use ccache to speed up recompilation (requires + ccache installation and CMake 3.10+) + --toolchain=PATH path to a CMAKE_TOOLCHAIN_FILE + (useful for cross-compiling) Installation Directories: --prefix=PREFIX installation directory [/usr/local/bro] 
@@ -34,42 +44,41 @@ Usage: $0 [OPTION]... [VAR=VALUE]... --conf-files-dir=PATH config files installation directory [PREFIX/etc] Optional Features: - --enable-debug compile in debugging mode + --enable-debug compile in debugging mode (like --build-type=Debug) + --enable-coverage compile with code coverage support (implies debugging mode) --enable-mobile-ipv6 analyze mobile IPv6 features defined by RFC 6275 --enable-perftools force use of Google perftools on non-Linux systems (automatically on when perftools is present on Linux) --enable-perftools-debug use Google's perftools for debugging --enable-jemalloc link against jemalloc - --enable-ruby build ruby bindings for broccoli (deprecated) - --enable-broker enable use of the Broker communication library - (requires C++ Actor Framework) - --disable-broccoli don't build or install the Broccoli library + --enable-broccoli build or install the Broccoli library (deprecated) --disable-broctl don't install Broctl --disable-auxtools don't build or install auxiliary tools --disable-perftools don't try to build with Google Perftools - --disable-python don't try to build python bindings for broccoli - --disable-pybroker don't try to build python bindings for broker + --disable-python don't try to build python bindings for broker + --disable-broker-tests don'e try to build Broker unit tests Required Packages in Non-Standard Locations: --with-openssl=PATH path to OpenSSL install root --with-bind=PATH path to BIND install root --with-pcap=PATH path to libpcap install root - --with-binpac=PATH path to BinPAC install root + --with-binpac=PATH path to BinPAC executable + (useful for cross-compiling) + --with-bifcl=PATH path to Bro BIF compiler executable + (useful for cross-compiling) --with-flex=PATH path to flex executable --with-bison=PATH path to bison executable --with-python=PATH path to Python executable + --with-caf=PATH path to C++ Actor Framework installation for using external version + (a required Broker dependency) 
Optional Packages in Non-Standard Locations: - --with-caf=PATH path to C++ Actor Framework installation - (a required Broker dependency) - --with-geoip=PATH path to the libGeoIP install root + --with-geoip=PATH path to the libmaxminddb install root + --with-krb5=PATH path to krb5 install root --with-perftools=PATH path to Google Perftools install root --with-jemalloc=PATH path to jemalloc install root --with-python-lib=PATH path to libpython --with-python-inc=PATH path to Python headers - --with-ruby=PATH path to ruby interpreter - --with-ruby-lib=PATH path to ruby library - --with-ruby-inc=PATH path to ruby headers --with-swig=PATH path to SWIG executable --with-rocksdb=PATH path to RocksDB installation (an optional Broker dependency) @@ -122,21 +131,19 @@ append_cache_entry BRO_ROOT_DIR PATH $prefix append_cache_entry PY_MOD_INSTALL_DIR PATH $prefix/lib/broctl append_cache_entry BRO_SCRIPT_INSTALL_PATH STRING $prefix/share/bro append_cache_entry BRO_ETC_INSTALL_DIR PATH $prefix/etc -append_cache_entry BROKER_PYTHON_BINDINGS BOOL false append_cache_entry ENABLE_DEBUG BOOL false append_cache_entry ENABLE_PERFTOOLS BOOL false append_cache_entry ENABLE_PERFTOOLS_DEBUG BOOL false append_cache_entry ENABLE_JEMALLOC BOOL false -append_cache_entry ENABLE_BROKER BOOL false -append_cache_entry BinPAC_SKIP_INSTALL BOOL true append_cache_entry BUILD_SHARED_LIBS BOOL true +append_cache_entry INSTALL_BROCCOLI BOOL false append_cache_entry INSTALL_AUX_TOOLS BOOL true -append_cache_entry INSTALL_BROCCOLI BOOL true append_cache_entry INSTALL_BROCTL BOOL true append_cache_entry CPACK_SOURCE_IGNORE_FILES STRING append_cache_entry ENABLE_MOBILE_IPV6 BOOL false append_cache_entry DISABLE_PERFTOOLS BOOL false append_cache_entry DISABLE_RUBY_BINDINGS BOOL true +append_cache_entry ENABLE_COVERAGE BOOL false # parse arguments while [ $# -ne 0 ]; do 
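Review bot: The help line added for `--disable-broker-tests` in the usage text reads `don'e try to build Broker unit tests`, which should be `don't try to build Broker unit tests`. This string is what users see from `./configure --help`, so the typo ships in user-facing output.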
@@ -153,9 +160,22 @@ while [ $# -ne 0 ]; do --builddir=*) builddir=$optarg ;; + --build-type=*) + append_cache_entry CMAKE_BUILD_TYPE STRING $optarg + + if [ $(echo "$optarg" | tr [:upper:] [:lower:]) = "debug" ]; then + append_cache_entry ENABLE_DEBUG BOOL true + fi + ;; --generator=*) CMakeGenerator="$optarg" ;; + --ccache) + append_cache_entry ENABLE_CCACHE BOOL true + ;; + --toolchain=*) + append_cache_entry CMAKE_TOOLCHAIN_FILE PATH $optarg + ;; --prefix=*) prefix=$optarg append_cache_entry CMAKE_INSTALL_PREFIX PATH $optarg @@ -179,6 +199,10 @@ while [ $# -ne 0 ]; do --logdir=*) append_cache_entry BRO_LOG_DIR PATH $optarg ;; + --enable-coverage) + append_cache_entry ENABLE_COVERAGE BOOL true + append_cache_entry ENABLE_DEBUG BOOL true + ;; --enable-debug) append_cache_entry ENABLE_DEBUG BOOL true ;; @@ -195,15 +219,10 @@ while [ $# -ne 0 ]; do --enable-jemalloc) append_cache_entry ENABLE_JEMALLOC BOOL true ;; - --enable-broker) - append_cache_entry ENABLE_BROKER BOOL true + --enable-broccoli) + append_cache_entry INSTALL_BROCCOLI BOOL yes ;; - --disable-broker) - ;; - --disable-broccoli) - append_cache_entry INSTALL_BROCCOLI BOOL false - ;; - --disable-broctl) + --disable-broctl) append_cache_entry INSTALL_BROCTL BOOL false ;; --disable-auxtools) @@ -215,11 +234,8 @@ while [ $# -ne 0 ]; do --disable-python) append_cache_entry DISABLE_PYTHON_BINDINGS BOOL true ;; - --disable-pybroker) - append_cache_entry DISABLE_PYBROKER BOOL true - ;; - --enable-ruby) - append_cache_entry DISABLE_RUBY_BINDINGS BOOL false + --disable-broker-tests) + append_cache_entry BROKER_DISABLE_TESTS BOOL true ;; --with-openssl=*) append_cache_entry OPENSSL_ROOT_DIR PATH $optarg 
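Review bot: In the new `--build-type=*)` arm the test `[ $(echo "$optarg" | tr [:upper:] [:lower:]) = "debug" ]` leaves the command substitution and both `tr` classes unquoted. An empty or space-containing value (`--build-type=`) makes `[` fail with a syntax error, and a single-character file such as `e` or `r` in the current directory lets the shell glob-expand `[:upper:]` before `tr` sees it. Quoting fixes both: `if [ "$(printf '%s' "$optarg" | tr '[:upper:]' '[:lower:]')" = "debug" ]; then`. The same quoting gap is in the `--with-binpac=*)` hunk further down, where `"$(dirname $optarg)/.."` should be `"$(dirname "$optarg")/.."` so a path with spaces is not split. The enclosing `while`/`case` starts and ends outside these hunks.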
@@ -231,7 +247,11 @@ while [ $# -ne 0 ]; do append_cache_entry PCAP_ROOT_DIR PATH $optarg ;; --with-binpac=*) - append_cache_entry BinPAC_ROOT_DIR PATH $optarg + append_cache_entry BINPAC_EXE_PATH PATH $optarg + append_cache_entry BinPAC_ROOT_DIR PATH "$(dirname $optarg)/.." + ;; + --with-bifcl=*) + append_cache_entry BIFCL_EXE_PATH PATH $optarg ;; --with-flex=*) append_cache_entry FLEX_EXECUTABLE PATH $optarg @@ -240,7 +260,10 @@ while [ $# -ne 0 ]; do append_cache_entry BISON_EXECUTABLE PATH $optarg ;; --with-geoip=*) - append_cache_entry LibGeoIP_ROOT_DIR PATH $optarg + append_cache_entry LibMMDB_ROOT_DIR PATH $optarg + ;; + --with-krb5=*) + append_cache_entry LibKrb5_ROOT_DIR PATH $optarg ;; --with-perftools=*) append_cache_entry GooglePerftools_ROOT_DIR PATH $optarg @@ -259,26 +282,12 @@ while [ $# -ne 0 ]; do append_cache_entry PYTHON_INCLUDE_DIR PATH $optarg append_cache_entry PYTHON_INCLUDE_PATH PATH $optarg ;; - --with-ruby=*) - append_cache_entry RUBY_EXECUTABLE PATH $optarg - ;; - --with-ruby-lib=*) - append_cache_entry RUBY_LIBRARY PATH $optarg - ;; - --with-ruby-inc=*) - append_cache_entry RUBY_INCLUDE_DIRS PATH $optarg - append_cache_entry RUBY_INCLUDE_PATH PATH $optarg - ;; --with-swig=*) append_cache_entry SWIG_EXECUTABLE PATH $optarg ;; --with-caf=*) append_cache_entry CAF_ROOT_DIR PATH $optarg ;; - --with-libcaf=*) - echo "warning: --with-libcaf deprecated, use --with-caf instead" - append_cache_entry CAF_ROOT_DIR PATH $optarg - ;; --with-rocksdb=*) append_cache_entry ROCKSDB_ROOT_DIR PATH $optarg ;; diff --git a/doc/CMakeLists.txt b/doc/CMakeLists.txt index 414cf56b0c..0edf2429ab 100644 --- a/doc/CMakeLists.txt +++ b/doc/CMakeLists.txt 
@@ -1,9 +1,9 @@ -set(BROCCOLI_DOCS_SRC ${CMAKE_BINARY_DIR}/aux/broccoli/doc/html) -set(BROCCOLI_DOCS_DST ${CMAKE_BINARY_DIR}/html/broccoli-api) set(SPHINX_INPUT_DIR ${CMAKE_CURRENT_BINARY_DIR}/sphinx_input) set(SPHINX_OUTPUT_DIR ${CMAKE_CURRENT_BINARY_DIR}/sphinx_output) set(BROXYGEN_SCRIPT_OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/broxygen_script_output) set(BROXYGEN_CACHE_DIR ${CMAKE_CURRENT_BINARY_DIR}/broxygen_cache) +set(BROCCOLI_DOCS_SRC ${CMAKE_BINARY_DIR}/aux/broccoli/doc/html) +set(BROCCOLI_DOCS_DST ${CMAKE_BINARY_DIR}/html/broccoli-api) # Find out what BROPATH to use when executing bro. execute_process(COMMAND ${CMAKE_BINARY_DIR}/bro-path-dev @@ -61,10 +61,6 @@ add_custom_target(sphinxdoc COMMAND "${CMAKE_COMMAND}" -E create_symlink ${SPHINX_OUTPUT_DIR}/html ${CMAKE_BINARY_DIR}/html - # Copy Broccoli API reference into output dir if it exists. - COMMAND test -d ${BROCCOLI_DOCS_SRC} && - ( rm -rf ${BROCCOLI_DOCS_DST} && - cp -r ${BROCCOLI_DOCS_SRC} ${BROCCOLI_DOCS_DST} ) || true WORKING_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR} COMMENT "[Sphinx] Generate HTML documentation in ${CMAKE_BINARY_DIR}/html") @@ -77,7 +73,10 @@ add_custom_target(sphinxdoc_clean COMMAND "${CMAKE_COMMAND}" -E remove_directory ${BROXYGEN_CACHE_DIR} VERBATIM) -add_custom_target(doc) +if (NOT TARGET doc) + add_custom_target(doc) +endif () + add_custom_target(docclean) add_dependencies(doc sphinxdoc) add_dependencies(docclean sphinxdoc_clean) diff --git a/doc/_static/broxygen.css b/doc/_static/broxygen.css index 5259c3adfc..ad06b0f9d9 100644 --- a/doc/_static/broxygen.css +++ b/doc/_static/broxygen.css @@ -152,12 +152,10 @@ sup, sub { pre, code { white-space: pre; - overflow: auto; - margin-left: 2em; - margin-right: 2em; - margin-top: .5em; - margin-bottom: 1.5em; - word-wrap: normal; + overflow: auto; + margin-left: 0.25em; + margin-right: 0.25em; + word-wrap: normal; } pre, code, tt { 
@@ -482,4 +480,4 @@ li { .btest-cmd .code pre, .btest-include .code pre { margin-left: 0px; -} \ No newline at end of file +} diff --git a/doc/_templates/layout.html b/doc/_templates/layout.html index 3df56a12ff..4debd1d90e 100644 --- a/doc/_templates/layout.html +++ b/doc/_templates/layout.html @@ -10,7 +10,7 @@ {% endblock %} {% block header %} - {% endblock %} @@ -108,6 +108,6 @@ {% endblock %} {% block footer %} - {% endblock %} diff --git a/doc/components/bro-plugins/README.rst b/doc/components/bro-plugins/README.rst deleted file mode 120000 index 8f96f50909..0000000000 --- a/doc/components/bro-plugins/README.rst +++ /dev/null @@ -1 +0,0 @@ -../../../aux/plugins/README \ No newline at end of file diff --git a/doc/components/bro-plugins/af_packet/README.rst b/doc/components/bro-plugins/af_packet/README.rst deleted file mode 120000 index b8f745bed2..0000000000 --- a/doc/components/bro-plugins/af_packet/README.rst +++ /dev/null @@ -1 +0,0 @@ -../../../../aux/plugins/af_packet/README \ No newline at end of file diff --git a/doc/components/bro-plugins/elasticsearch/README.rst b/doc/components/bro-plugins/elasticsearch/README.rst deleted file mode 120000 index 8a5b78d689..0000000000 --- a/doc/components/bro-plugins/elasticsearch/README.rst +++ /dev/null @@ -1 +0,0 @@ -../../../../aux/plugins/elasticsearch/README \ No newline at end of file diff --git a/doc/components/bro-plugins/kafka/README.rst b/doc/components/bro-plugins/kafka/README.rst deleted file mode 120000 index 6ca2195f17..0000000000 --- a/doc/components/bro-plugins/kafka/README.rst +++ /dev/null @@ -1 +0,0 @@ -../../../../aux/plugins/kafka/README \ No newline at end of file diff --git a/doc/components/bro-plugins/myricom/README.rst b/doc/components/bro-plugins/myricom/README.rst deleted file mode 120000 index 3bfabcdae3..0000000000 --- a/doc/components/bro-plugins/myricom/README.rst +++ /dev/null @@ -1 +0,0 @@ -../../../../aux/plugins/myricom/README \ No newline at end of file 
diff --git a/doc/components/bro-plugins/netmap/README.rst b/doc/components/bro-plugins/netmap/README.rst
deleted file mode 120000
index 819a2bb0e9..0000000000
--- a/doc/components/bro-plugins/netmap/README.rst
+++ /dev/null
@@ -1 +0,0 @@
-../../../../aux/plugins/netmap/README
\ No newline at end of file
diff --git a/doc/components/bro-plugins/pf_ring/README.rst b/doc/components/bro-plugins/pf_ring/README.rst
deleted file mode 120000
index 5ea666e8c9..0000000000
--- a/doc/components/bro-plugins/pf_ring/README.rst
+++ /dev/null
@@ -1 +0,0 @@
-../../../../aux/plugins/pf_ring/README
\ No newline at end of file
diff --git a/doc/components/bro-plugins/postgresql/README.rst b/doc/components/bro-plugins/postgresql/README.rst
deleted file mode 120000
index b8c815c45b..0000000000
--- a/doc/components/bro-plugins/postgresql/README.rst
+++ /dev/null
@@ -1 +0,0 @@
-../../../../aux/plugins/postgresql/README
\ No newline at end of file
diff --git a/doc/components/bro-plugins/redis/README.rst b/doc/components/bro-plugins/redis/README.rst
deleted file mode 120000
index c42051828e..0000000000
--- a/doc/components/bro-plugins/redis/README.rst
+++ /dev/null
@@ -1 +0,0 @@
-../../../../aux/plugins/redis/README
\ No newline at end of file
diff --git a/doc/components/bro-plugins/tcprs/README.rst b/doc/components/bro-plugins/tcprs/README.rst
deleted file mode 120000
index c0e84fd579..0000000000
--- a/doc/components/bro-plugins/tcprs/README.rst
+++ /dev/null
@@ -1 +0,0 @@
-../../../../aux/plugins/tcprs/README
\ No newline at end of file
diff --git a/doc/components/broccoli-python/README.rst b/doc/components/broccoli-python/README.rst
deleted file mode 120000
index 4187e87202..0000000000
--- a/doc/components/broccoli-python/README.rst
+++ /dev/null
@@ -1 +0,0 @@
-../../../aux/broccoli/bindings/broccoli-python/README
\ No newline at end of file
diff --git a/doc/components/broccoli-ruby/README.rst b/doc/components/broccoli-ruby/README.rst
deleted file mode 120000
index da71663099..0000000000
--- a/doc/components/broccoli-ruby/README.rst +++ /dev/null @@ -1 +0,0 @@ -../../../aux/broccoli/bindings/broccoli-ruby/README \ No newline at end of file diff --git a/doc/components/broccoli/README.rst b/doc/components/broccoli/README.rst deleted file mode 120000 index d32c70ccd9..0000000000 --- a/doc/components/broccoli/README.rst +++ /dev/null @@ -1 +0,0 @@ -../../../aux/broccoli/README \ No newline at end of file diff --git a/doc/components/broccoli/broccoli-manual.rst b/doc/components/broccoli/broccoli-manual.rst deleted file mode 120000 index bd5e8d711f..0000000000 --- a/doc/components/broccoli/broccoli-manual.rst +++ /dev/null @@ -1 +0,0 @@ -../../../aux/broccoli/doc/broccoli-manual.rst \ No newline at end of file diff --git a/doc/components/broker/broker-manual.rst b/doc/components/broker/broker-manual.rst deleted file mode 120000 index 90bf8f0833..0000000000 --- a/doc/components/broker/broker-manual.rst +++ /dev/null @@ -1 +0,0 @@ -../../../aux/broker/broker-manual.rst \ No newline at end of file diff --git a/doc/components/index.rst b/doc/components/index.rst index 85527e9f9c..2f69b3ef54 100644 --- a/doc/components/index.rst +++ b/doc/components/index.rst @@ -13,19 +13,10 @@ current, independent component releases. :maxdepth: 1 BinPAC - A protocol parser generator - Broccoli - The Bro Client Communication Library (README) - Broccoli - User Manual - Broccoli Python Bindings - Broccoli Ruby Bindings - Broker - Bro's (New) Messaging Library (README) - Broker - User Manual + Broker - Bro's (New) Messaging Library BroControl - Interactive Bro management shell Bro-Aux - Small auxiliary tools for Bro - Bro-Plugins - A collection of plugins for Bro BTest - A unit testing framework Capstats - Command-line packet statistic tool PySubnetTree - Python module for CIDR lookups trace-summary - Script for generating break-downs of network traffic - -The `Broccoli API Reference <../broccoli-api/index.html>`_ may also be of -interest. 
diff --git a/doc/conf.py.in b/doc/conf.py.in index ef9367483a..f7243b4527 100644 --- a/doc/conf.py.in +++ b/doc/conf.py.in @@ -195,8 +195,6 @@ html_sidebars = { # Output file base name for HTML help builder. htmlhelp_basename = 'Broxygen' -html_add_permalinks = None - # -- Options for LaTeX output -------------------------------------------------- # The paper size ('letter' or 'a4'). diff --git a/doc/ext/bro.py b/doc/ext/bro.py index 6a4c50e8ce..96a2628cea 100644 --- a/doc/ext/bro.py +++ b/doc/ext/bro.py @@ -259,9 +259,14 @@ class BroDomain(Domain): } def clear_doc(self, docname): + to_delete = [] + for (typ, name), doc in self.data['objects'].items(): if doc == docname: - del self.data['objects'][typ, name] + to_delete.append((typ, name)) + + for (typ, name) in to_delete: + del self.data['objects'][typ, name] def resolve_xref(self, env, fromdocname, builder, typ, target, node, contnode): diff --git a/doc/frameworks/broker.rst b/doc/frameworks/broker.rst index 9c9ed89514..e050ec6479 100644 --- a/doc/frameworks/broker.rst +++ b/doc/frameworks/broker.rst 
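Review bot: The two-pass deletion added to `clear_doc` has no comment explaining why the keys are collected in `to_delete` first, so a later cleanup could fold it back into the single loop this commit removes. A one-line comment above `to_delete = []` would record the reason, e.g. `# Collect keys first: deleting from self.data['objects'] while iterating .items() raises RuntimeError on Python 3.` The enclosing `BroDomain` class continues outside the hunk.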
@@ -1,174 +1,360 @@ +.. _CAF: https://github.com/actor-framework/actor-framework .. _brokercomm-framework: -====================================== -Broker-Enabled Communication Framework -====================================== +============================================== +Broker-Enabled Communication/Cluster Framework +============================================== .. rst-class:: opening - Bro can now use the `Broker Library + Bro now uses the `Broker Library <../components/broker/README.html>`_ to exchange information with - other Bro processes. + other Bro processes. Broker itself uses CAF_ (C++ Actor Framework) + internally for connecting nodes and exchanging arbitrary data over + networks. Broker then introduces, on top of CAF, a topic-based + publish/subscribe communication pattern using a data model that is + compatible to Bro's. Broker itself can be utilized outside the + context of Bro, with Bro itself making use of only a few predefined + Broker message formats that represent Bro events, log entries, etc. + + In summary, the Bro's Broker framework provides basic facilities for + connecting broker-enabled peers (e.g. Bro instances) to each other + and exchanging messages (e.g. events and logs). With this comes + changes in how clusters operate and, since Broker significantly + differs from the previous communication framework, there are several + changes in the set of scripts that Bro ships with that may break + your own customizations. This document aims to describe the changes + that have been made, making it easier to port your own scripts. It + also gives examples of Broker and the new cluster framework that + show off all the new features and capabilities. .. contents:: +Porting Guide +============= + +Review and use the points below as a guide to port your own scripts +to the latest version of Bro, which uses the new cluster and Broker +communication framework. 
+ +General Porting Tips +-------------------- + +- ``@load policy/frameworks/communication/listen`` and + ``@load base/frameworks/communication`` indicates use of the + old communication framework, consider porting to + ``@load base/frameworks/broker`` and using the Broker API: + :doc:`/scripts/base/frameworks/broker/main.bro` + +- The ``&synchronized`` and ``&persistent`` attributes are deprecated, + consider using `Data Stores`_ instead. + +- Usages of the old communications system features are all deprecated, + however, they also do not work in the default Bro configuration unless + you manually take action to set up the old communication system. + To aid in porting, such usages will default to raising a fatal error + unless you explicitly acknowledge that such usages of the old system + are ok. Set the :bro:see:`old_comm_usage_is_ok` flag in this case. + +- Instead of using e.g. ``Cluster::manager2worker_events`` (and all + permutations for every node type), what you'd now use is either + :bro:see:`Broker::publish` or :bro:see:`Broker::auto_publish` with + either the topic associated with a specific node or class of nodes, + like :bro:see:`Cluster::node_topic` or + :bro:see:`Cluster::worker_topic`. + +- Instead of using the ``send_id`` BIF, use :bro:see:`Broker::publish_id`. + +- Use :bro:see:`terminate` instead of :bro:see:`terminate_communication`. + The latter refers to the old communication system and no longer affects + the new Broker-based system. + +- For replacing :bro:see:`remote_connection_established` and + :bro:see:`remote_connection_closed`, consider :bro:see:`Broker::peer_added` + or :bro:see:`Broker::peer_lost`. There's also :bro:see:`Cluster::node_up` + and :bro:see:`Cluster::node_down`. + +Notable / Specific Script API Changes +------------------------------------- + +- :bro:see:`Software::tracked` is now partitioned among proxy nodes + instead of synchronized in its entirety to all nodes. 
+ +- ``Known::known_hosts`` is renamed to :bro:see:`Known::host_store` and + implemented via the new Broker data store interface. + +- ``Known::known_services`` is renamed to :bro:see:`Known::service_store` + and implemented via the new Broker data store interface. + +- ``Known::certs`` is renamed to :bro:see:`Known::cert_store` + and implemented via the new Broker data store interface. + +New Cluster Layout / API +======================== + +Layout / Topology +----------------- + +The cluster topology has changed. + +- Proxy nodes no longer connect with each other. + +- Each worker node connects to all proxies. + +- All node types connect to all logger nodes and the manager node. + +This looks like: + +.. figure:: broker/cluster-layout.png + +Some general suggestions as to the purpose/utilization of each node type: + +- Workers: are a good first choice for doing the brunt of any work you need + done. They should be spending a lot of time performing the actual job + of parsing/analyzing incoming data from packets, so you might choose + to look at them as doing a "first pass" analysis and then deciding how + the results should be shared with other nodes in the cluster. + +- Proxies: serve as intermediaries for data storage and work/calculation + offloading. Good for helping offload work or data in a scalable and + distributed way. Since any given worker is connected to all + proxies and can agree on an "arbitrary key -> proxy node" mapping + (more on that later), you can partition work or data amongst them in a + uniform manner. e.g. you might choose to use proxies as a method of + sharing non-persistent state or as a "second pass" analysis for any + work that you don't want interfering with the workers' capacity to + keep up with capturing and parsing packets. Note that the default scripts + that come with Bro don't utilize proxies themselves, so if you are coming + from a previous BroControl deployment, you may want to try reducing down + to a single proxy node. 
If you come to have custom/community scripts + that utilize proxies, that would be the time to start considering scaling + up the number of proxies to meet demands. + +- Manager: this node will be good at performing decisions that require a + global view of things since it is in a centralized location, connected + to everything. However, that also makes it easy to overload, so try + to use it sparingly and only for tasks that must be done in a + centralized or authoritative location. Optionally, for some + deployments, the Manager can also serve as the sole Logger. + +- Loggers: these nodes should simply be spending their time writing out + logs to disk and not used for much else. In the default cluster + configuration, logs get distributed among available loggers in a + round-robin fashion, providing failover capability should any given + logger temporarily go offline. + +Data Management/Sharing Strategies +================================== + +There's maybe no single, best approach or pattern to use when you need a +Bro script to store or share long-term state and data. The two +approaches that were previously used were either using the ``&synchronized`` +attribute on tables/sets or by explicitly sending events to specific +nodes on which you wanted data to be stored. The former is no longer +possible, though there are several new possibilities that the new +Broker/Cluster framework offer, namely distributed data store and data +partitioning APIs. + +Data Stores +----------- + +Broker provides a distributed key-value store interface with optional +choice of using a persistent backend. For more detail, see +:ref:`this example `. + +Some ideas/considerations/scenarios when deciding whether to use +a data store for your use-case: + +* If you need the full data set locally in order to achieve low-latency + queries using data store "clones" can provide that. + +* If you need data that persists across restarts of Bro processes, then + data stores can also provide that. 
+ +* If the data you want to store is complex (tables, sets, records) or + you expect to read, modify, and store back, then data stores may not + be able to provide simple, race-free methods of performing the pattern + of logic that you want. + +* If the data set you want to store is excessively large, that's still + problematic even for stores that use a persistent backend as they are + implemented in a way that requires a full snapshot of the store's + contents to fit in memory (this limitation may change in the future). + +Data Partitioning +----------------- + +New data partitioning strategies are available using the API in +:doc:`/scripts/base/frameworks/cluster/pools.bro`. Using that API, developers +of custom Bro scripts can define a custom pool of nodes that best fits the +needs of their script. + +One example strategy is to use Highest Random Weight (HRW) hashing to +partition data tables amongst the pool of all proxy nodes. e.g. using +:bro:see:`Cluster::publish_hrw`. This could allow clusters to +be scaled more easily than the approach of "the entire data set gets +synchronized to all nodes" as the solution to memory limitations becomes +"just add another proxy node". It may also take away some of the +messaging load that used to be required to synchronize data sets across +all nodes. + +The tradeoff of this approach, is that nodes that leave the pool (due to +crashing, etc.) cause a temporary gap in the total data set until +workers start hashing keys to a new proxy node that is still alive, +causing data to now be located and updated there. 
+ +If the developer of a script expects its workload to be particularly +intensive, wants to ensure that their operations get exclusive +access to nodes, or otherwise set constraints on the number of nodes within +a pool utilized by their script, then the :bro:see:`Cluster::PoolSpec` +structure will allow them to do that while still allowing users of that script +to override the default suggestions made by the original developer. + +Broker Framework Examples +========================= + +The broker framework provides basic facilities for connecting Bro instances +to each other and exchanging messages, like events or logs. + +See :doc:`/scripts/base/frameworks/broker/main.bro` for an overview +of the main Broker API. + +.. _broker_topic_naming: + +Topic Naming Conventions +------------------------ + +All Broker-based messaging involves two components: the information you +want to send (e.g. an event w/ its arguments) along with an associated +topic name string. The topic strings are used as a filtering mechanism: +Broker uses a publish/subscribe communication pattern where peers +advertise interest in topic **prefixes** and only receive messages which +match one of their prefix subscriptions. + +Broker itself supports arbitrary topic strings, however Bro generally +follows certain conventions in choosing these topics to help avoid +conflicts and generally make them easier to remember. + +As a reminder of how topic subscriptions work, subscribers advertise +interest in a topic **prefix** and then receive any messages publish by a +peer to a topic name that starts with that prefix. E.g. 
Alice +subscribes to the "alice/dogs" prefix, then would receive the following +message topics published by Bob: + +- topic "alice/dogs/corgi" +- topic "alice/dogs" +- topic "alice/dogsarecool/oratleastilikethem" + +Alice would **not** receive the following message topics published by Bob: + +- topic "alice/cats/siamese" +- topic "alice/cats" +- topic "alice/dog" +- topic "alice" + +Note that the topics aren't required to form a slash-delimited hierarchy, +the subscription matching is purely a byte-per-byte prefix comparison. + +However, Bro scripts generally will follow a topic naming hierarchy and +any given script will make the topic names it uses apparent via some +redef'able constant in its export section. Generally topics that Bro +scripts use will be along the lines of "bro//" +with "" being the script's module name (in all-undercase). +For example, you might expect an imaginary "Pretend" framework to +publish/subscribe using topic names like "bro/pretend/my_cool_event". + +For cluster operation, see :doc:`/scripts/base/frameworks/cluster/main.bro` +for a list of topics that are useful for steering published events to +the various node classes. E.g. you have the ability to broadcast to all +directly-connected nodes, only those of a given class (e.g. just workers), +or to a specific node within a class. + +The topic names that logs get published under are a bit nuanced. In the +default cluster configuration, they are round-robin published to +explicit topic names that identify a single logger. In standalone Bro +processes, logs get published to the topic indicated by +:bro:see:`Broker::default_log_topic_prefix`. + +For those writing their own scripts which need new topic names, a +suggestion would be to avoid prefixing any new topics/prefixes with +"bro/" as any changes in scripts shipping with Bro will use that prefix +and it's better to not risk unintended conflicts. 
+ Connecting to Peers -=================== +------------------- -Communication via Broker must first be turned on via -:bro:see:`Broker::enable`. - -Bro can accept incoming connections by calling :bro:see:`Broker::listen` -and then monitor connection status updates via the -:bro:see:`Broker::incoming_connection_established` and -:bro:see:`Broker::incoming_connection_broken` events. +Bro can accept incoming connections by calling :bro:see:`Broker::listen`. .. btest-include:: ${DOC_ROOT}/frameworks/broker/connecting-listener.bro -Bro can initiate outgoing connections by calling :bro:see:`Broker::connect` -and then monitor connection status updates via the -:bro:see:`Broker::outgoing_connection_established`, -:bro:see:`Broker::outgoing_connection_broken`, and -:bro:see:`Broker::outgoing_connection_incompatible` events. +Bro can initiate outgoing connections by calling :bro:see:`Broker::peer`. .. btest-include:: ${DOC_ROOT}/frameworks/broker/connecting-connector.bro -Remote Printing -=============== - -To receive remote print messages, first use the -:bro:see:`Broker::subscribe_to_prints` function to advertise to peers a -topic prefix of interest and then create an event handler for -:bro:see:`Broker::print_handler` to handle any print messages that are -received. - -.. btest-include:: ${DOC_ROOT}/frameworks/broker/printing-listener.bro - -To send remote print messages, just call :bro:see:`Broker::send_print`. - -.. btest-include:: ${DOC_ROOT}/frameworks/broker/printing-connector.bro - -Notice that the subscriber only used the prefix "bro/print/", but is -able to receive messages with full topics of "bro/print/hi", -"bro/print/stuff", and "bro/print/bye". The model here is that the -publisher of a message checks for all subscribers who advertised -interest in a prefix of that message's topic and sends it to them. - -Message Format --------------- - -For other applications that want to exchange print messages with Bro, -the Broker message format is simply: - -.. 
code:: c++ - - broker::message{std::string{}}; +In either case, connection status updates are monitored via the +:bro:see:`Broker::peer_added` and :bro:see:`Broker::peer_lost` events. Remote Events -============= +------------- -Receiving remote events is similar to remote prints. Just use the -:bro:see:`Broker::subscribe_to_events` function and possibly define any -new events along with handlers that peers may want to send. +To receive remote events, you need to first subscribe to a "topic" to which +the events are being sent. A topic is just a string chosen by the sender, +and named in a way that helps organize events into various categories. +See the :ref:`topic naming conventions section ` for +more on how topics work and are chosen. + +Use the :bro:see:`Broker::subscribe` function to subscribe to topics and +define any event handlers for events that peers will send. .. btest-include:: ${DOC_ROOT}/frameworks/broker/events-listener.bro -There are two different ways to send events. The first is to call the -:bro:see:`Broker::send_event` function directly. The second option is to call -the :bro:see:`Broker::auto_event` function where you specify a -particular event that will be automatically sent to peers whenever the -event is called locally via the normal event invocation syntax. +There are two different ways to send events. + +The first is to call the :bro:see:`Broker::publish` function which you can +supply directly with the event and its arguments or give it the return value of +:bro:see:`Broker::make_event` in case you need to send the same event/args +multiple times. When publishing events like this, local event handlers for +the event are not called. + +The second option is to call the :bro:see:`Broker::auto_publish` function where +you specify a particular event that will be automatically sent to peers +whenever the event is called locally via the normal event invocation syntax. 
+When auto-publishing events, local event handlers for the event are called +in addition to sending the event to any subscribed peers. .. btest-include:: ${DOC_ROOT}/frameworks/broker/events-connector.bro -Again, the subscription model is prefix-based. - -Message Format --------------- - -For other applications that want to exchange event messages with Bro, -the Broker message format is: - -.. code:: c++ - - broker::message{std::string{}, ...}; - -The first parameter is the name of the event and the remaining ``...`` -are its arguments, which are any of the supported Broker data types as -they correspond to the Bro types for the event named in the first -parameter of the message. +Note that the subscription model is prefix-based, meaning that if you subscribe +to the "bro/events" topic prefix you would receive events that are published +to topic names "bro/events/foo" and "bro/events/bar" but not "bro/misc". Remote Logging -============== +-------------- .. btest-include:: ${DOC_ROOT}/frameworks/broker/testlog.bro -Use the :bro:see:`Broker::subscribe_to_logs` function to advertise interest -in logs written by peers. The topic names that Bro uses are implicitly of the -form "bro/log/". +To toggle remote logs, redef :bro:see:`Log::enable_remote_logging`. +Use the :bro:see:`Broker::subscribe` function to advertise interest +in logs written by peers. The topic names that Bro uses are determined by +:bro:see:`Broker::log_topic`. .. btest-include:: ${DOC_ROOT}/frameworks/broker/logs-listener.bro -To send remote logs either redef :bro:see:`Log::enable_remote_logging` or -use the :bro:see:`Broker::enable_remote_logs` function. The former -allows any log stream to be sent to peers while the latter enables remote -logging for particular streams. - .. 
btest-include:: ${DOC_ROOT}/frameworks/broker/logs-connector.bro -Message Format --------------- +Note that logging events are only raised locally on the node that performs +the :bro:see:`Log::write` and not automatically published to peers. -For other applications that want to exchange log messages with Bro, -the Broker message format is: - -.. code:: c++ - - broker::message{broker::enum_value{}, broker::record{}}; - -The enum value corresponds to the stream's :bro:see:`Log::ID` value, and -the record corresponds to a single entry of that log's columns record, -in this case a ``Test::Info`` value. - -Tuning Access Control -===================== - -By default, endpoints do not restrict the message topics that it sends -to peers and do not restrict what message topics and data store -identifiers get advertised to peers. These are the default -:bro:see:`Broker::EndpointFlags` supplied to :bro:see:`Broker::enable`. - -If not using the ``auto_publish`` flag, one can use the -:bro:see:`Broker::publish_topic` and :bro:see:`Broker::unpublish_topic` -functions to manipulate the set of message topics (must match exactly) -that are allowed to be sent to peer endpoints. These settings take -precedence over the per-message ``peers`` flag supplied to functions -that take a :bro:see:`Broker::SendFlags` such as :bro:see:`Broker::send_print`, -:bro:see:`Broker::send_event`, :bro:see:`Broker::auto_event` or -:bro:see:`Broker::enable_remote_logs`. - -If not using the ``auto_advertise`` flag, one can use the -:bro:see:`Broker::advertise_topic` and -:bro:see:`Broker::unadvertise_topic` functions -to manipulate the set of topic prefixes that are allowed to be -advertised to peers. If an endpoint does not advertise a topic prefix, then -the only way peers can send messages to it is via the ``unsolicited`` -flag of :bro:see:`Broker::SendFlags` and choosing a topic with a matching -prefix (i.e. full topic may be longer than receivers prefix, just the -prefix needs to match). +.. 
_data_store_example: Distributed Data Stores -======================= +----------------------- -There are three flavors of key-value data store interfaces: master, -clone, and frontend. +See :doc:`/scripts/base/frameworks/broker/store.bro` for an overview +of the Broker data store API. -A frontend is the common interface to query and modify data stores. -That is, a clone is a specific type of frontend and a master is also a -specific type of frontend, but a standalone frontend can also exist to -e.g. query and modify the contents of a remote master store without -actually "owning" any of the contents itself. +There are two flavors of key-value data store interfaces: master and clone. A master data store can be cloned from remote peers which may then perform lightweight, local queries against the clone, which 
@@ -177,24 +363,217 @@ modify their content directly, instead they send modifications to the centralized master store which applies them and then broadcasts them to all clones. -Master and clone stores get to choose what type of storage backend to -use. E.g. In-memory versus SQLite for persistence. Note that if clones -are used, then data store sizes must be able to fit within memory -regardless of the storage backend as a single snapshot of the master -store is sent in a single chunk to initialize the clone. +Master stores get to choose what type of storage backend to +use. E.g. In-memory versus SQLite for persistence. -Data stores also support expiration on a per-key basis either using an -absolute point in time or a relative amount of time since the entry's -last modification time. +Data stores also support expiration on a per-key basis using an amount of +time relative to the entry's last modification time. .. btest-include:: ${DOC_ROOT}/frameworks/broker/stores-listener.bro .. btest-include:: ${DOC_ROOT}/frameworks/broker/stores-connector.bro -In the above example, if a local copy of the store contents isn't -needed, just replace the :bro:see:`Broker::create_clone` call with -:bro:see:`Broker::create_frontend`. Queries will then be made against -the remote master store instead of the local clone. - Note that all data store queries must be made within Bro's asynchronous ``when`` statements and must specify a timeout block. + +Cluster Framework Examples +========================== + +This section contains a few brief examples of how various communication +patterns one might use when developing Bro scripts that are to operate in +the context of a cluster. + +A Reminder About Events and Module Namespaces +--------------------------------------------- + +For simplicity, the following examples do not use any modules/namespaces. 
+If you choose to use them within your own code, it's important to +remember that the ``event`` and ``schedule`` dispatching statements +should always use the fully-qualified event name. + +For example, this will likely not work as expected: + +.. code:: bro + + module MyModule; + + export { + global my_event: event(); + } + + event my_event() + { + print "got my event"; + } + + event bro_init() + { + event my_event(); + schedule 10sec { my_event() }; + } + +This code runs without errors, however, the local ``my_event`` handler +will never be called and also not any remote handlers either, even if +:bro:see:`Broker::auto_publish` was used elsewhere for it. Instead, at +minimum you would need change the ``bro_init()`` handler: + +.. code:: bro + + event bro_init() + { + event MyModule::my_event(); + schedule 10sec { MyModule::my_event() }; + } + +Though, an easy rule of thumb to remember would be to always use the +explicit module namespace scoping and you can't go wrong: + +.. code:: bro + + module MyModule; + + export { + global MyModule::my_event: event(); + } + + event MyModule::my_event() + { + print "got my event"; + } + + event bro_init() + { + event MyModule::my_event(); + schedule 10sec { MyModule::my_event() }; + } + +Note that other identifiers in Bro do not have this inconsistency +related to module namespacing, it's just events that require +explicitness. + +Manager Sending Events To Workers +--------------------------------- + +This is fairly straightforward, we just need a topic name which we know +all workers are subscribed combined with the event we want to send them. + +.. 
code:: bro + + event manager_to_workers(s: string) + { + print "got event from manager", s; + } + + event some_event_handled_on_manager() + { + Broker::publish(Cluster::worker_topic, manager_to_workers, + "hello v0"); + + # If you know this event is only handled on the manager, you don't + # need any of the following conditions, they're just here as an + # example of how you can further discriminate based on node identity. + + # Can check based on the name of the node. + if ( Cluster::node == "manager" ) + Broker::publish(Cluster::worker_topic, manager_to_workers, + "hello v1"); + + # Can check based on the type of the node. + if ( Cluster::local_node_type() == Cluster::MANAGER ) + Broker::publish(Cluster::worker_topic, manager_to_workers, + "hello v2"); + + # The run-time overhead of the above conditions can even be + # eliminated by using the following conditional directives. + # It's evaluated once per node at parse-time and, if false, + # any code within is just ignored / treated as not existing at all. + @if ( Cluster::local_node_type() == Cluster::MANAGER ) + Broker::publish(Cluster::worker_topic, manager_to_workers, + "hello v3"); + @endif + } + +Worker Sending Events To Manager +-------------------------------- + +This should look almost identical to the previous case of sending an event +from the manager to workers, except it simply changes the topic name to +one which the manager is subscribed. + +.. code:: bro + + event worker_to_manager(worker_name: string) + { + print "got event from worker", worker_name; + } + + event some_event_handled_on_worker() + { + Broker::publish(Cluster::manager_topic, worker_to_manager, + Cluster::node); + } + +Worker Sending Events To All Workers +------------------------------------ + +Since workers are not directly connected to each other in the cluster +topology, this type of communication is a bit different than what we +did before. 
Instead of using :bro:see:`Broker::publish` we use different +"relay" calls to hop the message from a different node that *is* connected. + +.. code:: bro + + event worker_to_workers(worker_name: string) + { + print "got event from worker", worker_name; + } + + event some_event_handled_on_worker() + { + # We know the manager is connected to all workers, so we could + # choose to relay the event across it. Note that sending the event + # this way will not allow the manager to handle it, even if it + # does have an event handler. + Broker::relay(Cluster::manager_topic, Cluster::worker_topic, + worker_to_workers, Cluster::node + " (via manager)"); + + # We also know that any given proxy is connected to all workers, + # though now we have a choice of which proxy to use. If we + # want to distribute the work associated with relaying uniformly, + # we can use a round-robin strategy. The key used here is simply + # used by the cluster framework internally to keep track of + # which node is up next in the round-robin. + Cluster::relay_rr(Cluster::proxy_pool, "example_key", + Cluster::worker_topic, worker_to_workers, + Cluster::node + " (via a proxy)"); + } + +Worker Distributing Events Uniformly Across Proxies +--------------------------------------------------- + +If you want to offload some data/work from a worker to your proxies, +we can make use of a `Highest Random Weight (HRW) hashing +`_ distribution strategy +to uniformly map an arbitrary key space across all available proxies. + +.. code:: bro + + event worker_to_proxies(worker_name: string) + { + print "got event from worker", worker_name; + } + + global my_counter = 0; + + event some_event_handled_on_worker() + { + # The key here is used to choose which proxy shall receive + # the event. Different keys may map to different nodes, but + # any given key always maps to the same node provided the + # pool of nodes remains consistent. 
If a proxy goes offline, + # that key maps to a different node until the original comes + # back up. + Cluster::publish_hrw(Cluster::proxy_pool, + cat("example_key", ++my_counter), + worker_to_proxies, Cluster::node); + } diff --git a/doc/frameworks/broker/cluster-layout.png b/doc/frameworks/broker/cluster-layout.png new file mode 100644 index 0000000000..3813bfbfda Binary files /dev/null and b/doc/frameworks/broker/cluster-layout.png differ diff --git a/doc/frameworks/broker/cluster-layout.xml b/doc/frameworks/broker/cluster-layout.xml new file mode 100644 index 0000000000..4269c6723f --- /dev/null +++ b/doc/frameworks/broker/cluster-layout.xml @@ -0,0 +1,2 @@ + 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 \ No newline at end of file diff --git a/doc/frameworks/broker/connecting-connector.bro b/doc/frameworks/broker/connecting-connector.bro index adf901ea6a..4b7a588fcb 100644 --- a/doc/frameworks/broker/connecting-connector.bro +++ b/doc/frameworks/broker/connecting-connector.bro @@ -1,18 +1,12 @@ -const broker_port: port = 9999/tcp &redef; redef exit_only_after_terminate = T; -redef Broker::endpoint_name = "connector"; event bro_init() { - Broker::enable(); - Broker::connect("127.0.0.1", broker_port, 1sec); + Broker::peer("127.0.0.1"); } -event Broker::outgoing_connection_established(peer_address: string, - peer_port: port, - peer_name: string) +event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) { - print "Broker::outgoing_connection_established", - peer_address, peer_port, peer_name; + print "peer added", endpoint; terminate(); } diff --git a/doc/frameworks/broker/connecting-listener.bro b/doc/frameworks/broker/connecting-listener.bro index aa2b945dbe..2392d009fb 100644 --- a/doc/frameworks/broker/connecting-listener.bro +++ b/doc/frameworks/broker/connecting-listener.bro 
@@ -1,20 +1,17 @@ -const broker_port: port = 9999/tcp &redef; redef exit_only_after_terminate = T; -redef Broker::endpoint_name = "listener"; event bro_init() { - Broker::enable(); - Broker::listen(broker_port, "127.0.0.1"); + Broker::listen("127.0.0.1"); } -event Broker::incoming_connection_established(peer_name: string) +event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) { - print "Broker::incoming_connection_established", peer_name; + print "peer added", endpoint; } -event Broker::incoming_connection_broken(peer_name: string) +event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) { - print "Broker::incoming_connection_broken", peer_name; + print "peer lost", endpoint; terminate(); } diff --git a/doc/frameworks/broker/events-connector.bro b/doc/frameworks/broker/events-connector.bro index 437e197925..c9ea0c7f31 100644 --- a/doc/frameworks/broker/events-connector.bro +++ b/doc/frameworks/broker/events-connector.bro 
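Review bot: `Broker::listen("127.0.0.1")` in connecting-listener.bro no longer shows which port is opened, and nothing in the example says why the address is loopback. Readers copy these listings into deployments, so I would add a comment above the call such as `# Loopback only, on Broker's default port; widen the address only where every reachable host is allowed to peer.` As written, the `peer_added` handler only prints the endpoint and does not check it. This commit also removes the "Tuning Access Control" section from broker.rst, so the example is a natural place to note the exposure. The same implicit port applies to `Broker::peer("127.0.0.1")` in connecting-connector.bro.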
@@ -1,31 +1,35 @@ -const broker_port: port = 9999/tcp &redef; redef exit_only_after_terminate = T; -redef Broker::endpoint_name = "connector"; global my_event: event(msg: string, c: count); global my_auto_event: event(msg: string, c: count); event bro_init() { - Broker::enable(); - Broker::connect("127.0.0.1", broker_port, 1sec); - Broker::auto_event("bro/event/my_auto_event", my_auto_event); + Broker::peer("127.0.0.1"); + Broker::auto_publish("bro/event/my_auto_event", my_auto_event); } -event Broker::outgoing_connection_established(peer_address: string, - peer_port: port, - peer_name: string) +event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) { - print "Broker::outgoing_connection_established", - peer_address, peer_port, peer_name; - Broker::send_event("bro/event/my_event", Broker::event_args(my_event, "hi", 0)); + print "peer added", endpoint; + Broker::publish("bro/event/my_event", my_event, "hi", 0); event my_auto_event("stuff", 88); - Broker::send_event("bro/event/my_event", Broker::event_args(my_event, "...", 1)); + Broker::publish("bro/event/my_event", my_event, "...", 1); event my_auto_event("more stuff", 51); - Broker::send_event("bro/event/my_event", Broker::event_args(my_event, "bye", 2)); + local e = Broker::make_event(my_event, "bye", 2); + Broker::publish("bro/event/my_event", e); } -event Broker::outgoing_connection_broken(peer_address: string, - peer_port: port) +event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) { terminate(); } + +event my_event(msg: string, c: count) + { + print "got my_event", msg, c; + } + +event my_auto_event(msg: string, c: count) + { + print "got my_auto_event", msg, c; + } diff --git a/doc/frameworks/broker/events-listener.bro b/doc/frameworks/broker/events-listener.bro index b803e646ec..9c6a3217d0 100644 --- a/doc/frameworks/broker/events-listener.bro +++ b/doc/frameworks/broker/events-listener.bro 
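Review bot: The topics `"bro/event/my_event"` and `"bro/event/my_auto_event"` in events-connector.bro sit under the `bro/` prefix that the broker.rst text added by this same commit asks script authors to avoid for their own topics. An example that users copy should follow that advice, e.g. `Broker::publish("example/event/my_event", my_event, "hi", 0);` (constructed topic name). The matching changes would be `Broker::subscribe("bro/event/")` in events-listener.bro and `"bro/logs/forward/test"` in logs-connector.bro. The new local `my_event` handler would also benefit from `# Not run locally: Broker::publish() does not invoke local handlers.`, since the doc text states this and the handler otherwise reads as dead code.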
@@ -1,20 +1,17 @@ -const broker_port: port = 9999/tcp &redef; redef exit_only_after_terminate = T; -redef Broker::endpoint_name = "listener"; global msg_count = 0; global my_event: event(msg: string, c: count); global my_auto_event: event(msg: string, c: count); event bro_init() { - Broker::enable(); - Broker::subscribe_to_events("bro/event/"); - Broker::listen(broker_port, "127.0.0.1"); + Broker::subscribe("bro/event/"); + Broker::listen("127.0.0.1"); } -event Broker::incoming_connection_established(peer_name: string) +event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) { - print "Broker::incoming_connection_established", peer_name; + print "peer added", endpoint; } event my_event(msg: string, c: count) diff --git a/doc/frameworks/broker/logs-connector.bro b/doc/frameworks/broker/logs-connector.bro index 9c5df335b9..50afb130b2 100644 --- a/doc/frameworks/broker/logs-connector.bro +++ b/doc/frameworks/broker/logs-connector.bro @@ -1,17 +1,11 @@ @load ./testlog -const broker_port: port = 9999/tcp &redef; redef exit_only_after_terminate = T; -redef Broker::endpoint_name = "connector"; -redef Log::enable_local_logging = F; -redef Log::enable_remote_logging = F; global n = 0; event bro_init() { - Broker::enable(); - Broker::enable_remote_logs(Test::LOG); - Broker::connect("127.0.0.1", broker_port, 1sec); + Broker::peer("127.0.0.1"); } event do_write() 
@@ -24,17 +18,19 @@ event do_write() event do_write(); } -event Broker::outgoing_connection_established(peer_address: string, - peer_port: port, - peer_name: string) +event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) { - print "Broker::outgoing_connection_established", - peer_address, peer_port, peer_name; + print "peer added", endpoint; event do_write(); } -event Broker::outgoing_connection_broken(peer_address: string, - peer_port: port) +event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) { terminate(); } + +event Test::log_test(rec: Test::Info) + { + print "wrote log", rec; + Broker::publish("bro/logs/forward/test", Test::log_test, rec); + } diff --git a/doc/frameworks/broker/logs-listener.bro b/doc/frameworks/broker/logs-listener.bro index 34d475512a..7bfeacfe58 100644 --- a/doc/frameworks/broker/logs-listener.bro +++ b/doc/frameworks/broker/logs-listener.bro @@ -1,24 +1,21 @@ @load ./testlog -const broker_port: port = 9999/tcp &redef; redef exit_only_after_terminate = T; -redef Broker::endpoint_name = "listener"; event bro_init() { - Broker::enable(); - Broker::subscribe_to_logs("bro/log/Test::LOG"); - Broker::listen(broker_port, "127.0.0.1"); + Broker::subscribe("bro/logs"); + Broker::listen("127.0.0.1"); } -event Broker::incoming_connection_established(peer_name: string) +event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) { - print "Broker::incoming_connection_established", peer_name; + print "peer added", endpoint; } event Test::log_test(rec: Test::Info) { - print "wrote log", rec; + print "got log event", rec; if ( rec$num == 5 ) terminate(); diff --git a/doc/frameworks/broker/printing-connector.bro b/doc/frameworks/broker/printing-connector.bro deleted file mode 100644 index 42d961669a..0000000000 --- a/doc/frameworks/broker/printing-connector.bro +++ /dev/null 
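Review bot: In logs-listener.bro, `Broker::subscribe("bro/logs");` takes a much wider prefix than the single topic the connector publishes on in this commit (`"bro/logs/forward/test"` in logs-connector.bro). The `Test::log_test` handler acts directly on the peer-supplied record, printing it and calling `terminate()` when `rec$num == 5`. If only the forwarded event is wanted, subscribing to the exact topic, `Broker::subscribe("bro/logs/forward/test");`, keeps the set of messages a peer can deliver to this node as small as the example needs. If the wide prefix is deliberate (presumably so that log writes sent by the peer are received as well), a comment above the call such as `# Broad prefix on purpose: also receives remote log writes, not just the forwarded event.` would stop readers copying it as the default.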
@@ -1,26 +0,0 @@ -const broker_port: port = 9999/tcp &redef; -redef exit_only_after_terminate = T; -redef Broker::endpoint_name = "connector"; - -event bro_init() - { - Broker::enable(); - Broker::connect("127.0.0.1", broker_port, 1sec); - } - -event Broker::outgoing_connection_established(peer_address: string, - peer_port: port, - peer_name: string) - { - print "Broker::outgoing_connection_established", - peer_address, peer_port, peer_name; - Broker::send_print("bro/print/hi", "hello"); - Broker::send_print("bro/print/stuff", "..."); - Broker::send_print("bro/print/bye", "goodbye"); - } - -event Broker::outgoing_connection_broken(peer_address: string, - peer_port: port) - { - terminate(); - } diff --git a/doc/frameworks/broker/printing-listener.bro b/doc/frameworks/broker/printing-listener.bro deleted file mode 100644 index 4630a7e6d7..0000000000 --- a/doc/frameworks/broker/printing-listener.bro +++ /dev/null @@ -1,25 +0,0 @@ -const broker_port: port = 9999/tcp &redef; -redef exit_only_after_terminate = T; -redef Broker::endpoint_name = "listener"; -global msg_count = 0; - -event bro_init() - { - Broker::enable(); - Broker::subscribe_to_prints("bro/print/"); - Broker::listen(broker_port, "127.0.0.1"); - } - -event Broker::incoming_connection_established(peer_name: string) - { - print "Broker::incoming_connection_established", peer_name; - } - -event Broker::print_handler(msg: string) - { - ++msg_count; - print "got print message", msg; - - if ( msg_count == 3 ) - terminate(); - } diff --git a/doc/frameworks/broker/stores-connector.bro b/doc/frameworks/broker/stores-connector.bro index d50807cc89..2ea199e222 100644 --- a/doc/frameworks/broker/stores-connector.bro +++ b/doc/frameworks/broker/stores-connector.bro 
@@ -1,53 +1,29 @@ -const broker_port: port = 9999/tcp &redef; redef exit_only_after_terminate = T; -global h: opaque of Broker::Handle; - -function dv(d: Broker::Data): Broker::DataVector - { - local rval: Broker::DataVector; - rval[0] = d; - return rval; - } +global h: opaque of Broker::Store; global ready: event(); -event Broker::outgoing_connection_broken(peer_address: string, - peer_port: port) +event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) { terminate(); } -event Broker::outgoing_connection_established(peer_address: string, - peer_port: port, - peer_name: string) - { - local myset: set[string] = {"a", "b", "c"}; - local myvec: vector of string = {"alpha", "beta", "gamma"}; - h = Broker::create_master("mystore"); - Broker::insert(h, Broker::data("one"), Broker::data(110)); - Broker::insert(h, Broker::data("two"), Broker::data(223)); - Broker::insert(h, Broker::data("myset"), Broker::data(myset)); - Broker::insert(h, Broker::data("myvec"), Broker::data(myvec)); - Broker::increment(h, Broker::data("one")); - Broker::decrement(h, Broker::data("two")); - Broker::add_to_set(h, Broker::data("myset"), Broker::data("d")); - Broker::remove_from_set(h, Broker::data("myset"), Broker::data("b")); - Broker::push_left(h, Broker::data("myvec"), dv(Broker::data("delta"))); - Broker::push_right(h, Broker::data("myvec"), dv(Broker::data("omega"))); - - when ( local res = Broker::size(h) ) - { - print "master size", res; - event ready(); - } - timeout 10sec - { print "timeout"; } - } - event bro_init() { - Broker::enable(); - Broker::connect("127.0.0.1", broker_port, 1secs); - Broker::auto_event("bro/event/ready", ready); + h = Broker::create_master("mystore"); + + local myset: set[string] = {"a", "b", "c"}; + local myvec: vector of string = {"alpha", "beta", "gamma"}; + Broker::put(h, "one", 110); + Broker::put(h, "two", 223); + Broker::put(h, "myset", myset); + Broker::put(h, "myvec", myvec); + Broker::increment(h, "one"); + Broker::decrement(h, "two"); + 
Broker::insert_into_set(h, "myset", "d"); + Broker::remove_from(h, "myset", "b"); + Broker::push(h, "myvec", "delta"); + + Broker::peer("127.0.0.1"); } diff --git a/doc/frameworks/broker/stores-listener.bro b/doc/frameworks/broker/stores-listener.bro index 3dac30deca..49285a0e45 100644 --- a/doc/frameworks/broker/stores-listener.bro +++ b/doc/frameworks/broker/stores-listener.bro 
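Review bot: `global ready: event();` near the top of stores-connector.bro appears to survive this hunk as a context line, but nothing on the new side uses it. The hunk removes both the `Broker::auto_event("bro/event/ready", ready)` call and the `event ready();` in the old `when` block. I would drop the declaration so the example does not hint at a readiness handshake that no longer exists. If placing `Broker::peer("127.0.0.1");` after the store writes is deliberate, a short comment above it such as `# Fill the master store first, then peer.` would make the ordering explicit.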
@@ -1,43 +1,79 @@ -const broker_port: port = 9999/tcp &redef; redef exit_only_after_terminate = T; -global h: opaque of Broker::Handle; +global h: opaque of Broker::Store; global expected_key_count = 4; global key_count = 0; +# Lookup a value in the store based on an arbitrary key string. function do_lookup(key: string) { - when ( local res = Broker::lookup(h, Broker::data(key)) ) + when ( local res = Broker::get(h, key) ) { ++key_count; print "lookup", key, res; - if ( key_count == expected_key_count ) + # End after we iterated over looking up each key in the store twice. + if ( key_count == expected_key_count * 2 ) terminate(); } - timeout 10sec + # All data store queries must specify a timeout + timeout 3sec { print "timeout", key; } } -event ready() +event check_keys() { - h = Broker::create_clone("mystore"); - + # Here we just query for the list of keys in the store, and show how to + # look up each one's value. when ( local res = Broker::keys(h) ) { print "clone keys", res; - do_lookup(Broker::refine_to_string(Broker::vector_lookup(res$result, 0))); - do_lookup(Broker::refine_to_string(Broker::vector_lookup(res$result, 1))); - do_lookup(Broker::refine_to_string(Broker::vector_lookup(res$result, 2))); - do_lookup(Broker::refine_to_string(Broker::vector_lookup(res$result, 3))); + + if ( res?$result ) + { + # Since we know that the keys we are storing are all strings, + # we can conveniently cast the result of Broker::keys to + # a native Bro type, namely 'set[string]'. + for ( k in res$result as string_set ) + do_lookup(k); + + # Alternatively, we can use a generic iterator to iterate + # over the results (which we know is of the 'set' type because + # that's what Broker::keys() always returns). If the keys + # we stored were not all of the same type, then you would + # likely want to use this method of inspecting the store's keys. + local i = Broker::set_iterator(res$result); + + while ( ! 
Broker::set_iterator_last(i) ) + { + do_lookup(Broker::set_iterator_value(i) as string); + Broker::set_iterator_next(i); + } + } } - timeout 10sec - { print "timeout"; } + # All data store queries must specify a timeout. + # You also might see timeouts on connecting/initializing a clone since + # it hasn't had time to get fully set up yet. + timeout 1sec + { + print "timeout"; + schedule 1sec { check_keys() }; + } + } + +event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) + { + print "peer added"; + # We could create a clone early, like in bro_init and it will periodically + # try to synchronize with its master once it connects, however, we just + # create it now since we know the peer w/ the master store has just + # connected. + h = Broker::create_clone("mystore"); + + event check_keys(); } event bro_init() { - Broker::enable(); - Broker::subscribe_to_events("bro/event/ready"); - Broker::listen(broker_port, "127.0.0.1"); + Broker::listen("127.0.0.1"); } diff --git a/doc/frameworks/broker/testlog.bro b/doc/frameworks/broker/testlog.bro index 0099671e6d..8d31b6ef1e 100644 --- a/doc/frameworks/broker/testlog.bro +++ b/doc/frameworks/broker/testlog.bro @@ -13,6 +13,5 @@ export { event bro_init() &priority=5 { - Broker::enable(); Log::create_stream(Test::LOG, [$columns=Test::Info, $ev=log_test, $path="test"]); } diff --git a/doc/frameworks/configuration.rst b/doc/frameworks/configuration.rst new file mode 100644 index 0000000000..efb5182301 --- /dev/null +++ b/doc/frameworks/configuration.rst 
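Review bot: In stores-listener.bro, do_lookup() prints `res` and increments `key_count` without checking that the query produced a value, whereas check_keys() in the same file guards with `if ( res?$result )`. The two should agree; for example, wrap the print in `if ( res?$result )` and report the failure otherwise (presumably both calls return the same query-result record). Termination also depends on `key_count` reaching `expected_key_count * 2`. A single lookup that lands in the `timeout 3sec` branch, or a store whose key count differs from the hard-coded 4, therefore leaves the listener running under `exit_only_after_terminate = T`. check_keys() likewise reschedules itself every second with no retry limit, so bound the run by counting timed-out lookups toward completion or adding a `Broker::peer_lost` handler that calls `terminate()`, as stores-connector.bro does.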
@@ -0,0 +1,150 @@ + +.. _framework-configuration: + +======================= +Configuration Framework +======================= + +.. rst-class:: opening + +Bro includes a "configuration framework" that allows +updating script options dynamically at runtime. This functionality +consists of several components: an "option" declaration, the +ability to specify input files to enable changing the value of options at +runtime, a couple of built-in functions, and a log file "config.log" +which contains information about every change to option values. + + +.. contents:: + + +Introduction +------------ + +The configuration framework provides an alternative to using Bro +script constants to store various Bro settings. + +In general, traditional constants can be used when a value is not +expected to change at runtime, but they cannot be used for values that +need to be modified occasionally. While a "redef" allows a +re-definition of an already defined constant in Bro, these +redefinitions can only be performed when Bro first starts. Afterwards, +constants can no longer be modified. + +However, it is clearly desirable to be able to change at runtime many +of the configuration options that Bro offers. Having to restart Bro +can be time-consuming and causes Bro to lose all connection state and +knowledge that it accumulated. Bro's configuration framework solves +this problem by allowing changing configuration options at runtime. + +Declaring options +----------------- + +The "option" keyword allows variables to be declared as configuration options. + +.. code:: bro + + module TestModule; + + export { + option my_networks: set[subnet] = {}; + option enable_feature = F; + option hostname = "testsystem"; + } + +The rules regarding options can be thought of as being in between global +variables and constants. Like global variables, options cannot be declared +inside a function, hook, or event handler. Like constants, options must be +initialized when declared. 
The value of an option can change at runtime, +but options cannot be assigned a new value using normal assignments. + + +Changing options +---------------- + +The configuration framework facilitates reading in new option values +from external files at runtime. + +Configuration files contain a mapping between option names and their values. +The format for these files looks like this: + + [option name][tab/spaces][new value] + +Configuration files can be specified by adding them to Config::config_files. +For example, simply add something like this to local.bro: + +.. code:: bro + + redef Config::config_files += { "/path/to/config.dat" }; + +The specified configuration file will then be monitored continuously for changes, +so that writing ``TestModule::enable_feature T`` into that file will +automatically update the option's value accordingly. Here is an example +configuration file:: + + TestModule::my_networks 10.0.12.0/24,192.168.17.0/24 + TestModule::enable_feature T + TestModule::hostname host-1 + +Internally, the configuration framework uses the Bro input framework +with a type of input reader specifically for reading config files. Users +familiar with the Bro input framework might be aware that the input framework +is usually very strict about the syntax of input files. This is not true +for configuration files: the files need no header lines and either +tabs or spaces are accepted as separators. + +If you inspect the configuration framework scripts, you will notice that the +scripts simply catch events from the input framework and then a built-in +function :bro:see:`Option::set` is called to set an option to the new value. +If you want to change an option yourself during runtime, you can +call Option::set directly from a script. + +The log file "config.log" contains information about each configuration +change that occurs during runtime. 
+ + +Change handlers +--------------- + +A change handler is a user-defined function that is called automatically +each time an option value changes. This example shows how to register a +change handler for an option that has a data type of "addr" (for other +data types, the return type and 2nd parameter data type must be adjusted +accordingly): + +.. code:: bro + + option testaddr = 127.0.0.1; + + # Note: the data type of 2nd parameter and return type must match + function change_addr(ID: string, new_value: addr): addr + { + print fmt("Value of %s changed from %s to %s", ID, testaddr, new_value); + return new_value; + } + + event bro_init() + { + Option::set_change_handler("testaddr", change_addr); + } + +Each time the specified option value is changed, the change handler +function will be called before the change is performed. The value returned +by the change handler is the value finally assigned to the option. This +allows, for example, checking of values to reject invalid input (the original +value can be returned to reject the change). + +A change handler can optionally have a third argument, which is the location +string (this is normally the pathname of the configuration file that triggered +the change). + +It is also possible to chain together multiple change handlers. In this +case, the value returned by the first change handler is the "new value" seen +by the next change handler, and so on. The built-in function +:bro:see:`Option::set_change_handler` takes an optional third argument +that can specify a priority for the handlers. + +Note that change handlers are also used internally by the +configuration framework. If you look at the script level source code of +the config framework, you can see that change handlers are used for +logging the option changes to config.log. diff --git a/doc/frameworks/geoip.rst b/doc/frameworks/geoip.rst index d756f97589..cd41c6f54c 100644 --- a/doc/frameworks/geoip.rst +++ b/doc/frameworks/geoip.rst 
@@ -8,11 +8,13 @@ GeoLocation .. rst-class:: opening During the process of creating policy scripts the need may arise - to find the geographic location for an IP address. Bro has support + to find the geographic location for an IP address. Bro had support for the `GeoIP library `__ at the - policy script level beginning with release 1.3 to account for this - need. To use this functionality, you need to first install the libGeoIP - software, and then install the GeoLite city database before building + policy script level from release 1.3 to 2.5.X to account for this + need. Starting with release 2.6 GeoIP support requires `libmaxminddb + `__. + To use this functionality, you need to first install the libmaxminddb + software, and then install the GeoLite2 city database before building Bro. .. contents:: 
@@ -20,85 +22,91 @@ GeoLocation Install libGeoIP ---------------- -Before building Bro, you need to install libGeoIP. +Before building Bro, you need to install libmaxminddb. * FreeBSD: .. console:: - sudo pkg install GeoIP + sudo pkg install libmaxminddb * RPM/RedHat-based Linux: .. console:: - sudo yum install GeoIP-devel + sudo yum install libmaxminddb-devel * DEB/Debian-based Linux: .. console:: - sudo apt-get install libgeoip-dev + sudo apt-get install libmaxminddb-dev * Mac OS X: You need to install from your preferred package management system (e.g. MacPorts, Fink, or Homebrew). The name of the package that you need - may be libgeoip, geoip, or geoip-dev, depending on which package management - system you are using. + may be libmaxminddb, maxminddb, or libmaxminddb-dev, depending on which + package management system you are using. -GeoIPLite Database Installation -------------------------------- +GeoLite2-City Database Installation +----------------------------------- -A country database for GeoIPLite is included when you do the C API -install, but for Bro, we are using the city database which includes -cities and regions in addition to countries. +Bro can use the city or country database. The city database includes cities +and regions in addition to countries. -`Download `__ the GeoLite city -binary database: +`Download `__ +the GeoLite2 city binary database: .. console:: - wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz - gunzip GeoLiteCity.dat.gz + wget http://geolite.maxmind.com/download/geoip/database/GeoLite2-City.tar.gz + tar zxf GeoLite2-City.tar.gz -Next, the file needs to be renamed and put in the GeoIP database directory. -This directory should already exist and will vary depending on which platform -and package you are using. For FreeBSD, use ``/usr/local/share/GeoIP``. For -Linux, use ``/usr/share/GeoIP`` or ``/var/lib/GeoIP`` (choose whichever one -already exists). 
+Next, the file "GeoLite2-City_YYYYMMDD/GeoLite2-City.mmdb" needs to be renamed +and put in the GeoIP database directory. This directory should already exist +and will vary depending on which platform and package you are using. For +FreeBSD, use ``/usr/local/share/GeoIP``. For Linux, use ``/usr/share/GeoIP`` +or ``/var/lib/GeoIP`` (choose whichever one already exists). .. console:: - mv GeoLiteCity.dat /GeoIPCity.dat - -Note that there is a separate database for IPv6 addresses, which can also -be installed if you want GeoIP functionality for IPv6. + mv /GeoLite2-City.mmdb /GeoLite2-City.mmdb Testing ------- Before using the GeoIP functionality, it is a good idea to verify that -everything is setup correctly. After installing libGeoIP and the GeoIP city -database, and building Bro, you can quickly check if the GeoIP functionality -works by running a command like this: +everything is setup correctly. After installing libmaxminddb and the GeoIP +city database, and building Bro, you can quickly check if the GeoIP +functionality works by running a command like this: .. console:: bro -e "print lookup_location(8.8.8.8);" -If you see an error message similar to "Failed to open GeoIP City database", -then you may need to either rename or move your GeoIP city database file (the -error message should give you the full pathname of the database file that -Bro is looking for). +If you see an error message similar to "Failed to open GeoIP location +database", then you may need to either rename or move your GeoIP +location database file. 
Bro looks for location database files in the +following order by default: + + /usr/share/GeoIP/GeoLite2-City.mmdb + /var/lib/GeoIP/GeoLite2-City.mmdb + /usr/local/share/GeoIP/GeoLite2-City.mmdb + /usr/local/var/GeoIP/GeoLite2-City.mmdb + /usr/share/GeoIP/GeoLite2-Country.mmdb + /var/lib/GeoIP/GeoLite2-Country.mmdb + /usr/local/share/GeoIP/GeoLite2-Country.mmdb + /usr/local/var/GeoIP/GeoLite2-Country.mmdb If you see an error message similar to "Bro was not configured for GeoIP -support", then you need to rebuild Bro and make sure it is linked against -libGeoIP. Normally, if libGeoIP is installed correctly then it should -automatically be found when building Bro. If this doesn't happen, then -you may need to specify the path to the libGeoIP installation -(e.g. ``./configure --with-geoip=``). +support", then you either need to rebuild Bro and make sure it is linked +against libmaxminddb or else set the :bro:see:`mmdb_dir` value +correctly. Normally, if libmaxminddb is installed correctly then it +should automatically be found when building Bro. If this doesn't +happen, then you may need to specify the path to the libmaxminddb +installation (e.g. ``./configure --with-geoip=``). Usage ----- diff --git a/doc/frameworks/index.rst b/doc/frameworks/index.rst index 4f87df3b53..ab46939c38 100644 --- a/doc/frameworks/index.rst +++ b/doc/frameworks/index.rst @@ -6,6 +6,7 @@ Frameworks .. toctree:: :maxdepth: 1 + configuration file-analysis geoip input diff --git a/doc/frameworks/logging.rst b/doc/frameworks/logging.rst index a5128da202..bcd84dde2b 100644 --- a/doc/frameworks/logging.rst +++ b/doc/frameworks/logging.rst @@ -532,10 +532,5 @@ Bro supports the following additional built-in output formats: logging-input-sqlite -Additional writers are available as external plugins: - -.. toctree:: - :maxdepth: 1 - - ../components/bro-plugins/README - +Additional writers are available as external plugins through the `Bro +Package Manager `_. 
diff --git a/doc/install/CHANGES-broccoli-python.txt b/doc/install/CHANGES-broccoli-python.txt deleted file mode 120000 index fd01ad3cd4..0000000000 --- a/doc/install/CHANGES-broccoli-python.txt +++ /dev/null @@ -1 +0,0 @@ -../../aux/broccoli/bindings/broccoli-python/CHANGES \ No newline at end of file diff --git a/doc/install/CHANGES-broccoli-ruby.txt b/doc/install/CHANGES-broccoli-ruby.txt deleted file mode 120000 index e04b33936c..0000000000 --- a/doc/install/CHANGES-broccoli-ruby.txt +++ /dev/null @@ -1 +0,0 @@ -../../aux/broccoli/bindings/broccoli-ruby/CHANGES \ No newline at end of file diff --git a/doc/install/CHANGES-broccoli.txt b/doc/install/CHANGES-broccoli.txt deleted file mode 120000 index 22aeb7e410..0000000000 --- a/doc/install/CHANGES-broccoli.txt +++ /dev/null @@ -1 +0,0 @@ -../../aux/broccoli/CHANGES \ No newline at end of file diff --git a/doc/install/CHANGES-broker.txt b/doc/install/CHANGES-broker.txt new file mode 120000 index 0000000000..e8a52d6797 --- /dev/null +++ b/doc/install/CHANGES-broker.txt @@ -0,0 +1 @@ +../../aux/broker/CHANGES \ No newline at end of file diff --git a/doc/install/changes.rst b/doc/install/changes.rst index 32cd6ad33e..ad26cfde1a 100644 --- a/doc/install/changes.rst +++ b/doc/install/changes.rst @@ -17,23 +17,11 @@ BroControl .. literalinclude:: CHANGES-broctl.txt --------- -Broccoli --------- +------ +Broker +------ -.. literalinclude:: CHANGES-broccoli.txt - ---------------- -Broccoli Python ---------------- - -.. literalinclude:: CHANGES-broccoli-python.txt - -------------- -Broccoli Ruby -------------- - -.. literalinclude:: CHANGES-broccoli-ruby.txt +.. literalinclude:: CHANGES-broker.txt -------- Capstats diff --git a/doc/install/cross-compiling.rst b/doc/install/cross-compiling.rst new file mode 100644 index 0000000000..d47bd83fc0 --- /dev/null +++ b/doc/install/cross-compiling.rst 
@@ -0,0 +1,85 @@ +.. _crosstool-NG: https://crosstool-ng.github.io/ +.. _CMake toolchain: https://cmake.org/cmake/help/latest/manual/cmake-toolchains.7.html + +=================== +Cross Compiling Bro +=================== + +.. contents:: + +Prerequisites +============= + +You need three things on the host system: + +1. The Bro source tree. +2. A cross-compilation toolchain, such as one built via crosstool-NG_. +3. Pre-built Bro dependencies from the target system. This usually + includes libpcap, zlib, OpenSSL, and Python development headers + and libraries. + +Configuration and Compiling +=========================== + +You first need to compile a few build tools native to the host system +for use during the later cross-compile build. In the root of your +Bro source tree: + +.. console:: + + ./configure --builddir=../bro-buildtools + ( cd ../bro-buildtools && make binpac bifcl ) + +Next configure Bro to use your cross-compilation toolchain: + +.. console:: + + ./configure --toolchain=/home/jon/x-tools/RaspberryPi-toolchain.cmake --with-binpac=$(pwd)/../bro-buildtools/aux/binpac/src/binpac --with-bifcl=$(pwd)/../bro-buildtools/src/bifcl + +Here, the toolchain file a `CMake toolchain`_ file. It might look +something the following (using a Raspberry Pi as target system):: + + # Operating System on which CMake is targeting. + set(CMAKE_SYSTEM_NAME Linux) + + # The CMAKE_STAGING_PREFIX option may not work. + # Given that Bro is configured: + # + # `./configure --prefix=` + # + # The options are: + # + # (1) `make install` and then copy over the --prefix dir from host to + # target system. + # + # (2) `DESTDIR= make install` and then copy over the + # contents of that staging directory. + + set(toolchain /home/jon/x-tools/arm-rpi-linux-gnueabihf) + set(CMAKE_C_COMPILER ${toolchain}/bin/arm-rpi-linux-gnueabihf-gcc) + set(CMAKE_CXX_COMPILER ${toolchain}/bin/arm-rpi-linux-gnueabihf-g++) + + # The cross-compiler/linker will use these paths to locate dependencies. 
+ set(CMAKE_FIND_ROOT_PATH + /home/jon/x-tools/bro-rpi-deps + ${toolchain}/arm-rpi-linux-gnueabihf/sysroot + ) + + set(CMAKE_FIND_ROOT_PATH_MODE_PROGRAM NEVER) + set(CMAKE_FIND_ROOT_PATH_MODE_LIBRARY ONLY) + set(CMAKE_FIND_ROOT_PATH_MODE_INCLUDE ONLY) + +If that configuration succeeds you are ready to build: + +.. console:: + + make + +And if that works, install on your host system: + +.. console:: + + make install + +From there, you can copy/move the files from the installation prefix +on the host system to the target system and start running Bro as usual. diff --git a/doc/install/index.rst b/doc/install/index.rst index 71d2534921..2689b9adea 100644 --- a/doc/install/index.rst +++ b/doc/install/index.rst @@ -10,3 +10,4 @@ Installation install upgrade + cross-compiling diff --git a/doc/install/install.rst b/doc/install/install.rst index 35a38da27b..cc8d81b14f 100644 --- a/doc/install/install.rst +++ b/doc/install/install.rst @@ -35,16 +35,16 @@ before you begin: To build Bro from source, the following additional dependencies are required: - * CMake 2.8 or greater (http://www.cmake.org) + * CMake 2.8.12 or greater (http://www.cmake.org) * Make * C/C++ compiler with C++11 support (GCC 4.8+ or Clang 3.3+) * SWIG (http://www.swig.org) - * Bison (GNU Parser Generator) - * Flex (Fast Lexical Analyzer) + * Bison 2.5 or greater (https://www.gnu.org/software/bison/) + * Flex (lexical analyzer generator) (https://github.com/westes/flex) * Libpcap headers (http://www.tcpdump.org) * OpenSSL headers (http://www.openssl.org) - * zlib headers - * Python + * zlib headers (https://zlib.net/) + * Python (https://www.python.org/) To install the required dependencies, you can use: 
@@ -67,7 +67,7 @@ To install the required dependencies, you can use: .. console:: - sudo pkg install bash cmake swig bison python py27-sqlite3 + sudo pkg install bash cmake swig30 bison python py27-sqlite3 py27-ipaddress For older versions of FreeBSD (especially FreeBSD 9.x), the system compiler is not new enough to compile Bro. For these systems, you will have to install @@ -95,14 +95,17 @@ To install the required dependencies, you can use: clicking "Install"). OS X comes with all required dependencies except for CMake_, SWIG_, - and OpenSSL (OpenSSL headers were removed in OS X 10.11, therefore OpenSSL - must be installed manually for OS X versions 10.11 or newer). - Distributions of these dependencies can - likely be obtained from your preferred Mac OS X package management - system (e.g. Homebrew_, MacPorts_, or Fink_). Specifically for - Homebrew, the ``cmake``, ``swig``, and ``openssl`` packages - provide the required dependencies. For MacPorts, the ``cmake``, ``swig``, - ``swig-python``, and ``openssl`` packages provide the required dependencies. + Bison, and OpenSSL (OpenSSL headers were removed in OS X 10.11, + therefore OpenSSL must be installed manually for OS X versions 10.11 + or newer). + + Distributions of these dependencies can likely be obtained from your + preferred Mac OS X package management system (e.g. Homebrew_, + MacPorts_, or Fink_). Specifically for Homebrew, the ``cmake``, + ``swig``, ``openssl``, and ``bison`` packages + provide the required dependencies. For MacPorts, the ``cmake``, + ``swig``, ``swig-python``, ``openssl``, and ``bison`` packages provide + the required dependencies. Optional Dependencies 
@@ -111,7 +114,6 @@ Optional Dependencies Bro can make use of some optional libraries and tools if they are found at build time: - * C++ Actor Framework (CAF) version 0.14 (http://actor-framework.org) * LibGeoIP (for geolocating IP addresses) * sendmail (enables Bro and BroControl to send mail) * curl (used by a Bro script that implements active HTTP) @@ -208,6 +210,13 @@ all of the documentation for the latest Bro release is available on the Bro web site), there are instructions in ``doc/README`` in the source distribution. +Cross Compiling +--------------- + +See :doc:`cross-compiling` for an example of how +to cross compile Bro for a different target platform than the one on +which you build. + Configure the Run-Time Environment ================================== diff --git a/doc/intro/index.rst b/doc/intro/index.rst index cf448a0c84..b58a4dbb5b 100644 --- a/doc/intro/index.rst +++ b/doc/intro/index.rst @@ -169,7 +169,7 @@ History Bro's history goes back much further than many people realize. `Vern Paxson `_ designed and implemented the -initial version almost two decades ago. +initial version more than two decades ago. Vern began work on the code in 1995 as a researcher at the `Lawrence Berkeley National Laboratory (LBNL) `_. Berkeley Lab began operational deployment in 1996, and the USENIX Security diff --git a/doc/quickstart/index.rst b/doc/quickstart/index.rst index 811fad53e1..d7e0491501 100644 --- a/doc/quickstart/index.rst +++ b/doc/quickstart/index.rst @@ -316,9 +316,8 @@ Analyzing live traffic from an interface is simple: bro -i en0 -``en0`` can be replaced by the interface of your choice and for the list of -scripts, you can just use "all" for now to perform all the default analysis -that's available. +``en0`` can be replaced by the interface of your choice. A selection +of common base scripts will be loaded by default. Bro will output log files into the working directory. 
@@ -326,22 +325,6 @@ Bro will output log files into the working directory. capturing as an unprivileged user and checksum offloading are particularly relevant at this point. -To use the site-specific ``local.bro`` script, just add it to the -command-line: - -.. console:: - - bro -i en0 local - -This will cause Bro to print a warning about lacking the -``Site::local_nets`` variable being configured. You can supply this -information at the command line like this (supply your "local" subnets -in place of the example subnets): - -.. console:: - - bro -r mypackets.trace local "Site::local_nets += { 1.2.3.0/24, 5.6.7.0/24 }" - Reading Packet Capture (pcap) Files ----------------------------------- @@ -373,7 +356,6 @@ script that we include as a suggested configuration: bro -r mypackets.trace local - Telling Bro Which Scripts to Load --------------------------------- 
@@ -381,33 +363,65 @@ A command-line invocation of Bro typically looks like: .. console:: - bro + bro Where the last arguments are the specific policy scripts that this Bro instance will load. These arguments don't have to include the ``.bro`` -file extension, and if the corresponding script resides under the default -installation path, ``$PREFIX/share/bro``, then it requires no path -qualification. Further, a directory of scripts can be specified as -an argument to be loaded as a "package" if it contains a ``__load__.bro`` -script that defines the scripts that are part of the package. +file extension, and if the corresponding script resides in the default +search path, then it requires no path qualification. The following +directories are included in the default search path for Bro scripts:: + + ./ + /share/bro/ + /share/bro/policy/ + /share/bro/site/ -This example does all of the base analysis (primarily protocol -logging) and adds SSL certificate validation. +These prefix paths can be used to load scripts like this: .. console:: - bro -r mypackets.trace protocols/ssl/validate-certs + bro -r mypackets.trace frameworks/files/extract-all + +This will load the +``/share/bro/policy/frameworks/files/extract-all.bro`` script which will +cause Bro to extract all of the files it discovers in the PCAP. + +.. note:: If one wants Bro to be able to load scripts that live outside the + default directories in Bro's installation root, the full path to the file(s) + must be provided. See the default search path by running ``bro --help``. You might notice that a script you load from the command line uses the ``@load`` directive in the Bro language to declare dependence on other scripts. This directive is similar to the ``#include`` of C/C++, except the semantics are, "load this script if it hasn't already been loaded." -.. 
note:: If one wants Bro to be able to load scripts that live outside the - default directories in Bro's installation root, the ``BROPATH`` environment - variable will need to be extended to include all the directories that need - to be searched for scripts. See the default search path by doing - ``bro --help``. +Further, a directory of scripts can be specified as +an argument to be loaded as a "package" if it contains a ``__load__.bro`` +script that defines the scripts that are part of the package. + +Local site customization +------------------------ + +There is one script that is installed which is considered "local site +customization" and is not overwritten when upgrades take place. To use +the site-specific ``local.bro`` script, just add it to the command-line (can +also be loaded through scripts with @load): + +.. console:: + + bro -i en0 local + +This causes Bro to load a script that prints a warning about lacking the +``Site::local_nets`` variable being configured. You can supply this +information at the command line like this (supply your "local" subnets +in place of the example subnets): + +.. console:: + + bro -r mypackets.trace local "Site::local_nets += { 1.2.3.0/24, 5.6.7.0/24 }" + +When running with Broctl, this value is set by configuring the ``networks.cfg`` +file. Running Bro Without Installing ------------------------------ diff --git a/doc/script-reference/log-files.rst b/doc/script-reference/log-files.rst index 795b33f6b8..8f7d87d89a 100644 --- a/doc/script-reference/log-files.rst +++ b/doc/script-reference/log-files.rst 
@@ -14,6 +14,8 @@ Network Protocols +============================+=======================================+=================================+ | conn.log | TCP/UDP/ICMP connections | :bro:type:`Conn::Info` | +----------------------------+---------------------------------------+---------------------------------+ +| config.log | Configuration option changes | :bro:type:`Config::Info` | ++----------------------------+---------------------------------------+---------------------------------+ | dce_rpc.log | Distributed Computing Environment/RPC | :bro:type:`DCE_RPC::Info` | +----------------------------+---------------------------------------+---------------------------------+ | dhcp.log | DHCP leases | :bro:type:`DHCP::Info` | @@ -76,6 +78,10 @@ Files +============================+=======================================+=================================+ | files.log | File analysis results | :bro:type:`Files::Info` | +----------------------------+---------------------------------------+---------------------------------+ +| ocsp.log | Online Certificate Status Protocol | :bro:type:`OCSP::Info` | +| | (OCSP). Only created if policy script | | +| | is loaded. | | ++----------------------------+---------------------------------------+---------------------------------+ | pe.log | Portable Executable (PE) | :bro:type:`PE::Info` | +----------------------------+---------------------------------------+---------------------------------+ | x509.log | X.509 certificate info | :bro:type:`X509::Info` | 
@@ -124,9 +130,6 @@ Network Observations +============================+=======================================+=================================+ | known_certs.log | SSL certificates | :bro:type:`Known::CertsInfo` | +----------------------------+---------------------------------------+---------------------------------+ -| known_devices.log | MAC addresses of devices on the | :bro:type:`Known::DevicesInfo` | -| | network | | -+----------------------------+---------------------------------------+---------------------------------+ | known_hosts.log | Hosts that have completed TCP | :bro:type:`Known::HostsInfo` | | | handshakes | | +----------------------------+---------------------------------------+---------------------------------+ @@ -162,8 +165,8 @@ Bro Diagnostics +----------------------------+---------------------------------------+---------------------------------+ | cluster.log | Bro cluster messages | :bro:type:`Cluster::Info` | +----------------------------+---------------------------------------+---------------------------------+ -| communication.log | Communication events between Bro or | :bro:type:`Communication::Info` | -| | Broccoli instances | | +| broker.log | Peering status events between Bro or | :bro:type:`Broker::Info` | +| | Broker-enabled processes | | +----------------------------+---------------------------------------+---------------------------------+ | loaded_scripts.log | Shows all scripts loaded by Bro | :bro:type:`LoadedScripts::Info` | +----------------------------+---------------------------------------+---------------------------------+ diff --git a/doc/script-reference/operators.rst b/doc/script-reference/operators.rst index 9442102b52..8f64617494 100644 --- a/doc/script-reference/operators.rst +++ b/doc/script-reference/operators.rst 
@@ -85,6 +85,25 @@ Arithmetic operators | | | of elements. | +------------------------------+-------------+-------------------------------+ +Bitwise operators +----------------- + +The bitwise operators work with operands of type :bro:type:`count` or +``vector of count``, but the bitwise complement operator works with ``count`` +only. + ++------------------------------+-------------+ +| Name | Syntax | ++==============================+=============+ +| Bitwise AND | *a* & *b* | ++------------------------------+-------------+ +| Bitwise OR | *a* | *b* | ++------------------------------+-------------+ +| Bitwise XOR | *a* ^ *b* | ++------------------------------+-------------+ +| Bitwise complement | ~ *a* | ++------------------------------+-------------+ + Assignment operators -------------------- 
@@ -122,6 +141,73 @@ field name must be in the declaration of the record type. +------------------------------+-------------+-------------------------------+ +Pattern operators +----------------- + +In the table below, *p* is a pattern, and *s* is a string. + ++------------------------------+-------------+-------------------------------+ +| Name | Syntax | Notes | ++==============================+=============+===============================+ +| Exact matching | *p* == *s* | Evaluates to a boolean, | +| | | indicating if the entire | +| | | string exactly matches the | +| | | pattern. | ++------------------------------+-------------+-------------------------------+ +| Embedded matching | *p* in *s* | Evaluates to a boolean, | +| | | indicating if pattern is | +| | | found somewhere in the string.| ++------------------------------+-------------+-------------------------------+ +| Conjunction | *p1* & *p2* | Evaluates to a pattern that | +| | | represents matching p1 | +| | | followed by p2. | ++------------------------------+-------------+-------------------------------+ +| Disjunction | *p1* | *p2* | Evaluates to a pattern that | +| | | represents matching p1 or p2. | ++------------------------------+-------------+-------------------------------+ + + +Type casting +------------ + +The "as" operator performs type casting and the "is" operator checks if a +type cast is supported or not. For both operators, the first operand is a +value and the second operand is the name of a Bro script type (either built-in +or user-defined). + ++------------------------------+-------------+-------------------------------+ +| Name | Syntax | Notes | ++==============================+=============+===============================+ +| Type cast | *v* as *t* | Cast value "v" into type "t". | +| | | Evaluates to the value casted | +| | | to the specified type. | +| | | If this is not a supported | +| | | cast, then a runtime error is | +| | | triggered. 
| ++------------------------------+-------------+-------------------------------+ +| Check if a cast is supported | *v* is *t* | Evaluates to boolean. If true,| +| | | then "v as t" would succeed. | ++------------------------------+-------------+-------------------------------+ + +Only the following kinds of type casts are supported currently: + +- Broker values (i.e., :bro:see:`Broker::Data` values returned from + functions such as :bro:id:`Broker::data`) can be casted to their + corresponding Bro script types. +- A value of declared type "any" can be casted to its actual underlying type. +- All values can be casted to their declared types (i.e., this is a no-op). + +The function in this example tries to cast a value to a string:: + + function example(a: any) + { + local s: string; + + if ( a is string ) + s = (a as string); + } + + Other operators --------------- diff --git a/doc/script-reference/statements.rst b/doc/script-reference/statements.rst index 14e0cc3c32..9e061d4df7 100644 --- a/doc/script-reference/statements.rst +++ b/doc/script-reference/statements.rst @@ -20,6 +20,9 @@ Declarations +----------------------------+-----------------------------+ | :bro:keyword:`const` | Declare a constant | +----------------------------+-----------------------------+ +| :bro:keyword:`option` | Declare a configuration | +| | option | ++----------------------------+-----------------------------+ | :bro:keyword:`type` | Declare a user-defined type | +----------------------------+-----------------------------+ | :bro:keyword:`redef` | Redefine a global value or | 
@@ -176,6 +179,25 @@ all loaded Bro scripts. or "global" keywords (i.e., "const" replaces "local" and "global"). +.. bro:keyword:: option + + A variable declared with the "option" keyword is a configuration option. + + Options are required to be initialized at the + time of declaration. Normally, the type is inferred from the initializer, + but the type can be explicitly specified. Example:: + + option hostname = "host-1"; + option peers: set[addr] = {}; + + The value of an option cannot be changed by an assignment statement. + + The scope of an option is global. + + Note that an "option" declaration cannot also use the "local", "global", + or "const" keywords. + + .. bro:keyword:: type The "type" keyword is used to declare a user-defined type. The name 
@@ -549,6 +571,42 @@ Here are the statements that the Bro scripting language supports. do not indicate the presence of a `compound statement`_), and that no semicolon is needed at the end of a "switch" statement. + There is an alternative form of the switch statement that supports + switching by type rather than value. This form of the switch statement + uses type-based versions of "case": + + - "case type t: ...": Take branch if the value of the switch expression + could be casted to type t (where "t" is the name of a Bro script type, + either built-in or user-defined). + + - "case type t as x: ...": Same as above, but the casted value is + available through ID "x". + + Multiple types can be listed per branch, separated by commas (the "type" + keyword must be repeated for each type in the list). + + Example:: + + function example(v: any) + { + switch (v) { + case type count as c: + print "It's a count", c; + break; + + case type bool, type addr: + print "It's a bool or address"; + break; + } + } + + Note that a single switch statement switches either by type or by value, + but not both. + + Also note that the type-based switch statement will trigger a runtime + error if any cast in any "case" is an unsupported cast (see the + documentation of the type casting operator "as"). + .. bro:keyword:: when diff --git a/doc/script-reference/types.rst b/doc/script-reference/types.rst index 651ebfb411..cfb47270ff 100644 --- a/doc/script-reference/types.rst +++ b/doc/script-reference/types.rst @@ -91,6 +91,10 @@ Here is a more detailed description of each type: type, but a unary plus or minus applied to a "count" results in an "int". + In addition, "count" types support bitwise operations. You can use + ``&``, ``|``, and ``^`` for bitwise ``and``, ``or``, and ``xor``. You + can also use ``~`` for bitwise (one's) complement. + .. bro:type:: double A numeric type representing a double-precision floating-point 
@@ -194,11 +198,11 @@ Here is a more detailed description of each type: .. bro:type:: pattern - A type representing regular-expression patterns which can be used + A type representing regular-expression patterns that can be used for fast text-searching operations. Pattern constants are created - by enclosing text within forward slashes (/) and is the same syntax + by enclosing text within forward slashes (``/``) and use the same syntax as the patterns supported by the `flex lexical analyzer - `_. The speed of + `_. The speed of regular expression matching does not depend on the complexity or size of the patterns. Patterns support two types of matching, exact and embedded. @@ -233,6 +237,32 @@ Here is a more detailed description of each type: is false since "oob" does not appear at the start of "foobar". The ``!in`` operator would yield the negation of ``in``. + You can create a disjunction (either-or) of two patterns + using the ``|`` operator. For example:: + + /foo/ | /bar/ in "foobar" + + yields true, like in the similar example above. You can also + create the conjunction (concatenation) of patterns using the ``&`` + operator. For example:: + + /foo/ & /bar/ in "foobar" + + will yield true because the pattern /(foo)(bar)/ appears in + the string "foobar". + + When specifying a pattern, you can add a final ``i`` specifier to + mark it as case-insensitive. For example, ``/foo|bar/i`` will match + a "foo", "Foo", "BaR", etc. + + You can also introduce a case-insensitive sub-pattern by enclosing it + in ``(?i:````)``. So, for example, ``/foo|(?i:bar)/`` will + match "foo" and "BaR", but *not* "Foo". + + For both ways of specifying case-insensitivity, characters enclosed + in double quotes maintain their case-sensitivity. So for example + /"foo"/i will not match "Foo", but it will match "foo". + .. bro:type:: port A type representing transport-level port numbers (besides TCP and 
@@ -514,6 +544,15 @@ Here is a more detailed description of each type: |s| + You can compute the union, intersection, or difference of two sets + using the ``|``, ``&``, and ``-`` operators. You can compare + sets for equality (they have exactly the same elements) using ``==``. + The ``<`` operator returns ``T`` if the lefthand operand is a proper + subset of the righthand operand. Similarly, ``<=`` returns ``T`` + if the lefthand operator is a subset (not necessarily proper, i.e., + it may be equal to the righthand operand). The operators ``!=``, ``>`` + and ``>=`` provide the expected complementary operations. + See the :bro:keyword:`for` statement for info on how to iterate over the elements in a set. @@ -569,6 +608,20 @@ Here is a more detailed description of each type: |v| + A particularly common operation on a vector is to append an element + to its end. You can do so using: + + .. code:: bro + + v += e; + + where if e's type is ``X``, v's type is ``vector of X``. Note that + this expression is equivalent to: + + .. code:: bro + + v[|v|] = e; + Vectors of integral types (``int`` or ``count``) support the pre-increment (``++``) and pre-decrement operators (``--``), which will increment or decrement each element in the vector. @@ -585,6 +638,9 @@ Here is a more detailed description of each type: The resulting vector of bool is the logical "and" (or logical "or") of each element of the operand vectors. + Vectors of type ``count`` can also be operands for the bitwise and/or/xor + operators, ``&``, ``|`` and ``^``. + See the :bro:keyword:`for` statement for info on how to iterate over the elements in a vector. diff --git a/doc/scripting/data_struct_vector_declaration.bro b/doc/scripting/data_struct_vector_declaration.bro index 6d684d09b1..e9b31880f6 100644 --- a/doc/scripting/data_struct_vector_declaration.bro +++ b/doc/scripting/data_struct_vector_declaration.bro 
@@ -3,10 +3,10 @@ event bro_init() local v1: vector of count; local v2 = vector(1, 2, 3, 4); - v1[|v1|] = 1; - v1[|v1|] = 2; - v1[|v1|] = 3; - v1[|v1|] = 4; + v1 += 1; + v1 += 2; + v1 += 3; + v1 += 4; print fmt("contents of v1: %s", v1); print fmt("length of v1: %d", |v1|); diff --git a/doc/scripting/index.rst b/doc/scripting/index.rst index 6808afe021..54ae83bf81 100644 --- a/doc/scripting/index.rst +++ b/doc/scripting/index.rst @@ -171,7 +171,7 @@ write scripts for Bro but for understanding Bro itself. Gaining familiarity with the specific events generated by Bro is a big step towards building a mind set for working with Bro scripts. The majority of events generated by Bro are defined in the -built-in-function files or ``.bif`` files which also act as the basis for +built-in-function (``*.bif``) files which also act as the basis for online event documentation. These in-line comments are compiled into an online documentation system using Broxygen. Whether starting a script from scratch or reading and maintaining someone else's script, @@ -212,11 +212,11 @@ later. While Bro is capable of packet level processing, its strengths lay in the context of a connection between an originator and a responder. As such, there are events defined for the primary parts of the connection -life-cycle as you'll see from the small selection of -connection-related events below. +life-cycle such as the following: -.. btest-include:: ${BRO_SRC_ROOT}/build/scripts/base/bif/event.bif.bro - :lines: 69-72,88,106-109,129,132-137,148 +* :bro:see:`new_connection` +* :bro:see:`connection_timeout` +* :bro:see:`connection_state_remove` Of the events listed, the event that will give us the best insight into the connection record data type will be 
@@ -325,29 +325,14 @@ variable declared while scripts using a different namespace or no namespace altogether will not have access to the variable. Alternatively, if a global variable is declared within an ``export { ... }`` block that variable is available to any other script through the -naming convention of ``MODULE::variable_name``. - -The declaration below is taken from the -:doc:`/scripts/policy/protocols/conn/known-hosts.bro` script and -declares a variable called ``known_hosts`` as a global set of unique -IP addresses within the ``Known`` namespace and exports it for use -outside of the ``Known`` namespace. Were we to want to use the -``known_hosts`` variable we'd be able to access it through -``Known::known_hosts``. - -.. btest-include:: ${BRO_SRC_ROOT}/scripts/policy/protocols/conn/known-hosts.bro - :lines: 8-10, 32, 37 - -The sample above also makes use of an ``export { ... }`` block. When the module -keyword is used in a script, the variables declared are said to be in -that module's "namespace". Where as a global variable can be accessed -by its name alone when it is not declared within a module, a global -variable declared within a module must be exported and then accessed -via ``MODULE_NAME::VARIABLE_NAME``. As in the example above, we would be -able to access the ``known_hosts`` in a separate script variable via -``Known::known_hosts`` due to the fact that ``known_hosts`` was declared as -a global variable within an export block under the ``Known`` namespace. +naming convention of ``::``, i.e. the variable +needs to be "scoped" by the name of the module in which it was declared. +When the ``module`` keyword is used in a script, the variables declared +are said to be in that module's "namespace". Where as a global variable +can be accessed by its name alone when it is not declared within a +module, a global variable declared within a module must be exported and +then accessed via ``::``. Constants ~~~~~~~~~ 
@@ -1009,8 +994,6 @@ which is a factor of 5 to an alternate file, while writing the remaining logs to factor.log. .. btest-include:: ${DOC_ROOT}/scripting/framework_logging_factorial_03.bro - :lines: 38-62 - :linenos: To dynamically alter the file in which a stream writes its logs, a filter can specify a function that returns a string to be used as the diff --git a/scripts/base/files/pe/consts.bro b/scripts/base/files/pe/consts.bro index 35ad9c3c61..3dcfddec79 100644 --- a/scripts/base/files/pe/consts.bro +++ b/scripts/base/files/pe/consts.bro @@ -65,7 +65,7 @@ export { [9] = "WINDOWS_CE_GUI", [10] = "EFI_APPLICATION", [11] = "EFI_BOOT_SERVICE_DRIVER", - [12] = "EFI_RUNTIME_
DRIVER", + [12] = "EFI_RUNTIME_DRIVER", [13] = "EFI_ROM", [14] = "XBOX" } &default=function(i: count):string { return fmt("unknown-%d", i); }; diff --git a/scripts/base/files/pe/main.bro b/scripts/base/files/pe/main.bro index b2723e4138..972e8a31c8 100644 --- a/scripts/base/files/pe/main.bro +++ b/scripts/base/files/pe/main.bro @@ -126,7 +126,7 @@ event pe_section_header(f: fa_file, h: PE::SectionHeader) &priority=5 if ( ! f$pe?$section_names ) f$pe$section_names = vector(); - f$pe$section_names[|f$pe$section_names|] = h$name; + f$pe$section_names += h$name; } event file_state_remove(f: fa_file) &priority=-5 diff --git a/scripts/base/files/x509/README b/scripts/base/files/x509/README index 8b50366cd2..515b0e0b1c 100644 --- a/scripts/base/files/x509/README +++ b/scripts/base/files/x509/README @@ -1 +1,2 @@ Support for X509 certificates with the file analysis framework. +Also supports parsing OCSP requests and responses. diff --git a/scripts/base/files/x509/main.bro b/scripts/base/files/x509/main.bro index bbf99f6a4d..b6fdde5494 100644 --- a/scripts/base/files/x509/main.bro +++ b/scripts/base/files/x509/main.bro @@ -10,23 +10,17 @@ export { type Info: record { ## Current timestamp. ts: time &log; - ## File id of this certificate. id: string &log; - ## Basic information about the certificate. certificate: X509::Certificate &log; - ## The opaque wrapping the certificate. Mainly used ## for the verify operations. handle: opaque of x509; - ## All extensions that were encountered in the certificate. extensions: vector of X509::Extension &default=vector(); - ## Subject alternative name extension of the certificate. san: X509::SubjectAlternativeName &optional &log; - ## Basic constraints extension of the certificate. basic_constraints: X509::BasicConstraints &optional &log; }; 
@@ -38,6 +32,24 @@ export { event bro_init() &priority=5 { Log::create_stream(X509::LOG, [$columns=Info, $ev=log_x509, $path="x509"]); + + # We use MIME types internally to distinguish between user and CA certificates. + # The first certificate in a connection always gets tagged as user-cert, all + # following certificates get tagged as CA certificates. Certificates gotten via + # other means (e.g. identified from HTTP traffic when they are transfered in plain + # text) get tagged as application/pkix-cert. + Files::register_for_mime_type(Files::ANALYZER_X509, "application/x-x509-user-cert"); + Files::register_for_mime_type(Files::ANALYZER_X509, "application/x-x509-ca-cert"); + Files::register_for_mime_type(Files::ANALYZER_X509, "application/pkix-cert"); + + # Always calculate hashes. They are not necessary for base scripts + # but very useful for identification, and required for policy scripts + Files::register_for_mime_type(Files::ANALYZER_MD5, "application/x-x509-user-cert"); + Files::register_for_mime_type(Files::ANALYZER_MD5, "application/x-x509-ca-cert"); + Files::register_for_mime_type(Files::ANALYZER_MD5, "application/pkix-cert"); + Files::register_for_mime_type(Files::ANALYZER_SHA1, "application/x-x509-user-cert"); + Files::register_for_mime_type(Files::ANALYZER_SHA1, "application/x-x509-ca-cert"); + Files::register_for_mime_type(Files::ANALYZER_SHA1, "application/pkix-cert"); } redef record Files::Info += { 
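Review bot: The hash analyzers added to `bro_init` for the three certificate MIME types are MD5 and SHA1 only, and the comment calls them useful for identification. Both are collision-prone, so a fingerprint produced this way is fine for lookup and correlation but should not be treated as a unique certificate identity. Registering the SHA256 analyzer for the same types would give a collision-resistant fingerprint, e.g. `Files::register_for_mime_type(Files::ANALYZER_SHA256, "application/pkix-cert");` plus the two `application/x-x509-*` types. The comment could say so directly, `# Always calculate hashes (for lookup and correlation, not as a collision-resistant identity).`, and `transfered` in the first comment should read `transferred`.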
@@ -48,16 +60,13 @@ redef record Files::Info += { event x509_certificate(f: fa_file, cert_ref: opaque of x509, cert: X509::Certificate) &priority=5 { - if ( ! f$info?$mime_type ) - f$info$mime_type = "application/pkix-cert"; - f$info$x509 = [$ts=f$info$ts, $id=f$id, $certificate=cert, $handle=cert_ref]; } event x509_extension(f: fa_file, ext: X509::Extension) &priority=5 { if ( f$info?$x509 ) - f$info$x509$extensions[|f$info$x509$extensions|] = ext; + f$info$x509$extensions += ext; } event x509_ext_basic_constraints(f: fa_file, ext: X509::BasicConstraints) &priority=5 diff --git a/scripts/base/frameworks/broker/__load__.bro b/scripts/base/frameworks/broker/__load__.bro index 018d772f4f..77dd69d554 100644 --- a/scripts/base/frameworks/broker/__load__.bro +++ b/scripts/base/frameworks/broker/__load__.bro @@ -1,2 +1,3 @@ @load ./main @load ./store +@load ./log diff --git a/scripts/base/frameworks/broker/log.bro b/scripts/base/frameworks/broker/log.bro new file mode 100644 index 0000000000..2461cb8d54 --- /dev/null +++ b/scripts/base/frameworks/broker/log.bro 
@@ -0,0 +1,80 @@
+@load ./main
+
+module Broker;
+
+export {
+ ## The Broker logging stream identifier.
+ redef enum Log::ID += { LOG };
+
+ ## The type of a Broker activity being logged.
+ type Type: enum {
+ ## An informational status update.
+ STATUS,
+ ## An error situation.
+ ERROR
+ };
+
+ ## A record type containing the column fields of the Broker log.
+ type Info: record {
+ ## The network time at which a Broker event occurred.
+ ts: time &log;
+ ## The type of the Broker event.
+ ty: Type &log;
+ ## The event being logged.
+ ev: string &log;
+ ## The peer (if any) with which a Broker event is
+ ## concerned.
+ peer: NetworkInfo &log &optional;
+ ## An optional message describing the Broker event in more detail
+ message: string &log &optional;
+ };
+}
+
+event bro_init() &priority=5
+ {
+ Log::create_stream(Broker::LOG, [$columns=Info, $path="broker"]);
+ }
+
+function log_status(ev: string, endpoint: EndpointInfo, msg: string)
+ {
+ local r: Info;
+
+ r = [$ts = network_time(),
+ $ev = ev,
+ $ty = STATUS,
+ $message = msg];
+
+ if ( endpoint?$network )
+ r$peer = endpoint$network;
+
+ Log::write(Broker::LOG, r);
+ }
+
+event Broker::peer_added(endpoint: EndpointInfo, msg: string)
+ {
+ log_status("peer-added", endpoint, msg);
+ }
+
+event Broker::peer_removed(endpoint: EndpointInfo, msg: string)
+ {
+ log_status("peer-removed", endpoint, msg);
+ }
+
+event Broker::peer_lost(endpoint: EndpointInfo, msg: string)
+ {
+ log_status("connection-terminated", endpoint, msg);
+ }
+
+event Broker::error(code: ErrorCode, msg: string)
+ {
+ local ev = cat(code);
+ ev = subst_string(ev, "Broker::", "");
+ ev = subst_string(ev, "_", "-");
+ ev = to_lower(ev);
+
+ Log::write(Broker::LOG, [$ts = network_time(),
+ $ev = ev,
+ $ty = ERROR,
+ $message = msg]);
+ }
+
diff --git a/scripts/base/frameworks/broker/main.bro b/scripts/base/frameworks/broker/main.bro
index 835a9ed796..0db239fb88 100644
--- a/scripts/base/frameworks/broker/main.bro
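Review bot: The `Log::create_stream` call in `bro_init` passes no `$ev`, so there is no log event that other scripts can handle to watch peering changes and errors as they are written. The x509 stream in this same commit uses `$ev=log_x509`; matching it here means declaring `global log_broker: event(rec: Info);` in the export block and creating the stream with `[$columns=Info, $ev=log_broker, $path="broker"]`. The `Broker::error` handler also writes no `peer` field, so error rows cannot be tied to an endpoint from this log alone; that limitation is worth a comment on the `peer` field. The new file has no `##!` script-level summary either; a line such as `##! Logs Broker peering status changes and errors to broker.log.` would cover it.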
+++ b/scripts/base/frameworks/broker/main.bro 
@@ -1,55 +1,182 @@ -##! Various data structure definitions for use with Bro's communication system. - -module Log; - -export { - type Log::ID: enum { - ## Dummy place-holder. - UNKNOWN - }; -} +##! The Broker-based communication API and its various options. module Broker; export { + ## Default port for Broker communication. Where not specified + ## otherwise, this is the port to connect to and listen on. + const default_port = 9999/tcp &redef; - ## A name used to identify this endpoint to peers. + ## Default interval to retry listening on a port if it's currently in + ## use already. Use of the BRO_DEFAULT_LISTEN_RETRY environment variable + ## (set as a number of seconds) will override this option and also + ## any values given to :bro:see:`Broker::listen`. + const default_listen_retry = 30sec &redef; + + ## Default address on which to listen. ## - ## .. bro:see:: Broker::connect Broker::listen - const endpoint_name = "" &redef; + ## .. bro:see:: Broker::listen + const default_listen_address = getenv("BRO_DEFAULT_LISTEN_ADDRESS") &redef; - ## Change communication behavior. - type EndpointFlags: record { - ## Whether to restrict message topics that can be published to peers. - auto_publish: bool &default = T; - ## Whether to restrict what message topics or data store identifiers - ## the local endpoint advertises to peers (e.g. subscribing to - ## events or making a master data store available). - auto_advertise: bool &default = T; + ## Default interval to retry connecting to a peer if it cannot be made to + ## work initially, or if it ever becomes disconnected. Use of the + ## BRO_DEFAULT_CONNECT_RETRY environment variable (set as number of + ## seconds) will override this option and also any values given to + ## :bro:see:`Broker::peer`. + const default_connect_retry = 30sec &redef; + + ## If true, do not use SSL for network connections. By default, SSL will + ## even be used if no certificates / CAs have been configured. 
In that case + ## (which is the default) the communication will be encrypted, but not + ## authenticated. + const disable_ssl = F &redef; + + ## Path to a file containing concatenated trusted certificates + ## in PEM format. If set, Bro will require valid certificates for + ## all peers. + const ssl_cafile = "" &redef; + + ## Path to an OpenSSL-style directory of trusted certificates. + ## If set, Bro will require valid certificates for + ## all peers. + const ssl_capath = "" &redef; + + ## Path to a file containing a X.509 certificate for this + ## node in PEM format. If set, Bro will require valid certificates for + ## all peers. + const ssl_certificate = "" &redef; + + ## Passphrase to decrypt the private key specified by + ## :bro:see:`Broker::ssl_keyfile`. If set, Bro will require valid + ## certificates for all peers. + const ssl_passphrase = "" &redef; + + ## Path to the file containing the private key for this node's + ## certificate. If set, Bro will require valid certificates for + ## all peers. + const ssl_keyfile = "" &redef; + + ## The number of buffered messages at the Broker/CAF layer after which + ## a subscriber considers themselves congested (i.e. tune the congestion + ## control mechanisms). + const congestion_queue_size = 200 &redef; + + ## Max number of threads to use for Broker/CAF functionality. Setting to + ## zero implies using the value of BRO_BROKER_MAX_THREADS environment + ## variable, if set, or else typically defaults to 4 (actually 2 threads + ## when simply reading offline pcaps as there's not expected to be any + ## communication and more threads just adds more overhead). + const max_threads = 0 &redef; + + ## Max number of microseconds for under-utilized Broker/CAF + ## threads to sleep. Using zero will cause this to be automatically + ## determined or just use CAF's default setting. + const max_sleep = 0 &redef; + + ## Forward all received messages to subscribing peers. 
+ const forward_messages = F &redef; + + ## The default topic prefix where logs will be published. The log's stream + ## id is appended when writing to a particular stream. + const default_log_topic_prefix = "bro/logs/" &redef; + + ## The default implementation for :bro:see:`Broker::log_topic`. + function default_log_topic(id: Log::ID, path: string): string + { + return default_log_topic_prefix + cat(id); + } + + ## A function that will be called for each log entry to determine what + ## broker topic string will be used for sending it to peers. The + ## default implementation will return a value based on + ## :bro:see:`Broker::default_log_topic_prefix`. + ## + ## id: the ID associated with the log stream entry that will be sent. + ## + ## path: the path to which the log stream entry will be output. + ## + ## Returns: a string representing the broker topic to which the log + ## will be sent. + const log_topic: function(id: Log::ID, path: string): string = default_log_topic &redef; + + type ErrorCode: enum { + ## The unspecified default error code. + UNSPECIFIED = 1, + ## Version incompatibility. + PEER_INCOMPATIBLE = 2, + ## Referenced peer does not exist. + PEER_INVALID = 3, + ## Remote peer not listening. + PEER_UNAVAILABLE = 4, + ## A peering request timed out. + PEER_TIMEOUT = 5, + ## Master with given name already exists. + MASTER_EXISTS = 6, + ## Master with given name does not exist. + NO_SUCH_MASTER = 7, + ## The given data store key does not exist. + NO_SUCH_KEY = 8, + ## The store operation timed out. + REQUEST_TIMEOUT = 9, + ## The operation expected a different type than provided. + TYPE_CLASH = 10, + ## The data value cannot be used to carry out the desired operation. + INVALID_DATA = 11, + ## The storage backend failed to execute the operation. + BACKEND_FAILURE = 12, + ## The storage backend failed to execute the operation. + STALE_DATA = 13, + ## Catch-all for a CAF-level problem. 
+ CAF_ERROR = 100 }; - ## Fine-grained tuning of communication behavior for a particular message. - type SendFlags: record { - ## Send the message to the local endpoint. - self: bool &default = F; - ## Send the message to peer endpoints that advertise interest in - ## the topic associated with the message. - peers: bool &default = T; - ## Send the message to peer endpoints even if they don't advertise - ## interest in the topic associated with the message. - unsolicited: bool &default = F; + ## The possible states of a peer endpoint. + type PeerStatus: enum { + ## The peering process is initiated. + INITIALIZING, + ## Connection establishment in process. + CONNECTING, + ## Connection established, peering pending. + CONNECTED, + ## Successfully peered. + PEERED, + ## Connection to remote peer lost. + DISCONNECTED, + ## Reconnecting to peer after a lost connection. + RECONNECTING, }; + type NetworkInfo: record { + ## The IP address or hostname where the endpoint listens. + address: string &log; + ## The port where the endpoint is bound to. + bound_port: port &log; + }; + + type EndpointInfo: record { + ## A unique identifier of the node. + id: string; + ## Network-level information. + network: NetworkInfo &optional; + }; + + type PeerInfo: record { + peer: EndpointInfo; + status: PeerStatus; + }; + + type PeerInfos: vector of PeerInfo; + ## Opaque communication data. type Data: record { - d: opaque of Broker::Data &optional; + data: opaque of Broker::Data &optional; }; - ## Opaque communication data. + ## Opaque communication data sequence. type DataVector: vector of Broker::Data; ## Opaque event communication data. - type EventArgs: record { + type Event: record { ## The name of the event. Not set if invalid event or arguments. name: string &optional; ## The arguments to the event. 
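Review bot: `default_listen_address` is set from `getenv("BRO_DEFAULT_LISTEN_ADDRESS")`, which is presumably the empty string when the variable is unset, and the `Broker::listen` comment further down this file says an empty address means INADDR_ANY. Together with the `disable_ssl` comment (encrypted but not authenticated unless certificates or CAs are configured), a node calling `listen()` with defaults would accept peerings from any host that can reach 9999/tcp. The comment on `default_listen_address` should say so, for example `## Empty (the default when BRO_DEFAULT_LISTEN_ADDRESS is unset) means all interfaces; set ssl_cafile or ssl_capath to require authenticated peers.` Separately, the `STALE_DATA` comment repeats the `BACKEND_FAILURE` text word for word and looks like a copy-paste that needs its own description.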
@@ -63,52 +190,25 @@ export { val: Broker::Data; }; - ## Enable use of communication. - ## - ## flags: used to tune the local Broker endpoint behavior. - ## - ## Returns: true if communication is successfully initialized. - global enable: function(flags: EndpointFlags &default = EndpointFlags()): bool; - - ## Changes endpoint flags originally supplied to :bro:see:`Broker::enable`. - ## - ## flags: the new endpoint behavior flags to use. - ## - ## Returns: true if flags were changed. - global set_endpoint_flags: function(flags: EndpointFlags &default = EndpointFlags()): bool; - - ## Allow sending messages to peers if associated with the given topic. - ## This has no effect if auto publication behavior is enabled via the flags - ## supplied to :bro:see:`Broker::enable` or :bro:see:`Broker::set_endpoint_flags`. - ## - ## topic: a topic to allow messages to be published under. - ## - ## Returns: true if successful. - global publish_topic: function(topic: string): bool; - - ## Disallow sending messages to peers if associated with the given topic. - ## This has no effect if auto publication behavior is enabled via the flags - ## supplied to :bro:see:`Broker::enable` or :bro:see:`Broker::set_endpoint_flags`. - ## - ## topic: a topic to disallow messages to be published under. - ## - ## Returns: true if successful. - global unpublish_topic: function(topic: string): bool; - ## Listen for remote connections. ## - ## p: the TCP port to listen on. - ## ## a: an address string on which to accept connections, e.g. - ## "127.0.0.1". An empty string refers to @p INADDR_ANY. + ## "127.0.0.1". An empty string refers to INADDR_ANY. ## - ## reuse: equivalent to behavior of SO_REUSEADDR. + ## p: the TCP port to listen on. The value 0 means that the OS should choose + ## the next available free port. ## - ## Returns: true if the local endpoint is now listening for connections. 
+ ## retry: If non-zero, retries listening in regular intervals if the port cannot be + ## acquired immediately. 0 disables retries. If the + ## BRO_DEFAULT_LISTEN_RETRY environment variable is set (as number + ## of seconds), it overrides any value given here. ## - ## .. bro:see:: Broker::incoming_connection_established - global listen: function(p: port, a: string &default = "", reuse: bool &default = T): bool; - + ## Returns: the bound port or 0/? on failure. + ## + ## .. bro:see:: Broker::status + global listen: function(a: string &default = default_listen_address, + p: port &default = default_port, + retry: interval &default = default_listen_retry): port; ## Initiate a remote connection. ## ## a: an address to connect to, e.g. "localhost" or "127.0.0.1". 
@@ -117,69 +217,82 @@ export { ## ## retry: an interval at which to retry establishing the ## connection with the remote peer if it cannot be made initially, or - ## if it ever becomes disconnected. + ## if it ever becomes disconnected. If the + ## BRO_DEFAULT_CONNECT_RETRY environment variable is set (as number + ## of seconds), it overrides any value given here. ## ## Returns: true if it's possible to try connecting with the peer and - ## it's a new peer. The actual connection may not be established + ## it's a new peer. The actual connection may not be established ## until a later point in time. ## - ## .. bro:see:: Broker::outgoing_connection_established - global connect: function(a: string, p: port, retry: interval): bool; + ## .. bro:see:: Broker::status + global peer: function(a: string, p: port &default=default_port, + retry: interval &default=default_connect_retry): bool; ## Remove a remote connection. ## - ## a: the address used in previous successful call to :bro:see:`Broker::connect`. + ## Note that this does not terminate the connection to the peer, it + ## just means that we won't exchange any further information with it + ## unless peering resumes later. ## - ## p: the port used in previous successful call to :bro:see:`Broker::connect`. + ## a: the address used in previous successful call to :bro:see:`Broker::peer`. + ## + ## p: the port used in previous successful call to :bro:see:`Broker::peer`. ## ## Returns: true if the arguments match a previously successful call to - ## :bro:see:`Broker::connect`. - global disconnect: function(a: string, p: port): bool; + ## :bro:see:`Broker::peer`. + ## + ## TODO: We do not have a function yet to terminate a connection. + global unpeer: function(a: string, p: port): bool; - ## Print a simple message to any interested peers. The receiver can use - ## :bro:see:`Broker::print_handler` to handle messages. + ## Get a list of all peer connections. ## - ## topic: a topic associated with the printed message. 
+ ## Returns: a list of all peer connections. + global peers: function(): vector of PeerInfo; + + ## Get a unique identifier for the local broker endpoint. ## - ## msg: the print message to send to peers. + ## Returns: a unique identifier for the local broker endpoint. + global node_id: function(): string; + + ## Sends all pending log messages to remote peers. This normally + ## doesn't need to be used except for test cases that are time-sensitive. + global flush_logs: function(): count; + + ## Publishes the value of an identifier to a given topic. The subscribers + ## will update their local value for that identifier on receipt. ## - ## flags: tune the behavior of how the message is sent. + ## topic: a topic associated with the message. + ## + ## id: the identifier to publish. ## ## Returns: true if the message is sent. - global send_print: function(topic: string, msg: string, flags: SendFlags &default = SendFlags()): bool; + global publish_id: function(topic: string, id: string): bool; - ## Register interest in all peer print messages that use a certain topic - ## prefix. Use :bro:see:`Broker::print_handler` to handle received - ## messages. + ## Register interest in all peer event messages that use a certain topic + ## prefix. Note that subscriptions may not be altered immediately after + ## calling (except during :bro:see:`bro_init`). ## ## topic_prefix: a prefix to match against remote message topics. ## e.g. an empty prefix matches everything and "a" matches ## "alice" and "amy" but not "bob". ## - ## Returns: true if it's a new print subscription and it is now registered. - global subscribe_to_prints: function(topic_prefix: string): bool; + ## Returns: true if it's a new event subscription and it is now registered. + global subscribe: function(topic_prefix: string): bool; - ## Unregister interest in all peer print messages that use a topic prefix. + ## Unregister interest in all peer event messages that use a topic prefix. 
+ ## Note that subscriptions may not be altered immediately after calling + ## (except during :bro:see:`bro_init`). ## ## topic_prefix: a prefix previously supplied to a successful call to - ## :bro:see:`Broker::subscribe_to_prints`. + ## :bro:see:`Broker::subscribe`. ## ## Returns: true if interest in the topic prefix is no longer advertised. - global unsubscribe_to_prints: function(topic_prefix: string): bool; - - ## Send an event to any interested peers. - ## - ## topic: a topic associated with the event message. - ## - ## args: event arguments as made by :bro:see:`Broker::event_args`. - ## - ## flags: tune the behavior of how the message is sent. - ## - ## Returns: true if the message is sent. - global send_event: function(topic: string, args: EventArgs, flags: SendFlags &default = SendFlags()): bool; + global unsubscribe: function(topic_prefix: string): bool; ## Automatically send an event to any interested peers whenever it is - ## locally dispatched (e.g. using "event my_event(...);" in a script). + ## locally dispatched. (For example, using "event my_event(...);" in a + ## script.) ## ## topic: a topic string associated with the event message. ## Peers advertise interest by registering a subscription to some 
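Review bot: The `publish_id` comment states that subscribers update their local value for the identifier on receipt, but it does not say which identifiers a receiver accepts or that this lets a peer change script state remotely. Since `subscribe` documents an empty prefix as matching everything, and the `disable_ssl` comment earlier in this file says peers are unauthenticated unless a CA is configured, the declaration should carry a caveat such as `## Receivers apply the published value to their own identifier; subscribe only to topics fed by trusted peers.` This assumes the receiving side applies the value without further checks, which the hunk does not show. The `export` block holding these declarations starts and ends outside the hunk.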
@@ -187,83 +300,18 @@ export { ## ## ev: a Bro event value. ## - ## flags: tune the behavior of how the message is sent. - ## ## Returns: true if automatic event sending is now enabled. - global auto_event: function(topic: string, ev: any, flags: SendFlags &default = SendFlags()): bool; + global auto_publish: function(topic: string, ev: any): bool; ## Stop automatically sending an event to peers upon local dispatch. ## - ## topic: a topic originally given to :bro:see:`Broker::auto_event`. + ## topic: a topic originally given to :bro:see:`Broker::auto_publish`. ## - ## ev: an event originally given to :bro:see:`Broker::auto_event`. + ## ev: an event originally given to :bro:see:`Broker::auto_publish`. ## ## Returns: true if automatic events will not occur for the topic/event ## pair. - global auto_event_stop: function(topic: string, ev: any): bool; - - ## Register interest in all peer event messages that use a certain topic - ## prefix. - ## - ## topic_prefix: a prefix to match against remote message topics. - ## e.g. an empty prefix matches everything and "a" matches - ## "alice" and "amy" but not "bob". - ## - ## Returns: true if it's a new event subscription and it is now registered. - global subscribe_to_events: function(topic_prefix: string): bool; - - ## Unregister interest in all peer event messages that use a topic prefix. - ## - ## topic_prefix: a prefix previously supplied to a successful call to - ## :bro:see:`Broker::subscribe_to_events`. - ## - ## Returns: true if interest in the topic prefix is no longer advertised. - global unsubscribe_to_events: function(topic_prefix: string): bool; - - ## Enable remote logs for a given log stream. - ## - ## id: the log stream to enable remote logs for. - ## - ## flags: tune the behavior of how log entry messages are sent. - ## - ## Returns: true if remote logs are enabled for the stream. 
- global enable_remote_logs: function(id: Log::ID, flags: SendFlags &default = SendFlags()): bool; - - ## Disable remote logs for a given log stream. - ## - ## id: the log stream to disable remote logs for. - ## - ## Returns: true if remote logs are disabled for the stream. - global disable_remote_logs: function(id: Log::ID): bool; - - ## Check if remote logs are enabled for a given log stream. - ## - ## id: the log stream to check. - ## - ## Returns: true if remote logs are enabled for the given stream. - global remote_logs_enabled: function(id: Log::ID): bool; - - ## Register interest in all peer log messages that use a certain topic - ## prefix. Logs are implicitly sent with topic "bro/log/" and - ## the receiving side processes them through the logging framework as usual. - ## - ## topic_prefix: a prefix to match against remote message topics. - ## e.g. an empty prefix matches everything and "a" matches - ## "alice" and "amy" but not "bob". - ## - ## Returns: true if it's a new log subscription and it is now registered. - global subscribe_to_logs: function(topic_prefix: string): bool; - - ## Unregister interest in all peer log messages that use a topic prefix. - ## Logs are implicitly sent with topic "bro/log/" and the - ## receiving side processes them through the logging framework as usual. - ## - ## topic_prefix: a prefix previously supplied to a successful call to - ## :bro:see:`Broker::subscribe_to_logs`. - ## - ## Returns: true if interest in the topic prefix is no longer advertised. - global unsubscribe_to_logs: function(topic_prefix: string): bool; - + global auto_unpublish: function(topic: string, ev: any): bool; } @load base/bif/comm.bif 
@@ -271,106 +319,75 @@ export { module Broker; -@ifdef ( Broker::__enable ) +event retry_listen(a: string, p: port, retry: interval) + { + listen(a, p, retry); + } -function enable(flags: EndpointFlags &default = EndpointFlags()) : bool - { - return __enable(flags); - } +function listen(a: string, p: port, retry: interval): port + { + local bound = __listen(a, p); -function set_endpoint_flags(flags: EndpointFlags &default = EndpointFlags()): bool - { - return __set_endpoint_flags(flags); - } + if ( bound == 0/tcp ) + { + local e = getenv("BRO_DEFAULT_LISTEN_RETRY"); -function publish_topic(topic: string): bool - { - return __publish_topic(topic); - } + if ( e != "" ) + retry = double_to_interval(to_double(e)); -function unpublish_topic(topic: string): bool - { - return __unpublish_topic(topic); - } + if ( retry != 0secs ) + schedule retry { retry_listen(a, p, retry) }; + } -function listen(p: port, a: string &default = "", reuse: bool &default = T): bool - { - return __listen(p, a, reuse); - } + return bound; + } -function connect(a: string, p: port, retry: interval): bool - { - return __connect(a, p, retry); - } +function peer(a: string, p: port, retry: interval): bool + { + return __peer(a, p, retry); + } -function disconnect(a: string, p: port): bool - { - return __disconnect(a, p); - } +function unpeer(a: string, p: port): bool + { + return __unpeer(a, p); + } -function send_print(topic: string, msg: string, flags: SendFlags &default = SendFlags()): bool - { - return __send_print(topic, msg, flags); - } +function peers(): vector of PeerInfo + { + return __peers(); + } -function subscribe_to_prints(topic_prefix: string): bool - { - return __subscribe_to_prints(topic_prefix); - } +function node_id(): string + { + return __node_id(); + } -function unsubscribe_to_prints(topic_prefix: string): bool - { - return __unsubscribe_to_prints(topic_prefix); - } +function flush_logs(): count + { + return __flush_logs(); + } -function send_event(topic: string, args: 
EventArgs, flags: SendFlags &default = SendFlags()): bool - { - return __event(topic, args, flags); - } +function publish_id(topic: string, id: string): bool + { + return __publish_id(topic, id); + } -function auto_event(topic: string, ev: any, flags: SendFlags &default = SendFlags()): bool - { - return __auto_event(topic, ev, flags); - } +function subscribe(topic_prefix: string): bool + { + return __subscribe(topic_prefix); + } -function auto_event_stop(topic: string, ev: any): bool - { - return __auto_event_stop(topic, ev); - } +function unsubscribe(topic_prefix: string): bool + { + return __unsubscribe(topic_prefix); + } -function subscribe_to_events(topic_prefix: string): bool - { - return __subscribe_to_events(topic_prefix); - } +function auto_publish(topic: string, ev: any): bool + { + return __auto_publish(topic, ev); + } -function unsubscribe_to_events(topic_prefix: string): bool - { - return __unsubscribe_to_events(topic_prefix); - } - -function enable_remote_logs(id: Log::ID, flags: SendFlags &default = SendFlags()): bool - { - return __enable_remote_logs(id, flags); - } - -function disable_remote_logs(id: Log::ID): bool - { - return __disable_remote_logs(id); - } - -function remote_logs_enabled(id: Log::ID): bool - { - return __remote_logs_enabled(id); - } - -function subscribe_to_logs(topic_prefix: string): bool - { - return __subscribe_to_logs(topic_prefix); - } - -function unsubscribe_to_logs(topic_prefix: string): bool - { - return __unsubscribe_to_logs(topic_prefix); - } - -@endif +function auto_unpublish(topic: string, ev: any): bool + { + return __auto_unpublish(topic, ev); + } diff --git a/scripts/base/frameworks/broker/store.bro b/scripts/base/frameworks/broker/store.bro index 8640e80648..2e216afa93 100644 --- a/scripts/base/frameworks/broker/store.bro +++ b/scripts/base/frameworks/broker/store.bro 
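Review bot: In `listen()`, a malformed `BRO_DEFAULT_LISTEN_RETRY` appears to turn retries off silently: `to_double(e)` presumably yields 0 for non-numeric text, `retry` becomes a zero interval, and the `retry != 0secs` test then skips the reschedule even when the caller passed a non-zero value. If zero is not meant as a way to disable retries from the environment, keep the caller's value unless the parsed number is positive, e.g. `local r = to_double(e);` then `if ( r > 0.0 ) retry = double_to_interval(r);`; if it is, say so in the `default_listen_retry` comment. The variable is read only after a failed bind, which deserves a one-line comment as well. `peer()` forwards `retry` unchanged, so the documented `BRO_DEFAULT_CONNECT_RETRY` override must live in `__peer`, which is not visible here.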
@@ -1,4 +1,4 @@ -##! Various data structure definitions for use with Bro's communication system. +##! The Broker-based data store API and its various options. @load ./main @load base/bif/data.bif @@ -6,6 +6,24 @@ module Broker; export { + ## The default frequency at which clones will attempt to + ## reconnect/resynchronize with their master in the event that they become + ## disconnected. + const default_clone_resync_interval = 10sec &redef; + + ## The duration after which a clone that is disconnected from its master + ## will begin to treat its local cache as stale. In the stale state, + ## queries to the cache will timeout. A negative value indicates that + ## the local cache is never treated as stale. + const default_clone_stale_interval = 5min &redef; + + ## The maximum amount of time that a disconnected clone will + ## buffer data store mutation commands. If the clone reconnects before + ## this time, it will replay all stored commands. Note that this doesn't + ## completely prevent the loss of store updates: all mutation messages + ## are fire-and-forget and not explicitly acknowledged by the master. + ## A negative/zero value indicates to never buffer commands. + const default_clone_mutation_buffer_interval = 2min &redef; ## Whether a data store query could be completed or not. type QueryStatus: enum { @@ -13,15 +31,6 @@ export { FAILURE, }; - ## An expiry time for a key-value pair inserted in to a data store. - type ExpiryTime: record { - ## Absolute point in time at which to expire the entry. - absolute: time &optional; - ## A point in time relative to the last modification time at which - ## to expire the entry. New modifications will delay the expiration. - since_last_modification: interval &optional; - }; - ## The result of a data store query. type QueryResult: record { ## Whether the query completed or not. 
@@ -42,13 +51,17 @@ export { ## Options to tune the SQLite storage backend. type SQLiteOptions: record { ## File system path of the database. - path: string &default = "store.sqlite"; + ## If left empty, will be derived from the name of the store, + ## and use the '.sqlite' file suffix. + path: string &default = ""; }; ## Options to tune the RocksDB storage backend. type RocksDBOptions: record { ## File system path of the database. - path: string &default = "store.rocksdb"; + ## If left empty, will be derived from the name of the store, + ## and use the '.rocksdb' file suffix. + path: string &default = ""; }; ## Options to tune the particular storage backends. 
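Review bot: The new empty default for `path` in `SQLiteOptions` and `RocksDBOptions` is described as derived from the store name, but neither comment says which directory the file lands in or what happens when a name contains `/` or `..`. Store names are plain strings handed to `create_master`, so the comment should pin this down, for example `## If left empty, the file is created in <base directory> as <store name>.sqlite; the name is used as given.` with the placeholder filled in from the implementation, which this hunk does not show. Both records start and end outside the hunk.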
@@ -57,54 +70,52 @@ export { rocksdb: RocksDBOptions &default = RocksDBOptions(); }; -@ifdef ( Broker::__enable ) - ## Create a master data store which contains key-value pairs. ## - ## id: a unique name for the data store. + ## name: a unique name for the data store. ## ## b: the storage backend to use. ## ## options: tunes how some storage backends operate. ## ## Returns: a handle to the data store. - global create_master: function(id: string, b: BackendType &default = MEMORY, - options: BackendOptions &default = BackendOptions()): opaque of Broker::Handle; + global create_master: function(name: string, b: BackendType &default = MEMORY, + options: BackendOptions &default = BackendOptions()): opaque of Broker::Store; ## Create a clone of a master data store which may live with a remote peer. - ## A clone automatically synchronizes to the master by automatically + ## A clone automatically synchronizes to the master by ## receiving modifications and applying them locally. Direct modifications ## are not possible, they must be sent through the master store, which then ## automatically broadcasts the changes out to clones. But queries may be ## made directly against the local cloned copy, which may be resolved ## quicker than reaching out to a remote master store. ## - ## id: the unique name which identifies the master data store. + ## name: the unique name which identifies the master data store. ## - ## b: the storage backend to use. + ## resync_interval: the frequency at which a clone that is disconnected from + ## its master attempts to reconnect with it. ## - ## options: tunes how some storage backends operate. + ## stale_interval: the duration after which a clone that is disconnected + ## from its master will begin to treat its local cache as + ## stale. In this state, queries to the clone will timeout. + ## A negative value indicates that the local cache is never + ## treated as stale. 
## - ## resync: the interval at which to re-attempt synchronizing with the master - ## store should the connection be lost. If the clone has not yet - ## synchronized for the first time, updates and queries queue up - ## until the synchronization completes. After, if the connection - ## to the master store is lost, queries continue to use the clone's - ## version, but updates will be lost until the master is once again - ## available. + ## mutation_buffer_interval: the amount of time to buffer data store update + ## messages once a clone detects its master is + ## unavailable. If the clone reconnects before + ## this time, it will replay all buffered + ## commands. Note that this doesn't completely + ## prevent the loss of store updates: all mutation + ## messages are fire-and-forget and not explicitly + ## acknowledged by the master. A negative/zero + ## value indicates that commands never buffer. ## ## Returns: a handle to the data store. - global create_clone: function(id: string, b: BackendType &default = MEMORY, - options: BackendOptions &default = BackendOptions(), - resync: interval &default = 1sec): opaque of Broker::Handle; - - ## Create a frontend interface to an existing master data store that allows - ## querying and updating its contents. - ## - ## id: the unique name which identifies the master data store. - ## - ## Returns: a handle to the data store. - global create_frontend: function(id: string): opaque of Broker::Handle; + global create_clone: function(name: string, + resync_interval: interval &default = default_clone_resync_interval, + stale_interval: interval &default = default_clone_stale_interval, + mutation_buffer_interval: interval &default = default_clone_mutation_buffer_interval): opaque of Broker::Store; ## Close a data store. ## 
@@ -112,11 +123,68 @@ export { ## ## Returns: true if store was valid and is now closed. The handle can no ## longer be used for data store operations. - global close_by_handle: function(h: opaque of Broker::Handle): bool; + global close: function(h: opaque of Broker::Store): bool; - ########################### - # non-blocking update API # - ########################### + ## Check if a store is closed or not. + ## + ## Returns: true if the store is closed. + global is_closed: function(h: opaque of Broker::Store): bool; + + ## Get the name of a store. + ## + ## Returns: the name of the store. + global store_name: function(h: opaque of Broker::Store): string; + + ## Check if a key exists in a data store. + ## + ## h: the handle of the store to query. + ## + ## k: the key to lookup. + ## + ## Returns: True if the key exists in the data store. + global exists: function(h: opaque of Broker::Store, k: any): QueryResult; + + ## Lookup the value associated with a key in a data store. + ## + ## h: the handle of the store to query. + ## + ## k: the key to lookup. + ## + ## Returns: the result of the query. + global get: function(h: opaque of Broker::Store, k: any): QueryResult; + + ## Insert a key-value pair in to the store, but only if the key does not + ## already exist. + ## + ## h: the handle of the store to modify. + ## + ## k: the key to insert. + ## + ## v: the value to insert. + ## + ## e: the expiration interval of the key-value pair. + ## + ## Returns: the result of the query which is a boolean data value that is + ## true if the insertion happened, or false if it was rejected + ## due to the key already existing. + global put_unique: function(h: opaque of Broker::Store, + k: any, v: any, e: interval &default=0sec): QueryResult; + + ## Retrieve a specific index from an existing container value. This + ## is supported for values of types set, table, and vector. + ## + ## h: the handle of the store to query. + ## + ## k: the key of the container value to lookup. 
+ ## + ## i: the index to retrieve from the container value. + ## + ## Returns: For tables and vectors, the value at the given index, or + ## failure if the index doesn't exist. For sets, a boolean + ## indicating whether the index exists. Returns failure if the key + ## does not exist at all. + global get_index_from_value: function(h: opaque of Broker::Store, + k: any, i: any): QueryResult; ## Insert a key-value pair in to the store. ## @@ -126,12 +194,11 @@ export { ## ## v: the value to insert. ## - ## e: the expiration time of the key-value pair. + ## e: the expiration interval of the key-value pair. ## ## Returns: false if the store handle was not valid. - global insert: function(h: opaque of Broker::Handle, - k: Broker::Data, v: Broker::Data, - e: Broker::ExpiryTime &default = Broker::ExpiryTime()): bool; + global put: function(h: opaque of Broker::Store, + k: any, v: any, e: interval &default=0sec) : bool; ## Remove a key-value pair from the store. ## 
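Review bot: The `exists` comment reads `Returns: True if the key exists in the data store`, but the declared return type is `QueryResult`, so a caller has to check the status before reading any boolean out of it. The text should follow the wording used for `get` and `put_unique`, for example `## Returns: the result of the query; on success it holds a boolean that is true if the key exists.` (assuming the result carries that boolean, as the `put_unique` comment describes for its own result). `is_closed` and `store_name` are also missing an `## h:` line for the handle parameter. The `export` block around these declarations begins and ends outside the hunk.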
@@ -140,261 +207,186 @@ export { ## k: the key to remove. ## ## Returns: false if the store handle was not valid. - global erase: function(h: opaque of Broker::Handle, k: Broker::Data): bool; + global erase: function(h: opaque of Broker::Store, k: any) : bool; - ## Remove all key-value pairs from the store. + ## Increments an existing value by a given amount. This is supported for all + ## numerical types, as well as for timestamps. ## ## h: the handle of the store to modify. ## + ## k: the key whose associated value is to be modified. The key must + ## already exist. + ## + ## a: the amount to increment the value by. + ## + ## e: the new expiration interval of the modified key. If null, the + ## current expiration time isn't changed. + ## ## Returns: false if the store handle was not valid. - global clear: function(h: opaque of Broker::Handle): bool; + global increment: function(h: opaque of Broker::Store, k: any, + a: any &default = 1, + e: interval &default=0sec) : bool; - ## Increment an integer value in a data store. + ## Decrements an existing value by a given amount. This is supported for all + ## numerical types, as well as for timestamps. ## ## h: the handle of the store to modify. ## - ## k: the key whose associated value is to be modified. + ## k: the key whose associated value is to be modified. The key must + ## already exist. ## - ## by: the amount to increment the value by. A non-existent key will first - ## create it with an implicit value of zero before incrementing. + ## amount: the amount to decrement the value by. + ## + ## e: the new expiration interval of the modified key. If null, the current + ## expiration time isn't changed. ## ## Returns: false if the store handle was not valid. 
- global increment: function(h: opaque of Broker::Handle, - k: Broker::Data, by: int &default = +1): bool; + global decrement: function(h: opaque of Broker::Store, k: any, + a: any &default = 1, + e: interval &default=0sec) : bool; - ## Decrement an integer value in a data store. + ## Extends an existing string with another. ## ## h: the handle of the store to modify. ## - ## k: the key whose associated value is to be modified. + ## k: the key whose associated value is to be modified. The key must + ## already exist. ## - ## by: the amount to decrement the value by. A non-existent key will first - ## create it with an implicit value of zero before decrementing. + ## s: the string to append. + ## + ## e: the new expiration interval of the modified key. If null, the + ## current expiration time isn't changed. ## ## Returns: false if the store handle was not valid. - global decrement: function(h: opaque of Broker::Handle, - k: Broker::Data, by: int &default = +1): bool; + global append: function(h: opaque of Broker::Store, k: any, s: string, + e: interval &default=0sec) : bool; - ## Add an element to a set value in a data store. + ## Inserts an element into an existing set. ## ## h: the handle of the store to modify. ## - ## k: the key whose associated value is to be modified. + ## k: the key whose associated value is to be modified. The key must + ## already exist. ## - ## element: the element to add to the set. A non-existent key will first - ## create it with an implicit empty set value before modifying. + ## i: the index to insert into the set. + ## + ## e: the new expiration interval of the modified key. If null, the + ## current expiration time isn't changed. ## ## Returns: false if the store handle was not valid. 
- global add_to_set: function(h: opaque of Broker::Handle, - k: Broker::Data, element: Broker::Data): bool; + global insert_into_set: function(h: opaque of Broker::Store, + k: any, i: any, + e: interval &default=0sec) : bool; - ## Remove an element from a set value in a data store. + ## Inserts an element into an existing table. ## ## h: the handle of the store to modify. ## - ## k: the key whose associated value is to be modified. + ## k: the key whose associated value is to be modified. The key must + ## already exist. ## - ## element: the element to remove from the set. A non-existent key will - ## implicitly create an empty set value associated with the key. + ## i: the index to insert into the table + ## + ## v: the value to associate with the index. + ## + ## e: the new expiration interval of the modified key. If null, the + ## current expiration time isn't changed. ## ## Returns: false if the store handle was not valid. - global remove_from_set: function(h: opaque of Broker::Handle, - k: Broker::Data, element: Broker::Data): bool; + global insert_into_table: function(h: opaque of Broker::Store, + k: any, i: any, v: any, + e: interval &default=0sec) : bool; - ## Add a new item to the head of a vector value in a data store. + ## Removes an element from an existing set or table. ## - ## h: the handle of store to modify. + ## h: the handle of the store to modify. ## - ## k: the key whose associated value is to be modified. + ## k: the key whose associated value is to be modified. The key must + ## already exist. ## - ## items: the element to insert in to the vector. A non-existent key will - ## first create an empty vector value before modifying. + ## i: the index to remove from the set or table. + ## + ## e: the new expiration interval of the modified key. If null, the + ## current expiration time isn't changed. ## ## Returns: false if the store handle was not valid. 
- global push_left: function(h: opaque of Broker::Handle, k: Broker::Data, - items: Broker::DataVector): bool; + global remove_from: function(h: opaque of Broker::Store, + k: any, i: any, + e: interval &default=0sec) : bool; - ## Add a new item to the tail of a vector value in a data store. + ## Appends an element to an existing vector. ## - ## h: the handle of store to modify. + ## h: the handle of the store to modify. ## - ## k: the key whose associated value is to be modified. + ## k: the key whose associated value is to be modified. The key must + ## already exist. ## - ## items: the element to insert in to the vector. A non-existent key will - ## first create an empty vector value before modifying. + ## b: the value to append to the vector. + ## + ## e: the new expiration interval of the modified key. If null, the + ## current expiration time isn't changed. ## ## Returns: false if the store handle was not valid. - global push_right: function(h: opaque of Broker::Handle, k: Broker::Data, - items: Broker::DataVector): bool; + global push: function(h: opaque of Broker::Store, + k: any, v: any, + e: interval &default=0sec) : bool; + + ## Removes the last element of an existing vector. + ## + ## h: the handle of the store to modify. + ## + ## k: the key whose associated value is to be modified. The key must + ## already exist. + ## + ## e: the new expiration interval of the modified key. If null, the + ## current expiration time isn't changed. + ## + ## Returns: false if the store handle was not valid. + global pop: function(h: opaque of Broker::Store, + k: any, + e: interval &default=0sec) : bool; + + ## Returns a set with all of a store's keys. The results reflect a snapshot + ## in time that may diverge from reality soon afterwards. When acessing + ## any of the element, it may no longer actually be there. The function is + ## also expensive for large stores, as it copies the complete set. + ## + ## Returns: a set with the keys. 
If you expect the keys to be of + ## non-uniform type, consider using + ## :bro:see:`Broker::set_iterator` to iterate over the result. + global keys: function(h: opaque of Broker::Store): QueryResult; + + ## Deletes all of a store's content, it will be empty afterwards. + ## + ## Returns: false if the store handle was not valid. + global clear: function(h: opaque of Broker::Store) : bool; ########################## - # non-blocking query API # - ########################## - - ## Pop the head of a data store vector value. - ## - ## h: the handle of the store to query. - ## - ## k: the key associated with the vector to modify. - ## - ## Returns: the result of the query. - global pop_left: function(h: opaque of Broker::Handle, - k: Broker::Data): QueryResult; - - ## Pop the tail of a data store vector value. - ## - ## h: the handle of the store to query. - ## - ## k: the key associated with the vector to modify. - ## - ## Returns: the result of the query. - global pop_right: function(h: opaque of Broker::Handle, - k: Broker::Data): QueryResult; - - ## Lookup the value associated with a key in a data store. - ## - ## h: the handle of the store to query. - ## - ## k: the key to lookup. - ## - ## Returns: the result of the query. - global lookup: function(h: opaque of Broker::Handle, - k: Broker::Data): QueryResult; - - ## Check if a data store contains a given key. - ## - ## h: the handle of the store to query. - ## - ## k: the key to check for existence. - ## - ## Returns: the result of the query (uses :bro:see:`Broker::BOOL`). - global exists: function(h: opaque of Broker::Handle, - k: Broker::Data): QueryResult; - - ## Retrieve all keys in a data store. - ## - ## h: the handle of the store to query. - ## - ## Returns: the result of the query (uses :bro:see:`Broker::VECTOR`). - global keys: function(h: opaque of Broker::Handle): QueryResult; - - ## Get the number of key-value pairs in a data store. - ## - ## h: the handle of the store to query. 
- ## - ## Returns: the result of the query (uses :bro:see:`Broker::COUNT`). - global size: function(h: opaque of Broker::Handle): QueryResult; - - ########################## - # data API # + # Data API # ########################## ## Convert any Bro value to communication data. ## + ## .. note:: Normally you won't need to use this function as data + ## conversion happens implicitly when passing Bro values into Broker + ## functions. + ## ## d: any Bro value to attempt to convert (not all types are supported). ## - ## Returns: the converted communication data. The returned record's optional - ## field will not be set if the conversion was not possible (this can - ## happen if the Bro data type does not support being converted to - ## communication data). + ## Returns: the converted communication data. If the supplied Bro data + ## type does not support conversion to communication data, the + ## returned record's optional field will not be set. global data: function(d: any): Broker::Data; ## Retrieve the type of data associated with communication data. ## ## d: the communication data. ## - ## Returns: the data type associated with the communication data. + ## Returns: The data type associated with the communication data. + ## Note that broker represents records in the same way as + ## vectors, so there is no "record" type. global data_type: function(d: Broker::Data): Broker::DataType; - ## Convert communication data with a type of :bro:see:`Broker::BOOL` to - ## an actual Bro value. - ## - ## d: the communication data to convert. - ## - ## Returns: the value retrieved from the communication data. - global refine_to_bool: function(d: Broker::Data): bool; - - ## Convert communication data with a type of :bro:see:`Broker::INT` to - ## an actual Bro value. - ## - ## d: the communication data to convert. - ## - ## Returns: the value retrieved from the communication data. 
- global refine_to_int: function(d: Broker::Data): int; - - ## Convert communication data with a type of :bro:see:`Broker::COUNT` to - ## an actual Bro value. - ## - ## d: the communication data to convert. - ## - ## Returns: the value retrieved from the communication data. - global refine_to_count: function(d: Broker::Data): count; - - ## Convert communication data with a type of :bro:see:`Broker::DOUBLE` to - ## an actual Bro value. - ## - ## d: the communication data to convert. - ## - ## Returns: the value retrieved from the communication data. - global refine_to_double: function(d: Broker::Data): double; - - ## Convert communication data with a type of :bro:see:`Broker::STRING` to - ## an actual Bro value. - ## - ## d: the communication data to convert. - ## - ## Returns: the value retrieved from the communication data. - global refine_to_string: function(d: Broker::Data): string; - - ## Convert communication data with a type of :bro:see:`Broker::ADDR` to - ## an actual Bro value. - ## - ## d: the communication data to convert. - ## - ## Returns: the value retrieved from the communication data. - global refine_to_addr: function(d: Broker::Data): addr; - - ## Convert communication data with a type of :bro:see:`Broker::SUBNET` to - ## an actual Bro value. - ## - ## d: the communication data to convert. - ## - ## Returns: the value retrieved from the communication data. - global refine_to_subnet: function(d: Broker::Data): subnet; - - ## Convert communication data with a type of :bro:see:`Broker::PORT` to - ## an actual Bro value. - ## - ## d: the communication data to convert. - ## - ## Returns: the value retrieved from the communication data. - global refine_to_port: function(d: Broker::Data): port; - - ## Convert communication data with a type of :bro:see:`Broker::TIME` to - ## an actual Bro value. - ## - ## d: the communication data to convert. - ## - ## Returns: the value retrieved from the communication data. 
- global refine_to_time: function(d: Broker::Data): time; - - ## Convert communication data with a type of :bro:see:`Broker::INTERVAL` to - ## an actual Bro value. - ## - ## d: the communication data to convert. - ## - ## Returns: the value retrieved from the communication data. - global refine_to_interval: function(d: Broker::Data): interval; - - ## Convert communication data with a type of :bro:see:`Broker::ENUM` to - ## the name of the enum value. :bro:see:`lookup_ID` may be used to convert - ## the name to the actual enum value. - ## - ## d: the communication data to convert. - ## - ## Returns: the enum name retrieved from the communication data. - global refine_to_enum_name: function(d: Broker::Data): string; - ## Create communication data of type "set". global set_create: function(): Broker::Data; @@ -403,7 +395,7 @@ export { ## s: the set to clear. ## ## Returns: always true. - global set_clear: function(s: Broker::Data): bool; + global set_clear: function(s: Broker::Data) : bool; ## Get the number of elements within a set. ## @@ -419,7 +411,7 @@ export { ## key: the element to check for existence. ## ## Returns: true if the key exists in the set. - global set_contains: function(s: Broker::Data, key: Broker::Data): bool; + global set_contains: function(s: Broker::Data, key: any) : bool; ## Insert an element into a set. ## @@ -428,7 +420,7 @@ export { ## key: the element to insert. ## ## Returns: true if the key was inserted, or false if it already existed. - global set_insert: function(s: Broker::Data, key: Broker::Data): bool; + global set_insert: function(s: Broker::Data, key: any) : bool; ## Remove an element from a set. ## 
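Review bot: Two of the new doc comments name parameters that do not exist in the signatures: `decrement` documents `amount` while the parameter is `a`, and `push` documents `b` while the parameter is `v`. I would change them to `## a: the amount to decrement the value by.` and `## v: the value to append to the vector.`. The `e` lines say "If null", but `e` is an `interval` with `&default=0sec`, so the text should name `0sec` as the value that leaves the expiration unchanged, if that is the intent. The mutators now state that the key must already exist where the old text created it implicitly, yet `Returns:` still covers only an invalid handle, so the outcome for a missing key is undocumented. The `keys` comment also has a typo ("acessing").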
@@ -437,7 +429,7 @@ export { ## key: the element to remove. ## ## Returns: true if the element existed in the set and is now removed. - global set_remove: function(s: Broker::Data, key: Broker::Data): bool; + global set_remove: function(s: Broker::Data, key: any) : bool; ## Create an iterator for a set. Note that this makes a copy of the set ## internally to ensure the iterator is always valid. @@ -453,7 +445,7 @@ export { ## ## Returns: true if there are no more elements to iterator over, i.e. ## the iterator is one-past-the-final-element. - global set_iterator_last: function(it: opaque of Broker::SetIterator): bool; + global set_iterator_last: function(it: opaque of Broker::SetIterator) : bool; ## Advance an iterator. ## @@ -462,7 +454,7 @@ export { ## Returns: true if the iterator, after advancing, still references an element ## in the collection. False if the iterator, after advancing, is ## one-past-the-final-element. - global set_iterator_next: function(it: opaque of Broker::SetIterator): bool; + global set_iterator_next: function(it: opaque of Broker::SetIterator) : bool; ## Retrieve the data at an iterator's current position. ## @@ -479,7 +471,7 @@ export { ## t: the table to clear. ## ## Returns: always true. - global table_clear: function(t: Broker::Data): bool; + global table_clear: function(t: Broker::Data) : bool; ## Get the number of elements within a table. ## @@ -495,7 +487,7 @@ export { ## key: the key to check for existence. ## ## Returns: true if the key exists in the table. - global table_contains: function(t: Broker::Data, key: Broker::Data): bool; + global table_contains: function(t: Broker::Data, key: any) : bool; ## Insert a key-value pair into a table. ## 
@@ -507,7 +499,7 @@ export { ## ## Returns: true if the key-value pair was inserted, or false if the key ## already existed in the table. - global table_insert: function(t: Broker::Data, key: Broker::Data, val: Broker::Data): Broker::Data; + global table_insert: function(t: Broker::Data, key: any, val: any): Broker::Data; ## Remove a key-value pair from a table. ## @@ -517,7 +509,7 @@ export { ## ## Returns: the value associated with the key. If the key did not exist, then ## the optional field of the returned record is not set. - global table_remove: function(t: Broker::Data, key: Broker::Data): Broker::Data; + global table_remove: function(t: Broker::Data, key: any): Broker::Data; ## Retrieve a value from a table. ## @@ -527,7 +519,7 @@ export { ## ## Returns: the value associated with the key. If the key did not exist, then ## the optional field of the returned record is not set. - global table_lookup: function(t: Broker::Data, key: Broker::Data): Broker::Data; + global table_lookup: function(t: Broker::Data, key: any): Broker::Data; ## Create an iterator for a table. Note that this makes a copy of the table ## internally to ensure the iterator is always valid. @@ -543,7 +535,7 @@ export { ## ## Returns: true if there are no more elements to iterator over, i.e. ## the iterator is one-past-the-final-element. - global table_iterator_last: function(it: opaque of Broker::TableIterator): bool; + global table_iterator_last: function(it: opaque of Broker::TableIterator) : bool; ## Advance an iterator. ## @@ -552,7 +544,7 @@ export { ## Returns: true if the iterator, after advancing, still references an element ## in the collection. False if the iterator, after advancing, is ## one-past-the-final-element. - global table_iterator_next: function(it: opaque of Broker::TableIterator): bool; + global table_iterator_next: function(it: opaque of Broker::TableIterator) : bool; ## Retrieve the data at an iterator's current position. ## 
@@ -569,7 +561,7 @@ export { ## v: the vector to clear. ## ## Returns: always true. - global vector_clear: function(v: Broker::Data): bool; + global vector_clear: function(v: Broker::Data) : bool; ## Get the number of elements within a vector. ## @@ -589,7 +581,7 @@ export { ## current size of the vector, the element is inserted at the end. ## ## Returns: always true. - global vector_insert: function(v: Broker::Data, d: Broker::Data, idx: count): bool; + global vector_insert: function(v: Broker::Data, idx: count, d: any) : bool; ## Replace an element in a vector at a particular position. ## @@ -601,7 +593,7 @@ export { ## ## Returns: the value that was just evicted. If the index was larger than any ## valid index, the optional field of the returned record is not set. - global vector_replace: function(v: Broker::Data, d: Broker::Data, idx: count): Broker::Data; + global vector_replace: function(v: Broker::Data, idx: count, d: any): Broker::Data; ## Remove an element from a vector at a particular position. ## @@ -637,7 +629,7 @@ export { ## ## Returns: true if there are no more elements to iterator over, i.e. ## the iterator is one-past-the-final-element. - global vector_iterator_last: function(it: opaque of Broker::VectorIterator): bool; + global vector_iterator_last: function(it: opaque of Broker::VectorIterator) : bool; ## Advance an iterator. ## @@ -646,7 +638,7 @@ export { ## Returns: true if the iterator, after advancing, still references an element ## in the collection. False if the iterator, after advancing, is ## one-past-the-final-element. - global vector_iterator_next: function(it: opaque of Broker::VectorIterator): bool; + global vector_iterator_next: function(it: opaque of Broker::VectorIterator) : bool; ## Retrieve the data at an iterator's current position. ## 
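Review bot: `vector_insert` swaps its last two parameters from `(v, d, idx)` to `(v, idx, d)` at the same time as `d` becomes `any`, so a call migrated only by dropping the `Broker::data()` wrapper, such as `vector_insert(v, 5, 0)`, would still type-check and write the wrong value at the wrong index. The same swap is made to `vector_replace` in the next hunk, to `record_assign`, and to the three matching definitions further down. I would add a line to each doc comment, e.g. `## .. note:: the argument order is (v, idx, d); earlier versions took (v, d, idx).`, and list the parameter descriptions in the new order. The doc comments start outside these hunks, so their current order cannot be checked from here.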
@@ -678,7 +670,7 @@ export { ## idx: the index to replace. ## ## Returns: false if the index was larger than any valid index, else true. - global record_assign: function(r: Broker::Data, d: Broker::Data, idx: count): bool; + global record_assign: function(r: Broker::Data, idx: count, d: any) : bool; ## Lookup a field in a record at a particular position. ## @@ -705,7 +697,7 @@ export { ## ## Returns: true if there are no more elements to iterator over, i.e. ## the iterator is one-past-the-final-element. - global record_iterator_last: function(it: opaque of Broker::RecordIterator): bool; + global record_iterator_last: function(it: opaque of Broker::RecordIterator) : bool; ## Advance an iterator. ## @@ -714,7 +706,7 @@ export { ## Returns: true if the iterator, after advancing, still references an element ## in the collection. False if the iterator, after advancing, is ## one-past-the-final-element. - global record_iterator_next: function(it: opaque of Broker::RecordIterator): bool; + global record_iterator_next: function(it: opaque of Broker::RecordIterator) : bool; ## Retrieve the data at an iterator's current position. ## 
@@ -722,124 +714,121 @@ export { ## ## Returns: element in the collection that the iterator currently references. global record_iterator_value: function(it: opaque of Broker::RecordIterator): Broker::Data; - -@endif } @load base/bif/store.bif module Broker; -@ifdef ( Broker::__enable ) - -function create_master(id: string, b: BackendType &default = MEMORY, - options: BackendOptions &default = BackendOptions()): opaque of Broker::Handle +function create_master(name: string, b: BackendType &default = MEMORY, + options: BackendOptions &default = BackendOptions()): opaque of Broker::Store { - return __create_master(id, b, options); + return __create_master(name, b, options); } -function create_clone(id: string, b: BackendType &default = MEMORY, - options: BackendOptions &default = BackendOptions(), - resync: interval &default = 1sec): opaque of Broker::Handle +function create_clone(name: string, + resync_interval: interval &default = default_clone_resync_interval, + stale_interval: interval &default = default_clone_stale_interval, + mutation_buffer_interval: interval &default = default_clone_mutation_buffer_interval): opaque of Broker::Store { - return __create_clone(id, b, options, resync); + return __create_clone(name, resync_interval, stale_interval, + mutation_buffer_interval); } -function create_frontend(id: string): opaque of Broker::Handle +function close(h: opaque of Broker::Store): bool { - return __create_frontend(id); + return __close(h); } -function close_by_handle(h: opaque of Broker::Handle): bool +function is_closed(h: opaque of Broker::Store): bool { - return __close_by_handle(h); + return __is_closed(h); } -function insert(h: opaque of Broker::Handle, k: Broker::Data, v: Broker::Data, - e: Broker::ExpiryTime &default = Broker::ExpiryTime()): bool +function store_name(h: opaque of Broker::Store): string { - return __insert(h, k, v, e); + return __store_name(h); } -function erase(h: opaque of Broker::Handle, k: Broker::Data): bool - { - return __erase(h, 
k); - } - -function clear(h: opaque of Broker::Handle): bool - { - return __clear(h); - } - -function increment(h: opaque of Broker::Handle, - k: Broker::Data, by: int &default = +1): bool - { - return __increment(h, k, by); - } - -function decrement(h: opaque of Broker::Handle, - k: Broker::Data, by: int &default = +1): bool - { - return __decrement(h, k, by); - } - -function add_to_set(h: opaque of Broker::Handle, - k: Broker::Data, element: Broker::Data): bool - { - return __add_to_set(h, k, element); - } - -function remove_from_set(h: opaque of Broker::Handle, - k: Broker::Data, element: Broker::Data): bool - { - return __remove_from_set(h, k, element); - } - -function push_left(h: opaque of Broker::Handle, k: Broker::Data, - items: Broker::DataVector): bool - { - return __push_left(h, k, items); - } - -function push_right(h: opaque of Broker::Handle, k: Broker::Data, - items: Broker::DataVector): bool - { - return __push_right(h, k, items); - } - -function pop_left(h: opaque of Broker::Handle, k: Broker::Data): QueryResult - { - return __pop_left(h, k); - } - -function pop_right(h: opaque of Broker::Handle, k: Broker::Data): QueryResult - { - return __pop_right(h, k); - } - -function lookup(h: opaque of Broker::Handle, k: Broker::Data): QueryResult - { - return __lookup(h, k); - } - -function exists(h: opaque of Broker::Handle, k: Broker::Data): QueryResult +function exists(h: opaque of Broker::Store, k: any): QueryResult { return __exists(h, k); } -function keys(h: opaque of Broker::Handle): QueryResult +function get(h: opaque of Broker::Store, k: any): QueryResult + { + return __get(h, k); + } + +function put_unique(h: opaque of Broker::Store, k: any, v: any, + e: interval &default=0sec): QueryResult + { + return __put_unique(h, k, v, e); + } + +function get_index_from_value(h: opaque of Broker::Store, k: any, i: any): QueryResult + { + return __get_index_from_value(h, k, i); + } + +function keys(h: opaque of Broker::Store): QueryResult { return __keys(h); } 
-function size(h: opaque of Broker::Handle): QueryResult +function put(h: opaque of Broker::Store, k: any, v: any, e: interval) : bool { - return __size(h); + return __put(h, k, v, e); } -function data(d: any): Broker::Data +function erase(h: opaque of Broker::Store, k: any) : bool { - return __data(d); + return __erase(h, k); + } + +function increment(h: opaque of Broker::Store, k: any, a: any, e: interval) : bool + { + return __increment(h, k, a, e); + } + +function decrement(h: opaque of Broker::Store, k: any, a: any, e: interval) : bool + { + return __decrement(h, k, a, e); + } + +function append(h: opaque of Broker::Store, k: any, s: string, e: interval) : bool + { + return __append(h, k, s, e); + } + +function insert_into_set(h: opaque of Broker::Store, k: any, i: any, e: interval) : bool + { + return __insert_into_set(h, k, i, e); + } + +function insert_into_table(h: opaque of Broker::Store, k: any, i: any, v: any, e: interval) : bool + { + return __insert_into_table(h, k, i, v, e); + } + +function remove_from(h: opaque of Broker::Store, k: any, i: any, e: interval) : bool + { + return __remove_from(h, k, i, e); + } + +function push(h: opaque of Broker::Store, k: any, v: any, e: interval) : bool + { + return __push(h, k, v, e); + } + +function pop(h: opaque of Broker::Store, k: any, e: interval) : bool + { + return __pop(h, k, e); + } + +function clear(h: opaque of Broker::Store) : bool + { + return __clear(h); } function data_type(d: Broker::Data): Broker::DataType 
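Review bot: The definition of `put_unique` repeats `e: interval &default=0sec`, while `put`, `increment`, `decrement`, `append`, `insert_into_set`, `insert_into_table`, `remove_from`, `push` and `pop` in the same hunk leave their defaults to the `export` declarations. Using one form throughout saves the reader from wondering whether the defaults still apply to the others; the shorter one would be `function put_unique(h: opaque of Broker::Store, k: any, v: any, e: interval): QueryResult`. The new definitions also mix `) : bool` with `): QueryResult`, and the last parameter line of `create_clone` is far longer than its neighbours; wrapping the return type onto its own line would match the rest of the file.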
@@ -847,59 +836,9 @@ function data_type(d: Broker::Data): Broker::DataType return __data_type(d); } -function refine_to_bool(d: Broker::Data): bool +function data(d: any): Broker::Data { - return __refine_to_bool(d); - } - -function refine_to_int(d: Broker::Data): int - { - return __refine_to_int(d); - } - -function refine_to_count(d: Broker::Data): count - { - return __refine_to_count(d); - } - -function refine_to_double(d: Broker::Data): double - { - return __refine_to_double(d); - } - -function refine_to_string(d: Broker::Data): string - { - return __refine_to_string(d); - } - -function refine_to_addr(d: Broker::Data): addr - { - return __refine_to_addr(d); - } - -function refine_to_subnet(d: Broker::Data): subnet - { - return __refine_to_subnet(d); - } - -function refine_to_port(d: Broker::Data): port - { - return __refine_to_port(d); - } - -function refine_to_time(d: Broker::Data): time - { - return __refine_to_time(d); - } - -function refine_to_interval(d: Broker::Data): interval - { - return __refine_to_interval(d); - } - -function refine_to_enum_name(d: Broker::Data): string - { - return __refine_to_enum_name(d); + return __data(d); } function set_create(): Broker::Data @@ -907,7 +846,7 @@ function set_create(): Broker::Data return __set_create(); } -function set_clear(s: Broker::Data): bool +function set_clear(s: Broker::Data) : bool { return __set_clear(s); } @@ -917,17 +856,17 @@ function set_size(s: Broker::Data): count return __set_size(s); } -function set_contains(s: Broker::Data, key: Broker::Data): bool +function set_contains(s: Broker::Data, key: any) : bool { return __set_contains(s, key); } -function set_insert(s: Broker::Data, key: Broker::Data): bool +function set_insert(s: Broker::Data, key: any) : bool { return __set_insert(s, key); } -function set_remove(s: Broker::Data, key: Broker::Data): bool +function set_remove(s: Broker::Data, key: any) : bool { return __set_remove(s, key); } 
@@ -937,12 +876,12 @@ function set_iterator(s: Broker::Data): opaque of Broker::SetIterator return __set_iterator(s); } -function set_iterator_last(it: opaque of Broker::SetIterator): bool +function set_iterator_last(it: opaque of Broker::SetIterator) : bool { return __set_iterator_last(it); } -function set_iterator_next(it: opaque of Broker::SetIterator): bool +function set_iterator_next(it: opaque of Broker::SetIterator) : bool { return __set_iterator_next(it); } @@ -957,7 +896,7 @@ function table_create(): Broker::Data return __table_create(); } -function table_clear(t: Broker::Data): bool +function table_clear(t: Broker::Data) : bool { return __table_clear(t); } @@ -967,22 +906,22 @@ function table_size(t: Broker::Data): count return __table_size(t); } -function table_contains(t: Broker::Data, key: Broker::Data): bool +function table_contains(t: Broker::Data, key: any) : bool { return __table_contains(t, key); } -function table_insert(t: Broker::Data, key: Broker::Data, val: Broker::Data): Broker::Data +function table_insert(t: Broker::Data, key: any, val: any): Broker::Data { return __table_insert(t, key, val); } -function table_remove(t: Broker::Data, key: Broker::Data): Broker::Data +function table_remove(t: Broker::Data, key: any): Broker::Data { return __table_remove(t, key); } -function table_lookup(t: Broker::Data, key: Broker::Data): Broker::Data +function table_lookup(t: Broker::Data, key: any): Broker::Data { return __table_lookup(t, key); } @@ -992,12 +931,12 @@ function table_iterator(t: Broker::Data): opaque of Broker::TableIterator return __table_iterator(t); } -function table_iterator_last(it: opaque of Broker::TableIterator): bool +function table_iterator_last(it: opaque of Broker::TableIterator) : bool { return __table_iterator_last(it); } -function table_iterator_next(it: opaque of Broker::TableIterator): bool +function table_iterator_next(it: opaque of Broker::TableIterator) : bool { return __table_iterator_next(it); } 
@@ -1012,7 +951,7 @@ function vector_create(): Broker::Data return __vector_create(); } -function vector_clear(v: Broker::Data): bool +function vector_clear(v: Broker::Data) : bool { return __vector_clear(v); } @@ -1022,14 +961,14 @@ function vector_size(v: Broker::Data): count return __vector_size(v); } -function vector_insert(v: Broker::Data, d: Broker::Data, idx: count): bool +function vector_insert(v: Broker::Data, idx: count, d: any) : bool { - return __vector_insert(v, d, idx); + return __vector_insert(v, idx, d); } -function vector_replace(v: Broker::Data, d: Broker::Data, idx: count): Broker::Data +function vector_replace(v: Broker::Data, idx: count, d: any): Broker::Data { - return __vector_replace(v, d, idx); + return __vector_replace(v, idx, d); } function vector_remove(v: Broker::Data, idx: count): Broker::Data @@ -1047,12 +986,12 @@ function vector_iterator(v: Broker::Data): opaque of Broker::VectorIterator return __vector_iterator(v); } -function vector_iterator_last(it: opaque of Broker::VectorIterator): bool +function vector_iterator_last(it: opaque of Broker::VectorIterator) : bool { return __vector_iterator_last(it); } -function vector_iterator_next(it: opaque of Broker::VectorIterator): bool +function vector_iterator_next(it: opaque of Broker::VectorIterator) : bool { return __vector_iterator_next(it); } @@ -1072,9 +1011,9 @@ function record_size(r: Broker::Data): count return __record_size(r); } -function record_assign(r: Broker::Data, d: Broker::Data, idx: count): bool +function record_assign(r: Broker::Data, idx: count, d: any) : bool { - return __record_assign(r, d, idx); + return __record_assign(r, idx, d); } function record_lookup(r: Broker::Data, idx: count): Broker::Data 
@@ -1087,12 +1026,12 @@ function record_iterator(r: Broker::Data): opaque of Broker::RecordIterator return __record_iterator(r); } -function record_iterator_last(it: opaque of Broker::RecordIterator): bool +function record_iterator_last(it: opaque of Broker::RecordIterator) : bool { return __record_iterator_last(it); } -function record_iterator_next(it: opaque of Broker::RecordIterator): bool +function record_iterator_next(it: opaque of Broker::RecordIterator) : bool { return __record_iterator_next(it); } @@ -1102,4 +1041,3 @@ function record_iterator_value(it: opaque of Broker::RecordIterator): Broker::Da return __record_iterator_value(it); } -@endif diff --git a/scripts/base/frameworks/cluster/__load__.bro b/scripts/base/frameworks/cluster/__load__.bro index 1717b833ae..20060357a4 100644 --- a/scripts/base/frameworks/cluster/__load__.bro +++ b/scripts/base/frameworks/cluster/__load__.bro @@ -1,11 +1,16 @@ # Load the core cluster support. @load ./main +@load ./pools @if ( Cluster::is_enabled() ) # Give the node being started up it's peer name. redef peer_description = Cluster::node; +@if ( Cluster::enable_round_robin_logging ) +redef Broker::log_topic = Cluster::rr_log_topic; +@endif + # Add a cluster prefix. @prefixes += cluster @@ -19,13 +24,6 @@ redef peer_description = Cluster::node; @load ./setup-connections -# Don't load the listening script until we're a bit more sure that the -# cluster framework is actually being enabled. -@load frameworks/communication/listen - -## Set the port that this node is supposed to listen on. -redef Communication::listen_port = Cluster::nodes[Cluster::node]$p; - @if ( Cluster::local_node_type() == Cluster::MANAGER ) @load ./nodes/manager # If no logger is defined, then the manager receives logs. diff --git a/scripts/base/frameworks/cluster/main.bro b/scripts/base/frameworks/cluster/main.bro index 261f3f1026..25c0f4f63e 100644 --- a/scripts/base/frameworks/cluster/main.bro +++ b/scripts/base/frameworks/cluster/main.bro 
@@ -7,10 +7,111 @@ ##! ``@load base/frameworks/cluster``. @load base/frameworks/control +@load base/frameworks/broker module Cluster; export { + ## Whether to distribute log messages among available logging nodes. + const enable_round_robin_logging = T &redef; + + ## The topic name used for exchanging general messages that are relevant to + ## any node in a cluster. Used with broker-enabled cluster communication. + const broadcast_topic = "bro/cluster/broadcast" &redef; + + ## The topic name used for exchanging messages that are relevant to + ## logger nodes in a cluster. Used with broker-enabled cluster communication. + const logger_topic = "bro/cluster/logger" &redef; + + ## The topic name used for exchanging messages that are relevant to + ## manager nodes in a cluster. Used with broker-enabled cluster communication. + const manager_topic = "bro/cluster/manager" &redef; + + ## The topic name used for exchanging messages that are relevant to + ## proxy nodes in a cluster. Used with broker-enabled cluster communication. + const proxy_topic = "bro/cluster/proxy" &redef; + + ## The topic name used for exchanging messages that are relevant to + ## worker nodes in a cluster. Used with broker-enabled cluster communication. + const worker_topic = "bro/cluster/worker" &redef; + + ## The topic name used for exchanging messages that are relevant to + ## time machine nodes in a cluster. Used with broker-enabled cluster communication. + const time_machine_topic = "bro/cluster/time_machine" &redef; + + ## The topic prefix used for exchanging messages that are relevant to + ## a named node in a cluster. Used with broker-enabled cluster communication. + const node_topic_prefix = "bro/cluster/node/" &redef; + + ## Name of the node on which master data stores will be created if no other + ## has already been specified by the user in :bro:see:`Cluster::stores`. + ## An empty value means "use whatever name corresponds to the manager + ## node". 
+ const default_master_node = "" &redef; + + ## The type of data store backend that will be used for all data stores if + ## no other has already been specified by the user in :bro:see:`Cluster::stores`. + const default_backend = Broker::MEMORY &redef; + + ## The type of persistent data store backend that will be used for all data + ## stores if no other has already been specified by the user in + ## :bro:see:`Cluster::stores`. This will be used when script authors call + ## :bro:see:`Cluster::create_store` with the *persistent* argument set true. + const default_persistent_backend = Broker::SQLITE &redef; + + ## Setting a default dir will, for persistent backends that have not + ## been given an explicit file path via :bro:see:`Cluster::stores`, + ## automatically create a path within this dir that is based on the name of + ## the data store. + const default_store_dir = "" &redef; + + ## Information regarding a cluster-enabled data store. + type StoreInfo: record { + ## The name of the data store. + name: string &optional; + ## The store handle. + store: opaque of Broker::Store &optional; + ## The name of the cluster node on which the master version of the data + ## store resides. + master_node: string &default=default_master_node; + ## Whether the data store is the master version or a clone. + master: bool &default=F; + ## The type of backend used for storing data. + backend: Broker::BackendType &default=default_backend; + ## Parameters used for configuring the backend. + options: Broker::BackendOptions &default=Broker::BackendOptions(); + ## A resync/reconnect interval to pass through to + ## :bro:see:`Broker::create_clone`. + clone_resync_interval: interval &default=Broker::default_clone_resync_interval; + ## A staleness duration to pass through to + ## :bro:see:`Broker::create_clone`. + clone_stale_interval: interval &default=Broker::default_clone_stale_interval; + ## A mutation buffer interval to pass through to + ## :bro:see:`Broker::create_clone`. 
+ clone_mutation_buffer_interval: interval &default=Broker::default_clone_mutation_buffer_interval; + }; + + ## A table of cluster-enabled data stores that have been created, indexed + ## by their name. This table will be populated automatically by + ## :bro:see:`Cluster::create_store`, but if you need to customize + ## the options related to a particular data store, you may redef this + ## table. Calls to :bro:see:`Cluster::create_store` will first check + ## the table for an entry of the same name and, if found, will use the + ## predefined options there when setting up the store. + global stores: table[string] of StoreInfo &default=StoreInfo() &redef; + + ## Sets up a cluster-enabled data store. They will also still properly + ## function for uses that are not operating a cluster. + ## + ## name: the name of the data store to create. + ## + ## persistent: whether the data store must be persistent. + ## + ## Returns: the store's information. For master stores, the store will be + ## ready to use immediately. For clones, the store field will not + ## be set until the node containing the master store has connected. + global create_store: function(name: string, persistent: bool &default=F): StoreInfo; + ## The cluster logging stream identifier. redef enum Log::ID += { LOG }; @@ -18,6 +119,8 @@ export { type Info: record { ## The time at which a cluster message was generated. ts: time; + ## The name of the node that is creating the log record. + node: string; ## A message indicating information about the cluster's operation. message: string; } &log; 
@@ -46,43 +149,6 @@ export { TIME_MACHINE, }; - ## Events raised by a manager and handled by the workers. - const manager2worker_events = /Drop::.*/ &redef; - - ## Events raised by a manager and handled by proxies. - const manager2proxy_events = /EMPTY/ &redef; - - ## Events raised by a manager and handled by loggers. - const manager2logger_events = /EMPTY/ &redef; - - ## Events raised by proxies and handled by loggers. - const proxy2logger_events = /EMPTY/ &redef; - - ## Events raised by proxies and handled by a manager. - const proxy2manager_events = /EMPTY/ &redef; - - ## Events raised by proxies and handled by workers. - const proxy2worker_events = /EMPTY/ &redef; - - ## Events raised by workers and handled by loggers. - const worker2logger_events = /EMPTY/ &redef; - - ## Events raised by workers and handled by a manager. - const worker2manager_events = /(TimeMachine::command|Drop::.*)/ &redef; - - ## Events raised by workers and handled by proxies. - const worker2proxy_events = /EMPTY/ &redef; - - ## Events raised by TimeMachine instances and handled by a manager. - const tm2manager_events = /EMPTY/ &redef; - - ## Events raised by TimeMachine instances and handled by workers. - const tm2worker_events = /EMPTY/ &redef; - - ## Events sent by the control host (i.e., BroControl) when dynamically - ## connecting to a running instance to update settings or request data. - const control_events = Control::controller_events &redef; - ## Record type to indicate a node in a cluster. type Node: record { ## Identifies the type of cluster node in this node's configuration. 
@@ -92,22 +158,17 @@ export { ## If the *ip* field is a non-global IPv6 address, this field ## can specify a particular :rfc:`4007` ``zone_id``. zone_id: string &default=""; - ## The port to which this local node can connect when - ## establishing communication. + ## The port that this node will listen on for peer connections. p: port; ## Identifier for the interface a worker is sniffing. interface: string &optional; - ## Name of the logger node this node uses. For manager, proxies and workers. - logger: string &optional; ## Name of the manager node this node uses. For workers and proxies. manager: string &optional; - ## Name of the proxy node this node uses. For workers and managers. - proxy: string &optional; - ## Names of worker nodes that this node connects with. - ## For managers and proxies. - workers: set[string] &optional; ## Name of a time machine node with which this node connects. time_machine: string &optional; + ## A unique identifier assigned to the node by the broker framework. + ## This field is only set while a node is connected. + id: string &optional; }; ## This function can be called at any time to determine if the cluster @@ -134,6 +195,8 @@ export { ## named cluster-layout.bro somewhere in the BROPATH. It will be ## automatically loaded if the CLUSTER_NODE environment variable is set. ## Note that BroControl handles all of this automatically. + ## The table is typically indexed by node names/labels (e.g. "manager" + ## or "worker-1"). const nodes: table[string] of Node = {} &redef; ## Indicates whether or not the manager will act as the logger and receive 
@@ -147,9 +210,67 @@ export { const node = getenv("CLUSTER_NODE") &redef; ## Interval for retrying failed connections between cluster nodes. + ## If set, the BRO_DEFAULT_CONNECT_RETRY (given in number of seconds) + ## overrides this option. const retry_interval = 1min &redef; + + ## When using broker-enabled cluster framework, nodes broadcast this event + ## to exchange their user-defined name along with a string that uniquely + ## identifies it for the duration of its lifetime. This string may change + ## if the node dies and has to reconnect later. + global hello: event(name: string, id: string); + + ## When using broker-enabled cluster framework, this event will be emitted + ## locally whenever a cluster node connects or reconnects. + global node_up: event(name: string, id: string); + + ## When using broker-enabled cluster framework, this event will be emitted + ## locally whenever a connected cluster node becomes disconnected. + global node_down: event(name: string, id: string); + + ## Write a message to the cluster logging stream. + global log: function(msg: string); + + ## Retrieve the topic associated with a specific node in the cluster. + ## + ## name: the name of the cluster node (e.g. "manager"). + ## + ## Returns: a topic string that may used to send a message exclusively to + ## a given cluster node. + global node_topic: function(name: string): string; } +global active_worker_ids: set[string] = set(); + +type NamedNode: record { + name: string; + node: Node; +}; + +function nodes_with_type(node_type: NodeType): vector of NamedNode + { + local rval: vector of NamedNode = vector(); + local names: vector of string = vector(); + + for ( name in Cluster::nodes ) + names += name; + + names = sort(names, strcmp); + + for ( i in names ) + { + name = names[i]; + local n = Cluster::nodes[name]; + + if ( n$node_type != node_type ) + next; + + rval += NamedNode($name=name, $node=n); + } + + return rval; + } + function is_enabled(): bool { return (node != ""); 
@@ -160,16 +281,70 @@ function local_node_type(): NodeType return is_enabled() ? nodes[node]$node_type : NONE; } -event remote_connection_handshake_done(p: event_peer) &priority=5 +function node_topic(name: string): string { - if ( p$descr in nodes && nodes[p$descr]$node_type == WORKER ) - ++worker_count; + return node_topic_prefix + name; } -event remote_connection_closed(p: event_peer) &priority=5 +event Cluster::hello(name: string, id: string) &priority=10 { - if ( p$descr in nodes && nodes[p$descr]$node_type == WORKER ) - --worker_count; + if ( name !in nodes ) + { + Reporter::error(fmt("Got Cluster::hello msg from unexpected node: %s", name)); + return; + } + + local n = nodes[name]; + + if ( n?$id ) + { + if ( n$id != id ) + Reporter::error(fmt("Got Cluster::hello msg from duplicate node:%s", + name)); + } + else + event Cluster::node_up(name, id); + + n$id = id; + Cluster::log(fmt("got hello from %s (%s)", name, id)); + + if ( n$node_type == WORKER ) + { + add active_worker_ids[id]; + worker_count = |active_worker_ids|; + } + } + +event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) &priority=10 + { + if ( ! Cluster::is_enabled() ) + return; + + local e = Broker::make_event(Cluster::hello, node, Broker::node_id()); + Broker::publish(Cluster::broadcast_topic, e); + } + +event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) &priority=10 + { + for ( node_name in nodes ) + { + local n = nodes[node_name]; + + if ( n?$id && n$id == endpoint$id ) + { + Cluster::log(fmt("node down: %s", node_name)); + delete n$id; + + if ( n$node_type == WORKER ) + { + delete active_worker_ids[endpoint$id]; + worker_count = |active_worker_ids|; + } + + event Cluster::node_down(node_name, endpoint$id); + break; + } + } } event bro_init() &priority=5 
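Review bot: In the Cluster::hello handler, the `n$id != id` branch calls Reporter::error for a duplicate node but then falls through to `n$id = id;` and, for workers, to `add active_worker_ids[id];`. The node's recorded id is therefore replaced by whichever hello arrived last, and the previous id stays in active_worker_ids, because Broker::peer_lost only removes the id currently stored in `n$id`; worker_count can then overcount. The name comes from the event payload and nothing visible in this hunk ties it to the sending Broker endpoint, so the first registration is the safer one to keep. I would end that branch with `return;` after the Reporter::error call (adding braces around the two statements), or, if replacing the id is intended, put `delete active_worker_ids[n$id];` before the assignment.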
@@ -183,3 +358,90 @@ event bro_init() &priority=5 Log::create_stream(Cluster::LOG, [$columns=Info, $path="cluster"]); } + +function create_store(name: string, persistent: bool &default=F): Cluster::StoreInfo + { + local info = stores[name]; + info$name = name; + + if ( Cluster::default_store_dir != "" ) + { + local default_options = Broker::BackendOptions(); + local path = Cluster::default_store_dir + "/" + name; + + if ( info$options$sqlite$path == default_options$sqlite$path ) + info$options$sqlite$path = path + ".sqlite"; + + if ( info$options$rocksdb$path == default_options$rocksdb$path ) + info$options$rocksdb$path = path + ".rocksdb"; + } + + if ( persistent ) + { + switch ( info$backend ) { + case Broker::MEMORY: + info$backend = Cluster::default_persistent_backend; + break; + case Broker::SQLITE: + fallthrough; + case Broker::ROCKSDB: + # no-op: user already asked for a specific persistent backend. + break; + default: + Reporter::error(fmt("unhandled data store type: %s", info$backend)); + break; + } + } + + if ( ! 
Cluster::is_enabled() ) + { + if ( info?$store ) + { + Reporter::warning(fmt("duplicate cluster store creation for %s", name)); + return info; + } + + info$store = Broker::create_master(name, info$backend, info$options); + info$master = T; + stores[name] = info; + return info; + } + + if ( info$master_node == "" ) + { + local mgr_nodes = nodes_with_type(Cluster::MANAGER); + + if ( |mgr_nodes| == 0 ) + Reporter::fatal(fmt("empty master node name for cluster store " + + "'%s', but there's no manager node to default", + name)); + + info$master_node = mgr_nodes[0]$name; + } + else if ( info$master_node !in Cluster::nodes ) + Reporter::fatal(fmt("master node '%s' for cluster store '%s' does not exist", + info$master_node, name)); + + if ( Cluster::node == info$master_node ) + { + info$store = Broker::create_master(name, info$backend, info$options); + info$master = T; + stores[name] = info; + Cluster::log(fmt("created master store: %s", name)); + return info; + } + + info$master = F; + stores[name] = info; + info$store = Broker::create_clone(info$name, + info$clone_resync_interval, + info$clone_stale_interval, + info$clone_mutation_buffer_interval); + Cluster::log(fmt("created clone store: %s", info$name)); + return info; + } + +function log(msg: string) + { + Log::write(Cluster::LOG, [$ts = network_time(), $node = node, $message = msg]); + } diff --git a/scripts/base/frameworks/cluster/pools.bro b/scripts/base/frameworks/cluster/pools.bro new file mode 100644 index 0000000000..ac8673b7e8 --- /dev/null +++ b/scripts/base/frameworks/cluster/pools.bro 
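Review bot: In create_store, `local path = Cluster::default_store_dir + "/" + name;` uses the store name verbatim as part of a file path, so a name containing `/` or `..` puts the SQLite or RocksDB file in a subdirectory of default_store_dir or outside it. Nothing in the hunk restricts the name, and whether every caller passes a fixed script constant is not visible here. I would state the expectation above that line, for example `# name becomes a relative file path under default_store_dir; pass only fixed, trusted store names`. A check such as `if ( /\.\./ in name )` followed by Reporter::fatal would also fit, since the function already uses Reporter::fatal for a missing master node.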
@@ -0,0 +1,458 @@ +##! Defines an interface for managing pools of cluster nodes. Pools are +##! a useful way to distribute work or data among nodes within a cluster. + +@load ./main +@load base/utils/hash_hrw + +module Cluster; + +export { + ## Store state of a cluster within the context of a work pool. + type PoolNode: record { + ## The node name (e.g. "manager"). + name: string; + ## An alias of *name* used to prevent hashing collisions when creating + ## *site_id*. + alias: string; + ## A 32-bit unique identifier for the pool node, derived from name/alias. + site_id: count; + ## Whether the node is currently alive and can receive work. + alive: bool &default=F; + }; + + ## A pool specification. + type PoolSpec: record { + ## A topic string that can be used to reach all nodes within a pool. + topic: string &default = ""; + ## The type of nodes that are contained within the pool. + node_type: Cluster::NodeType &default = Cluster::PROXY; + ## The maximum number of nodes that may belong to the pool. + ## If not set, then all available nodes will be added to the pool, + ## else the cluster framework will automatically limit the pool + ## membership according to the threshhold. + max_nodes: count &optional; + ## Whether the pool requires exclusive access to nodes. If true, + ## then *max_nodes* nodes will not be assigned to any other pool. + ## When using this flag, *max_nodes* must also be set. + exclusive: bool &default = F; + }; + + type PoolNodeTable: table[string] of PoolNode; + type RoundRobinTable: table[string] of int; + + ## A pool used for distributing data/work among a set of cluster nodes. + type Pool: record { + ## The specification of the pool that was used when registering it. + spec: PoolSpec &default = PoolSpec(); + ## Nodes in the pool, indexed by their name (e.g. "manager"). + nodes: PoolNodeTable &default = PoolNodeTable(); + ## A list of nodes in the pool in a deterministic order. 
+ node_list: vector of PoolNode &default = vector(); + ## The Rendezvous hashing structure. + hrw_pool: HashHRW::Pool &default = HashHRW::Pool(); + ## Round-Robin table indexed by arbitrary key and storing the next + ## index of *node_list* that will be eligible to receive work (if it's + ## alive at the time of next request). + rr_key_seq: RoundRobinTable &default = RoundRobinTable(); + ## Number of pool nodes that are currently alive. + alive_count: count &default = 0; + }; + + ## The specification for :bro:see:`Cluster::proxy_pool`. + global proxy_pool_spec: PoolSpec = + PoolSpec($topic = "bro/cluster/pool/proxy", + $node_type = Cluster::PROXY) &redef; + + ## The specification for :bro:see:`Cluster::worker_pool`. + global worker_pool_spec: PoolSpec = + PoolSpec($topic = "bro/cluster/pool/worker", + $node_type = Cluster::WORKER) &redef; + + ## The specification for :bro:see:`Cluster::logger_pool`. + global logger_pool_spec: PoolSpec = + PoolSpec($topic = "bro/cluster/pool/logger", + $node_type = Cluster::LOGGER) &redef; + + ## A pool containing all the proxy nodes of a cluster. + ## The pool's node membership/availability is automatically + ## maintained by the cluster framework. + global proxy_pool: Pool; + + ## A pool containing all the worker nodes of a cluster. + ## The pool's node membership/availability is automatically + ## maintained by the cluster framework. + global worker_pool: Pool; + + ## A pool containing all the logger nodes of a cluster. + ## The pool's node membership/availability is automatically + ## maintained by the cluster framework. + global logger_pool: Pool; + + ## Registers and initializes a pool. + global register_pool: function(spec: PoolSpec): Pool; + + ## Retrieve the topic associated with the node mapped via Rendezvous hash + ## of an arbitrary key. + ## + ## pool: the pool of nodes to consider. + ## + ## key: data used for input to the hashing function that will uniformly + ## distribute keys among available nodes. 
+ ## + ## Returns: a topic string associated with a cluster node that is alive + ## or an empty string if nothing is alive. + global hrw_topic: function(pool: Pool, key: any): string; + + ## Retrieve the topic associated with the node in a round-robin fashion. + ## + ## pool: the pool of nodes to consider. + ## + ## key: an arbitrary string to identify the purpose for which you're + ## requesting the topic. e.g. consider using namespacing of your script + ## like "Intel::cluster_rr_key". + ## + ## Returns: a topic string associated with a cluster node that is alive, + ## or an empty string if nothing is alive. + global rr_topic: function(pool: Pool, key: string): string; + + ## Distributes log message topics among logger nodes via round-robin. + ## This will be automatically assigned to :bro:see:`Broker::log_topic` + ## if :bro:see:`Cluster::enable_round_robin_logging` is enabled. + ## If no logger nodes are active, then this will return the value + ## of :bro:see:`Broker::default_log_topic`. + global rr_log_topic: function(id: Log::ID, path: string): string; +} + +## Initialize a node as a member of a pool. +## +## pool: the pool to which the node will belong. +## +## name: the name of the node (e.g. "manager"). +## +## Returns: F if a node of the same name already exists in the pool, else T. +global init_pool_node: function(pool: Pool, name: string): bool; + +## Mark a pool node as alive/online/available. :bro:see:`Cluster::hrw_topic` +## will distribute keys to nodes marked as alive. +## +## pool: the pool to which the node belongs. +## +## name: the name of the node to mark. +## +## Returns: F if the node does not exist in the pool, else T. +global mark_pool_node_alive: function(pool: Pool, name: string): bool; + +## Mark a pool node as dead/offline/unavailable. :bro:see:`Cluster::hrw_topic` +## will not distribute keys to nodes marked as dead. +## +## pool: the pool to which the node belongs. +## +## name: the name of the node to mark. 
+## +## Returns: F if the node does not exist in the pool, else T. +global mark_pool_node_dead: function(pool: Pool, name: string): bool; + +global registered_pools: vector of Pool = vector(); + +function register_pool(spec: PoolSpec): Pool + { + local rval = Pool($spec = spec); + registered_pools += rval; + return rval; + } + +function hrw_topic(pool: Pool, key: any): string + { + if ( |pool$hrw_pool$sites| == 0 ) + return ""; + + local site = HashHRW::get_site(pool$hrw_pool, key); + local pn: PoolNode = site$user_data; + return node_topic_prefix + pn$name; + } + +function rr_topic(pool: Pool, key: string): string + { + if ( key !in pool$rr_key_seq ) + pool$rr_key_seq[key] = 0; + + local next_idx = pool$rr_key_seq[key]; + local start = next_idx; + local rval = ""; + + if ( next_idx >= |pool$node_list| ) + return rval; + + while ( T ) + { + local pn = pool$node_list[next_idx]; + + ++next_idx; + + if ( next_idx == |pool$node_list| ) + next_idx = 0; + + if ( pn$alive ) + { + rval = node_topic_prefix + pn$name; + break; + } + + if ( next_idx == start ) + # no nodes alive + break; + } + + pool$rr_key_seq[key] = next_idx; + return rval; + } + +function rr_log_topic(id: Log::ID, path: string): string + { + local rval = rr_topic(logger_pool, "Cluster::rr_log_topic"); + + if ( rval != "" ) + return rval; + + rval = Broker::default_log_topic(id, path); + return rval; + } + +event Cluster::node_up(name: string, id: string) &priority=10 + { + for ( i in registered_pools ) + { + local pool = registered_pools[i]; + + if ( name in pool$nodes ) + mark_pool_node_alive(pool, name); + } + } + +event Cluster::node_down(name: string, id: string) &priority=10 + { + for ( i in registered_pools ) + { + local pool = registered_pools[i]; + + if ( name in pool$nodes ) + mark_pool_node_dead(pool, name); + } + } + +function site_id_in_pool(pool: Pool, site_id: count): bool + { + for ( i in pool$nodes ) + { + local pn = pool$nodes[i]; + + if ( pn$site_id == site_id ) + return T; + } + + return 
F; + } + +function init_pool_node(pool: Pool, name: string): bool + { + if ( name in pool$nodes ) + return F; + + local loop = T; + local c = 0; + + while ( loop ) + { + # site id collisions are unlikely, but using aliases handles it... + # alternatively could terminate and ask user to pick a new node name + # if it ends up colliding. + local alias = name + fmt(".%s", c); + local site_id = fnv1a32(alias); + + if ( site_id_in_pool(pool, site_id) ) + ++c; + else + { + local pn = PoolNode($name=name, $alias=alias, $site_id=site_id, + $alive=Cluster::node == name); + pool$nodes[name] = pn; + pool$node_list += pn; + + if ( pn$alive ) + ++pool$alive_count; + + loop = F; + } + } + + return T; + } + +function mark_pool_node_alive(pool: Pool, name: string): bool + { + if ( name !in pool$nodes ) + return F; + + local pn = pool$nodes[name]; + + if ( ! pn$alive ) + { + pn$alive = T; + ++pool$alive_count; + } + + HashHRW::add_site(pool$hrw_pool, HashHRW::Site($id=pn$site_id, $user_data=pn)); + return T; + } + +function mark_pool_node_dead(pool: Pool, name: string): bool + { + if ( name !in pool$nodes ) + return F; + + local pn = pool$nodes[name]; + + if ( pn$alive ) + { + pn$alive = F; + --pool$alive_count; + } + + HashHRW::rem_site(pool$hrw_pool, HashHRW::Site($id=pn$site_id, $user_data=pn)); + return T; + } + +event bro_init() + { + worker_pool = register_pool(worker_pool_spec); + proxy_pool = register_pool(proxy_pool_spec); + logger_pool = register_pool(logger_pool_spec); + } + +type PoolEligibilityTracking: record { + eligible_nodes: vector of NamedNode &default = vector(); + next_idx: count &default = 0; + excluded: count &default = 0; +}; + +global pool_eligibility: table[Cluster::NodeType] of PoolEligibilityTracking = table(); + +function pool_sorter(a: Pool, b: Pool): int + { + return strcmp(a$spec$topic, b$spec$topic); + } + +# Needs to execute before the bro_init in setup-connections +event bro_init() &priority=-5 + { + if ( ! 
Cluster::is_enabled() ) + return; + + # Sorting now ensures the node distribution process is stable even if + # there's a change in the order of time-of-registration between Bro runs. + sort(registered_pools, pool_sorter); + + pool_eligibility[Cluster::WORKER] = + PoolEligibilityTracking($eligible_nodes = nodes_with_type(Cluster::WORKER)); + pool_eligibility[Cluster::PROXY] = + PoolEligibilityTracking($eligible_nodes = nodes_with_type(Cluster::PROXY)); + pool_eligibility[Cluster::LOGGER] = + PoolEligibilityTracking($eligible_nodes = nodes_with_type(Cluster::LOGGER)); + + if ( manager_is_logger ) + { + local mgr = nodes_with_type(Cluster::MANAGER); + + if ( |mgr| > 0 ) + { + local eln = pool_eligibility[Cluster::LOGGER]$eligible_nodes; + eln += mgr[0]; + } + } + + local pool: Pool; + local pet: PoolEligibilityTracking; + local en: vector of NamedNode; + + for ( i in registered_pools ) + { + pool = registered_pools[i]; + + if ( pool$spec$node_type !in pool_eligibility ) + Reporter::fatal(fmt("invalid pool node type: %s", pool$spec$node_type)); + + if ( ! pool$spec$exclusive ) + next; + + if ( ! pool$spec?$max_nodes ) + Reporter::fatal("Cluster::PoolSpec 'max_nodes' field must be set when using the 'exclusive' flag"); + + pet = pool_eligibility[pool$spec$node_type]; + pet$excluded += pool$spec$max_nodes; + } + + for ( nt in pool_eligibility ) + { + pet = pool_eligibility[nt]; + + if ( pet$excluded > |pet$eligible_nodes| ) + Reporter::fatal(fmt("not enough %s nodes to satisfy pool exclusivity requirements: need %d nodes", nt, pet$excluded)); + } + + for ( i in registered_pools ) + { + pool = registered_pools[i]; + + if ( ! 
pool$spec$exclusive ) + next; + + pet = pool_eligibility[pool$spec$node_type]; + + local e = 0; + + while ( e < pool$spec$max_nodes ) + { + init_pool_node(pool, pet$eligible_nodes[e]$name); + ++e; + } + + local nen: vector of NamedNode = vector(); + + for ( j in pet$eligible_nodes ) + { + if ( j < e ) + next; + + nen += pet$eligible_nodes[j]; + } + + pet$eligible_nodes = nen; + } + + for ( i in registered_pools ) + { + pool = registered_pools[i]; + + if ( pool$spec$exclusive ) + next; + + pet = pool_eligibility[pool$spec$node_type]; + local nodes_to_init = |pet$eligible_nodes|; + + if ( pool$spec?$max_nodes && + pool$spec$max_nodes < |pet$eligible_nodes| ) + nodes_to_init = pool$spec$max_nodes; + + local nodes_inited = 0; + + while ( nodes_inited < nodes_to_init ) + { + init_pool_node(pool, pet$eligible_nodes[pet$next_idx]$name); + ++nodes_inited; + ++pet$next_idx; + + if ( pet$next_idx == |pet$eligible_nodes| ) + pet$next_idx = 0; + } + } + } diff --git a/scripts/base/frameworks/cluster/setup-connections.bro b/scripts/base/frameworks/cluster/setup-connections.bro index 971a55d444..63ddbdd8b0 100644 --- a/scripts/base/frameworks/cluster/setup-connections.bro +++ b/scripts/base/frameworks/cluster/setup-connections.bro 
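Review bot: init_pool_node sets `$alive=Cluster::node == name` and increments alive_count for the local node, but a node enters the Rendezvous hash only in mark_pool_node_alive, through `HashHRW::add_site`. Unless Cluster::node_up is also raised for the local node, which this hunk does not show, rr_topic can select the local node while hrw_topic never does, and alive_count disagrees with `|pool$hrw_pool$sites|`. Either call `HashHRW::add_site(pool$hrw_pool, HashHRW::Site($id=site_id, $user_data=pn));` inside the `if ( pn$alive )` branch of init_pool_node, or add a comment there saying the local node is deliberately left out of HRW selection.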
@@ -2,142 +2,125 @@ ##! as defined by :bro:id:`Cluster::nodes`. @load ./main -@load base/frameworks/communication - -@if ( Cluster::node in Cluster::nodes ) +@load ./pools +@load base/frameworks/broker module Cluster; -event bro_init() &priority=9 +function connect_peer(node_type: NodeType, node_name: string) { - local me = nodes[node]; + local nn = nodes_with_type(node_type); - for ( i in Cluster::nodes ) + for ( i in nn ) { - local n = nodes[i]; + local n = nn[i]; - # Connections from the control node for runtime control and update events. - # Every node in a cluster is eligible for control from this host. - if ( n$node_type == CONTROL ) - Communication::nodes["control"] = [$host=n$ip, $zone_id=n$zone_id, - $connect=F, $class="control", - $events=control_events]; + if ( n$name != node_name ) + next; - if ( me$node_type == LOGGER ) - { - if ( n$node_type == MANAGER && n$logger == node ) - Communication::nodes[i] = - [$host=n$ip, $zone_id=n$zone_id, $connect=F, - $class=i, $events=manager2logger_events, $request_logs=T]; - if ( n$node_type == PROXY && n$logger == node ) - Communication::nodes[i] = - [$host=n$ip, $zone_id=n$zone_id, $connect=F, - $class=i, $events=proxy2logger_events, $request_logs=T]; - if ( n$node_type == WORKER && n$logger == node ) - Communication::nodes[i] = - [$host=n$ip, $zone_id=n$zone_id, $connect=F, - $class=i, $events=worker2logger_events, $request_logs=T]; - } - else if ( me$node_type == MANAGER ) - { - if ( n$node_type == LOGGER && me$logger == i ) - Communication::nodes["logger"] = - [$host=n$ip, $zone_id=n$zone_id, $p=n$p, - $connect=T, $retry=retry_interval, - $class=node]; - - if ( n$node_type == WORKER && n$manager == node ) - Communication::nodes[i] = - [$host=n$ip, $zone_id=n$zone_id, $connect=F, - $class=i, $events=worker2manager_events, - $request_logs=Cluster::manager_is_logger]; - - if ( n$node_type == PROXY && n$manager == node ) - Communication::nodes[i] = - [$host=n$ip, $zone_id=n$zone_id, $connect=F, - $class=i, 
$events=proxy2manager_events, - $request_logs=Cluster::manager_is_logger]; - - if ( n$node_type == TIME_MACHINE && me?$time_machine && me$time_machine == i ) - Communication::nodes["time-machine"] = [$host=nodes[i]$ip, - $zone_id=nodes[i]$zone_id, - $p=nodes[i]$p, - $connect=T, $retry=retry_interval, - $events=tm2manager_events]; - } - - else if ( me$node_type == PROXY ) - { - if ( n$node_type == LOGGER && me$logger == i ) - Communication::nodes["logger"] = - [$host=n$ip, $zone_id=n$zone_id, $p=n$p, - $connect=T, $retry=retry_interval, - $class=node]; - - if ( n$node_type == WORKER && n$proxy == node ) - Communication::nodes[i] = - [$host=n$ip, $zone_id=n$zone_id, $connect=F, $class=i, - $sync=T, $auth=T, $events=worker2proxy_events]; - - # accepts connections from the previous one. - # (This is not ideal for setups with many proxies) - # FIXME: Once we're using multiple proxies, we should also figure out some $class scheme ... - if ( n$node_type == PROXY ) - { - if ( n?$proxy ) - Communication::nodes[i] - = [$host=n$ip, $zone_id=n$zone_id, $p=n$p, - $connect=T, $auth=F, $sync=T, $retry=retry_interval]; - else if ( me?$proxy && me$proxy == i ) - Communication::nodes[me$proxy] - = [$host=nodes[i]$ip, $zone_id=nodes[i]$zone_id, - $connect=F, $auth=T, $sync=T]; - } - - # Finally the manager, to send it status updates. 
- if ( n$node_type == MANAGER && me$manager == i ) - Communication::nodes["manager"] = [$host=nodes[i]$ip, - $zone_id=nodes[i]$zone_id, - $p=nodes[i]$p, - $connect=T, $retry=retry_interval, - $class=node, - $events=manager2proxy_events]; - } - else if ( me$node_type == WORKER ) - { - if ( n$node_type == LOGGER && me$logger == i ) - Communication::nodes["logger"] = - [$host=n$ip, $zone_id=n$zone_id, $p=n$p, - $connect=T, $retry=retry_interval, - $class=node]; - - if ( n$node_type == MANAGER && me$manager == i ) - Communication::nodes["manager"] = [$host=nodes[i]$ip, - $zone_id=nodes[i]$zone_id, - $p=nodes[i]$p, - $connect=T, $retry=retry_interval, - $class=node, - $events=manager2worker_events]; - - if ( n$node_type == PROXY && me$proxy == i ) - Communication::nodes["proxy"] = [$host=nodes[i]$ip, - $zone_id=nodes[i]$zone_id, - $p=nodes[i]$p, - $connect=T, $retry=retry_interval, - $sync=T, $class=node, - $events=proxy2worker_events]; - - if ( n$node_type == TIME_MACHINE && - me?$time_machine && me$time_machine == i ) - Communication::nodes["time-machine"] = [$host=nodes[i]$ip, - $zone_id=nodes[i]$zone_id, - $p=nodes[i]$p, - $connect=T, - $retry=retry_interval, - $events=tm2worker_events]; - - } + local status = Broker::peer(cat(n$node$ip), n$node$p, + Cluster::retry_interval); + Cluster::log(fmt("initiate peering with %s:%s, retry=%s, status=%s", + n$node$ip, n$node$p, Cluster::retry_interval, + status)); } } -@endif +function connect_peers_with_type(node_type: NodeType) + { + local rval: vector of NamedNode = vector(); + local nn = nodes_with_type(node_type); + + for ( i in nn ) + { + local n = nn[i]; + local status = Broker::peer(cat(n$node$ip), n$node$p, + Cluster::retry_interval); + Cluster::log(fmt("initiate peering with %s:%s, retry=%s, status=%s", + n$node$ip, n$node$p, Cluster::retry_interval, + status)); + } + } + +event bro_init() &priority=-10 + { + if ( getenv("BROCTL_CHECK_CONFIG") != "" ) + return; + + local self = nodes[node]; + + for ( i in 
registered_pools ) + { + local pool = registered_pools[i]; + + if ( node in pool$nodes ) + Broker::subscribe(pool$spec$topic); + } + + switch ( self$node_type ) { + case NONE: + return; + case CONTROL: + break; + case LOGGER: + Broker::subscribe(Cluster::logger_topic); + Broker::subscribe(Broker::default_log_topic_prefix); + break; + case MANAGER: + Broker::subscribe(Cluster::manager_topic); + + if ( Cluster::manager_is_logger ) + Broker::subscribe(Broker::default_log_topic_prefix); + + break; + case PROXY: + Broker::subscribe(Cluster::proxy_topic); + break; + case WORKER: + Broker::subscribe(Cluster::worker_topic); + break; + case TIME_MACHINE: + Broker::subscribe(Cluster::time_machine_topic); + break; + default: + Reporter::error(fmt("Unhandled cluster node type: %s", self$node_type)); + return; + } + + Broker::subscribe(Cluster::broadcast_topic); + Broker::subscribe(node_topic(node)); + + Broker::listen(Broker::default_listen_address, + self$p, + Broker::default_listen_retry); + + Cluster::log(fmt("listening on %s:%s", Broker::default_listen_address, self$p)); + + switch ( self$node_type ) { + case MANAGER: + connect_peers_with_type(LOGGER); + + if ( self?$time_machine ) + connect_peer(TIME_MACHINE, self$time_machine); + + break; + case PROXY: + connect_peers_with_type(LOGGER); + + if ( self?$manager ) + connect_peer(MANAGER, self$manager); + + break; + case WORKER: + connect_peers_with_type(LOGGER); + connect_peers_with_type(PROXY); + + if ( self?$manager ) + connect_peer(MANAGER, self$manager); + + if ( self?$time_machine ) + connect_peer(TIME_MACHINE, self$time_machine); + + break; + } + } diff --git a/scripts/base/frameworks/communication/README b/scripts/base/frameworks/communication/README deleted file mode 100644 index 6f73c8c6a4..0000000000 --- a/scripts/base/frameworks/communication/README +++ /dev/null @@ -1,2 +0,0 @@ -The communication framework facilitates connecting to remote Bro or -Broccoli instances to share state and transfer events. 
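Review bot: Nothing in the new `bro_init` limits which peers may connect to the listener opened by `Broker::listen(Broker::default_listen_address, self$p, Broker::default_listen_retry)`. The removed Communication framework applied event requests and accept-input settings only to peers that matched a configured `$host` and `$class`. Any restriction now has to come from Broker's transport settings or from network filtering, neither of which is visible in this hunk, so I would say so next to the call: `# Peers are not checked against Cluster::nodes here; restrict self$p to cluster hosts and configure Broker TLS certificates.` Separately, the "listening on" message is logged without looking at what `Broker::listen` returns, so cluster.log may report a listener that did not bind. The local `rval` in `connect_peers_with_type` is never used.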
diff --git a/scripts/base/frameworks/communication/__load__.bro b/scripts/base/frameworks/communication/__load__.bro
deleted file mode 100644
index a10fe855df..0000000000
--- a/scripts/base/frameworks/communication/__load__.bro
+++ /dev/null
@@ -1 +0,0 @@
-@load ./main
diff --git a/scripts/base/frameworks/communication/main.bro b/scripts/base/frameworks/communication/main.bro
deleted file mode 100644
index af4eb9fca5..0000000000
--- a/scripts/base/frameworks/communication/main.bro
+++ /dev/null
@@ -1,354 +0,0 @@ -##! Facilitates connecting to remote Bro or Broccoli instances to share state -##! and/or transfer events. - -@load base/frameworks/packet-filter -@load base/utils/addrs - -module Communication; - -export { - - ## The communication logging stream identifier. - redef enum Log::ID += { LOG }; - - ## Which interface to listen on. The addresses ``0.0.0.0`` and ``[::]`` - ## are wildcards. - const listen_interface = 0.0.0.0 &redef; - - ## Which port to listen on. Note that BroControl sets this - ## automatically. - const listen_port = 47757/tcp &redef; - - ## This defines if a listening socket should use SSL. - const listen_ssl = F &redef; - - ## Defines if a listening socket can bind to IPv6 addresses. - ## - ## Note that this is overridden by the BroControl IPv6Comm option. - const listen_ipv6 = F &redef; - - ## If :bro:id:`Communication::listen_interface` is a non-global - ## IPv6 address and requires a specific :rfc:`4007` ``zone_id``, - ## it can be specified here. - const listen_ipv6_zone_id = "" &redef; - - ## Defines the interval at which to retry binding to - ## :bro:id:`Communication::listen_interface` on - ## :bro:id:`Communication::listen_port` if it's already in use. - const listen_retry = 30 secs &redef; - - ## Default compression level. Compression level is 0-9, with 0 = no - ## compression. - global compression_level = 0 &redef; - - ## A record type containing the column fields of the communication log. - type Info: record { - ## The network time at which a communication event occurred. - ts: time &log; - ## The peer name (if any) with which a communication event is - ## concerned. - peer: string &log &optional; - ## Where the communication event message originated from, that - ## is, either from the scripting layer or inside the Bro process. - src_name: string &log &optional; - ## .. todo:: currently unused. - connected_peer_desc: string &log &optional; - ## .. todo:: currently unused. 
- connected_peer_addr: addr &log &optional; - ## .. todo:: currently unused. - connected_peer_port: port &log &optional; - ## The severity of the communication event message. - level: string &log &optional; - ## A message describing the communication event between Bro or - ## Broccoli instances. - message: string &log; - }; - - ## A remote peer to which we would like to talk. - ## If there's no entry for a peer, it may still connect - ## and request state, but not send us any. - type Node: record { - ## Remote address. - host: addr; - - ## If the *host* field is a non-global IPv6 address, this field - ## can specify a particular :rfc:`4007` ``zone_id``. - zone_id: string &optional; - - ## Port of the remote Bro communication endpoint if we are - ## initiating the connection (based on the *connect* field). - p: port &optional; - - ## When accepting a connection, the configuration only - ## applies if the class matches the one transmitted by - ## the peer. - ## - ## When initiating a connection, the class is sent to - ## the other side. - class: string &optional; - - ## Events requested from remote side. - events: pattern &optional; - - ## Whether we are going to connect (rather than waiting - ## for the other side to connect to us). - connect: bool &default = F; - - ## If disconnected, reconnect after this many seconds. - retry: interval &default = 0 secs; - - ## Whether to accept remote events. - accept_input: bool &default = T; - - ## Whether to perform state synchronization with peer. - sync: bool &default = F; - - ## Whether to request logs from the peer. - request_logs: bool &default = F; - - ## When performing state synchronization, whether we consider - ## our state to be authoritative (only one side can be - ## authoritative). If so, we will send the peer our current - ## set when the connection is set up. - auth: bool &default = F; - - ## If not set, no capture filter is sent. - ## If set to an empty string, then the default capture filter - ## is sent. 
- capture_filter: string &optional; - - ## Whether to use SSL-based communication. - ssl: bool &default = F; - - ## Compression level is 0-9, with 0 = no compression. - compression: count &default = compression_level; - - ## The remote peer. - peer: event_peer &optional; - - ## Indicates the status of the node. - connected: bool &default = F; - }; - - ## The table of Bro or Broccoli nodes that Bro will initiate connections - ## to or respond to connections from. Note that BroControl sets this - ## automatically. - global nodes: table[string] of Node &redef; - - ## A table of peer nodes for which this node issued a - ## :bro:id:`Communication::connect_peer` call but with which a connection - ## has not yet been established or with which a connection has been - ## closed and is currently in the process of retrying to establish. - ## When a connection is successfully established, the peer is removed - ## from the table. - global pending_peers: table[peer_id] of Node; - - ## A table of peer nodes for which this node has an established connection. - ## Peers are automatically removed if their connection is closed and - ## automatically added back if a connection is re-established later. - global connected_peers: table[peer_id] of Node; - - ## Connect to a node in :bro:id:`Communication::nodes` independent - ## of its "connect" flag. - ## - ## peer: the string used to index a particular node within the - ## :bro:id:`Communication::nodes` table. - global connect_peer: function(peer: string); -} - -const src_names = { - [REMOTE_SRC_CHILD] = "child", - [REMOTE_SRC_PARENT] = "parent", - [REMOTE_SRC_SCRIPT] = "script", -}; - -event bro_init() &priority=5 - { - Log::create_stream(Communication::LOG, [$columns=Info, $path="communication"]); - } - -function do_script_log_common(level: count, src: count, msg: string) - { - Log::write(Communication::LOG, [$ts = network_time(), - $level = (level == REMOTE_LOG_INFO ? 
"info" : "error"), - $src_name = src_names[src], - $peer = get_event_peer()$descr, - $message = msg]); - } - -# This is a core generated event. -event remote_log(level: count, src: count, msg: string) - { - do_script_log_common(level, src, msg); - } - -# This is a core generated event. -event remote_log_peer(p: event_peer, level: count, src: count, msg: string) - { - local rmsg = fmt("[#%d/%s:%d] %s", p$id, addr_to_uri(p$host), p$p, msg); - do_script_log_common(level, src, rmsg); - } - -function do_script_log(p: event_peer, msg: string) - { - do_script_log_common(REMOTE_LOG_INFO, REMOTE_SRC_SCRIPT, msg); - } - -function connect_peer(peer: string) - { - local node = nodes[peer]; - local p = listen_port; - - if ( node?$p ) - p = node$p; - - local class = node?$class ? node$class : ""; - local zone_id = node?$zone_id ? node$zone_id : ""; - local id = connect(node$host, zone_id, p, class, node$retry, node$ssl); - - if ( id == PEER_ID_NONE ) - Log::write(Communication::LOG, [$ts = network_time(), - $peer = get_event_peer()$descr, - $message = "can't trigger connect"]); - pending_peers[id] = node; - } - - -function setup_peer(p: event_peer, node: Node) - { - if ( node?$events ) - { - do_script_log(p, fmt("requesting events matching %s", node$events)); - request_remote_events(p, node$events); - } - - if ( node?$capture_filter && node$capture_filter != "" ) - { - local filter = node$capture_filter; - do_script_log(p, fmt("sending capture_filter: %s", filter)); - send_capture_filter(p, filter); - } - - if ( node$accept_input ) - { - do_script_log(p, "accepting state"); - set_accept_state(p, T); - } - - set_compression_level(p, node$compression); - - if ( node$sync ) - { - do_script_log(p, "requesting synchronized state"); - request_remote_sync(p, node$auth); - } - - if ( node$request_logs ) - { - do_script_log(p, "requesting logs"); - request_remote_logs(p); - } - - node$peer = p; - node$connected = T; - connected_peers[p$id] = node; - } - -event 
remote_connection_established(p: event_peer) - { - if ( is_remote_event() ) - return; - - do_script_log(p, "connection established"); - - if ( p$id in pending_peers ) - { - # We issued the connect. - local node = pending_peers[p$id]; - setup_peer(p, node); - delete pending_peers[p$id]; - } - else - { # The other side connected to us. - local found = F; - for ( i in nodes ) - { - node = nodes[i]; - if ( node$host == p$host ) - { - local c = 0; - - # See if classes match = either both have - # the same class, or neither of them has - # a class. - if ( p?$class && p$class != "" ) - ++c; - - if ( node?$class && node$class != "" ) - ++c; - - if ( c == 1 || - (c == 2 && p$class != node$class) ) - next; - - found = T; - setup_peer(p, node); - break; - } - } - - if ( ! found ) - set_compression_level(p, compression_level); - } - - complete_handshake(p); - } - -event remote_connection_closed(p: event_peer) - { - if ( is_remote_event() ) - return; - - do_script_log(p, "connection closed"); - - if ( p$id in connected_peers ) - { - local node = connected_peers[p$id]; - node$connected = F; - - delete connected_peers[p$id]; - - if ( node$retry != 0secs ) - # The core will retry. - pending_peers[p$id] = node; - } - } - -event remote_state_inconsistency(operation: string, id: string, - expected_old: string, real_old: string) - { - if ( is_remote_event() ) - return; - - local msg = fmt("state inconsistency: %s should be %s but is %s before %s", - id, expected_old, real_old, operation); - Log::write(Communication::LOG, [$ts = network_time(), - $peer = get_event_peer()$descr, - $message = msg]); - } - - -# Actually initiate the connections that need to be established. -event bro_init() &priority = -10 # let others modify nodes - { - if ( |nodes| > 0 ) - enable_communication(); - - for ( tag in nodes ) - { - if ( ! nodes[tag]$connect ) - next; - - connect_peer(tag); - } - } 
diff --git a/scripts/base/frameworks/config/README b/scripts/base/frameworks/config/README
new file mode 100644
index 0000000000..3640d1e8c4
--- /dev/null
+++ b/scripts/base/frameworks/config/README
@@ -0,0 +1,2 @@
+The configuration framework provides a way to change the Bro configuration
+in "option" values at run-time.
diff --git a/scripts/base/frameworks/config/__load__.bro b/scripts/base/frameworks/config/__load__.bro
new file mode 100644
index 0000000000..0a7a8d0713
--- /dev/null
+++ b/scripts/base/frameworks/config/__load__.bro
@@ -0,0 +1,2 @@
+@load ./main
+@load ./input
diff --git a/scripts/base/frameworks/config/input.bro b/scripts/base/frameworks/config/input.bro
new file mode 100644
index 0000000000..aaef2e59b1
--- /dev/null
+++ b/scripts/base/frameworks/config/input.bro
@@ -0,0 +1,77 @@ +##! File input for the configuration framework using the input framework. + +@load ./main +@load base/frameworks/cluster + +module Config; + +export { + ## Configuration files that will be read off disk. Files are reread + ## every time they are updated so updates should be atomic with "mv" + ## instead of writing the file in place. + ## + ## If the same configuration option is defined in several files with + ## different values, behavior is unspecified. + const config_files: set[string] = {} &redef; + + ## Read specified configuration file and apply values; updates to file + ## are not tracked. + global read_config: function(filename: string); +} + +global current_config: table[string] of string = table(); + +type ConfigItem: record { + option_nv: string; +}; + +type EventFields: record { + option_name: string; + option_val: string; +}; + +event config_line(description: Input::EventDescription, tpe: Input::Event, p: EventFields) + { + } + +event bro_init() &priority=5 + { + if ( Cluster::is_enabled() && Cluster::local_node_type() != Cluster::MANAGER ) + return; + + for ( fi in config_files ) + Input::add_table([$reader=Input::READER_CONFIG, + $mode=Input::REREAD, + $source=fi, + $name=cat("config-", fi), + $idx=ConfigItem, + $val=ConfigItem, + $want_record=F, + $destination=current_config]); + } + +event InputConfig::new_value(name: string, source: string, id: string, value: any) + { + if ( sub_bytes(name, 1, 15) != "config-oneshot-" && source !in config_files ) + return; + + Config::set_value(id, value, source); + } + +function read_config(filename: string) + { + # Only read the configuration on the manager. The other nodes are being fed from + # the manager. 
+ if ( Cluster::is_enabled() && Cluster::local_node_type() != Cluster::MANAGER ) + return; + + local iname = cat("config-oneshot-", filename); + + Input::add_event([$reader=Input::READER_CONFIG, + $mode=Input::MANUAL, + $source=filename, + $name=iname, + $fields=EventFields, + $ev=config_line]); + Input::remove(iname); + } diff --git a/scripts/base/frameworks/config/main.bro b/scripts/base/frameworks/config/main.bro new file mode 100644 index 0000000000..6268ee4a8d --- /dev/null +++ b/scripts/base/frameworks/config/main.bro 
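Review bot: The `InputConfig::new_value` handler discards the result of `Config::set_value(id, value, source)`, so a config-file entry that cannot be applied leaves no trace at this layer. `set_value` is declared to return a bool in config/main.bro, and unless `Option::set` is known to report the failure itself I would check it: `if ( ! Config::set_value(id, value, source) ) Reporter::warning(fmt("config option %s from %s not applied", id, source));`. The `config_files` comment should also say that these files can change any option at run time and therefore need to be writable only by the account that administers Bro.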
@@ -0,0 +1,165 @@ +##! The configuration framework provides a way to change Bro options +##! (as specified by the "option" keyword) at runtime. It also logs runtime +##! changes to options to config.log. + +@load base/frameworks/cluster + +module Config; + +export { + ## The config logging stream identifier. + redef enum Log::ID += { LOG }; + + ## Represents the data in config.log. + type Info: record { + ## Timestamp at which the configuration change occured. + ts: time &log; + ## ID of the value that was changed. + id: string &log; + ## Value before the change. + old_value: string &log; + ## Value after the change. + new_value: string &log; + ## Optional location that triggered the change. + location: string &optional &log; + }; + + ## Event that can be handled to access the :bro:type:`Config::Info` + ## record as it is sent on to the logging framework. + global log_config: event(rec: Info); + + ## Broker topic for announcing new configuration value. Sending new_value, + ## peers can send configuration changes that will be distributed accross + ## the entire cluster. + const change_topic = "bro/config/change"; + + ## This function is the config framework layer around the lower-level + ## :bro:see:`Option::set` call. Config::set_value will set the configuration + ## value for all nodes in the cluster, no matter where it was called. Note + ## that `bro:see:`Option::set` does not distribute configuration changes + ## to other nodes. + ## + ## ID: The ID of the option to update. + ## + ## val: The new value of the option. + ## + ## location: Optional parameter detailing where this change originated from. + ## + ## Returns: true on success, false when an error ocured. 
+ global set_value: function(ID: string, val: any, location: string &default = "" &optional): bool; +} + +@if ( Cluster::is_enabled() ) +type OptionCacheValue: record { + val: any; + location: string; +}; + +global option_cache: table[string] of OptionCacheValue; + +event bro_init() + { + Broker::subscribe(change_topic); + } + +event Config::cluster_set_option(ID: string, val: any, location: string) + { +@if ( Cluster::local_node_type() == Cluster::MANAGER ) + option_cache[ID] = OptionCacheValue($val=val, $location=location); +@endif + Option::set(ID, val, location); + } + +function set_value(ID: string, val: any, location: string &default = "" &optional): bool + { + local cache_val: any; + # first cache value in case setting it succeeds and we have to store it. + if ( Cluster::local_node_type() == Cluster::MANAGER ) + cache_val = copy(val); + # First try setting it locally - abort if not possible. + if ( ! Option::set(ID, val, location) ) + return F; + # If setting worked, copy the new value into the cache on the manager + if ( Cluster::local_node_type() == Cluster::MANAGER ) + option_cache[ID] = OptionCacheValue($val=cache_val, $location=location); + + # If it turns out that it is possible - send it to everyone else to apply. + Broker::publish(change_topic, Config::cluster_set_option, ID, val, location); + + if ( Cluster::local_node_type() != Cluster::MANAGER ) + { + Broker::relay(change_topic, change_topic, Config::cluster_set_option, ID, val, location); + } + return T; + } +@else +# Standalone implementation +function set_value(ID: string, val: any, location: string &default = "" &optional): bool + { + return Option::set(ID, val, location); + } +@endif + +@if ( Cluster::is_enabled() && Cluster::local_node_type() == Cluster::MANAGER ) +# Handling of new worker nodes. +event Cluster::node_up(name: string, id: string) &priority=-10 + { + # When a node connects, send it all current Option values. 
+ if ( name in Cluster::nodes ) + for ( ID in option_cache ) + Broker::publish(Cluster::node_topic(name), Config::cluster_set_option, ID, option_cache[ID]$val, option_cache[ID]$location); + } +@endif + + +function format_value(value: any) : string + { + local tn = type_name(value); + local part: string_vec = vector(); + if ( /^set/ in tn ) + { + local it: set[bool] = value; + for ( sv in it ) + part += cat(sv); + return join_string_vec(part, ","); + } + else if ( /^vector/ in tn ) + { + local vit: vector of any = value; + for ( i in vit ) + part += cat(vit[i]); + return join_string_vec(part, ","); + } + else if ( tn == "string" ) + return value; + + return cat(value); + } + +function config_option_changed(ID: string, new_value: any, location: string): any + { + local log = Info($ts=network_time(), $id=ID, $old_value=format_value(lookup_ID(ID)), $new_value=format_value(new_value)); + if ( location != "" ) + log$location = location; + Log::write(LOG, log); + return new_value; + } + +event bro_init() &priority=10 + { + Log::create_stream(LOG, [$columns=Info, $ev=log_config, $path="config"]); + + # Limit logging to the manager - everyone else just feeds off it. +@if ( !Cluster::is_enabled() || Cluster::local_node_type() == Cluster::MANAGER ) + # Iterate over all existing options and add ourselves as change handlers with + # a low priority so that we can log the changes. + local gids = global_ids(); + for ( i in gids ) + { + if ( ! gids[i]$option_value ) + next; + + Option::set_change_handler(i, config_option_changed, -100); + } +@endif + } diff --git a/scripts/base/frameworks/control/main.bro b/scripts/base/frameworks/control/main.bro index 17003cb5a6..e374806b55 100644 --- a/scripts/base/frameworks/control/main.bro +++ b/scripts/base/frameworks/control/main.bro 
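Review bot: In `Config::cluster_set_option` the manager writes `option_cache[ID]` before `Option::set(ID, val, location)` runs and without looking at its result, so a rejected value is still cached and later replayed to every node by the `Cluster::node_up` handler. `set_value` in the same hunk caches only after `Option::set` succeeds; the event handler should do the same by starting with `if ( ! Option::set(ID, val, location) ) return;` and filling the cache afterwards. This matters more because the handler applies whatever arrives on `change_topic` with no check on the sender. The `change_topic` comment presents that as intended, so it should state plainly that every Broker peer able to publish to the topic can change options on all nodes.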
@@ -5,6 +5,13 @@ module Control; export { + ## The topic prefix used for exchanging control messages via Broker. + const topic_prefix = "bro/control"; + + ## Whether the controllee should call :bro:see:`Broker::listen`. + ## In a cluster, this isn't needed since the setup process calls it. + const controllee_listen = T &redef; + ## The address of the host that will be controlled. const host = 0.0.0.0 &redef; @@ -22,12 +29,6 @@ export { ## This can be used by commands that take an argument. const arg = "" &redef; - ## Events that need to be handled by controllers. - const controller_events = /Control::.*_request/ &redef; - - ## Events that need to be handled by controllees. - const controllee_events = /Control::.*_response/ &redef; - ## The commands that can currently be given on the command line for ## remote control. const commands: set[string] = { @@ -73,8 +74,7 @@ export { global shutdown_response: event(); } - event terminate_event() { - terminate_communication(); + terminate(); } diff --git a/scripts/base/frameworks/files/magic/general.sig b/scripts/base/frameworks/files/magic/general.sig index d3bed97efa..23b1c1d074 100644 --- a/scripts/base/frameworks/files/magic/general.sig +++ b/scripts/base/frameworks/files/magic/general.sig @@ -116,7 +116,7 @@ signature file-reg-utf16 { # Microsoft Registry format (typically DESKTOP.DAT) signature file-regf { - file-mime "application vnd.ms-regf", 49 + file-mime "application/vnd.ms-regf", 49 file-magic /^\x72\x65\x67\x66/ } diff --git a/scripts/base/frameworks/files/main.bro b/scripts/base/frameworks/files/main.bro index ed73028236..71147a77aa 100644 --- a/scripts/base/frameworks/files/main.bro +++ b/scripts/base/frameworks/files/main.bro 
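Review bot: The comment on the new `controllee_listen` option (first hunk, `@@ -5,6 +5,13 @@`) does not say what the default of `T` exposes. With it set, a standalone controllee presumably opens a Broker listener on its own, and the requests this module defines include shutdown (`shutdown_response` is visible as context in the third hunk). The second hunk also removes the `controller_events`/`controllee_events` patterns, which used to bound the events exchanged. I would extend the comment with something like `## Setting this to T opens a Broker listener that accepts Control:: requests; limit access to the controller host.` The export block continues outside these hunks.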
@@ -135,6 +135,20 @@ export { ## The default per-file reassembly buffer size. const reassembly_buffer_size = 524288 &redef; + ## Lookup to see if a particular file id exists and is still valid. + ## + ## fuid: the file id. + ## + ## Returns: T if the file uid is known. + global file_exists: function(fuid: string): bool; + + ## Lookup an :bro:see:`fa_file` record with the file id. + ## + ## fuid: the file id. + ## + ## Returns: the associated :bro:see:`fa_file` record. + global lookup_file: function(fuid: string): fa_file; + ## Allows the file reassembler to be used if it's necessary because the ## file is transferred out of order. ## @@ -338,6 +352,16 @@ function set_info(f: fa_file) f$info$is_orig = f$is_orig; } +function file_exists(fuid: string): bool + { + return __file_exists(fuid); + } + +function lookup_file(fuid: string): fa_file + { + return __lookup_file(fuid); + } + function set_timeout_interval(f: fa_file, t: interval): bool { return __set_timeout_interval(f$id, t); diff --git a/scripts/base/frameworks/input/__load__.bro b/scripts/base/frameworks/input/__load__.bro index 9280af0258..1d81e43573 100644 --- a/scripts/base/frameworks/input/__load__.bro +++ b/scripts/base/frameworks/input/__load__.bro @@ -3,4 +3,5 @@ @load ./readers/raw @load ./readers/benchmark @load ./readers/binary +@load ./readers/config @load ./readers/sqlite diff --git a/scripts/base/frameworks/input/readers/ascii.bro b/scripts/base/frameworks/input/readers/ascii.bro index 1b486ddba0..ff1d30f3a9 100644 --- a/scripts/base/frameworks/input/readers/ascii.bro +++ b/scripts/base/frameworks/input/readers/ascii.bro @@ -9,7 +9,7 @@ export { ## Please note that the separator has to be exactly one character long. const separator = Input::separator &redef; - ## Separator between set elements. + ## Separator between set and vector elements. ## Please note that the separator has to be exactly one character long. const set_separator = Input::set_separator &redef; 
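Review bot: The doc comment for `lookup_file` (hunk `@@ -135,6 +135,20 @@`) does not say what a caller gets for a file id that is unknown or no longer valid. `file_exists` is added beside it, which suggests callers are expected to test first, but the wrapper in `@@ -338,6 +352,16 @@` passes the id straight to `__lookup_file`, whose behaviour for a stale id is not visible here. Once that behaviour is confirmed I would add a line such as `## fuid must refer to a known file; check with file_exists first.` so that handlers working on ids taken from events or logs do not use an invalid record.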
@@ -18,4 +18,33 @@ export { ## String to use for an unset &optional field. const unset_field = Input::unset_field &redef; + + ## Fail on invalid lines. If set to false, the ascii + ## input reader will jump over invalid lines, reporting + ## warnings in reporter.log. If set to true, errors in + ## input lines will be handled as fatal errors for the + ## reader thread; reading will abort immediately and + ## an error will be logged to reporter.log. + ## Individual readers can use a different value using + ## the $config table. + ## fail_on_invalid_lines = T was the default behavior + ## until Bro 2.6. + const fail_on_invalid_lines = F &redef; + + ## Fail on file read problems. If set to true, the ascii + ## input reader will fail when encountering any problems + ## while reading a file different from invalid lines. + ## Examples of such problems are permission problems, or + ## missing files. + ## When set to false, these problems will be ignored. This + ## has an especially big effect for the REREAD mode, which will + ## seamlessly recover from read errors when a file is + ## only temporarily inaccessible. For MANUAL or STREAM files, + ## errors will most likely still be fatal since no automatic + ## re-reading of the file is attempted. + ## Individual readers can use a different value using + ## the $config table. + ## fail_on_file_problem = T was the default behavior + ## until Bro 2.6. + const fail_on_file_problem = F &redef; } diff --git a/scripts/base/frameworks/input/readers/config.bro b/scripts/base/frameworks/input/readers/config.bro new file mode 100644 index 0000000000..0d334b9b65 --- /dev/null +++ b/scripts/base/frameworks/input/readers/config.bro 
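Review bot: The comment for `fail_on_file_problem` says that with the new default of `F` file problems "will be ignored", but unlike the `fail_on_invalid_lines` comment it does not say whether anything is written to reporter.log. For inputs that carry detection data, an unreadable or missing file then looks the same as an empty one. The comment should state what is reported, e.g. `## A warning is still written to reporter.log when a file cannot be read.` if that is what the reader does. The same wording is added for `fail_on_file_problem` in readers/config.bro in the next hunk.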
@@ -0,0 +1,44 @@ +##! Interface for the config input reader. + +module InputConfig; + +export { + ## Separator between set and vector elements. + ## Please note that the separator has to be exactly one character long. + const set_separator = Input::set_separator &redef; + + ## String to use for empty fields. + ## By default this is the empty string, meaning that an empty input field + ## will result in an empty set. + const empty_field = "" &redef; + + ## Fail on file read problems. If set to true, the config + ## input reader will fail when encountering any problems + ## while reading a file different from invalid lines. + ## Examples of such problems are permission problems, or + ## missing files. + ## When set to false, these problems will be ignored. This + ## has an especially big effect for the REREAD mode, which will + ## seamlessly recover from read errors when a file is + ## only temporarily inaccessible. For MANUAL or STREAM files, + ## errors will most likely still be fatal since no automatic + ## re-reading of the file is attempted. + ## Individual readers can use a different value using + ## the $config table. + const fail_on_file_problem = F &redef; + + ## Event that is called when a config option is added or changes. + ## + ## Note - this does not track the reason for a change (new, changed), + ## and also does not track removals. If you need this, combine the event + ## with a table reader. + ## + ## name: Name of the input stream. + ## + ## source: Source of the input stream. + ## + ## id: ID of the configuration option being set. + ## + ## value: New value of the configuration option being set. + global new_value: event(name: string, source: string, id: string, value: any); +} diff --git a/scripts/base/frameworks/intel/cluster.bro b/scripts/base/frameworks/intel/cluster.bro index 820a5497a2..99b920e00d 100644 --- a/scripts/base/frameworks/intel/cluster.bro +++ b/scripts/base/frameworks/intel/cluster.bro 
@@ -6,69 +6,100 @@ module Intel; -redef record Item += { - ## This field is used internally for cluster transparency to avoid - ## re-dispatching intelligence items over and over from workers. - first_dispatch: bool &default=T; -}; +export { + ## Broker topic for management of intel items. Sending insert_item and + ## remove_item events, peers can manage intelligence data. + const item_topic = "bro/intel/items" &redef; + + ## Broker topic for management of intel indicators as stored on workers + ## for matching. Sending insert_indicator and remove_indicator events, + ## the back-end manages indicators. + const indicator_topic = "bro/intel/indicators" &redef; + + ## Broker topic for matching events, generated by workers and sent to + ## the back-end for metadata enrichment and logging. + const match_topic = "bro/intel/match" &redef; +} + +# Internal events for cluster data distribution. +global insert_item: event(item: Item); +global insert_indicator: event(item: Item); # If this process is not a manager process, we don't want the full metadata. @if ( Cluster::local_node_type() != Cluster::MANAGER ) redef have_full_data = F; @endif -# Internal event for cluster data distribution. -global cluster_new_item: event(item: Item); - -# Primary intelligence management is done by the manager. -# The manager informs the workers about new items and item removal. -redef Cluster::manager2worker_events += /^Intel::(cluster_new_item|purge_item)$/; -# A worker queries the manager to insert, remove or indicate the match of an item. -redef Cluster::worker2manager_events += /^Intel::(cluster_new_item|remove_item|match_no_items)$/; - @if ( Cluster::local_node_type() == Cluster::MANAGER ) +event bro_init() + { + Broker::subscribe(item_topic); + Broker::subscribe(match_topic); + + Broker::auto_publish(indicator_topic, remove_indicator); + } + # Handling of new worker nodes. 
-event remote_connection_handshake_done(p: event_peer) +event Cluster::node_up(name: string, id: string) { # When a worker connects, send it the complete minimal data store. - # It will be kept up to date after this by the cluster_new_item event. - if ( Cluster::nodes[p$descr]$node_type == Cluster::WORKER ) + # It will be kept up to date after this by the insert_indicator event. + if ( name in Cluster::nodes && Cluster::nodes[name]$node_type == Cluster::WORKER ) { - send_id(p, "Intel::min_data_store"); + Broker::publish_id(Cluster::node_topic(name), "Intel::min_data_store"); } } -# Handling of matches triggered by worker nodes. -event Intel::match_no_items(s: Seen) &priority=5 +# On the manager, the new_item event indicates a new indicator that +# has to be distributed. +event Intel::new_item(item: Item) &priority=5 + { + if ( Cluster::proxy_pool$alive_count == 0 ) + Broker::publish(indicator_topic, Intel::insert_indicator, item); + else + Cluster::relay_rr(Cluster::proxy_pool, "Intel::new_item_relay_rr", + indicator_topic, Intel::insert_indicator, item); + } + +# Handling of item insertion triggered by remote node. +event Intel::insert_item(item: Intel::Item) &priority=5 + { + Intel::_insert(item, T); + } + +# Handling of item removal triggered by remote node. +event Intel::remove_item(item: Item, purge_indicator: bool) &priority=5 + { + remove(item, purge_indicator); + } + +# Handling of match triggered by remote node. +event Intel::match_remote(s: Seen) &priority=5 { if ( Intel::find(s) ) event Intel::match(s, Intel::get_items(s)); } - -# Handling of item removal triggered by worker nodes. -event Intel::remove_item(item: Item, purge_indicator: bool) - { - remove(item, purge_indicator); - } @endif -# Handling of item insertion. -event Intel::new_item(item: Intel::Item) &priority=5 +@if ( Cluster::local_node_type() == Cluster::WORKER ) +event bro_init() { - # The cluster manager always rebroadcasts intelligence. 
- # Workers redistribute it if it was locally generated. - if ( Cluster::local_node_type() == Cluster::MANAGER || - item$first_dispatch ) - { - item$first_dispatch=F; - event Intel::cluster_new_item(item); - } + Broker::subscribe(indicator_topic); + + Broker::auto_publish(match_topic, match_remote); + Broker::auto_publish(item_topic, remove_item); } -# Handling of item insertion by remote node. -event Intel::cluster_new_item(item: Intel::Item) &priority=5 +# On a worker, the new_item event requires to trigger the insertion +# on the manager to update the back-end data store. +event Intel::new_item(item: Intel::Item) &priority=5 { - # Ignore locally generated events to avoid event storms. - if ( is_remote_event() ) - Intel::insert(item); + Broker::publish(item_topic, Intel::insert_item, item); } + +# Handling of new indicators published by the manager. +event Intel::insert_indicator(item: Intel::Item) &priority=5 + { + Intel::_insert(item, F); + } +@endif diff --git a/scripts/base/frameworks/intel/main.bro b/scripts/base/frameworks/intel/main.bro index aa51af5ee0..ffa115e92c 100644 --- a/scripts/base/frameworks/intel/main.bro +++ b/scripts/base/frameworks/intel/main.bro @@ -177,12 +177,12 @@ export { } # Internal handler for matches with no metadata available. -global match_no_items: event(s: Seen); +global match_remote: event(s: Seen); -# Internal events for cluster data distribution. +# Internal events for (cluster) data distribution. global new_item: event(item: Item); global remove_item: event(item: Item, purge_indicator: bool); -global purge_item: event(item: Item); +global remove_indicator: event(item: Item); # Optionally store metadata. This is used internally depending on # if this is a cluster deployment or not. 
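Review bot: On the manager, the new `Intel::insert_item` and `Intel::remove_item` handlers apply whatever arrives on `item_topic` without looking at which node sent it, so any peer that can publish to "bro/intel/items" can add or delete indicators for the whole cluster. Whether that is acceptable depends on how Broker peering is restricted, which this hunk does not show. The doc comment on `item_topic` should make the trust assumption explicit, e.g. `## Any peer able to publish to this topic can modify the intel data store; restrict peering accordingly.`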
@@ -248,7 +248,7 @@ function expire_subnet_data(data: table[subnet] of MetaDataTable, idx: subnet): for ( src in meta_tbl ) add metas[meta_tbl[src]]; - return expire_item(cat(idx), ADDR, metas); + return expire_item(cat(idx), SUBNET, metas); } function expire_string_data(data: table[string, Type] of MetaDataTable, idx: any): interval @@ -357,7 +357,7 @@ function Intel::seen(s: Seen) } else { - event Intel::match_no_items(s); + event Intel::match_remote(s); } } } @@ -389,9 +389,11 @@ hook extend_match(info: Info, s: Seen, items: set[Item]) &priority=5 } } -function insert(item: Item) +# Function to insert metadata of an item. The function returns T +# if the given indicator is new. +function insert_meta_data(item: Item): bool { - # Create and fill out the metadata item. + # Prepare the metadata entry. local meta = item$meta; local meta_tbl: table [string] of MetaData; local is_new: bool = T; 
@@ -399,63 +401,101 @@ function insert(item: Item) # All intelligence is case insensitive at the moment. local lower_indicator = to_lower(item$indicator); - if ( item$indicator_type == ADDR ) + switch ( item$indicator_type ) { - local host = to_addr(item$indicator); - if ( have_full_data ) - { + case ADDR: + local host = to_addr(item$indicator); + if ( host !in data_store$host_data ) data_store$host_data[host] = table(); else + { is_new = F; + # Reset expiration timer. + data_store$host_data[host] = data_store$host_data[host]; + } meta_tbl = data_store$host_data[host]; - } + break; + case SUBNET: + local net = to_subnet(item$indicator); - add min_data_store$host_data[host]; - } - else if ( item$indicator_type == SUBNET ) - { - local net = to_subnet(item$indicator); - if ( have_full_data ) - { if ( !check_subnet(net, data_store$subnet_data) ) data_store$subnet_data[net] = table(); else + { is_new = F; + # Reset expiration timer. + data_store$subnet_data[net] = data_store$subnet_data[net]; + } meta_tbl = data_store$subnet_data[net]; - } - - add min_data_store$subnet_data[net]; - } - else - { - if ( have_full_data ) - { + break; + default: if ( [lower_indicator, item$indicator_type] !in data_store$string_data ) data_store$string_data[lower_indicator, item$indicator_type] = table(); else + { is_new = F; + # Reset expiration timer. + data_store$string_data[lower_indicator, item$indicator_type] = + data_store$string_data[lower_indicator, item$indicator_type]; + } meta_tbl = data_store$string_data[lower_indicator, item$indicator_type]; - } + break; + } - add min_data_store$string_data[lower_indicator, item$indicator_type]; + # Insert new metadata or update if already present. + meta_tbl[meta$source] = meta; + + return is_new; + } + +# Function to encapsulate insertion logic. The first_dispatch parameter +# indicates whether the item might be new for other nodes. 
+function _insert(item: Item, first_dispatch: bool &default = T) + { + # Assume that the item is new by default. + local is_new: bool = T; + + # All intelligence is case insensitive at the moment. + local lower_indicator = to_lower(item$indicator); + + # Insert indicator into MinDataStore (might exist already). + switch ( item$indicator_type ) + { + case ADDR: + local host = to_addr(item$indicator); + add min_data_store$host_data[host]; + break; + case SUBNET: + local net = to_subnet(item$indicator); + add min_data_store$subnet_data[net]; + break; + default: + add min_data_store$string_data[lower_indicator, item$indicator_type]; + break; } if ( have_full_data ) { - # Insert new metadata or update if already present - meta_tbl[meta$source] = meta; + # Insert new metadata or update if already present. + is_new = insert_meta_data(item); } - if ( is_new ) - # Trigger insert for cluster in case the item is new - # or insert was called on a worker + if ( first_dispatch && is_new ) + # Announce a (possibly) new item if this is the first dispatch and + # we know it is new or have to assume that on a worker. event Intel::new_item(item); } +function insert(item: Item) + { + # Insert possibly new item. + _insert(item, T); + } + # Function to check whether an item is present. function item_exists(item: Item): bool { @@ -536,12 +576,12 @@ function remove(item: Item, purge_indicator: bool) break; } # Trigger deletion in minimal data stores - event Intel::purge_item(item); + event Intel::remove_indicator(item); } } # Handling of indicator removal in minimal data stores. -event purge_item(item: Item) +event remove_indicator(item: Item) { switch ( item$indicator_type ) { @@ -558,4 +598,3 @@ event purge_item(item: Item) break; } } - diff --git a/scripts/base/frameworks/logging/main.bro b/scripts/base/frameworks/logging/main.bro index 998a0e0f6c..798b54839e 100644 --- a/scripts/base/frameworks/logging/main.bro +++ b/scripts/base/frameworks/logging/main.bro 
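Review bot: `_insert` adds `to_addr(item$indicator)` and `to_subnet(item$indicator)` to `min_data_store` without checking that the string parsed. As far as I know these BIFs return the unspecified value (`::` and `[::]/0`) on a parse failure rather than failing. If so, a malformed SUBNET indicator from a feed or from a remote `insert_item` would be stored as a subnet that contains every address. A guard before the `add`, such as `if ( net == [::]/0 ) { Reporter::warning(fmt("invalid subnet indicator: %s", item$indicator)); return; }`, keeps such an entry out of the store. `insert_meta_data` performs the same conversions and would need the same check.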
@@ -300,7 +300,7 @@ export { ## the correct type. ## ## .. bro:see:: Log::remove_filter Log::add_default_filter - ## Log::remove_default_filter + ## Log::remove_default_filter Log::get_filter Log::get_filter_names global add_filter: function(id: ID, filter: Filter) : bool; ## Removes a filter from an existing logging stream. @@ -315,9 +315,21 @@ export { ## if no filter associated with *name* was found. ## ## .. bro:see:: Log::remove_filter Log::add_default_filter - ## Log::remove_default_filter + ## Log::remove_default_filter Log::get_filter Log::get_filter_names global remove_filter: function(id: ID, name: string) : bool; + ## Gets the names of all filters associated with an existing + ## logging stream. + ## + ## id: The ID of a logging stream from which to obtain the list + ## of filter names. + ## + ## Returns: The set of filter names associated with the stream. + ## + ## ..bro:see:: Log::remove_filter Log::add_default_filter + ## Log::remove_default_filter Log::get_filter + global get_filter_names: function(id: ID) : set[string]; + ## Gets a filter associated with an existing logging stream. ## ## id: The ID associated with a logging stream from which to @@ -331,7 +343,7 @@ export { ## :bro:id:`Log::no_filter` sentinel value. ## ## .. bro:see:: Log::add_filter Log::remove_filter Log::add_default_filter - ## Log::remove_default_filter + ## Log::remove_default_filter Log::get_filter_names global get_filter: function(id: ID, name: string) : Filter; ## Writes a new log line/entry to a logging stream. @@ -432,6 +444,8 @@ export { global all_streams: table[ID] of Stream = table(); +global stream_filters: table[ID] of set[string] = table(); + # We keep a script-level copy of all filters so that we can manipulate them. global filters: table[ID, string] of Filter; 
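Review bot: The doc comment added for `get_filter_names` writes its cross-reference as `..bro:see::`, without the space the other comments in this file use (`.. bro:see::`), so it will probably not be recognised as a directive when the documentation is built. The line should read `## .. bro:see:: Log::remove_filter Log::add_default_filter`.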
@@ -525,16 +539,41 @@ function remove_stream(id: ID) : bool { delete active_streams[id]; delete all_streams[id]; + + if ( id in stream_filters ) + { + for ( i in stream_filters[id] ) + delete filters[id, i]; + + delete stream_filters[id]; + } return __remove_stream(id); } function disable_stream(id: ID) : bool { delete active_streams[id]; - return __disable_stream(id); } +function enable_stream(id: ID) : bool + { + if ( ! __enable_stream(id) ) + return F; + + if ( id in all_streams ) + active_streams[id] = all_streams[id]; + } + +# convenience function to add a filter name to stream_filters +function add_stream_filters(id: ID, name: string) + { + if ( id in stream_filters ) + add stream_filters[id][name]; + else + stream_filters[id] = set(name); + } + function add_filter(id: ID, filter: Filter) : bool { local stream = all_streams[id]; @@ -545,13 +584,22 @@ function add_filter(id: ID, filter: Filter) : bool if ( ! filter?$path && ! filter?$path_func ) filter$path_func = default_path_func; - filters[id, filter$name] = filter; - return __add_filter(id, filter); + local res = __add_filter(id, filter); + if ( res ) + { + add_stream_filters(id, filter$name); + filters[id, filter$name] = filter; + } + return res; } function remove_filter(id: ID, name: string) : bool { + if ( id in stream_filters ) + delete stream_filters[id][name]; + delete filters[id, name]; + return __remove_filter(id, name); } @@ -563,6 +611,14 @@ function get_filter(id: ID, name: string) : Filter return no_filter; } +function get_filter_names(id: ID) : set[string] + { + if ( id in stream_filters ) + return stream_filters[id]; + else + return set(); + } + function write(id: ID, columns: any) : bool { return __write(id, columns); diff --git a/scripts/base/frameworks/logging/writers/ascii.bro b/scripts/base/frameworks/logging/writers/ascii.bro index c10c86145e..6f2b03aafd 100644 --- a/scripts/base/frameworks/logging/writers/ascii.bro +++ b/scripts/base/frameworks/logging/writers/ascii.bro 
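Review bot: `enable_stream` is declared `: bool` but returns only on the failure path. After `active_streams[id] = all_streams[id];` the function ends without a value, so a caller that tests the result never receives `T` on success. Add `return T;` as the last statement. `remove_stream` and `disable_stream` in the same hunk return the result of their `__` counterpart, so only this function is affected.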
@@ -26,6 +26,13 @@ export { ## This option is also available as a per-filter ``$config`` option. const use_json = F &redef; + ## Define the gzip level to compress the logs. If 0, then no gzip + ## compression is performed. Enabling compression also changes + ## the log file name extension to include ".gz". + ## + ## This option is also available as a per-filter ``$config`` option. + const gzip_level = 0 &redef; + ## Format of timestamps when writing out JSON. By default, the JSON ## formatter will use double values for timestamps which represent the ## number of seconds from the UNIX epoch. @@ -72,9 +79,12 @@ export { # runs the writer's default postprocessor command on it. function default_rotation_postprocessor_func(info: Log::RotationInfo) : bool { + # If the filename has a ".gz" extension, then keep it. + local gz = info$fname[-3:] == ".gz" ? ".gz" : ""; + # Move file to name including both opening and closing time. - local dst = fmt("%s.%s.log", info$path, - strftime(Log::default_rotation_date_format, info$open)); + local dst = fmt("%s.%s.log%s", info$path, + strftime(Log::default_rotation_date_format, info$open), gz); system(fmt("/bin/mv %s %s", info$fname, dst)); diff --git a/scripts/base/frameworks/netcontrol/catch-and-release.bro b/scripts/base/frameworks/netcontrol/catch-and-release.bro index 2d28274f77..57f135de10 100644 --- a/scripts/base/frameworks/netcontrol/catch-and-release.bro +++ b/scripts/base/frameworks/netcontrol/catch-and-release.bro 
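Review bot: In `default_rotation_postprocessor_func`, `dst` gains a further component and is still interpolated unquoted, together with `info$fname`, into the command line given to `system`. `dst` is built from `info$path`, and presumably the file name is too; a filter's `path_func` can compute that path at run time, so a path with spaces or shell metacharacters would change what the shell executes. How much control a `path_func` has over the path is not visible in this hunk. Quoting both arguments removes the dependency on that, e.g. `system(fmt("/bin/mv %s %s", safe_shell_quote(info$fname), safe_shell_quote(dst)));`, if `safe_shell_quote` is available in this tree. The function continues past the end of the hunk.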
@@ -225,9 +225,22 @@ global blocks: table[addr] of BlockInfo = {} @if ( Cluster::is_enabled() ) -@load base/frameworks/cluster -redef Cluster::manager2worker_events += /NetControl::catch_release_block_(new|delete)/; -redef Cluster::worker2manager_events += /NetControl::catch_release_(add|delete|encountered)/; + +@if ( Cluster::local_node_type() == Cluster::MANAGER ) +event bro_init() + { + Broker::auto_publish(Cluster::worker_topic, NetControl::catch_release_block_new); + Broker::auto_publish(Cluster::worker_topic, NetControl::catch_release_block_delete); + } +@else +event bro_init() + { + Broker::auto_publish(Cluster::manager_topic, NetControl::catch_release_add); + Broker::auto_publish(Cluster::manager_topic, NetControl::catch_release_delete); + Broker::auto_publish(Cluster::manager_topic, NetControl::catch_release_encountered); + } +@endif + @endif function cr_check_rule(r: Rule): bool diff --git a/scripts/base/frameworks/netcontrol/cluster.bro b/scripts/base/frameworks/netcontrol/cluster.bro index 9abe44b34d..d70ab6d1c1 100644 --- a/scripts/base/frameworks/netcontrol/cluster.bro +++ b/scripts/base/frameworks/netcontrol/cluster.bro 
@@ -16,10 +16,25 @@ export { global cluster_netcontrol_delete_rule: event(id: string, reason: string); } -## Workers need ability to forward commands to manager. -redef Cluster::worker2manager_events += /NetControl::cluster_netcontrol_(add|remove|delete)_rule/; -## Workers need to see the result events from the manager. -redef Cluster::manager2worker_events += /NetControl::rule_(added|removed|timeout|error|exists|new|destroyed)/; +@if ( Cluster::local_node_type() == Cluster::MANAGER ) +event bro_init() + { + Broker::auto_publish(Cluster::worker_topic, NetControl::rule_added); + Broker::auto_publish(Cluster::worker_topic, NetControl::rule_removed); + Broker::auto_publish(Cluster::worker_topic, NetControl::rule_timeout); + Broker::auto_publish(Cluster::worker_topic, NetControl::rule_error); + Broker::auto_publish(Cluster::worker_topic, NetControl::rule_exists); + Broker::auto_publish(Cluster::worker_topic, NetControl::rule_new); + Broker::auto_publish(Cluster::worker_topic, NetControl::rule_destroyed); + } +@else +event bro_init() + { + Broker::auto_publish(Cluster::manager_topic, NetControl::cluster_netcontrol_add_rule); + Broker::auto_publish(Cluster::manager_topic, NetControl::cluster_netcontrol_remove_rule); + Broker::auto_publish(Cluster::manager_topic, NetControl::cluster_netcontrol_delete_rule); + } +@endif function activate(p: PluginState, priority: int) { diff --git a/scripts/base/frameworks/netcontrol/main.bro b/scripts/base/frameworks/netcontrol/main.bro index 3e9b35fa8c..a9418508af 100644 --- a/scripts/base/frameworks/netcontrol/main.bro +++ b/scripts/base/frameworks/netcontrol/main.bro 
@@ -555,19 +555,19 @@ function quarantine_host(infected: addr, dns: addr, quarantine: addr, t: interva local orules: vector of string = vector(); local edrop: Entity = [$ty=FLOW, $flow=Flow($src_h=addr_to_subnet(infected))]; local rdrop: Rule = [$ty=DROP, $target=FORWARD, $entity=edrop, $expire=t, $location=location]; - orules[|orules|] = add_rule(rdrop); + orules += add_rule(rdrop); local todnse: Entity = [$ty=FLOW, $flow=Flow($src_h=addr_to_subnet(infected), $dst_h=addr_to_subnet(dns), $dst_p=53/udp)]; local todnsr = Rule($ty=MODIFY, $target=FORWARD, $entity=todnse, $expire=t, $location=location, $mod=FlowMod($dst_h=quarantine), $priority=+5); - orules[|orules|] = add_rule(todnsr); + orules += add_rule(todnsr); local fromdnse: Entity = [$ty=FLOW, $flow=Flow($src_h=addr_to_subnet(dns), $src_p=53/udp, $dst_h=addr_to_subnet(infected))]; local fromdnsr = Rule($ty=MODIFY, $target=FORWARD, $entity=fromdnse, $expire=t, $location=location, $mod=FlowMod($src_h=dns), $priority=+5); - orules[|orules|] = add_rule(fromdnsr); + orules += add_rule(fromdnsr); local wle: Entity = [$ty=FLOW, $flow=Flow($src_h=addr_to_subnet(infected), $dst_h=addr_to_subnet(quarantine), $dst_p=80/tcp)]; local wlr = Rule($ty=WHITELIST, $target=FORWARD, $entity=wle, $expire=t, $location=location, $priority=+5); - orules[|orules|] = add_rule(wlr); + orules += add_rule(wlr); return orules; } @@ -637,7 +637,7 @@ event NetControl::init() &priority=-20 function activate_impl(p: PluginState, priority: int) { p$_priority = priority; - plugins[|plugins|] = p; + plugins += p; sort(plugins, function(p1: PluginState, p2: PluginState) : int { return p2$_priority - p1$_priority; }); plugin_ids[plugin_counter] = p; @@ -734,7 +734,7 @@ function find_rules_subnet(sn: subnet) : vector of Rule for ( rule_id in rules_by_subnets[sn_entry] ) { if ( rule_id in rules ) - ret[|ret|] = rules[rule_id]; + ret += rules[rule_id]; else Reporter::error("find_rules_subnet - internal data structure error, missing rule"); } 
diff --git a/scripts/base/frameworks/netcontrol/plugins/acld.bro b/scripts/base/frameworks/netcontrol/plugins/acld.bro index 2c4760e066..99a9166ce9 100644 --- a/scripts/base/frameworks/netcontrol/plugins/acld.bro +++ b/scripts/base/frameworks/netcontrol/plugins/acld.bro @@ -6,8 +6,6 @@ module NetControl; @load ../plugin @load base/frameworks/broker -@ifdef ( Broker::__enable ) - export { type AclRule : record { command: string; @@ -243,7 +241,7 @@ function acld_add_rule_fun(p: PluginState, r: Rule) : bool if ( ar$command == "" ) return F; - Broker::send_event(p$acld_config$acld_topic, Broker::event_args(acld_add_rule, p$acld_id, r, ar)); + Broker::publish(p$acld_config$acld_topic, acld_add_rule, p$acld_id, r, ar); return T; } @@ -266,19 +264,20 @@ function acld_remove_rule_fun(p: PluginState, r: Rule, reason: string) : bool ar$comment = reason; } - Broker::send_event(p$acld_config$acld_topic, Broker::event_args(acld_remove_rule, p$acld_id, r, ar)); + Broker::publish(p$acld_config$acld_topic, acld_remove_rule, p$acld_id, r, ar); return T; } function acld_init(p: PluginState) { - Broker::enable(); - Broker::connect(cat(p$acld_config$acld_host), p$acld_config$acld_port, 1sec); - Broker::subscribe_to_events(p$acld_config$acld_topic); + Broker::subscribe(p$acld_config$acld_topic); + Broker::peer(cat(p$acld_config$acld_host), p$acld_config$acld_port); } -event Broker::outgoing_connection_established(peer_address: string, peer_port: port, peer_name: string) +event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) { + local peer_address = cat(endpoint$network$address); + local peer_port = endpoint$network$bound_port; if ( [peer_port, peer_address] !in netcontrol_acld_peers ) # ok, this one was none of ours... return; @@ -315,5 +314,3 @@ function create_acld(config: AcldConfig) : PluginState return p; } - -@endif 
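Review bot: The new `Broker::peer_added` handler reads `endpoint$network$address` and `endpoint$network$bound_port` without first testing `endpoint?$network`. The handler runs for every peering of the process, not only the acld connection. If `network` is an optional field of `Broker::EndpointInfo` (the record is defined outside this page), an endpoint without it would abort the handler with a runtime error. A guard as the first statement, `if ( ! endpoint?$network ) return;`, avoids that. The same pattern is added to the handler in scripts/base/frameworks/netcontrol/plugins/broker.bro.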
diff --git a/scripts/base/frameworks/netcontrol/plugins/broker.bro b/scripts/base/frameworks/netcontrol/plugins/broker.bro index cb1d5dd786..4bfb231c94 100644 --- a/scripts/base/frameworks/netcontrol/plugins/broker.bro +++ b/scripts/base/frameworks/netcontrol/plugins/broker.bro @@ -8,8 +8,6 @@ module NetControl; @load ../plugin @load base/frameworks/broker -@ifdef ( Broker::__enable ) - export { ## This record specifies the configuration that is passed to :bro:see:`NetControl::create_broker`. type BrokerConfig: record { @@ -151,7 +149,7 @@ function broker_add_rule_fun(p: PluginState, r: Rule) : bool if ( ! broker_check_rule(p, r) ) return F; - Broker::send_event(p$broker_config$topic, Broker::event_args(broker_add_rule, p$broker_id, r)); + Broker::publish(p$broker_config$topic, Broker::make_event(broker_add_rule, p$broker_id, r)); return T; } @@ -160,19 +158,20 @@ function broker_remove_rule_fun(p: PluginState, r: Rule, reason: string) : bool if ( ! broker_check_rule(p, r) ) return F; - Broker::send_event(p$broker_config$topic, Broker::event_args(broker_remove_rule, p$broker_id, r, reason)); + Broker::publish(p$broker_config$topic, Broker::make_event(broker_remove_rule, p$broker_id, r, reason)); return T; } function broker_init(p: PluginState) { - Broker::enable(); - Broker::connect(cat(p$broker_config$host), p$broker_config$bport, 1sec); - Broker::subscribe_to_events(p$broker_config$topic); + Broker::subscribe(p$broker_config$topic); + Broker::peer(cat(p$broker_config$host), p$broker_config$bport); } -event Broker::outgoing_connection_established(peer_address: string, peer_port: port, peer_name: string) +event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) { + local peer_address = cat(endpoint$network$address); + local peer_port = endpoint$network$bound_port; if ( [peer_port, peer_address] !in netcontrol_broker_peers ) return; @@ -219,5 +218,3 @@ function create_broker(config: BrokerConfig, can_expire: bool) : PluginState return p; } - -@endif 
diff --git a/scripts/base/frameworks/netcontrol/plugins/openflow.bro b/scripts/base/frameworks/netcontrol/plugins/openflow.bro index 07be594b57..f1403a70a8 100644 --- a/scripts/base/frameworks/netcontrol/plugins/openflow.bro +++ b/scripts/base/frameworks/netcontrol/plugins/openflow.bro @@ -158,17 +158,17 @@ function entity_to_match(p: PluginState, e: Entity): vector of OpenFlow::ofp_mat if ( e$ty == CONNECTION ) { - v[|v|] = OpenFlow::match_conn(e$conn); # forward and... - v[|v|] = OpenFlow::match_conn(e$conn, T); # reverse + v += OpenFlow::match_conn(e$conn); # forward and... + v += OpenFlow::match_conn(e$conn, T); # reverse return openflow_match_pred(p, e, v); } if ( e$ty == MAC ) { - v[|v|] = OpenFlow::ofp_match( + v += OpenFlow::ofp_match( $dl_src=e$mac ); - v[|v|] = OpenFlow::ofp_match( + v += OpenFlow::ofp_match( $dl_dst=e$mac ); @@ -182,12 +182,12 @@ function entity_to_match(p: PluginState, e: Entity): vector of OpenFlow::ofp_mat if ( is_v6_subnet(e$ip) ) dl_type = OpenFlow::ETH_IPv6; - v[|v|] = OpenFlow::ofp_match( + v += OpenFlow::ofp_match( $dl_type=dl_type, $nw_src=e$ip ); - v[|v|] = OpenFlow::ofp_match( + v += OpenFlow::ofp_match( $dl_type=dl_type, $nw_dst=e$ip ); @@ -231,7 +231,7 @@ function entity_to_match(p: PluginState, e: Entity): vector of OpenFlow::ofp_mat m$tp_dst = port_to_count(f$dst_p); } - v[|v|] = m; + v += m; return openflow_match_pred(p, e, v); } @@ -318,7 +318,7 @@ function openflow_add_rule(p: PluginState, r: Rule) : bool ++flow_mod$cookie; } else - event rule_error(r, p, "Error while executing OpenFlow::flow_mod"); + event NetControl::rule_error(r, p, "Error while executing OpenFlow::flow_mod"); } return T; @@ -338,7 +338,7 @@ function openflow_remove_rule(p: PluginState, r: Rule, reason: string) : bool of_messages[r$cid, flow_mod$command] = OfTable($p=p, $r=r); else { - event rule_error(r, p, "Error while executing OpenFlow::flow_mod"); + event NetControl::rule_error(r, p, "Error while executing OpenFlow::flow_mod"); return F; } 
diff --git a/scripts/base/frameworks/notice/__load__.bro b/scripts/base/frameworks/notice/__load__.bro index bcf3cd6898..54e704c744 100644 --- a/scripts/base/frameworks/notice/__load__.bro +++ b/scripts/base/frameworks/notice/__load__.bro @@ -8,18 +8,5 @@ @load ./actions/page @load ./actions/add-geodata -# There shouldn't be any default overhead from loading these since they -# *should* only do anything when notices have the ACTION_EMAIL action applied. -@load ./extend-email/hostnames - -# The cluster framework must be loaded first. -@load base/frameworks/cluster - -@if ( Cluster::is_enabled() ) -@load ./cluster -@else -@load ./non-cluster -@endif - # Load here so that it can check whether clustering is enabled. -@load ./actions/pp-alarms \ No newline at end of file +@load ./actions/pp-alarms diff --git a/scripts/base/frameworks/notice/actions/pp-alarms.bro b/scripts/base/frameworks/notice/actions/pp-alarms.bro index 453c82e3d1..a385d8c626 100644 --- a/scripts/base/frameworks/notice/actions/pp-alarms.bro +++ b/scripts/base/frameworks/notice/actions/pp-alarms.bro @@ -155,9 +155,11 @@ function pretty_print_alarm(out: file, n: Info) @if ( Cluster::is_enabled() ) pdescr = "local"; - - if ( n?$src_peer ) - pdescr = n$src_peer?$descr ? n$src_peer$descr : fmt("%s", n$src_peer$host); + + if ( n?$peer_descr ) + pdescr = n$peer_descr; + else if ( n?$peer_name ) + pdescr = n$peer_name; pdescr = fmt("<%s> ", pdescr); @endif diff --git a/scripts/base/frameworks/notice/cluster.bro b/scripts/base/frameworks/notice/cluster.bro deleted file mode 100644 index 3c3fbc6d36..0000000000 --- a/scripts/base/frameworks/notice/cluster.bro +++ /dev/null 
@@ -1,53 +0,0 @@ -##! Implements notice functionality across clusters. Worker nodes -##! will disable notice/alarm logging streams and forward notice -##! events to the manager node for logging/processing. - -@load ./main -@load base/frameworks/cluster - -module Notice; - -export { - ## This is the event used to transport notices on the cluster. - ## - ## n: The notice information to be sent to the cluster manager for - ## further processing. - global cluster_notice: event(n: Notice::Info); -} - -## Manager can communicate notice suppression to workers. -redef Cluster::manager2worker_events += /Notice::begin_suppression/; -## Workers need ability to forward notices to manager. -redef Cluster::worker2manager_events += /Notice::cluster_notice/; - -@if ( Cluster::local_node_type() != Cluster::MANAGER ) -event Notice::begin_suppression(n: Notice::Info) - { - local suppress_until = n$ts + n$suppress_for; - suppressing[n$note, n$identifier] = suppress_until; - } -@endif - -@if ( Cluster::local_node_type() == Cluster::MANAGER ) -event Notice::cluster_notice(n: Notice::Info) - { - # Raise remotely received notices on the manager - NOTICE(n); - } -@endif - -module GLOBAL; - -## This is the entry point in the global namespace for the notice framework. -function NOTICE(n: Notice::Info) - { - # Suppress this notice if necessary. - if ( Notice::is_being_suppressed(n) ) - return; - - if ( Cluster::local_node_type() == Cluster::MANAGER ) - Notice::internal_NOTICE(n); - else - # For non-managers, send the notice on to the manager. - event Notice::cluster_notice(n); - } diff --git a/scripts/base/frameworks/notice/main.bro b/scripts/base/frameworks/notice/main.bro index a203f6a772..3d4e354394 100644 --- a/scripts/base/frameworks/notice/main.bro +++ b/scripts/base/frameworks/notice/main.bro 
@@ -4,6 +4,8 @@ ##! what is bad activity for sites. More extensive documentation about using ##! the notice framework can be found in :doc:`/frameworks/notice`. +@load base/frameworks/cluster + module Notice; export { @@ -117,9 +119,10 @@ export { ## Associated count, or perhaps a status code. n: count &log &optional; - ## Peer that raised this notice. - src_peer: event_peer &optional; - ## Textual description for the peer that raised this notice. + ## Name of remote peer that raised this notice. + peer_name: string &optional; + ## Textual description for the peer that raised this notice, + ## including name, host address and port. peer_descr: string &log &optional; ## The actions which have been applied to this notice. @@ -261,9 +264,14 @@ export { ## This event is generated when a notice begins to be suppressed. ## - ## n: The record containing notice data regarding the notice type - ## about to be suppressed. - global begin_suppression: event(n: Notice::Info); + ## ts: time indicating then when the notice to be suppressed occured. + ## + ## suppress_for: length of time that this notice should be suppressed. + ## + ## note: The :bro:type:`Notice::Type` of the notice. + ## + ## identifier: The identifier string of the notice that should be suppressed. + global begin_suppression: event(ts: time, suppress_for: interval, note: Type, identifier: string); ## A function to determine if an event is supposed to be suppressed. ## 
@@ -311,8 +319,36 @@ export { ## ## n: The record of notice data. global internal_NOTICE: function(n: Notice::Info); + + ## This is the event used to transport notices on the cluster. + ## + ## n: The notice information to be sent to the cluster manager for + ## further processing. + global cluster_notice: event(n: Notice::Info); } +module GLOBAL; + +function NOTICE(n: Notice::Info) + { + if ( Notice::is_being_suppressed(n) ) + return; + + @if ( Cluster::is_enabled() ) + if ( Cluster::local_node_type() == Cluster::MANAGER ) + Notice::internal_NOTICE(n); + else + { + n$peer_name = n$peer_descr = Cluster::node; + Broker::publish(Cluster::manager_topic, Notice::cluster_notice, n); + } + @else + Notice::internal_NOTICE(n); + @endif + } + +module Notice; + # This is used as a hack to implement per-item expiration intervals. function per_notice_suppression_interval(t: table[Notice::Type, string] of time, idx: any): interval { @@ -363,24 +399,6 @@ event bro_init() &priority=5 $interv=24hrs, $postprocessor=log_mailing_postprocessor]); } -# TODO: fix this. -#function notice_tags(n: Notice::Info) : table[string] of string -# { -# local tgs: table[string] of string = table(); -# if ( is_remote_event() ) -# { -# if ( n$src_peer$descr != "" ) -# tgs["es"] = n$src_peer$descr; -# else -# tgs["es"] = fmt("%s/%s", n$src_peer$host, n$src_peer$p); -# } -# else -# { -# tgs["es"] = peer_description; -# } -# return tgs; -# } - function email_headers(subject_desc: string, dest: string): string { local header_text = string_cat( 
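Review bot: The `Notice::Info` field comment changed earlier in this file describes `peer_descr` as "including name, host address and port", but the only assignment this change adds is `n$peer_name = n$peer_descr = Cluster::node;`, which stores just the node name and only on non-manager cluster nodes. Combined with the lines removed from `apply_policy`, notices raised on the manager or in a standalone process appear to reach the log with `peer_descr` unset. That drops attribution consumers of notice.log may rely on. Either set the field in the other two branches of `NOTICE` as well, or correct the field comment, e.g. `## Name of the node that raised this notice; unset for notices raised locally.`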
@@ -501,11 +519,25 @@ hook Notice::notice(n: Notice::Info) &priority=-5 if ( n?$identifier && [n$note, n$identifier] !in suppressing && n$suppress_for != 0secs ) - { - local suppress_until = n$ts + n$suppress_for; - suppressing[n$note, n$identifier] = suppress_until; - event Notice::begin_suppression(n); - } + { + event Notice::begin_suppression(n$ts, n$suppress_for, n$note, n$identifier); + } + } + +event Notice::begin_suppression(ts: time, suppress_for: interval, note: Type, + identifier: string) + { + local suppress_until = ts + suppress_for; + suppressing[note, identifier] = suppress_until; + } + +event bro_init() + { + if ( ! Cluster::is_enabled() ) + return; + + Broker::auto_publish(Cluster::worker_topic, Notice::begin_suppression); + Broker::auto_publish(Cluster::proxy_topic, Notice::begin_suppression); } function is_being_suppressed(n: Notice::Info): bool @@ -607,12 +639,6 @@ function apply_policy(n: Notice::Info) n$dst = n$iconn$resp_h; } - if ( ! n?$src_peer ) - n$src_peer = get_event_peer(); - if ( ! n?$peer_descr ) - n$peer_descr = n$src_peer?$descr ? - n$src_peer$descr : fmt("%s", n$src_peer$host); - if ( ! n?$email_body_sections ) n$email_body_sections = vector(); if ( ! n?$email_delay_tokens ) @@ -647,6 +673,7 @@ function internal_NOTICE(n: Notice::Info) hook Notice::notice(n); } -module GLOBAL; - -global NOTICE: function(n: Notice::Info); +event Notice::cluster_notice(n: Notice::Info) + { + NOTICE(n); + } diff --git a/scripts/base/frameworks/notice/non-cluster.bro b/scripts/base/frameworks/notice/non-cluster.bro deleted file mode 100644 index a9f503a9f3..0000000000 --- a/scripts/base/frameworks/notice/non-cluster.bro +++ /dev/null @@ -1,14 +0,0 @@ - -@load ./main - -module GLOBAL; - -## This is the entry point in the global namespace for the notice framework. -function NOTICE(n: Notice::Info) - { - # Suppress this notice if necessary. - if ( Notice::is_being_suppressed(n) ) - return; - - Notice::internal_NOTICE(n); - } 
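Review bot: In the `Notice::notice` hook the `suppressing` table is now written only by the `begin_suppression` handler, which runs after the queued event is dispatched, whereas the removed lines wrote it inline. Until that handler runs, `[n$note, n$identifier] !in suppressing` is still true, so a second notice with the same note and identifier that passes through the hook in the meantime (two NOTICE calls from one event handler, for instance) is not suppressed and queues a second `begin_suppression`. Keeping the inline write next to the event closes the window: `suppressing[n$note, n$identifier] = n$ts + n$suppress_for;`. The hook body starts outside this hunk.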
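Review bot: The new `Notice::cluster_notice` handler passes the received record to `NOTICE(n)` unchanged, so `peer_name`, `peer_descr` and every other field reach the notice policy and notice.log exactly as the sending node set them. That is sound only if everything able to publish to the manager topic is a trusted cluster node, which this diff does not show. I would state the assumption above the handler, `# Trusts the sender: n arrives as the remote node built it; peering must be limited to cluster nodes.`, and consider dropping records from unknown names with `if ( ! n?$peer_name || n$peer_name !in Cluster::nodes ) return;`.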
diff --git a/scripts/base/frameworks/notice/weird.bro b/scripts/base/frameworks/notice/weird.bro index 6c8ba14974..42bed543ee 100644 --- a/scripts/base/frameworks/notice/weird.bro +++ b/scripts/base/frameworks/notice/weird.bro @@ -106,6 +106,7 @@ export { ["baroque_SYN"] = ACTION_LOG, ["base64_illegal_encoding"] = ACTION_LOG, ["connection_originator_SYN_ack"] = ACTION_LOG_PER_ORIG, + ["contentline_size_exceeded"] = ACTION_LOG, ["corrupt_tcp_options"] = ACTION_LOG_PER_ORIG, ["crud_trailing_HTTP_request"] = ACTION_LOG, ["data_after_reset"] = ACTION_LOG, diff --git a/scripts/base/frameworks/openflow/cluster.bro b/scripts/base/frameworks/openflow/cluster.bro index 28de1db3c3..9ae4274bb7 100644 --- a/scripts/base/frameworks/openflow/cluster.bro +++ b/scripts/base/frameworks/openflow/cluster.bro @@ -13,8 +13,14 @@ export { global cluster_flow_clear: event(name: string); } -## Workers need ability to forward commands to manager. -redef Cluster::worker2manager_events += /OpenFlow::cluster_flow_(mod|clear)/; +@if ( Cluster::local_node_type() != Cluster::MANAGER ) +# Workers need ability to forward commands to manager. +event bro_init() + { + Broker::auto_publish(Cluster::manager_topic, OpenFlow::cluster_flow_mod); + Broker::auto_publish(Cluster::manager_topic, OpenFlow::cluster_flow_clear); + } +@endif # the flow_mod function wrapper function flow_mod(controller: Controller, match: ofp_match, flow_mod: ofp_flow_mod): bool diff --git a/scripts/base/frameworks/openflow/plugins/broker.bro b/scripts/base/frameworks/openflow/plugins/broker.bro index fee2dc573d..f37f0b8afc 100644 --- a/scripts/base/frameworks/openflow/plugins/broker.bro +++ b/scripts/base/frameworks/openflow/plugins/broker.bro @@ -5,8 +5,6 @@ module OpenFlow; -@ifdef ( Broker::__enable ) - export { redef enum Plugin += { BROKER, 
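Review bot: The comment in openflow/cluster.bro says workers need to forward commands, but the guard `@if ( Cluster::local_node_type() != Cluster::MANAGER )` enables the auto-publish on every node type that is not the manager, which presumably includes proxies and loggers. The removed `worker2manager_events` redef was specific to workers. Either narrow the guard to `@if ( Cluster::local_node_type() == Cluster::WORKER )` or reword the comment to `# All non-manager nodes forward flow commands to the manager.` so the widened scope is deliberate and visible. The `bro_init` added inside the existing non-manager `@if` in sumstats/cluster.bro has the same shape.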
@@ -49,27 +47,28 @@ function broker_describe(state: ControllerState): string function broker_flow_mod_fun(state: ControllerState, match: ofp_match, flow_mod: OpenFlow::ofp_flow_mod): bool { - Broker::send_event(state$broker_topic, Broker::event_args(broker_flow_mod, state$_name, state$broker_dpid, match, flow_mod)); + Broker::publish(state$broker_topic, Broker::make_event(broker_flow_mod, state$_name, state$broker_dpid, match, flow_mod)); return T; } function broker_flow_clear_fun(state: OpenFlow::ControllerState): bool { - Broker::send_event(state$broker_topic, Broker::event_args(broker_flow_clear, state$_name, state$broker_dpid)); + Broker::publish(state$broker_topic, Broker::make_event(broker_flow_clear, state$_name, state$broker_dpid)); return T; } function broker_init(state: OpenFlow::ControllerState) { - Broker::enable(); - Broker::connect(cat(state$broker_host), state$broker_port, 1sec); - Broker::subscribe_to_events(state$broker_topic); # openflow success and failure events are directly sent back via the other plugin via broker. + Broker::peer(cat(state$broker_host), state$broker_port); + Broker::subscribe(state$broker_topic); # openflow success and failure events are directly sent back via the other plugin via broker. } -event Broker::outgoing_connection_established(peer_address: string, peer_port: port, peer_name: string) +event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) { + local peer_address = cat(endpoint$network$address); + local peer_port = endpoint$network$bound_port; if ( [peer_port, peer_address] !in broker_peers ) # ok, this one was none of ours... return; @@ -94,5 +93,3 @@ function broker_new(name: string, host: addr, host_port: port, topic: string, dp return c; } - -@endif diff --git a/scripts/base/frameworks/openflow/plugins/ryu.bro b/scripts/base/frameworks/openflow/plugins/ryu.bro index f022fe0f03..cc400293a0 100644 --- a/scripts/base/frameworks/openflow/plugins/ryu.bro 
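Review bot: The rewritten `Broker::peer_added` handler reads `endpoint$network$address` and `endpoint$network$bound_port` without first checking that `network` is present. If `network` is an optional field of `Broker::EndpointInfo`, as I believe it is, a peer that reports no network information would raise a runtime error here instead of falling through to the "none of ours" return. A guard as the first statement avoids that: `if ( ! endpoint?$network ) return;`. The handler body continues outside the hunk, and the `broker_peers` key it is compared against is built elsewhere, so the string form produced by `cat(...)` should be confirmed to match what `broker_new` stores.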
+++ b/scripts/base/frameworks/openflow/plugins/ryu.bro @@ -88,7 +88,7 @@ function ryu_flow_mod(state: OpenFlow::ControllerState, match: ofp_match, flow_m local flow_actions: vector of ryu_flow_action = vector(); for ( i in flow_mod$actions$out_ports ) - flow_actions[|flow_actions|] = ryu_flow_action($_type="OUTPUT", $_port=flow_mod$actions$out_ports[i]); + flow_actions += ryu_flow_action($_type="OUTPUT", $_port=flow_mod$actions$out_ports[i]); # Generate our ryu_flow_mod record for the ReST API call. local mod: ryu_ofp_flow_mod = ryu_ofp_flow_mod( diff --git a/scripts/base/frameworks/software/main.bro b/scripts/base/frameworks/software/main.bro index 0c1c4cd302..8ff399176b 100644 --- a/scripts/base/frameworks/software/main.bro +++ b/scripts/base/frameworks/software/main.bro @@ -6,6 +6,7 @@ @load base/utils/directions-and-hosts @load base/utils/numbers +@load base/frameworks/cluster module Software; @@ -68,8 +69,9 @@ export { ## Hosts whose software should be detected and tracked. ## Choices are: LOCAL_HOSTS, REMOTE_HOSTS, ALL_HOSTS, NO_HOSTS. const asset_tracking = LOCAL_HOSTS &redef; - + ## Other scripts should call this function when they detect software. + ## ## id: The connection id where the software was discovered. ## ## info: A record representing the software discovered. 
@@ -84,6 +86,16 @@ export { ## is compared lexicographically. global cmp_versions: function(v1: Version, v2: Version): int; + ## Sometimes software will expose itself on the network with + ## slight naming variations. This table provides a mechanism + ## for a piece of software to be renamed to a single name + ## even if it exposes itself with an alternate name. The + ## yielded string is the name that will be logged and generally + ## used for everything. + global alternate_names: table[string] of string { + ["Flash Player"] = "Flash", + } &default=function(a: string): string { return a; }; + ## Type to represent a collection of :bro:type:`Software::Info` records. ## It's indexed with the name of a piece of software such as "Firefox" ## and it yields a :bro:type:`Software::Info` record with more @@ -92,15 +104,21 @@ export { ## The set of software associated with an address. Data expires from ## this table after one day by default so that a detected piece of - ## software will be logged once each day. - global tracked: table[addr] of SoftwareSet - &create_expire=1day - &synchronized - &redef; + ## software will be logged once each day. In a cluster, this table is + ## uniformly distributed among proxy nodes. + global tracked: table[addr] of SoftwareSet &create_expire=1day; ## This event can be handled to access the :bro:type:`Software::Info` ## record as it is sent on to the logging framework. global log_software: event(rec: Info); + + ## This event can be handled to access software information whenever it's + ## version is found to have changed. + global version_change: event(old: Info, new: Info); + + ## This event is raised when software is about to be registered for + ## tracking in :bro:see:`Software::tracked`. + global register: event(info: Info); } event bro_init() &priority=5 
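Review bot: `Software::tracked` loses `&redef` along with `&synchronized`, so a site script that redefines it, for example to change the one-day expiry, would no longer load after this change. Removing `&synchronized` is the point of the commit, but `&redef` looks incidental; keeping it preserves the existing interface: `global tracked: table[addr] of SoftwareSet &create_expire=1day &redef;`. In the same hunk the new `version_change` comment should read "whenever its version is found to have changed".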
@@ -125,7 +143,7 @@ function parse(unparsed_version: string): Description local v: Version; # Parse browser-alike versions separately - if ( /^(Mozilla|Opera)\/[0-9]\./ in unparsed_version ) + if ( /^(Mozilla|Opera)\/[0-9]+\./ in unparsed_version ) { return parse_mozilla(unparsed_version); } @@ -133,11 +151,17 @@ function parse(unparsed_version: string): Description { # The regular expression should match the complete version number # and software name. - local version_parts = split_string_n(unparsed_version, /\/?( [\(])?v?[0-9\-\._, ]{2,}/, T, 1); + local clean_unparsed_version = gsub(unparsed_version, /\\x/, "%"); + clean_unparsed_version = unescape_URI(clean_unparsed_version); + local version_parts = split_string_n(clean_unparsed_version, /([\/\-_]|( [\(v]+))?[0-9\-\._, ]{2,}/, T, 1); if ( 0 in version_parts ) { + # Remove any bits of junk at end of first part. + if ( /([\/\-_]|( [\(v]+))$/ in version_parts[0] ) + version_parts[0] = strip(sub(version_parts[0], /([\/\-_]|( [\(v]+))/, "")); + if ( /^\(/ in version_parts[0] ) - software_name = strip(sub(version_parts[0], /[\(]/, "")); + software_name = strip(sub(version_parts[0], /\(/, "")); else software_name = strip(version_parts[0]); } @@ -192,7 +216,7 @@ function parse(unparsed_version: string): Description } } - return [$version=v, $unparsed_version=unparsed_version, $name=software_name]; + return [$version=v, $unparsed_version=unparsed_version, $name=alternate_names[software_name]]; } @@ -227,6 +251,13 @@ function parse_mozilla(unparsed_version: string): Description v = parse(parts[1])$version; } } + else if ( /Edge\// in unparsed_version ) + { + software_name="Edge"; + parts = split_string_all(unparsed_version, /Edge\/[0-9\.]*/); + if ( 1 in parts ) + v = parse(parts[1])$version; + } else if ( /Version\/.*Safari\// in unparsed_version ) { software_name = "Safari"; 
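Review bot: In the "Remove any bits of junk at end of first part" step of `parse()`, the test pattern is anchored with `$` but the pattern handed to `sub()` is not, and `sub()` replaces the first occurrence. A name that contains `/`, `-` or `_` before the trailing junk therefore loses the earlier character and keeps the junk. Anchoring the substitution the same way fixes it: `version_parts[0] = strip(sub(version_parts[0], /([\/\-_]|( [\(v]+))$/, ""));`. The input here is a string taken from network traffic, so odd separators in the name should be expected rather than treated as a corner case. `parse()` starts and ends outside this hunk.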
@@ -280,6 +311,14 @@ function parse_mozilla(unparsed_version: string): Description v = parse(parts[1])$version; } } + else if ( /Flash%20Player/ in unparsed_version ) + { + software_name = "Flash"; + parts = split_string_all(unparsed_version, /[\/ ]/); + if ( 2 in parts ) + v = parse(parts[2])$version; + } + else if ( /AdobeAIR\/[0-9\.]*/ in unparsed_version ) { software_name = "AdobeAIR"; 
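Review bot: In the new `Flash%20Player` branch, `split_string_all(unparsed_version, /[\/ ]/)` splits the whole string, so `parts[2]` is the token after the first slash or space of the input rather than the token after `Flash%20Player`. If this function is only reached through the `^(Mozilla|Opera)/` test in `parse()`, that token would be the Mozilla or Opera version, and the logged Flash version would be wrong. Splitting on the product token, as the neighbouring branches do, avoids that; assuming the version follows a slash, `parts = split_string_all(unparsed_version, /Flash%20Player\/[0-9\.]*/);` with `if ( 1 in parts ) v = parse(parts[1])$version;`. The stray blank line before the following `else if` can go as well; `parse_mozilla` continues outside the hunk.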
@@ -406,63 +445,70 @@ function software_fmt(i: Info): string return fmt("%s %s", i$name, software_fmt_version(i$version)); } -# Insert a mapping into the table -# Overides old entries for the same software and generates events if needed. -event register(id: conn_id, info: Info) +event Software::register(info: Info) { - # Host already known? - if ( info$host !in tracked ) - tracked[info$host] = table(); + local ts: SoftwareSet; + + if ( info$host in tracked ) + ts = tracked[info$host]; + else + ts = tracked[info$host] = SoftwareSet(); - local ts = tracked[info$host]; # Software already registered for this host? We don't want to endlessly # log the same thing. if ( info$name in ts ) { local old = ts[info$name]; - - # If the version hasn't changed, then we're just redetecting the - # same thing, then we don't care. This results in no extra logging. - # But if the $force_log value is set then we'll continue. - if ( ! info$force_log && cmp_versions(old$version, info$version) == 0 ) + local changed = cmp_versions(old$version, info$version) != 0; + + if ( changed ) + event Software::version_change(old, info); + else if ( ! info$force_log ) + # If the version hasn't changed, then we're just redetecting the + # same thing, then we don't care. return; } + ts[info$name] = info; - Log::write(Software::LOG, info); } function found(id: conn_id, info: Info): bool { - if ( info$force_log || addr_matches_host(info$host, asset_tracking) ) - { - if ( !info?$ts ) - info$ts=network_time(); - - if ( info?$version ) # we have a version number and don't have to parse. check if the name is also set... - { - if ( ! info?$name ) - { - Reporter::error("Required field name not present in Software::found"); - return F; - } - } - else # no version present, we have to parse... 
- { - if ( !info?$unparsed_version ) - { - Reporter::error("No unparsed version string present in Info record with version in Software::found"); - return F; - } - local sw = parse(info$unparsed_version); - info$unparsed_version = sw$unparsed_version; - info$name = sw$name; - info$version = sw$version; - } - - event register(id, info); - return T; - } - else + if ( ! info$force_log && ! addr_matches_host(info$host, asset_tracking) ) return F; + + if ( ! info?$ts ) + info$ts = network_time(); + + if ( info?$version ) + { + if ( ! info?$name ) + { + Reporter::error("Required field name not present in Software::found"); + return F; + } + } + else if ( ! info?$unparsed_version ) + { + Reporter::error("No unparsed version string present in Info record with version in Software::found"); + return F; + } + + if ( ! info?$version ) + { + local sw = parse(info$unparsed_version); + info$unparsed_version = sw$unparsed_version; + info$name = sw$name; + info$version = sw$version; + } + + @if ( Cluster::is_enabled() ) + Cluster::publish_hrw(Cluster::proxy_pool, info$host, Software::register, + info); + @else + event Software::register(info); + @endif + + return T; } diff --git a/scripts/base/frameworks/sumstats/cluster.bro b/scripts/base/frameworks/sumstats/cluster.bro index c1e0cb0257..f92b4112ff 100644 --- a/scripts/base/frameworks/sumstats/cluster.bro +++ b/scripts/base/frameworks/sumstats/cluster.bro 
@@ -55,18 +55,20 @@ export { global cluster_threshold_crossed: event(ss_name: string, key: SumStats::Key, thold_index: count); } -# Add events to the cluster framework to make this work. -redef Cluster::manager2worker_events += /SumStats::cluster_(ss_request|get_result|threshold_crossed)/; -redef Cluster::manager2worker_events += /SumStats::(get_a_key)/; -redef Cluster::worker2manager_events += /SumStats::cluster_(send_result|key_intermediate_response)/; -redef Cluster::worker2manager_events += /SumStats::(send_a_key|send_no_key)/; - # This variable is maintained to know what keys have recently sent or received # intermediate updates so they don't overwhelm the manager. global recent_global_view_keys: set[string, Key] &create_expire=1min; @if ( Cluster::local_node_type() != Cluster::MANAGER ) +event bro_init() &priority=100 + { + Broker::auto_publish(Cluster::manager_topic, SumStats::cluster_send_result); + Broker::auto_publish(Cluster::manager_topic, SumStats::cluster_key_intermediate_response); + Broker::auto_publish(Cluster::manager_topic, SumStats::send_a_key); + Broker::auto_publish(Cluster::manager_topic, SumStats::send_no_key); + } + # Result tables indexed on a uid that are currently being sent to the # manager. global sending_results: table[string] of ResultTable = table() &read_expire=1min; @@ -207,6 +209,14 @@ function request_key(ss_name: string, key: Key): Result @if ( Cluster::local_node_type() == Cluster::MANAGER ) +event bro_init() &priority=100 + { + Broker::auto_publish(Cluster::worker_topic, SumStats::cluster_ss_request); + Broker::auto_publish(Cluster::worker_topic, SumStats::cluster_get_result); + Broker::auto_publish(Cluster::worker_topic, SumStats::cluster_threshold_crossed); + Broker::auto_publish(Cluster::worker_topic, SumStats::get_a_key); + } + # This variable is maintained by manager nodes as they collect and aggregate # results. # Index on a uid. 
diff --git a/scripts/base/frameworks/sumstats/main.bro b/scripts/base/frameworks/sumstats/main.bro index edd80ede0f..69a853fd5a 100644 --- a/scripts/base/frameworks/sumstats/main.bro +++ b/scripts/base/frameworks/sumstats/main.bro @@ -267,7 +267,7 @@ function add_observe_plugin_dependency(calc: Calculation, depends_on: Calculatio { if ( calc !in calc_deps ) calc_deps[calc] = vector(); - calc_deps[calc][|calc_deps[calc]|] = depends_on; + calc_deps[calc] += depends_on; } event bro_init() &priority=100000 @@ -348,7 +348,7 @@ function add_calc_deps(calcs: vector of Calculation, c: Calculation) { if ( calc_deps[c][i] in calc_deps ) add_calc_deps(calcs, calc_deps[c][i]); - calcs[|c|] = calc_deps[c][i]; + calcs += calc_deps[c][i]; #print fmt("add dep for %s [%s] ", c, calc_deps[c][i]); } } @@ -387,7 +387,7 @@ function create(ss: SumStat) skip_calc=T; } if ( ! skip_calc ) - reducer$calc_funcs[|reducer$calc_funcs|] = calc; + reducer$calc_funcs += calc; } if ( reducer$stream !in reducer_store ) @@ -399,7 +399,7 @@ function create(ss: SumStat) schedule ss$epoch { SumStats::finish_epoch(ss) }; } -function observe(id: string, key: Key, obs: Observation) +function observe(id: string, orig_key: Key, obs: Observation) { if ( id !in reducer_store ) return; @@ -407,8 +407,7 @@ function observe(id: string, key: Key, obs: Observation) # Try to add the data to all of the defined reducers. for ( r in reducer_store[id] ) { - if ( r?$normalize_key ) - key = r$normalize_key(copy(key)); + local key = r?$normalize_key ? r$normalize_key(copy(orig_key)) : orig_key; # If this reducer has a predicate, run the predicate # and skip this key if the predicate return false. diff --git a/scripts/base/frameworks/sumstats/non-cluster.bro b/scripts/base/frameworks/sumstats/non-cluster.bro index 9fdd012404..100e8dad4a 100644 --- a/scripts/base/frameworks/sumstats/non-cluster.bro +++ b/scripts/base/frameworks/sumstats/non-cluster.bro 
@@ -6,28 +6,25 @@ event SumStats::process_epoch_result(ss: SumStat, now: time, data: ResultTable) { # TODO: is this the right processing group size? local i = 50; + local keys_to_delete: vector of SumStats::Key = vector(); + for ( key in data ) { ss$epoch_result(now, key, data[key]); - delete data[key]; + keys_to_delete += key; - if ( |data| == 0 ) - { - if ( ss?$epoch_finished ) - ss$epoch_finished(now); - - # Now that no data is left we can finish. - return; - } - - i = i-1; - if ( i == 0 ) - { - # TODO: is this the right interval? - schedule 0.01 secs { process_epoch_result(ss, now, data) }; + if ( --i == 0 ) break; - } } + + for ( idx in keys_to_delete ) + delete data[keys_to_delete[idx]]; + + if ( |data| > 0 ) + # TODO: is this the right interval? + schedule 0.01 secs { SumStats::process_epoch_result(ss, now, data) }; + else if ( ss?$epoch_finished ) + ss$epoch_finished(now); } event SumStats::finish_epoch(ss: SumStat) @@ -46,9 +43,9 @@ event SumStats::finish_epoch(ss: SumStat) if ( ss?$epoch_finished ) ss$epoch_finished(now); } - else + else if ( |data| > 0 ) { - event SumStats::process_epoch_result(ss, now, data); + event SumStats::process_epoch_result(ss, now, copy(data)); } } @@ -89,4 +86,4 @@ function request_key(ss_name: string, key: Key): Result else return table(); } - } \ No newline at end of file + } diff --git a/scripts/base/frameworks/sumstats/plugins/sample.bro b/scripts/base/frameworks/sumstats/plugins/sample.bro index 0200e85949..2f96c5eb30 100644 --- a/scripts/base/frameworks/sumstats/plugins/sample.bro +++ b/scripts/base/frameworks/sumstats/plugins/sample.bro @@ -43,7 +43,7 @@ function sample_add_sample(obs:Observation, rv: ResultVal) ++rv$sample_elements; if ( |rv$samples| < rv$num_samples ) - rv$samples[|rv$samples|] = obs; + rv$samples += obs; else { local ra = rand(rv$sample_elements); diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro index ffee527bb7..8febc9dae3 100644 --- a/scripts/base/init-bare.bro 
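Review bot: In `finish_epoch` the new `else if ( |data| > 0 )` arm does nothing when `data` is empty, and `process_epoch_result` is the only other visible place that calls `ss$epoch_finished`, so an epoch without observations ends without that callback. If that is intended, a comment on the arm should say so, for example `# Empty epochs are skipped; epoch_finished fires only after results were delivered.`. A second comment explaining why `copy(data)` is needed would help too, since the copy covers the whole result table on every epoch. The `if` this arm belongs to starts outside the hunk.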
+++ b/scripts/base/init-bare.bro @@ -1,4 +1,4 @@ -@load base/bif/const.bif.bro +@load base/bif/const.bif @load base/bif/types.bif # Type declarations @@ -442,10 +442,13 @@ type fa_file: record { ## Metadata that's been inferred about a particular file. type fa_metadata: record { - ## The strongest matching mime type if one was discovered. + ## The strongest matching MIME type if one was discovered. mime_type: string &optional; - ## All matching mime types if any were discovered. + ## All matching MIME types if any were discovered. mime_types: mime_matches &optional; + ## Specifies whether the MIME type was inferred using signatures, + ## or provided directly by the protocol the file appeared in. + inferred: bool &default=T; }; ## Fields of a SYN packet. @@ -528,7 +531,7 @@ type EventStats: record { dispatched: count; ##< Total number of events dispatched so far. }; -## Summary statistics of all regular expression matchers. +## Holds statistics for all types of reassembly. ## ## .. bro:see:: get_reassembler_stats type ReassemblerStats: record { @@ -600,6 +603,29 @@ type ThreadStats: record { num_threads: count; }; +## Statistics about Broker communication. +## +## .. bro:see:: get_broker_stats +type BrokerStats: record { + num_peers: count; + ## Number of active data stores. + num_stores: count; + ## Number of pending data store queries. + num_pending_queries: count; + ## Number of total log messages received. + num_events_incoming: count; + ## Number of total log messages sent. + num_events_outgoing: count; + ## Number of total log records received. + num_logs_incoming: count; + ## Number of total log records sent. + num_logs_outgoing: count; + ## Number of total identifiers received. + num_ids_incoming: count; + ## Number of total identifiers sent. + num_ids_outgoing: count; +}; + ## Deprecated. ## ## .. todo:: Remove. It's still declared internally but doesn't seem used anywhere 
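Review bot: The field comments in the new `BrokerStats` record do not match the fields: `num_events_incoming` and `num_events_outgoing` are both described as counts of "log messages", which is what the `num_logs_*` fields two lines further down count, and `num_peers` has no comment at all. I would use `## Number of total events received.` and `## Number of total events sent.` for the event counters and add `## Number of active peers.` above `num_peers`. Anyone building monitoring on these statistics will take the descriptions at face value.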
@@ -628,6 +654,7 @@ type script_id: record { exported: bool; ##< True if the identifier is exported. constant: bool; ##< True if the identifier is a constant. enum_constant: bool; ##< True if the identifier is an enum value. + option_value: bool; ##< True if the identifier is an option. redefinable: bool; ##< True if the identifier is declared with the :bro:attr:`&redef` attribute. value: any &optional; ##< The current value of the identifier. }; @@ -733,7 +760,7 @@ type IPAddrAnonymizationClass: enum { ## A locally unique ID identifying a communication peer. The ID is returned by ## :bro:id:`connect`. ## -## .. bro:see:: connect Communication +## .. bro:see:: connect type peer_id: count; ## A communication peer. @@ -756,7 +783,7 @@ type event_peer: record { p: port; is_local: bool; ##< True if this record describes the local process. descr: string; ##< The peer's :bro:see:`peer_description`. - class: string &optional; ##< The self-assigned *class* of the peer. See :bro:see:`Communication::Node`. + class: string &optional; ##< The self-assigned *class* of the peer. }; ## Deprecated. @@ -845,6 +872,9 @@ type geo_location: record { longitude: double &optional; ##< Longitude. } &log; +## The directory containing MaxMind DB (.mmdb) files to use for GeoIP support. +const mmdb_dir: string = "" &redef; + ## Computed entropy values. The record captures a number of measures that are ## computed in parallel. See `A Pseudorandom Number Sequence Test Program ## `_ for more information, Bro uses the same @@ -1770,9 +1800,11 @@ type gtp_delete_pdp_ctx_response_elements: record { }; # Prototypes of Bro built-in functions. -@load base/bif/strings.bif @load base/bif/bro.bif +@load base/bif/stats.bif @load base/bif/reporter.bif +@load base/bif/strings.bif +@load base/bif/option.bif ## Deprecated. This is superseded by the new logging framework. global log_file_name: function(tag: string): string &redef; 
@@ -2142,6 +2174,28 @@ export { rep_dur: interval; ## The length in bytes of the reply. rep_len: count; + ## The user id of the reply. + rpc_uid: count; + ## The group id of the reply. + rpc_gid: count; + ## The stamp of the reply. + rpc_stamp: count; + ## The machine name of the reply. + rpc_machine_name: string; + ## The auxiliary ids of the reply. + rpc_auxgids: index_vec; + }; + + ## NFS file attributes. Field names are based on RFC 1813. + ## + ## .. bro:see:: nfs_proc_sattr + type sattr_t: record { + mode: count &optional; ##< Mode + uid: count &optional; ##< User ID. + gid: count &optional; ##< Group ID. + size: count &optional; ##< Size. + atime: time_how_t &optional; ##< Time of last access. + mtime: time_how_t &optional; ##< Time of last modification. }; ## NFS file attributes. Field names are based on RFC 1813. @@ -2164,6 +2218,14 @@ export { ctime: time; ##< Time of creation. }; + ## NFS symlinkdata attributes. Field names are based on RFC 1813 + ## + ## .. bro:see:: nfs_proc_symlink + type symlinkdata_t: record { + symlink_attributes: sattr_t; ##< The initial attributes for the symbolic link + nfspath: string &optional; ##< The string containing the symbolic link data. + }; + ## NFS *readdir* arguments. ## ## .. bro:see:: nfs_proc_readdir 
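Review bot: The comments on the new `rpc_uid`, `rpc_gid`, `rpc_stamp`, `rpc_machine_name` and `rpc_auxgids` fields of `NFS3::info_t` describe them as values "of the reply", but the names match the AUTH_SYS credential, which as far as I know travels in the RPC call and is asserted by the client without verification. Scripts that key detections on these fields should know that. I would word them along the lines of `## User ID from the RPC credential (client-supplied, not authenticated).` and likewise for the other four. The same five fields with the same comments are added to `MOUNT3::info_t` further down, and the new `sattr_t` repeats the one-line summary of `fattr_t` ("NFS file attributes") without saying it holds the settable attributes.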
@@ -2172,6 +2234,40 @@ export { fname: string; ##< The name of the file we are interested in. }; + ## NFS *rename* arguments. + ## + ## .. bro:see:: nfs_proc_rename + type renameopargs_t : record { + src_dirfh : string; + src_fname : string; + dst_dirfh : string; + dst_fname : string; + }; + + ## NFS *symlink* arguments. + ## + ## .. bro:see:: nfs_proc_symlink + type symlinkargs_t: record { + link : diropargs_t; ##< The location of the link to be created. + symlinkdata: symlinkdata_t; ##< The symbolic link to be created. + }; + + ## NFS *link* arguments. + ## + ## .. bro:see:: nfs_proc_link + type linkargs_t: record { + fh : string; ##< The file handle for the existing file system object. + link : diropargs_t; ##< The location of the link to be created. + }; + + ## NFS *sattr* arguments. + ## + ## .. bro:see:: nfs_proc_sattr + type sattrargs_t: record { + fh : string; ##< The file handle for the existing file system object. + new_attributes: sattr_t; ##< The new attributes for the file. + }; + ## NFS lookup reply. If the lookup failed, *dir_attr* may be set. If the ## lookup succeeded, *fh* is always set and *obj_attr* and *dir_attr* ## may be set. 
@@ -2230,6 +2326,23 @@ export { mtime: time; ##< Modification time. }; + ## NFS *link* reply. + ## + ## .. bro:see:: nfs_proc_link + type link_reply_t: record { + post_attr: fattr_t &optional; ##< Optional post-operation attributes of the file system object identified by file + preattr: wcc_attr_t &optional; ##< Optional attributes associated w/ file. + postattr: fattr_t &optional; ##< Optional attributes associated w/ file. + }; + + ## NFS *sattr* reply. If the request fails, *pre|post* attr may be set. + ## If the request succeeds, *pre|post* attr are set. + ## + type sattr_reply_t: record { + dir_pre_attr: wcc_attr_t &optional; ##< Optional attributes associated w/ dir. + dir_post_attr: fattr_t &optional; ##< Optional attributes associated w/ dir. + }; + ## NFS *write* reply. If the request fails, *pre|post* attr may be set. ## If the request succeeds, *pre|post* attr may be set and all other ## fields are set. @@ -2264,6 +2377,16 @@ export { dir_post_attr: fattr_t &optional; ##< Optional attributes associated w/ dir. }; + ## NFS reply for *rename*. Corresponds to *wcc_data* in the spec. + ## + ## .. bro:see:: nfs_proc_rename + type renameobj_reply_t: record { + src_dir_pre_attr: wcc_attr_t; + src_dir_post_attr: fattr_t; + dst_dir_pre_attr: wcc_attr_t; + dst_dir_post_attr: fattr_t; + }; + ## NFS *readdir* arguments. Used for both *readdir* and *readdirplus*. ## ## .. bro:see:: nfs_proc_readdir 
@@ -2317,6 +2440,71 @@ export { }; } # end export + +module MOUNT3; +export { + + ## Record summarizing the general results and status of MOUNT3 + ## request/reply pairs. + ## + ## Note that when *rpc_stat* or *mount_stat* indicates not successful, + ## the reply record passed to the corresponding event will be empty and + ## contain uninitialized fields, so don't use it. Also note that time + # and duration values might not be fully accurate. For TCP, we record + # times when the corresponding chunk of data is delivered to the + # analyzer. Depending on the reassembler, this might be well after the + # first packet of the request was received. + # + # .. bro:see:: mount_proc_mnt mount_proc_dump mount_proc_umnt + # mount_proc_umntall mount_proc_export mount_proc_not_implemented + type info_t: record { + ## The RPC status. + rpc_stat: rpc_status; + ## The MOUNT status. + mnt_stat: status_t; + ## The start time of the request. + req_start: time; + ## The duration of the request. + req_dur: interval; + ## The length in bytes of the request. + req_len: count; + ## The start time of the reply. + rep_start: time; + ## The duration of the reply. + rep_dur: interval; + ## The length in bytes of the reply. + rep_len: count; + ## The user id of the reply. + rpc_uid: count; + ## The group id of the reply. + rpc_gid: count; + ## The stamp of the reply. + rpc_stamp: count; + ## The machine name of the reply. + rpc_machine_name: string; + ## The auxiliary ids of the reply. + rpc_auxgids: index_vec; + }; + + ## MOUNT *mnt* arguments. + ## + ## .. bro:see:: mount_proc_mnt + type dirmntargs_t : record { + dirname: string; ##< Name of directory to mount + }; + + ## MOUNT lookup reply. If the mount failed, *dir_attr* may be set. If the + ## mount succeeded, *fh* is always set. + ## + ## .. 
bro:see:: mount_proc_mnt + type mnt_reply_t: record { + dirfh: string &optional; ##< Dir handle + auth_flavors: vector of auth_flavor_t &optional; ##< Returned authentication flavors + }; + +} # end export + + module Threading; export { @@ -2801,6 +2989,73 @@ export { security_blob : string &optional; }; + type SMB1::Trans2_Args: record { + ## Total parameter count + total_param_count: count; + ## Total data count + total_data_count: count; + ## Max parameter count + max_param_count: count; + ## Max data count + max_data_count: count; + ## Max setup count + max_setup_count: count; + ## Flags + flags: count; + ## Timeout + trans_timeout: count; + ## Parameter count + param_count: count; + ## Parameter offset + param_offset: count; + ## Data count + data_count: count; + ## Data offset + data_offset: count; + ## Setup count + setup_count: count; + }; + + type SMB1::Trans_Sec_Args: record { + ## Total parameter count + total_param_count: count; + ## Total data count + total_data_count: count; + ## Parameter count + param_count: count; + ## Parameter offset + param_offset: count; + ## Parameter displacement + param_displacement: count; + ## Data count + data_count: count; + ## Data offset + data_offset: count; + ## Data displacement + data_displacement: count; + }; + + type SMB1::Trans2_Sec_Args: record { + ## Total parameter count + total_param_count: count; + ## Total data count + total_data_count: count; + ## Parameter count + param_count: count; + ## Parameter offset + param_offset: count; + ## Parameter displacement + param_displacement: count; + ## Data count + data_count: count; + ## Data offset + data_offset: count; + ## Data displacement + data_displacement: count; + ## File ID + FID: count; + }; + type SMB1::Find_First2_Request_Args: record { ## File attributes to apply as a constraint to the search search_attrs : count; 
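Review bot: In the doc block above `MOUNT3::info_t` the comment marker changes from `##` to `#` halfway through ("# and duration values might not be fully accurate..."), so the rest of the paragraph and the `bro:see::` list would presumably be left out of the generated documentation. The text also refers to *mount_stat* while the field is `mnt_stat`, and the `mnt_reply_t` comment mentions *dir_attr* and *fh* although the record only has `dirfh` and `auth_flavors`. Using `##` throughout, naming `mnt_stat`, and rewording the reply comment to `## MOUNT reply. If the mount succeeded, *dirfh* is set.` would bring the comments in line with the declarations.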
@@ -3021,28 +3276,188 @@ export { ## The type of share being accessed. Physical disk, named pipe, or printer. share_type: count; }; + + ## The request sent by the client to request either creation of or access to a file. + ## + ## For more information, see MS-SMB2:2.2.13 + ## + ## .. bro:see:: smb2_create_request + type SMB2::CreateRequest: record { + ## Name of the file + filename : string; + ## Defines the action the server MUST take if the file that is specified already exists. + disposition : count; + ## Specifies the options to be applied when creating or opening the file. + create_options : count; + }; + + ## The response to an SMB2 *create_request* request, which is sent by the client to request + ## either creation of or access to a file. + ## + ## For more information, see MS-SMB2:2.2.14 + ## + ## .. bro:see:: smb2_create_response + type SMB2::CreateResponse: record { + ## The SMB2 GUID for the file. + file_id : SMB2::GUID; + ## Size of the file. + size : count; + ## Timestamps associated with the file in question. + times : SMB::MACTimes; + ## File attributes. + attrs : SMB2::FileAttrs; + ## The action taken in establishing the open. + create_action : count; + }; } module GLOBAL; -## A list of router addresses offered by a DHCP server. -## -## .. bro:see:: dhcp_ack dhcp_offer -type dhcp_router_list: table[count] of addr; +module DHCP; -## A DHCP message. -## -## .. bro:see:: dhcp_ack dhcp_decline dhcp_discover dhcp_inform dhcp_nak -## dhcp_offer dhcp_release dhcp_request -type dhcp_msg: record { - op: count; ##< Message OP code. 1 = BOOTREQUEST, 2 = BOOTREPLY - m_type: count; ##< The type of DHCP message. - xid: count; ##< Transaction ID of a DHCP session. - h_addr: string; ##< Hardware address of the client. - ciaddr: addr; ##< Original IP address of the client. - yiaddr: addr; ##< IP address assigned to the client. -}; +export { + ## A list of addresses offered by a DHCP server. Could be routers, + ## DNS servers, or other. + ## + ## .. 
bro:see:: dhcp_message + type DHCP::Addrs: vector of addr; + ## A DHCP message. + ## .. bro:see:: dhcp_message + type DHCP::Msg: record { + op: count; ##< Message OP code. 1 = BOOTREQUEST, 2 = BOOTREPLY + m_type: count; ##< The type of DHCP message. + xid: count; ##< Transaction ID of a DHCP session. + ## Number of seconds since client began address acquisition + ## or renewal process + secs: interval; + flags: count; + ciaddr: addr; ##< Original IP address of the client. + yiaddr: addr; ##< IP address assigned to the client. + siaddr: addr; ##< IP address of the server. + giaddr: addr; ##< IP address of the relaying gateway. + chaddr: string; ##< Client hardware address. + sname: string &default=""; ##< Server host name. + file_n: string &default=""; ##< Boot file name. + }; + + ## DHCP Client Identifier (Option 61) + ## .. bro:see:: dhcp_message + type DHCP::ClientID: record { + hwtype: count; + hwaddr: string; + }; + + ## DHCP Client FQDN Option information (Option 81) + type DHCP::ClientFQDN: record { + ## An unparsed bitfield of flags (refer to RFC 4702). + flags: count; + ## This field is deprecated in the standard. + rcode1: count; + ## This field is deprecated in the standard. + rcode2: count; + ## The Domain Name part of the option carries all or part of the FQDN + ## of a DHCP client. + domain_name: string; + }; + + ## DHCP Relay Agent Information Option (Option 82) + ## .. bro:see:: dhcp_message + type DHCP::SubOpt: record { + code: count; + value: string; + }; + + type DHCP::SubOpts: vector of DHCP::SubOpt; + + type DHCP::Options: record { + ## The ordered list of all DHCP option numbers. 
+ options: index_vec &optional; + + ## Subnet Mask Value (option 1) + subnet_mask: addr &optional; + + ## Router addresses (option 3) + routers: DHCP::Addrs &optional; + + ## DNS Server addresses (option 6) + dns_servers: DHCP::Addrs &optional; + + ## The Hostname of the client (option 12) + host_name: string &optional; + + ## The DNS domain name of the client (option 15) + domain_name: string &optional; + + ## Enable/Disable IP Forwarding (option 19) + forwarding: bool &optional; + + ## Broadcast Address (option 28) + broadcast: addr &optional; + + ## Vendor specific data. This can frequently + ## be unparsed binary data. (option 43) + vendor: string &optional; + + ## NETBIOS name server list (option 44) + nbns: DHCP::Addrs &optional; + + ## Address requested by the client (option 50) + addr_request: addr &optional; + + ## Lease time offered by the server. (option 51) + lease: interval &optional; + + ## Server address to allow clients to distinguish + ## between lease offers. (option 54) + serv_addr: addr &optional; + + ## DHCP Parameter Request list (option 55) + param_list: index_vec &optional; + + ## Textual error message (option 56) + message: string &optional; + + ## Maximum Message Size (option 57) + max_msg_size: count &optional; + + ## This option specifies the time interval from address + ## assignment until the client transitions to the + ## RENEWING state. (option 58) + renewal_time: interval &optional; + + ## This option specifies the time interval from address + ## assignment until the client transitions to the + ## REBINDING state. (option 59) + rebinding_time: interval &optional; + + ## This option is used by DHCP clients to optionally + ## identify the vendor type and configuration of a DHCP + ## client. 
(option 60) + vendor_class: string &optional; + + ## DHCP Client Identifier (Option 61) + client_id: DHCP::ClientID &optional; + + ## User Class opaque value (Option 77) + user_class: string &optional; + + ## DHCP Client FQDN (Option 81) + client_fqdn: DHCP::ClientFQDN &optional; + + ## DHCP Relay Agent Information Option (Option 82) + sub_opt: DHCP::SubOpts &optional; + + ## Auto Config option to let host know if it's allowed to + ## auto assign an IP address. (Option 116) + auto_config: bool &optional; + + ## URL to find a proxy.pac for auto proxy config (Option 252) + auto_proxy_config: string &optional; + }; +} + +module GLOBAL; ## A DNS message. ## ## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl @@ -3835,6 +4250,8 @@ export { module KRB; export { + ## Kerberos keytab file name. Used to decrypt tickets encountered on the wire. + const keytab = "" &redef; ## KDC Options. See :rfc:`4120` type KRB::KDC_Options: record { ## The ticket to be issued should have its forwardable flag set. @@ -3955,6 +4372,10 @@ export { service_name : string; ## Cipher the ticket was encrypted with cipher : count; + ## Cipher text of the ticket + ciphertext : string &optional; + ## Authentication info + authenticationinfo: string &optional; }; type KRB::Ticket_Vector: vector of KRB::Ticket; @@ -4394,6 +4815,17 @@ export { const max_frag_data = 30000 &redef; } +module NCP; +export { + ## The maximum number of bytes to allocate when parsing NCP frames. + const max_frame_size = 65536 &redef; +} + +module Cluster; +export { + type Cluster::Pool: record {}; +} + module GLOBAL; ## Seed for hashes computed internally for probabilistic data structures. Using 
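Review bot: `flags` in `DHCP::Msg` is the only field of that record without a `##<` comment, and `DHCP::Options` and `DHCP::SubOpts` have no type-level doc comment at all. The fields of `DHCP::ClientID` and `DHCP::SubOpt` are also undocumented. Suggested additions: `flags: count; ##< Flags field of the message header.` and, above `DHCP::Options`, `## The options carried by a DHCP message, parsed where known.` followed by `## .. bro:see:: dhcp_message`. Most string fields in `DHCP::Options` appear to be copied from the packet, so it would help to say that on the record, as the `vendor` comment already does for binary data.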
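Review bot: The comment on `keytab` does not say that the file holds long-term service keys, which is the first thing an operator needs to know before pointing Bro at one. Suggested wording: keep `## Kerberos keytab file name. Used to decrypt tickets encountered on the wire.` and add `## The keytab contains long-term keys: restrict it to the account Bro runs as.` It would also help to state that the empty default leaves ticket decryption off, if that is how the analyzer treats it.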
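Review bot: `ciphertext` and `authenticationinfo` expose raw ticket material to scripts, but their one-line comments do not say when they are set or what `authenticationinfo` contains. Neither field carries `&log` here, which is the safe default. The comment should state that intent so a later change does not start writing encrypted ticket blobs to logs, e.g. `## Cipher text of the ticket. Not logged; avoid copying into log records.` Whether `authenticationinfo` is populated only after a successful keytab decryption cannot be told from this hunk and should be documented. The `KRB::Ticket` record starts outside the hunk.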
@@ -4406,16 +4838,9 @@ const global_hash_seed: string = "" &redef; ## The maximum is currently 128 bits. const bits_per_uid: count = 96 &redef; -# Load these frameworks here because they use fairly deep integration with -# BiFs and script-land defined types. -@load base/frameworks/broker -@load base/frameworks/logging -@load base/frameworks/input -@load base/frameworks/analyzer -@load base/frameworks/files - -@load base/bif - -# Load BiFs defined by plugins. -@load base/bif/plugins - +## Whether usage of the old communication system is considered an error or +## not. The default Bro configuration no longer works with the non-Broker +## communication system unless you have manually taken action to initialize +## and set up the old comm. system. Deprecation warnings are still emitted +## when setting this flag, but they will not result in a fatal error. +const old_comm_usage_is_ok: bool = F &redef; diff --git a/scripts/base/init-default.bro b/scripts/base/init-default.bro index 65b41305c7..463f5c2942 100644 --- a/scripts/base/init-default.bro +++ b/scripts/base/init-default.bro @@ -14,6 +14,7 @@ @load base/utils/exec @load base/utils/files @load base/utils/geoip-distance +@load base/utils/hash_hrw @load base/utils/numbers @load base/utils/paths @load base/utils/patterns @@ -32,10 +33,10 @@ @load base/frameworks/signatures @load base/frameworks/packet-filter @load base/frameworks/software -@load base/frameworks/communication @load base/frameworks/control @load base/frameworks/cluster @load base/frameworks/intel +@load base/frameworks/config @load base/frameworks/reporter @load base/frameworks/sumstats @load base/frameworks/tunnels @@ -61,8 +62,6 @@ @load base/protocols/rfb @load base/protocols/sip @load base/protocols/snmp -# This DOES NOT enable the SMB analyzer. It's just some base support -# for other protocols. @load base/protocols/smb @load base/protocols/smtp @load base/protocols/socks 
diff --git a/scripts/base/init-frameworks-and-bifs.bro b/scripts/base/init-frameworks-and-bifs.bro new file mode 100644 index 0000000000..f772e2d223 --- /dev/null +++ b/scripts/base/init-frameworks-and-bifs.bro @@ -0,0 +1,15 @@ +# Load these frameworks here because they use fairly deep integration with +# BiFs and script-land defined types. They are also more likely to +# make use of calling BIFs for variable initializations, and that +# can't be done until init-bare.bro has been loaded completely (hence +# the separate file). +@load base/frameworks/logging +@load base/frameworks/broker +@load base/frameworks/input +@load base/frameworks/analyzer +@load base/frameworks/files + +@load base/bif + +# Load BiFs defined by plugins. +@load base/bif/plugins diff --git a/scripts/base/misc/version.bro b/scripts/base/misc/version.bro index 259b7b1127..1dce1310df 100644 --- a/scripts/base/misc/version.bro +++ b/scripts/base/misc/version.bro @@ -86,5 +86,5 @@ export { function at_least(version_string: string): bool { - return Version::parse(version_string)$version_number >= Version::number; + return Version::number >= Version::parse(version_string)$version_number; } diff --git a/scripts/base/protocols/conn/main.bro b/scripts/base/protocols/conn/main.bro index f0dab79d90..e96b27873c 100644 --- a/scripts/base/protocols/conn/main.bro +++ b/scripts/base/protocols/conn/main.bro @@ -86,8 +86,9 @@ export { ## d packet with payload ("data") ## f packet with FIN bit set ## r packet with RST bit set - ## c packet with a bad checksum + ## c packet with a bad checksum (applies to UDP too) ## t packet with retransmitted payload + ## w packet with a zero window advertisement ## i inconsistent packet (e.g. FIN+RST bits set) ## q multi-flag packet (SYN+FIN or SYN+RST bits set) ## ^ connection direction was flipped by Bro's heuristic 
@@ -95,9 +96,15 @@ export { ## ## If the event comes from the originator, the letter is in ## upper-case; if it comes from the responder, it's in - ## lower-case. Multiple packets of the same type will only be - ## noted once (e.g. we only record one "d" in each direction, - ## regardless of how many data packets were seen.) + ## lower-case. The 'a', 'd', 'i' and 'q' flags are + ## recorded a maximum of one time in either direction regardless + ## of how many are actually seen. 'f', 'h', 'r' and + ## 's' can be recorded multiple times for either direction + ## if the associated sequence number differs from the + ## last-seen packet of the same flag type. + ## 'c', 't' and 'w' are recorded in a logarithmic fashion: + ## the second instance represents that the event was seen + ## (at least) 10 times; the third instance, 100 times; etc. history: string &log &optional; ## Number of packets that the originator sent. ## Only set if :bro:id:`use_conn_size_analyzer` = T. @@ -116,7 +123,7 @@ export { ## If this connection was over a tunnel, indicate the ## *uid* values for any encapsulating parent connections ## used over the lifetime of this inner connection. - tunnel_parents: set[string] &log; + tunnel_parents: set[string] &log &optional; }; ## Event that can be handled to access the :bro:type:`Conn::Info` @@ -207,7 +214,11 @@ function set_conn(c: connection, eoc: bool) c$conn$uid=c$uid; c$conn$id=c$id; if ( c?$tunnel && |c$tunnel| > 0 ) + { + if ( ! c$conn?$tunnel_parents ) + c$conn$tunnel_parents = set(); add c$conn$tunnel_parents[c$tunnel[|c$tunnel|-1]$uid]; + } c$conn$proto=get_port_transport_proto(c$id$resp_p); if( |Site::local_nets| > 0 ) { @@ -253,7 +264,11 @@ event tunnel_changed(c: connection, e: EncapsulatingConnVector) &priority=5 { set_conn(c, F); if ( |e| > 0 ) + { + if ( ! c$conn?$tunnel_parents ) + c$conn$tunnel_parents = set(); add c$conn$tunnel_parents[e[|e|-1]$uid]; + } c$tunnel = e; } 
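Review bot: Making `tunnel_parents` `&optional` (hunk -116,7) means every reader must now test `c$conn?$tunnel_parents` before use. The two writers in the `set_conn` and `tunnel_changed` hunks were updated, but readers elsewhere are not visible in this diff, and an unguarded access would be a runtime error on connections that were never tunneled. The field comment should carry that contract, e.g. append `## Unset if the connection was never tunneled.` The guard `if ( ! c$conn?$tunnel_parents ) c$conn$tunnel_parents = set();` is duplicated in both writers, whose bodies continue outside their hunks; a shared helper would keep the two sites from drifting.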
diff --git a/scripts/base/protocols/dce-rpc/consts.bro b/scripts/base/protocols/dce-rpc/consts.bro index d9e0993b03..80f7ea4e5e 100644 --- a/scripts/base/protocols/dce-rpc/consts.bro +++ b/scripts/base/protocols/dce-rpc/consts.bro @@ -149,10 +149,6 @@ export { # IActivation ["4d9f4ab8-7d1c-11cf-861e-0020af6e7c57",0] = "RemoteActivation", - # IRemoteSCMActivator - ["000001a0-0000-0000-c000-000000000046",3] = "RemoteGetClassObject", - ["000001a0-0000-0000-c000-000000000046",4] = "RemoteCreateInstance", - # nspi ["f5cc5a18-4264-101a-8c59-08002b2f8426",0] = "NspiBind", ["f5cc5a18-4264-101a-8c59-08002b2f8426",1] = "NspiUnbind", @@ -222,8 +218,8 @@ export { ["000001a0-0000-0000-c000-000000000046",0] = "QueryInterfaceIRemoteSCMActivator", ["000001a0-0000-0000-c000-000000000046",1] = "AddRefIRemoteISCMActivator", ["000001a0-0000-0000-c000-000000000046",2] = "ReleaseIRemoteISCMActivator", - #["000001a0-0000-0000-c000-000000000046",3] = "RemoteGetClassObject", - #["000001a0-0000-0000-c000-000000000046",4] = "RemoteCreateInstance", + ["000001a0-0000-0000-c000-000000000046",3] = "RemoteGetClassObject", + ["000001a0-0000-0000-c000-000000000046",4] = "RemoteCreateInstance", # netlogon ["12345678-1234-abcd-ef00-01234567cffb",0] = "NetrLogonUasLogon", diff --git a/scripts/base/protocols/dhcp/consts.bro b/scripts/base/protocols/dhcp/consts.bro index 5afdfc9415..0bf16ded96 100644 --- a/scripts/base/protocols/dhcp/consts.bro +++ b/scripts/base/protocols/dhcp/consts.bro 
@@ -4,17 +4,186 @@ module DHCP; export { - - ## Types of DHCP messages. See :rfc:`1533`. + ## Types of DHCP messages. See :rfc:`1533`, :rfc:`3203`, + ## :rfc:`4388`, :rfc:`6926`, and :rfc:`7724`. const message_types = { - [1] = "DHCP_DISCOVER", - [2] = "DHCP_OFFER", - [3] = "DHCP_REQUEST", - [4] = "DHCP_DECLINE", - [5] = "DHCP_ACK", - [6] = "DHCP_NAK", - [7] = "DHCP_RELEASE", - [8] = "DHCP_INFORM", + [1] = "DISCOVER", + [2] = "OFFER", + [3] = "REQUEST", + [4] = "DECLINE", + [5] = "ACK", + [6] = "NAK", + [7] = "RELEASE", + [8] = "INFORM", + [9] = "FORCERENEW", # RFC3203 + [10] = "LEASEQUERY", # RFC4388 + [11] = "LEASEUNASSIGNED", # RFC4388 + [12] = "LEASEUNKNOWN", # RFC4388 + [13] = "LEASEACTIVE", # RFC4388 + [14] = "BULKLEASEQUERY", # RFC6926 + [15] = "LEASEQUERYDONE", # RFC6926 + [16] = "ACTIVELEASEQUERY", # RFC7724 + [17] = "LEASEQUERYSTATUS", # RFC7724 + [18] = "TLS", # RFC7724 } &default = function(n: count): string { return fmt("unknown-message-type-%d", n); }; + ## Option types mapped to their names. 
+ const option_types: table[int] of string = { + [0] = "Pad", + [1] = "Subnet Mask", + [2] = "Time Offset", + [3] = "Router", + [4] = "Time Server", + [5] = "Name Server", + [6] = "Domain Server", + [7] = "Log Server", + [8] = "Quotes Server", + [9] = "LPR Server", + [10] = "Impress Server", + [11] = "RLP Server", + [12] = "Hostname", + [13] = "Boot File Size", + [14] = "Merit Dump File", + [15] = "Domain Name", + [16] = "Swap Server", + [17] = "Root Path", + [18] = "Extension File", + [19] = "Forward On/Off", + [20] = "SrcRte On/Off", + [21] = "Policy Filter", + [22] = "Max DG Assembly", + [23] = "Default IP TTL", + [24] = "MTU Timeout", + [25] = "MTU Plateau", + [26] = "MTU Interface", + [27] = "MTU Subnet", + [28] = "Broadcast Address", + [29] = "Mask Discovery", + [30] = "Mask Supplier", + [31] = "Router Discovery", + [32] = "Router Request", + [33] = "Static Route", + [34] = "Trailers", + [35] = "ARP Timeout", + [36] = "Ethernet", + [37] = "Default TCP TTL", + [38] = "Keepalive Time", + [39] = "Keepalive Data", + [40] = "NIS Domain", + [41] = "NIS Servers", + [42] = "NTP Servers", + [43] = "Vendor Specific", + [44] = "NETBIOS Name Srv", + [45] = "NETBIOS Dist Srv", + [46] = "NETBIOS Node Type", + [47] = "NETBIOS Scope", + [48] = "X Window Font", + [49] = "X Window Manager", + [50] = "Address Request", + [51] = "Address Time", + [52] = "Overload", + [53] = "DHCP Msg Type", + [54] = "DHCP Server Id", + [55] = "Parameter List", + [56] = "DHCP Message", + [57] = "DHCP Max Msg Size", + [58] = "Renewal Time", + [59] = "Rebinding Time", + [60] = "Class Id", + [61] = "Client Id", + [62] = "NetWare/IP Domain", + [63] = "NetWare/IP Option", + [64] = "NIS-Domain-Name", + [65] = "NIS-Server-Addr", + [66] = "Server-Name", + [67] = "Bootfile-Name", + [68] = "Home-Agent-Addrs", + [69] = "SMTP-Server", + [70] = "POP3-Server", + [71] = "NNTP-Server", + [72] = "WWW-Server", + [73] = "Finger-Server", + [74] = "IRC-Server", + [75] = "StreetTalk-Server", + [76] = "STDA-Server", + 
[77] = "User-Class", + [78] = "Directory Agent", + [79] = "Service Scope", + [80] = "Rapid Commit", + [81] = "Client FQDN", + [82] = "Relay Agent Information", + [83] = "iSNS", + [85] = "NDS Servers", + [86] = "NDS Tree Name", + [87] = "NDS Context", + [88] = "BCMCS Controller Domain Name list", + [89] = "BCMCS Controller IPv4 address option", + [90] = "Authentication", + [91] = "client-last-transaction-time option", + [92] = "associated-ip option", + [93] = "Client System", + [94] = "Client NDI", + [95] = "LDAP", + [97] = "UUID/GUID", + [98] = "User-Auth", + [99] = "GEOCONF_CIVIC", + [100] = "PCode", + [101] = "TCode", + [112] = "Netinfo Address", + [113] = "Netinfo Tag", + [114] = "URL", + [116] = "Auto-Config", + [117] = "Name Service Search", + [118] = "Subnet Selection Option", + [119] = "Domain Search", + [120] = "SIP Servers DHCP Option", + [121] = "Classless Static Route Option", + [122] = "CCC", + [123] = "GeoConf Option", + [124] = "V-I Vendor Class", + [125] = "V-I Vendor-Specific Information", + [128] = "PXE - undefined (vendor specific)", + [129] = "PXE - undefined (vendor specific)", + [130] = "PXE - undefined (vendor specific)", + [131] = "PXE - undefined (vendor specific)", + [132] = "IEEE 802.1Q VLAN ID", + [133] = "IEEE 802.1D/p Layer 2 Priority", + [134] = "Diffserv Code Point (DSCP) for VoIP signalling and media streams", + [135] = "HTTP Proxy for phone-specific applications", + [136] = "OPTION_PANA_AGENT", + [137] = "OPTION_V4_LOST", + [138] = "OPTION_CAPWAP_AC_V4", + [139] = "OPTION-IPv4_Address-MoS", + [140] = "OPTION-IPv4_FQDN-MoS", + [141] = "SIP UA Configuration Service Domains", + [142] = "OPTION-IPv4_Address-ANDSF", + [144] = "GeoLoc", + [145] = "FORCERENEW_NONCE_CAPABLE", + [146] = "RDNSS Selection", + [150] = "TFTP server address", + [151] = "status-code", + [152] = "base-time", + [153] = "start-time-of-state", + [154] = "query-start-time", + [155] = "query-end-time", + [156] = "dhcp-state", + [157] = "data-source", + [158] = 
"OPTION_V4_PCP_SERVER", + [159] = "OPTION_V4_PORTPARAMS", + [160] = "DHCP Captive-Portal", + [161] = "OPTION_MUD_URL_V4 (TEMPORARY - registered 2016-11-17)", + [175] = "Etherboot (Tentatively Assigned - 2005-06-23)", + [176] = "IP Telephone (Tentatively Assigned - 2005-06-23)", + [177] = "PacketCable and CableHome (replaced by 122)", + [208] = "PXELINUX Magic", + [209] = "Configuration File", + [210] = "Path Prefix", + [211] = "Reboot Time", + [212] = "OPTION_6RD", + [213] = "OPTION_V4_ACCESS_DOMAIN", + [220] = "Subnet Allocation Option", + [221] = "Virtual Subnet Selection (VSS) Option", + [252] = "auto-proxy-config", + [255] = "End", + } &default = function(n: int): string { return fmt("unknown-option-type-%d", n); }; } diff --git a/scripts/base/protocols/dhcp/dpd.sig b/scripts/base/protocols/dhcp/dpd.sig index 010920e2d8..85aa23ea16 100644 --- a/scripts/base/protocols/dhcp/dpd.sig +++ b/scripts/base/protocols/dhcp/dpd.sig @@ -1,5 +1,5 @@ signature dhcp_cookie { ip-proto == udp - payload /^.*\x63\x82\x53\x63/ + payload /^.{236}\x63\x82\x53\x63/ enable "dhcp" -} \ No newline at end of file +} diff --git a/scripts/base/protocols/dhcp/main.bro b/scripts/base/protocols/dhcp/main.bro index bfc3d98117..2f0bb6c933 100644 --- a/scripts/base/protocols/dhcp/main.bro +++ b/scripts/base/protocols/dhcp/main.bro 
@@ -1,12 +1,11 @@ -##! Analyzes DHCP traffic in order to log DHCP leases given to clients. -##! This script ignores large swaths of the protocol, since it is rather -##! noisy on most networks, and focuses on the end-result: assigned leases. -##! -##! If you'd like to track known DHCP devices and to log the hostname -##! supplied by the client, see -##! :doc:`/scripts/policy/protocols/dhcp/known-devices-and-hostnames.bro`. +##! Analyze DHCP traffic and provide a log that is organized around +##! the idea of a DHCP "conversation" defined by messages exchanged within +##! a relatively short period of time using the same transaction ID. +##! The log will have information from clients and servers to give a more +##! complete picture of what happened. -@load ./utils.bro +@load base/frameworks/cluster +@load ./consts module DHCP; 
@@ -17,22 +16,88 @@ export { type Info: record { ## The earliest time at which a DHCP message over the ## associated connection is observed. - ts: time &log; - ## A unique identifier of the connection over which DHCP is - ## occurring. - uid: string &log; - ## The connection's 4-tuple of endpoint addresses/ports. - id: conn_id &log; + ts: time &log; + + ## A series of unique identifiers of the connections over which + ## DHCP is occurring. This behavior with multiple connections is + ## unique to DHCP because of the way it uses broadcast packets + ## on local networks. + uids: set[string] &log; + + ## IP address of the client. If a transaction + ## is only a client sending INFORM messages then + ## there is no lease information exchanged so this + ## is helpful to know who sent the messages. + ## Getting an address in this field does require + ## that the client sources at least one DHCP message + ## using a non-broadcast address. + client_addr: addr &log &optional; + ## IP address of the server involved in actually + ## handing out the lease. There could be other + ## servers replying with OFFER messages which won't + ## be represented here. Getting an address in this + ## field also requires that the server handing out + ## the lease also sources packets from a non-broadcast + ## IP address. + server_addr: addr &log &optional; + + ## Client port number seen at time of server handing out IP (expected + ## as 68/udp). + client_port: port &optional; + ## Server port number seen at time of server handing out IP (expected + ## as 67/udp). + server_port: port &optional; + ## Client's hardware address. - mac: string &log &optional; - ## Client's actual assigned IP address. - assigned_ip: addr &log &optional; + mac: string &log &optional; + + ## Name given by client in Hostname option 12. + host_name: string &log &optional; + ## FQDN given by client in Client FQDN option 81. + client_fqdn: string &log &optional; + ## Domain given by the server in option 15. 
+ domain: string &log &optional; + + ## IP address requested by the client. + requested_addr: addr &log &optional; + ## IP address assigned by the server. + assigned_addr: addr &log &optional; ## IP address lease interval. - lease_time: interval &log &optional; - ## A random number chosen by the client for this transaction. - trans_id: count &log; + lease_time: interval &log &optional; + + ## Message typically accompanied with a DHCP_DECLINE + ## so the client can tell the server why it rejected + ## an address. + client_message: string &log &optional; + ## Message typically accompanied with a DHCP_NAK to let + ## the client know why it rejected the request. + server_message: string &log &optional; + + ## The DHCP message types seen by this DHCP transaction + msg_types: vector of string &log &default=string_vec(); + + ## Duration of the DHCP "session" representing the + ## time from the first message to the last. + duration: interval &log &default=0secs; }; + ## The maximum amount of time that a transation ID will be watched + ## for to try and tie messages together into a single DHCP + ## transaction narrative. + const DHCP::max_txid_watch_time = 30secs &redef; + + ## This event is used internally to distribute data around clusters + ## since DHCP doesn't follow the normal "connection" model used by + ## most protocols. It can also be handled to extend the DHCP log. + ## bro:see::`DHCP::log_info`. + global DHCP::aggregate_msgs: event(ts: time, id: conn_id, uid: string, is_orig: bool, msg: DHCP::Msg, options: DHCP::Options); + + ## This is a global variable that is only to be used in the + ## :bro::see::`DHCP::aggregate_msgs` event. It can be used to avoid + ## looking up the info record for a transaction ID in every event handler + ## for :bro:see::`DHCP::aggregate_msgs`. + global DHCP::log_info: Info; + ## Event that can be handled to access the DHCP ## record as it is sent on to the logging framework. global log_dhcp: event(rec: Info); 
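Review bot: Several comments in the new `Info` record and the declarations after it are out of step with the code. The `client_message` and `server_message` comments still say `DHCP_DECLINE` and `DHCP_NAK`, while this commit renames the `message_types` values to `DECLINE` and `NAK`. The `max_txid_watch_time` comment has the typo "transation". The references to `DHCP::log_info` and `DHCP::aggregate_msgs` are written with doubled colons (`bro:see::`, `:bro::see::`) rather than the single-colon role form used elsewhere in this diff (`:bro:id:`, `:bro:type:`). `client_port` and `server_port` also lack `&log`, unlike the fields around them; if that is deliberate, a comment should say so.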
@@ -43,8 +108,13 @@ redef record connection += { dhcp: Info &optional; }; +redef record Info += { + last_message_ts: time &optional; +}; + # 67/udp is the server's port, 68/udp the client. -const ports = { 67/udp, 68/udp }; +# 4011/udp seems to be some proxyDHCP thing. +const ports = { 67/udp, 68/udp, 4011/udp }; redef likely_server_ports += { 67/udp }; event bro_init() &priority=5 
@@ -53,27 +123,150 @@ event bro_init() &priority=5 Analyzer::register_for_ports(Analyzer::ANALYZER_DHCP, ports); } -event dhcp_ack(c: connection, msg: dhcp_msg, mask: addr, router: dhcp_router_list, lease: interval, serv_addr: addr, host_name: string) &priority=5 +@if ( Cluster::is_enabled() ) +event bro_init() { - local info: Info; - info$ts = network_time(); - info$id = c$id; - info$uid = c$uid; - info$lease_time = lease; - info$trans_id = msg$xid; + Broker::auto_publish(Cluster::manager_topic, DHCP::aggregate_msgs); + } +@endif - if ( msg$h_addr != "" ) - info$mac = msg$h_addr; +function join_data_expiration(t: table[count] of Info, idx: count): interval + { + local info = t[idx]; - if ( reverse_ip(msg$yiaddr) != 0.0.0.0 ) - info$assigned_ip = reverse_ip(msg$yiaddr); + local now = network_time(); + # If a message hasn't been seen in the past 5 seconds or the + # total time watching has been more than the maximum time + # allowed by the configuration then log this data and expire it. + # Also, if Bro is shutting down. + if ( (now - info$last_message_ts) > 5sec || + (now - info$ts) > max_txid_watch_time || + bro_is_terminating() ) + { + Log::write(LOG, info); + + # Go ahead and expire the data now that the log + # entry has been written. + return 0secs; + } else - info$assigned_ip = c$id$orig_h; - - c$dhcp = info; + { + return 5secs; + } } -event dhcp_ack(c: connection, msg: dhcp_msg, mask: addr, router: dhcp_router_list, lease: interval, serv_addr: addr, host_name: string) &priority=-5 +# This is where the data is stored as it's centralized. All data for a log must +# arrive within the expiration interval if it's to be logged fully. On a cluster, +# this data is only maintained on the manager. +global join_data: table[count] of Info = table() + &create_expire=10secs &expire_func=join_data_expiration; + + + +@if ( ! 
Cluster::is_enabled() || Cluster::local_node_type() == Cluster::MANAGER ) +# We are handling this event at priority 1000 because we really want +# the DHCP::log_info global to be set correctly before a user might try +# to access it. +event DHCP::aggregate_msgs(ts: time, id: conn_id, uid: string, is_orig: bool, msg: DHCP::Msg, options: DHCP::Options) &priority=1000 { - Log::write(DHCP::LOG, c$dhcp); + if ( msg$xid !in join_data ) + { + join_data[msg$xid] = Info($ts=ts, + $uids=set(uid)); + } + + log_info = join_data[msg$xid]; + } + +event DHCP::aggregate_msgs(ts: time, id: conn_id, uid: string, is_orig: bool, msg: DHCP::Msg, options: DHCP::Options) &priority=5 + { + log_info$duration = ts - log_info$ts; + + if ( uid !in log_info$uids ) + add log_info$uids[uid]; + + log_info$msg_types += DHCP::message_types[msg$m_type]; + + # Let's watch for messages in any DHCP message type + # and split them out based on client and server. + if ( options?$message ) + { + if ( is_orig ) + log_info$client_message = options$message; + else + log_info$server_message = options$message; + } + + # Update the last message time so that we can do some data + # expiration handling. + log_info$last_message_ts = ts; + + if ( is_orig ) # client requests + { + # Assign the client addr in case this is a session + # of only INFORM messages (no lease handed out). + # This also works if a normal lease handout uses + # unicast. + if ( id$orig_h != 0.0.0.0 && id$orig_h != 255.255.255.255 ) + log_info$client_addr = id$orig_h; + + if ( options?$host_name ) + log_info$host_name = options$host_name; + + if ( options?$client_fqdn ) + log_info$client_fqdn = options$client_fqdn$domain_name; + + if ( options?$client_id && + options$client_id$hwtype == 1 ) # ETHERNET + log_info$mac = options$client_id$hwaddr; + + if ( options?$addr_request ) + log_info$requested_addr = options$addr_request; + } + else # server reply messages + { + # Only log the address of the server if it handed out + # an IP address. 
+ if ( msg$yiaddr != 0.0.0.0 && + id$resp_h != 255.255.255.255 ) + { + log_info$server_addr = id$resp_h; + log_info$server_port = id$resp_p; + log_info$client_port = id$orig_p; + } + + # Only use the client hardware address from the server + # if we didn't already pick one up from the client. + if ( msg$chaddr != "" && !log_info?$mac ) + log_info$mac = msg$chaddr; + + if ( msg$yiaddr != 0.0.0.0 ) + log_info$assigned_addr = msg$yiaddr; + + # If no client address has been seen yet, let's use the assigned addr. + if ( ! log_info?$client_addr && log_info?$assigned_addr ) + log_info$client_addr = log_info$assigned_addr; + + if ( options?$domain_name ) + log_info$domain = options$domain_name; + + if ( options?$lease ) + log_info$lease_time = options$lease; + } + } +@endif + + + +# Aggregate DHCP messages to the manager. +event dhcp_message(c: connection, is_orig: bool, msg: DHCP::Msg, options: DHCP::Options) &priority=-5 + { + event DHCP::aggregate_msgs(network_time(), c$id, c$uid, is_orig, msg, options); + } + +event bro_done() &priority=-5 + { + # Log any remaining data that hasn't already been logged! + for ( i in DHCP::join_data ) + join_data_expiration(DHCP::join_data, i); } diff --git a/scripts/base/protocols/dhcp/utils.bro b/scripts/base/protocols/dhcp/utils.bro deleted file mode 100644 index 9d5a422128..0000000000 --- a/scripts/base/protocols/dhcp/utils.bro +++ /dev/null @@ -1,19 +0,0 @@ -##! Utilities specific for DHCP processing. - -module DHCP; - -export { - ## Reverse the octets of an IPv4 address. - ## - ## ip: An IPv4 address. - ## - ## Returns: A reversed IPv4 address. - global reverse_ip: function(ip: addr): addr; -} - -function reverse_ip(ip: addr): addr - { - local octets = split_string(cat(ip), /\./); - return to_addr(cat(octets[3], ".", octets[2], ".", octets[1], ".", octets[0])); - } - diff --git a/scripts/base/protocols/dns/consts.bro b/scripts/base/protocols/dns/consts.bro index 026588f777..dfcbc4031f 100644 
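Review bot: `join_data` is keyed by `msg$xid` alone, so messages from unrelated clients that use the same transaction ID inside the watch window, by chance or by construction, are folded into one `Info` record, and later messages overwrite fields such as `host_name`, `requested_addr` and `assigned_addr`. For a log that analysts use to attribute leases, that limit should at least be stated at the table, e.g. `# NOTE: keyed by transaction ID only; messages from different clients sharing an xid within the window are merged.` Adding the client hardware address (`msg$chaddr`) to the index would narrow the collision, at the cost of changing the `join_data_expiration` signature. Separately, on client messages `mac` is taken only from option 61, so a client-only exchange without that option logs no MAC even though `msg$chaddr` is available.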
--- a/scripts/base/protocols/dns/consts.bro +++ b/scripts/base/protocols/dns/consts.bro @@ -21,8 +21,8 @@ export { [29] = "LOC", [30] = "EID", [31] = "NIMLOC", [32] = "NB", [33] = "SRV", [34] = "ATMA", [35] = "NAPTR", [36] = "KX", [37] = "CERT", [38] = "A6", [39] = "DNAME", [40] = "SINK", - [EDNS] = "EDNS", [42] = "APL", [43] = "DS", [44] = "SINK", - [45] = "SSHFP", [46] = "RRSIG", [47] = "NSEC", [48] = "DNSKEY", + [EDNS] = "EDNS", [42] = "APL", [43] = "DS", [44] = "SSHFP", + [45] = "IPSECKEY", [46] = "RRSIG", [47] = "NSEC", [48] = "DNSKEY", [49] = "DHCID", [99] = "SPF", [100] = "DINFO", [101] = "UID", [102] = "GID", [103] = "UNSPEC", [249] = "TKEY", [250] = "TSIG", [251] = "IXFR", [252] = "AXFR", [253] = "MAILB", [254] = "MAILA", diff --git a/scripts/base/protocols/dns/main.bro b/scripts/base/protocols/dns/main.bro index db5d30b55c..127a06b5a0 100644 --- a/scripts/base/protocols/dns/main.bro +++ b/scripts/base/protocols/dns/main.bro @@ -2,7 +2,6 @@ ##! their responses. @load base/utils/queue -@load base/frameworks/notice/weird @load ./consts module DNS; @@ -177,9 +176,6 @@ function log_unmatched_msgs_queue(q: Queue::Queue) for ( i in infos ) { - local wi = Weird::Info($ts=network_time(), $name="dns_unmatched_msg", $uid=infos[i]$uid, - $id=infos[i]$id); - Weird::weird(wi); Log::write(DNS::LOG, infos[i]); } } @@ -187,21 +183,19 @@ function log_unmatched_msgs_queue(q: Queue::Queue) function log_unmatched_msgs(msgs: PendingMessages) { for ( trans_id in msgs ) + { log_unmatched_msgs_queue(msgs[trans_id]); + } clear_table(msgs); } function enqueue_new_msg(msgs: PendingMessages, id: count, msg: Info) { - local wi: Weird::Info; if ( id !in msgs ) { if ( |msgs| > max_pending_query_ids ) { - wi = Weird::Info($ts=network_time(), $name="dns_unmatched_msg", $uid=msg$uid, - $id=msg$id); - Weird::weird(wi); # Throw away all unmatched on assumption they'll never be matched. log_unmatched_msgs(msgs); } 
@@ -212,9 +206,6 @@ function enqueue_new_msg(msgs: PendingMessages, id: count, msg: Info) { if ( Queue::len(msgs[id]) > max_pending_msgs ) { - wi = Weird::Info($ts=network_time(), $name="dns_unmatched_msg_quantity", $uid=msg$uid, - $id=msg$id); - Weird::weird(wi); log_unmatched_msgs_queue(msgs[id]); # Throw away all unmatched on assumption they'll never be matched. msgs[id] = Queue::init(); @@ -271,7 +262,6 @@ hook set_session(c: connection, msg: dns_msg, is_query: bool) &priority=5 # Create a new DNS session and put it in the reply queue so # we can wait for a matching query. c$dns = new_session(c, msg$id); - event conn_weird("dns_unmatched_reply", c, ""); enqueue_new_msg(c$dns_state$pending_replies, msg$id, c$dns); } } @@ -334,11 +324,11 @@ hook DNS::do_reply(c: connection, msg: dns_msg, ans: dns_answer, reply: string) { if ( ! c$dns?$answers ) c$dns$answers = vector(); - c$dns$answers[|c$dns$answers|] = reply; + c$dns$answers += reply; if ( ! c$dns?$TTLs ) c$dns$TTLs = vector(); - c$dns$TTLs[|c$dns$TTLs|] = ans$TTL; + c$dns$TTLs += ans$TTL; } } } diff --git a/scripts/base/protocols/ftp/gridftp.bro b/scripts/base/protocols/ftp/gridftp.bro index 68be66d53a..38f6d8186c 100644 --- a/scripts/base/protocols/ftp/gridftp.bro +++ b/scripts/base/protocols/ftp/gridftp.bro @@ -75,6 +75,9 @@ event ConnThreshold::bytes_threshold_crossed(c: connection, threshold: count, is if ( threshold < size_threshold || "gridftp-data" in c$service || c$duration > max_time ) return; + if ( ! data_channel_initial_criteria(c) ) + return; + add c$service["gridftp-data"]; event GridFTP::data_channel_detected(c); diff --git a/scripts/base/protocols/http/entities.bro b/scripts/base/protocols/http/entities.bro index bec89b536d..3670d7879a 100644 --- a/scripts/base/protocols/http/entities.bro +++ b/scripts/base/protocols/http/entities.bro 
@@ -87,14 +87,14 @@ event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priori if ( ! c$http?$orig_fuids ) c$http$orig_fuids = string_vec(f$id); else - c$http$orig_fuids[|c$http$orig_fuids|] = f$id; + c$http$orig_fuids += f$id; if ( f$info?$filename ) { if ( ! c$http?$orig_filenames ) c$http$orig_filenames = string_vec(f$info$filename); else - c$http$orig_filenames[|c$http$orig_filenames|] = f$info$filename; + c$http$orig_filenames += f$info$filename; } } @@ -103,14 +103,14 @@ event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priori if ( ! c$http?$resp_fuids ) c$http$resp_fuids = string_vec(f$id); else - c$http$resp_fuids[|c$http$resp_fuids|] = f$id; + c$http$resp_fuids += f$id; if ( f$info?$filename ) { if ( ! c$http?$resp_filenames ) c$http$resp_filenames = string_vec(f$info$filename); else - c$http$resp_filenames[|c$http$resp_filenames|] = f$info$filename; + c$http$resp_filenames += f$info$filename; } } @@ -130,14 +130,14 @@ event file_sniff(f: fa_file, meta: fa_metadata) &priority=5 if ( ! f$http?$orig_mime_types ) f$http$orig_mime_types = string_vec(meta$mime_type); else - f$http$orig_mime_types[|f$http$orig_mime_types|] = meta$mime_type; + f$http$orig_mime_types += meta$mime_type; } else { if ( ! f$http?$resp_mime_types ) f$http$resp_mime_types = string_vec(meta$mime_type); else - f$http$resp_mime_types[|f$http$resp_mime_types|] = meta$mime_type; + f$http$resp_mime_types += meta$mime_type; } } diff --git a/scripts/base/protocols/http/utils.bro b/scripts/base/protocols/http/utils.bro index 88549f8404..67f13f2640 100644 --- a/scripts/base/protocols/http/utils.bro +++ b/scripts/base/protocols/http/utils.bro @@ -47,7 +47,7 @@ function extract_keys(data: string, kv_splitter: pattern): string_vec { local key_val = split_string1(parts[part_index], /=/); if ( 0 in key_val ) - key_vec[|key_vec|] = key_val[0]; + key_vec += key_val[0]; } return key_vec; } 
diff --git a/scripts/base/protocols/irc/dcc-send.bro b/scripts/base/protocols/irc/dcc-send.bro index 437724004a..9454fef7b0 100644 --- a/scripts/base/protocols/irc/dcc-send.bro +++ b/scripts/base/protocols/irc/dcc-send.bro @@ -11,6 +11,7 @@ @load ./main @load base/utils/files +@load base/frameworks/cluster module IRC; @@ -23,9 +24,33 @@ export { ## Sniffed mime type of the file. dcc_mime_type: string &log &optional; }; + + ## The broker topic name to which expected DCC transfer updates are + ## relayed. + const dcc_transfer_update_topic = "bro/irc/dcc_transfer_update" &redef; } -global dcc_expected_transfers: table[addr, port] of Info &synchronized &read_expire=5mins; +global dcc_expected_transfers: table[addr, port] of Info &read_expire=5mins; + +event dcc_transfer_add(host: addr, p: port, info: Info) + { + dcc_expected_transfers[host, p] = info; + Analyzer::schedule_analyzer(0.0.0.0, host, p, + Analyzer::ANALYZER_IRC_DATA, 5 min); + } + +event dcc_transfer_remove(host: addr, p: port) + { + delete dcc_expected_transfers[host, p]; + } + +event bro_init() + { + local lnt = Cluster::local_node_type(); + + if ( lnt == Cluster::WORKER ) + Broker::subscribe(dcc_transfer_update_topic); + } function log_dcc(f: fa_file) { @@ -51,6 +76,9 @@ function log_dcc(f: fa_file) delete irc$dcc_mime_type; delete dcc_expected_transfers[cid$resp_h, cid$resp_p]; + Cluster::relay_rr(Cluster::proxy_pool, dcc_transfer_update_topic, + dcc_transfer_update_topic, dcc_transfer_remove, + cid$resp_h, cid$resp_p); return; } } @@ -74,6 +102,9 @@ event irc_dcc_message(c: connection, is_orig: bool, local p = count_to_port(dest_port, tcp); Analyzer::schedule_analyzer(0.0.0.0, address, p, Analyzer::ANALYZER_IRC_DATA, 5 min); dcc_expected_transfers[address, p] = c$irc; + Cluster::relay_rr(Cluster::proxy_pool, dcc_transfer_update_topic, + dcc_transfer_update_topic, dcc_transfer_add, + address, p, c$irc); } event scheduled_analyzer_applied(c: connection, a: Analyzer::Tag) &priority=10 
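Review bot: The new `dcc_transfer_add` handler stores whatever `host`/`p` the relayed event carries in `dcc_expected_transfers` and schedules an analyzer for it, with no limit on how many entries it accepts. Those values come from the DCC offer parsed in `irc_dcc_message` (its body starts outside the hunk), and with `Cluster::relay_rr` each offer now creates state on every subscribed worker rather than only on the worker that saw it. The table is bounded only by `&read_expire=5mins` as far as these hunks show. Consider a size check in the handler, or at least a comment such as `# Entries originate from peer-supplied DCC offers; growth is limited only by &read_expire.` The two new events also lack doc comments saying they are cluster-internal relay targets.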
@@ -86,5 +117,10 @@ event scheduled_analyzer_applied(c: connection, a: Analyzer::Tag) &priority=10 event connection_state_remove(c: connection) &priority=-5 { if ( [c$id$resp_h, c$id$resp_p] in dcc_expected_transfers ) + { delete dcc_expected_transfers[c$id$resp_h, c$id$resp_p]; + Cluster::relay_rr(Cluster::proxy_pool, dcc_transfer_update_topic, + dcc_transfer_update_topic, dcc_transfer_remove, + c$id$resp_h, c$id$resp_p); + } } diff --git a/scripts/base/protocols/krb/files.bro b/scripts/base/protocols/krb/files.bro index cd2127c605..43e782c696 100644 --- a/scripts/base/protocols/krb/files.bro +++ b/scripts/base/protocols/krb/files.bro @@ -78,40 +78,23 @@ event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priori if ( f$source != "KRB_TCP" && f$source != "KRB" ) return; - local info: Info; - - if ( ! c?$krb ) - { - info$ts = network_time(); - info$uid = c$uid; - info$id = c$id; - } - else - info = c$krb; + set_session(c); if ( is_orig ) { - info$client_cert = f$info; - info$client_cert_fuid = f$id; + c$krb$client_cert = f$info; + c$krb$client_cert_fuid = f$id; } else { - info$server_cert = f$info; - info$server_cert_fuid = f$id; + c$krb$server_cert = f$info; + c$krb$server_cert_fuid = f$id; } - - c$krb = info; - - Files::add_analyzer(f, Files::ANALYZER_X509); - # Always calculate hashes. They are not necessary for base scripts - # but very useful for identification, and required for policy scripts - Files::add_analyzer(f, Files::ANALYZER_MD5); - Files::add_analyzer(f, Files::ANALYZER_SHA1); } function fill_in_subjects(c: connection) { - if ( !c?$krb ) + if ( ! c?$krb ) return; if ( c$krb?$client_cert && c$krb$client_cert?$x509 && c$krb$client_cert$x509?$certificate ) diff --git a/scripts/base/protocols/krb/main.bro b/scripts/base/protocols/krb/main.bro index 13200a559e..02abced683 100644 --- a/scripts/base/protocols/krb/main.bro +++ b/scripts/base/protocols/krb/main.bro 
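Review bot: In the `krb/files.bro` hunk, removing the three `Files::add_analyzer` calls leaves nothing visible that attaches the X509 analyzer to the certificate file, yet `fill_in_subjects` directly below still reads `c$krb$client_cert$x509`. If the analyzers are now attached centrally this is fine, but that is not shown here, so a comment at the removal site naming the script that now adds X509/MD5/SHA1 would keep the dependency explicit. The same removal appears in the `rdp/main.bro` hunk. The return value of `set_session(c)` is also ignored here, so certificate fields are still written after the record has been logged; if that is intended, say so in a one-line comment.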
@@ -10,41 +10,41 @@ export { type Info: record { ## Timestamp for when the event happened. - ts: time &log; + ts: time &log; ## Unique ID for the connection. - uid: string &log; + uid: string &log; ## The connection's 4-tuple of endpoint addresses/ports. - id: conn_id &log; + id: conn_id &log; ## Request type - Authentication Service ("AS") or ## Ticket Granting Service ("TGS") - request_type: string &log &optional; + request_type: string &log &optional; ## Client - client: string &log &optional; + client: string &log &optional; ## Service - service: string &log; + service: string &log &optional; ## Request result - success: bool &log &optional; + success: bool &log &optional; ## Error code - error_code: count &optional; + error_code: count &optional; ## Error message - error_msg: string &log &optional; + error_msg: string &log &optional; ## Ticket valid from - from: time &log &optional; + from: time &log &optional; ## Ticket valid till - till: time &log &optional; + till: time &log &optional; ## Ticket encryption type - cipher: string &log &optional; + cipher: string &log &optional; ## Forwardable ticket requested - forwardable: bool &log &optional; + forwardable: bool &log &optional; ## Renewable ticket requested - renewable: bool &log &optional; + renewable: bool &log &optional; ## We've already logged this - logged: bool &default=F; + logged: bool &default=F; }; ## The server response error texts which are *not* logged. 
@@ -80,172 +80,140 @@ event bro_init() &priority=5 Log::create_stream(KRB::LOG, [$columns=Info, $ev=log_krb, $path="kerberos"]); } -event krb_error(c: connection, msg: Error_Msg) &priority=5 +function set_session(c: connection): bool { - local info: Info; - - if ( msg?$error_text && msg$error_text in ignored_errors ) + if ( ! c?$krb ) { - if ( c?$krb ) delete c$krb; - return; + c$krb = Info($ts = network_time(), + $uid = c$uid, + $id = c$id); } - - if ( c?$krb && c$krb$logged ) - return; - - if ( c?$krb ) - info = c$krb; - - if ( ! info?$ts ) - { - info$ts = network_time(); - info$uid = c$uid; - info$id = c$id; - } - - if ( ! info?$client && ( msg?$client_name || msg?$client_realm ) ) - info$client = fmt("%s%s", msg?$client_name ? msg$client_name + "/" : "", - msg?$client_realm ? msg$client_realm : ""); - - info$service = msg$service_name; - info$success = F; - - info$error_code = msg$error_code; - - if ( msg?$error_text ) info$error_msg = msg$error_text; - else if ( msg$error_code in error_msg ) info$error_msg = error_msg[msg$error_code]; - - c$krb = info; + + return c$krb$logged; } -event krb_error(c: connection, msg: Error_Msg) &priority=-5 +function do_log(c: connection) { - if ( c?$krb ) + if ( c?$krb && ! c$krb$logged ) { Log::write(KRB::LOG, c$krb); c$krb$logged = T; } } -event krb_as_request(c: connection, msg: KDC_Request) &priority=5 +event krb_error(c: connection, msg: Error_Msg) &priority=5 { - if ( c?$krb && c$krb$logged ) + if ( set_session(c) ) return; - local info: Info; - - if ( !c?$krb ) + if ( msg?$error_text && msg$error_text in ignored_errors ) { - info$ts = network_time(); - info$uid = c$uid; - info$id = c$id; + if ( c?$krb ) + delete c$krb; + + return; } - else - info = c$krb; - info$request_type = "AS"; - info$client = fmt("%s/%s", msg?$client_name ? msg$client_name : "", msg$service_realm); - info$service = msg$service_name; + if ( ! c$krb?$client && ( msg?$client_name || msg?$client_realm ) ) + c$krb$client = fmt("%s%s", msg?$client_name ? 
msg$client_name + "/" : "", + msg?$client_realm ? msg$client_realm : ""); - if ( msg?$from ) - info$from = msg$from; + c$krb$service = msg$service_name; + c$krb$success = F; + c$krb$error_code = msg$error_code; - info$till = msg$till; - - info$forwardable = msg$kdc_options$forwardable; - info$renewable = msg$kdc_options$renewable; - - c$krb = info; + if ( msg?$error_text ) + c$krb$error_msg = msg$error_text; + else if ( msg$error_code in error_msg ) + c$krb$error_msg = error_msg[msg$error_code]; } -event krb_tgs_request(c: connection, msg: KDC_Request) &priority=5 +event krb_error(c: connection, msg: Error_Msg) &priority=-5 { - if ( c?$krb && c$krb$logged ) + do_log(c); + } + +event krb_as_request(c: connection, msg: KDC_Request) &priority=5 + { + if ( set_session(c) ) return; - local info: Info; - info$ts = network_time(); - info$uid = c$uid; - info$id = c$id; - info$request_type = "TGS"; - info$service = msg$service_name; - if ( msg?$from ) info$from = msg$from; - info$till = msg$till; + c$krb$request_type = "AS"; + c$krb$client = fmt("%s/%s", msg?$client_name ? msg$client_name : "", msg$service_realm); + c$krb$service = msg$service_name; - info$forwardable = msg$kdc_options$forwardable; - info$renewable = msg$kdc_options$renewable; + if ( msg?$from ) + c$krb$from = msg$from; + c$krb$till = msg$till; - c$krb = info; + c$krb$forwardable = msg$kdc_options$forwardable; + c$krb$renewable = msg$kdc_options$renewable; } event krb_as_response(c: connection, msg: KDC_Response) &priority=5 { - local info: Info; - - if ( c?$krb && c$krb$logged ) + if ( set_session(c) ) return; - if ( c?$krb ) - info = c$krb; - - if ( ! info?$ts ) + if ( ! c$krb?$client && ( msg?$client_name || msg?$client_realm ) ) { - info$ts = network_time(); - info$uid = c$uid; - info$id = c$id; + c$krb$client = fmt("%s/%s", msg?$client_name ? msg$client_name : "", + msg?$client_realm ? msg$client_realm : ""); } - if ( ! 
info?$client && ( msg?$client_name || msg?$client_realm ) ) - info$client = fmt("%s/%s", msg?$client_name ? msg$client_name : "", msg?$client_realm ? msg$client_realm : ""); - - info$service = msg$ticket$service_name; - info$cipher = cipher_name[msg$ticket$cipher]; - info$success = T; - - c$krb = info; + c$krb$service = msg$ticket$service_name; + c$krb$cipher = cipher_name[msg$ticket$cipher]; + c$krb$success = T; } event krb_as_response(c: connection, msg: KDC_Response) &priority=-5 { - Log::write(KRB::LOG, c$krb); - c$krb$logged = T; + do_log(c); + } + +event krb_ap_request(c: connection, ticket: KRB::Ticket, opts: KRB::AP_Options) &priority=5 + { + if ( set_session(c) ) + return; + } + +event krb_tgs_request(c: connection, msg: KDC_Request) &priority=5 + { + if ( set_session(c) ) + return; + + c$krb$request_type = "TGS"; + c$krb$service = msg$service_name; + if ( msg?$from ) + c$krb$from = msg$from; + c$krb$till = msg$till; + + c$krb$forwardable = msg$kdc_options$forwardable; + c$krb$renewable = msg$kdc_options$renewable; } event krb_tgs_response(c: connection, msg: KDC_Response) &priority=5 { - local info: Info; - - if ( c?$krb && c$krb$logged ) + if ( set_session(c) ) return; - if ( c?$krb ) - info = c$krb; - - if ( ! info?$ts ) + if ( ! c$krb?$client && ( msg?$client_name || msg?$client_realm ) ) { - info$ts = network_time(); - info$uid = c$uid; - info$id = c$id; + c$krb$client = fmt("%s/%s", msg?$client_name ? msg$client_name : "", + msg?$client_realm ? msg$client_realm : ""); } - if ( ! info?$client && ( msg?$client_name || msg?$client_realm ) ) - info$client = fmt("%s/%s", msg?$client_name ? msg$client_name : "", msg?$client_realm ? 
msg$client_realm : ""); - - info$service = msg$ticket$service_name; - info$cipher = cipher_name[msg$ticket$cipher]; - info$success = T; - - c$krb = info; + c$krb$service = msg$ticket$service_name; + c$krb$cipher = cipher_name[msg$ticket$cipher]; + c$krb$success = T; } event krb_tgs_response(c: connection, msg: KDC_Response) &priority=-5 { - Log::write(KRB::LOG, c$krb); - c$krb$logged = T; + do_log(c); } event connection_state_remove(c: connection) &priority=-5 { - if ( c?$krb && ! c$krb$logged ) - Log::write(KRB::LOG, c$krb); + do_log(c); } diff --git a/scripts/base/protocols/radius/main.bro b/scripts/base/protocols/radius/main.bro index d9c2d08ca8..ea30b27911 100644 --- a/scripts/base/protocols/radius/main.bro +++ b/scripts/base/protocols/radius/main.bro 
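Review bot: Once `do_log` sets `c$krb$logged = T`, every handler in this hunk returns early through `if ( set_session(c) ) return;` and nothing resets `c$krb`, so a connection carrying more than one Kerberos exchange yields a single kerberos.log entry. Later AS/TGS requests on that connection are dropped without any record, which matters if the log is used to count ticket requests per client. One option is to start a fresh record in the request handlers, e.g. `if ( c?$krb && c$krb$logged ) delete c$krb;` before `set_session(c)`, after checking that `krb/files.bro` does not rely on the old record. Separately, the `krb_ap_request` handler has an empty body after the guard and only creates a bare session, which `connection_state_remove` then logs with just ts/uid/id; a comment should state whether that is intended.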
@@ -10,52 +10,51 @@ export { type Info: record { ## Timestamp for when the event happened. - ts : time &log; + ts : time &log; ## Unique ID for the connection. - uid : string &log; + uid : string &log; ## The connection's 4-tuple of endpoint addresses/ports. - id : conn_id &log; + id : conn_id &log; ## The username, if present. - username : string &log &optional; + username : string &log &optional; ## MAC address, if present. - mac : string &log &optional; - ## Remote IP address, if present. - remote_ip : addr &log &optional; + mac : string &log &optional; + ## The address given to the network access server, if + ## present. This is only a hint from the RADIUS server + ## and the network access server is not required to honor + ## the address. + framed_addr : addr &log &optional; + ## Remote IP address, if present. This is collected + ## from the Tunnel-Client-Endpoint attribute. + remote_ip : addr &log &optional; ## Connect info, if present. - connect_info : string &log &optional; + connect_info : string &log &optional; + ## Reply message from the server challenge. This is + ## frequently shown to the user authenticating. + reply_msg : string &log &optional; ## Successful or failed authentication. - result : string &log &optional; - ## Whether this has already been logged and can be ignored. - logged : bool &optional; + result : string &log &optional; + ## The duration between the first request and + ## either the "Access-Accept" message or an error. + ## If the field is empty, it means that either + ## the request or response was not seen. + ttl : interval &log &optional; + ## Whether this has already been logged and can be ignored. + logged : bool &default=F; }; - ## The amount of time we wait for an authentication response before - ## expiring it. - const expiration_interval = 10secs &redef; - - ## Logs an authentication attempt if we didn't see a response in time. - ## - ## t: A table of Info records. 
- ## - ## idx: The index of the connection$radius table corresponding to the - ## radius authentication about to expire. - ## - ## Returns: 0secs, which when this function is used as an - ## :bro:attr:`&expire_func`, indicates to remove the element at - ## *idx* immediately. - global expire: function(t: table[count] of Info, idx: count): interval; - ## Event that can be handled to access the RADIUS record as it is sent on - ## to the loggin framework. + ## to the logging framework. global log_radius: event(rec: Info); } redef record connection += { - radius: table[count] of Info &optional &write_expire=expiration_interval &expire_func=expire; + radius: Info &optional; }; const ports = { 1812/udp }; +redef likely_server_ports += { ports }; event bro_init() &priority=5 { 
@@ -63,64 +62,86 @@ event bro_init() &priority=5 Analyzer::register_for_ports(Analyzer::ANALYZER_RADIUS, ports); } -event radius_message(c: connection, result: RADIUS::Message) +event radius_message(c: connection, result: RADIUS::Message) &priority=5 { - local info: Info; - - if ( c?$radius && result$trans_id in c$radius ) - info = c$radius[result$trans_id]; - else + if ( ! c?$radius ) { - c$radius = table(); - info$ts = network_time(); - info$uid = c$uid; - info$id = c$id; + c$radius = Info($ts = network_time(), + $uid = c$uid, + $id = c$id); } - switch ( RADIUS::msg_types[result$code] ) { + switch ( RADIUS::msg_types[result$code] ) + { case "Access-Request": - if ( result?$attributes ) { + if ( result?$attributes ) + { # User-Name - if ( ! info?$username && 1 in result$attributes ) - info$username = result$attributes[1][0]; + if ( ! c$radius?$username && 1 in result$attributes ) + c$radius$username = result$attributes[1][0]; # Calling-Station-Id (we expect this to be a MAC) - if ( ! info?$mac && 31 in result$attributes ) - info$mac = normalize_mac(result$attributes[31][0]); + if ( ! c$radius?$mac && 31 in result$attributes ) + c$radius$mac = normalize_mac(result$attributes[31][0]); # Tunnel-Client-EndPoint (useful for VPNs) - if ( ! info?$remote_ip && 66 in result$attributes ) - info$remote_ip = to_addr(result$attributes[66][0]); + if ( ! c$radius?$remote_ip && 66 in result$attributes ) + c$radius$remote_ip = to_addr(result$attributes[66][0]); # Connect-Info - if ( ! info?$connect_info && 77 in result$attributes ) - info$connect_info = result$attributes[77][0]; - } + if ( ! c$radius?$connect_info && 77 in result$attributes ) + c$radius$connect_info = result$attributes[77][0]; + } + break; + case "Access-Challenge": + if ( result?$attributes ) + { + # Framed-IP-Address + if ( ! c$radius?$framed_addr && 8 in result$attributes ) + c$radius$framed_addr = raw_bytes_to_v4_addr(result$attributes[8][0]); + + if ( ! 
c$radius?$reply_msg && 18 in result$attributes ) + c$radius$reply_msg = result$attributes[18][0]; + } break; case "Access-Accept": - info$result = "success"; + c$radius$result = "success"; break; case "Access-Reject": - info$result = "failed"; + c$radius$result = "failed"; break; - } - if ( info?$result && ! info?$logged ) - { - info$logged = T; - Log::write(RADIUS::LOG, info); + # TODO: Support RADIUS accounting. (add port 1813/udp above too) + #case "Accounting-Request": + # break; + # + #case "Accounting-Response": + # break; } - - c$radius[result$trans_id] = info; } +event radius_message(c: connection, result: RADIUS::Message) &priority=-5 + { + if ( c$radius?$result ) + { + local ttl = network_time() - c$radius$ts; + if ( ttl != 0secs ) + c$radius$ttl = ttl; -function expire(t: table[count] of Info, idx: count): interval - { - t[idx]$result = "unknown"; - Log::write(RADIUS::LOG, t[idx]); - return 0secs; - } + Log::write(RADIUS::LOG, c$radius); + + delete c$radius; + } + } + +event connection_state_remove(c: connection) &priority=-5 + { + if ( c?$radius && ! c$radius$logged ) + { + c$radius$result = "unknown"; + Log::write(RADIUS::LOG, c$radius); + } + } diff --git a/scripts/base/protocols/rdp/main.bro b/scripts/base/protocols/rdp/main.bro index c6d550c3f7..f543fd2cae 100644 --- a/scripts/base/protocols/rdp/main.bro +++ b/scripts/base/protocols/rdp/main.bro @@ -236,10 +236,6 @@ event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priori { # Count up X509 certs. ++c$rdp$cert_count; - - Files::add_analyzer(f, Files::ANALYZER_X509); - Files::add_analyzer(f, Files::ANALYZER_MD5); - Files::add_analyzer(f, Files::ANALYZER_SHA1); } } diff --git a/scripts/base/protocols/rfb/dpd.sig b/scripts/base/protocols/rfb/dpd.sig index 40793ad590..c105070b24 100644 --- a/scripts/base/protocols/rfb/dpd.sig +++ b/scripts/base/protocols/rfb/dpd.sig 
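Review bot: The rewritten `radius_message` handler keeps one `Info` per connection and no longer consults `result$trans_id`, so overlapping exchanges on the same UDP flow are merged. The first request's `username`/`mac` are retained by the `! c$radius?$username` guards and paired with whichever Access-Accept or Access-Reject arrives next, which can attribute an authentication result to the wrong user in radius.log. If per-identifier tracking is deliberately dropped, document it at the top of the handler, e.g. `# NOTE: state is per connection, not per result$trans_id; overlapping exchanges are merged.` Also, `logged` is never set to `T` in this hunk because the record is deleted after `Log::write`, so the `! c$radius$logged` test in `connection_state_remove` is always true and the field could be removed or explained.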
@@ -1,6 +1,7 @@ signature dpd_rfb_server { ip-proto == tcp payload /^RFB/ + tcp-state responder requires-reverse-signature dpd_rfb_client enable "rfb" } @@ -9,4 +10,4 @@ signature dpd_rfb_client { ip-proto == tcp payload /^RFB/ tcp-state originator -} \ No newline at end of file +} diff --git a/scripts/base/protocols/sip/main.bro b/scripts/base/protocols/sip/main.bro index f629049928..f4dba22876 100644 --- a/scripts/base/protocols/sip/main.bro +++ b/scripts/base/protocols/sip/main.bro @@ -226,7 +226,7 @@ event sip_header(c: connection, is_request: bool, name: string, value: string) & c$sip$user_agent = value; break; case "VIA", "V": - c$sip$request_path[|c$sip$request_path|] = split_string1(value, /;[ ]?branch/)[0]; + c$sip$request_path += split_string1(value, /;[ ]?branch/)[0]; break; } @@ -256,7 +256,7 @@ event sip_header(c: connection, is_request: bool, name: string, value: string) & c$sip$response_to = value; break; case "VIA", "V": - c$sip$response_path[|c$sip$response_path|] = split_string1(value, /;[ ]?branch/)[0]; + c$sip$response_path += split_string1(value, /;[ ]?branch/)[0]; break; } diff --git a/scripts/base/protocols/smb/README b/scripts/base/protocols/smb/README index 6e41fd1a28..d10322faad 100644 --- a/scripts/base/protocols/smb/README +++ b/scripts/base/protocols/smb/README @@ -1 +1 @@ -Definitions of constants used by the SMB protocol. +Support for SMB protocol analysis. diff --git a/scripts/base/protocols/smb/__load__.bro b/scripts/base/protocols/smb/__load__.bro index 975d204851..d1ed8cdfe9 100644 --- a/scripts/base/protocols/smb/__load__.bro +++ b/scripts/base/protocols/smb/__load__.bro @@ -1,3 +1,10 @@ @load ./consts @load ./const-dos-error @load ./const-nt-status + +@load ./main +@load ./smb1-main +@load ./smb2-main +@load ./files + +@load-sigs ./dpd.sig diff --git a/scripts/base/protocols/smb/const-nt-status.bro b/scripts/base/protocols/smb/const-nt-status.bro index 8804522ed9..f985e72a3b 100644 
--- a/scripts/base/protocols/smb/const-nt-status.bro +++ b/scripts/base/protocols/smb/const-nt-status.bro 
@@ -64,8 +64,8 @@ redef SMB::statuses += { [0x40000007] = [$id="BAD_CURRENT_DIRECTORY", $desc="{Invalid Current Directory} The process cannot switch to the startup current directory %hs. Select OK to set the current directory to %hs, or select CANCEL to exit."], [0x40000008] = [$id="SERIAL_MORE_WRITES", $desc="{Serial IOCTL Complete} A serial I/O operation was completed by another write to a serial port. (The IOCTL_SERIAL_XOFF_COUNTER reached zero.)"], [0x40000009] = [$id="REGISTRY_RECOVERED", $desc="{Registry Recovery} One of the files that contains the system registry data had to be recovered by using a log or alternate copy. The recovery was successful."], - [0x4000000A] = [$id="FT_READ_RECOVERY_FROM_BACKUP", $desc="{Redundant Read} To satisfy a read request, the Windows NT fault-tolerant file system successfully read the requested data from a redundant copy. This was done because the file system encountered a failure on a member of the fault-tolerant volume but was unable to reassign the failing area of the device."], - [0x4000000B] = [$id="FT_WRITE_RECOVERY", $desc="{Redundant Write} To satisfy a write request, the Windows NT fault-tolerant file system successfully wrote a redundant copy of the information. This was done because the file system encountered a failure on a member of the fault-tolerant volume but was unable to reassign the failing area of the device."], + [0x4000000A] = [$id="FT_READ_RECOVERY_FROM_BACKUP", $desc="{Redundant Read} To satisfy a read request, the Windows NT fault-tolerant file system successfully read the requested data from a redundant copy. This was done because the file system encountered a failure on a member of the fault-tolerant volume but was unable to reassign the failing area of the device."], + [0x4000000B] = [$id="FT_WRITE_RECOVERY", $desc="{Redundant Write} To satisfy a write request, the Windows NT fault-tolerant file system successfully wrote a redundant copy of the information. 
This was done because the file system encountered a failure on a member of the fault-tolerant volume but was unable to reassign the failing area of the device."], [0x4000000C] = [$id="SERIAL_COUNTER_TIMEOUT", $desc="{Serial IOCTL Timeout} A serial I/O operation completed because the time-out period expired. (The IOCTL_SERIAL_XOFF_COUNTER had not reached zero.)"], [0x4000000D] = [$id="NULL_LM_PASSWORD", $desc="{Password Too Complex} The Windows password is too complex to be converted to a LAN Manager password. The LAN Manager password that returned is a NULL string."], [0x4000000E] = [$id="IMAGE_MACHINE_TYPE_MISMATCH", $desc="{Machine Type Mismatch} The image file %hs is valid but is for a machine type other than the current machine. Select OK to continue, or CANCEL to fail the DLL load."], 
@@ -494,7 +494,7 @@ redef SMB::statuses += { [0xC0000131] = [$id="INVALID_IMAGE_WIN_16", $desc="The specified image file did not have the correct format: it appears to be a 16-bit Windows image."], [0xC0000132] = [$id="LOGON_SERVER_CONFLICT", $desc="The Netlogon service cannot start because another Netlogon service running in the domain conflicts with the specified role."], [0xC0000133] = [$id="TIME_DIFFERENCE_AT_DC", $desc="The time at the primary domain controller is different from the time at the backup domain controller or member server by too large an amount."], - [0xC0000134] = [$id="SYNCHRONIZATION_REQUIRED", $desc="The SAM database on a Windows Server is significantly out of synchronization with the copy on the domain controller. A complete synchronization is required."], + [0xC0000134] = [$id="SYNCHRONIZATION_REQUIRED", $desc="The SAM database on a Windows Server is significantly out of synchronization with the copy on the domain controller. A complete synchronization is required."], [0xC0000135] = [$id="DLL_NOT_FOUND", $desc="{Unable To Locate Component} This application has failed to start because %hs was not found. Reinstalling the application may fix this problem."], [0xC0000136] = [$id="OPEN_FAILED", $desc="The NtCreateFile API failed. This error should never be returned to an application; it is a place holder for the Windows LAN Manager Redirector to use in its internal error-mapping routines."], [0xC0000137] = [$id="IO_PRIVILEGE_FAILED", $desc="{Privilege Failed} The I/O permissions for the process could not be changed."], 
@@ -536,7 +536,7 @@ redef SMB::statuses += { [0xC000015B] = [$id="LOGON_TYPE_NOT_GRANTED", $desc="A user has requested a type of logon (for example, interactive or network) that has not been granted. An administrator has control over who may logon interactively and through the network."], [0xC000015C] = [$id="NOT_REGISTRY_FILE", $desc="The system has attempted to load or restore a file into the registry, and the specified file is not in the format of a registry file."], [0xC000015D] = [$id="NT_CROSS_ENCRYPTION_REQUIRED", $desc="An attempt was made to change a user password in the security account manager without providing the necessary Windows cross-encrypted password."], - [0xC000015E] = [$id="DOMAIN_CTRLR_CONFIG_ERROR", $desc="A Windows Server has an incorrect configuration."], + [0xC000015E] = [$id="DOMAIN_CTRLR_CONFIG_ERROR", $desc="A Windows Server has an incorrect configuration."], [0xC000015F] = [$id="FT_MISSING_MEMBER", $desc="An attempt was made to explicitly access the secondary copy of information via a device control to the fault tolerance driver and the secondary copy is not present in the system."], [0xC0000160] = [$id="ILL_FORMED_SERVICE_ENTRY", $desc="A configuration registry node that represents a driver service entry was ill-formed and did not contain the required value entries."], [0xC0000161] = [$id="ILLEGAL_CHARACTER", $desc="An illegal character was encountered. For a multibyte character set, this includes a lead byte without a succeeding trail byte. For the Unicode character set this includes the characters 0xFFFF and 0xFFFE."], 
@@ -577,7 +577,7 @@ redef SMB::statuses += { [0xC0000188] = [$id="LOG_FILE_FULL", $desc="The log file space is insufficient to support this operation."], [0xC0000189] = [$id="TOO_LATE", $desc="A write operation was attempted to a volume after it was dismounted."], [0xC000018A] = [$id="NO_TRUST_LSA_SECRET", $desc="The workstation does not have a trust secret for the primary domain in the local LSA database."], - [0xC000018B] = [$id="NO_TRUST_SAM_ACCOUNT", $desc="The SAM database on the Windows Server does not have a computer account for this workstation trust relationship."], + [0xC000018B] = [$id="NO_TRUST_SAM_ACCOUNT", $desc="The SAM database on the Windows Server does not have a computer account for this workstation trust relationship."], [0xC000018C] = [$id="TRUSTED_DOMAIN_FAILURE", $desc="The logon request failed because the trust relationship between the primary domain and the trusted domain failed."], [0xC000018D] = [$id="TRUSTED_RELATIONSHIP_FAILURE", $desc="The logon request failed because the trust relationship between this workstation and the primary domain failed."], [0xC000018E] = [$id="EVENTLOG_FILE_CORRUPT", $desc="The Eventlog log file is corrupt."], 
@@ -833,18 +833,18 @@ redef SMB::statuses += { [0xC00002FD] = [$id="KDC_UNKNOWN_ETYPE", $desc="The encryption type requested is not supported by the KDC."], [0xC00002FE] = [$id="SHUTDOWN_IN_PROGRESS", $desc="A system shutdown is in progress."], [0xC00002FF] = [$id="SERVER_SHUTDOWN_IN_PROGRESS", $desc="The server machine is shutting down."], - [0xC0000300] = [$id="NOT_SUPPORTED_ON_SBS", $desc="This operation is not supported on a computer running Windows Server 2003 for Small Business Server."], + [0xC0000300] = [$id="NOT_SUPPORTED_ON_SBS", $desc="This operation is not supported on a computer running Windows Server 2003 for Small Business Server."], [0xC0000301] = [$id="WMI_GUID_DISCONNECTED", $desc="The WMI GUID is no longer available."], [0xC0000302] = [$id="WMI_ALREADY_DISABLED", $desc="Collection or events for the WMI GUID is already disabled."], [0xC0000303] = [$id="WMI_ALREADY_ENABLED", $desc="Collection or events for the WMI GUID is already enabled."], [0xC0000304] = [$id="MFT_TOO_FRAGMENTED", $desc="The master file table on the volume is too fragmented to complete this operation."], [0xC0000305] = [$id="COPY_PROTECTION_FAILURE", $desc="Copy protection failure."], - [0xC0000306] = [$id="CSS_AUTHENTICATION_FAILURE", $desc="Copy protection error—DVD CSS Authentication failed."], - [0xC0000307] = [$id="CSS_KEY_NOT_PRESENT", $desc="Copy protection error—The specified sector does not contain a valid key."], - [0xC0000308] = [$id="CSS_KEY_NOT_ESTABLISHED", $desc="Copy protection error—DVD session key not established."], - [0xC0000309] = [$id="CSS_SCRAMBLED_SECTOR", $desc="Copy protection error—The read failed because the sector is encrypted."], - [0xC000030A] = [$id="CSS_REGION_MISMATCH", $desc="Copy protection error—The region of the specified DVD does not correspond to the region setting of the drive."], - [0xC000030B] = [$id="CSS_RESETS_EXHAUSTED", $desc="Copy protection error—The region setting of the drive may be permanent."], + [0xC0000306] = 
[$id="CSS_AUTHENTICATION_FAILURE", $desc="Copy protection error-DVD CSS Authentication failed."], + [0xC0000307] = [$id="CSS_KEY_NOT_PRESENT", $desc="Copy protection error-The specified sector does not contain a valid key."], + [0xC0000308] = [$id="CSS_KEY_NOT_ESTABLISHED", $desc="Copy protection error-DVD session key not established."], + [0xC0000309] = [$id="CSS_SCRAMBLED_SECTOR", $desc="Copy protection error-The read failed because the sector is encrypted."], + [0xC000030A] = [$id="CSS_REGION_MISMATCH", $desc="Copy protection error-The region of the specified DVD does not correspond to the region setting of the drive."], + [0xC000030B] = [$id="CSS_RESETS_EXHAUSTED", $desc="Copy protection error-The region setting of the drive may be permanent."], [0xC0000320] = [$id="PKINIT_FAILURE", $desc="The Kerberos protocol encountered an error while validating the KDC certificate during smart card logon. There is more information in the system event log."], [0xC0000321] = [$id="SMARTCARD_SUBSYSTEM_FAILURE", $desc="The Kerberos protocol encountered an error while attempting to use the smart card subsystem."], [0xC0000322] = [$id="NO_KERB_KEY", $desc="The target server does not have acceptable Kerberos credentials."], 
@@ -855,7 +855,7 @@ redef SMB::statuses += { [0xC0000354] = [$id="DEBUGGER_INACTIVE", $desc="An attempt to do an operation on a debug port failed because the port is in the process of being deleted."], [0xC0000355] = [$id="DS_VERSION_CHECK_FAILURE", $desc="This version of Windows is not compatible with the behavior version of the directory forest, domain, or domain controller."], [0xC0000356] = [$id="AUDITING_DISABLED", $desc="The specified event is currently not being audited."], - [0xC0000357] = [$id="PRENT4_MACHINE_ACCOUNT", $desc="The machine account was created prior to Windows NT 4.0. The account needs to be recreated."], + [0xC0000357] = [$id="PRENT4_MACHINE_ACCOUNT", $desc="The machine account was created prior to Windows NT 4.0. The account needs to be recreated."], [0xC0000358] = [$id="DS_AG_CANT_HAVE_UNIVERSAL_MEMBER", $desc="An account group cannot have a universal group as a member."], [0xC0000359] = [$id="INVALID_IMAGE_WIN_32", $desc="The specified image file did not have the correct format; it appears to be a 32-bit Windows image."], [0xC000035A] = [$id="INVALID_IMAGE_WIN_64", $desc="The specified image file did not have the correct format; it appears to be a 64-bit Windows image."], @@ -1790,4 +1790,4 @@ redef SMB::statuses += { [0xC03A0017] = [$id="VHD_CHILD_PARENT_SIZE_MISMATCH", $desc="The chain of virtual hard disks is corrupted. There is a mismatch in the virtual sizes of the parent virtual hard disk and differencing disk."], [0xC03A0018] = [$id="VHD_DIFFERENCING_CHAIN_CYCLE_DETECTED", $desc="The chain of virtual hard disks is corrupted. A differencing disk is indicated in its own parent chain."], [0xC03A0019] = [$id="VHD_DIFFERENCING_CHAIN_ERROR_IN_PARENT", $desc="The chain of virtual hard disks is inaccessible. There was an error opening a virtual hard disk further up the chain."], -}; \ No newline at end of file +}; diff --git a/scripts/base/protocols/smb/consts.bro b/scripts/base/protocols/smb/consts.bro index 862a0ae693..f36d029be9 100644 
--- a/scripts/base/protocols/smb/consts.bro +++ b/scripts/base/protocols/smb/consts.bro @@ -255,10 +255,12 @@ export { } &default=function(i: count): string { return fmt("unknown-%d", i); }; const dialects: table[count] of string = { - [0x0202] = "2.002", + [0x0202] = "2.0.2", [0x0210] = "2.1", [0x0300] = "3.0", - [0x0302] = "3.02", + [0x0302] = "3.0.2", + [0x0311] = "3.1.1", + [0x02FF] = "2.1+", } &default=function(i: count): string { return fmt("unknown-%d", i); }; const share_types: table[count] of string = { diff --git a/scripts/policy/protocols/smb/dpd.sig b/scripts/base/protocols/smb/dpd.sig similarity index 100% rename from scripts/policy/protocols/smb/dpd.sig rename to scripts/base/protocols/smb/dpd.sig diff --git a/scripts/policy/protocols/smb/files.bro b/scripts/base/protocols/smb/files.bro similarity index 100% rename from scripts/policy/protocols/smb/files.bro rename to scripts/base/protocols/smb/files.bro diff --git a/scripts/policy/protocols/smb/main.bro b/scripts/base/protocols/smb/main.bro similarity index 91% rename from scripts/policy/protocols/smb/main.bro rename to scripts/base/protocols/smb/main.bro index f94db17f38..7e8969594d 100644 --- a/scripts/policy/protocols/smb/main.bro +++ b/scripts/base/protocols/smb/main.bro @@ -1,10 +1,11 @@ -@load base/protocols/smb +@load ./consts +@load ./const-dos-error +@load ./const-nt-status module SMB; export { redef enum Log::ID += { - CMD_LOG, AUTH_LOG, MAPPING_LOG, FILES_LOG @@ -18,6 +19,7 @@ export { FILE_CLOSE, FILE_DELETE, FILE_RENAME, + FILE_SET_ATTRIBUTE, PIPE_READ, PIPE_WRITE, @@ -40,11 +42,6 @@ export { PRINT_CLOSE, } &redef; - ## The server response statuses which are *not* logged. - const ignored_command_statuses: set[string] = { - "MORE_PROCESSING_REQUIRED", - } &redef; - ## This record is for the smb_files.log type FileInfo: record { ## Time when the file was first discovered. 
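Review bot: The new `[0x02FF] = "2.1+"` entry in `dialects` carries no comment saying that 0x02FF is the SMB2 wildcard revision a server returns to a multi-protocol negotiate, not a concrete dialect, so "2.1+" reads like a real negotiated version. I would add `# 0x02FF: SMB2 wildcard revision (server supports 2.1 or later; the actual dialect is settled by a follow-up negotiate)` above it and move the entry before `[0x0210]` to keep the table in numeric order. The same hunk changes the strings "2.002" and "3.02" to "2.0.2" and "3.0.2", so any script or log query that matches the old values will stop matching without an error; that deserves a line in the release notes. The enclosing `export` block starts outside the hunk.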
@@ -156,25 +153,12 @@ export { recent_files : set[string] &default=string_set() &read_expire=3min; }; - ## Optionally write out the SMB commands log. This is - ## primarily useful for debugging so is disabled by default. - const write_cmd_log = F &redef; - ## Everything below here is used internally in the SMB scripts. redef record connection += { smb_state : State &optional; }; - ## Internal use only. - ## Some commands shouldn't be logged by the smb1_message event. - const deferred_logging_cmds: set[string] = { - "NEGOTIATE", - "READ_ANDX", - "SESSION_SETUP_ANDX", - "TREE_CONNECT_ANDX", - }; - ## This is an internally used function. const set_current_file: function(smb_state: State, file_id: count) &redef; @@ -195,7 +179,6 @@ redef likely_server_ports += { ports }; event bro_init() &priority=5 { - Log::create_stream(SMB::CMD_LOG, [$columns=SMB::CmdInfo, $path="smb_cmd"]); Log::create_stream(SMB::FILES_LOG, [$columns=SMB::FileInfo, $path="smb_files"]); Log::create_stream(SMB::MAPPING_LOG, [$columns=SMB::TreeInfo, $path="smb_mapping"]); diff --git a/scripts/policy/protocols/smb/smb1-main.bro b/scripts/base/protocols/smb/smb1-main.bro similarity index 92% rename from scripts/policy/protocols/smb/smb1-main.bro rename to scripts/base/protocols/smb/smb1-main.bro index 853d83b01f..44210e88f0 100644 --- a/scripts/policy/protocols/smb/smb1-main.bro +++ b/scripts/base/protocols/smb/smb1-main.bro 
@@ -68,21 +68,14 @@ event smb1_message(c: connection, hdr: SMB1::Header, is_orig: bool) &priority=5 event smb1_message(c: connection, hdr: SMB1::Header, is_orig: bool) &priority=-5 { - # Is this a response? - if ( !is_orig ) - { - if ( SMB::write_cmd_log && - c$smb_state$current_cmd$status !in SMB::ignored_command_statuses && - c$smb_state$current_cmd$command !in SMB::deferred_logging_cmds ) - { - Log::write(SMB::CMD_LOG, c$smb_state$current_cmd); - } - delete c$smb_state$pending_cmds[hdr$mid]; - } + if ( is_orig ) + return; + + delete c$smb_state$pending_cmds[hdr$mid]; } -event smb1_transaction2_request(c: connection, hdr: SMB1::Header, sub_cmd: count) +event smb1_transaction2_request(c: connection, hdr: SMB1::Header, args: SMB1::Trans2_Args, sub_cmd: count) { c$smb_state$current_cmd$sub_command = SMB1::trans2_sub_commands[sub_cmd]; } @@ -263,7 +256,7 @@ event smb1_session_setup_andx_response(c: connection, hdr: SMB1::Header, respons # No behavior yet. } -event smb1_transaction_request(c: connection, hdr: SMB1::Header, name: string, sub_cmd: count) +event smb1_transaction_request(c: connection, hdr: SMB1::Header, name: string, sub_cmd: count, parameters: string, data: string) { c$smb_state$current_cmd$sub_command = SMB1::trans_sub_commands[sub_cmd]; } @@ -325,18 +318,3 @@ event smb_pipe_request(c: connection, hdr: SMB1::Header, op_num: count) c$smb_state$current_cmd$argument = arg; } - -event smb1_error(c: connection, hdr: SMB1::Header, is_orig: bool) - { - if ( ! is_orig ) - { - # This is for deferred commands only. - # The more specific messages won't fire for errors - if ( SMB::write_cmd_log && - c$smb_state$current_cmd$status !in SMB::ignored_command_statuses && - c$smb_state$current_cmd$command in SMB::deferred_logging_cmds ) - { - Log::write(SMB::CMD_LOG, c$smb_state$current_cmd); - } - } - } 
diff --git a/scripts/policy/protocols/smb/smb2-main.bro b/scripts/base/protocols/smb/smb2-main.bro similarity index 82% rename from scripts/policy/protocols/smb/smb2-main.bro rename to scripts/base/protocols/smb/smb2-main.bro index 1dc3a10654..ab453f8829 100644 --- a/scripts/policy/protocols/smb/smb2-main.bro +++ b/scripts/base/protocols/smb/smb2-main.bro @@ -65,17 +65,16 @@ event smb2_message(c: connection, hdr: SMB2::Header, is_orig: bool) &priority=5 event smb2_message(c: connection, hdr: SMB2::Header, is_orig: bool) &priority=-5 { - # Is this a response? - if ( !is_orig ) - { - if ( SMB::write_cmd_log && - c$smb_state$current_cmd$status !in SMB::ignored_command_statuses && - c$smb_state$current_cmd$command !in SMB::deferred_logging_cmds ) - { - Log::write(SMB::CMD_LOG, c$smb_state$current_cmd); - } - delete c$smb_state$pending_cmds[hdr$message_id]; - } + if ( is_orig ) + return; + + # If the command that is being looked at right now was + # marked as PENDING, then we'll skip all of this and wait + # for a reply that isn't marked pending. + if ( c$smb_state$current_cmd$status == "PENDING" ) + return; + + delete c$smb_state$pending_cmds[hdr$message_id]; } event smb2_negotiate_request(c: connection, hdr: SMB2::Header, dialects: index_vec) &priority=5 @@ -129,12 +128,12 @@ event smb2_tree_disconnect_request(c: connection, hdr: SMB2::Header) &priority=5 } } -event smb2_create_request(c: connection, hdr: SMB2::Header, name: string) &priority=5 +event smb2_create_request(c: connection, hdr: SMB2::Header, request: SMB2::CreateRequest) &priority=5 { - if ( name == "") - name = ""; + if ( request$filename == "") + request$filename = ""; - c$smb_state$current_file$name = name; + c$smb_state$current_file$name = request$filename; switch ( c$smb_state$current_tree$share_type ) { 
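Review bot: The new early return on `c$smb_state$current_cmd$status == "PENDING"` in the priority -5 `smb2_message` handler skips `delete c$smb_state$pending_cmds[hdr$message_id];`, so the entry stays in `pending_cmds` until a non-pending reply arrives. If a peer only ever sends interim PENDING responses, those entries last as long as the connection and the table grows with every such message id. Whether `pending_cmds` is declared with an expiry attribute is not visible in this diff; if it is not, giving it one in main.bro (for example `&create_expire` with an interval in line with the `&read_expire=3min` used for `recent_files`) would bound the state. A short comment next to the `return` naming where the entry is eventually removed would also help.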
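Review bot: `smb2_create_request` now assigns into `request$filename`, a field of the event's record argument, where the old code overwrote its own `name` string. Record values are shared between handlers, so any handler of this event that runs after this priority-5 one sees the substituted name, not what was on the wire. Copying first keeps the substitution local: `local fname = request$filename;`, then the empty-name check on `fname` and `c$smb_state$current_file$name = fname;`. As rendered on this page both sides of the empty-name assignment are `""`, so the placeholder literal may have been lost in extraction. The handler body continues past the end of the hunk.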
@@ -153,28 +152,28 @@ event smb2_create_request(c: connection, hdr: SMB2::Header, name: string) &prior } } -event smb2_create_response(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, file_size: count, times: SMB::MACTimes, attrs: SMB2::FileAttrs) &priority=5 +event smb2_create_response(c: connection, hdr: SMB2::Header, response: SMB2::CreateResponse) &priority=5 { - SMB::set_current_file(c$smb_state, file_id$persistent+file_id$volatile); + SMB::set_current_file(c$smb_state, response$file_id$persistent+response$file_id$volatile); - c$smb_state$current_file$fid = file_id$persistent+file_id$volatile; - c$smb_state$current_file$size = file_size; + c$smb_state$current_file$fid = response$file_id$persistent+response$file_id$volatile; + c$smb_state$current_file$size = response$size; if ( c$smb_state$current_tree?$path ) c$smb_state$current_file$path = c$smb_state$current_tree$path; # I'm seeing negative data from IPC tree transfers - if ( time_to_double(times$modified) > 0.0 ) - c$smb_state$current_file$times = times; + if ( time_to_double(response$times$modified) > 0.0 ) + c$smb_state$current_file$times = response$times; # We can identify the file by its file id now so let's stick it # in the file map. - c$smb_state$fid_map[file_id$persistent+file_id$volatile] = c$smb_state$current_file; + c$smb_state$fid_map[response$file_id$persistent+response$file_id$volatile] = c$smb_state$current_file; - c$smb_state$current_file = c$smb_state$fid_map[file_id$persistent+file_id$volatile]; + c$smb_state$current_file = c$smb_state$fid_map[response$file_id$persistent+response$file_id$volatile]; } -event smb2_create_response(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, file_size: count, times: SMB::MACTimes, attrs: SMB2::FileAttrs) &priority=-5 +event smb2_create_response(c: connection, hdr: SMB2::Header, response: SMB2::CreateResponse) &priority=-5 { SMB::write_file_log(c$smb_state); } 
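Review bot: `response$file_id$persistent+response$file_id$volatile` is now written out four times in the priority-5 `smb2_create_response` handler, so the key used for `set_current_file`, `current_file$fid` and the two `fid_map` accesses can drift apart if one copy is edited. Computing it once at the top of the handler, `local fid = response$file_id$persistent + response$file_id$volatile;`, and using `fid` in all four places keeps them identical and shortens the lines.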
@@ -231,6 +230,26 @@ event smb2_write_request(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, SMB::write_file_log(c$smb_state); } +event smb2_file_sattr(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, times: SMB::MACTimes, attrs: SMB2::FileAttrs) &priority=-5 + { + SMB::write_file_log(c$smb_state); + } + +event smb2_file_sattr(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, times: SMB::MACTimes, attrs: SMB2::FileAttrs) &priority=5 + { + SMB::set_current_file(c$smb_state, file_id$persistent+file_id$volatile); + + switch ( c$smb_state$current_tree$share_type ) + { + case "DISK": + c$smb_state$current_file$action = SMB::FILE_SET_ATTRIBUTE; + break; + default: + c$smb_state$current_file$action = SMB::FILE_SET_ATTRIBUTE; + break; + } + } + event smb2_file_rename(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, dst_filename: string) &priority=5 { SMB::set_current_file(c$smb_state, file_id$persistent+file_id$volatile); diff --git a/scripts/base/protocols/smtp/files.bro b/scripts/base/protocols/smtp/files.bro index 352c2025a3..a65b90b528 100644 --- a/scripts/base/protocols/smtp/files.bro +++ b/scripts/base/protocols/smtp/files.bro @@ -49,5 +49,5 @@ event bro_init() &priority=5 event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priority=5 { if ( c?$smtp && !c$smtp$tls ) - c$smtp$fuids[|c$smtp$fuids|] = f$id; + c$smtp$fuids += f$id; } diff --git a/scripts/base/protocols/smtp/main.bro b/scripts/base/protocols/smtp/main.bro index cd0e730d8e..18c75a93c0 100644 --- a/scripts/base/protocols/smtp/main.bro +++ b/scripts/base/protocols/smtp/main.bro @@ -295,7 +295,7 @@ event mime_one_header(c: connection, h: mime_header_rec) &priority=3 c$smtp$process_received_from = F; } if ( c$smtp$path[|c$smtp$path|-1] != ip ) - c$smtp$path[|c$smtp$path|] = ip; + c$smtp$path += ip; } event connection_state_remove(c: connection) &priority=-5 
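Review bot: The `switch` in the priority-5 `smb2_file_sattr` handler sets `SMB::FILE_SET_ATTRIBUTE` in both the `"DISK"` case and `default`, so it decides nothing while still dereferencing `c$smb_state$current_tree$share_type`. Either replace it with the single line `c$smb_state$current_file$action = SMB::FILE_SET_ATTRIBUTE;` or, if non-disk shares were meant to be handled differently, give `default` its own action. Placing the priority 5 handler before the -5 one would also match the order used for `smb2_message` and `smb2_create_response` in this file.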
diff --git a/scripts/base/protocols/socks/main.bro b/scripts/base/protocols/socks/main.bro index 536e240b81..5d0ecf693d 100644 --- a/scripts/base/protocols/socks/main.bro +++ b/scripts/base/protocols/socks/main.bro @@ -6,32 +6,37 @@ module SOCKS; export { redef enum Log::ID += { LOG }; + ## Whether passwords are captured or not. + const default_capture_password = F &redef; + ## The record type which contains the fields of the SOCKS log. type Info: record { ## Time when the proxy connection was first detected. - ts: time &log; + ts: time &log; ## Unique ID for the tunnel - may correspond to connection uid ## or be non-existent. - uid: string &log; + uid: string &log; ## The connection's 4-tuple of endpoint addresses/ports. - id: conn_id &log; + id: conn_id &log; ## Protocol version of SOCKS. - version: count &log; + version: count &log; ## Username used to request a login to the proxy. - user: string &log &optional; + user: string &log &optional; ## Password used to request a login to the proxy. - password: string &log &optional; + password: string &log &optional; ## Server status for the attempt at using the proxy. - status: string &log &optional; + status: string &log &optional; ## Client requested SOCKS address. Could be an address, a name ## or both. - request: SOCKS::Address &log &optional; + request: SOCKS::Address &log &optional; ## Client requested port. - request_p: port &log &optional; + request_p: port &log &optional; ## Server bound address. Could be an address, a name or both. - bound: SOCKS::Address &log &optional; + bound: SOCKS::Address &log &optional; ## Server bound port. - bound_p: port &log &optional; + bound_p: port &log &optional; + ## Determines if the password will be captured for this request. + capture_password: bool &default=default_capture_password; }; ## Event that can be handled to access the SOCKS 
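Review bot: The comment on `default_capture_password`, "Whether passwords are captured or not.", does not tell an operator what enabling it does. The handler in the next hunk copies the SOCKS5 login password into `c$socks$password`, which is a `&log` field, so with the flag on the cleartext password ends up in the SOCKS log. I would word it as `## Default for Info$capture_password. When T, the cleartext SOCKS5 login password is stored in the password field and written to the log.` The username is still recorded unconditionally, which the `user` field comment could state. The `Info` record starts inside the hunk, but the `export` block continues past it.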
@@ -90,10 +95,12 @@ event socks_reply(c: connection, version: count, reply: count, sa: SOCKS::Addres event socks_login_userpass_request(c: connection, user: string, password: string) &priority=5 { # Authentication only possible with the version 5. - set_session(c, 5); + set_session(c, 5); c$socks$user = user; - c$socks$password = password; + + if ( c$socks$capture_password ) + c$socks$password = password; } event socks_login_userpass_reply(c: connection, code: count) &priority=5 diff --git a/scripts/base/protocols/ssh/main.bro b/scripts/base/protocols/ssh/main.bro index c421116d66..9b21b9414e 100644 --- a/scripts/base/protocols/ssh/main.bro +++ b/scripts/base/protocols/ssh/main.bro @@ -24,7 +24,7 @@ export { ## at least one, since some servers might support no authentication at all. ## It's important to note that not all of these are failures, since ## some servers require two-factor auth (e.g. password AND pubkey) - auth_attempts: count &log &optional; + auth_attempts: count &log &default=0; ## Direction of the connection. If the client was a local host ## logging into an external host, this would be OUTBOUND. INBOUND ## would be set for the opposite situation. @@ -185,13 +185,7 @@ event ssh_auth_attempted(c: connection, authenticated: bool) &priority=5 return; c$ssh$auth_success = authenticated; - - if ( c$ssh?$auth_attempts ) - c$ssh$auth_attempts += 1; - else - { - c$ssh$auth_attempts = 1; - } + c$ssh$auth_attempts += 1; if ( authenticated && disable_analyzer_after_detection ) disable_analyzer(c$id, c$ssh$analyzer_id); diff --git a/scripts/base/protocols/ssl/README b/scripts/base/protocols/ssl/README index 8fa99fd553..1fd0568101 100644 --- a/scripts/base/protocols/ssl/README +++ b/scripts/base/protocols/ssl/README @@ -1 +1 @@ -Support for Secure Sockets Layer (SSL) protocol analysis. +Support for Secure Sockets Layer (SSL)/Transport Layer Security(TLS) protocol analysis. 
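Review bot: With `auth_attempts: count &log &default=0` the field always has a value, so a `c$ssh?$auth_attempts` test is now always true and the log writes `0` where the column used to be unset. Any script or log query that read the missing value as "no authentication attempt was observed" changes meaning without an error. The field's doc comment (it begins above the `@@ -24,7 +24,7 @@` hunk) should state the new convention, for example `## A value of 0 means no authentication attempt was observed.` The `@@ -185,13 +185,7 @@` hunk in `ssh_auth_attempted` depends on this default for its unconditional `c$ssh$auth_attempts += 1;`.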
diff --git a/scripts/base/protocols/ssl/__load__.bro b/scripts/base/protocols/ssl/__load__.bro index 42287fb039..b8e4d52523 100644 --- a/scripts/base/protocols/ssl/__load__.bro +++ b/scripts/base/protocols/ssl/__load__.bro @@ -1,6 +1,7 @@ @load ./consts @load ./main @load ./mozilla-ca-list +@load ./ct-list @load ./files @load-sigs ./dpd.sig diff --git a/scripts/base/protocols/ssl/consts.bro b/scripts/base/protocols/ssl/consts.bro index 2f646de516..aaac5aab84 100644 --- a/scripts/base/protocols/ssl/consts.bro +++ b/scripts/base/protocols/ssl/consts.bro @@ -163,6 +163,10 @@ export { [42] = "early_data", # new for 1.3, state of draft-16 [43] = "supported_versions", # new for 1.3, state of draft-16 [44] = "cookie", # new for 1.3, state of draft-16 + [45] = "psk_key_exchange_modes", # new for 1.3, state of draft-18 + [46] = "TicketEarlyDataInfo", # new for 1.3, state of draft-16 + [47] = "certificate_authorities", # new for 1.3, state of draft-18 + [48] = "oid_filters", # new for 1.3, state of draft-18 [13172] = "next_protocol_negotiation", [13175] = "origin_bound_certificates", [13180] = "encrypted_client_certificates", @@ -403,6 +407,11 @@ export { const TLS_CHACHA20_POLY1305_SHA256 = 0x1303; const TLS_AES_128_CCM_SHA256 = 0x1304; const TLS_AES_128_CCM_8_SHA256 = 0x1305; + # Google... + const TLS_CECPQ1_RSA_WITH_CHACHA20_POLY1305_SHA256 = 0x16b7; + const TLS_CECPQ1_ECDSA_WITH_CHACHA20_POLY1305_SHA256 = 0x16b8; + const TLS_CECPQ1_RSA_WITH_AES_256_GCM_SHA384 = 0x16b9; + const TLS_CECPQ1_ECDSA_WITH_AES_256_GCM_SHA384 = 0x16ba; # draft-bmoeller-tls-downgrade-scsv-01 const TLS_FALLBACK_SCSV = 0x5600; # RFC 4492 
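Review bot: The comment `# Google...` above the four `TLS_CECPQ1_*` constants in the `@@ -403,6 +407,11 @@` hunk does not say where the code points come from, unlike the neighbouring groups that cite a draft or an RFC. They appear to be the values from Google's experimental CECPQ1 key-exchange trial and not registry assignments; if that is right, the comment should say so, e.g. `# Google experimental CECPQ1 cipher suites (not IANA-assigned)`. A reader triaging an unfamiliar suite name in the TLS log can then tell it is an experiment and not a standard suite. The matching name-table entries are added in the `@@ -788,6 +802,10 @@` hunk.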
@@ -596,6 +605,11 @@ export { const TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 = 0xCCAC; const TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256 = 0xCCAD; const TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256 = 0xCCAE; + # draft-ietf-tls-ecdhe-psk-aead-05 + const TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256 = 0xD001; + const TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384 = 0xD002; + const TLS_ECDHE_PSK_WITH_AES_128_CCM_8_SHA256 = 0xD003; + const TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256 = 0xD004; const SSL_RSA_FIPS_WITH_DES_CBC_SHA = 0xFEFE; const SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA = 0xFEFF; @@ -788,6 +802,10 @@ export { [TLS_CHACHA20_POLY1305_SHA256] = "TLS_CHACHA20_POLY1305_SHA256", [TLS_AES_128_CCM_SHA256] = "TLS_AES_128_CCM_SHA256", [TLS_AES_128_CCM_8_SHA256] = "TLS_AES_128_CCM_8_SHA256", + [TLS_CECPQ1_RSA_WITH_CHACHA20_POLY1305_SHA256] = "TLS_CECPQ1_RSA_WITH_CHACHA20_POLY1305_SHA256", + [TLS_CECPQ1_ECDSA_WITH_CHACHA20_POLY1305_SHA256] = "TLS_CECPQ1_ECDSA_WITH_CHACHA20_POLY1305_SHA256", + [TLS_CECPQ1_RSA_WITH_AES_256_GCM_SHA384] = "TLS_CECPQ1_RSA_WITH_AES_256_GCM_SHA384", + [TLS_CECPQ1_ECDSA_WITH_AES_256_GCM_SHA384] = "TLS_CECPQ1_ECDSA_WITH_AES_256_GCM_SHA384", [TLS_FALLBACK_SCSV] = "TLS_FALLBACK_SCSV", [TLS_ECDH_ECDSA_WITH_NULL_SHA] = "TLS_ECDH_ECDSA_WITH_NULL_SHA", [TLS_ECDH_ECDSA_WITH_RC4_128_SHA] = "TLS_ECDH_ECDSA_WITH_RC4_128_SHA", 
@@ -974,6 +992,10 @@ export { [TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256] = "TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256", [TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256] = "TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256", [TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256] = "TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256", + [TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256] = "TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256", + [TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384] = "TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384", + [TLS_ECDHE_PSK_WITH_AES_128_CCM_8_SHA256] = "TLS_ECDHE_PSK_WITH_AES_128_CCM_8_SHA256", + [TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256] = "TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256", [SSL_RSA_FIPS_WITH_DES_CBC_SHA] = "SSL_RSA_FIPS_WITH_DES_CBC_SHA", [SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA] = "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA", [SSL_RSA_FIPS_WITH_DES_CBC_SHA_2] = "SSL_RSA_FIPS_WITH_DES_CBC_SHA_2", diff --git a/scripts/base/protocols/ssl/ct-list.bro b/scripts/base/protocols/ssl/ct-list.bro new file mode 100644 index 0000000000..1a06c67825 --- /dev/null +++ b/scripts/base/protocols/ssl/ct-list.bro 
@@ -0,0 +1,68 @@ +# +# Do not edit this file. This file is automatically generated by gen-ct-list.pl +# File generated at Fri Feb 16 10:41:42 2018 +# File generated from https://www.gstatic.com/ct/log_list/all_logs_list.json +# + +@load base/protocols/ssl +module SSL; +redef ct_logs += { +["\xfa\xd4\xc9\x7c\xc4\x9e\xe2\xf8\xac\x85\xc5\xea\x5c\xea\x09\xd0\x22\x0d\xbb\xf4\xe4\x9c\x6b\x50\x66\x2f\xf8\x68\xf8\x6b\x8c\x28"] = CTInfo($description="Google 'Argon2017' log", $operator="Google", $url="ct.googleapis.com/logs/argon2017/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x54\x6d\x7c\x89\xdd\xea\x9d\xf0\xba\x5f\xf4\x6d\x60\x7a\x37\x4f\x02\x25\xbf\x1c\xf6\x6f\x85\xae\xaf\x15\xdf\x69\x6e\xed\xdb\xa9\x9a\x29\x97\xf2\x99\x76\x1e\xe6\x33\x46\x1e\x27\xf4\xbe\x70\xdd\x59\xd7\xba\xcf\xfe\xd0\x72\x8e\xb0\x57\x0f\x9d\x37\x89\x62\xa3"), +["\xa4\x50\x12\x69\x05\x5a\x15\x54\x5e\x62\x11\xab\x37\xbc\x10\x3f\x62\xae\x55\x76\xa4\x5e\x4b\x17\x14\x45\x3e\x1b\x22\x10\x6a\x25"] = CTInfo($description="Google 'Argon2018' log", $operator="Google", $url="ct.googleapis.com/logs/argon2018/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xd2\x00\x55\x05\xad\xd5\x47\xb4\x19\xbb\xcd\x95\xfb\x29\xd7\x58\x3d\x78\x24\xcd\xce\x46\x9d\xfb\x32\xd4\x71\x4e\x60\x02\x25\x5e\x59\x3e\xd7\xd4\x03\xb8\x6d\x43\x68\x68\x7e\xe8\xa0\x65\x0b\x3e\x6e\x71\x59\x92\x37\xbe\xa9\xe8\xf1\xa3\x2b\xe4\xd9\x0d\x55\x68"), +["\x63\xf2\xdb\xcd\xe8\x3b\xcc\x2c\xcf\x0b\x72\x84\x27\x57\x6b\x33\xa4\x8d\x61\x77\x8f\xbd\x75\xa6\x38\xb1\xc7\x68\x54\x4b\xd8\x8d"] = CTInfo($description="Google 'Argon2019' log", $operator="Google", $url="ct.googleapis.com/logs/argon2019/", $maximum_merge_delay=86400, 
$key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x23\x73\x10\x9b\xe1\xf3\x5e\xf6\x98\x6b\x69\x95\x96\x10\x78\xce\x49\xdb\xb4\x04\xfc\x71\x2c\x5a\x92\x60\x68\x25\xc0\x4a\x1a\xa1\xb0\x61\x2d\x1b\x87\x14\xa9\xba\xf0\x01\x33\x59\x1d\x05\x30\xe9\x42\x15\xe7\x55\xd7\x2a\xf8\xb4\xa2\xba\x45\xc9\x46\x91\x87\x56"), +["\xb2\x1e\x05\xcc\x8b\xa2\xcd\x8a\x20\x4e\x87\x66\xf9\x2b\xb9\x8a\x25\x20\x67\x6b\xda\xfa\x70\xe7\xb2\x49\x53\x2d\xef\x8b\x90\x5e"] = CTInfo($description="Google 'Argon2020' log", $operator="Google", $url="ct.googleapis.com/logs/argon2020/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xe9\x3c\x76\xa7\x5c\x8a\x63\x8d\x35\xe4\xdc\x88\x62\xf7\x6b\x93\x7e\x9e\xb3\x4b\x80\x73\x5c\xc0\xe0\xf4\x3e\x4c\x64\x58\xfb\x76\x63\x51\x32\x18\x63\xd5\xb2\xbb\xed\xea\xff\x5e\x3b\x24\x6e\x2f\x35\x52\x8b\xb4\x35\x9a\xad\x9c\x15\xa8\x69\x20\xea\x50\x18\xcc"), +["\xf6\x5c\x94\x2f\xd1\x77\x30\x22\x14\x54\x18\x08\x30\x94\x56\x8e\xe3\x4d\x13\x19\x33\xbf\xdf\x0c\x2f\x20\x0b\xcc\x4e\xf1\x64\xe3"] = CTInfo($description="Google 'Argon2021' log", $operator="Google", $url="ct.googleapis.com/logs/argon2021/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x4d\xe0\x66\x64\xea\xf3\x64\xaa\x38\xc5\x89\x2d\xc7\xd8\x08\xd9\xc8\x44\x71\xed\xdc\xc3\xfb\x5b\xaf\x9c\x64\xa1\x09\x66\x84\x1d\x7c\x68\xa7\xec\xc4\x3f\x8c\x9c\x82\xe0\x18\xd9\x74\x14\xe9\xb4\x79\x81\xa2\x94\x55\x62\xf3\x9c\x0b\x44\x83\xa1\x2b\xc9\x71\x2b"), +["\x68\xf6\x98\xf8\x1f\x64\x82\xbe\x3a\x8c\xee\xb9\x28\x1d\x4c\xfc\x71\x51\x5d\x67\x93\xd4\x44\xd1\x0a\x67\xac\xbb\x4f\x4f\xfb\xc4"] = CTInfo($description="Google 'Aviator' log", $operator="Google", $url="ct.googleapis.com/aviator/", $maximum_merge_delay=86400, 
$key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xd7\xf4\xcc\x69\xb2\xe4\x0e\x90\xa3\x8a\xea\x5a\x70\x09\x4f\xef\x13\x62\xd0\x8d\x49\x60\xff\x1b\x40\x50\x07\x0c\x6d\x71\x86\xda\x25\x49\x8d\x65\xe1\x08\x0d\x47\x34\x6b\xbd\x27\xbc\x96\x21\x3e\x34\xf5\x87\x76\x31\xb1\x7f\x1d\xc9\x85\x3b\x0d\xf7\x1f\x3f\xe9"), +["\x29\x3c\x51\x96\x54\xc8\x39\x65\xba\xaa\x50\xfc\x58\x07\xd4\xb7\x6f\xbf\x58\x7a\x29\x72\xdc\xa4\xc3\x0c\xf4\xe5\x45\x47\xf4\x78"] = CTInfo($description="Google 'Icarus' log", $operator="Google", $url="ct.googleapis.com/icarus/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x4e\xd2\xbc\xbf\xb3\x08\x0a\xf7\xb9\xea\xa4\xc7\x1c\x38\x61\x04\xeb\x95\xe0\x89\x54\x68\x44\xb1\x66\xbc\x82\x7e\x4f\x50\x6c\x6f\x5c\xa3\xf0\xaa\x3e\xf4\xec\x80\xf0\xdb\x0a\x9a\x7a\xa0\x5b\x72\x00\x7c\x25\x0e\x19\xef\xaf\xb2\x62\x8d\x74\x43\xf4\x26\xf6\x14"), +["\xa4\xb9\x09\x90\xb4\x18\x58\x14\x87\xbb\x13\xa2\xcc\x67\x70\x0a\x3c\x35\x98\x04\xf9\x1b\xdf\xb8\xe3\x77\xcd\x0e\xc8\x0d\xdc\x10"] = CTInfo($description="Google 'Pilot' log", $operator="Google", $url="ct.googleapis.com/pilot/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x7d\xa8\x4b\x12\x29\x80\xa3\x3d\xad\xd3\x5a\x77\xb8\xcc\xe2\x88\xb3\xa5\xfd\xf1\xd3\x0c\xcd\x18\x0c\xe8\x41\x46\xe8\x81\x01\x1b\x15\xe1\x4b\xf1\x1b\x62\xdd\x36\x0a\x08\x18\xba\xed\x0b\x35\x84\xd0\x9e\x40\x3c\x2d\x9e\x9b\x82\x65\xbd\x1f\x04\x10\x41\x4c\xa0"), +["\xee\x4b\xbd\xb7\x75\xce\x60\xba\xe1\x42\x69\x1f\xab\xe1\x9e\x66\xa3\x0f\x7e\x5f\xb0\x72\xd8\x83\x00\xc4\x7b\x89\x7a\xa8\xfd\xcb"] = CTInfo($description="Google 'Rocketeer' log", $operator="Google", $url="ct.googleapis.com/rocketeer/", $maximum_merge_delay=86400, 
$key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x20\x5b\x18\xc8\x3c\xc1\x8b\xb3\x31\x08\x00\xbf\xa0\x90\x57\x2b\xb7\x47\x8c\x6f\xb5\x68\xb0\x8e\x90\x78\xe9\xa0\x73\xea\x4f\x28\x21\x2e\x9c\xc0\xf4\x16\x1b\xaa\xf9\xd5\xd7\xa9\x80\xc3\x4e\x2f\x52\x3c\x98\x01\x25\x46\x24\x25\x28\x23\x77\x2d\x05\xc2\x40\x7a"), +["\xbb\xd9\xdf\xbc\x1f\x8a\x71\xb5\x93\x94\x23\x97\xaa\x92\x7b\x47\x38\x57\x95\x0a\xab\x52\xe8\x1a\x90\x96\x64\x36\x8e\x1e\xd1\x85"] = CTInfo($description="Google 'Skydiver' log", $operator="Google", $url="ct.googleapis.com/skydiver/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x12\x6c\x86\x0e\xf6\x17\xb1\x12\x6c\x37\x25\xd2\xad\x87\x3d\x0e\x31\xec\x21\xad\xb1\xcd\xbe\x14\x47\xb6\x71\x56\x85\x7a\x9a\xb7\x3d\x89\x90\x7b\xc6\x32\x3a\xf8\xda\xce\x8b\x01\xfe\x3f\xfc\x71\x91\x19\x8e\x14\x6e\x89\x7a\x5d\xb4\xab\x7e\xe1\x4e\x1e\x7c\xac"), +["\xa8\x99\xd8\x78\x0c\x92\x90\xaa\xf4\x62\xf3\x18\x80\xcc\xfb\xd5\x24\x51\xe9\x70\xd0\xfb\xf5\x91\xef\x75\xb0\xd9\x9b\x64\x56\x81"] = CTInfo($description="Google 'Submariner' log", $operator="Google", $url="ct.googleapis.com/submariner/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x39\xf8\x9f\x20\x62\xd4\x57\x55\x68\xa2\xef\x49\x2d\xf0\x39\x2d\x9a\xde\x44\xb4\x94\x30\xe0\x9e\x7a\x27\x3c\xab\x70\xf0\xd1\xfa\x51\x90\x63\x16\x57\x41\xad\xab\x6d\x1f\x80\x74\x30\x79\x02\x5e\x2d\x59\x84\x07\x24\x23\xf6\x9f\x35\xb8\x85\xb8\x42\x45\xa4\x4f"), +["\x1d\x02\x4b\x8e\xb1\x49\x8b\x34\x4d\xfd\x87\xea\x3e\xfc\x09\x96\xf7\x50\x6f\x23\x5d\x1d\x49\x70\x61\xa4\x77\x3c\x43\x9c\x25\xfb"] = CTInfo($description="Google 'Daedalus' log", $operator="Google", $url="ct.googleapis.com/daedalus/", $maximum_merge_delay=604800, 
$key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x6e\x0c\x1c\xba\xee\x2b\x6a\x41\x85\x60\x1d\x7b\x7e\xab\x08\x2c\xfc\x0c\x0a\xa5\x08\xb3\x3e\xd5\x70\x24\xd1\x6d\x1d\x2d\xb6\xb7\xf3\x8b\x36\xdc\x23\x4d\x95\x63\x12\xbb\xe4\x86\x8d\xcc\xe9\xd1\xee\xa1\x40\xa2\xdf\x0b\xa3\x06\x0a\x30\xca\x8d\xac\xa4\x29\x56"), +["\xb0\xcc\x83\xe5\xa5\xf9\x7d\x6b\xaf\x7c\x09\xcc\x28\x49\x04\x87\x2a\xc7\xe8\x8b\x13\x2c\x63\x50\xb7\xc6\xfd\x26\xe1\x6c\x6c\x77"] = CTInfo($description="Google 'Testtube' log", $operator="Google", $url="ct.googleapis.com/testtube/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xc3\xc8\xbc\x4b\xba\xa2\x18\x4b\x3d\x35\x7b\xf4\x64\x91\x61\xea\xeb\x8e\x99\x1d\x90\xed\xd3\xe9\xaf\x39\x3d\x5c\xd3\x46\x91\x45\xe3\xce\xac\x76\x48\x3b\xd1\x7e\x2c\x0a\x63\x00\x65\x8d\xf5\xae\x8e\x8c\xc7\x11\x25\x4f\x43\x2c\x9d\x19\xa1\xe1\x91\xa4\xb3\xfe"), +["\x1f\xbc\x36\xe0\x02\xed\xe9\x7f\x40\x19\x9e\x86\xb3\x57\x3b\x8a\x42\x17\xd8\x01\x87\x74\x6a\xd0\xda\x03\xa0\x60\x54\xd2\x0d\xf4"] = CTInfo($description="Cloudflare 'Nimbus2017' Log", $operator="Cloudflare", $url="ct.cloudflare.com/logs/nimbus2017/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xd7\x9c\xa9\x07\x8d\x22\x41\xee\x93\xa0\x52\x41\xda\xf4\x80\xf0\x25\xbc\xeb\xfa\xf3\x3c\xd2\x7e\x91\xd8\x3f\x2c\xda\x51\xbd\xc8\xee\x2a\x72\xe3\xff\x18\x56\xe4\x3a\x22\x0f\x22\x3c\xc6\xd5\x30\xb3\x9b\x68\x2e\xab\x56\xc2\x41\x5f\xd6\x64\x57\x14\xb1\x5a\xaf"), +["\xdb\x74\xaf\xee\xcb\x29\xec\xb1\xfe\xca\x3e\x71\x6d\x2c\xe5\xb9\xaa\xbb\x36\xf7\x84\x71\x83\xc7\x5d\x9d\x4f\x37\xb6\x1f\xbf\x64"] = CTInfo($description="Cloudflare 'Nimbus2018' Log", $operator="Cloudflare", $url="ct.cloudflare.com/logs/nimbus2018/", $maximum_merge_delay=86400, 
$key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x02\xc5\x69\x5a\xfa\xc7\xdc\xa7\xb4\x55\x16\x8c\x83\xd6\x50\xa1\x08\xdb\xe6\x0f\xf1\x87\x5c\xf7\x0c\x36\xba\x22\xec\x58\xe4\x3c\x8f\xb2\x4e\x9b\xae\x5b\xeb\x50\xd5\xd9\xce\x82\x20\xd0\x37\x2f\x16\x20\x27\xda\x47\x7a\xc6\x6b\xb8\x39\xb9\x39\x5c\x0f\xe7\x46"), +["\x74\x7e\xda\x83\x31\xad\x33\x10\x91\x21\x9c\xce\x25\x4f\x42\x70\xc2\xbf\xfd\x5e\x42\x20\x08\xc6\x37\x35\x79\xe6\x10\x7b\xcc\x56"] = CTInfo($description="Cloudflare 'Nimbus2019' Log", $operator="Cloudflare", $url="ct.cloudflare.com/logs/nimbus2019/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x91\x91\xf3\xd6\xfe\x6b\xf1\xaf\x4b\x99\x74\x8c\x7a\x06\x19\x02\x0e\x14\x5b\xe5\x20\xe7\xa1\xad\x35\xf2\x53\x0c\xd1\x59\xba\xe6\xc4\x25\x88\x16\x7f\x81\x5c\x0b\x90\xfe\x66\x46\x30\xb6\xd5\xd3\x0d\x2a\x38\x3a\x46\xa7\x1b\xd6\xf7\x00\x8e\x2c\xc0\x84\x36\xf2"), +["\x5e\xa7\x73\xf9\xdf\x56\xc0\xe7\xb5\x36\x48\x7d\xd0\x49\xe0\x32\x7a\x91\x9a\x0c\x84\xa1\x12\x12\x84\x18\x75\x96\x81\x71\x45\x58"] = CTInfo($description="Cloudflare 'Nimbus2020' Log", $operator="Cloudflare", $url="ct.cloudflare.com/logs/nimbus2020/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xd3\x51\x00\x87\x1e\x28\xd3\x33\xd0\xad\x74\xdc\x62\x38\x02\xb7\x83\x15\x16\xc4\xf4\x3f\x08\xf3\x6f\x54\x70\xac\xcd\x25\x85\x60\xe5\xc4\x06\x0f\x3f\xaf\xe0\xc8\xc0\x97\x36\x43\xa7\xff\xb2\x85\xb2\x32\xfb\xaf\x09\x3b\xf2\xd1\xcc\xa5\x8f\x2b\x5e\x7f\x00\x62"), +["\x44\x94\x65\x2e\xb0\xee\xce\xaf\xc4\x40\x07\xd8\xa8\xfe\x28\xc0\xda\xe6\x82\xbe\xd8\xcb\x31\xb5\x3f\xd3\x33\x96\xb5\xb6\x81\xa8"] = CTInfo($description="Cloudflare 'Nimbus2021' Log", $operator="Cloudflare", $url="ct.cloudflare.com/logs/nimbus2021/", $maximum_merge_delay=86400, 
$key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xc6\x9a\x27\xee\x2a\x6c\xa9\xe8\x48\x79\x4d\x5b\x9a\x9a\x20\xf5\x31\x68\xe0\xf9\x3c\xfb\xda\x0d\xf0\xe6\x07\x97\x54\x36\x24\x65\x57\x9e\x45\x45\x9e\xeb\xaf\x3e\x04\xa8\xd8\x4a\x7e\xea\xf2\xdf\x7c\xd2\xdc\x98\x46\xf1\x3a\xe7\x33\xd3\x7b\x05\x89\xe9\x9a\xb6"), +["\x56\x14\x06\x9a\x2f\xd7\xc2\xec\xd3\xf5\xe1\xbd\x44\xb2\x3e\xc7\x46\x76\xb9\xbc\x99\x11\x5c\xc0\xef\x94\x98\x55\xd6\x89\xd0\xdd"] = CTInfo($description="DigiCert Log Server", $operator="DigiCert", $url="ct1.digicert-ct.com/log/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x02\x46\xc5\xbe\x1b\xbb\x82\x40\x16\xe8\xc1\xd2\xac\x19\x69\x13\x59\xf8\xf8\x70\x85\x46\x40\xb9\x38\xb0\x23\x82\xa8\x64\x4c\x7f\xbf\xbb\x34\x9f\x4a\x5f\x28\x8a\xcf\x19\xc4\x00\xf6\x36\x06\x93\x65\xed\x4c\xf5\xa9\x21\x62\x5a\xd8\x91\xeb\x38\x24\x40\xac\xe8"), +["\x87\x75\xbf\xe7\x59\x7c\xf8\x8c\x43\x99\x5f\xbd\xf3\x6e\xff\x56\x8d\x47\x56\x36\xff\x4a\xb5\x60\xc1\xb4\xea\xff\x5e\xa0\x83\x0f"] = CTInfo($description="DigiCert Log Server 2", $operator="DigiCert", $url="ct2.digicert-ct.com/log/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xcc\x5d\x39\x2f\x66\xb8\x4c\x7f\xc1\x2e\x03\xa1\x34\xa3\xe8\x8a\x86\x02\xae\x4a\x11\xc6\xf7\x26\x6a\x37\x9b\xf0\x38\xf8\x5d\x09\x8d\x63\xe8\x31\x6b\x86\x66\xcf\x79\xb3\x25\x3c\x1e\xdf\x78\xb4\xa8\xc5\x69\xfa\xb7\xf0\x82\x79\x62\x43\xf6\xcc\xfe\x81\x66\x84"), +["\xc1\x16\x4a\xe0\xa7\x72\xd2\xd4\x39\x2d\xc8\x0a\xc1\x07\x70\xd4\xf0\xc4\x9b\xde\x99\x1a\x48\x40\xc1\xfa\x07\x51\x64\xf6\x33\x60"] = CTInfo($description="DigiCert Yeti2018 Log", $operator="DigiCert", $url="yeti2018.ct.digicert.com/log/", $maximum_merge_delay=86400, 
$key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x49\x89\x4a\x14\x32\xcb\x16\x60\x3d\x25\x27\x1a\x89\xa3\x67\xaa\x55\x3c\xa1\x60\xf2\xb7\x12\x18\x31\xfb\x30\x1f\x2f\x44\xb2\x0d\x1a\x89\x7f\x96\x9c\xff\xf2\x8f\x83\xb4\x56\x21\x07\xb4\xbc\x1b\x98\xe4\x1e\x49\x60\x46\x90\x8b\xbd\x60\xaf\x42\x2d\xe7\xab\xfa"), +["\xe2\x69\x4b\xae\x26\xe8\xe9\x40\x09\xe8\x86\x1b\xb6\x3b\x83\xd4\x3e\xe7\xfe\x74\x88\xfb\xa4\x8f\x28\x93\x01\x9d\xdd\xf1\xdb\xfe"] = CTInfo($description="DigiCert Yeti2019 Log", $operator="DigiCert", $url="yeti2019.ct.digicert.com/log/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x91\x97\x7f\xa3\x0f\x17\xf8\x54\x95\x58\x05\x52\x7f\xcc\x73\x90\x5a\x21\x70\xfa\x61\xff\x1e\xa9\x4b\x52\x47\x87\xb8\x35\xc2\x70\x99\xe7\x2f\xfc\x1e\x4e\xa3\xcc\x9c\x6c\xea\xdd\xd8\x30\x05\xb3\xd8\x23\xdd\xe1\x59\x02\x77\x1c\x0a\x7b\x11\xa1\x70\x5c\x43\xf4"), +["\xf0\x95\xa4\x59\xf2\x00\xd1\x82\x40\x10\x2d\x2f\x93\x88\x8e\xad\x4b\xfe\x1d\x47\xe3\x99\xe1\xd0\x34\xa6\xb0\xa8\xaa\x8e\xb2\x73"] = CTInfo($description="DigiCert Yeti2020 Log", $operator="DigiCert", $url="yeti2020.ct.digicert.com/log/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x51\x10\x06\xf9\x9a\x34\x69\xcd\xe7\xdf\xb8\x9f\x64\xa5\x21\x04\x51\x15\xea\x37\xdc\x0b\x31\x88\x47\x3d\xed\xb2\xaf\x02\x6b\xd0\x4f\xff\x95\xd4\x1f\x2e\x99\x8a\xab\x0f\x68\x01\x1b\x54\xcd\x2e\x23\x74\xe6\xf5\x4d\xb8\x45\x50\x47\x47\xd2\x71\x0c\x49\x4f\x9a"), +["\x5c\xdc\x43\x92\xfe\xe6\xab\x45\x44\xb1\x5e\x9a\xd4\x56\xe6\x10\x37\xfb\xd5\xfa\x47\xdc\xa1\x73\x94\xb2\x5e\xe6\xf6\xc7\x0e\xca"] = CTInfo($description="DigiCert Yeti2021 Log", $operator="DigiCert", $url="yeti2021.ct.digicert.com/log/", $maximum_merge_delay=86400, 
$key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xe8\x9e\x04\x6d\xca\x48\x02\x5d\x7e\x02\x44\x91\xb1\xb8\x68\x63\x9a\x11\x4e\x3d\xd5\xa0\x57\xda\x7f\x50\xe5\x42\x47\xe2\xed\x16\xde\xfc\x77\x23\x7d\x5b\x6b\xc0\xdf\x23\x68\x2f\xad\x40\x31\xa3\x17\xe7\x6a\xbc\xa8\x56\x24\x04\x3a\x43\xa7\xaf\xea\xaf\x4c\x7b"), +["\x22\x45\x45\x07\x59\x55\x24\x56\x96\x3f\xa1\x2f\xf1\xf7\x6d\x86\xe0\x23\x26\x63\xad\xc0\x4b\x7f\x5d\xc6\x83\x5c\x6e\xe2\x0f\x02"] = CTInfo($description="DigiCert Yeti2022 Log", $operator="DigiCert", $url="yeti2022.ct.digicert.com/log/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x9f\xf8\xd8\x1d\xde\xfb\x5b\x51\xb5\xfb\x5d\xf5\xb5\xde\x66\x11\xb0\x9d\x5f\xfd\x6f\xfc\xa8\x98\x5b\x98\x4f\x2d\xc3\x91\x3a\xfb\xfe\xc4\x0f\x0d\xc3\x60\x43\x8c\x1e\xf2\xf9\x11\xb2\xba\xd0\xf6\xbc\xa5\xd2\xb6\x9f\xf9\x5c\x87\xa2\x7d\xfc\xd4\x7d\xd6\x13\x26"), +["\x6f\xf1\x41\xb5\x64\x7e\x42\x22\xf7\xef\x05\x2c\xef\xae\x7c\x21\xfd\x60\x8e\x27\xd2\xaf\x5a\x6e\x9f\x4b\x8a\x37\xd6\x63\x3e\xe5"] = CTInfo($description="DigiCert Nessie2018 Log", $operator="DigiCert", $url="nessie2018.ct.digicert.com/log/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x56\xaa\x4b\x6b\x65\xbe\x47\x3d\x57\x0d\x93\xc1\x23\x22\x89\x3b\xe2\x8a\x14\xe6\x19\x4e\x3f\x4c\xa4\x95\xa7\x65\xe1\x54\xab\x37\x39\x6a\x2b\xce\x89\x61\x15\x86\xcf\x06\xcb\x60\x25\x1f\x78\xab\x58\xf1\x63\x21\x93\xd9\x32\xcd\xc3\xbf\xb3\x3e\xd0\xb6\xcf\xc9"), +["\xfe\x44\x61\x08\xb1\xd0\x1a\xb7\x8a\x62\xcc\xfe\xab\x6a\xb2\xb2\xba\xbf\xf3\xab\xda\xd8\x0a\x4d\x8b\x30\xdf\x2d\x00\x08\x83\x0c"] = CTInfo($description="DigiCert Nessie2019 Log", $operator="DigiCert", $url="nessie2019.ct.digicert.com/log/", $maximum_merge_delay=86400, 
$key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x5f\xed\x27\xb9\xd0\x8a\x22\x67\x7b\x40\x2b\x5e\x96\x13\x2b\x0d\x6d\x0e\x5e\x78\xb9\x44\x4d\x74\xb6\x28\x82\x95\x97\xac\x9a\xbc\x14\x93\x68\x87\x2c\x2a\x13\x1c\x75\x55\xfb\x28\x39\x0f\x89\xff\xaf\x10\x91\x57\x24\x61\x8a\x43\xe9\x54\x33\x8b\x30\xbc\x49\x68"), +["\xc6\x52\xa0\xec\x48\xce\xb3\xfc\xab\x17\x09\x92\xc4\x3a\x87\x41\x33\x09\xe8\x00\x65\xa2\x62\x52\x40\x1b\xa3\x36\x2a\x17\xc5\x65"] = CTInfo($description="DigiCert Nessie2020 Log", $operator="DigiCert", $url="nessie2020.ct.digicert.com/log/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xe2\x11\xc8\xc8\xc5\x48\xad\x1f\x68\x4a\x18\x1b\x40\xc6\x04\x93\xc5\x97\xd6\x59\xa4\x7c\x52\x81\xe3\x8f\x06\x9f\xdd\xca\x6e\xc6\x67\x9f\x09\x63\x0c\x76\x3a\x31\x0a\x84\x9d\x67\xca\x1a\x03\x0e\xab\x48\x21\xdd\x02\xb8\xf1\xce\x59\x07\x75\x0a\x48\x81\x59\xe2"), +["\xee\xc0\x95\xee\x8d\x72\x64\x0f\x92\xe3\xc3\xb9\x1b\xc7\x12\xa3\x69\x6a\x09\x7b\x4b\x6a\x1a\x14\x38\xe6\x47\xb2\xcb\xed\xc5\xf9"] = CTInfo($description="DigiCert Nessie2021 Log", $operator="DigiCert", $url="nessie2021.ct.digicert.com/log/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xf6\x8e\xc0\x8b\x0a\xdb\x18\x12\x17\xe8\xb9\xdc\xe3\xb2\x3a\x39\xf2\xcc\x75\x99\xd1\xcc\xaa\x0f\xe6\xed\x3b\xda\x70\x62\xea\xfa\x48\x38\x4a\x28\x92\xd4\xe2\xd6\x03\x70\x95\x13\xf3\x18\x2d\xb2\x48\x67\xee\x73\x5c\x4b\x0d\xe6\x80\xff\x04\x85\x1a\x0a\x58\x16"), +["\x51\xa3\xb0\xf5\xfd\x01\x79\x9c\x56\x6d\xb8\x37\x78\x8f\x0c\xa4\x7a\xcc\x1b\x27\xcb\xf7\x9e\x88\x42\x9a\x0d\xfe\xd4\x8b\x05\xe5"] = CTInfo($description="DigiCert Nessie2022 Log", $operator="DigiCert", $url="nessie2022.ct.digicert.com/log/", $maximum_merge_delay=86400, 
$key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x27\x24\xdd\x68\x03\x28\xcb\xfe\x63\xbe\x0e\x11\x47\x4d\x7d\x17\x68\xa1\x11\x5d\x4c\x71\xc9\x41\x28\xc7\xb6\xa2\x4b\x97\xec\xc0\xaf\xfc\x2f\x3b\xbf\xe9\xf1\xb1\xfc\xf5\x01\xff\xa9\xfb\x49\x40\x0c\x63\x24\x98\xd7\x79\x2e\xa6\x55\xab\x16\xc6\xbe\x51\xd8\x71"), +["\xdd\xeb\x1d\x2b\x7a\x0d\x4f\xa6\x20\x8b\x81\xad\x81\x68\x70\x7e\x2e\x8e\x9d\x01\xd5\x5c\x88\x8d\x3d\x11\xc4\xcd\xb6\xec\xbe\xcc"] = CTInfo($description="Symantec log", $operator="DigiCert", $url="ct.ws.symantec.com/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x96\xea\xac\x1c\x46\x0c\x1b\x55\xdc\x0d\xfc\xb5\x94\x27\x46\x57\x42\x70\x3a\x69\x18\xe2\xbf\x3b\xc4\xdb\xab\xa0\xf4\xb6\x6c\xc0\x53\x3f\x4d\x42\x10\x33\xf0\x58\x97\x8f\x6b\xbe\x72\xf4\x2a\xec\x1c\x42\xaa\x03\x2f\x1a\x7e\x28\x35\x76\x99\x08\x3d\x21\x14\x86"), +["\xbc\x78\xe1\xdf\xc5\xf6\x3c\x68\x46\x49\x33\x4d\xa1\x0f\xa1\x5f\x09\x79\x69\x20\x09\xc0\x81\xb4\xf3\xf6\x91\x7f\x3e\xd9\xb8\xa5"] = CTInfo($description="Symantec 'Vega' log", $operator="DigiCert", $url="vega.ws.symantec.com/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xea\x95\x9e\x02\xff\xee\xf1\x33\x6d\x4b\x87\xbc\xcd\xfd\x19\x17\x62\xff\x94\xd3\xd0\x59\x07\x3f\x02\x2d\x1c\x90\xfe\xc8\x47\x30\x3b\xf1\xdd\x0d\xb8\x11\x0c\x5d\x1d\x86\xdd\xab\xd3\x2b\x46\x66\xfb\x6e\x65\xb7\x3b\xfd\x59\x68\xac\xdf\xa6\xf8\xce\xd2\x18\x4d"), +["\xa7\xce\x4a\x4e\x62\x07\xe0\xad\xde\xe5\xfd\xaa\x4b\x1f\x86\x76\x87\x67\xb5\xd0\x02\xa5\x5d\x47\x31\x0e\x7e\x67\x0a\x95\xea\xb2"] = CTInfo($description="Symantec Deneb", $operator="DigiCert", $url="deneb.ws.symantec.com/", $maximum_merge_delay=86400, 
$key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x96\x82\x1e\xa3\xcd\x3a\x80\x84\x1e\x97\xb8\xb7\x07\x19\xae\x76\x1a\x0e\xf8\x55\x76\x9d\x12\x33\x4e\x91\x88\xe4\xd0\x48\x50\x5c\xc1\x9f\x6a\x72\xd6\x01\xf5\x14\xd6\xd0\x38\x6e\xe1\x32\xbc\x67\x0d\x37\xe8\xba\x22\x10\xd1\x72\x86\x79\x28\x96\xf9\x17\x1e\x98"), +["\x15\x97\x04\x88\xd7\xb9\x97\xa0\x5b\xeb\x52\x51\x2a\xde\xe8\xd2\xe8\xb4\xa3\x16\x52\x64\x12\x1a\x9f\xab\xfb\xd5\xf8\x5a\xd9\x3f"] = CTInfo($description="Symantec 'Sirius' log", $operator="DigiCert", $url="sirius.ws.symantec.com/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xa3\x02\x64\x84\x22\xbb\x25\xec\x0d\xe3\xbc\xc2\xc9\x89\x7d\xdd\x45\xd0\xee\xe6\x15\x85\x8f\xd9\xe7\x17\x1b\x13\x80\xea\xed\xb2\x85\x37\xad\x6a\xc5\xd8\x25\x9d\xfa\xf4\xb4\xf3\x6e\x16\x28\x25\x37\xea\xa3\x37\x64\xb2\xc7\x0b\xfd\x51\xe5\xc1\x05\xf4\x0e\xb5"), +["\xcd\xb5\x17\x9b\x7f\xc1\xc0\x46\xfe\xea\x31\x13\x6a\x3f\x8f\x00\x2e\x61\x82\xfa\xf8\x89\x6f\xec\xc8\xb2\xf5\xb5\xab\x60\x49\x00"] = CTInfo($description="Certly.IO log", $operator="Certly", $url="log.certly.io/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x0b\x23\xcb\x85\x62\x98\x61\x48\x04\x73\xeb\x54\x5d\xf3\xd0\x07\x8c\x2d\x19\x2d\x8c\x36\xf5\xeb\x8f\x01\x42\x0a\x7c\x98\x26\x27\xc1\xb5\xdd\x92\x93\xb0\xae\xf8\x9b\x3d\x0c\xd8\x4c\x4e\x1d\xf9\x15\xfb\x47\x68\x7b\xba\x66\xb7\x25\x9c\xd0\x4a\xc2\x66\xdb\x48"), +["\x74\x61\xb4\xa0\x9c\xfb\x3d\x41\xd7\x51\x59\x57\x5b\x2e\x76\x49\xa4\x45\xa8\xd2\x77\x09\xb0\xcc\x56\x4a\x64\x82\xb7\xeb\x41\xa3"] = CTInfo($description="Izenpe log", $operator="Izenpe", $url="ct.izenpe.com/", $maximum_merge_delay=86400, 
$key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x27\x64\x39\x0c\x2d\xdc\x50\x18\xf8\x21\x00\xa2\x0e\xed\x2c\xea\x3e\x75\xba\x9f\x93\x64\x09\x00\x11\xc4\x11\x17\xab\x5c\xcf\x0f\x74\xac\xb5\x97\x90\x93\x00\x5b\xb8\xeb\xf7\x27\x3d\xd9\xb2\x0a\x81\x5f\x2f\x0d\x75\x38\x94\x37\x99\x1e\xf6\x07\x76\xe0\xee\xbe"), +["\x89\x41\x44\x9c\x70\x74\x2e\x06\xb9\xfc\x9c\xe7\xb1\x16\xba\x00\x24\xaa\x36\xd5\x9a\xf4\x4f\x02\x04\x40\x4f\x00\xf7\xea\x85\x66"] = CTInfo($description="Izenpe 'Argi' log", $operator="Izenpe", $url="ct.izenpe.eus/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xd7\xc8\x0e\x23\x3e\x9e\x02\x3c\x9a\xb8\x07\x4a\x2a\x05\xff\x4a\x4b\x88\xd4\x8a\x4d\x39\xce\xf7\xc5\xf2\xb6\x37\xe9\xa3\xed\xe4\xf5\x45\x09\x0e\x67\x14\xfd\x53\x24\xd5\x3a\x94\xf2\xea\xb5\x13\xd9\x1d\x8b\x5c\xa7\xc3\xf3\x6b\xd8\x3f\x2d\x3b\x65\x72\x58\xd6"), +["\x9e\x4f\xf7\x3d\xc3\xce\x22\x0b\x69\x21\x7c\x89\x9e\x46\x80\x76\xab\xf8\xd7\x86\x36\xd5\xcc\xfc\x85\xa3\x1a\x75\x62\x8b\xa8\x8b"] = CTInfo($description="WoSign CT log #1", $operator="WoSign", $url="ct.wosign.com/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xd7\xec\x2f\x2b\x75\x4f\x37\xbc\xa3\x43\xba\x8b\x65\x66\x3c\x7d\x6a\xe5\x0c\x2a\xa6\xc2\xe5\x26\xfe\x0c\x7d\x4e\x7c\xf0\x3a\xbc\xe2\xd3\x22\xdc\x01\xd0\x1f\x6e\x43\x9c\x5c\x6e\x83\xad\x9c\x15\xf6\xc4\x8d\x60\xb5\x1d\xbb\xa3\x62\x69\x7e\xeb\xa7\xaa\x01\x9b"), +["\x41\xb2\xdc\x2e\x89\xe6\x3c\xe4\xaf\x1b\xa7\xbb\x29\xbf\x68\xc6\xde\xe6\xf9\xf1\xcc\x04\x7e\x30\xdf\xfa\xe3\xb3\xba\x25\x92\x63"] = CTInfo($description="WoSign log", $operator="WoSign", $url="ctlog.wosign.com/", $maximum_merge_delay=86400, 
$key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xcc\x11\x88\x7b\x2d\x66\xcb\xae\x8f\x4d\x30\x66\x27\x19\x25\x22\x93\x21\x46\xb4\x2f\x01\xd3\xc6\xf9\x2b\xd5\xc8\xba\x73\x9b\x06\xa2\xf0\x8a\x02\x9c\xd0\x6b\x46\x18\x30\x85\xba\xe9\x24\x8b\x0e\xd1\x5b\x70\x28\x0c\x7e\xf1\x3a\x45\x7f\x5a\xf3\x82\x42\x60\x31"), +["\x63\xd0\x00\x60\x26\xdd\xe1\x0b\xb0\x60\x1f\x45\x24\x46\x96\x5e\xe2\xb6\xea\x2c\xd4\xfb\xc9\x5a\xc8\x66\xa5\x50\xaf\x90\x75\xb7"] = CTInfo($description="WoSign log 2", $operator="WoSign", $url="ctlog2.wosign.com/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xa5\x8c\xe8\x35\x2e\x8e\xe5\x6a\x75\xad\x5c\x4b\x31\x61\x29\x9d\x30\x57\x8e\x02\x13\x5f\xe9\xca\xbb\x52\xa8\x43\x05\x60\xbf\x0d\x73\x57\x77\xb2\x05\xd8\x67\xf6\xf0\x33\xc9\xf9\x44\xde\xb6\x53\x73\xaa\x0c\x55\xc2\x83\x0a\x4b\xce\x5e\x1a\xc7\x17\x1d\xb3\xcd"), +["\xc9\xcf\x89\x0a\x21\x10\x9c\x66\x6c\xc1\x7a\x3e\xd0\x65\xc9\x30\xd0\xe0\x13\x5a\x9f\xeb\xa8\x5a\xf1\x42\x10\xb8\x07\x24\x21\xaa"] = CTInfo($description="GDCA CT log #1", $operator="Wang Shengnan", $url="ct.gdca.com.cn/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xad\x0f\x30\xad\x9e\x79\xa4\x38\x89\x26\x54\x86\xab\x41\x72\x90\x6f\xfb\xca\x17\xa6\xac\xee\xc6\x9f\x7d\x02\x05\xec\x41\xa8\xc7\x41\x9d\x32\x49\xad\xb0\x39\xbd\x3a\x87\x3e\x7c\xee\x68\x6c\x60\xd1\x47\x2a\x93\xae\xe1\x40\xf4\x0b\xc8\x35\x3c\x1d\x0f\x65\xd3"), +["\x92\x4a\x30\xf9\x09\x33\x6f\xf4\x35\xd6\x99\x3a\x10\xac\x75\xa2\xc6\x41\x72\x8e\x7f\xc2\xd6\x59\xae\x61\x88\xff\xad\x40\xce\x01"] = CTInfo($description="GDCA CT log #2", $operator="GDCA", $url="ctlog.gdca.com.cn/", $maximum_merge_delay=86400, 
$key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x5b\x4a\xc7\x01\xb7\x74\x54\xba\x40\x9c\x43\x75\x94\x3f\xac\xef\xb3\x71\x56\xb8\xd3\xe2\x7b\xae\xa1\xb1\x3e\x53\xaa\x97\x33\xa1\x82\xbb\x5f\x5d\x1c\x0b\xfa\x85\x0d\xbc\xf7\xe5\xa0\xe0\x22\xf0\xa0\x89\xd9\x0a\x7f\x5f\x26\x94\xd3\x24\xe3\x99\x2e\xe4\x15\x8d"), +["\xdb\x76\xfd\xad\xac\x65\xe7\xd0\x95\x08\x88\x6e\x21\x59\xbd\x8b\x90\x35\x2f\x5f\xea\xd3\xe3\xdc\x5e\x22\xeb\x35\x0a\xcc\x7b\x98"] = CTInfo($description="Comodo 'Dodo' CT log", $operator="Comodo CA Limited", $url="dodo.ct.comodo.com/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x2c\xf5\xc2\x31\xf5\x63\x43\x6a\x16\x4a\x0a\xde\xc2\xee\x1f\x21\x6e\x12\x7e\x1d\xe5\x72\x8f\x74\x0b\x02\x99\xd3\xad\x69\xbc\x02\x35\x79\xf9\x61\xe9\xcf\x00\x08\x4f\x74\xa4\xa3\x34\x9a\xe0\x43\x1c\x23\x7e\x8f\x41\xd5\xee\xc7\x1c\xa3\x82\x8a\x40\xfa\xaa\xe0"), +["\xac\x3b\x9a\xed\x7f\xa9\x67\x47\x57\x15\x9e\x6d\x7d\x57\x56\x72\xf9\xd9\x81\x00\x94\x1e\x9b\xde\xff\xec\xa1\x31\x3b\x75\x78\x2d"] = CTInfo($description="Venafi log", $operator="Venafi", $url="ctlog.api.venafi.com/", $maximum_merge_delay=86400, 
$key="\x30\x82\x01\x22\x30\x0d\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x00\x30\x82\x01\x0a\x02\x82\x01\x01\x00\xa2\x5a\x48\x1f\x17\x52\x95\x35\xcb\xa3\x5b\x3a\x1f\x53\x82\x76\x94\xa3\xff\x80\xf2\x1c\x37\x3c\xc0\xb1\xbd\xc1\x59\x8b\xab\x2d\x65\x93\xd7\xf3\xe0\x04\xd5\x9a\x6f\xbf\xd6\x23\x76\x36\x4f\x23\x99\xcb\x54\x28\xad\x8c\x15\x4b\x65\x59\x76\x41\x4a\x9c\xa6\xf7\xb3\x3b\x7e\xb1\xa5\x49\xa4\x17\x51\x6c\x80\xdc\x2a\x90\x50\x4b\x88\x24\xe9\xa5\x12\x32\x93\x04\x48\x90\x02\xfa\x5f\x0e\x30\x87\x8e\x55\x76\x05\xee\x2a\x4c\xce\xa3\x6a\x69\x09\x6e\x25\xad\x82\x76\x0f\x84\x92\xfa\x38\xd6\x86\x4e\x24\x8f\x9b\xb0\x72\xcb\x9e\xe2\x6b\x3f\xe1\x6d\xc9\x25\x75\x23\x88\xa1\x18\x58\x06\x23\x33\x78\xda\x00\xd0\x38\x91\x67\xd2\xa6\x7d\x27\x97\x67\x5a\xc1\xf3\x2f\x17\xe6\xea\xd2\x5b\xe8\x81\xcd\xfd\x92\x68\xe7\xf3\x06\xf0\xe9\x72\x84\xee\x01\xa5\xb1\xd8\x33\xda\xce\x83\xa5\xdb\xc7\xcf\xd6\x16\x7e\x90\x75\x18\xbf\x16\xdc\x32\x3b\x6d\x8d\xab\x82\x17\x1f\x89\x20\x8d\x1d\x9a\xe6\x4d\x23\x08\xdf\x78\x6f\xc6\x05\xbf\x5f\xae\x94\x97\xdb\x5f\x64\xd4\xee\x16\x8b\xa3\x84\x6c\x71\x2b\xf1\xab\x7f\x5d\x0d\x32\xee\x04\xe2\x90\xec\x41\x9f\xfb\x39\xc1\x02\x03\x01\x00\x01"), +["\x03\x01\x9d\xf3\xfd\x85\xa6\x9a\x8e\xbd\x1f\xac\xc6\xda\x9b\xa7\x3e\x46\x97\x74\xfe\x77\xf5\x79\xfc\x5a\x08\xb8\x32\x8c\x1d\x6b"] = CTInfo($description="Venafi Gen2 CT log", $operator="Venafi", $url="ctlog-gen2.api.venafi.com/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x8e\x27\x27\x7a\xb6\x55\x09\x74\xeb\x6c\x4b\x94\x84\x65\xbc\xe4\x15\xf1\xea\x5a\xd8\x7c\x0e\x37\xce\xba\x3f\x6c\x09\xda\xe7\x29\x96\xd3\x45\x50\x6f\xde\x1e\xb4\x1c\xd2\x83\x88\xff\x29\x2f\xce\xa9\xff\xdf\x34\xde\x75\x0f\xc0\xcc\x18\x0d\x94\x2e\xfc\x37\x01"), +["\xa5\x77\xac\x9c\xed\x75\x48\xdd\x8f\x02\x5b\x67\xa2\x41\x08\x9d\xf8\x6e\x0f\x47\x6e\xc2\x03\xc2\xec\xbe\xdb\x18\x5f\x28\x26\x38"] = CTInfo($description="CNNIC CT log", 
$operator="CNNIC", $url="ctserver.cnnic.cn/", $maximum_merge_delay=86400, $key="\x30\x82\x01\x22\x30\x0d\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x00\x30\x82\x01\x0a\x02\x82\x01\x01\x00\xbf\xb5\x08\x61\x9a\x29\x32\x04\xd3\x25\x63\xe9\xd8\x85\xe1\x86\xe0\x1f\xd6\x5e\x9a\xf7\x33\x3b\x80\x1b\xe7\xb6\x3e\x5f\x2d\xa1\x66\xf6\x95\x4a\x84\xa6\x21\x56\x79\xe8\xf7\x85\xee\x5d\xe3\x7c\x12\xc0\xe0\x89\x22\x09\x22\x3e\xba\x16\x95\x06\xbd\xa8\xb9\xb1\xa9\xb2\x7a\xd6\x61\x2e\x87\x11\xb9\x78\x40\x89\x75\xdb\x0c\xdc\x90\xe0\xa4\x79\xd6\xd5\x5e\x6e\xd1\x2a\xdb\x34\xf4\x99\x3f\x65\x89\x3b\x46\xc2\x29\x2c\x15\x07\x1c\xc9\x4b\x1a\x54\xf8\x6c\x1e\xaf\x60\x27\x62\x0a\x65\xd5\x9a\xb9\x50\x36\x16\x6e\x71\xf6\x1f\x01\xf7\x12\xa7\xfc\xbf\xf6\x21\xa3\x29\x90\x86\x2d\x77\xde\xbb\x4c\xd4\xcf\xfd\xd2\xcf\x82\x2c\x4d\xd4\xf2\xc2\x2d\xac\xa9\xbe\xea\xc3\x19\x25\x43\xb2\xe5\x9a\x6c\x0d\xc5\x1c\xa5\x8b\xf7\x3f\x30\xaf\xb9\x01\x91\xb7\x69\x12\x12\xe5\x83\x61\xfe\x34\x00\xbe\xf6\x71\x8a\xc7\xeb\x50\x92\xe8\x59\xfe\x15\x91\xeb\x96\x97\xf8\x23\x54\x3f\x2d\x8e\x07\xdf\xee\xda\xb3\x4f\xc8\x3c\x9d\x6f\xdf\x3c\x2c\x43\x57\xa1\x47\x0c\x91\x04\xf4\x75\x4d\xda\x89\x81\xa4\x14\x06\x34\xb9\x98\xc3\xda\xf1\xfd\xed\x33\x36\xd3\x16\x2d\x35\x02\x03\x01\x00\x01"), +["\x34\xbb\x6a\xd6\xc3\xdf\x9c\x03\xee\xa8\xa4\x99\xff\x78\x91\x48\x6c\x9d\x5e\x5c\xac\x92\xd0\x1f\x7b\xfd\x1b\xce\x19\xdb\x48\xef"] = CTInfo($description="StartCom log", $operator="StartCom", $url="ct.startssl.com/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x48\xf3\x59\xf3\xf6\x05\x18\xd3\xdb\xb2\xed\x46\x7e\xcf\xc8\x11\xb5\x57\xb1\xa8\xd6\x4c\xe6\x9f\xb7\x4a\x1a\x14\x86\x43\xa9\x48\xb0\xcb\x5a\x3f\x3c\x4a\xca\xdf\xc4\x82\x14\x55\x9a\xf8\xf7\x8e\x40\x55\xdc\xf4\xd2\xaf\xea\x75\x74\xfb\x4e\x7f\x60\x86\x2e\x51"), 
+["\xe0\x12\x76\x29\xe9\x04\x96\x56\x4e\x3d\x01\x47\x98\x44\x98\xaa\x48\xf8\xad\xb1\x66\x00\xeb\x79\x02\xa1\xef\x99\x09\x90\x62\x73"] = CTInfo($description="PuChuangSiDa CT log", $operator="Beijing PuChuangSiDa Technology Ltd.", $url="www.certificatetransparency.cn/ct/", $maximum_merge_delay=86400, $key="\x30\x82\x01\x22\x30\x0d\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x00\x30\x82\x01\x0a\x02\x82\x01\x01\x00\xac\xcf\x2f\x4b\x70\xac\xf1\x0d\x96\xbf\xe8\x0a\xfe\x44\x9d\xd4\x8c\x17\x9d\xc3\x9a\x10\x11\x84\x13\xed\x8c\xf9\x37\x6d\x83\xe4\x00\x6f\xb1\x4b\xc0\xa6\x89\xc7\x61\x8f\x9a\x34\xbb\x56\x52\xca\x03\x56\x50\xef\x24\x7f\x4b\x49\xe9\x35\x81\xdd\xf0\xe7\x17\xf5\x72\xd2\x23\xc5\xe3\x13\x7f\xd7\x8e\x78\x35\x8f\x49\xde\x98\x04\x8a\x63\xaf\xad\xa2\x39\x70\x95\x84\x68\x4b\x91\x33\xfe\x4c\xe1\x32\x17\xc2\xf2\x61\xb8\x3a\x8d\x39\x7f\xd5\x95\x82\x3e\x56\x19\x50\x45\x6f\xcb\x08\x33\x0d\xd5\x19\x42\x08\x1a\x48\x42\x10\xf1\x68\xc3\xc3\x41\x13\xcb\x0d\x1e\xdb\x02\xb7\x24\x7a\x51\x96\x6e\xbc\x08\xea\x69\xaf\x6d\xef\x92\x98\x8e\x55\xf3\x65\xe5\xe8\x9c\xbe\x1a\x47\x60\x30\x7d\x7a\x80\xad\x56\x83\x7a\x93\xc3\xae\x93\x2b\x6a\x28\x8a\xa6\x5f\x63\x19\x0c\xbe\x7c\x7b\x21\x63\x41\x38\xb7\xf7\xe8\x76\x73\x6b\x85\xcc\xbc\x72\x2b\xc1\x52\xd0\x5b\x5d\x31\x4e\x9d\x2a\xf3\x4d\x9b\x64\x14\x99\x26\xc6\x71\xf8\x7b\xf8\x44\xd5\xe3\x23\x20\xf3\x0a\xd7\x8b\x51\x3e\x72\x80\xd2\x78\x78\x35\x2d\x4a\xe7\x40\x99\x11\x95\x34\xd4\x2f\x7f\xf9\x5f\x35\x37\x02\x03\x01\x00\x01"), +["\x55\x81\xd4\xc2\x16\x90\x36\x01\x4a\xea\x0b\x9b\x57\x3c\x53\xf0\xc0\xe4\x38\x78\x70\x25\x08\x17\x2f\xa3\xaa\x1d\x07\x13\xd3\x0c"] = CTInfo($description="Comodo 'Sabre' CT log", $operator="Comodo CA Limited", $url="sabre.ct.comodo.com/", $maximum_merge_delay=86400, 
$key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xf2\x6f\xd2\x89\x0f\x3f\xc5\xf8\x87\x1e\xab\x65\xb3\xd9\xbb\x17\x23\x8c\x06\x0e\x09\x55\x96\x3d\x0a\x08\xa2\xc5\x71\xb3\xd1\xa9\x2f\x28\x3e\x83\x10\xbf\x12\xd0\x44\x66\x15\xef\x54\xe1\x98\x80\xd0\xce\x24\x6d\x3e\x67\x9a\xe9\x37\x23\xce\x52\x93\x86\xda\x80"), +["\x6f\x53\x76\xac\x31\xf0\x31\x19\xd8\x99\x00\xa4\x51\x15\xff\x77\x15\x1c\x11\xd9\x02\xc1\x00\x29\x06\x8d\xb2\x08\x9a\x37\xd9\x13"] = CTInfo($description="Comodo 'Mammoth' CT log", $operator="Comodo CA Limited", $url="mammoth.ct.comodo.com/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xef\xe4\x7d\x74\x2e\x15\x15\xb6\xe9\xbb\x23\x8b\xfb\x2c\xb5\xe1\xc7\x80\x98\x47\xfb\x40\x69\x68\xfc\x49\xad\x61\x4e\x83\x47\x3c\x1a\xb7\x8d\xdf\xff\x7b\x30\xb4\xba\xff\x2f\xcb\xa0\x14\xe3\xad\xd5\x85\x3f\x44\x59\x8c\x8c\x60\x8b\xd7\xb8\xb1\xbf\xae\x8c\x67"), +["\x53\x7b\x69\xa3\x56\x43\x35\xa9\xc0\x49\x04\xe3\x95\x93\xb2\xc2\x98\xeb\x8d\x7a\x6e\x83\x02\x36\x35\xc6\x27\x24\x8c\xd6\xb4\x40"] = CTInfo($description="Nordu 'flimsy' log", $operator="NORDUnet", $url="flimsy.ct.nordu.net:8080/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xe2\xa5\xaa\xe9\xa7\xe1\x05\x48\xb4\x39\xd7\x16\x51\x88\x72\x24\xb3\x57\x4e\x41\xaa\x43\xd3\xcc\x4b\x99\x6a\xa0\x28\x24\x57\x68\x75\x66\xfa\x4d\x8c\x11\xf6\xbb\xc5\x1b\x81\xc3\x90\xc2\xa0\xe8\xeb\xac\xfa\x05\x64\x09\x1a\x89\x68\xcd\x96\x26\x34\x71\x36\x91"), +["\xaa\xe7\x0b\x7f\x3c\xb8\xd5\x66\xc8\x6c\x2f\x16\x97\x9c\x9f\x44\x5f\x69\xab\x0e\xb4\x53\x55\x89\xb2\xf7\x7a\x03\x01\x04\xf3\xcd"] = CTInfo($description="Nordu 'plausible' log", $operator="NORDUnet", $url="plausible.ct.nordu.net/", $maximum_merge_delay=86400, 
$key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xf5\x45\x7d\xfa\x33\xb6\x30\x24\xf3\x91\xa6\xe8\x74\xed\x85\xec\xb3\x34\xdc\xc5\x01\x73\xc3\x2b\x74\x0b\x64\x71\x6e\xaf\xe8\x60\x3d\xb5\xa4\xd3\xc3\xd4\x09\xaa\x87\xe6\xd0\x16\xdd\x02\xc6\xed\x24\xbf\xee\x9f\x21\x1f\xd3\x32\x24\x46\x05\xe3\x8f\x36\x98\xa9"), +["\xcf\x55\xe2\x89\x23\x49\x7c\x34\x0d\x52\x06\xd0\x53\x53\xae\xb2\x58\x34\xb5\x2f\x1f\x8d\xc9\x52\x68\x09\xf2\x12\xef\xdd\x7c\xa6"] = CTInfo($description="SHECA CT log 1", $operator="SHECA", $url="ctlog.sheca.com/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x11\xa9\x60\x2b\xb4\x71\x45\x66\xe0\x2e\xde\xd5\x87\x3b\xd5\xfe\xf0\x92\x37\xf4\x68\xc6\x92\xdd\x3f\x1a\xe2\xbc\x0c\x22\xd6\x99\x63\x29\x6e\x32\x28\x14\xc0\x76\x2c\x80\xa8\x22\x51\x91\xd6\xeb\xa6\xd8\xf1\xec\xf0\x07\x7e\xb0\xfc\x76\x70\x76\x72\x7c\x91\xe9"), +["\x32\xdc\x59\xc2\xd4\xc4\x19\x68\xd5\x6e\x14\xbc\x61\xac\x8f\x0e\x45\xdb\x39\xfa\xf3\xc1\x55\xaa\x42\x52\xf5\x00\x1f\xa0\xc6\x23"] = CTInfo($description="SHECA CT log 2", $operator="SHECA", $url="ct.sheca.com/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xb1\x8e\x1d\x8a\xaa\x3a\xac\xce\x86\xcb\x53\x76\xe8\xa8\x9d\x59\xbe\x17\x88\x03\x07\xf2\x27\xe0\x82\xbe\xb1\xfc\x67\x3b\x46\xee\xd3\xf1\x8d\xd6\x77\xe8\xa3\xb4\xdb\x09\x5c\xa0\x09\x43\xfc\x5f\xd0\x68\x34\x23\x24\x08\xc2\x4f\xd8\xd2\xb6\x9d\xed\xd5\x8c\xdb"), +["\x96\x06\xc0\x2c\x69\x00\x33\xaa\x1d\x14\x5f\x59\xc6\xe2\x64\x8d\x05\x49\xf0\xdf\x96\xaa\xb8\xdb\x91\x5a\x70\xd8\xec\xf3\x90\xa5"] = CTInfo($description="Akamai CT Log", $operator="Akamai", $url="ct.akamai.com/", $maximum_merge_delay=86400, 
$key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x43\x79\xeb\x49\x5c\x50\x2a\x4a\x6a\x8f\x59\x93\xbc\xc3\x42\x76\xc2\x99\xf8\x27\x81\x3c\x06\x6c\xd2\xc8\x04\x8f\x74\x7b\xb4\xb5\x21\xf2\xe3\xa8\xdc\x33\xb9\xfe\x25\xe9\x3d\x04\xfc\x3f\xb4\xae\x40\xe3\x45\x7e\x84\x92\x2a\xd8\x52\xeb\x1f\x3f\x73\x13\xd0\xc8"), +["\x39\x37\x6f\x54\x5f\x7b\x46\x07\xf5\x97\x42\xd7\x68\xcd\x5d\x24\x37\xbf\x34\x73\xb6\x53\x4a\x48\x34\xbc\xf7\x2e\x68\x1c\x83\xc9"] = CTInfo($description="Alpha CT Log", $operator="Matt Palmer", $url="alpha.ctlogs.org/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xa2\xf7\xed\x13\xe1\xd3\x5c\x02\x08\xc4\x8e\x8b\x9b\x8b\x3b\x39\x68\xc7\x92\x6a\x38\xa1\x4f\x23\xc5\xa5\x6f\x6f\xd7\x65\x81\xf8\xc1\x9b\xf4\x9f\xa9\x8b\x45\xf4\xb9\x4e\x1b\xc9\xa2\x69\x17\xa5\x78\x87\xd9\xce\x88\x6f\x41\x03\xbb\xa3\x2a\xe3\x77\x97\x8d\x78"), +["\x29\x6a\xfa\x2d\x56\x8b\xca\x0d\x2e\xa8\x44\x95\x6a\xe9\x72\x1f\xc3\x5f\xa3\x55\xec\xda\x99\x69\x3a\xaf\xd4\x58\xa7\x1a\xef\xdd"] = CTInfo($description="Let's Encrypt 'Clicky' log", $operator="Let's Encrypt", $url="clicky.ct.letsencrypt.org/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x1f\x1a\x15\x83\x77\x00\x75\x62\xb9\x9f\xf6\x06\x05\xed\x95\x89\x83\x41\x81\x97\xe7\xe0\xd4\x33\xfe\x76\xba\x3b\xc9\x49\xc2\xcd\xf1\xcf\xfe\x12\x70\xd7\xbe\xa8\x22\x5f\xb2\xa4\x67\x02\x7b\x71\xae\x1d\xac\xa8\xe9\xd1\x08\xd5\xce\xef\x33\x7a\xc3\x5f\x00\xdc"), +["\xb0\xb7\x84\xbc\x81\xc0\xdd\xc4\x75\x44\xe8\x83\xf0\x59\x85\xbb\x90\x77\xd1\x34\xd8\xab\x88\xb2\xb2\xe5\x33\x98\x0b\x8e\x50\x8b"] = CTInfo($description="Up In The Air 'Behind the Sofa' log", $operator="Up In The Air Consulting", $url="ct.filippo.io/behindthesofa/", $maximum_merge_delay=86400, 
$key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x59\x39\xb2\xa6\x94\xc6\x32\xb9\xfe\x63\x69\x1e\x30\x3b\xa3\x5b\xd5\xb0\x43\xc9\x50\x1e\x95\xa5\x2d\xa7\x4c\x4a\x49\x8e\x8b\x8f\xb7\xf8\xcc\xe2\x5b\x97\x72\xd5\xea\x3f\xb1\x21\x48\xe8\x44\x6b\x7f\xea\xef\x22\xff\xdf\xf4\x5f\x3b\x6d\x77\x04\xb1\xaf\x90\x8f"), +}; diff --git a/scripts/base/protocols/ssl/dpd.sig b/scripts/base/protocols/ssl/dpd.sig index 2ebe1cc634..1b8cad2f76 100644 --- a/scripts/base/protocols/ssl/dpd.sig +++ b/scripts/base/protocols/ssl/dpd.sig @@ -1,7 +1,7 @@ signature dpd_ssl_server { ip-proto == tcp # Server hello. - payload /^((\x15\x03[\x00\x01\x02\x03]....)?\x16\x03[\x00\x01\x02\x03]..\x02...\x03[\x00\x01\x02\x03]|...?\x04..\x00\x02).*/ + payload /^((\x15\x03[\x00\x01\x02\x03]....)?\x16\x03[\x00\x01\x02\x03]..\x02...((\x03[\x00\x01\x02\x03\x04])|(\x7F[\x00-\x50]))|...?\x04..\x00\x02).*/ requires-reverse-signature dpd_ssl_client enable "ssl" tcp-state responder @@ -10,7 +10,7 @@ signature dpd_ssl_server { signature dpd_ssl_client { ip-proto == tcp # Client hello. - payload /^(\x16\x03[\x00\x01\x02\x03]..\x01...\x03[\x00\x01\x02\x03]|...?\x01[\x00\x03][\x00\x01\x02\x03]).*/ + payload /^(\x16\x03[\x00\x01\x02\x03]..\x01...\x03[\x00\x01\x02\x03]|...?\x01[\x00\x03][\x00\x01\x02\x03\x04]).*/ tcp-state originator } diff --git a/scripts/base/protocols/ssl/files.bro b/scripts/base/protocols/ssl/files.bro index fad0fa0483..d0d89561e3 100644 --- a/scripts/base/protocols/ssl/files.bro +++ b/scripts/base/protocols/ssl/files.bro 
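Review bot: The new alternatives in the `dpd_ssl_server` payload pattern, `\x03[\x00\x01\x02\x03\x04]` and `\x7F[\x00-\x50]`, carry no comment saying what they match, and the `\x7F` range is wide enough that a reader cannot tell which values are intended. Assuming they cover TLS 1.3 and its draft version numbers, a line such as `# \x03\x04 is TLS 1.3; \x7F.. are TLS 1.3 draft versions` above the payload would document it. The second hunk widens only the `...?\x01[\x00\x03]` alternative of `dpd_ssl_client` to `\x04` and leaves the `\x16\x03` record alternative unchanged. If that asymmetry is deliberate it deserves a comment too, because every loosening of these patterns lets the SSL analyzer be enabled on more traffic that is not TLS.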
@@ -91,11 +91,26 @@ event bro_init() &priority=5 $describe = SSL::describe_file]); } -event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priority=5 +event file_sniff(f: fa_file, meta: fa_metadata) &priority=5 { - if ( ! c?$ssl ) + if ( |f$conns| != 1 ) return; + if ( ! f?$info || ! f$info?$mime_type ) + return; + + if ( ! ( f$info$mime_type == "application/x-x509-ca-cert" || f$info$mime_type == "application/x-x509-user-cert" + || f$info$mime_type == "application/pkix-cert" ) ) + return; + + for ( cid in f$conns ) + { + if ( ! f$conns[cid]?$ssl ) + return; + + local c = f$conns[cid]; + } + if ( ! c$ssl?$cert_chain ) { c$ssl$cert_chain = vector(); @@ -104,22 +119,16 @@ event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priori c$ssl$client_cert_chain_fuids = string_vec(); } - if ( is_orig ) + if ( f$is_orig ) { - c$ssl$client_cert_chain[|c$ssl$client_cert_chain|] = f$info; - c$ssl$client_cert_chain_fuids[|c$ssl$client_cert_chain_fuids|] = f$id; + c$ssl$client_cert_chain += f$info; + c$ssl$client_cert_chain_fuids += f$id; } else { - c$ssl$cert_chain[|c$ssl$cert_chain|] = f$info; - c$ssl$cert_chain_fuids[|c$ssl$cert_chain_fuids|] = f$id; + c$ssl$cert_chain += f$info; + c$ssl$cert_chain_fuids += f$id; } - - Files::add_analyzer(f, Files::ANALYZER_X509); - # Always calculate hashes. They are not necessary for base scripts - # but very useful for identification, and required for policy scripts. - Files::add_analyzer(f, Files::ANALYZER_MD5); - Files::add_analyzer(f, Files::ANALYZER_SHA1); } event ssl_established(c: connection) &priority=6 diff --git a/scripts/base/protocols/ssl/main.bro b/scripts/base/protocols/ssl/main.bro index e7ee918ba3..463ecbb9ea 100644 --- a/scripts/base/protocols/ssl/main.bro +++ b/scripts/base/protocols/ssl/main.bro 
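Review bot: In `file_sniff`, `c` is assigned with `local c = f$conns[cid];` inside the `for` loop and then used after it, which relies on the earlier `|f$conns| != 1` guard forcing exactly one iteration; nothing states that dependency. A comment on the loop such as `# f$conns has exactly one entry here; the loop only extracts it` would make it explicit, and testing `if ( ! c?$ssl ) return;` after the assignment would read more directly than indexing `f$conns[cid]` twice. The early returns also mean that a certificate file tied to more than one connection, or sniffed as a different MIME type, never reaches the chain; a comment should say whether that is intended. The handler body continues in the next hunk.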
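Review bot: With the `Files::add_analyzer` calls for `ANALYZER_X509`, `ANALYZER_MD5` and `ANALYZER_SHA1` removed from the end of the handler, nothing in this hunk shows where certificates are now parsed and hashed, and the deleted comment said the hashes are required for policy scripts. If the analyzers are attached elsewhere (not visible in this section of the diff), a short comment in their place, for example `# X509/MD5/SHA1 analyzers are attached outside this handler`, would keep readers from assuming certificate hashing was dropped. The handler starts in the previous hunk.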
@@ -64,7 +64,6 @@ export { ## Flag to indicate if this ssl session has been established ## successfully, or if it was aborted during the handshake. established: bool &log &default=F; - ## Flag to indicate if this record already has been logged, to ## prevent duplicates. logged: bool &default=F; @@ -74,6 +73,26 @@ export { ## script sets this to Mozilla's root CA list. const root_certs: table[string] of string = {} &redef; + ## The record type which contains the field for the Certificate + ## Transparency log bundle. + type CTInfo: record { + ## Description of the Log + description: string; + ## Operator of the Log + operator: string; + ## Public key of the Log. + key: string; + ## Maximum merge delay of the Log + maximum_merge_delay: count; + ## URL of the Log + url: string; + }; + + ## The Certificate Transparency log bundle. By default, the ct-list.bro + ## script sets this to the current list of known logs. Entries + ## are indexed by (binary) log-id. + const ct_logs: table[string] of CTInfo = {} &redef; + ## If true, detach the SSL analyzer from the connection to prevent ## continuing to process encrypted traffic. Helps with performance ## (especially with large file transfers). @@ -90,6 +109,10 @@ export { ## Event that can be handled to access the SSL ## record as it is sent on to the logging framework. global log_ssl: event(rec: Info); + + # Hook that can be used to perform actions right before the log record + # is written. + global ssl_finishing: hook(c: connection); } redef record connection += { 
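Review bot: The field comments in the new `CTInfo` record leave out the encoding and units a consumer needs: `key` does not say whether it holds raw bytes or text, and `maximum_merge_delay` has no unit. The `$key` values visible earlier in this diff are binary escape strings that look like DER, so something like `## Public key of the Log, as binary DER.` and `## Maximum merge delay of the Log, in seconds.` would help, with the unit confirmed against whatever generates the list. Since `ct_logs` is `&redef` and is presumably what log signatures get checked against, a sentence saying that site-added entries are trusted as-is would also be useful.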
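Review bot: The comment on the new `ssl_finishing` hook uses a single `#`, while the other exported items visible in this block, including `log_ssl` directly above it, are documented with `##`. If the `##` form is what the documentation generator picks up, the hook will be missing from the generated reference; I would write it as `## Hook that can be used to perform actions right before the log record` and `## is written.`. The comment could also say whether handlers are expected to modify `c$ssl` before it is logged.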
@@ -193,15 +216,30 @@ event ssl_server_hello(c: connection, version: count, possible_ts: time, server_ { set_session(c); - c$ssl$version_num = version; - c$ssl$version = version_strings[version]; + # If it is already filled, we saw a supported_versions extensions which overrides this. + if ( ! c$ssl?$version_num ) + { + c$ssl$version_num = version; + c$ssl$version = version_strings[version]; + } c$ssl$cipher = cipher_desc[cipher]; if ( c$ssl?$session_id && c$ssl$session_id == bytestring_to_hexstr(session_id) ) c$ssl$resumed = T; } -event ssl_server_curve(c: connection, curve: count) &priority=5 +event ssl_extension_supported_versions(c: connection, is_orig: bool, versions: index_vec) + { + if ( is_orig || |versions| != 1 ) + return; + + set_session(c); + + c$ssl$version_num = versions[0]; + c$ssl$version = version_strings[versions[0]]; + } + +event ssl_ecdh_server_params(c: connection, curve: count, point: string) &priority=5 { set_session(c); @@ -281,11 +319,22 @@ event ssl_established(c: connection) &priority=7 c$ssl$established = T; } +event ssl_established(c: connection) &priority=20 + { + hook ssl_finishing(c); + } + event ssl_established(c: connection) &priority=-5 { finish(c, T); } +event connection_state_remove(c: connection) &priority=20 + { + if ( c?$ssl && ! c$ssl$logged ) + hook ssl_finishing(c); + } + event connection_state_remove(c: connection) &priority=-5 { if ( c?$ssl ) diff --git a/scripts/base/protocols/ssl/mozilla-ca-list.bro b/scripts/base/protocols/ssl/mozilla-ca-list.bro index b637c1b2bf..0e8f16d8b8 100644 --- a/scripts/base/protocols/ssl/mozilla-ca-list.bro +++ b/scripts/base/protocols/ssl/mozilla-ca-list.bro @@ -1,6 +1,6 @@ # Don't edit! This file is automatically generated. -# Generated at: 2016-08-10 09:18:06 -0700 -# Generated from: NSS 3.26 +# Generated at: 2018-02-16 10:50:53 -0800 +# Generated from: NSS 3.35 # # The original source file comes with this licensing statement: # 
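Review bot: The guard `if ( ! c$ssl?$version_num )` in `ssl_server_hello` assumes a filled field can only have come from `ssl_extension_supported_versions`, but this handler sets the field too, so a later server hello on the same connection would presumably no longer update `version` and `version_num`. The new extension handler also takes `versions[0]` straight from the wire and uses it to index `version_strings`; whether that table has a default for unknown values is not visible in this hunk. A dedicated flag on the record, set only by the extension handler, would make the override explicit, and the new handler could carry `&priority=5` like `ssl_ecdh_server_params` next to it. `ssl_server_hello` starts outside the hunk.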
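Review bot: The two new call sites of `hook ssl_finishing(c)` are guarded differently: the `connection_state_remove` handler checks `c?$ssl && ! c$ssl$logged`, while the `ssl_established` handler at `&priority=20` calls the hook unconditionally. In the established path, hook handlers therefore cannot rely on the record being unlogged, or on `c$ssl` existing, unless that is guaranteed elsewhere, which this hunk does not show. If `c$ssl` is always present by then, I would use the same condition in both places, `if ( c?$ssl && ! c$ssl$logged ) hook ssl_finishing(c);`. Otherwise the hook's declaration should say that it can fire more than once per connection and that handlers must check `c?$ssl` themselves.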
@@ -16,41 +16,27 @@ redef root_certs += { ["CN=VeriSign Class 3 Public Primary Certification Authority - G3,OU=(c) 1999 VeriSign\, Inc. - For authorized use only,OU=VeriSign Trust Network,O=VeriSign\, Inc.,C=US"] = "\x30\x82\x04\x1A\x30\x82\x03\x02\x02\x11\x00\x9B\x7E\x06\x49\xA3\x3E\x62\xB9\xD5\xEE\x90\x48\x71\x29\xEF\x57\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x81\xCA\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x17\x30\x15\x06\x03\x55\x04\x0A\x13\x0E\x56\x65\x72\x69\x53\x69\x67\x6E\x2C\x20\x49\x6E\x63\x2E\x31\x1F\x30\x1D\x06\x03\x55\x04\x0B\x13\x16\x56\x65\x72\x69\x53\x69\x67\x6E\x20\x54\x72\x75\x73\x74\x20\x4E\x65\x74\x77\x6F\x72\x6B\x31\x3A\x30\x38\x06\x03\x55\x04\x0B\x13\x31\x28\x63\x29\x20\x31\x39\x39\x39\x20\x56\x65\x72\x69\x53\x69\x67\x6E\x2C\x20\x49\x6E\x63\x2E\x20\x2D\x20\x46\x6F\x72\x20\x61\x75\x74\x68\x6F\x72\x69\x7A\x65\x64\x20\x75\x73\x65\x20\x6F\x6E\x6C\x79\x31\x45\x30\x43\x06\x03\x55\x04\x03\x13\x3C\x56\x65\x72\x69\x53\x69\x67\x6E\x20\x43\x6C\x61\x73\x73\x20\x33\x20\x50\x75\x62\x6C\x69\x63\x20\x50\x72\x69\x6D\x61\x72\x79\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x20\x2D\x20\x47\x33\x30\x1E\x17\x0D\x39\x39\x31\x30\x30\x31\x30\x30\x30\x30\x30\x30\x5A\x17\x0D\x33\x36\x30\x37\x31\x36\x32\x33\x35\x39\x35\x39\x5A\x30\x81\xCA\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x17\x30\x15\x06\x03\x55\x04\x0A\x13\x0E\x56\x65\x72\x69\x53\x69\x67\x6E\x2C\x20\x49\x6E\x63\x2E\x31\x1F\x30\x1D\x06\x03\x55\x04\x0B\x13\x16\x56\x65\x72\x69\x53\x69\x67\x6E\x20\x54\x72\x75\x73\x74\x20\x4E\x65\x74\x77\x6F\x72\x6B\x31\x3A\x30\x38\x06\x03\x55\x04\x0B\x13\x31\x28\x63\x29\x20\x31\x39\x39\x39\x20\x56\x65\x72\x69\x53\x69\x67\x6E\x2C\x20\x49\x6E\x63\x2E\x20\x2D\x20\x46\x6F\x72\x20\x61\x75\x74\x68\x6F\x72\x69\x7A\x65\x64\x20\x75\x73\x65\x20\x6F\x6E\x6C\x79\x31\x45\x30\x43\x06\x03\x55\x04\x03\x13\x3C\x56\x65\x72\x69\x53\x69\x67\x6E\x20\x43\x6C\x61\x73\x73\x20\x33\x20\x50\x75\x62\x6C\x69
\x63\x20\x50\x72\x69\x6D\x61\x72\x79\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x20\x2D\x20\x47\x33\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xCB\xBA\x9C\x52\xFC\x78\x1F\x1A\x1E\x6F\x1B\x37\x73\xBD\xF8\xC9\x6B\x94\x12\x30\x4F\xF0\x36\x47\xF5\xD0\x91\x0A\xF5\x17\xC8\xA5\x61\xC1\x16\x40\x4D\xFB\x8A\x61\x90\xE5\x76\x20\xC1\x11\x06\x7D\xAB\x2C\x6E\xA6\xF5\x11\x41\x8E\xFA\x2D\xAD\x2A\x61\x59\xA4\x67\x26\x4C\xD0\xE8\xBC\x52\x5B\x70\x20\x04\x58\xD1\x7A\xC9\xA4\x69\xBC\x83\x17\x64\xAD\x05\x8B\xBC\xD0\x58\xCE\x8D\x8C\xF5\xEB\xF0\x42\x49\x0B\x9D\x97\x27\x67\x32\x6E\xE1\xAE\x93\x15\x1C\x70\xBC\x20\x4D\x2F\x18\xDE\x92\x88\xE8\x6C\x85\x57\x11\x1A\xE9\x7E\xE3\x26\x11\x54\xA2\x45\x96\x55\x83\xCA\x30\x89\xE8\xDC\xD8\xA3\xED\x2A\x80\x3F\x7F\x79\x65\x57\x3E\x15\x20\x66\x08\x2F\x95\x93\xBF\xAA\x47\x2F\xA8\x46\x97\xF0\x12\xE2\xFE\xC2\x0A\x2B\x51\xE6\x76\xE6\xB7\x46\xB7\xE2\x0D\xA6\xCC\xA8\xC3\x4C\x59\x55\x89\xE6\xE8\x53\x5C\x1C\xEA\x9D\xF0\x62\x16\x0B\xA7\xC9\x5F\x0C\xF0\xDE\xC2\x76\xCE\xAF\xF7\x6A\xF2\xFA\x41\xA6\xA2\x33\x14\xC9\xE5\x7A\x63\xD3\x9E\x62\x37\xD5\x85\x65\x9E\x0E\xE6\x53\x24\x74\x1B\x5E\x1D\x12\x53\x5B\xC7\x2C\xE7\x83\x49\x3B\x15\xAE\x8A\x68\xB9\x57\x97\x02\x03\x01\x00\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x11\x14\x96\xC1\xAB\x92\x08\xF7\x3F\x2F\xC9\xB2\xFE\xE4\x5A\x9F\x64\xDE\xDB\x21\x4F\x86\x99\x34\x76\x36\x57\xDD\xD0\x15\x2F\xC5\xAD\x7F\x15\x1F\x37\x62\x73\x3E\xD4\xE7\x5F\xCE\x17\x03\xDB\x35\xFA\x2B\xDB\xAE\x60\x09\x5F\x1E\x5F\x8F\x6E\xBB\x0B\x3D\xEA\x5A\x13\x1E\x0C\x60\x6F\xB5\xC0\xB5\x23\x22\x2E\x07\x0B\xCB\xA9\x74\xCB\x47\xBB\x1D\xC1\xD7\xA5\x6B\xCC\x2F\xD2\x42\xFD\x49\xDD\xA7\x89\xCF\x53\xBA\xDA\x00\x5A\x28\xBF\x82\xDF\xF8\xBA\x13\x1D\x50\x86\x82\xFD\x8E\x30\x8F\x29\x46\xB0\x1E\x3D\x35\xDA\x38\x62\x16\x18\x4A\xAD\xE6\xB6\x51\x6C\xDE\xAF\x62\xEB\x01\xD0\x1E\x24\xFE\x7A\x8F\x12\x1A
\x12\x68\xB8\xFB\x66\x99\x14\x14\x45\x5C\xAE\xE7\xAE\x69\x17\x81\x2B\x5A\x37\xC9\x5E\x2A\xF4\xC6\xE2\xA1\x5C\x54\x9B\xA6\x54\x00\xCF\xF0\xF1\xC1\xC7\x98\x30\x1A\x3B\x36\x16\xDB\xA3\x6E\xEA\xFD\xAD\xB2\xC2\xDA\xEF\x02\x47\x13\x8A\xC0\xF1\xB3\x31\xAD\x4F\x1C\xE1\x4F\x9C\xAF\x0F\x0C\x9D\xF7\x78\x0D\xD8\xF4\x35\x56\x80\xDA\xB7\x6D\x17\x8F\x9D\x1E\x81\x64\xE1\xFE\xC5\x45\xBA\xAD\x6B\xB9\x0A\x7A\x4E\x4F\x4B\x84\xEE\x4B\xF1\x7D\xDD\x11", ["CN=Entrust.net Certification Authority (2048),OU=(c) 1999 Entrust.net Limited,OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.),O=Entrust.net"] = "\x30\x82\x04\x2A\x30\x82\x03\x12\xA0\x03\x02\x01\x02\x02\x04\x38\x63\xDE\xF8\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x81\xB4\x31\x14\x30\x12\x06\x03\x55\x04\x0A\x13\x0B\x45\x6E\x74\x72\x75\x73\x74\x2E\x6E\x65\x74\x31\x40\x30\x3E\x06\x03\x55\x04\x0B\x14\x37\x77\x77\x77\x2E\x65\x6E\x74\x72\x75\x73\x74\x2E\x6E\x65\x74\x2F\x43\x50\x53\x5F\x32\x30\x34\x38\x20\x69\x6E\x63\x6F\x72\x70\x2E\x20\x62\x79\x20\x72\x65\x66\x2E\x20\x28\x6C\x69\x6D\x69\x74\x73\x20\x6C\x69\x61\x62\x2E\x29\x31\x25\x30\x23\x06\x03\x55\x04\x0B\x13\x1C\x28\x63\x29\x20\x31\x39\x39\x39\x20\x45\x6E\x74\x72\x75\x73\x74\x2E\x6E\x65\x74\x20\x4C\x69\x6D\x69\x74\x65\x64\x31\x33\x30\x31\x06\x03\x55\x04\x03\x13\x2A\x45\x6E\x74\x72\x75\x73\x74\x2E\x6E\x65\x74\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x20\x28\x32\x30\x34\x38\x29\x30\x1E\x17\x0D\x39\x39\x31\x32\x32\x34\x31\x37\x35\x30\x35\x31\x5A\x17\x0D\x32\x39\x30\x37\x32\x34\x31\x34\x31\x35\x31\x32\x5A\x30\x81\xB4\x31\x14\x30\x12\x06\x03\x55\x04\x0A\x13\x0B\x45\x6E\x74\x72\x75\x73\x74\x2E\x6E\x65\x74\x31\x40\x30\x3E\x06\x03\x55\x04\x0B\x14\x37\x77\x77\x77\x2E\x65\x6E\x74\x72\x75\x73\x74\x2E\x6E\x65\x74\x2F\x43\x50\x53\x5F\x32\x30\x34\x38\x20\x69\x6E\x63\x6F\x72\x70\x2E\x20\x62\x79\x20\x72\x65\x66\x2E\x20\x28\x6C\x69\x6D\x69\x74\x73\x20\x6C\x69\x61\x62\x2E\x29\x31\x25\x30\x23\x06\x03\x55\x04\x0B\x13\x1C\x2
8\x63\x29\x20\x31\x39\x39\x39\x20\x45\x6E\x74\x72\x75\x73\x74\x2E\x6E\x65\x74\x20\x4C\x69\x6D\x69\x74\x65\x64\x31\x33\x30\x31\x06\x03\x55\x04\x03\x13\x2A\x45\x6E\x74\x72\x75\x73\x74\x2E\x6E\x65\x74\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x20\x28\x32\x30\x34\x38\x29\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xAD\x4D\x4B\xA9\x12\x86\xB2\xEA\xA3\x20\x07\x15\x16\x64\x2A\x2B\x4B\xD1\xBF\x0B\x4A\x4D\x8E\xED\x80\x76\xA5\x67\xB7\x78\x40\xC0\x73\x42\xC8\x68\xC0\xDB\x53\x2B\xDD\x5E\xB8\x76\x98\x35\x93\x8B\x1A\x9D\x7C\x13\x3A\x0E\x1F\x5B\xB7\x1E\xCF\xE5\x24\x14\x1E\xB1\x81\xA9\x8D\x7D\xB8\xCC\x6B\x4B\x03\xF1\x02\x0C\xDC\xAB\xA5\x40\x24\x00\x7F\x74\x94\xA1\x9D\x08\x29\xB3\x88\x0B\xF5\x87\x77\x9D\x55\xCD\xE4\xC3\x7E\xD7\x6A\x64\xAB\x85\x14\x86\x95\x5B\x97\x32\x50\x6F\x3D\xC8\xBA\x66\x0C\xE3\xFC\xBD\xB8\x49\xC1\x76\x89\x49\x19\xFD\xC0\xA8\xBD\x89\xA3\x67\x2F\xC6\x9F\xBC\x71\x19\x60\xB8\x2D\xE9\x2C\xC9\x90\x76\x66\x7B\x94\xE2\xAF\x78\xD6\x65\x53\x5D\x3C\xD6\x9C\xB2\xCF\x29\x03\xF9\x2F\xA4\x50\xB2\xD4\x48\xCE\x05\x32\x55\x8A\xFD\xB2\x64\x4C\x0E\xE4\x98\x07\x75\xDB\x7F\xDF\xB9\x08\x55\x60\x85\x30\x29\xF9\x7B\x48\xA4\x69\x86\xE3\x35\x3F\x1E\x86\x5D\x7A\x7A\x15\xBD\xEF\x00\x8E\x15\x22\x54\x17\x00\x90\x26\x93\xBC\x0E\x49\x68\x91\xBF\xF8\x47\xD3\x9D\x95\x42\xC1\x0E\x4D\xDF\x6F\x26\xCF\xC3\x18\x21\x62\x66\x43\x70\xD6\xD5\xC0\x07\xE1\x02\x03\x01\x00\x01\xA3\x42\x30\x40\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x55\xE4\x81\xD1\x11\x80\xBE\xD8\x89\xB9\x08\xA3\x31\xF9\xA1\x24\x09\x16\xB9\x70\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x3B\x9B\x8F\x56\x9B\x30\xE7\x53\x99\x7C\x7A\x79\xA7\x4D\x97\xD7\x19\x95\x90\xFB\x06\x1F\xCA\x33\x7C\x46\x63\x8F\x96\x66\x24\xFA\x40\x1B\x21\x27\xCA\xE
6\x72\x73\xF2\x4F\xFE\x31\x99\xFD\xC8\x0C\x4C\x68\x53\xC6\x80\x82\x13\x98\xFA\xB6\xAD\xDA\x5D\x3D\xF1\xCE\x6E\xF6\x15\x11\x94\x82\x0C\xEE\x3F\x95\xAF\x11\xAB\x0F\xD7\x2F\xDE\x1F\x03\x8F\x57\x2C\x1E\xC9\xBB\x9A\x1A\x44\x95\xEB\x18\x4F\xA6\x1F\xCD\x7D\x57\x10\x2F\x9B\x04\x09\x5A\x84\xB5\x6E\xD8\x1D\x3A\xE1\xD6\x9E\xD1\x6C\x79\x5E\x79\x1C\x14\xC5\xE3\xD0\x4C\x93\x3B\x65\x3C\xED\xDF\x3D\xBE\xA6\xE5\x95\x1A\xC3\xB5\x19\xC3\xBD\x5E\x5B\xBB\xFF\x23\xEF\x68\x19\xCB\x12\x93\x27\x5C\x03\x2D\x6F\x30\xD0\x1E\xB6\x1A\xAC\xDE\x5A\xF7\xD1\xAA\xA8\x27\xA6\xFE\x79\x81\xC4\x79\x99\x33\x57\xBA\x12\xB0\xA9\xE0\x42\x6C\x93\xCA\x56\xDE\xFE\x6D\x84\x0B\x08\x8B\x7E\x8D\xEA\xD7\x98\x21\xC6\xF3\xE7\x3C\x79\x2F\x5E\x9C\xD1\x4C\x15\x8D\xE1\xEC\x22\x37\xCC\x9A\x43\x0B\x97\xDC\x80\x90\x8D\xB3\x67\x9B\x6F\x48\x08\x15\x56\xCF\xBF\xF1\x2B\x7C\x5E\x9A\x76\xE9\x59\x90\xC5\x7C\x83\x35\x11\x65\x51", ["CN=Baltimore CyberTrust Root,OU=CyberTrust,O=Baltimore,C=IE"] = "\x30\x82\x03\x77\x30\x82\x02\x5F\xA0\x03\x02\x01\x02\x02\x04\x02\x00\x00\xB9\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x5A\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x49\x45\x31\x12\x30\x10\x06\x03\x55\x04\x0A\x13\x09\x42\x61\x6C\x74\x69\x6D\x6F\x72\x65\x31\x13\x30\x11\x06\x03\x55\x04\x0B\x13\x0A\x43\x79\x62\x65\x72\x54\x72\x75\x73\x74\x31\x22\x30\x20\x06\x03\x55\x04\x03\x13\x19\x42\x61\x6C\x74\x69\x6D\x6F\x72\x65\x20\x43\x79\x62\x65\x72\x54\x72\x75\x73\x74\x20\x52\x6F\x6F\x74\x30\x1E\x17\x0D\x30\x30\x30\x35\x31\x32\x31\x38\x34\x36\x30\x30\x5A\x17\x0D\x32\x35\x30\x35\x31\x32\x32\x33\x35\x39\x30\x30\x5A\x30\x5A\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x49\x45\x31\x12\x30\x10\x06\x03\x55\x04\x0A\x13\x09\x42\x61\x6C\x74\x69\x6D\x6F\x72\x65\x31\x13\x30\x11\x06\x03\x55\x04\x0B\x13\x0A\x43\x79\x62\x65\x72\x54\x72\x75\x73\x74\x31\x22\x30\x20\x06\x03\x55\x04\x03\x13\x19\x42\x61\x6C\x74\x69\x6D\x6F\x72\x65\x20\x43\x79\x62\x65\x72\x54\x72\x75\x73\x74\x20\x52\x6F\x6F\x74\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\
x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xA3\x04\xBB\x22\xAB\x98\x3D\x57\xE8\x26\x72\x9A\xB5\x79\xD4\x29\xE2\xE1\xE8\x95\x80\xB1\xB0\xE3\x5B\x8E\x2B\x29\x9A\x64\xDF\xA1\x5D\xED\xB0\x09\x05\x6D\xDB\x28\x2E\xCE\x62\xA2\x62\xFE\xB4\x88\xDA\x12\xEB\x38\xEB\x21\x9D\xC0\x41\x2B\x01\x52\x7B\x88\x77\xD3\x1C\x8F\xC7\xBA\xB9\x88\xB5\x6A\x09\xE7\x73\xE8\x11\x40\xA7\xD1\xCC\xCA\x62\x8D\x2D\xE5\x8F\x0B\xA6\x50\xD2\xA8\x50\xC3\x28\xEA\xF5\xAB\x25\x87\x8A\x9A\x96\x1C\xA9\x67\xB8\x3F\x0C\xD5\xF7\xF9\x52\x13\x2F\xC2\x1B\xD5\x70\x70\xF0\x8F\xC0\x12\xCA\x06\xCB\x9A\xE1\xD9\xCA\x33\x7A\x77\xD6\xF8\xEC\xB9\xF1\x68\x44\x42\x48\x13\xD2\xC0\xC2\xA4\xAE\x5E\x60\xFE\xB6\xA6\x05\xFC\xB4\xDD\x07\x59\x02\xD4\x59\x18\x98\x63\xF5\xA5\x63\xE0\x90\x0C\x7D\x5D\xB2\x06\x7A\xF3\x85\xEA\xEB\xD4\x03\xAE\x5E\x84\x3E\x5F\xFF\x15\xED\x69\xBC\xF9\x39\x36\x72\x75\xCF\x77\x52\x4D\xF3\xC9\x90\x2C\xB9\x3D\xE5\xC9\x23\x53\x3F\x1F\x24\x98\x21\x5C\x07\x99\x29\xBD\xC6\x3A\xEC\xE7\x6E\x86\x3A\x6B\x97\x74\x63\x33\xBD\x68\x18\x31\xF0\x78\x8D\x76\xBF\xFC\x9E\x8E\x5D\x2A\x86\xA7\x4D\x90\xDC\x27\x1A\x39\x02\x03\x01\x00\x01\xA3\x45\x30\x43\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xE5\x9D\x59\x30\x82\x47\x58\xCC\xAC\xFA\x08\x54\x36\x86\x7B\x3A\xB5\x04\x4D\xF0\x30\x12\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x08\x30\x06\x01\x01\xFF\x02\x01\x03\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x85\x0C\x5D\x8E\xE4\x6F\x51\x68\x42\x05\xA0\xDD\xBB\x4F\x27\x25\x84\x03\xBD\xF7\x64\xFD\x2D\xD7\x30\xE3\xA4\x10\x17\xEB\xDA\x29\x29\xB6\x79\x3F\x76\xF6\x19\x13\x23\xB8\x10\x0A\xF9\x58\xA4\xD4\x61\x70\xBD\x04\x61\x6A\x12\x8A\x17\xD5\x0A\xBD\xC5\xBC\x30\x7C\xD6\xE9\x0C\x25\x8D\x86\x40\x4F\xEC\xCC\xA3\x7E\x38\xC6\x37\x11\x4F\xED\xDD\x68\x31\x8E\x4C\xD2\xB3\x01\x74\xEE\xBE\x75\x5E\x07\x48\x1A\x7F\x70\xFF\x16\x5C\x84\xC0\x79\x85\xB8\x05\xFD\x7F\xBE\x65\x11\xA3\x0F\xC0\x02\xB4\xF8\x52\x37\x39\x04\xD5\xA9\x31\x7A\x18\
xBF\xA0\x2A\xF4\x12\x99\xF7\xA3\x45\x82\xE3\x3C\x5E\xF5\x9D\x9E\xB5\xC8\x9E\x7C\x2E\xC8\xA4\x9E\x4E\x08\x14\x4B\x6D\xFD\x70\x6D\x6B\x1A\x63\xBD\x64\xE6\x1F\xB7\xCE\xF0\xF2\x9F\x2E\xBB\x1B\xB7\xF2\x50\x88\x73\x92\xC2\xE2\xE3\x16\x8D\x9A\x32\x02\xAB\x8E\x18\xDD\xE9\x10\x11\xEE\x7E\x35\xAB\x90\xAF\x3E\x30\x94\x7A\xD0\x33\x3D\xA7\x65\x0F\xF5\xFC\x8E\x9E\x62\xCF\x47\x44\x2C\x01\x5D\xBB\x1D\xB5\x32\xD2\x47\xD2\x38\x2E\xD0\xFE\x81\xDC\x32\x6A\x1E\xB5\xEE\x3C\xD5\xFC\xE7\x81\x1D\x19\xC3\x24\x42\xEA\x63\x39\xA9", - ["CN=AddTrust Class 1 CA Root,OU=AddTrust TTP Network,O=AddTrust AB,C=SE"] = "\x30\x82\x04\x18\x30\x82\x03\x00\xA0\x03\x02\x01\x02\x02\x01\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x65\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x53\x45\x31\x14\x30\x12\x06\x03\x55\x04\x0A\x13\x0B\x41\x64\x64\x54\x72\x75\x73\x74\x20\x41\x42\x31\x1D\x30\x1B\x06\x03\x55\x04\x0B\x13\x14\x41\x64\x64\x54\x72\x75\x73\x74\x20\x54\x54\x50\x20\x4E\x65\x74\x77\x6F\x72\x6B\x31\x21\x30\x1F\x06\x03\x55\x04\x03\x13\x18\x41\x64\x64\x54\x72\x75\x73\x74\x20\x43\x6C\x61\x73\x73\x20\x31\x20\x43\x41\x20\x52\x6F\x6F\x74\x30\x1E\x17\x0D\x30\x30\x30\x35\x33\x30\x31\x30\x33\x38\x33\x31\x5A\x17\x0D\x32\x30\x30\x35\x33\x30\x31\x30\x33\x38\x33\x31\x5A\x30\x65\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x53\x45\x31\x14\x30\x12\x06\x03\x55\x04\x0A\x13\x0B\x41\x64\x64\x54\x72\x75\x73\x74\x20\x41\x42\x31\x1D\x30\x1B\x06\x03\x55\x04\x0B\x13\x14\x41\x64\x64\x54\x72\x75\x73\x74\x20\x54\x54\x50\x20\x4E\x65\x74\x77\x6F\x72\x6B\x31\x21\x30\x1F\x06\x03\x55\x04\x03\x13\x18\x41\x64\x64\x54\x72\x75\x73\x74\x20\x43\x6C\x61\x73\x73\x20\x31\x20\x43\x41\x20\x52\x6F\x6F\x74\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\x96\x96\xD4\x21\x49\x60\xE2\x6B\xE8\x41\x07\x0C\xDE\xC4\xE0\xDC\x13\x23\xCD\xC1\x35\xC7\xFB\xD6\x4E\x11\x0A\x67\x5E\xF5\x06\x5B\x6B\xA5\x08\x3B\x5B\x29\x16\x3A\xE7\x87\xB2\x34\x06\xC5\xBC\x05\xA5\x03\x
7C\x82\xCB\x29\x10\xAE\xE1\x88\x81\xBD\xD6\x9E\xD3\xFE\x2D\x56\xC1\x15\xCE\xE3\x26\x9D\x15\x2E\x10\xFB\x06\x8F\x30\x04\xDE\xA7\xB4\x63\xB4\xFF\xB1\x9C\xAE\x3C\xAF\x77\xB6\x56\xC5\xB5\xAB\xA2\xE9\x69\x3A\x3D\x0E\x33\x79\x32\x3F\x70\x82\x92\x99\x61\x6D\x8D\x30\x08\x8F\x71\x3F\xA6\x48\x57\x19\xF8\x25\xDC\x4B\x66\x5C\xA5\x74\x8F\x98\xAE\xC8\xF9\xC0\x06\x22\xE7\xAC\x73\xDF\xA5\x2E\xFB\x52\xDC\xB1\x15\x65\x20\xFA\x35\x66\x69\xDE\xDF\x2C\xF1\x6E\xBC\x30\xDB\x2C\x24\x12\xDB\xEB\x35\x35\x68\x90\xCB\x00\xB0\x97\x21\x3D\x74\x21\x23\x65\x34\x2B\xBB\x78\x59\xA3\xD6\xE1\x76\x39\x9A\xA4\x49\x8E\x8C\x74\xAF\x6E\xA4\x9A\xA3\xD9\x9B\xD2\x38\x5C\x9B\xA2\x18\xCC\x75\x23\x84\xBE\xEB\xE2\x4D\x33\x71\x8E\x1A\xF0\xC2\xF8\xC7\x1D\xA2\xAD\x03\x97\x2C\xF8\xCF\x25\xC6\xF6\xB8\x24\x31\xB1\x63\x5D\x92\x7F\x63\xF0\x25\xC9\x53\x2E\x1F\xBF\x4D\x02\x03\x01\x00\x01\xA3\x81\xD2\x30\x81\xCF\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x95\xB1\xB4\xF0\x94\xB6\xBD\xC7\xDA\xD1\x11\x09\x21\xBE\xC1\xAF\x49\xFD\x10\x7B\x30\x0B\x06\x03\x55\x1D\x0F\x04\x04\x03\x02\x01\x06\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x81\x8F\x06\x03\x55\x1D\x23\x04\x81\x87\x30\x81\x84\x80\x14\x95\xB1\xB4\xF0\x94\xB6\xBD\xC7\xDA\xD1\x11\x09\x21\xBE\xC1\xAF\x49\xFD\x10\x7B\xA1\x69\xA4\x67\x30\x65\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x53\x45\x31\x14\x30\x12\x06\x03\x55\x04\x0A\x13\x0B\x41\x64\x64\x54\x72\x75\x73\x74\x20\x41\x42\x31\x1D\x30\x1B\x06\x03\x55\x04\x0B\x13\x14\x41\x64\x64\x54\x72\x75\x73\x74\x20\x54\x54\x50\x20\x4E\x65\x74\x77\x6F\x72\x6B\x31\x21\x30\x1F\x06\x03\x55\x04\x03\x13\x18\x41\x64\x64\x54\x72\x75\x73\x74\x20\x43\x6C\x61\x73\x73\x20\x31\x20\x43\x41\x20\x52\x6F\x6F\x74\x82\x01\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x2C\x6D\x64\x1B\x1F\xCD\x0D\xDD\xB9\x01\xFA\x96\x63\x34\x32\x48\x47\x99\xAE\x97\xED\xFD\x72\x16\xA6\x73\x47\x5A\xF4\xEB\xDD\xE9\xF5\xD6\xFB\x45\xCC\x29\x89\x44\x5D\xBF\x46\x39\x3D\xE8\xEE\xBC\x4D\x54\x86\x1E\x1D\x6C\xE3\x17\x
27\x43\xE1\x89\x56\x2B\xA9\x6F\x72\x4E\x49\x33\xE3\x72\x7C\x2A\x23\x9A\xBC\x3E\xFF\x28\x2A\xED\xA3\xFF\x1C\x23\xBA\x43\x57\x09\x67\x4D\x4B\x62\x06\x2D\xF8\xFF\x6C\x9D\x60\x1E\xD8\x1C\x4B\x7D\xB5\x31\x2F\xD9\xD0\x7C\x5D\xF8\xDE\x6B\x83\x18\x78\x37\x57\x2F\xE8\x33\x07\x67\xDF\x1E\xC7\x6B\x2A\x95\x76\xAE\x8F\x57\xA3\xF0\xF4\x52\xB4\xA9\x53\x08\xCF\xE0\x4F\xD3\x7A\x53\x8B\xFD\xBB\x1C\x56\x36\xF2\xFE\xB2\xB6\xE5\x76\xBB\xD5\x22\x65\xA7\x3F\xFE\xD1\x66\xAD\x0B\xBC\x6B\x99\x86\xEF\x3F\x7D\xF3\x18\x32\xCA\x7B\xC6\xE3\xAB\x64\x46\x95\xF8\x26\x69\xD9\x55\x83\x7B\x2C\x96\x07\xFF\x59\x2C\x44\xA3\xC6\xE5\xE9\xA9\xDC\xA1\x63\x80\x5A\x21\x5E\x21\xCF\x53\x54\xF0\xBA\x6F\x89\xDB\xA8\xAA\x95\xCF\x8B\xE3\x71\xCC\x1E\x1B\x20\x44\x08\xC0\x7A\xB6\x40\xFD\xC4\xE4\x35\xE1\x1D\x16\x1C\xD0\xBC\x2B\x8E\xD6\x71\xD9", ["CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE"] = "\x30\x82\x04\x36\x30\x82\x03\x1E\xA0\x03\x02\x01\x02\x02\x01\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x6F\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x53\x45\x31\x14\x30\x12\x06\x03\x55\x04\x0A\x13\x0B\x41\x64\x64\x54\x72\x75\x73\x74\x20\x41\x42\x31\x26\x30\x24\x06\x03\x55\x04\x0B\x13\x1D\x41\x64\x64\x54\x72\x75\x73\x74\x20\x45\x78\x74\x65\x72\x6E\x61\x6C\x20\x54\x54\x50\x20\x4E\x65\x74\x77\x6F\x72\x6B\x31\x22\x30\x20\x06\x03\x55\x04\x03\x13\x19\x41\x64\x64\x54\x72\x75\x73\x74\x20\x45\x78\x74\x65\x72\x6E\x61\x6C\x20\x43\x41\x20\x52\x6F\x6F\x74\x30\x1E\x17\x0D\x30\x30\x30\x35\x33\x30\x31\x30\x34\x38\x33\x38\x5A\x17\x0D\x32\x30\x30\x35\x33\x30\x31\x30\x34\x38\x33\x38\x5A\x30\x6F\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x53\x45\x31\x14\x30\x12\x06\x03\x55\x04\x0A\x13\x0B\x41\x64\x64\x54\x72\x75\x73\x74\x20\x41\x42\x31\x26\x30\x24\x06\x03\x55\x04\x0B\x13\x1D\x41\x64\x64\x54\x72\x75\x73\x74\x20\x45\x78\x74\x65\x72\x6E\x61\x6C\x20\x54\x54\x50\x20\x4E\x65\x74\x77\x6F\x72\x6B\x31\x22\x30\x20\x06\x03\x55\x04\x03\x13\x19\x41\x64\x64\x54\x72\x75\x73\x74\x20\x45\x78\x74\x65\x7
2\x6E\x61\x6C\x20\x43\x41\x20\x52\x6F\x6F\x74\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xB7\xF7\x1A\x33\xE6\xF2\x00\x04\x2D\x39\xE0\x4E\x5B\xED\x1F\xBC\x6C\x0F\xCD\xB5\xFA\x23\xB6\xCE\xDE\x9B\x11\x33\x97\xA4\x29\x4C\x7D\x93\x9F\xBD\x4A\xBC\x93\xED\x03\x1A\xE3\x8F\xCF\xE5\x6D\x50\x5A\xD6\x97\x29\x94\x5A\x80\xB0\x49\x7A\xDB\x2E\x95\xFD\xB8\xCA\xBF\x37\x38\x2D\x1E\x3E\x91\x41\xAD\x70\x56\xC7\xF0\x4F\x3F\xE8\x32\x9E\x74\xCA\xC8\x90\x54\xE9\xC6\x5F\x0F\x78\x9D\x9A\x40\x3C\x0E\xAC\x61\xAA\x5E\x14\x8F\x9E\x87\xA1\x6A\x50\xDC\xD7\x9A\x4E\xAF\x05\xB3\xA6\x71\x94\x9C\x71\xB3\x50\x60\x0A\xC7\x13\x9D\x38\x07\x86\x02\xA8\xE9\xA8\x69\x26\x18\x90\xAB\x4C\xB0\x4F\x23\xAB\x3A\x4F\x84\xD8\xDF\xCE\x9F\xE1\x69\x6F\xBB\xD7\x42\xD7\x6B\x44\xE4\xC7\xAD\xEE\x6D\x41\x5F\x72\x5A\x71\x08\x37\xB3\x79\x65\xA4\x59\xA0\x94\x37\xF7\x00\x2F\x0D\xC2\x92\x72\xDA\xD0\x38\x72\xDB\x14\xA8\x45\xC4\x5D\x2A\x7D\xB7\xB4\xD6\xC4\xEE\xAC\xCD\x13\x44\xB7\xC9\x2B\xDD\x43\x00\x25\xFA\x61\xB9\x69\x6A\x58\x23\x11\xB7\xA7\x33\x8F\x56\x75\x59\xF5\xCD\x29\xD7\x46\xB7\x0A\x2B\x65\xB6\xD3\x42\x6F\x15\xB2\xB8\x7B\xFB\xEF\xE9\x5D\x53\xD5\x34\x5A\x27\x02\x03\x01\x00\x01\xA3\x81\xDC\x30\x81\xD9\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xAD\xBD\x98\x7A\x34\xB4\x26\xF7\xFA\xC4\x26\x54\xEF\x03\xBD\xE0\x24\xCB\x54\x1A\x30\x0B\x06\x03\x55\x1D\x0F\x04\x04\x03\x02\x01\x06\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x81\x99\x06\x03\x55\x1D\x23\x04\x81\x91\x30\x81\x8E\x80\x14\xAD\xBD\x98\x7A\x34\xB4\x26\xF7\xFA\xC4\x26\x54\xEF\x03\xBD\xE0\x24\xCB\x54\x1A\xA1\x73\xA4\x71\x30\x6F\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x53\x45\x31\x14\x30\x12\x06\x03\x55\x04\x0A\x13\x0B\x41\x64\x64\x54\x72\x75\x73\x74\x20\x41\x42\x31\x26\x30\x24\x06\x03\x55\x04\x0B\x13\x1D\x41\x64\x64\x54\x72\x75\x73\x74\x20\x45\x78\x74\x65\x72\x6E\x61\x6C\x20\x54\x54\x50\x20\x4E\x65\x74\x77\x6F\x72\x6B\x31\x22\x30\x20\x06\x03\x55\x04\x03\x13\x1
9\x41\x64\x64\x54\x72\x75\x73\x74\x20\x45\x78\x74\x65\x72\x6E\x61\x6C\x20\x43\x41\x20\x52\x6F\x6F\x74\x82\x01\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\xB0\x9B\xE0\x85\x25\xC2\xD6\x23\xE2\x0F\x96\x06\x92\x9D\x41\x98\x9C\xD9\x84\x79\x81\xD9\x1E\x5B\x14\x07\x23\x36\x65\x8F\xB0\xD8\x77\xBB\xAC\x41\x6C\x47\x60\x83\x51\xB0\xF9\x32\x3D\xE7\xFC\xF6\x26\x13\xC7\x80\x16\xA5\xBF\x5A\xFC\x87\xCF\x78\x79\x89\x21\x9A\xE2\x4C\x07\x0A\x86\x35\xBC\xF2\xDE\x51\xC4\xD2\x96\xB7\xDC\x7E\x4E\xEE\x70\xFD\x1C\x39\xEB\x0C\x02\x51\x14\x2D\x8E\xBD\x16\xE0\xC1\xDF\x46\x75\xE7\x24\xAD\xEC\xF4\x42\xB4\x85\x93\x70\x10\x67\xBA\x9D\x06\x35\x4A\x18\xD3\x2B\x7A\xCC\x51\x42\xA1\x7A\x63\xD1\xE6\xBB\xA1\xC5\x2B\xC2\x36\xBE\x13\x0D\xE6\xBD\x63\x7E\x79\x7B\xA7\x09\x0D\x40\xAB\x6A\xDD\x8F\x8A\xC3\xF6\xF6\x8C\x1A\x42\x05\x51\xD4\x45\xF5\x9F\xA7\x62\x21\x68\x15\x20\x43\x3C\x99\xE7\x7C\xBD\x24\xD8\xA9\x91\x17\x73\x88\x3F\x56\x1B\x31\x38\x18\xB4\x71\x0F\x9A\xCD\xC8\x0E\x9E\x8E\x2E\x1B\xE1\x8C\x98\x83\xCB\x1F\x31\xF1\x44\x4C\xC6\x04\x73\x49\x76\x60\x0F\xC7\xF8\xBD\x17\x80\x6B\x2E\xE9\xCC\x4C\x0E\x5A\x9A\x79\x0F\x20\x0A\x2E\xD5\x9E\x63\x26\x1E\x55\x92\x94\xD8\x82\x17\x5A\x7B\xD0\xBC\xC7\x8F\x4E\x86\x04", - ["CN=AddTrust Public CA Root,OU=AddTrust TTP Network,O=AddTrust AB,C=SE"] = 
"\x30\x82\x04\x15\x30\x82\x02\xFD\xA0\x03\x02\x01\x02\x02\x01\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x64\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x53\x45\x31\x14\x30\x12\x06\x03\x55\x04\x0A\x13\x0B\x41\x64\x64\x54\x72\x75\x73\x74\x20\x41\x42\x31\x1D\x30\x1B\x06\x03\x55\x04\x0B\x13\x14\x41\x64\x64\x54\x72\x75\x73\x74\x20\x54\x54\x50\x20\x4E\x65\x74\x77\x6F\x72\x6B\x31\x20\x30\x1E\x06\x03\x55\x04\x03\x13\x17\x41\x64\x64\x54\x72\x75\x73\x74\x20\x50\x75\x62\x6C\x69\x63\x20\x43\x41\x20\x52\x6F\x6F\x74\x30\x1E\x17\x0D\x30\x30\x30\x35\x33\x30\x31\x30\x34\x31\x35\x30\x5A\x17\x0D\x32\x30\x30\x35\x33\x30\x31\x30\x34\x31\x35\x30\x5A\x30\x64\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x53\x45\x31\x14\x30\x12\x06\x03\x55\x04\x0A\x13\x0B\x41\x64\x64\x54\x72\x75\x73\x74\x20\x41\x42\x31\x1D\x30\x1B\x06\x03\x55\x04\x0B\x13\x14\x41\x64\x64\x54\x72\x75\x73\x74\x20\x54\x54\x50\x20\x4E\x65\x74\x77\x6F\x72\x6B\x31\x20\x30\x1E\x06\x03\x55\x04\x03\x13\x17\x41\x64\x64\x54\x72\x75\x73\x74\x20\x50\x75\x62\x6C\x69\x63\x20\x43\x41\x20\x52\x6F\x6F\x74\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xE9\x1A\x30\x8F\x83\x88\x14\xC1\x20\xD8\x3C\x9B\x8F\x1B\x7E\x03\x74\xBB\xDA\x69\xD3\x46\xA5\xF8\x8E\xC2\x0C\x11\x90\x51\xA5\x2F\x66\x54\x40\x55\xEA\xDB\x1F\x4A\x56\xEE\x9F\x23\x6E\xF4\x39\xCB\xA1\xB9\x6F\xF2\x7E\xF9\x5D\x87\x26\x61\x9E\x1C\xF8\xE2\xEC\xA6\x81\xF8\x21\xC5\x24\xCC\x11\x0C\x3F\xDB\x26\x72\x7A\xC7\x01\x97\x07\x17\xF9\xD7\x18\x2C\x30\x7D\x0E\x7A\x1E\x62\x1E\xC6\x4B\xC0\xFD\x7D\x62\x77\xD3\x44\x1E\x27\xF6\x3F\x4B\x44\xB3\xB7\x38\xD9\x39\x1F\x60\xD5\x51\x92\x73\x03\xB4\x00\x69\xE3\xF3\x14\x4E\xEE\xD1\xDC\x09\xCF\x77\x34\x46\x50\xB0\xF8\x11\xF2\xFE\x38\x79\xF7\x07\x39\xFE\x51\x92\x97\x0B\x5B\x08\x5F\x34\x86\x01\xAD\x88\x97\xEB\x66\xCD\x5E\xD1\xFF\xDC\x7D\xF2\x84\xDA\xBA\x77\xAD\xDC\x80\x08\xC7\xA7\x87\xD6\x55\x9F\x97\x6A\xE8\xC8\x11\x64\xBA\xE7\x19\x29\x3F\x11\xB3\x78\x90\x84\x2
0\x52\x5B\x11\xEF\x78\xD0\x83\xF6\xD5\x48\x90\xD0\x30\x1C\xCF\x80\xF9\x60\xFE\x79\xE4\x88\xF2\xDD\x00\xEB\x94\x45\xEB\x65\x94\x69\x40\xBA\xC0\xD5\xB4\xB8\xBA\x7D\x04\x11\xA8\xEB\x31\x05\x96\x94\x4E\x58\x21\x8E\x9F\xD0\x60\xFD\x02\x03\x01\x00\x01\xA3\x81\xD1\x30\x81\xCE\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x81\x3E\x37\xD8\x92\xB0\x1F\x77\x9F\x5C\xB4\xAB\x73\xAA\xE7\xF6\x34\x60\x2F\xFA\x30\x0B\x06\x03\x55\x1D\x0F\x04\x04\x03\x02\x01\x06\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x81\x8E\x06\x03\x55\x1D\x23\x04\x81\x86\x30\x81\x83\x80\x14\x81\x3E\x37\xD8\x92\xB0\x1F\x77\x9F\x5C\xB4\xAB\x73\xAA\xE7\xF6\x34\x60\x2F\xFA\xA1\x68\xA4\x66\x30\x64\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x53\x45\x31\x14\x30\x12\x06\x03\x55\x04\x0A\x13\x0B\x41\x64\x64\x54\x72\x75\x73\x74\x20\x41\x42\x31\x1D\x30\x1B\x06\x03\x55\x04\x0B\x13\x14\x41\x64\x64\x54\x72\x75\x73\x74\x20\x54\x54\x50\x20\x4E\x65\x74\x77\x6F\x72\x6B\x31\x20\x30\x1E\x06\x03\x55\x04\x03\x13\x17\x41\x64\x64\x54\x72\x75\x73\x74\x20\x50\x75\x62\x6C\x69\x63\x20\x43\x41\x20\x52\x6F\x6F\x74\x82\x01\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x03\xF7\x15\x4A\xF8\x24\xDA\x23\x56\x16\x93\x76\xDD\x36\x28\xB9\xAE\x1B\xB8\xC3\xF1\x64\xBA\x20\x18\x78\x95\x29\x27\x57\x05\xBC\x7C\x2A\xF4\xB9\x51\x55\xDA\x87\x02\xDE\x0F\x16\x17\x31\xF8\xAA\x79\x2E\x09\x13\xBB\xAF\xB2\x20\x19\x12\xE5\x93\xF9\x4B\xF9\x83\xE8\x44\xD5\xB2\x41\x25\xBF\x88\x75\x6F\xFF\x10\xFC\x4A\x54\xD0\x5F\xF0\xFA\xEF\x36\x73\x7D\x1B\x36\x45\xC6\x21\x6D\xB4\x15\xB8\x4E\xCF\x9C\x5C\xA5\x3D\x5A\x00\x8E\x06\xE3\x3C\x6B\x32\x7B\xF2\x9F\xF0\xB6\xFD\xDF\xF0\x28\x18\x48\xF0\xC6\xBC\xD0\xBF\x34\x80\x96\xC2\x4A\xB1\x6D\x8E\xC7\x90\x45\xDE\x2F\x67\xAC\x45\x04\xA3\x7A\xDC\x55\x92\xC9\x47\x66\xD8\x1A\x8C\xC7\xED\x9C\x4E\x9A\xE0\x12\xBB\xB5\x6A\x4C\x84\xE1\xE1\x22\x0D\x87\x00\x64\xFE\x8C\x7D\x62\x39\x65\xA6\xEF\x42\xB6\x80\x25\x12\x61\x01\xA8\x24\x13\x70\x00\x11\x26\x5F\xFA\x35\x50\xC5\x48\xCC\x06\x47\xE8\x27\xD
8\x70\x8D\x5F\x64\xE6\xA1\x44\x26\x5E\x22\xEC\x92\xCD\xFF\x42\x9A\x44\x21\x6D\x5C\xC5\xE3\x22\x1D\x5F\x47\x12\xE7\xCE\x5F\x5D\xFA\xD8\xAA\xB1\x33\x2D\xD9\x76\xF2\x4E\x3A\x33\x0C\x2B\xB3\x2D\x90\x06", - ["CN=AddTrust Qualified CA Root,OU=AddTrust TTP Network,O=AddTrust AB,C=SE"] = "\x30\x82\x04\x1E\x30\x82\x03\x06\xA0\x03\x02\x01\x02\x02\x01\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x67\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x53\x45\x31\x14\x30\x12\x06\x03\x55\x04\x0A\x13\x0B\x41\x64\x64\x54\x72\x75\x73\x74\x20\x41\x42\x31\x1D\x30\x1B\x06\x03\x55\x04\x0B\x13\x14\x41\x64\x64\x54\x72\x75\x73\x74\x20\x54\x54\x50\x20\x4E\x65\x74\x77\x6F\x72\x6B\x31\x23\x30\x21\x06\x03\x55\x04\x03\x13\x1A\x41\x64\x64\x54\x72\x75\x73\x74\x20\x51\x75\x61\x6C\x69\x66\x69\x65\x64\x20\x43\x41\x20\x52\x6F\x6F\x74\x30\x1E\x17\x0D\x30\x30\x30\x35\x33\x30\x31\x30\x34\x34\x35\x30\x5A\x17\x0D\x32\x30\x30\x35\x33\x30\x31\x30\x34\x34\x35\x30\x5A\x30\x67\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x53\x45\x31\x14\x30\x12\x06\x03\x55\x04\x0A\x13\x0B\x41\x64\x64\x54\x72\x75\x73\x74\x20\x41\x42\x31\x1D\x30\x1B\x06\x03\x55\x04\x0B\x13\x14\x41\x64\x64\x54\x72\x75\x73\x74\x20\x54\x54\x50\x20\x4E\x65\x74\x77\x6F\x72\x6B\x31\x23\x30\x21\x06\x03\x55\x04\x03\x13\x1A\x41\x64\x64\x54\x72\x75\x73\x74\x20\x51\x75\x61\x6C\x69\x66\x69\x65\x64\x20\x43\x41\x20\x52\x6F\x6F\x74\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xE4\x1E\x9A\xFE\xDC\x09\x5A\x87\xA4\x9F\x47\xBE\x11\x5F\xAF\x84\x34\xDB\x62\x3C\x79\x78\xB7\xE9\x30\xB5\xEC\x0C\x1C\x2A\xC4\x16\xFF\xE0\xEC\x71\xEB\x8A\xF5\x11\x6E\xED\x4F\x0D\x91\xD2\x12\x18\x2D\x49\x15\x01\xC2\xA4\x22\x13\xC7\x11\x64\xFF\x22\x12\x9A\xB9\x8E\x5C\x2F\x08\xCF\x71\x6A\xB3\x67\x01\x59\xF1\x5D\x46\xF3\xB0\x78\xA5\xF6\x0E\x42\x7A\xE3\x7F\x1B\xCC\xD0\xF0\xB7\x28\xFD\x2A\xEA\x9E\xB3\xB0\xB9\x04\xAA\xFD\xF6\xC7\xB4\xB1\xB8\x2A\xA0\xFB\x58\xF1\x19\xA0\x6F\x70\x25\x7E\x3E\x69\x4A\x
7F\x0F\x22\xD8\xEF\xAD\x08\x11\x9A\x29\x99\xE1\xAA\x44\x45\x9A\x12\x5E\x3E\x9D\x6D\x52\xFC\xE7\xA0\x3D\x68\x2F\xF0\x4B\x70\x7C\x13\x38\xAD\xBC\x15\x25\xF1\xD6\xCE\xAB\xA2\xC0\x31\xD6\x2F\x9F\xE0\xFF\x14\x59\xFC\x84\x93\xD9\x87\x7C\x4C\x54\x13\xEB\x9F\xD1\x2D\x11\xF8\x18\x3A\x3A\xDE\x25\xD9\xF7\xD3\x40\xED\xA4\x06\x12\xC4\x3B\xE1\x91\xC1\x56\x35\xF0\x14\xDC\x65\x36\x09\x6E\xAB\xA4\x07\xC7\x35\xD1\xC2\x03\x33\x36\x5B\x75\x26\x6D\x42\xF1\x12\x6B\x43\x6F\x4B\x71\x94\xFA\x34\x1D\xED\x13\x6E\xCA\x80\x7F\x98\x2F\x6C\xB9\x65\xD8\xE9\x02\x03\x01\x00\x01\xA3\x81\xD4\x30\x81\xD1\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x39\x95\x8B\x62\x8B\x5C\xC9\xD4\x80\xBA\x58\x0F\x97\x3F\x15\x08\x43\xCC\x98\xA7\x30\x0B\x06\x03\x55\x1D\x0F\x04\x04\x03\x02\x01\x06\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x81\x91\x06\x03\x55\x1D\x23\x04\x81\x89\x30\x81\x86\x80\x14\x39\x95\x8B\x62\x8B\x5C\xC9\xD4\x80\xBA\x58\x0F\x97\x3F\x15\x08\x43\xCC\x98\xA7\xA1\x6B\xA4\x69\x30\x67\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x53\x45\x31\x14\x30\x12\x06\x03\x55\x04\x0A\x13\x0B\x41\x64\x64\x54\x72\x75\x73\x74\x20\x41\x42\x31\x1D\x30\x1B\x06\x03\x55\x04\x0B\x13\x14\x41\x64\x64\x54\x72\x75\x73\x74\x20\x54\x54\x50\x20\x4E\x65\x74\x77\x6F\x72\x6B\x31\x23\x30\x21\x06\x03\x55\x04\x03\x13\x1A\x41\x64\x64\x54\x72\x75\x73\x74\x20\x51\x75\x61\x6C\x69\x66\x69\x65\x64\x20\x43\x41\x20\x52\x6F\x6F\x74\x82\x01\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x19\xAB\x75\xEA\xF8\x8B\x65\x61\x95\x13\xBA\x69\x04\xEF\x86\xCA\x13\xA0\xC7\xAA\x4F\x64\x1B\x3F\x18\xF6\xA8\x2D\x2C\x55\x8F\x05\xB7\x30\xEA\x42\x6A\x1D\xC0\x25\x51\x2D\xA7\xBF\x0C\xB3\xED\xEF\x08\x7F\x6C\x3C\x46\x1A\xEA\x18\x43\xDF\x76\xCC\xF9\x66\x86\x9C\x2C\x68\xF5\xE9\x17\xF8\x31\xB3\x18\xC4\xD6\x48\x7D\x23\x4C\x68\xC1\x7E\xBB\x01\x14\x6F\xC5\xD9\x6E\xDE\xBB\x04\x42\x6A\xF8\xF6\x5C\x7D\xE5\xDA\xFA\x87\xEB\x0D\x35\x52\x67\xD0\x9E\x97\x76\x05\x93\x3F\x95\xC7\x01\xE6\x69\x55\x38\x7F\x10\x61\x99\xC9\xE3\x
5F\xA6\xCA\x3E\x82\x63\x48\xAA\xE2\x08\x48\x3E\xAA\xF2\xB2\x85\x62\xA6\xB4\xA7\xD9\xBD\x37\x9C\x68\xB5\x2D\x56\x7D\xB0\xB7\x3F\xA0\xB1\x07\xD6\xE9\x4F\xDC\xDE\x45\x71\x30\x32\x7F\x1B\x2E\x09\xF9\xBF\x52\xA1\xEE\xC2\x80\x3E\x06\x5C\x2E\x55\x40\xC1\x1B\xF5\x70\x45\xB0\xDC\x5D\xFA\xF6\x72\x5A\x77\xD2\x63\xCD\xCF\x58\x89\x00\x42\x63\x3F\x79\x39\xD0\x44\xB0\x82\x6E\x41\x19\xE8\xDD\xE0\xC1\x88\x5A\xD1\x1E\x71\x93\x1F\x24\x30\x74\xE5\x1E\xA8\xDE\x3C\x27\x37\x7F\x83\xAE\x9E\x77\xCF\xF0\x30\xB1\xFF\x4B\x99\xE8\xC6\xA1", ["CN=Entrust Root Certification Authority,OU=(c) 2006 Entrust\, Inc.,OU=www.entrust.net/CPS is incorporated by reference,O=Entrust\, Inc.,C=US"] = "\x30\x82\x04\x91\x30\x82\x03\x79\xA0\x03\x02\x01\x02\x02\x04\x45\x6B\x50\x54\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x81\xB0\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x16\x30\x14\x06\x03\x55\x04\x0A\x13\x0D\x45\x6E\x74\x72\x75\x73\x74\x2C\x20\x49\x6E\x63\x2E\x31\x39\x30\x37\x06\x03\x55\x04\x0B\x13\x30\x77\x77\x77\x2E\x65\x6E\x74\x72\x75\x73\x74\x2E\x6E\x65\x74\x2F\x43\x50\x53\x20\x69\x73\x20\x69\x6E\x63\x6F\x72\x70\x6F\x72\x61\x74\x65\x64\x20\x62\x79\x20\x72\x65\x66\x65\x72\x65\x6E\x63\x65\x31\x1F\x30\x1D\x06\x03\x55\x04\x0B\x13\x16\x28\x63\x29\x20\x32\x30\x30\x36\x20\x45\x6E\x74\x72\x75\x73\x74\x2C\x20\x49\x6E\x63\x2E\x31\x2D\x30\x2B\x06\x03\x55\x04\x03\x13\x24\x45\x6E\x74\x72\x75\x73\x74\x20\x52\x6F\x6F\x74\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x1E\x17\x0D\x30\x36\x31\x31\x32\x37\x32\x30\x32\x33\x34\x32\x5A\x17\x0D\x32\x36\x31\x31\x32\x37\x32\x30\x35\x33\x34\x32\x5A\x30\x81\xB0\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x16\x30\x14\x06\x03\x55\x04\x0A\x13\x0D\x45\x6E\x74\x72\x75\x73\x74\x2C\x20\x49\x6E\x63\x2E\x31\x39\x30\x37\x06\x03\x55\x04\x0B\x13\x30\x77\x77\x77\x2E\x65\x6E\x74\x72\x75\x73\x74\x2E\x6E\x65\x74\x2F\x43\x50\x53\x20\x69\x73\x20\x69\x6E\x63\x6F\x72\x70\x6F\x72\x61\x74\x65\x64\x20\x62\x7
9\x20\x72\x65\x66\x65\x72\x65\x6E\x63\x65\x31\x1F\x30\x1D\x06\x03\x55\x04\x0B\x13\x16\x28\x63\x29\x20\x32\x30\x30\x36\x20\x45\x6E\x74\x72\x75\x73\x74\x2C\x20\x49\x6E\x63\x2E\x31\x2D\x30\x2B\x06\x03\x55\x04\x03\x13\x24\x45\x6E\x74\x72\x75\x73\x74\x20\x52\x6F\x6F\x74\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xB6\x95\xB6\x43\x42\xFA\xC6\x6D\x2A\x6F\x48\xDF\x94\x4C\x39\x57\x05\xEE\xC3\x79\x11\x41\x68\x36\xED\xEC\xFE\x9A\x01\x8F\xA1\x38\x28\xFC\xF7\x10\x46\x66\x2E\x4D\x1E\x1A\xB1\x1A\x4E\xC6\xD1\xC0\x95\x88\xB0\xC9\xFF\x31\x8B\x33\x03\xDB\xB7\x83\x7B\x3E\x20\x84\x5E\xED\xB2\x56\x28\xA7\xF8\xE0\xB9\x40\x71\x37\xC5\xCB\x47\x0E\x97\x2A\x68\xC0\x22\x95\x62\x15\xDB\x47\xD9\xF5\xD0\x2B\xFF\x82\x4B\xC9\xAD\x3E\xDE\x4C\xDB\x90\x80\x50\x3F\x09\x8A\x84\x00\xEC\x30\x0A\x3D\x18\xCD\xFB\xFD\x2A\x59\x9A\x23\x95\x17\x2C\x45\x9E\x1F\x6E\x43\x79\x6D\x0C\x5C\x98\xFE\x48\xA7\xC5\x23\x47\x5C\x5E\xFD\x6E\xE7\x1E\xB4\xF6\x68\x45\xD1\x86\x83\x5B\xA2\x8A\x8D\xB1\xE3\x29\x80\xFE\x25\x71\x88\xAD\xBE\xBC\x8F\xAC\x52\x96\x4B\xAA\x51\x8D\xE4\x13\x31\x19\xE8\x4E\x4D\x9F\xDB\xAC\xB3\x6A\xD5\xBC\x39\x54\x71\xCA\x7A\x7A\x7F\x90\xDD\x7D\x1D\x80\xD9\x81\xBB\x59\x26\xC2\x11\xFE\xE6\x93\xE2\xF7\x80\xE4\x65\xFB\x34\x37\x0E\x29\x80\x70\x4D\xAF\x38\x86\x2E\x9E\x7F\x57\xAF\x9E\x17\xAE\xEB\x1C\xCB\x28\x21\x5F\xB6\x1C\xD8\xE7\xA2\x04\x22\xF9\xD3\xDA\xD8\xCB\x02\x03\x01\x00\x01\xA3\x81\xB0\x30\x81\xAD\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x2B\x06\x03\x55\x1D\x10\x04\x24\x30\x22\x80\x0F\x32\x30\x30\x36\x31\x31\x32\x37\x32\x30\x32\x33\x34\x32\x5A\x81\x0F\x32\x30\x32\x36\x31\x31\x32\x37\x32\x30\x35\x33\x34\x32\x5A\x30\x1F\x06\x03\x55\x1D\x23\x04\x18\x30\x16\x80\x14\x68\x90\xE4\x67\xA4\xA6\x53\x80\xC7\x86\x66\xA4\xF1\xF7\x4B\x43\xFB\x84\xB
D\x6D\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x68\x90\xE4\x67\xA4\xA6\x53\x80\xC7\x86\x66\xA4\xF1\xF7\x4B\x43\xFB\x84\xBD\x6D\x30\x1D\x06\x09\x2A\x86\x48\x86\xF6\x7D\x07\x41\x00\x04\x10\x30\x0E\x1B\x08\x56\x37\x2E\x31\x3A\x34\x2E\x30\x03\x02\x04\x90\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x93\xD4\x30\xB0\xD7\x03\x20\x2A\xD0\xF9\x63\xE8\x91\x0C\x05\x20\xA9\x5F\x19\xCA\x7B\x72\x4E\xD4\xB1\xDB\xD0\x96\xFB\x54\x5A\x19\x2C\x0C\x08\xF7\xB2\xBC\x85\xA8\x9D\x7F\x6D\x3B\x52\xB3\x2A\xDB\xE7\xD4\x84\x8C\x63\xF6\x0F\xCB\x26\x01\x91\x50\x6C\xF4\x5F\x14\xE2\x93\x74\xC0\x13\x9E\x30\x3A\x50\xE3\xB4\x60\xC5\x1C\xF0\x22\x44\x8D\x71\x47\xAC\xC8\x1A\xC9\xE9\x9B\x9A\x00\x60\x13\xFF\x70\x7E\x5F\x11\x4D\x49\x1B\xB3\x15\x52\x7B\xC9\x54\xDA\xBF\x9D\x95\xAF\x6B\x9A\xD8\x9E\xE9\xF1\xE4\x43\x8D\xE2\x11\x44\x3A\xBF\xAF\xBD\x83\x42\x73\x52\x8B\xAA\xBB\xA7\x29\xCF\xF5\x64\x1C\x0A\x4D\xD1\xBC\xAA\xAC\x9F\x2A\xD0\xFF\x7F\x7F\xDA\x7D\xEA\xB1\xED\x30\x25\xC1\x84\xDA\x34\xD2\x5B\x78\x83\x56\xEC\x9C\x36\xC3\x26\xE2\x11\xF6\x67\x49\x1D\x92\xAB\x8C\xFB\xEB\xFF\x7A\xEE\x85\x4A\xA7\x50\x80\xF0\xA7\x5C\x4A\x94\x2E\x5F\x05\x99\x3C\x52\x41\xE0\xCD\xB4\x63\xCF\x01\x43\xBA\x9C\x83\xDC\x8F\x60\x3B\xF3\x5A\xB4\xB4\x7B\xAE\xDA\x0B\x90\x38\x75\xEF\x81\x1D\x66\xD2\xF7\x57\x70\x36\xB3\xBF\xFC\x28\xAF\x71\x25\x85\x5B\x13\xFE\x1E\x7F\x5A\xB4\x3C", - ["OU=RSA Security 2048 V3,O=RSA Security Inc"] = 
"\x30\x82\x03\x61\x30\x82\x02\x49\xA0\x03\x02\x01\x02\x02\x10\x0A\x01\x01\x01\x00\x00\x02\x7C\x00\x00\x00\x0A\x00\x00\x00\x02\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x3A\x31\x19\x30\x17\x06\x03\x55\x04\x0A\x13\x10\x52\x53\x41\x20\x53\x65\x63\x75\x72\x69\x74\x79\x20\x49\x6E\x63\x31\x1D\x30\x1B\x06\x03\x55\x04\x0B\x13\x14\x52\x53\x41\x20\x53\x65\x63\x75\x72\x69\x74\x79\x20\x32\x30\x34\x38\x20\x56\x33\x30\x1E\x17\x0D\x30\x31\x30\x32\x32\x32\x32\x30\x33\x39\x32\x33\x5A\x17\x0D\x32\x36\x30\x32\x32\x32\x32\x30\x33\x39\x32\x33\x5A\x30\x3A\x31\x19\x30\x17\x06\x03\x55\x04\x0A\x13\x10\x52\x53\x41\x20\x53\x65\x63\x75\x72\x69\x74\x79\x20\x49\x6E\x63\x31\x1D\x30\x1B\x06\x03\x55\x04\x0B\x13\x14\x52\x53\x41\x20\x53\x65\x63\x75\x72\x69\x74\x79\x20\x32\x30\x34\x38\x20\x56\x33\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xB7\x8F\x55\x71\xD2\x80\xDD\x7B\x69\x79\xA7\xF0\x18\x50\x32\x3C\x62\x67\xF6\x0A\x95\x07\xDD\xE6\x1B\xF3\x9E\xD9\xD2\x41\x54\x6B\xAD\x9F\x7C\xBE\x19\xCD\xFB\x46\xAB\x41\x68\x1E\x18\xEA\x55\xC8\x2F\x91\x78\x89\x28\xFB\x27\x29\x60\xFF\xDF\x8F\x8C\x3B\xC9\x49\x9B\xB5\xA4\x94\xCE\x01\xEA\x3E\xB5\x63\x7B\x7F\x26\xFD\x19\xDD\xC0\x21\xBD\x84\xD1\x2D\x4F\x46\xC3\x4E\xDC\xD8\x37\x39\x3B\x28\xAF\xCB\x9D\x1A\xEA\x2B\xAF\x21\xA5\xC1\x23\x22\xB8\xB8\x1B\x5A\x13\x87\x57\x83\xD1\xF0\x20\xE7\xE8\x4F\x23\x42\xB0\x00\xA5\x7D\x89\xE9\xE9\x61\x73\x94\x98\x71\x26\xBC\x2D\x6A\xE0\xF7\x4D\xF0\xF1\xB6\x2A\x38\x31\x81\x0D\x29\xE1\x00\xC1\x51\x0F\x4C\x52\xF8\x04\x5A\xAA\x7D\x72\xD3\xB8\x87\x2A\xBB\x63\x10\x03\x2A\xB3\xA1\x4F\x0D\x5A\x5E\x46\xB7\x3D\x0E\xF5\x74\xEC\x99\x9F\xF9\x3D\x24\x81\x88\xA6\xDD\x60\x54\xE8\x95\x36\x3D\xC6\x09\x93\x9A\xA3\x12\x80\x00\x55\x99\x19\x47\xBD\xD0\xA5\x7C\xC3\xBA\xFB\x1F\xF7\xF5\x0F\xF8\xAC\xB9\xB5\xF4\x37\x98\x13\x18\xDE\x85\x5B\xB7\x0C\x82\x3B\x87\x6F\x95\x39\x58\x30\xDA\x6E\x01\x68\x17\x22\xCC\xC0\x0B\x02\x03\x01\x00\x01\xA3\x63\x30\x61\x30\x0F\x06\x0
3\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x1F\x06\x03\x55\x1D\x23\x04\x18\x30\x16\x80\x14\x07\xC3\x51\x30\xA4\xAA\xE9\x45\xAE\x35\x24\xFA\xFF\x24\x2C\x33\xD0\xB1\x9D\x8C\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x07\xC3\x51\x30\xA4\xAA\xE9\x45\xAE\x35\x24\xFA\xFF\x24\x2C\x33\xD0\xB1\x9D\x8C\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x5F\x3E\x86\x76\x6E\xB8\x35\x3C\x4E\x36\x1C\x1E\x79\x98\xBF\xFD\xD5\x12\x11\x79\x52\x0E\xEE\x31\x89\xBC\xDD\x7F\xF9\xD1\xC6\x15\x21\xE8\x8A\x01\x54\x0D\x3A\xFB\x54\xB9\xD6\x63\xD4\xB1\xAA\x96\x4D\xA2\x42\x4D\xD4\x53\x1F\x8B\x10\xDE\x7F\x65\xBE\x60\x13\x27\x71\x88\xA4\x73\xE3\x84\x63\xD1\xA4\x55\xE1\x50\x93\xE6\x1B\x0E\x79\xD0\x67\xBC\x46\xC8\xBF\x3F\x17\x0D\x95\xE6\xC6\x90\x69\xDE\xE7\xB4\x2F\xDE\x95\x7D\xD0\x12\x3F\x3D\x3E\x7F\x4D\x3F\x14\x68\xF5\x11\x50\xD5\xC1\xF4\x90\xA5\x08\x1D\x31\x60\xFF\x60\x8C\x23\x54\x0A\xAF\xFE\xA1\x6E\xC5\xD1\x7A\x2A\x68\x78\xCF\x1E\x82\x0A\x20\xB4\x1F\xAD\xE5\x85\xB2\x6A\x68\x75\x4E\xAD\x25\x37\x94\x85\xBE\xBD\xA1\xD4\xEA\xB7\x0C\x4B\x3C\x9D\xE8\x12\x00\xF0\x5F\xAC\x0D\xE1\xAC\x70\x63\x73\xF7\x7F\x79\x9F\x32\x25\x42\x74\x05\x80\x28\xBF\xBD\xC1\x24\x96\x58\x15\xB1\x17\x21\xE9\x89\x4B\xDB\x07\x88\x67\xF4\x15\xAD\x70\x3E\x2F\x4D\x85\x3B\xC2\xB7\xDB\xFE\x98\x68\x23\x89\xE1\x74\x0F\xDE\xF4\xC5\x84\x63\x29\x1B\xCC\xCB\x07\xC9\x00\xA4\xA9\xD7\xC2\x22\x4F\x67\xD7\x77\xEC\x20\x05\x61\xDE", ["CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US"] = 
"\x30\x82\x03\x54\x30\x82\x02\x3C\xA0\x03\x02\x01\x02\x02\x03\x02\x34\x56\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x42\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x16\x30\x14\x06\x03\x55\x04\x0A\x13\x0D\x47\x65\x6F\x54\x72\x75\x73\x74\x20\x49\x6E\x63\x2E\x31\x1B\x30\x19\x06\x03\x55\x04\x03\x13\x12\x47\x65\x6F\x54\x72\x75\x73\x74\x20\x47\x6C\x6F\x62\x61\x6C\x20\x43\x41\x30\x1E\x17\x0D\x30\x32\x30\x35\x32\x31\x30\x34\x30\x30\x30\x30\x5A\x17\x0D\x32\x32\x30\x35\x32\x31\x30\x34\x30\x30\x30\x30\x5A\x30\x42\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x16\x30\x14\x06\x03\x55\x04\x0A\x13\x0D\x47\x65\x6F\x54\x72\x75\x73\x74\x20\x49\x6E\x63\x2E\x31\x1B\x30\x19\x06\x03\x55\x04\x03\x13\x12\x47\x65\x6F\x54\x72\x75\x73\x74\x20\x47\x6C\x6F\x62\x61\x6C\x20\x43\x41\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xDA\xCC\x18\x63\x30\xFD\xF4\x17\x23\x1A\x56\x7E\x5B\xDF\x3C\x6C\x38\xE4\x71\xB7\x78\x91\xD4\xBC\xA1\xD8\x4C\xF8\xA8\x43\xB6\x03\xE9\x4D\x21\x07\x08\x88\xDA\x58\x2F\x66\x39\x29\xBD\x05\x78\x8B\x9D\x38\xE8\x05\xB7\x6A\x7E\x71\xA4\xE6\xC4\x60\xA6\xB0\xEF\x80\xE4\x89\x28\x0F\x9E\x25\xD6\xED\x83\xF3\xAD\xA6\x91\xC7\x98\xC9\x42\x18\x35\x14\x9D\xAD\x98\x46\x92\x2E\x4F\xCA\xF1\x87\x43\xC1\x16\x95\x57\x2D\x50\xEF\x89\x2D\x80\x7A\x57\xAD\xF2\xEE\x5F\x6B\xD2\x00\x8D\xB9\x14\xF8\x14\x15\x35\xD9\xC0\x46\xA3\x7B\x72\xC8\x91\xBF\xC9\x55\x2B\xCD\xD0\x97\x3E\x9C\x26\x64\xCC\xDF\xCE\x83\x19\x71\xCA\x4E\xE6\xD4\xD5\x7B\xA9\x19\xCD\x55\xDE\xC8\xEC\xD2\x5E\x38\x53\xE5\x5C\x4F\x8C\x2D\xFE\x50\x23\x36\xFC\x66\xE6\xCB\x8E\xA4\x39\x19\x00\xB7\x95\x02\x39\x91\x0B\x0E\xFE\x38\x2E\xD1\x1D\x05\x9A\xF6\x4D\x3E\x6F\x0F\x07\x1D\xAF\x2C\x1E\x8F\x60\x39\xE2\xFA\x36\x53\x13\x39\xD4\x5E\x26\x2B\xDB\x3D\xA8\x14\xBD\x32\xEB\x18\x03\x28\x52\x04\x71\xE5\xAB\x33\x3D\xE1\x38\xBB\x07\x36\x84\x62\x9C\x79\xEA\x16\x30\xF4\x5F\xC0\x2B\xE8\x71\x6B\xE4\xF9\x02\x03\x01\x00\x01\xA3\x53\x30\x51\x3
0\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xC0\x7A\x98\x68\x8D\x89\xFB\xAB\x05\x64\x0C\x11\x7D\xAA\x7D\x65\xB8\xCA\xCC\x4E\x30\x1F\x06\x03\x55\x1D\x23\x04\x18\x30\x16\x80\x14\xC0\x7A\x98\x68\x8D\x89\xFB\xAB\x05\x64\x0C\x11\x7D\xAA\x7D\x65\xB8\xCA\xCC\x4E\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x35\xE3\x29\x6A\xE5\x2F\x5D\x54\x8E\x29\x50\x94\x9F\x99\x1A\x14\xE4\x8F\x78\x2A\x62\x94\xA2\x27\x67\x9E\xD0\xCF\x1A\x5E\x47\xE9\xC1\xB2\xA4\xCF\xDD\x41\x1A\x05\x4E\x9B\x4B\xEE\x4A\x6F\x55\x52\xB3\x24\xA1\x37\x0A\xEB\x64\x76\x2A\x2E\x2C\xF3\xFD\x3B\x75\x90\xBF\xFA\x71\xD8\xC7\x3D\x37\xD2\xB5\x05\x95\x62\xB9\xA6\xDE\x89\x3D\x36\x7B\x38\x77\x48\x97\xAC\xA6\x20\x8F\x2E\xA6\xC9\x0C\xC2\xB2\x99\x45\x00\xC7\xCE\x11\x51\x22\x22\xE0\xA5\xEA\xB6\x15\x48\x09\x64\xEA\x5E\x4F\x74\xF7\x05\x3E\xC7\x8A\x52\x0C\xDB\x15\xB4\xBD\x6D\x9B\xE5\xC6\xB1\x54\x68\xA9\xE3\x69\x90\xB6\x9A\xA5\x0F\xB8\xB9\x3F\x20\x7D\xAE\x4A\xB5\xB8\x9C\xE4\x1D\xB6\xAB\xE6\x94\xA5\xC1\xC7\x83\xAD\xDB\xF5\x27\x87\x0E\x04\x6C\xD5\xFF\xDD\xA0\x5D\xED\x87\x52\xB7\x2B\x15\x02\xAE\x39\xA6\x6A\x74\xE9\xDA\xC4\xE7\xBC\x4D\x34\x1E\xA9\x5C\x4D\x33\x5F\x92\x09\x2F\x88\x66\x5D\x77\x97\xC7\x1D\x76\x13\xA9\xD5\xE5\xF1\x16\x09\x11\x35\xD5\xAC\xDB\x24\x71\x70\x2C\x98\x56\x0B\xD9\x17\xB4\xD1\xE3\x51\x2B\x5E\x75\xE8\xD5\xD0\xDC\x4F\x34\xED\xC2\x05\x66\x80\xA1\xCB\xE6\x33", - ["CN=GeoTrust Global CA 2,O=GeoTrust Inc.,C=US"] = 
"\x30\x82\x03\x66\x30\x82\x02\x4E\xA0\x03\x02\x01\x02\x02\x01\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x44\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x16\x30\x14\x06\x03\x55\x04\x0A\x13\x0D\x47\x65\x6F\x54\x72\x75\x73\x74\x20\x49\x6E\x63\x2E\x31\x1D\x30\x1B\x06\x03\x55\x04\x03\x13\x14\x47\x65\x6F\x54\x72\x75\x73\x74\x20\x47\x6C\x6F\x62\x61\x6C\x20\x43\x41\x20\x32\x30\x1E\x17\x0D\x30\x34\x30\x33\x30\x34\x30\x35\x30\x30\x30\x30\x5A\x17\x0D\x31\x39\x30\x33\x30\x34\x30\x35\x30\x30\x30\x30\x5A\x30\x44\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x16\x30\x14\x06\x03\x55\x04\x0A\x13\x0D\x47\x65\x6F\x54\x72\x75\x73\x74\x20\x49\x6E\x63\x2E\x31\x1D\x30\x1B\x06\x03\x55\x04\x03\x13\x14\x47\x65\x6F\x54\x72\x75\x73\x74\x20\x47\x6C\x6F\x62\x61\x6C\x20\x43\x41\x20\x32\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xEF\x3C\x4D\x40\x3D\x10\xDF\x3B\x53\x00\xE1\x67\xFE\x94\x60\x15\x3E\x85\x88\xF1\x89\x0D\x90\xC8\x28\x23\x99\x05\xE8\x2B\x20\x9D\xC6\xF3\x60\x46\xD8\xC1\xB2\xD5\x8C\x31\xD9\xDC\x20\x79\x24\x81\xBF\x35\x32\xFC\x63\x69\xDB\xB1\x2A\x6B\xEE\x21\x58\xF2\x08\xE9\x78\xCB\x6F\xCB\xFC\x16\x52\xC8\x91\xC4\xFF\x3D\x73\xDE\xB1\x3E\xA7\xC2\x7D\x66\xC1\xF5\x7E\x52\x24\x1A\xE2\xD5\x67\x91\xD0\x82\x10\xD7\x78\x4B\x4F\x2B\x42\x39\xBD\x64\x2D\x40\xA0\xB0\x10\xD3\x38\x48\x46\x88\xA1\x0C\xBB\x3A\x33\x2A\x62\x98\xFB\x00\x9D\x13\x59\x7F\x6F\x3B\x72\xAA\xEE\xA6\x0F\x86\xF9\x05\x61\xEA\x67\x7F\x0C\x37\x96\x8B\xE6\x69\x16\x47\x11\xC2\x27\x59\x03\xB3\xA6\x60\xC2\x21\x40\x56\xFA\xA0\xC7\x7D\x3A\x13\xE3\xEC\x57\xC7\xB3\xD6\xAE\x9D\x89\x80\xF7\x01\xE7\x2C\xF6\x96\x2B\x13\x0D\x79\x2C\xD9\xC0\xE4\x86\x7B\x4B\x8C\x0C\x72\x82\x8A\xFB\x17\xCD\x00\x6C\x3A\x13\x3C\xB0\x84\x87\x4B\x16\x7A\x29\xB2\x4F\xDB\x1D\xD4\x0B\xF3\x66\x37\xBD\xD8\xF6\x57\xBB\x5E\x24\x7A\xB8\x3C\x8B\xB9\xFA\x92\x1A\x1A\x84\x9E\xD8\x74\x8F\xAA\x1B\x7F\x5E\xF4\xFE\x45\x22\x21\x02\x03\x01\x00\x01\xA3\x63\x3
0\x61\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x71\x38\x36\xF2\x02\x31\x53\x47\x2B\x6E\xBA\x65\x46\xA9\x10\x15\x58\x20\x05\x09\x30\x1F\x06\x03\x55\x1D\x23\x04\x18\x30\x16\x80\x14\x71\x38\x36\xF2\x02\x31\x53\x47\x2B\x6E\xBA\x65\x46\xA9\x10\x15\x58\x20\x05\x09\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x86\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x03\xF7\xB5\x2B\xAB\x5D\x10\xFC\x7B\xB2\xB2\x5E\xAC\x9B\x0E\x7E\x53\x78\x59\x3E\x42\x04\xFE\x75\xA3\xAD\xAC\x81\x4E\xD7\x02\x8B\x5E\xC4\x2D\xC8\x52\x76\xC7\x2C\x1F\xFC\x81\x32\x98\xD1\x4B\xC6\x92\x93\x33\x35\x31\x2F\xFC\xD8\x1D\x44\xDD\xE0\x81\x7F\x9D\xE9\x8B\xE1\x64\x91\x62\x0B\x39\x08\x8C\xAC\x74\x9D\x59\xD9\x7A\x59\x52\x97\x11\xB9\x16\x7B\x6F\x45\xD3\x96\xD9\x31\x7D\x02\x36\x0F\x9C\x3B\x6E\xCF\x2C\x0D\x03\x46\x45\xEB\xA0\xF4\x7F\x48\x44\xC6\x08\x40\xCC\xDE\x1B\x70\xB5\x29\xAD\xBA\x8B\x3B\x34\x65\x75\x1B\x71\x21\x1D\x2C\x14\x0A\xB0\x96\x95\xB8\xD6\xEA\xF2\x65\xFB\x29\xBA\x4F\xEA\x91\x93\x74\x69\xB6\xF2\xFF\xE1\x1A\xD0\x0C\xD1\x76\x85\xCB\x8A\x25\xBD\x97\x5E\x2C\x6F\x15\x99\x26\xE7\xB6\x29\xFF\x22\xEC\xC9\x02\xC7\x56\x00\xCD\x49\xB9\xB3\x6C\x7B\x53\x04\x1A\xE2\xA8\xC9\xAA\x12\x05\x23\xC2\xCE\xE7\xBB\x04\x02\xCC\xC0\x47\xA2\xE4\xC4\x29\x2F\x5B\x45\x57\x89\x51\xEE\x3C\xEB\x52\x08\xFF\x07\x35\x1E\x9F\x35\x6A\x47\x4A\x56\x98\xD1\x5A\x85\x1F\x8C\xF5\x22\xBF\xAB\xCE\x83\xF3\xE2\x22\x29\xAE\x7D\x83\x40\xA8\xBA\x6C", ["CN=GeoTrust Universal CA,O=GeoTrust Inc.,C=US"] = 
"\x30\x82\x05\x68\x30\x82\x03\x50\xA0\x03\x02\x01\x02\x02\x01\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x45\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x16\x30\x14\x06\x03\x55\x04\x0A\x13\x0D\x47\x65\x6F\x54\x72\x75\x73\x74\x20\x49\x6E\x63\x2E\x31\x1E\x30\x1C\x06\x03\x55\x04\x03\x13\x15\x47\x65\x6F\x54\x72\x75\x73\x74\x20\x55\x6E\x69\x76\x65\x72\x73\x61\x6C\x20\x43\x41\x30\x1E\x17\x0D\x30\x34\x30\x33\x30\x34\x30\x35\x30\x30\x30\x30\x5A\x17\x0D\x32\x39\x30\x33\x30\x34\x30\x35\x30\x30\x30\x30\x5A\x30\x45\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x16\x30\x14\x06\x03\x55\x04\x0A\x13\x0D\x47\x65\x6F\x54\x72\x75\x73\x74\x20\x49\x6E\x63\x2E\x31\x1E\x30\x1C\x06\x03\x55\x04\x03\x13\x15\x47\x65\x6F\x54\x72\x75\x73\x74\x20\x55\x6E\x69\x76\x65\x72\x73\x61\x6C\x20\x43\x41\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\xA6\x15\x55\xA0\xA3\xC6\xE0\x1F\x8C\x9D\x21\x50\xD7\xC1\xBE\x2B\x5B\xB5\xA4\x9E\xA1\xD9\x72\x58\xBD\x00\x1B\x4C\xBF\x61\xC9\x14\x1D\x45\x82\xAB\xC6\x1D\x80\xD6\x3D\xEB\x10\x9C\x3A\xAF\x6D\x24\xF8\xBC\x71\x01\x9E\x06\xF5\x7C\x5F\x1E\xC1\x0E\x55\xCA\x83\x9A\x59\x30\xAE\x19\xCB\x30\x48\x95\xED\x22\x37\x8D\xF4\x4A\x9A\x72\x66\x3E\xAD\x95\xC0\xE0\x16\x00\xE0\x10\x1F\x2B\x31\x0E\xD7\x94\x54\xD3\x42\x33\xA0\x34\x1D\x1E\x45\x76\xDD\x4F\xCA\x18\x37\xEC\x85\x15\x7A\x19\x08\xFC\xD5\xC7\x9C\xF0\xF2\xA9\x2E\x10\xA9\x92\xE6\x3D\x58\x3D\xA9\x16\x68\x3C\x2F\x75\x21\x18\x7F\x28\x77\xA5\xE1\x61\x17\xB7\xA6\xE9\xF8\x1E\x99\xDB\x73\x6E\xF4\x0A\xA2\x21\x6C\xEE\xDA\xAA\x85\x92\x66\xAF\xF6\x7A\x6B\x82\xDA\xBA\x22\x08\x35\x0F\xCF\x42\xF1\x35\xFA\x6A\xEE\x7E\x2B\x25\xCC\x3A\x11\xE4\x6D\xAF\x73\xB2\x76\x1D\xAD\xD0\xB2\x78\x67\x1A\xA4\x39\x1C\x51\x0B\x67\x56\x83\xFD\x38\x5D\x0D\xCE\xDD\xF0\xBB\x2B\x96\x1F\xDE\x7B\x32\x52\xFD\x1D\xBB\xB5\x06\xA1\xB2\x21\x5E\xA5\xD6\x95\x68\x7F\xF0\x99\x9E\xDC\x45\x08\x3E\xE7\xD2\x09\x0D\x35\x94\xDD\x80\x4E\x53\x97\xD7\xB5\x0
9\x44\x20\x64\x16\x17\x03\x02\x4C\x53\x0D\x68\xDE\xD5\xAA\x72\x4D\x93\x6D\x82\x0E\xDB\x9C\xBD\xCF\xB4\xF3\x5C\x5D\x54\x7A\x69\x09\x96\xD6\xDB\x11\xC1\x8D\x75\xA8\xB4\xCF\x39\xC8\xCE\x3C\xBC\x24\x7C\xE6\x62\xCA\xE1\xBD\x7D\xA7\xBD\x57\x65\x0B\xE4\xFE\x25\xED\xB6\x69\x10\xDC\x28\x1A\x46\xBD\x01\x1D\xD0\x97\xB5\xE1\x98\x3B\xC0\x37\x64\xD6\x3D\x94\xEE\x0B\xE1\xF5\x28\xAE\x0B\x56\xBF\x71\x8B\x23\x29\x41\x8E\x86\xC5\x4B\x52\x7B\xD8\x71\xAB\x1F\x8A\x15\xA6\x3B\x83\x5A\xD7\x58\x01\x51\xC6\x4C\x41\xD9\x7F\xD8\x41\x67\x72\xA2\x28\xDF\x60\x83\xA9\x9E\xC8\x7B\xFC\x53\x73\x72\x59\xF5\x93\x7A\x17\x76\x0E\xCE\xF7\xE5\x5C\xD9\x0B\x55\x34\xA2\xAA\x5B\xB5\x6A\x54\xE7\x13\xCA\x57\xEC\x97\x6D\xF4\x5E\x06\x2F\x45\x8B\x58\xD4\x23\x16\x92\xE4\x16\x6E\x28\x63\x59\x30\xDF\x50\x01\x9C\x63\x89\x1A\x9F\xDB\x17\x94\x82\x70\x37\xC3\x24\x9E\x9A\x47\xD6\x5A\xCA\x4E\xA8\x69\x89\x72\x1F\x91\x6C\xDB\x7E\x9E\x1B\xAD\xC7\x1F\x73\xDD\x2C\x4F\x19\x65\xFD\x7F\x93\x40\x10\x2E\xD2\xF0\xED\x3C\x9E\x2E\x28\x3E\x69\x26\x33\xC5\x7B\x02\x03\x01\x00\x01\xA3\x63\x30\x61\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xDA\xBB\x2E\xAA\xB0\x0C\xB8\x88\x26\x51\x74\x5C\x6D\x03\xD3\xC0\xD8\x8F\x7A\xD6\x30\x1F\x06\x03\x55\x1D\x23\x04\x18\x30\x16\x80\x14\xDA\xBB\x2E\xAA\xB0\x0C\xB8\x88\x26\x51\x74\x5C\x6D\x03\xD3\xC0\xD8\x8F\x7A\xD6\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x86\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x02\x01\x00\x31\x78\xE6\xC7\xB5\xDF\xB8\x94\x40\xC9\x71\xC4\xA8\x35\xEC\x46\x1D\xC2\x85\xF3\x28\x58\x86\xB0\x0B\xFC\x8E\xB2\x39\x8F\x44\x55\xAB\x64\x84\x5C\x69\xA9\xD0\x9A\x38\x3C\xFA\xE5\x1F\x35\xE5\x44\xE3\x80\x79\x94\x68\xA4\xBB\xC4\x9F\x3D\xE1\x34\xCD\x30\x46\x8B\x54\x2B\x95\xA5\xEF\xF7\x3F\x99\x84\xFD\x35\xE6\xCF\x31\xC6\xDC\x6A\xBF\xA7\xD7\x23\x08\xE1\x98\x5E\xC3\x5A\x08\x76\xA9\xA6\xAF\x77\x2F\xB7\x60\xBD\x44\x46\x6A\xEF\x97\xFF\x73\x95\xC1\x8E\xE8\x93\xFB\xFD\x31\xB7\xEC\x57\x11\x11\x45\x9B\x3
0\xF1\x1A\x88\x39\xC1\x4F\x3C\xA7\x00\xD5\xC7\xFC\xAB\x6D\x80\x22\x70\xA5\x0C\xE0\x5D\x04\x29\x02\xFB\xCB\xA0\x91\xD1\x7C\xD6\xC3\x7E\x50\xD5\x9D\x58\xBE\x41\x38\xEB\xB9\x75\x3C\x15\xD9\x9B\xC9\x4A\x83\x59\xC0\xDA\x53\xFD\x33\xBB\x36\x18\x9B\x85\x0F\x15\xDD\xEE\x2D\xAC\x76\x93\xB9\xD9\x01\x8D\x48\x10\xA8\xFB\xF5\x38\x86\xF1\xDB\x0A\xC6\xBD\x84\xA3\x23\x41\xDE\xD6\x77\x6F\x85\xD4\x85\x1C\x50\xE0\xAE\x51\x8A\xBA\x8D\x3E\x76\xE2\xB9\xCA\x27\xF2\x5F\x9F\xEF\x6E\x59\x0D\x06\xD8\x2B\x17\xA4\xD2\x7C\x6B\xBB\x5F\x14\x1A\x48\x8F\x1A\x4C\xE7\xB3\x47\x1C\x8E\x4C\x45\x2B\x20\xEE\x48\xDF\xE7\xDD\x09\x8E\x18\xA8\xDA\x40\x8D\x92\x26\x11\x53\x61\x73\x5D\xEB\xBD\xE7\xC4\x4D\x29\x37\x61\xEB\xAC\x39\x2D\x67\x2E\x16\xD6\xF5\x00\x83\x85\xA1\xCC\x7F\x76\xC4\x7D\xE4\xB7\x4B\x66\xEF\x03\x45\x60\x69\xB6\x0C\x52\x96\x92\x84\x5E\xA6\xA3\xB5\xA4\x3E\x2B\xD9\xCC\xD8\x1B\x47\xAA\xF2\x44\xDA\x4F\xF9\x03\xE8\xF0\x14\xCB\x3F\xF3\x83\xDE\xD0\xC1\x54\xE3\xB7\xE8\x0A\x37\x4D\x8B\x20\x59\x03\x30\x19\xA1\x2C\xC8\xBD\x11\x1F\xDF\xAE\xC9\x4A\xC5\xF3\x27\x66\x66\x86\xAC\x68\x91\xFF\xD9\xE6\x53\x1C\x0F\x8B\x5C\x69\x65\x0A\x26\xC8\x1E\x34\xC3\x5D\x51\x7B\xD7\xA9\x9C\x06\xA1\x36\xDD\xD5\x89\x94\xBC\xD9\xE4\x2D\x0C\x5E\x09\x6C\x08\x97\x7C\xA3\x3D\x7C\x93\xFF\x3F\xA1\x14\xA7\xCF\xB5\x5D\xEB\xDB\xDB\x1C\xC4\x76\xDF\x88\xB9\xBD\x45\x05\x95\x1B\xAE\xFC\x46\x6A\x4C\xAF\x48\xE3\xCE\xAE\x0F\xD2\x7E\xEB\xE6\x6C\x9C\x4F\x81\x6A\x7A\x64\xAC\xBB\x3E\xD5\xE7\xCB\x76\x2E\xC5\xA7\x48\xC1\x5C\x90\x0F\xCB\xC8\x3F\xFA\xE6\x32\xE1\x8D\x1B\x6F\xA4\xE6\x8E\xD8\xF9\x29\x48\x8A\xCE\x73\xFE\x2C", ["CN=GeoTrust Universal CA 2,O=GeoTrust Inc.,C=US"] = 
"\x30\x82\x05\x6C\x30\x82\x03\x54\xA0\x03\x02\x01\x02\x02\x01\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x47\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x16\x30\x14\x06\x03\x55\x04\x0A\x13\x0D\x47\x65\x6F\x54\x72\x75\x73\x74\x20\x49\x6E\x63\x2E\x31\x20\x30\x1E\x06\x03\x55\x04\x03\x13\x17\x47\x65\x6F\x54\x72\x75\x73\x74\x20\x55\x6E\x69\x76\x65\x72\x73\x61\x6C\x20\x43\x41\x20\x32\x30\x1E\x17\x0D\x30\x34\x30\x33\x30\x34\x30\x35\x30\x30\x30\x30\x5A\x17\x0D\x32\x39\x30\x33\x30\x34\x30\x35\x30\x30\x30\x30\x5A\x30\x47\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x16\x30\x14\x06\x03\x55\x04\x0A\x13\x0D\x47\x65\x6F\x54\x72\x75\x73\x74\x20\x49\x6E\x63\x2E\x31\x20\x30\x1E\x06\x03\x55\x04\x03\x13\x17\x47\x65\x6F\x54\x72\x75\x73\x74\x20\x55\x6E\x69\x76\x65\x72\x73\x61\x6C\x20\x43\x41\x20\x32\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\xB3\x54\x52\xC1\xC9\x3E\xF2\xD9\xDC\xB1\x53\x1A\x59\x29\xE7\xB1\xC3\x45\x28\xE5\xD7\xD1\xED\xC5\xC5\x4B\xA1\xAA\x74\x7B\x57\xAF\x4A\x26\xFC\xD8\xF5\x5E\xA7\x6E\x19\xDB\x74\x0C\x4F\x35\x5B\x32\x0B\x01\xE3\xDB\xEB\x7A\x77\x35\xEA\xAA\x5A\xE0\xD6\xE8\xA1\x57\x94\xF0\x90\xA3\x74\x56\x94\x44\x30\x03\x1E\x5C\x4E\x2B\x85\x26\x74\x82\x7A\x0C\x76\xA0\x6F\x4D\xCE\x41\x2D\xA0\x15\x06\x14\x5F\xB7\x42\xCD\x7B\x8F\x58\x61\x34\xDC\x2A\x08\xF9\x2E\xC3\x01\xA6\x22\x44\x1C\x4C\x07\x82\xE6\x5B\xCE\xD0\x4A\x7C\x04\xD3\x19\x73\x27\xF0\xAA\x98\x7F\x2E\xAF\x4E\xEB\x87\x1E\x24\x77\x6A\x5D\xB6\xE8\x5B\x45\xBA\xDC\xC3\xA1\x05\x6F\x56\x8E\x8F\x10\x26\xA5\x49\xC3\x2E\xD7\x41\x87\x22\xE0\x4F\x86\xCA\x60\xB5\xEA\xA1\x63\xC0\x01\x97\x10\x79\xBD\x00\x3C\x12\x6D\x2B\x15\xB1\xAC\x4B\xB1\xEE\x18\xB9\x4E\x96\xDC\xDC\x76\xFF\x3B\xBE\xCF\x5F\x03\xC0\xFC\x3B\xE8\xBE\x46\x1B\xFF\xDA\x40\xC2\x52\xF7\xFE\xE3\x3A\xF7\x6A\x77\x35\xD0\xDA\x8D\xEB\x5E\x18\x6A\x31\xC7\x1E\xBA\x3C\x1B\x28\xD6\x6B\x54\xC6\xAA\x5B\xD7\xA2\x2C\x1B\x19\xCC\xA2\x02\xF6\x9B\x59\xBD\x3
7\x6B\x86\xB5\x6D\x82\xBA\xD8\xEA\xC9\x56\xBC\xA9\x36\x58\xFD\x3E\x19\xF3\xED\x0C\x26\xA9\x93\x38\xF8\x4F\xC1\x5D\x22\x06\xD0\x97\xEA\xE1\xAD\xC6\x55\xE0\x81\x2B\x28\x83\x3A\xFA\xF4\x7B\x21\x51\x00\xBE\x52\x38\xCE\xCD\x66\x79\xA8\xF4\x81\x56\xE2\xD0\x83\x09\x47\x51\x5B\x50\x6A\xCF\xDB\x48\x1A\x5D\x3E\xF7\xCB\xF6\x65\xF7\x6C\xF1\x95\xF8\x02\x3B\x32\x56\x82\x39\x7A\x5B\xBD\x2F\x89\x1B\xBF\xA1\xB4\xE8\xFF\x7F\x8D\x8C\xDF\x03\xF1\x60\x4E\x58\x11\x4C\xEB\xA3\x3F\x10\x2B\x83\x9A\x01\x73\xD9\x94\x6D\x84\x00\x27\x66\xAC\xF0\x70\x40\x09\x42\x92\xAD\x4F\x93\x0D\x61\x09\x51\x24\xD8\x92\xD5\x0B\x94\x61\xB2\x87\xB2\xED\xFF\x9A\x35\xFF\x85\x54\xCA\xED\x44\x43\xAC\x1B\x3C\x16\x6B\x48\x4A\x0A\x1C\x40\x88\x1F\x92\xC2\x0B\x00\x05\xFF\xF2\xC8\x02\x4A\xA4\xAA\xA9\xCC\x99\x96\x9C\x2F\x58\xE0\x7D\xE1\xBE\xBB\x07\xDC\x5F\x04\x72\x5C\x31\x34\xC3\xEC\x5F\x2D\xE0\x3D\x64\x90\x22\xE6\xD1\xEC\xB8\x2E\xDD\x59\xAE\xD9\xA1\x37\xBF\x54\x35\xDC\x73\x32\x4F\x8C\x04\x1E\x33\xB2\xC9\x46\xF1\xD8\x5C\xC8\x55\x50\xC9\x68\xBD\xA8\xBA\x36\x09\x02\x03\x01\x00\x01\xA3\x63\x30\x61\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x76\xF3\x55\xE1\xFA\xA4\x36\xFB\xF0\x9F\x5C\x62\x71\xED\x3C\xF4\x47\x38\x10\x2B\x30\x1F\x06\x03\x55\x1D\x23\x04\x18\x30\x16\x80\x14\x76\xF3\x55\xE1\xFA\xA4\x36\xFB\xF0\x9F\x5C\x62\x71\xED\x3C\xF4\x47\x38\x10\x2B\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x86\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x02\x01\x00\x66\xC1\xC6\x23\xF3\xD9\xE0\x2E\x6E\x5F\xE8\xCF\xAE\xB0\xB0\x25\x4D\x2B\xF8\x3B\x58\x9B\x40\x24\x37\x5A\xCB\xAB\x16\x49\xFF\xB3\x75\x79\x33\xA1\x2F\x6D\x70\x17\x34\x91\xFE\x67\x7E\x8F\xEC\x9B\xE5\x5E\x82\xA9\x55\x1F\x2F\xDC\xD4\x51\x07\x12\xFE\xAC\x16\x3E\x2C\x35\xC6\x63\xFC\xDC\x10\xEB\x0D\xA3\xAA\xD0\x7C\xCC\xD1\xD0\x2F\x51\x2E\xC4\x14\x5A\xDE\xE8\x19\xE1\x3E\xC6\xCC\xA4\x29\xE7\x2E\x84\xAA\x06\x30\x78\x76\x54\x73\x28\x98\x59\x38\xE0\x00\x0D\x62\xD3\x42\x7D\x21\x9F\xAE\x3
D\x3A\x8C\xD5\xFA\x77\x0D\x18\x2B\x16\x0E\x5F\x36\xE1\xFC\x2A\xB5\x30\x24\xCF\xE0\x63\x0C\x7B\x58\x1A\xFE\x99\xBA\x42\x12\xB1\x91\xF4\x7C\x68\xE2\xC8\xE8\xAF\x2C\xEA\xC9\x7E\xAE\xBB\x2A\x3D\x0D\x15\xDC\x34\x95\xB6\x18\x74\xA8\x6A\x0F\xC7\xB4\xF4\x13\xC4\xE4\x5B\xED\x0A\xD2\xA4\x97\x4C\x2A\xED\x2F\x6C\x12\x89\x3D\xF1\x27\x70\xAA\x6A\x03\x52\x21\x9F\x40\xA8\x67\x50\xF2\xF3\x5A\x1F\xDF\xDF\x23\xF6\xDC\x78\x4E\xE6\x98\x4F\x55\x3A\x53\xE3\xEF\xF2\xF4\x9F\xC7\x7C\xD8\x58\xAF\x29\x22\x97\xB8\xE0\xBD\x91\x2E\xB0\x76\xEC\x57\x11\xCF\xEF\x29\x44\xF3\xE9\x85\x7A\x60\x63\xE4\x5D\x33\x89\x17\xD9\x31\xAA\xDA\xD6\xF3\x18\x35\x72\xCF\x87\x2B\x2F\x63\x23\x84\x5D\x84\x8C\x3F\x57\xA0\x88\xFC\x99\x91\x28\x26\x69\x99\xD4\x8F\x97\x44\xBE\x8E\xD5\x48\xB1\xA4\x28\x29\xF1\x15\xB4\xE1\xE5\x9E\xDD\xF8\x8F\xA6\x6F\x26\xD7\x09\x3C\x3A\x1C\x11\x0E\xA6\x6C\x37\xF7\xAD\x44\x87\x2C\x28\xC7\xD8\x74\x82\xB3\xD0\x6F\x4A\x57\xBB\x35\x29\x27\xA0\x8B\xE8\x21\xA7\x87\x64\x36\x5D\xCC\xD8\x16\xAC\xC7\xB2\x27\x40\x92\x55\x38\x28\x8D\x51\x6E\xDD\x14\x67\x53\x6C\x71\x5C\x26\x84\x4D\x75\x5A\xB6\x7E\x60\x56\xA9\x4D\xAD\xFB\x9B\x1E\x97\xF3\x0D\xD9\xD2\x97\x54\x77\xDA\x3D\x12\xB7\xE0\x1E\xEF\x08\x06\xAC\xF9\x85\x87\xE9\xA2\xDC\xAF\x7E\x18\x12\x83\xFD\x56\x17\x41\x2E\xD5\x29\x82\x7D\x99\xF4\x31\xF6\x71\xA9\xCF\x2C\x01\x27\xA5\x05\xB9\xAA\xB2\x48\x4E\x2A\xEF\x9F\x93\x52\x51\x95\x3C\x52\x73\x8E\x56\x4C\x17\x40\xC0\x09\x28\xE4\x8B\x6A\x48\x53\xDB\xEC\xCD\x55\x55\xF1\xC6\xF8\xE9\xA2\x2C\x4C\xA6\xD1\x26\x5F\x7E\xAF\x5A\x4C\xDA\x1F\xA6\xF2\x1C\x2C\x7E\xAE\x02\x16\xD2\x56\xD0\x2F\x57\x53\x47\xE8\x92", ["CN=Visa eCommerce Root,OU=Visa International Service Association,O=VISA,C=US"] = 
"\x30\x82\x03\xA2\x30\x82\x02\x8A\xA0\x03\x02\x01\x02\x02\x10\x13\x86\x35\x4D\x1D\x3F\x06\xF2\xC1\xF9\x65\x05\xD5\x90\x1C\x62\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x6B\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x0D\x30\x0B\x06\x03\x55\x04\x0A\x13\x04\x56\x49\x53\x41\x31\x2F\x30\x2D\x06\x03\x55\x04\x0B\x13\x26\x56\x69\x73\x61\x20\x49\x6E\x74\x65\x72\x6E\x61\x74\x69\x6F\x6E\x61\x6C\x20\x53\x65\x72\x76\x69\x63\x65\x20\x41\x73\x73\x6F\x63\x69\x61\x74\x69\x6F\x6E\x31\x1C\x30\x1A\x06\x03\x55\x04\x03\x13\x13\x56\x69\x73\x61\x20\x65\x43\x6F\x6D\x6D\x65\x72\x63\x65\x20\x52\x6F\x6F\x74\x30\x1E\x17\x0D\x30\x32\x30\x36\x32\x36\x30\x32\x31\x38\x33\x36\x5A\x17\x0D\x32\x32\x30\x36\x32\x34\x30\x30\x31\x36\x31\x32\x5A\x30\x6B\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x0D\x30\x0B\x06\x03\x55\x04\x0A\x13\x04\x56\x49\x53\x41\x31\x2F\x30\x2D\x06\x03\x55\x04\x0B\x13\x26\x56\x69\x73\x61\x20\x49\x6E\x74\x65\x72\x6E\x61\x74\x69\x6F\x6E\x61\x6C\x20\x53\x65\x72\x76\x69\x63\x65\x20\x41\x73\x73\x6F\x63\x69\x61\x74\x69\x6F\x6E\x31\x1C\x30\x1A\x06\x03\x55\x04\x03\x13\x13\x56\x69\x73\x61\x20\x65\x43\x6F\x6D\x6D\x65\x72\x63\x65\x20\x52\x6F\x6F\x74\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xAF\x57\xDE\x56\x1E\x6E\xA1\xDA\x60\xB1\x94\x27\xCB\x17\xDB\x07\x3F\x80\x85\x4F\xC8\x9C\xB6\xD0\xF4\x6F\x4F\xCF\x99\xD8\xE1\xDB\xC2\x48\x5C\x3A\xAC\x39\x33\xC7\x1F\x6A\x8B\x26\x3D\x2B\x35\xF5\x48\xB1\x91\xC1\x02\x4E\x04\x96\x91\x7B\xB0\x33\xF0\xB1\x14\x4E\x11\x6F\xB5\x40\xAF\x1B\x45\xA5\x4A\xEF\x7E\xB6\xAC\xF2\xA0\x1F\x58\x3F\x12\x46\x60\x3C\x8D\xA1\xE0\x7D\xCF\x57\x3E\x33\x1E\xFB\x47\xF1\xAA\x15\x97\x07\x55\x66\xA5\xB5\x2D\x2E\xD8\x80\x59\xB2\xA7\x0D\xB7\x46\xEC\x21\x63\xFF\x35\xAB\xA5\x02\xCF\x2A\xF4\x4C\xFE\x7B\xF5\x94\x5D\x84\x4D\xA8\xF2\x60\x8F\xDB\x0E\x25\x3C\x9F\x73\x71\xCF\x94\xDF\x4A\xEA\xDB\xDF\x72\x38\x8C\xF3\x96\xBD\xF1\x17\xBC\xD2\xBA\x3B\x45\x5A\xC6\xA7\xF6\xC
6\x17\x8B\x01\x9D\xFC\x19\xA8\x2A\x83\x16\xB8\x3A\x48\xFE\x4E\x3E\xA0\xAB\x06\x19\xE9\x53\xF3\x80\x13\x07\xED\x2D\xBF\x3F\x0A\x3C\x55\x20\x39\x2C\x2C\x00\x69\x74\x95\x4A\xBC\x20\xB2\xA9\x79\xE5\x18\x89\x91\xA8\xDC\x1C\x4D\xEF\xBB\x7E\x37\x0B\x5D\xFE\x39\xA5\x88\x52\x8C\x00\x6C\xEC\x18\x7C\x41\xBD\xF6\x8B\x75\x77\xBA\x60\x9D\x84\xE7\xFE\x2D\x02\x03\x01\x00\x01\xA3\x42\x30\x40\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x15\x38\x83\x0F\x3F\x2C\x3F\x70\x33\x1E\xCD\x46\xFE\x07\x8C\x20\xE0\xD7\xC3\xB7\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x5F\xF1\x41\x7D\x7C\x5C\x08\xB9\x2B\xE0\xD5\x92\x47\xFA\x67\x5C\xA5\x13\xC3\x03\x21\x9B\x2B\x4C\x89\x46\xCF\x59\x4D\xC9\xFE\xA5\x40\xB6\x63\xCD\xDD\x71\x28\x95\x67\x11\xCC\x24\xAC\xD3\x44\x6C\x71\xAE\x01\x20\x6B\x03\xA2\x8F\x18\xB7\x29\x3A\x7D\xE5\x16\x60\x53\x78\x3C\xC0\xAF\x15\x83\xF7\x8F\x52\x33\x24\xBD\x64\x93\x97\xEE\x8B\xF7\xDB\x18\xA8\x6D\x71\xB3\xF7\x2C\x17\xD0\x74\x25\x69\xF7\xFE\x6B\x3C\x94\xBE\x4D\x4B\x41\x8C\x4E\xE2\x73\xD0\xE3\x90\x22\x73\x43\xCD\xF3\xEF\xEA\x73\xCE\x45\x8A\xB0\xA6\x49\xFF\x4C\x7D\x9D\x71\x88\xC4\x76\x1D\x90\x5B\x1D\xEE\xFD\xCC\xF7\xEE\xFD\x60\xA5\xB1\x7A\x16\x71\xD1\x16\xD0\x7C\x12\x3C\x6C\x69\x97\xDB\xAE\x5F\x39\x9A\x70\x2F\x05\x3C\x19\x46\x04\x99\x20\x36\xD0\x60\x6E\x61\x06\xBB\x16\x42\x8C\x70\xF7\x30\xFB\xE0\xDB\x66\xA3\x00\x01\xBD\xE6\x2C\xDA\x91\x5F\xA0\x46\x8B\x4D\x6A\x9C\x3D\x3D\xDD\x05\x46\xFE\x76\xBF\xA0\x0A\x3C\xE4\x00\xE6\x27\xB7\xFF\x84\x2D\xDE\xBA\x22\x27\x96\x10\x71\xEB\x22\xED\xDF\xDF\x33\x9C\xCF\xE3\xAD\xAE\x8E\xD4\x8E\xE6\x4F\x51\xAF\x16\x92\xE0\x5C\xF6\x07\x0F", - ["CN=Certum CA,O=Unizeto Sp. 
z o.o.,C=PL"] = "\x30\x82\x03\x0C\x30\x82\x01\xF4\xA0\x03\x02\x01\x02\x02\x03\x01\x00\x20\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x3E\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x50\x4C\x31\x1B\x30\x19\x06\x03\x55\x04\x0A\x13\x12\x55\x6E\x69\x7A\x65\x74\x6F\x20\x53\x70\x2E\x20\x7A\x20\x6F\x2E\x6F\x2E\x31\x12\x30\x10\x06\x03\x55\x04\x03\x13\x09\x43\x65\x72\x74\x75\x6D\x20\x43\x41\x30\x1E\x17\x0D\x30\x32\x30\x36\x31\x31\x31\x30\x34\x36\x33\x39\x5A\x17\x0D\x32\x37\x30\x36\x31\x31\x31\x30\x34\x36\x33\x39\x5A\x30\x3E\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x50\x4C\x31\x1B\x30\x19\x06\x03\x55\x04\x0A\x13\x12\x55\x6E\x69\x7A\x65\x74\x6F\x20\x53\x70\x2E\x20\x7A\x20\x6F\x2E\x6F\x2E\x31\x12\x30\x10\x06\x03\x55\x04\x03\x13\x09\x43\x65\x72\x74\x75\x6D\x20\x43\x41\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xCE\xB1\xC1\x2E\xD3\x4F\x7C\xCD\x25\xCE\x18\x3E\x4F\xC4\x8C\x6F\x80\x6A\x73\xC8\x5B\x51\xF8\x9B\xD2\xDC\xBB\x00\x5C\xB1\xA0\xFC\x75\x03\xEE\x81\xF0\x88\xEE\x23\x52\xE9\xE6\x15\x33\x8D\xAC\x2D\x09\xC5\x76\xF9\x2B\x39\x80\x89\xE4\x97\x4B\x90\xA5\xA8\x78\xF8\x73\x43\x7B\xA4\x61\xB0\xD8\x58\xCC\xE1\x6C\x66\x7E\x9C\xF3\x09\x5E\x55\x63\x84\xD5\xA8\xEF\xF3\xB1\x2E\x30\x68\xB3\xC4\x3C\xD8\xAC\x6E\x8D\x99\x5A\x90\x4E\x34\xDC\x36\x9A\x8F\x81\x88\x50\xB7\x6D\x96\x42\x09\xF3\xD7\x95\x83\x0D\x41\x4B\xB0\x6A\x6B\xF8\xFC\x0F\x7E\x62\x9F\x67\xC4\xED\x26\x5F\x10\x26\x0F\x08\x4F\xF0\xA4\x57\x28\xCE\x8F\xB8\xED\x45\xF6\x6E\xEE\x25\x5D\xAA\x6E\x39\xBE\xE4\x93\x2F\xD9\x47\xA0\x72\xEB\xFA\xA6\x5B\xAF\xCA\x53\x3F\xE2\x0E\xC6\x96\x56\x11\x6E\xF7\xE9\x66\xA9\x26\xD8\x7F\x95\x53\xED\x0A\x85\x88\xBA\x4F\x29\xA5\x42\x8C\x5E\xB6\xFC\x85\x20\x00\xAA\x68\x0B\xA1\x1A\x85\x01\x9C\xC4\x46\x63\x82\x88\xB6\x22\xB1\xEE\xFE\xAA\x46\x59\x7E\xCF\x35\x2C\xD5\xB6\xDA\x5D\xF7\x48\x33\x14\x54\xB6\xEB\xD9\x6F\xCE\xCD\x88\xD6\xAB\x1B\xDA\x96\x3B\x1D\x59\x02\x03\x01\x00\x01\xA3\x13\x30\x11\x30\x0F\x06\x03\x5
5\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\xB8\x8D\xCE\xEF\xE7\x14\xBA\xCF\xEE\xB0\x44\x92\x6C\xB4\x39\x3E\xA2\x84\x6E\xAD\xB8\x21\x77\xD2\xD4\x77\x82\x87\xE6\x20\x41\x81\xEE\xE2\xF8\x11\xB7\x63\xD1\x17\x37\xBE\x19\x76\x24\x1C\x04\x1A\x4C\xEB\x3D\xAA\x67\x6F\x2D\xD4\xCD\xFE\x65\x31\x70\xC5\x1B\xA6\x02\x0A\xBA\x60\x7B\x6D\x58\xC2\x9A\x49\xFE\x63\x32\x0B\x6B\xE3\x3A\xC0\xAC\xAB\x3B\xB0\xE8\xD3\x09\x51\x8C\x10\x83\xC6\x34\xE0\xC5\x2B\xE0\x1A\xB6\x60\x14\x27\x6C\x32\x77\x8C\xBC\xB2\x72\x98\xCF\xCD\xCC\x3F\xB9\xC8\x24\x42\x14\xD6\x57\xFC\xE6\x26\x43\xA9\x1D\xE5\x80\x90\xCE\x03\x54\x28\x3E\xF7\x3F\xD3\xF8\x4D\xED\x6A\x0A\x3A\x93\x13\x9B\x3B\x14\x23\x13\x63\x9C\x3F\xD1\x87\x27\x79\xE5\x4C\x51\xE3\x01\xAD\x85\x5D\x1A\x3B\xB1\xD5\x73\x10\xA4\xD3\xF2\xBC\x6E\x64\xF5\x5A\x56\x90\xA8\xC7\x0E\x4C\x74\x0F\x2E\x71\x3B\xF7\xC8\x47\xF4\x69\x6F\x15\xF2\x11\x5E\x83\x1E\x9C\x7C\x52\xAE\xFD\x02\xDA\x12\xA8\x59\x67\x18\xDB\xBC\x70\xDD\x9B\xB1\x69\xED\x80\xCE\x89\x40\x48\x6A\x0E\x35\xCA\x29\x66\x15\x21\x94\x2C\xE8\x60\x2A\x9B\x85\x4A\x40\xF3\x6B\x8A\x24\xEC\x06\x16\x2C\x73", ["CN=AAA Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB"] = 
"\x30\x82\x04\x32\x30\x82\x03\x1A\xA0\x03\x02\x01\x02\x02\x01\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x7B\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x47\x42\x31\x1B\x30\x19\x06\x03\x55\x04\x08\x0C\x12\x47\x72\x65\x61\x74\x65\x72\x20\x4D\x61\x6E\x63\x68\x65\x73\x74\x65\x72\x31\x10\x30\x0E\x06\x03\x55\x04\x07\x0C\x07\x53\x61\x6C\x66\x6F\x72\x64\x31\x1A\x30\x18\x06\x03\x55\x04\x0A\x0C\x11\x43\x6F\x6D\x6F\x64\x6F\x20\x43\x41\x20\x4C\x69\x6D\x69\x74\x65\x64\x31\x21\x30\x1F\x06\x03\x55\x04\x03\x0C\x18\x41\x41\x41\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x20\x53\x65\x72\x76\x69\x63\x65\x73\x30\x1E\x17\x0D\x30\x34\x30\x31\x30\x31\x30\x30\x30\x30\x30\x30\x5A\x17\x0D\x32\x38\x31\x32\x33\x31\x32\x33\x35\x39\x35\x39\x5A\x30\x7B\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x47\x42\x31\x1B\x30\x19\x06\x03\x55\x04\x08\x0C\x12\x47\x72\x65\x61\x74\x65\x72\x20\x4D\x61\x6E\x63\x68\x65\x73\x74\x65\x72\x31\x10\x30\x0E\x06\x03\x55\x04\x07\x0C\x07\x53\x61\x6C\x66\x6F\x72\x64\x31\x1A\x30\x18\x06\x03\x55\x04\x0A\x0C\x11\x43\x6F\x6D\x6F\x64\x6F\x20\x43\x41\x20\x4C\x69\x6D\x69\x74\x65\x64\x31\x21\x30\x1F\x06\x03\x55\x04\x03\x0C\x18\x41\x41\x41\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x20\x53\x65\x72\x76\x69\x63\x65\x73\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xBE\x40\x9D\xF4\x6E\xE1\xEA\x76\x87\x1C\x4D\x45\x44\x8E\xBE\x46\xC8\x83\x06\x9D\xC1\x2A\xFE\x18\x1F\x8E\xE4\x02\xFA\xF3\xAB\x5D\x50\x8A\x16\x31\x0B\x9A\x06\xD0\xC5\x70\x22\xCD\x49\x2D\x54\x63\xCC\xB6\x6E\x68\x46\x0B\x53\xEA\xCB\x4C\x24\xC0\xBC\x72\x4E\xEA\xF1\x15\xAE\xF4\x54\x9A\x12\x0A\xC3\x7A\xB2\x33\x60\xE2\xDA\x89\x55\xF3\x22\x58\xF3\xDE\xDC\xCF\xEF\x83\x86\xA2\x8C\x94\x4F\x9F\x68\xF2\x98\x90\x46\x84\x27\xC7\x76\xBF\xE3\xCC\x35\x2C\x8B\x5E\x07\x64\x65\x82\xC0\x48\xB0\xA8\x91\xF9\x61\x9F\x76\x20\x50\xA8\x91\xC7\x66\xB5\xEB\x78\x62\x03\x56\xF0\x8A\x1A\x13\xEA\x31\xA3\x1E\xA0\x99\xFD\x38\xF6\xF6\x27\x32\x5
8\x6F\x07\xF5\x6B\xB8\xFB\x14\x2B\xAF\xB7\xAA\xCC\xD6\x63\x5F\x73\x8C\xDA\x05\x99\xA8\x38\xA8\xCB\x17\x78\x36\x51\xAC\xE9\x9E\xF4\x78\x3A\x8D\xCF\x0F\xD9\x42\xE2\x98\x0C\xAB\x2F\x9F\x0E\x01\xDE\xEF\x9F\x99\x49\xF1\x2D\xDF\xAC\x74\x4D\x1B\x98\xB5\x47\xC5\xE5\x29\xD1\xF9\x90\x18\xC7\x62\x9C\xBE\x83\xC7\x26\x7B\x3E\x8A\x25\xC7\xC0\xDD\x9D\xE6\x35\x68\x10\x20\x9D\x8F\xD8\xDE\xD2\xC3\x84\x9C\x0D\x5E\xE8\x2F\xC9\x02\x03\x01\x00\x01\xA3\x81\xC0\x30\x81\xBD\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xA0\x11\x0A\x23\x3E\x96\xF1\x07\xEC\xE2\xAF\x29\xEF\x82\xA5\x7F\xD0\x30\xA4\xB4\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x7B\x06\x03\x55\x1D\x1F\x04\x74\x30\x72\x30\x38\xA0\x36\xA0\x34\x86\x32\x68\x74\x74\x70\x3A\x2F\x2F\x63\x72\x6C\x2E\x63\x6F\x6D\x6F\x64\x6F\x63\x61\x2E\x63\x6F\x6D\x2F\x41\x41\x41\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x53\x65\x72\x76\x69\x63\x65\x73\x2E\x63\x72\x6C\x30\x36\xA0\x34\xA0\x32\x86\x30\x68\x74\x74\x70\x3A\x2F\x2F\x63\x72\x6C\x2E\x63\x6F\x6D\x6F\x64\x6F\x2E\x6E\x65\x74\x2F\x41\x41\x41\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x53\x65\x72\x76\x69\x63\x65\x73\x2E\x63\x72\x6C\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x08\x56\xFC\x02\xF0\x9B\xE8\xFF\xA4\xFA\xD6\x7B\xC6\x44\x80\xCE\x4F\xC4\xC5\xF6\x00\x58\xCC\xA6\xB6\xBC\x14\x49\x68\x04\x76\xE8\xE6\xEE\x5D\xEC\x02\x0F\x60\xD6\x8D\x50\x18\x4F\x26\x4E\x01\xE3\xE6\xB0\xA5\xEE\xBF\xBC\x74\x54\x41\xBF\xFD\xFC\x12\xB8\xC7\x4F\x5A\xF4\x89\x60\x05\x7F\x60\xB7\x05\x4A\xF3\xF6\xF1\xC2\xBF\xC4\xB9\x74\x86\xB6\x2D\x7D\x6B\xCC\xD2\xF3\x46\xDD\x2F\xC6\xE0\x6A\xC3\xC3\x34\x03\x2C\x7D\x96\xDD\x5A\xC2\x0E\xA7\x0A\x99\xC1\x05\x8B\xAB\x0C\x2F\xF3\x5C\x3A\xCF\x6C\x37\x55\x09\x87\xDE\x53\x40\x6C\x58\xEF\xFC\xB6\xAB\x65\x6E\x04\xF6\x1B\xDC\x3C\xE0\x5A\x15\xC6\x9E\xD9\xF1\x59\x48\x30\x21\x65\x03\x6C\xEC\xE9\x21\x73\xEC\x9B\x03\xA1\xE0\x37\xAD\xA0\x15\x18\x8F\xFA\xBA\x02\xCE\xA7\x2C\xA9\x1
0\x13\x2C\xD4\xE5\x08\x26\xAB\x22\x97\x60\xF8\x90\x5E\x74\xD4\xA2\x9A\x53\xBD\xF2\xA9\x68\xE0\xA2\x6E\xC2\xD7\x6C\xB1\xA3\x0F\x9E\xBF\xEB\x68\xE7\x56\xF2\xAE\xF2\xE3\x2B\x38\x3A\x09\x81\xB5\x6B\x85\xD7\xBE\x2D\xED\x3F\x1A\xB7\xB2\x63\xE2\xF5\x62\x2C\x82\xD4\x6A\x00\x41\x50\xF1\x39\x83\x9F\x95\xE9\x36\x96\x98\x6E", - ["CN=Secure Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB"] = "\x30\x82\x04\x3F\x30\x82\x03\x27\xA0\x03\x02\x01\x02\x02\x01\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x7E\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x47\x42\x31\x1B\x30\x19\x06\x03\x55\x04\x08\x0C\x12\x47\x72\x65\x61\x74\x65\x72\x20\x4D\x61\x6E\x63\x68\x65\x73\x74\x65\x72\x31\x10\x30\x0E\x06\x03\x55\x04\x07\x0C\x07\x53\x61\x6C\x66\x6F\x72\x64\x31\x1A\x30\x18\x06\x03\x55\x04\x0A\x0C\x11\x43\x6F\x6D\x6F\x64\x6F\x20\x43\x41\x20\x4C\x69\x6D\x69\x74\x65\x64\x31\x24\x30\x22\x06\x03\x55\x04\x03\x0C\x1B\x53\x65\x63\x75\x72\x65\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x20\x53\x65\x72\x76\x69\x63\x65\x73\x30\x1E\x17\x0D\x30\x34\x30\x31\x30\x31\x30\x30\x30\x30\x30\x30\x5A\x17\x0D\x32\x38\x31\x32\x33\x31\x32\x33\x35\x39\x35\x39\x5A\x30\x7E\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x47\x42\x31\x1B\x30\x19\x06\x03\x55\x04\x08\x0C\x12\x47\x72\x65\x61\x74\x65\x72\x20\x4D\x61\x6E\x63\x68\x65\x73\x74\x65\x72\x31\x10\x30\x0E\x06\x03\x55\x04\x07\x0C\x07\x53\x61\x6C\x66\x6F\x72\x64\x31\x1A\x30\x18\x06\x03\x55\x04\x0A\x0C\x11\x43\x6F\x6D\x6F\x64\x6F\x20\x43\x41\x20\x4C\x69\x6D\x69\x74\x65\x64\x31\x24\x30\x22\x06\x03\x55\x04\x03\x0C\x1B\x53\x65\x63\x75\x72\x65\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x20\x53\x65\x72\x76\x69\x63\x65\x73\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xC0\x71\x33\x82\x8A\xD0\x70\xEB\x73\x87\x82\x40\xD5\x1D\xE4\xCB\xC9\x0E\x42\x90\xF9\xDE\x34\xB9\xA1\xBA\x11\xF4\x25\x85\xF3\xCC\x72\x6D\xF2\x7B\x97\x6B\xB3\x07\xF1\x77\x24\x91\x5
F\x25\x8F\xF6\x74\x3D\xE4\x80\xC2\xF8\x3C\x0D\xF3\xBF\x40\xEA\xF7\xC8\x52\xD1\x72\x6F\xEF\xC8\xAB\x41\xB8\x6E\x2E\x17\x2A\x95\x69\x0C\xCD\xD2\x1E\x94\x7B\x2D\x94\x1D\xAA\x75\xD7\xB3\x98\xCB\xAC\xBC\x64\x53\x40\xBC\x8F\xAC\xAC\x36\xCB\x5C\xAD\xBB\xDD\xE0\x94\x17\xEC\xD1\x5C\xD0\xBF\xEF\xA5\x95\xC9\x90\xC5\xB0\xAC\xFB\x1B\x43\xDF\x7A\x08\x5D\xB7\xB8\xF2\x40\x1B\x2B\x27\x9E\x50\xCE\x5E\x65\x82\x88\x8C\x5E\xD3\x4E\x0C\x7A\xEA\x08\x91\xB6\x36\xAA\x2B\x42\xFB\xEA\xC2\xA3\x39\xE5\xDB\x26\x38\xAD\x8B\x0A\xEE\x19\x63\xC7\x1C\x24\xDF\x03\x78\xDA\xE6\xEA\xC1\x47\x1A\x0B\x0B\x46\x09\xDD\x02\xFC\xDE\xCB\x87\x5F\xD7\x30\x63\x68\xA1\xAE\xDC\x32\xA1\xBA\xBE\xFE\x44\xAB\x68\xB6\xA5\x17\x15\xFD\xBD\xD5\xA7\xA7\x9A\xE4\x44\x33\xE9\x88\x8E\xFC\xED\x51\xEB\x93\x71\x4E\xAD\x01\xE7\x44\x8E\xAB\x2D\xCB\xA8\xFE\x01\x49\x48\xF0\xC0\xDD\xC7\x68\xD8\x92\xFE\x3D\x02\x03\x01\x00\x01\xA3\x81\xC7\x30\x81\xC4\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x3C\xD8\x93\x88\xC2\xC0\x82\x09\xCC\x01\x99\x06\x93\x20\xE9\x9E\x70\x09\x63\x4F\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x81\x81\x06\x03\x55\x1D\x1F\x04\x7A\x30\x78\x30\x3B\xA0\x39\xA0\x37\x86\x35\x68\x74\x74\x70\x3A\x2F\x2F\x63\x72\x6C\x2E\x63\x6F\x6D\x6F\x64\x6F\x63\x61\x2E\x63\x6F\x6D\x2F\x53\x65\x63\x75\x72\x65\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x53\x65\x72\x76\x69\x63\x65\x73\x2E\x63\x72\x6C\x30\x39\xA0\x37\xA0\x35\x86\x33\x68\x74\x74\x70\x3A\x2F\x2F\x63\x72\x6C\x2E\x63\x6F\x6D\x6F\x64\x6F\x2E\x6E\x65\x74\x2F\x53\x65\x63\x75\x72\x65\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x53\x65\x72\x76\x69\x63\x65\x73\x2E\x63\x72\x6C\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x87\x01\x6D\x23\x1D\x7E\x5B\x17\x7D\xC1\x61\x32\xCF\x8F\xE7\xF3\x8A\x94\x59\x66\xE0\x9E\x28\xA8\x5E\xD3\xB7\xF4\x34\xE6\xAA\x39\xB2\x97\x16\xC5\x82\x6F\x32\xA4\xE9\x8C\xE7\xAF\xFD\xEF\xC2\xE8\xB9\x4B\xAA\xA3\xF4\xE6\xDA\x8D\x65\x21\xFB\xBA\x80\xE
B\x26\x28\x85\x1A\xFE\x39\x8C\xDE\x5B\x04\x04\xB4\x54\xF9\xA3\x67\x9E\x41\xFA\x09\x52\xCC\x05\x48\xA8\xC9\x3F\x21\x04\x1E\xCE\x48\x6B\xFC\x85\xE8\xC2\x7B\xAF\x7F\xB7\xCC\xF8\x5F\x3A\xFD\x35\xC6\x0D\xEF\x97\xDC\x4C\xAB\x11\xE1\x6B\xCB\x31\xD1\x6C\xFB\x48\x80\xAB\xDC\x9C\x37\xB8\x21\x14\x4B\x0D\x71\x3D\xEC\x83\x33\x6E\xD1\x6E\x32\x16\xEC\x98\xC7\x16\x8B\x59\xA6\x34\xAB\x05\x57\x2D\x93\xF7\xAA\x13\xCB\xD2\x13\xE2\xB7\x2E\x3B\xCD\x6B\x50\x17\x09\x68\x3E\xB5\x26\x57\xEE\xB6\xE0\xB6\xDD\xB9\x29\x80\x79\x7D\x8F\xA3\xF0\xA4\x28\xA4\x15\xC4\x85\xF4\x27\xD4\x6B\xBF\xE5\x5C\xE4\x65\x02\x76\x54\xB4\xE3\x37\x66\x24\xD3\x19\x61\xC8\x52\x10\xE5\x8B\x37\x9A\xB9\xA9\xF9\x1D\xBF\xEA\x99\x92\x61\x96\xFF\x01\xCD\xA1\x5F\x0D\xBC\x71\xBC\x0E\xAC\x0B\x1D\x47\x45\x1D\xC1\xEC\x7C\xEC\xFD\x29", - ["CN=Trusted Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB"] = "\x30\x82\x04\x43\x30\x82\x03\x2B\xA0\x03\x02\x01\x02\x02\x01\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x7F\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x47\x42\x31\x1B\x30\x19\x06\x03\x55\x04\x08\x0C\x12\x47\x72\x65\x61\x74\x65\x72\x20\x4D\x61\x6E\x63\x68\x65\x73\x74\x65\x72\x31\x10\x30\x0E\x06\x03\x55\x04\x07\x0C\x07\x53\x61\x6C\x66\x6F\x72\x64\x31\x1A\x30\x18\x06\x03\x55\x04\x0A\x0C\x11\x43\x6F\x6D\x6F\x64\x6F\x20\x43\x41\x20\x4C\x69\x6D\x69\x74\x65\x64\x31\x25\x30\x23\x06\x03\x55\x04\x03\x0C\x1C\x54\x72\x75\x73\x74\x65\x64\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x20\x53\x65\x72\x76\x69\x63\x65\x73\x30\x1E\x17\x0D\x30\x34\x30\x31\x30\x31\x30\x30\x30\x30\x30\x30\x5A\x17\x0D\x32\x38\x31\x32\x33\x31\x32\x33\x35\x39\x35\x39\x5A\x30\x7F\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x47\x42\x31\x1B\x30\x19\x06\x03\x55\x04\x08\x0C\x12\x47\x72\x65\x61\x74\x65\x72\x20\x4D\x61\x6E\x63\x68\x65\x73\x74\x65\x72\x31\x10\x30\x0E\x06\x03\x55\x04\x07\x0C\x07\x53\x61\x6C\x66\x6F\x72\x64\x31\x1A\x30\x18\x06\x03\x55\x04\x0A\x0C\x11\x43\x6F\x6D\x6F\x64\x6F\x20\x43\x41\x20\x4C\x69\x6D\x69\x74\x
65\x64\x31\x25\x30\x23\x06\x03\x55\x04\x03\x0C\x1C\x54\x72\x75\x73\x74\x65\x64\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x20\x53\x65\x72\x76\x69\x63\x65\x73\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xDF\x71\x6F\x36\x58\x53\x5A\xF2\x36\x54\x57\x80\xC4\x74\x08\x20\xED\x18\x7F\x2A\x1D\xE6\x35\x9A\x1E\x25\xAC\x9C\xE5\x96\x7E\x72\x52\xA0\x15\x42\xDB\x59\xDD\x64\x7A\x1A\xD0\xB8\x7B\xDD\x39\x15\xBC\x55\x48\xC4\xED\x3A\x00\xEA\x31\x11\xBA\xF2\x71\x74\x1A\x67\xB8\xCF\x33\xCC\xA8\x31\xAF\xA3\xE3\xD7\x7F\xBF\x33\x2D\x4C\x6A\x3C\xEC\x8B\xC3\x92\xD2\x53\x77\x24\x74\x9C\x07\x6E\x70\xFC\xBD\x0B\x5B\x76\xBA\x5F\xF2\xFF\xD7\x37\x4B\x4A\x60\x78\xF7\xF0\xFA\xCA\x70\xB4\xEA\x59\xAA\xA3\xCE\x48\x2F\xA9\xC3\xB2\x0B\x7E\x17\x72\x16\x0C\xA6\x07\x0C\x1B\x38\xCF\xC9\x62\xB7\x3F\xA0\x93\xA5\x87\x41\xF2\xB7\x70\x40\x77\xD8\xBE\x14\x7C\xE3\xA8\xC0\x7A\x8E\xE9\x63\x6A\xD1\x0F\x9A\xC6\xD2\xF4\x8B\x3A\x14\x04\x56\xD4\xED\xB8\xCC\x6E\xF5\xFB\xE2\x2C\x58\xBD\x7F\x4F\x6B\x2B\xF7\x60\x24\x58\x24\xCE\x26\xEF\x34\x91\x3A\xD5\xE3\x81\xD0\xB2\xF0\x04\x02\xD7\x5B\xB7\x3E\x92\xAC\x6B\x12\x8A\xF9\xE4\x05\xB0\x3B\x91\x49\x5C\xB2\xEB\x53\xEA\xF8\x9F\x47\x86\xEE\xBF\x95\xC0\xC0\x06\x9F\xD2\x5B\x5E\x11\x1B\xF4\xC7\x04\x35\x29\xD2\x55\x5C\xE4\xED\xEB\x02\x03\x01\x00\x01\xA3\x81\xC9\x30\x81\xC6\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xC5\x7B\x58\xBD\xED\xDA\x25\x69\xD2\xF7\x59\x16\xA8\xB3\x32\xC0\x7B\x27\x5B\xF4\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x81\x83\x06\x03\x55\x1D\x1F\x04\x7C\x30\x7A\x30\x3C\xA0\x3A\xA0\x38\x86\x36\x68\x74\x74\x70\x3A\x2F\x2F\x63\x72\x6C\x2E\x63\x6F\x6D\x6F\x64\x6F\x63\x61\x2E\x63\x6F\x6D\x2F\x54\x72\x75\x73\x74\x65\x64\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x53\x65\x72\x76\x69\x63\x65\x73\x2E\x63\x72\x6C\x30\x3A\xA0\x38\xA0\x36\x86\x34\x68\x74\x74\x70\x3A\x2F\x2F\x63\x72\x6C\x2E\x63\x6F\x
6D\x6F\x64\x6F\x2E\x6E\x65\x74\x2F\x54\x72\x75\x73\x74\x65\x64\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x53\x65\x72\x76\x69\x63\x65\x73\x2E\x63\x72\x6C\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\xC8\x93\x81\x3B\x89\xB4\xAF\xB8\x84\x12\x4C\x8D\xD2\xF0\xDB\x70\xBA\x57\x86\x15\x34\x10\xB9\x2F\x7F\x1E\xB0\xA8\x89\x60\xA1\x8A\xC2\x77\x0C\x50\x4A\x9B\x00\x8B\xD8\x8B\xF4\x41\xE2\xD0\x83\x8A\x4A\x1C\x14\x06\xB0\xA3\x68\x05\x70\x31\x30\xA7\x53\x9B\x0E\xE9\x4A\xA0\x58\x69\x67\x0E\xAE\x9D\xF6\xA5\x2C\x41\xBF\x3C\x06\x6B\xE4\x59\xCC\x6D\x10\xF1\x96\x6F\x1F\xDF\xF4\x04\x02\xA4\x9F\x45\x3E\xC8\xD8\xFA\x36\x46\x44\x50\x3F\x82\x97\x91\x1F\x28\xDB\x18\x11\x8C\x2A\xE4\x65\x83\x57\x12\x12\x8C\x17\x3F\x94\x36\xFE\x5D\xB0\xC0\x04\x77\x13\xB8\xF4\x15\xD5\x3F\x38\xCC\x94\x3A\x55\xD0\xAC\x98\xF5\xBA\x00\x5F\xE0\x86\x19\x81\x78\x2F\x28\xC0\x7E\xD3\xCC\x42\x0A\xF5\xAE\x50\xA0\xD1\x3E\xC6\xA1\x71\xEC\x3F\xA0\x20\x8C\x66\x3A\x89\xB4\x8E\xD4\xD8\xB1\x4D\x25\x47\xEE\x2F\x88\xC8\xB5\xE1\x05\x45\xC0\xBE\x14\x71\xDE\x7A\xFD\x8E\x7B\x7D\x4D\x08\x96\xA5\x12\x73\xF0\x2D\xCA\x37\x27\x74\x12\x27\x4C\xCB\xB6\x97\xE9\xD9\xAE\x08\x6D\x5A\x39\x40\xDD\x05\x47\x75\x6A\x5A\x21\xB3\xA3\x18\xCF\x4E\xF7\x2E\x57\xB7\x98\x70\x5E\xC8\xC4\x78\xB0\x62", ["CN=QuoVadis Root Certification Authority,OU=Root Certification Authority,O=QuoVadis Limited,C=BM"] = 
"\x30\x82\x05\xD0\x30\x82\x04\xB8\xA0\x03\x02\x01\x02\x02\x04\x3A\xB6\x50\x8B\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x7F\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x42\x4D\x31\x19\x30\x17\x06\x03\x55\x04\x0A\x13\x10\x51\x75\x6F\x56\x61\x64\x69\x73\x20\x4C\x69\x6D\x69\x74\x65\x64\x31\x25\x30\x23\x06\x03\x55\x04\x0B\x13\x1C\x52\x6F\x6F\x74\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x31\x2E\x30\x2C\x06\x03\x55\x04\x03\x13\x25\x51\x75\x6F\x56\x61\x64\x69\x73\x20\x52\x6F\x6F\x74\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x1E\x17\x0D\x30\x31\x30\x33\x31\x39\x31\x38\x33\x33\x33\x33\x5A\x17\x0D\x32\x31\x30\x33\x31\x37\x31\x38\x33\x33\x33\x33\x5A\x30\x7F\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x42\x4D\x31\x19\x30\x17\x06\x03\x55\x04\x0A\x13\x10\x51\x75\x6F\x56\x61\x64\x69\x73\x20\x4C\x69\x6D\x69\x74\x65\x64\x31\x25\x30\x23\x06\x03\x55\x04\x0B\x13\x1C\x52\x6F\x6F\x74\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x31\x2E\x30\x2C\x06\x03\x55\x04\x03\x13\x25\x51\x75\x6F\x56\x61\x64\x69\x73\x20\x52\x6F\x6F\x74\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xBF\x61\xB5\x95\x53\xBA\x57\xFC\xFA\xF2\x67\x0B\x3A\x1A\xDF\x11\x80\x64\x95\xB4\xD1\xBC\xCD\x7A\xCF\xF6\x29\x96\x2E\x24\x54\x40\x24\x38\xF7\x1A\x85\xDC\x58\x4C\xCB\xA4\x27\x42\x97\xD0\x9F\x83\x8A\xC3\xE4\x06\x03\x5B\x00\xA5\x51\x1E\x70\x04\x74\xE2\xC1\xD4\x3A\xAB\xD7\xAD\x3B\x07\x18\x05\x8E\xFD\x83\xAC\xEA\x66\xD9\x18\x1B\x68\x8A\xF5\x57\x1A\x98\xBA\xF5\xED\x76\x3D\x7C\xD9\xDE\x94\x6A\x3B\x4B\x17\xC1\xD5\x8F\xBD\x65\x38\x3A\x95\xD0\x3D\x55\x36\x4E\xDF\x79\x57\x31\x2A\x1E\xD8\x59\x65\x49\x58\x20\x98\x7E\xAB\x5F\x7E\x9F\xE9\xD6\x4D\xEC\x83\x74\xA9\xC7\x6C\xD8\xEE\x2
9\x4A\x85\x2A\x06\x14\xF9\x54\xE6\xD3\xDA\x65\x07\x8B\x63\x37\x12\xD7\xD0\xEC\xC3\x7B\x20\x41\x44\xA3\xED\xCB\xA0\x17\xE1\x71\x65\xCE\x1D\x66\x31\xF7\x76\x01\x19\xC8\x7D\x03\x58\xB6\x95\x49\x1D\xA6\x12\x26\xE8\xC6\x0C\x76\xE0\xE3\x66\xCB\xEA\x5D\xA6\x26\xEE\xE5\xCC\x5F\xBD\x67\xA7\x01\x27\x0E\xA2\xCA\x54\xC5\xB1\x7A\x95\x1D\x71\x1E\x4A\x29\x8A\x03\xDC\x6A\x45\xC1\xA4\x19\x5E\x6F\x36\xCD\xC3\xA2\xB0\xB7\xFE\x5C\x38\xE2\x52\xBC\xF8\x44\x43\xE6\x90\xBB\x02\x03\x01\x00\x01\xA3\x82\x02\x52\x30\x82\x02\x4E\x30\x3D\x06\x08\x2B\x06\x01\x05\x05\x07\x01\x01\x04\x31\x30\x2F\x30\x2D\x06\x08\x2B\x06\x01\x05\x05\x07\x30\x01\x86\x21\x68\x74\x74\x70\x73\x3A\x2F\x2F\x6F\x63\x73\x70\x2E\x71\x75\x6F\x76\x61\x64\x69\x73\x6F\x66\x66\x73\x68\x6F\x72\x65\x2E\x63\x6F\x6D\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x82\x01\x1A\x06\x03\x55\x1D\x20\x04\x82\x01\x11\x30\x82\x01\x0D\x30\x82\x01\x09\x06\x09\x2B\x06\x01\x04\x01\xBE\x58\x00\x01\x30\x81\xFB\x30\x81\xD4\x06\x08\x2B\x06\x01\x05\x05\x07\x02\x02\x30\x81\xC7\x1A\x81\xC4\x52\x65\x6C\x69\x61\x6E\x63\x65\x20\x6F\x6E\x20\x74\x68\x65\x20\x51\x75\x6F\x56\x61\x64\x69\x73\x20\x52\x6F\x6F\x74\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x20\x62\x79\x20\x61\x6E\x79\x20\x70\x61\x72\x74\x79\x20\x61\x73\x73\x75\x6D\x65\x73\x20\x61\x63\x63\x65\x70\x74\x61\x6E\x63\x65\x20\x6F\x66\x20\x74\x68\x65\x20\x74\x68\x65\x6E\x20\x61\x70\x70\x6C\x69\x63\x61\x62\x6C\x65\x20\x73\x74\x61\x6E\x64\x61\x72\x64\x20\x74\x65\x72\x6D\x73\x20\x61\x6E\x64\x20\x63\x6F\x6E\x64\x69\x74\x69\x6F\x6E\x73\x20\x6F\x66\x20\x75\x73\x65\x2C\x20\x63\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x70\x72\x61\x63\x74\x69\x63\x65\x73\x2C\x20\x61\x6E\x64\x20\x74\x68\x65\x20\x51\x75\x6F\x56\x61\x64\x69\x73\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x20\x50\x6F\x6C\x69\x63\x79\x2E\x30\x22\x06\x08\x2B\x06\x01\x05\x05\x07\x02\x01\x16\x16\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x71\x75\x6F\x76\x61\x64\x69\x73\x2E\x62\x6D\x30\x1D\x06\x03\x55\x1D\x0E\x0
4\x16\x04\x14\x8B\x4B\x6D\xED\xD3\x29\xB9\x06\x19\xEC\x39\x39\xA9\xF0\x97\x84\x6A\xCB\xEF\xDF\x30\x81\xAE\x06\x03\x55\x1D\x23\x04\x81\xA6\x30\x81\xA3\x80\x14\x8B\x4B\x6D\xED\xD3\x29\xB9\x06\x19\xEC\x39\x39\xA9\xF0\x97\x84\x6A\xCB\xEF\xDF\xA1\x81\x84\xA4\x81\x81\x30\x7F\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x42\x4D\x31\x19\x30\x17\x06\x03\x55\x04\x0A\x13\x10\x51\x75\x6F\x56\x61\x64\x69\x73\x20\x4C\x69\x6D\x69\x74\x65\x64\x31\x25\x30\x23\x06\x03\x55\x04\x0B\x13\x1C\x52\x6F\x6F\x74\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x31\x2E\x30\x2C\x06\x03\x55\x04\x03\x13\x25\x51\x75\x6F\x56\x61\x64\x69\x73\x20\x52\x6F\x6F\x74\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x82\x04\x3A\xB6\x50\x8B\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x8A\xD4\x14\xB5\xFE\xF4\x9A\x92\xA7\x19\xD4\xA4\x7E\x72\x18\x8F\xD9\x68\x7C\x52\x24\xDD\x67\x6F\x39\x7A\xC4\xAA\x5E\x3D\xE2\x58\xB0\x4D\x70\x98\x84\x61\xE8\x1B\xE3\x69\x18\x0E\xCE\xFB\x47\x50\xA0\x4E\xFF\xF0\x24\x1F\xBD\xB2\xCE\xF5\x27\xFC\xEC\x2F\x53\xAA\x73\x7B\x03\x3D\x74\x6E\xE6\x16\x9E\xEB\xA5\x2E\xC4\xBF\x56\x27\x50\x2B\x62\xBA\xBE\x4B\x1C\x3C\x55\x5C\x41\x1D\x24\xBE\x82\x20\x47\x5D\xD5\x44\x7E\x7A\x16\x68\xDF\x7D\x4D\x51\x70\x78\x57\x1D\x33\x1E\xFD\x02\x99\x9C\x0C\xCD\x0A\x05\x4F\xC7\xBB\x8E\xA4\x75\xFA\x4A\x6D\xB1\x80\x8E\x09\x56\xB9\x9C\x1A\x60\xFE\x5D\xC1\xD7\x7A\xDC\x11\x78\xD0\xD6\x5D\xC1\xB7\xD5\xAD\x32\x99\x03\x3A\x8A\xCC\x54\x25\x39\x31\x81\x7B\x13\x22\x51\xBA\x46\x6C\xA1\xBB\x9E\xFA\x04\x6C\x49\x26\x74\x8F\xD2\x73\xEB\xCC\x30\xA2\xE6\xEA\x59\x22\x87\xF8\x97\xF5\x0E\xFD\xEA\xCC\x92\xA4\x16\xC4\x52\x18\xEA\x21\xCE\xB1\xF1\xE6\x84\x81\xE5\xBA\xA9\x86\x28\xF2\x43\x5A\x5D\x12\x9D\xAC\x1E\xD9\xA8\xE5\x0A\x6A\xA7\x7F\xA0\x87\x29\xCF\xF2\x89\x4D\xD4\xEC\xC5\xE2\xE6\x7A\xD0\x36\x23\x8A\x4A\x74\x36\xF9", ["CN=QuoVadis Root CA 
2,O=QuoVadis Limited,C=BM"] = "\x30\x82\x05\xB7\x30\x82\x03\x9F\xA0\x03\x02\x01\x02\x02\x02\x05\x09\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x45\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x42\x4D\x31\x19\x30\x17\x06\x03\x55\x04\x0A\x13\x10\x51\x75\x6F\x56\x61\x64\x69\x73\x20\x4C\x69\x6D\x69\x74\x65\x64\x31\x1B\x30\x19\x06\x03\x55\x04\x03\x13\x12\x51\x75\x6F\x56\x61\x64\x69\x73\x20\x52\x6F\x6F\x74\x20\x43\x41\x20\x32\x30\x1E\x17\x0D\x30\x36\x31\x31\x32\x34\x31\x38\x32\x37\x30\x30\x5A\x17\x0D\x33\x31\x31\x31\x32\x34\x31\x38\x32\x33\x33\x33\x5A\x30\x45\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x42\x4D\x31\x19\x30\x17\x06\x03\x55\x04\x0A\x13\x10\x51\x75\x6F\x56\x61\x64\x69\x73\x20\x4C\x69\x6D\x69\x74\x65\x64\x31\x1B\x30\x19\x06\x03\x55\x04\x03\x13\x12\x51\x75\x6F\x56\x61\x64\x69\x73\x20\x52\x6F\x6F\x74\x20\x43\x41\x20\x32\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\x9A\x18\xCA\x4B\x94\x0D\x00\x2D\xAF\x03\x29\x8A\xF0\x0F\x81\xC8\xAE\x4C\x19\x85\x1D\x08\x9F\xAB\x29\x44\x85\xF3\x2F\x81\xAD\x32\x1E\x90\x46\xBF\xA3\x86\x26\x1A\x1E\xFE\x7E\x1C\x18\x3A\x5C\x9C\x60\x17\x2A\x3A\x74\x83\x33\x30\x7D\x61\x54\x11\xCB\xED\xAB\xE0\xE6\xD2\xA2\x7E\xF5\x6B\x6F\x18\xB7\x0A\x0B\x2D\xFD\xE9\x3E\xEF\x0A\xC6\xB3\x10\xE9\xDC\xC2\x46\x17\xF8\x5D\xFD\xA4\xDA\xFF\x9E\x49\x5A\x9C\xE6\x33\xE6\x24\x96\xF7\x3F\xBA\x5B\x2B\x1C\x7A\x35\xC2\xD6\x67\xFE\xAB\x66\x50\x8B\x6D\x28\x60\x2B\xEF\xD7\x60\xC3\xC7\x93\xBC\x8D\x36\x91\xF3\x7F\xF8\xDB\x11\x13\xC4\x9C\x77\x76\xC1\xAE\xB7\x02\x6A\x81\x7A\xA9\x45\x83\xE2\x05\xE6\xB9\x56\xC1\x94\x37\x8F\x48\x71\x63\x22\xEC\x17\x65\x07\x95\x8A\x4B\xDF\x8F\xC6\x5A\x0A\xE5\xB0\xE3\x5F\x5E\x6B\x11\xAB\x0C\xF9\x85\xEB\x44\xE9\xF8\x04\x73\xF2\xE9\xFE\x5C\x98\x8C\xF5\x73\xAF\x6B\xB4\x7E\xCD\xD4\x5C\x02\x2B\x4C\x39\xE1\xB2\x95\x95\x2D\x42\x87\xD7\xD5\xB3\x90\x43\xB7\x6C\x13\xF1\xDE\xDD\xF6\xC4\xF8\x89\x3F\xD1\x75\xF5\x92\xC3\x91\xD5\x8A\x88\xD0\x90\xEC\xDC\x6D\xDE\
x89\xC2\x65\x71\x96\x8B\x0D\x03\xFD\x9C\xBF\x5B\x16\xAC\x92\xDB\xEA\xFE\x79\x7C\xAD\xEB\xAF\xF7\x16\xCB\xDB\xCD\x25\x2B\xE5\x1F\xFB\x9A\x9F\xE2\x51\xCC\x3A\x53\x0C\x48\xE6\x0E\xBD\xC9\xB4\x76\x06\x52\xE6\x11\x13\x85\x72\x63\x03\x04\xE0\x04\x36\x2B\x20\x19\x02\xE8\x74\xA7\x1F\xB6\xC9\x56\x66\xF0\x75\x25\xDC\x67\xC1\x0E\x61\x60\x88\xB3\x3E\xD1\xA8\xFC\xA3\xDA\x1D\xB0\xD1\xB1\x23\x54\xDF\x44\x76\x6D\xED\x41\xD8\xC1\xB2\x22\xB6\x53\x1C\xDF\x35\x1D\xDC\xA1\x77\x2A\x31\xE4\x2D\xF5\xE5\xE5\xDB\xC8\xE0\xFF\xE5\x80\xD7\x0B\x63\xA0\xFF\x33\xA1\x0F\xBA\x2C\x15\x15\xEA\x97\xB3\xD2\xA2\xB5\xBE\xF2\x8C\x96\x1E\x1A\x8F\x1D\x6C\xA4\x61\x37\xB9\x86\x73\x33\xD7\x97\x96\x9E\x23\x7D\x82\xA4\x4C\x81\xE2\xA1\xD1\xBA\x67\x5F\x95\x07\xA3\x27\x11\xEE\x16\x10\x7B\xBC\x45\x4A\x4C\xB2\x04\xD2\xAB\xEF\xD5\xFD\x0C\x51\xCE\x50\x6A\x08\x31\xF9\x91\xDA\x0C\x8F\x64\x5C\x03\xC3\x3A\x8B\x20\x3F\x6E\x8D\x67\x3D\x3A\xD6\xFE\x7D\x5B\x88\xC9\x5E\xFB\xCC\x61\xDC\x8B\x33\x77\xD3\x44\x32\x35\x09\x62\x04\x92\x16\x10\xD8\x9E\x27\x47\xFB\x3B\x21\xE3\xF8\xEB\x1D\x5B\x02\x03\x01\x00\x01\xA3\x81\xB0\x30\x81\xAD\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0B\x06\x03\x55\x1D\x0F\x04\x04\x03\x02\x01\x06\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x1A\x84\x62\xBC\x48\x4C\x33\x25\x04\xD4\xEE\xD0\xF6\x03\xC4\x19\x46\xD1\x94\x6B\x30\x6E\x06\x03\x55\x1D\x23\x04\x67\x30\x65\x80\x14\x1A\x84\x62\xBC\x48\x4C\x33\x25\x04\xD4\xEE\xD0\xF6\x03\xC4\x19\x46\xD1\x94\x6B\xA1\x49\xA4\x47\x30\x45\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x42\x4D\x31\x19\x30\x17\x06\x03\x55\x04\x0A\x13\x10\x51\x75\x6F\x56\x61\x64\x69\x73\x20\x4C\x69\x6D\x69\x74\x65\x64\x31\x1B\x30\x19\x06\x03\x55\x04\x03\x13\x12\x51\x75\x6F\x56\x61\x64\x69\x73\x20\x52\x6F\x6F\x74\x20\x43\x41\x20\x32\x82\x02\x05\x09\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x02\x01\x00\x3E\x0A\x16\x4D\x9F\x06\x5B\xA8\xAE\x71\x5D\x2F\x05\x2F\x67\xE6\x13\x45\x83\xC4\x36\xF6\xF3\xC0\x26\x0C\x0D\xB5\x47\x64\x5D\xF8\xB4\x72\xC9\x46\xA5\
x03\x18\x27\x55\x89\x78\x7D\x76\xEA\x96\x34\x80\x17\x20\xDC\xE7\x83\xF8\x8D\xFC\x07\xB8\xDA\x5F\x4D\x2E\x67\xB2\x84\xFD\xD9\x44\xFC\x77\x50\x81\xE6\x7C\xB4\xC9\x0D\x0B\x72\x53\xF8\x76\x07\x07\x41\x47\x96\x0C\xFB\xE0\x82\x26\x93\x55\x8C\xFE\x22\x1F\x60\x65\x7C\x5F\xE7\x26\xB3\xF7\x32\x90\x98\x50\xD4\x37\x71\x55\xF6\x92\x21\x78\xF7\x95\x79\xFA\xF8\x2D\x26\x87\x66\x56\x30\x77\xA6\x37\x78\x33\x52\x10\x58\xAE\x3F\x61\x8E\xF2\x6A\xB1\xEF\x18\x7E\x4A\x59\x63\xCA\x8D\xA2\x56\xD5\xA7\x2F\xBC\x56\x1F\xCF\x39\xC1\xE2\xFB\x0A\xA8\x15\x2C\x7D\x4D\x7A\x63\xC6\x6C\x97\x44\x3C\xD2\x6F\xC3\x4A\x17\x0A\xF8\x90\xD2\x57\xA2\x19\x51\xA5\x2D\x97\x41\xDA\x07\x4F\xA9\x50\xDA\x90\x8D\x94\x46\xE1\x3E\xF0\x94\xFD\x10\x00\x38\xF5\x3B\xE8\x40\xE1\xB4\x6E\x56\x1A\x20\xCC\x6F\x58\x8D\xED\x2E\x45\x8F\xD6\xE9\x93\x3F\xE7\xB1\x2C\xDF\x3A\xD6\x22\x8C\xDC\x84\xBB\x22\x6F\xD0\xF8\xE4\xC6\x39\xE9\x04\x88\x3C\xC3\xBA\xEB\x55\x7A\x6D\x80\x99\x24\xF5\x6C\x01\xFB\xF8\x97\xB0\x94\x5B\xEB\xFD\xD2\x6F\xF1\x77\x68\x0D\x35\x64\x23\xAC\xB8\x55\xA1\x03\xD1\x4D\x42\x19\xDC\xF8\x75\x59\x56\xA3\xF9\xA8\x49\x79\xF8\xAF\x0E\xB9\x11\xA0\x7C\xB7\x6A\xED\x34\xD0\xB6\x26\x62\x38\x1A\x87\x0C\xF8\xE8\xFD\x2E\xD3\x90\x7F\x07\x91\x2A\x1D\xD6\x7E\x5C\x85\x83\x99\xB0\x38\x08\x3F\xE9\x5E\xF9\x35\x07\xE4\xC9\x62\x6E\x57\x7F\xA7\x50\x95\xF7\xBA\xC8\x9B\xE6\x8E\xA2\x01\xC5\xD6\x66\xBF\x79\x61\xF3\x3C\x1C\xE1\xB9\x82\x5C\x5D\xA0\xC3\xE9\xD8\x48\xBD\x19\xA2\x11\x14\x19\x6E\xB2\x86\x1B\x68\x3E\x48\x37\x1A\x88\xB7\x5D\x96\x5E\x9C\xC7\xEF\x27\x62\x08\xE2\x91\x19\x5C\xD2\xF1\x21\xDD\xBA\x17\x42\x82\x97\x71\x81\x53\x31\xA9\x9F\xF6\x7D\x62\xBF\x72\xE1\xA3\x93\x1D\xCC\x8A\x26\x5A\x09\x38\xD0\xCE\xD7\x0D\x80\x16\xB4\x78\xA5\x3A\x87\x4C\x8D\x8A\xA5\xD5\x46\x97\xF2\x2C\x10\xB9\xBC\x54\x22\xC0\x01\x50\x69\x43\x9E\xF4\xB2\xEF\x6D\xF8\xEC\xDA\xF1\xE3\xB1\xEF\xDF\x91\x8F\x54\x2A\x0B\x25\xC1\x26\x19\xC4\x52\x10\x05\x65\xD5\x82\x10\xEA\xC2\x31\xCD\x2E", ["CN=QuoVadis Root CA 3,O=QuoVadis Limited,C=BM"] = 
"\x30\x82\x06\x9D\x30\x82\x04\x85\xA0\x03\x02\x01\x02\x02\x02\x05\xC6\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x45\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x42\x4D\x31\x19\x30\x17\x06\x03\x55\x04\x0A\x13\x10\x51\x75\x6F\x56\x61\x64\x69\x73\x20\x4C\x69\x6D\x69\x74\x65\x64\x31\x1B\x30\x19\x06\x03\x55\x04\x03\x13\x12\x51\x75\x6F\x56\x61\x64\x69\x73\x20\x52\x6F\x6F\x74\x20\x43\x41\x20\x33\x30\x1E\x17\x0D\x30\x36\x31\x31\x32\x34\x31\x39\x31\x31\x32\x33\x5A\x17\x0D\x33\x31\x31\x31\x32\x34\x31\x39\x30\x36\x34\x34\x5A\x30\x45\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x42\x4D\x31\x19\x30\x17\x06\x03\x55\x04\x0A\x13\x10\x51\x75\x6F\x56\x61\x64\x69\x73\x20\x4C\x69\x6D\x69\x74\x65\x64\x31\x1B\x30\x19\x06\x03\x55\x04\x03\x13\x12\x51\x75\x6F\x56\x61\x64\x69\x73\x20\x52\x6F\x6F\x74\x20\x43\x41\x20\x33\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\xCC\x57\x42\x16\x54\x9C\xE6\x98\xD3\xD3\x4D\xEE\xFE\xED\xC7\x9F\x43\x39\x4A\x65\xB3\xE8\x16\x88\x34\xDB\x0D\x59\x91\x74\xCF\x92\xB8\x04\x40\xAD\x02\x4B\x31\xAB\xBC\x8D\x91\x68\xD8\x20\x0E\x1A\x01\xE2\x1A\x7B\x4E\x17\x5D\xE2\x8A\xB7\x3F\x99\x1A\xCD\xEB\x61\xAB\xC2\x65\xA6\x1F\xB7\xB7\xBD\xB7\x8F\xFC\xFD\x70\x8F\x0B\xA0\x67\xBE\x01\xA2\x59\xCF\x71\xE6\x0F\x29\x76\xFF\xB1\x56\x79\x45\x2B\x1F\x9E\x7A\x54\xE8\xA3\x29\x35\x68\xA4\x01\x4F\x0F\xA4\x2E\x37\xEF\x1B\xBF\xE3\x8F\x10\xA8\x72\xAB\x58\x57\xE7\x54\x86\xC8\xC9\xF3\x5B\xDA\x2C\xDA\x5D\x8E\x6E\x3C\xA3\x3E\xDA\xFB\x82\xE5\xDD\xF2\x5C\xB2\x05\x33\x6F\x8A\x36\xCE\xD0\x13\x4E\xFF\xBF\x4A\x0C\x34\x4C\xA6\xC3\x21\xBD\x50\x04\x55\xEB\xB1\xBB\x9D\xFB\x45\x1E\x64\x15\xDE\x55\x01\x8C\x02\x76\xB5\xCB\xA1\x3F\x42\x69\xBC\x2F\xBD\x68\x43\x16\x56\x89\x2A\x37\x61\x91\xFD\xA6\xAE\x4E\xC0\xCB\x14\x65\x94\x37\x4B\x92\x06\xEF\x04\xD0\xC8\x9C\x88\xDB\x0B\x7B\x81\xAF\xB1\x3D\x2A\xC4\x65\x3A\x78\xB6\xEE\xDC\x80\xB1\xD2\xD3\x99\x9C\x3A\xEE\x6B\x5A\x6B\xB3\x8D\xB7\xD5\xCE\x9C\xC2\xBE\xA5\x4B\x2F\x16\xB
1\x9E\x68\x3B\x06\x6F\xAE\x7D\x9F\xF8\xDE\xEC\xCC\x29\xA7\x98\xA3\x25\x43\x2F\xEF\xF1\x5F\x26\xE1\x88\x4D\xF8\x5E\x6E\xD7\xD9\x14\x6E\x19\x33\x69\xA7\x3B\x84\x89\x93\xC4\x53\x55\x13\xA1\x51\x78\x40\xF8\xB8\xC9\xA2\xEE\x7B\xBA\x52\x42\x83\x9E\x14\xED\x05\x52\x5A\x59\x56\xA7\x97\xFC\x9D\x3F\x0A\x29\xD8\xDC\x4F\x91\x0E\x13\xBC\xDE\x95\xA4\xDF\x8B\x99\xBE\xAC\x9B\x33\x88\xEF\xB5\x81\xAF\x1B\xC6\x22\x53\xC8\xF6\xC7\xEE\x97\x14\xB0\xC5\x7C\x78\x52\xC8\xF0\xCE\x6E\x77\x60\x84\xA6\xE9\x2A\x76\x20\xED\x58\x01\x17\x30\x93\xE9\x1A\x8B\xE0\x73\x63\xD9\x6A\x92\x94\x49\x4E\xB4\xAD\x4A\x85\xC4\xA3\x22\x30\xFC\x09\xED\x68\x22\x73\xA6\x88\x0C\x55\x21\x58\xC5\xE1\x3A\x9F\x2A\xDD\xCA\xE1\x90\xE0\xD9\x73\xAB\x6C\x80\xB8\xE8\x0B\x64\x93\xA0\x9C\x8C\x19\xFF\xB3\xD2\x0C\xEC\x91\x26\x87\x8A\xB3\xA2\xE1\x70\x8F\x2C\x0A\xE5\xCD\x6D\x68\x51\xEB\xDA\x3F\x05\x7F\x8B\x32\xE6\x13\x5C\x6B\xFE\x5F\x40\xE2\x22\xC8\xB4\xB4\x64\x4F\xD6\xBA\x7D\x48\x3E\xA8\x69\x0C\xD7\xBB\x86\x71\xC9\x73\xB8\x3F\x3B\x9D\x25\x4B\xDA\xFF\x40\xEB\x02\x03\x01\x00\x01\xA3\x82\x01\x95\x30\x82\x01\x91\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x81\xE1\x06\x03\x55\x1D\x20\x04\x81\xD9\x30\x81\xD6\x30\x81\xD3\x06\x09\x2B\x06\x01\x04\x01\xBE\x58\x00\x03\x30\x81\xC5\x30\x81\x93\x06\x08\x2B\x06\x01\x05\x05\x07\x02\x02\x30\x81\x86\x1A\x81\x83\x41\x6E\x79\x20\x75\x73\x65\x20\x6F\x66\x20\x74\x68\x69\x73\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x20\x63\x6F\x6E\x73\x74\x69\x74\x75\x74\x65\x73\x20\x61\x63\x63\x65\x70\x74\x61\x6E\x63\x65\x20\x6F\x66\x20\x74\x68\x65\x20\x51\x75\x6F\x56\x61\x64\x69\x73\x20\x52\x6F\x6F\x74\x20\x43\x41\x20\x33\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x20\x50\x6F\x6C\x69\x63\x79\x20\x2F\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x50\x72\x61\x63\x74\x69\x63\x65\x20\x53\x74\x61\x74\x65\x6D\x65\x6E\x74\x2E\x30\x2D\x06\x08\x2B\x06\x01\x05\x05\x07\x02\x01\x16\x21\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x71\x75\x6F\x76\x61\x64\x69\x73\x67\x6C\x6F\x62\x6
1\x6C\x2E\x63\x6F\x6D\x2F\x63\x70\x73\x30\x0B\x06\x03\x55\x1D\x0F\x04\x04\x03\x02\x01\x06\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xF2\xC0\x13\xE0\x82\x43\x3E\xFB\xEE\x2F\x67\x32\x96\x35\x5C\xDB\xB8\xCB\x02\xD0\x30\x6E\x06\x03\x55\x1D\x23\x04\x67\x30\x65\x80\x14\xF2\xC0\x13\xE0\x82\x43\x3E\xFB\xEE\x2F\x67\x32\x96\x35\x5C\xDB\xB8\xCB\x02\xD0\xA1\x49\xA4\x47\x30\x45\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x42\x4D\x31\x19\x30\x17\x06\x03\x55\x04\x0A\x13\x10\x51\x75\x6F\x56\x61\x64\x69\x73\x20\x4C\x69\x6D\x69\x74\x65\x64\x31\x1B\x30\x19\x06\x03\x55\x04\x03\x13\x12\x51\x75\x6F\x56\x61\x64\x69\x73\x20\x52\x6F\x6F\x74\x20\x43\x41\x20\x33\x82\x02\x05\xC6\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x02\x01\x00\x4F\xAD\xA0\x2C\x4C\xFA\xC0\xF2\x6F\xF7\x66\x55\xAB\x23\x34\xEE\xE7\x29\xDA\xC3\x5B\xB6\xB0\x83\xD9\xD0\xD0\xE2\x21\xFB\xF3\x60\xA7\x3B\x5D\x60\x53\x27\xA2\x9B\xF6\x08\x22\x2A\xE7\xBF\xA0\x72\xE5\x9C\x24\x6A\x31\xB1\x90\x7A\x27\xDB\x84\x11\x89\x27\xA6\x77\x5A\x38\xD7\xBF\xAC\x86\xFC\xEE\x5D\x83\xBC\x06\xC6\xD1\x77\x6B\x0F\x6D\x24\x2F\x4B\x7A\x6C\xA7\x07\x96\xCA\xE3\x84\x9F\xAD\x88\x8B\x1D\xAB\x16\x8D\x5B\x66\x17\xD9\x16\xF4\x8B\x80\xD2\xDD\xF8\xB2\x76\xC3\xFC\x38\x13\xAA\x0C\xDE\x42\x69\x2B\x6E\xF3\x3C\xEB\x80\x27\xDB\xF5\xA6\x44\x0D\x9F\x5A\x55\x59\x0B\xD5\x0D\x52\x48\xC5\xAE\x9F\xF2\x2F\x80\xC5\xEA\x32\x50\x35\x12\x97\x2E\xC1\xE1\xFF\xF1\x23\x88\x51\x38\x9F\xF2\x66\x56\x76\xE7\x0F\x51\x97\xA5\x52\x0C\x4D\x49\x51\x95\x36\x3D\xBF\xA2\x4B\x0C\x10\x1D\x86\x99\x4C\xAA\xF3\x72\x11\x93\xE4\xEA\xF6\x9B\xDA\xA8\x5D\xA7\x4D\xB7\x9E\x02\xAE\x73\x00\xC8\xDA\x23\x03\xE8\xF9\xEA\x19\x74\x62\x00\x94\xCB\x22\x20\xBE\x94\xA7\x59\xB5\x82\x6A\xBE\x99\x79\x7A\xA9\xF2\x4A\x24\x52\xF7\x74\xFD\xBA\x4E\xE6\xA8\x1D\x02\x6E\xB1\x0D\x80\x44\xC1\xAE\xD3\x23\x37\x5F\xBB\x85\x7C\x2B\x92\x2E\xE8\x7E\xA5\x8B\xDD\x99\xE1\xBF\x27\x6F\x2D\x5D\xAA\x7B\x87\xFE\x0A\xDD\x4B\xFC\x8E\xF5\x26\xE4\x6E\x70\x42\x6E\x33\xEC\x31\x9E\x7B\x93\xC1\xE4\xC9\x69\x1A\x3D\xC0\x6B\x4E\x22\x6
D\xEE\xAB\x58\x4D\xC6\xD0\x41\xC1\x2B\xEA\x4F\x12\x87\x5E\xEB\x45\xD8\x6C\xF5\x98\x02\xD3\xA0\xD8\x55\x8A\x06\x99\x19\xA2\xA0\x77\xD1\x30\x9E\xAC\xCC\x75\xEE\x83\xF5\xB0\x62\x39\xCF\x6C\x57\xE2\x4C\xD2\x91\x0B\x0E\x75\x28\x1B\x9A\xBF\xFD\x1A\x43\xF1\xCA\x77\xFB\x3B\x8F\x61\xB8\x69\x28\x16\x42\x04\x5E\x70\x2A\x1C\x21\xD8\x8F\xE1\xBD\x23\x5B\x2D\x74\x40\x92\xD9\x63\x19\x0D\x73\xDD\x69\xBC\x62\x47\xBC\xE0\x74\x2B\xB2\xEB\x7D\xBE\x41\x1B\xB5\xC0\x46\xC5\xA1\x22\xCB\x5F\x4E\xC1\x28\x92\xDE\x18\xBA\xD5\x2A\x28\xBB\x11\x8B\x17\x93\x98\x99\x60\x94\x5C\x23\xCF\x5A\x27\x97\x5E\x0B\x05\x06\x93\x37\x1E\x3B\x69\x36\xEB\xA9\x9E\x61\x1D\x8F\x32\xDA\x8E\x0C\xD6\x74\x3E\x7B\x09\x24\xDA\x01\x77\x47\xC4\x3B\xCD\x34\x8C\x99\xF5\xCA\xE1\x25\x61\x33\xB2\x59\x1B\xE2\x6E\xD7\x37\x57\xB6\x0D\xA9\x12\xDA", ["OU=Security Communication RootCA1,O=SECOM Trust.net,C=JP"] = "\x30\x82\x03\x5A\x30\x82\x02\x42\xA0\x03\x02\x01\x02\x02\x01\x00\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x50\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x4A\x50\x31\x18\x30\x16\x06\x03\x55\x04\x0A\x13\x0F\x53\x45\x43\x4F\x4D\x20\x54\x72\x75\x73\x74\x2E\x6E\x65\x74\x31\x27\x30\x25\x06\x03\x55\x04\x0B\x13\x1E\x53\x65\x63\x75\x72\x69\x74\x79\x20\x43\x6F\x6D\x6D\x75\x6E\x69\x63\x61\x74\x69\x6F\x6E\x20\x52\x6F\x6F\x74\x43\x41\x31\x30\x1E\x17\x0D\x30\x33\x30\x39\x33\x30\x30\x34\x32\x30\x34\x39\x5A\x17\x0D\x32\x33\x30\x39\x33\x30\x30\x34\x32\x30\x34\x39\x5A\x30\x50\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x4A\x50\x31\x18\x30\x16\x06\x03\x55\x04\x0A\x13\x0F\x53\x45\x43\x4F\x4D\x20\x54\x72\x75\x73\x74\x2E\x6E\x65\x74\x31\x27\x30\x25\x06\x03\x55\x04\x0B\x13\x1E\x53\x65\x63\x75\x72\x69\x74\x79\x20\x43\x6F\x6D\x6D\x75\x6E\x69\x63\x61\x74\x69\x6F\x6E\x20\x52\x6F\x6F\x74\x43\x41\x31\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xB3\xB3\xFE\x7F\xD3\x6D\xB1\xEF\x16\x7C\x57\xA5\x0C\x6D\x76\x8A\x2F\x4B\xBF\x64\xFB\x4C\xEE\x8A\xF0\xF3
\x29\x7C\xF5\xFF\xEE\x2A\xE0\xE9\xE9\xBA\x5B\x64\x22\x9A\x9A\x6F\x2C\x3A\x26\x69\x51\x05\x99\x26\xDC\xD5\x1C\x6A\x71\xC6\x9A\x7D\x1E\x9D\xDD\x7C\x6C\xC6\x8C\x67\x67\x4A\x3E\xF8\x71\xB0\x19\x27\xA9\x09\x0C\xA6\x95\xBF\x4B\x8C\x0C\xFA\x55\x98\x3B\xD8\xE8\x22\xA1\x4B\x71\x38\x79\xAC\x97\x92\x69\xB3\x89\x7E\xEA\x21\x68\x06\x98\x14\x96\x87\xD2\x61\x36\xBC\x6D\x27\x56\x9E\x57\xEE\xC0\xC0\x56\xFD\x32\xCF\xA4\xD9\x8E\xC2\x23\xD7\x8D\xA8\xF3\xD8\x25\xAC\x97\xE4\x70\x38\xF4\xB6\x3A\xB4\x9D\x3B\x97\x26\x43\xA3\xA1\xBC\x49\x59\x72\x4C\x23\x30\x87\x01\x58\xF6\x4E\xBE\x1C\x68\x56\x66\xAF\xCD\x41\x5D\xC8\xB3\x4D\x2A\x55\x46\xAB\x1F\xDA\x1E\xE2\x40\x3D\xDB\xCD\x7D\xB9\x92\x80\x9C\x37\xDD\x0C\x96\x64\x9D\xDC\x22\xF7\x64\x8B\xDF\x61\xDE\x15\x94\x52\x15\xA0\x7D\x52\xC9\x4B\xA8\x21\xC9\xC6\xB1\xED\xCB\xC3\x95\x60\xD1\x0F\xF0\xAB\x70\xF8\xDF\xCB\x4D\x7E\xEC\xD6\xFA\xAB\xD9\xBD\x7F\x54\xF2\xA5\xE9\x79\xFA\xD9\xD6\x76\x24\x28\x73\x02\x03\x01\x00\x01\xA3\x3F\x30\x3D\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xA0\x73\x49\x99\x68\xDC\x85\x5B\x65\xE3\x9B\x28\x2F\x57\x9F\xBD\x33\xBC\x07\x48\x30\x0B\x06\x03\x55\x1D\x0F\x04\x04\x03\x02\x01\x06\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x68\x40\xA9\xA8\xBB\xE4\x4F\x5D\x79\xB3\x05\xB5\x17\xB3\x60\x13\xEB\xC6\x92\x5D\xE0\xD1\xD3\x6A\xFE\xFB\xBE\x9B\x6D\xBF\xC7\x05\x6D\x59\x20\xC4\x1C\xF0\xB7\xDA\x84\x58\x02\x63\xFA\x48\x16\xEF\x4F\xA5\x0B\xF7\x4A\x98\xF2\x3F\x9E\x1B\xAD\x47\x6B\x63\xCE\x08\x47\xEB\x52\x3F\x78\x9C\xAF\x4D\xAE\xF8\xD5\x4F\xCF\x9A\x98\x2A\x10\x41\x39\x52\xC4\xDD\xD9\x9B\x0E\xEF\x93\x01\xAE\xB2\x2E\xCA\x68\x42\x24\x42\x6C\xB0\xB3\x3A\x3E\xCD\xE9\xDA\x48\xC4\x15\xCB\xE9\xF9\x07\x0F\x92\x50\x49\x8A\xDD\x31\x97\x5F\xC9\xE9\x37\xAA\x3B\x59\x65\x97\x94\x32\xC9\xB3\x9F\x3E\x3A\x62\x58\xC5\x49\xAD\x62\x0E\x71\xA5\x32\xAA\x2F\xC6\x89\x76\x43\x40\x13\x13\x67\x3D\xA2\x54\x25\x10\xCB\xF1\x3A\xF2\xD9\xFA\xDB\x49\x56\xBB\xA6\xFE\xA7\x41\x35\xC3
\xE0\x88\x61\xC9\x88\xC7\xDF\x36\x10\x22\x98\x59\xEA\xB0\x4A\xFB\x56\x16\x73\x6E\xAC\x4D\xF7\x22\xA1\x4F\xAD\x1D\x7A\x2D\x45\x27\xE5\x30\xC1\x5E\xF2\xDA\x13\xCB\x25\x42\x51\x95\x47\x03\x8C\x6C\x21\xCC\x74\x42\xED\x53\xFF\x33\x8B\x8F\x0F\x57\x01\x16\x2F\xCF\xA6\xEE\xC9\x70\x22\x14\xBD\xFD\xBE\x6C\x0B\x03", ["CN=Sonera Class2 CA,O=Sonera,C=FI"] = "\x30\x82\x03\x20\x30\x82\x02\x08\xA0\x03\x02\x01\x02\x02\x01\x1D\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x39\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x46\x49\x31\x0F\x30\x0D\x06\x03\x55\x04\x0A\x13\x06\x53\x6F\x6E\x65\x72\x61\x31\x19\x30\x17\x06\x03\x55\x04\x03\x13\x10\x53\x6F\x6E\x65\x72\x61\x20\x43\x6C\x61\x73\x73\x32\x20\x43\x41\x30\x1E\x17\x0D\x30\x31\x30\x34\x30\x36\x30\x37\x32\x39\x34\x30\x5A\x17\x0D\x32\x31\x30\x34\x30\x36\x30\x37\x32\x39\x34\x30\x5A\x30\x39\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x46\x49\x31\x0F\x30\x0D\x06\x03\x55\x04\x0A\x13\x06\x53\x6F\x6E\x65\x72\x61\x31\x19\x30\x17\x06\x03\x55\x04\x03\x13\x10\x53\x6F\x6E\x65\x72\x61\x20\x43\x6C\x61\x73\x73\x32\x20\x43\x41\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\x90\x17\x4A\x35\x9D\xCA\xF0\x0D\x96\xC7\x44\xFA\x16\x37\xFC\x48\xBD\xBD\x7F\x80\x2D\x35\x3B\xE1\x6F\xA8\x67\xA9\xBF\x03\x1C\x4D\x8C\x6F\x32\x47\xD5\x41\x68\xA4\x13\x04\xC1\x35\x0C\x9A\x84\x43\xFC\x5C\x1D\xFF\x89\xB3\xE8\x17\x18\xCD\x91\x5F\xFB\x89\xE3\xEA\xBF\x4E\x5D\x7C\x1B\x26\xD3\x75\x79\xED\xE6\x84\xE3\x57\xE5\xAD\x29\xC4\xF4\x3A\x28\xE7\xA5\x7B\x84\x36\x69\xB3\xFD\x5E\x76\xBD\xA3\x2D\x99\xD3\x90\x4E\x23\x28\x7D\x18\x63\xF1\x54\x3B\x26\x9D\x76\x5B\x97\x42\xB2\xFF\xAE\xF0\x4E\xEC\xDD\x39\x95\x4E\x83\x06\x7F\xE7\x49\x40\xC8\xC5\x01\xB2\x54\x5A\x66\x1D\x3D\xFC\xF9\xE9\x3C\x0A\x9E\x81\xB8\x70\xF0\x01\x8B\xE4\x23\x54\x7C\xC8\xAE\xF8\x90\x1E\x00\x96\x72\xD4\x54\xCF\x61\x23\xBC\xEA\xFB\x9D\x02\x95\xD1\xB6\xB9\x71\x3A\x69\x08\x3F\x0F\xB4\xE1\x42\xC7\x88\xF5\x3F\x98\xA8\xA7\xBA\x1C\xE0\x71
\x71\xEF\x58\x57\x81\x50\x7A\x5C\x6B\x74\x46\x0E\x83\x03\x98\xC3\x8E\xA8\x6E\xF2\x76\x32\x6E\x27\x83\xC2\x73\xF3\xDC\x18\xE8\xB4\x93\xEA\x75\x44\x6B\x04\x60\x20\x71\x57\x87\x9D\xF3\xBE\xA0\x90\x23\x3D\x8A\x24\xE1\xDA\x21\xDB\xC3\x02\x03\x01\x00\x01\xA3\x33\x30\x31\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x11\x06\x03\x55\x1D\x0E\x04\x0A\x04\x08\x4A\xA0\xAA\x58\x84\xD3\x5E\x3C\x30\x0B\x06\x03\x55\x1D\x0F\x04\x04\x03\x02\x01\x06\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x5A\xCE\x87\xF9\x16\x72\x15\x57\x4B\x1D\xD9\x9B\xE7\xA2\x26\x30\xEC\x93\x67\xDF\xD6\x2D\xD2\x34\xAF\xF7\x38\xA5\xCE\xAB\x16\xB9\xAB\x2F\x7C\x35\xCB\xAC\xD0\x0F\xB4\x4C\x2B\xFC\x80\xEF\x6B\x8C\x91\x5F\x36\x76\xF7\xDB\xB3\x1B\x19\xEA\xF4\xB2\x11\xFD\x61\x71\x44\xBF\x28\xB3\x3A\x1D\xBF\xB3\x43\xE8\x9F\xBF\xDC\x31\x08\x71\xB0\x9D\x8D\xD6\x34\x47\x32\x90\xC6\x65\x24\xF7\xA0\x4A\x7C\x04\x73\x8F\x39\x6F\x17\x8C\x72\xB5\xBD\x4B\xC8\x7A\xF8\x7B\x83\xC3\x28\x4E\x9C\x09\xEA\x67\x3F\xB2\x67\x04\x1B\xC3\x14\xDA\xF8\xE7\x49\x24\x91\xD0\x1D\x6A\xFA\x61\x39\xEF\x6B\xE7\x21\x75\x06\x07\xD8\x12\xB4\x21\x20\x70\x42\x71\x81\xDA\x3C\x9A\x36\xBE\xA6\x5B\x0D\x6A\x6C\x9A\x1F\x91\x7B\xF9\xF9\xEF\x42\xBA\x4E\x4E\x9E\xCC\x0C\x8D\x94\xDC\xD9\x45\x9C\x5E\xEC\x42\x50\x63\xAE\xF4\x5D\xC4\xB1\x12\xDC\xCA\x3B\xA8\x2E\x9D\x14\x5A\x05\x75\xB7\xEC\xD7\x63\xE2\xBA\x35\xB6\x04\x08\x91\xE8\xDA\x9D\x9C\xF6\x66\xB5\x18\xAC\x0A\xA6\x54\x26\x34\x33\xD2\x1B\xC1\xD4\x7F\x1A\x3A\x8E\x0B\xAA\x32\x6E\xDB\xFC\x4F\x25\x9F\xD9\x32\xC7\x96\x5A\x70\xAC\xDF\x4C", - ["CN=UTN-USERFirst-Hardware,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US"] = 
"\x30\x82\x04\x74\x30\x82\x03\x5C\xA0\x03\x02\x01\x02\x02\x10\x44\xBE\x0C\x8B\x50\x00\x24\xB4\x11\xD3\x36\x2A\xFE\x65\x0A\xFD\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x81\x97\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x0B\x30\x09\x06\x03\x55\x04\x08\x13\x02\x55\x54\x31\x17\x30\x15\x06\x03\x55\x04\x07\x13\x0E\x53\x61\x6C\x74\x20\x4C\x61\x6B\x65\x20\x43\x69\x74\x79\x31\x1E\x30\x1C\x06\x03\x55\x04\x0A\x13\x15\x54\x68\x65\x20\x55\x53\x45\x52\x54\x52\x55\x53\x54\x20\x4E\x65\x74\x77\x6F\x72\x6B\x31\x21\x30\x1F\x06\x03\x55\x04\x0B\x13\x18\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x75\x73\x65\x72\x74\x72\x75\x73\x74\x2E\x63\x6F\x6D\x31\x1F\x30\x1D\x06\x03\x55\x04\x03\x13\x16\x55\x54\x4E\x2D\x55\x53\x45\x52\x46\x69\x72\x73\x74\x2D\x48\x61\x72\x64\x77\x61\x72\x65\x30\x1E\x17\x0D\x39\x39\x30\x37\x30\x39\x31\x38\x31\x30\x34\x32\x5A\x17\x0D\x31\x39\x30\x37\x30\x39\x31\x38\x31\x39\x32\x32\x5A\x30\x81\x97\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x0B\x30\x09\x06\x03\x55\x04\x08\x13\x02\x55\x54\x31\x17\x30\x15\x06\x03\x55\x04\x07\x13\x0E\x53\x61\x6C\x74\x20\x4C\x61\x6B\x65\x20\x43\x69\x74\x79\x31\x1E\x30\x1C\x06\x03\x55\x04\x0A\x13\x15\x54\x68\x65\x20\x55\x53\x45\x52\x54\x52\x55\x53\x54\x20\x4E\x65\x74\x77\x6F\x72\x6B\x31\x21\x30\x1F\x06\x03\x55\x04\x0B\x13\x18\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x75\x73\x65\x72\x74\x72\x75\x73\x74\x2E\x63\x6F\x6D\x31\x1F\x30\x1D\x06\x03\x55\x04\x03\x13\x16\x55\x54\x4E\x2D\x55\x53\x45\x52\x46\x69\x72\x73\x74\x2D\x48\x61\x72\x64\x77\x61\x72\x65\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xB1\xF7\xC3\x38\x3F\xB4\xA8\x7F\xCF\x39\x82\x51\x67\xD0\x6D\x9F\xD2\xFF\x58\xF3\xE7\x9F\x2B\xEC\x0D\x89\x54\x99\xB9\x38\x99\x16\xF7\xE0\x21\x79\x48\xC2\xBB\x61\x74\x12\x96\x1D\x3C\x6A\x72\xD5\x3C\x10\x67\x3A\x39\xED\x2B\x13\xCD\x66\xEB\x95\x09\x33\xA4\x6C\x97\xB1\xE8\xC6\xEC\xC1\x75\x79\x9C\x46\x5E\x8D\xAB\xD0\x6A\xFD\xB
9\x2A\x55\x17\x10\x54\xB3\x19\xF0\x9A\xF6\xF1\xB1\x5D\xB6\xA7\x6D\xFB\xE0\x71\x17\x6B\xA2\x88\xFB\x00\xDF\xFE\x1A\x31\x77\x0C\x9A\x01\x7A\xB1\x32\xE3\x2B\x01\x07\x38\x6E\xC3\xA5\x5E\x23\xBC\x45\x9B\x7B\x50\xC1\xC9\x30\x8F\xDB\xE5\x2B\x7A\xD3\x5B\xFB\x33\x40\x1E\xA0\xD5\x98\x17\xBC\x8B\x87\xC3\x89\xD3\x5D\xA0\x8E\xB2\xAA\xAA\xF6\x8E\x69\x88\x06\xC5\xFA\x89\x21\xF3\x08\x9D\x69\x2E\x09\x33\x9B\x29\x0D\x46\x0F\x8C\xCC\x49\x34\xB0\x69\x51\xBD\xF9\x06\xCD\x68\xAD\x66\x4C\xBC\x3E\xAC\x61\xBD\x0A\x88\x0E\xC8\xDF\x3D\xEE\x7C\x04\x4C\x9D\x0A\x5E\x6B\x91\xD6\xEE\xC7\xED\x28\x8D\xAB\x4D\x87\x89\x73\xD0\x6E\xA4\xD0\x1E\x16\x8B\x14\xE1\x76\x44\x03\x7F\x63\xAC\xE4\xCD\x49\x9C\xC5\x92\xF4\xAB\x32\xA1\x48\x5B\x02\x03\x01\x00\x01\xA3\x81\xB9\x30\x81\xB6\x30\x0B\x06\x03\x55\x1D\x0F\x04\x04\x03\x02\x01\xC6\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xA1\x72\x5F\x26\x1B\x28\x98\x43\x95\x5D\x07\x37\xD5\x85\x96\x9D\x4B\xD2\xC3\x45\x30\x44\x06\x03\x55\x1D\x1F\x04\x3D\x30\x3B\x30\x39\xA0\x37\xA0\x35\x86\x33\x68\x74\x74\x70\x3A\x2F\x2F\x63\x72\x6C\x2E\x75\x73\x65\x72\x74\x72\x75\x73\x74\x2E\x63\x6F\x6D\x2F\x55\x54\x4E\x2D\x55\x53\x45\x52\x46\x69\x72\x73\x74\x2D\x48\x61\x72\x64\x77\x61\x72\x65\x2E\x63\x72\x6C\x30\x31\x06\x03\x55\x1D\x25\x04\x2A\x30\x28\x06\x08\x2B\x06\x01\x05\x05\x07\x03\x01\x06\x08\x2B\x06\x01\x05\x05\x07\x03\x05\x06\x08\x2B\x06\x01\x05\x05\x07\x03\x06\x06\x08\x2B\x06\x01\x05\x05\x07\x03\x07\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x47\x19\x0F\xDE\x74\xC6\x99\x97\xAF\xFC\xAD\x28\x5E\x75\x8E\xEB\x2D\x67\xEE\x4E\x7B\x2B\xD7\x0C\xFF\xF6\xDE\xCB\x55\xA2\x0A\xE1\x4C\x54\x65\x93\x60\x6B\x9F\x12\x9C\xAD\x5E\x83\x2C\xEB\x5A\xAE\xC0\xE4\x2D\xF4\x00\x63\x1D\xB8\xC0\x6C\xF2\xCF\x49\xBB\x4D\x93\x6F\x06\xA6\x0A\x22\xB2\x49\x62\x08\x4E\xFF\xC8\xC8\x14\xB2\x88\x16\x5D\xE7\x01\xE4\x12\x95\xE5\x45\x34\xB3\x8B\x69\xBD\xCF\xB4\x85\x8F\x75\x51\x9E\x7D\x3A\x38\x3A\x14\x48\x12\xC6\xFB\xA7\x3
B\x1A\x8D\x0D\x82\x40\x07\xE8\x04\x08\x90\xA1\x89\xCB\x19\x50\xDF\xCA\x1C\x01\xBC\x1D\x04\x19\x7B\x10\x76\x97\x3B\xEE\x90\x90\xCA\xC4\x0E\x1F\x16\x6E\x75\xEF\x33\xF8\xD3\x6F\x5B\x1E\x96\xE3\xE0\x74\x77\x74\x7B\x8A\xA2\x6E\x2D\xDD\x76\xD6\x39\x30\x82\xF0\xAB\x9C\x52\xF2\x2A\xC7\xAF\x49\x5E\x7E\xC7\x68\xE5\x82\x81\xC8\x6A\x27\xF9\x27\x88\x2A\xD5\x58\x50\x95\x1F\xF0\x3B\x1C\x57\xBB\x7D\x14\x39\x62\x2B\x9A\xC9\x94\x92\x2A\xA3\x22\x0C\xFF\x89\x26\x7D\x5F\x23\x2B\x47\xD7\x15\x1D\xA9\x6A\x9E\x51\x0D\x2A\x51\x9E\x81\xF9\xD4\x3B\x5E\x70\x12\x7F\x10\x32\x9C\x1E\xBB\x9D\xF8\x66\xA8", - ["CN=Chambers of Commerce Root,OU=http://www.chambersign.org,O=AC Camerfirma SA CIF A82743287,C=EU"] = "\x30\x82\x04\xBD\x30\x82\x03\xA5\xA0\x03\x02\x01\x02\x02\x01\x00\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x7F\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x45\x55\x31\x27\x30\x25\x06\x03\x55\x04\x0A\x13\x1E\x41\x43\x20\x43\x61\x6D\x65\x72\x66\x69\x72\x6D\x61\x20\x53\x41\x20\x43\x49\x46\x20\x41\x38\x32\x37\x34\x33\x32\x38\x37\x31\x23\x30\x21\x06\x03\x55\x04\x0B\x13\x1A\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x63\x68\x61\x6D\x62\x65\x72\x73\x69\x67\x6E\x2E\x6F\x72\x67\x31\x22\x30\x20\x06\x03\x55\x04\x03\x13\x19\x43\x68\x61\x6D\x62\x65\x72\x73\x20\x6F\x66\x20\x43\x6F\x6D\x6D\x65\x72\x63\x65\x20\x52\x6F\x6F\x74\x30\x1E\x17\x0D\x30\x33\x30\x39\x33\x30\x31\x36\x31\x33\x34\x33\x5A\x17\x0D\x33\x37\x30\x39\x33\x30\x31\x36\x31\x33\x34\x34\x5A\x30\x7F\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x45\x55\x31\x27\x30\x25\x06\x03\x55\x04\x0A\x13\x1E\x41\x43\x20\x43\x61\x6D\x65\x72\x66\x69\x72\x6D\x61\x20\x53\x41\x20\x43\x49\x46\x20\x41\x38\x32\x37\x34\x33\x32\x38\x37\x31\x23\x30\x21\x06\x03\x55\x04\x0B\x13\x1A\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x63\x68\x61\x6D\x62\x65\x72\x73\x69\x67\x6E\x2E\x6F\x72\x67\x31\x22\x30\x20\x06\x03\x55\x04\x03\x13\x19\x43\x68\x61\x6D\x62\x65\x72\x73\x20\x6F\x66\x20\x43\x6F\x6D\x6D\x65\x72\x63\x65\x20\x52\x6F\x6F\x74\x30\x82\x01\x20\x30\x0D\x06\x
09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0D\x00\x30\x82\x01\x08\x02\x82\x01\x01\x00\xB7\x36\x55\xE5\xA5\x5D\x18\x30\xE0\xDA\x89\x54\x91\xFC\xC8\xC7\x52\xF8\x2F\x50\xD9\xEF\xB1\x75\x73\x65\x47\x7D\x1B\x5B\xBA\x75\xC5\xFC\xA1\x88\x24\xFA\x2F\xED\xCA\x08\x4A\x39\x54\xC4\x51\x7A\xB5\xDA\x60\xEA\x38\x3C\x81\xB2\xCB\xF1\xBB\xD9\x91\x23\x3F\x48\x01\x70\x75\xA9\x05\x2A\xAD\x1F\x71\xF3\xC9\x54\x3D\x1D\x06\x6A\x40\x3E\xB3\x0C\x85\xEE\x5C\x1B\x79\xC2\x62\xC4\xB8\x36\x8E\x35\x5D\x01\x0C\x23\x04\x47\x35\xAA\x9B\x60\x4E\xA0\x66\x3D\xCB\x26\x0A\x9C\x40\xA1\xF4\x5D\x98\xBF\x71\xAB\xA5\x00\x68\x2A\xED\x83\x7A\x0F\xA2\x14\xB5\xD4\x22\xB3\x80\xB0\x3C\x0C\x5A\x51\x69\x2D\x58\x18\x8F\xED\x99\x9E\xF1\xAE\xE2\x95\xE6\xF6\x47\xA8\xD6\x0C\x0F\xB0\x58\x58\xDB\xC3\x66\x37\x9E\x9B\x91\x54\x33\x37\xD2\x94\x1C\x6A\x48\xC9\xC9\xF2\xA5\xDA\xA5\x0C\x23\xF7\x23\x0E\x9C\x32\x55\x5E\x71\x9C\x84\x05\x51\x9A\x2D\xFD\xE6\x4E\x2A\x34\x5A\xDE\xCA\x40\x37\x67\x0C\x54\x21\x55\x77\xDA\x0A\x0C\xCC\x97\xAE\x80\xDC\x94\x36\x4A\xF4\x3E\xCE\x36\x13\x1E\x53\xE4\xAC\x4E\x3A\x05\xEC\xDB\xAE\x72\x9C\x38\x8B\xD0\x39\x3B\x89\x0A\x3E\x77\xFE\x75\x02\x01\x03\xA3\x82\x01\x44\x30\x82\x01\x40\x30\x12\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x08\x30\x06\x01\x01\xFF\x02\x01\x0C\x30\x3C\x06\x03\x55\x1D\x1F\x04\x35\x30\x33\x30\x31\xA0\x2F\xA0\x2D\x86\x2B\x68\x74\x74\x70\x3A\x2F\x2F\x63\x72\x6C\x2E\x63\x68\x61\x6D\x62\x65\x72\x73\x69\x67\x6E\x2E\x6F\x72\x67\x2F\x63\x68\x61\x6D\x62\x65\x72\x73\x72\x6F\x6F\x74\x2E\x63\x72\x6C\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xE3\x94\xF5\xB1\x4D\xE9\xDB\xA1\x29\x5B\x57\x8B\x4D\x76\x06\x76\xE1\xD1\xA2\x8A\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x11\x06\x09\x60\x86\x48\x01\x86\xF8\x42\x01\x01\x04\x04\x03\x02\x00\x07\x30\x27\x06\x03\x55\x1D\x11\x04\x20\x30\x1E\x81\x1C\x63\x68\x61\x6D\x62\x65\x72\x73\x72\x6F\x6F\x74\x40\x63\x68\x61\x6D\x62\x65\x72\x73\x69\x67\x6E\x2E\x6F\x72\x67\x30\x27\x06\x03\x55\x1D\x12\x04\x20\x30\x1E\x81\x1C\x63\x68\x61\x6D\x62\x
65\x72\x73\x72\x6F\x6F\x74\x40\x63\x68\x61\x6D\x62\x65\x72\x73\x69\x67\x6E\x2E\x6F\x72\x67\x30\x58\x06\x03\x55\x1D\x20\x04\x51\x30\x4F\x30\x4D\x06\x0B\x2B\x06\x01\x04\x01\x81\x87\x2E\x0A\x03\x01\x30\x3E\x30\x3C\x06\x08\x2B\x06\x01\x05\x05\x07\x02\x01\x16\x30\x68\x74\x74\x70\x3A\x2F\x2F\x63\x70\x73\x2E\x63\x68\x61\x6D\x62\x65\x72\x73\x69\x67\x6E\x2E\x6F\x72\x67\x2F\x63\x70\x73\x2F\x63\x68\x61\x6D\x62\x65\x72\x73\x72\x6F\x6F\x74\x2E\x68\x74\x6D\x6C\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x0C\x41\x97\xC2\x1A\x86\xC0\x22\x7C\x9F\xFB\x90\xF3\x1A\xD1\x03\xB1\xEF\x13\xF9\x21\x5F\x04\x9C\xDA\xC9\xA5\x8D\x27\x6C\x96\x87\x91\xBE\x41\x90\x01\x72\x93\xE7\x1E\x7D\x5F\xF6\x89\xC6\x5D\xA7\x40\x09\x3D\xAC\x49\x45\x45\xDC\x2E\x8D\x30\x68\xB2\x09\xBA\xFB\xC3\x2F\xCC\xBA\x0B\xDF\x3F\x77\x7B\x46\x7D\x3A\x12\x24\x8E\x96\x8F\x3C\x05\x0A\x6F\xD2\x94\x28\x1D\x6D\x0C\xC0\x2E\x88\x22\xD5\xD8\xCF\x1D\x13\xC7\xF0\x48\xD7\xD7\x05\xA7\xCF\xC7\x47\x9E\x3B\x3C\x34\xC8\x80\x4F\xD4\x14\xBB\xFC\x0D\x50\xF7\xFA\xB3\xEC\x42\x5F\xA9\xDD\x6D\xC8\xF4\x75\xCF\x7B\xC1\x72\x26\xB1\x01\x1C\x5C\x2C\xFD\x7A\x4E\xB4\x01\xC5\x05\x57\xB9\xE7\x3C\xAA\x05\xD9\x88\xE9\x07\x46\x41\xCE\xEF\x41\x81\xAE\x58\xDF\x83\xA2\xAE\xCA\xD7\x77\x1F\xE7\x00\x3C\x9D\x6F\x8E\xE4\x32\x09\x1D\x4D\x78\x34\x78\x34\x3C\x94\x9B\x26\xED\x4F\x71\xC6\x19\x7A\xBD\x20\x22\x48\x5A\xFE\x4B\x7D\x03\xB7\xE7\x58\xBE\xC6\x32\x4E\x74\x1E\x68\xDD\xA8\x68\x5B\xB3\x3E\xEE\x62\x7D\xD9\x80\xE8\x0A\x75\x7A\xB7\xEE\xB4\x65\x9A\x21\x90\xE0\xAA\xD0\x98\xBC\x38\xB5\x73\x3C\x8B\xF8\xDC", - ["CN=Global Chambersign Root,OU=http://www.chambersign.org,O=AC Camerfirma SA CIF A82743287,C=EU"] = 
"\x30\x82\x04\xC5\x30\x82\x03\xAD\xA0\x03\x02\x01\x02\x02\x01\x00\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x7D\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x45\x55\x31\x27\x30\x25\x06\x03\x55\x04\x0A\x13\x1E\x41\x43\x20\x43\x61\x6D\x65\x72\x66\x69\x72\x6D\x61\x20\x53\x41\x20\x43\x49\x46\x20\x41\x38\x32\x37\x34\x33\x32\x38\x37\x31\x23\x30\x21\x06\x03\x55\x04\x0B\x13\x1A\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x63\x68\x61\x6D\x62\x65\x72\x73\x69\x67\x6E\x2E\x6F\x72\x67\x31\x20\x30\x1E\x06\x03\x55\x04\x03\x13\x17\x47\x6C\x6F\x62\x61\x6C\x20\x43\x68\x61\x6D\x62\x65\x72\x73\x69\x67\x6E\x20\x52\x6F\x6F\x74\x30\x1E\x17\x0D\x30\x33\x30\x39\x33\x30\x31\x36\x31\x34\x31\x38\x5A\x17\x0D\x33\x37\x30\x39\x33\x30\x31\x36\x31\x34\x31\x38\x5A\x30\x7D\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x45\x55\x31\x27\x30\x25\x06\x03\x55\x04\x0A\x13\x1E\x41\x43\x20\x43\x61\x6D\x65\x72\x66\x69\x72\x6D\x61\x20\x53\x41\x20\x43\x49\x46\x20\x41\x38\x32\x37\x34\x33\x32\x38\x37\x31\x23\x30\x21\x06\x03\x55\x04\x0B\x13\x1A\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x63\x68\x61\x6D\x62\x65\x72\x73\x69\x67\x6E\x2E\x6F\x72\x67\x31\x20\x30\x1E\x06\x03\x55\x04\x03\x13\x17\x47\x6C\x6F\x62\x61\x6C\x20\x43\x68\x61\x6D\x62\x65\x72\x73\x69\x67\x6E\x20\x52\x6F\x6F\x74\x30\x82\x01\x20\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0D\x00\x30\x82\x01\x08\x02\x82\x01\x01\x00\xA2\x70\xA2\xD0\x9F\x42\xAE\x5B\x17\xC7\xD8\x7D\xCF\x14\x83\xFC\x4F\xC9\xA1\xB7\x13\xAF\x8A\xD7\x9E\x3E\x04\x0A\x92\x8B\x60\x56\xFA\xB4\x32\x2F\x88\x4D\xA1\x60\x08\xF4\xB7\x09\x4E\xA0\x49\x2F\x49\xD6\xD3\xDF\x9D\x97\x5A\x9F\x94\x04\x70\xEC\x3F\x59\xD9\xB7\xCC\x66\x8B\x98\x52\x28\x09\x02\xDF\xC5\x2F\x84\x8D\x7A\x97\x77\xBF\xEC\x40\x9D\x25\x72\xAB\xB5\x3F\x32\x98\xFB\xB7\xB7\xFC\x72\x84\xE5\x35\x87\xF9\x55\xFA\xA3\x1F\x0E\x6F\x2E\x28\xDD\x69\xA0\xD9\x42\x10\xC6\xF8\xB5\x44\xC2\xD0\x43\x7F\xDB\xBC\xE4\xA2\x3C\x6A\x55\x78\x0A\x77\xA9\xD8\xEA\x19\x32\xB7\x2F\xFE\x5C\x3F\x1B\xEE\xB1\x98\xEC\xCA\xA
D\x7A\x69\x45\xE3\x96\x0F\x55\xF6\xE6\xED\x75\xEA\x65\xE8\x32\x56\x93\x46\x89\xA8\x25\x8A\x65\x06\xEE\x6B\xBF\x79\x07\xD0\xF1\xB7\xAF\xED\x2C\x4D\x92\xBB\xC0\xA8\x5F\xA7\x67\x7D\x04\xF2\x15\x08\x70\xAC\x92\xD6\x7D\x04\xD2\x33\xFB\x4C\xB6\x0B\x0B\xFB\x1A\xC9\xC4\x8D\x03\xA9\x7E\x5C\xF2\x50\xAB\x12\xA5\xA1\xCF\x48\x50\xA5\xEF\xD2\xC8\x1A\x13\xFA\xB0\x7F\xB1\x82\x1C\x77\x6A\x0F\x5F\xDC\x0B\x95\x8F\xEF\x43\x7E\xE6\x45\x09\x25\x02\x01\x03\xA3\x82\x01\x50\x30\x82\x01\x4C\x30\x12\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x08\x30\x06\x01\x01\xFF\x02\x01\x0C\x30\x3F\x06\x03\x55\x1D\x1F\x04\x38\x30\x36\x30\x34\xA0\x32\xA0\x30\x86\x2E\x68\x74\x74\x70\x3A\x2F\x2F\x63\x72\x6C\x2E\x63\x68\x61\x6D\x62\x65\x72\x73\x69\x67\x6E\x2E\x6F\x72\x67\x2F\x63\x68\x61\x6D\x62\x65\x72\x73\x69\x67\x6E\x72\x6F\x6F\x74\x2E\x63\x72\x6C\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x43\x9C\x36\x9F\xB0\x9E\x30\x4D\xC6\xCE\x5F\xAD\x10\xAB\xE5\x03\xA5\xFA\xA9\x14\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x11\x06\x09\x60\x86\x48\x01\x86\xF8\x42\x01\x01\x04\x04\x03\x02\x00\x07\x30\x2A\x06\x03\x55\x1D\x11\x04\x23\x30\x21\x81\x1F\x63\x68\x61\x6D\x62\x65\x72\x73\x69\x67\x6E\x72\x6F\x6F\x74\x40\x63\x68\x61\x6D\x62\x65\x72\x73\x69\x67\x6E\x2E\x6F\x72\x67\x30\x2A\x06\x03\x55\x1D\x12\x04\x23\x30\x21\x81\x1F\x63\x68\x61\x6D\x62\x65\x72\x73\x69\x67\x6E\x72\x6F\x6F\x74\x40\x63\x68\x61\x6D\x62\x65\x72\x73\x69\x67\x6E\x2E\x6F\x72\x67\x30\x5B\x06\x03\x55\x1D\x20\x04\x54\x30\x52\x30\x50\x06\x0B\x2B\x06\x01\x04\x01\x81\x87\x2E\x0A\x01\x01\x30\x41\x30\x3F\x06\x08\x2B\x06\x01\x05\x05\x07\x02\x01\x16\x33\x68\x74\x74\x70\x3A\x2F\x2F\x63\x70\x73\x2E\x63\x68\x61\x6D\x62\x65\x72\x73\x69\x67\x6E\x2E\x6F\x72\x67\x2F\x63\x70\x73\x2F\x63\x68\x61\x6D\x62\x65\x72\x73\x69\x67\x6E\x72\x6F\x6F\x74\x2E\x68\x74\x6D\x6C\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x3C\x3B\x70\x91\xF9\x04\x54\x27\x91\xE1\xED\xED\xFE\x68\x7F\x61\x5D\xE5\x41\x65\x4F\x32\xF1\x18\x05\x94\x6A\x1C\xDE\x1F\x7
0\xDB\x3E\x7B\x32\x02\x34\xB5\x0C\x6C\xA1\x8A\x7C\xA5\xF4\x8F\xFF\xD4\xD8\xAD\x17\xD5\x2D\x04\xD1\x3F\x58\x80\xE2\x81\x59\x88\xBE\xC0\xE3\x46\x93\x24\xFE\x90\xBD\x26\xA2\x30\x2D\xE8\x97\x26\x57\x35\x89\x74\x96\x18\xF6\x15\xE2\xAF\x24\x19\x56\x02\x02\xB2\xBA\x0F\x14\xEA\xC6\x8A\x66\xC1\x86\x45\x55\x8B\xBE\x92\xBE\x9C\xA4\x04\xC7\x49\x3C\x9E\xE8\x29\x7A\x89\xD7\xFE\xAF\xFF\x68\xF5\xA5\x17\x90\xBD\xAC\x99\xCC\xA5\x86\x57\x09\x67\x46\xDB\xD6\x16\xC2\x46\xF1\xE4\xA9\x50\xF5\x8F\xD1\x92\x15\xD3\x5F\x3E\xC6\x00\x49\x3A\x6E\x58\xB2\xD1\xD1\x27\x0D\x25\xC8\x32\xF8\x20\x11\xCD\x7D\x32\x33\x48\x94\x54\x4C\xDD\xDC\x79\xC4\x30\x9F\xEB\x8E\xB8\x55\xB5\xD7\x88\x5C\xC5\x6A\x24\x3D\xB2\xD3\x05\x03\x51\xC6\x07\xEF\xCC\x14\x72\x74\x3D\x6E\x72\xCE\x18\x28\x8C\x4A\xA0\x77\xE5\x09\x2B\x45\x44\x47\xAC\xB7\x67\x7F\x01\x8A\x05\x5A\x93\xBE\xA1\xC1\xFF\xF8\xE7\x0E\x67\xA4\x47\x49\x76\x5D\x75\x90\x1A\xF5\x26\x8F\xF0", ["CN=XRamp Global Certification Authority,O=XRamp Security Services Inc,OU=www.xrampsecurity.com,C=US"] = 
"\x30\x82\x04\x30\x30\x82\x03\x18\xA0\x03\x02\x01\x02\x02\x10\x50\x94\x6C\xEC\x18\xEA\xD5\x9C\x4D\xD5\x97\xEF\x75\x8F\xA0\xAD\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x81\x82\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x1E\x30\x1C\x06\x03\x55\x04\x0B\x13\x15\x77\x77\x77\x2E\x78\x72\x61\x6D\x70\x73\x65\x63\x75\x72\x69\x74\x79\x2E\x63\x6F\x6D\x31\x24\x30\x22\x06\x03\x55\x04\x0A\x13\x1B\x58\x52\x61\x6D\x70\x20\x53\x65\x63\x75\x72\x69\x74\x79\x20\x53\x65\x72\x76\x69\x63\x65\x73\x20\x49\x6E\x63\x31\x2D\x30\x2B\x06\x03\x55\x04\x03\x13\x24\x58\x52\x61\x6D\x70\x20\x47\x6C\x6F\x62\x61\x6C\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x1E\x17\x0D\x30\x34\x31\x31\x30\x31\x31\x37\x31\x34\x30\x34\x5A\x17\x0D\x33\x35\x30\x31\x30\x31\x30\x35\x33\x37\x31\x39\x5A\x30\x81\x82\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x1E\x30\x1C\x06\x03\x55\x04\x0B\x13\x15\x77\x77\x77\x2E\x78\x72\x61\x6D\x70\x73\x65\x63\x75\x72\x69\x74\x79\x2E\x63\x6F\x6D\x31\x24\x30\x22\x06\x03\x55\x04\x0A\x13\x1B\x58\x52\x61\x6D\x70\x20\x53\x65\x63\x75\x72\x69\x74\x79\x20\x53\x65\x72\x76\x69\x63\x65\x73\x20\x49\x6E\x63\x31\x2D\x30\x2B\x06\x03\x55\x04\x03\x13\x24\x58\x52\x61\x6D\x70\x20\x47\x6C\x6F\x62\x61\x6C\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\x98\x24\x1E\xBD\x15\xB4\xBA\xDF\xC7\x8C\xA5\x27\xB6\x38\x0B\x69\xF3\xB6\x4E\xA8\x2C\x2E\x21\x1D\x5C\x44\xDF\x21\x5D\x7E\x23\x74\xFE\x5E\x7E\xB4\x4A\xB7\xA6\xAD\x1F\xAE\xE0\x06\x16\xE2\x9B\x5B\xD9\x67\x74\x6B\x5D\x80\x8F\x29\x9D\x86\x1B\xD9\x9C\x0D\x98\x6D\x76\x10\x28\x58\xE4\x65\xB0\x7F\x4A\x98\x79\x9F\xE0\xC3\x31\x7E\x80\x2B\xB5\x8C\xC0\x40\x3B\x11\x86\xD0\xCB\xA2\x86\x36\x60\xA4\xD5\x30\x82\x6D\xD9\x6E\xD0\x0F\x12\x04\x33\x97\x5F\x4F\x61\x5A\xF0\xE4\xF9\x91\xAB\xE7\x1D\x3B\xBC\xE8\xC
F\xF4\x6B\x2D\x34\x7C\xE2\x48\x61\x1C\x8E\xF3\x61\x44\xCC\x6F\xA0\x4A\xA9\x94\xB0\x4D\xDA\xE7\xA9\x34\x7A\x72\x38\xA8\x41\xCC\x3C\x94\x11\x7D\xEB\xC8\xA6\x8C\xB7\x86\xCB\xCA\x33\x3B\xD9\x3D\x37\x8B\xFB\x7A\x3E\x86\x2C\xE7\x73\xD7\x0A\x57\xAC\x64\x9B\x19\xEB\xF4\x0F\x04\x08\x8A\xAC\x03\x17\x19\x64\xF4\x5A\x25\x22\x8D\x34\x2C\xB2\xF6\x68\x1D\x12\x6D\xD3\x8A\x1E\x14\xDA\xC4\x8F\xA6\xE2\x23\x85\xD5\x7A\x0D\xBD\x6A\xE0\xE9\xEC\xEC\x17\xBB\x42\x1B\x67\xAA\x25\xED\x45\x83\x21\xFC\xC1\xC9\x7C\xD5\x62\x3E\xFA\xF2\xC5\x2D\xD3\xFD\xD4\x65\x02\x03\x01\x00\x01\xA3\x81\x9F\x30\x81\x9C\x30\x13\x06\x09\x2B\x06\x01\x04\x01\x82\x37\x14\x02\x04\x06\x1E\x04\x00\x43\x00\x41\x30\x0B\x06\x03\x55\x1D\x0F\x04\x04\x03\x02\x01\x86\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xC6\x4F\xA2\x3D\x06\x63\x84\x09\x9C\xCE\x62\xE4\x04\xAC\x8D\x5C\xB5\xE9\xB6\x1B\x30\x36\x06\x03\x55\x1D\x1F\x04\x2F\x30\x2D\x30\x2B\xA0\x29\xA0\x27\x86\x25\x68\x74\x74\x70\x3A\x2F\x2F\x63\x72\x6C\x2E\x78\x72\x61\x6D\x70\x73\x65\x63\x75\x72\x69\x74\x79\x2E\x63\x6F\x6D\x2F\x58\x47\x43\x41\x2E\x63\x72\x6C\x30\x10\x06\x09\x2B\x06\x01\x04\x01\x82\x37\x15\x01\x04\x03\x02\x01\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x91\x15\x39\x03\x01\x1B\x67\xFB\x4A\x1C\xF9\x0A\x60\x5B\xA1\xDA\x4D\x97\x62\xF9\x24\x53\x27\xD7\x82\x64\x4E\x90\x2E\xC3\x49\x1B\x2B\x9A\xDC\xFC\xA8\x78\x67\x35\xF1\x1D\xF0\x11\xBD\xB7\x48\xE3\x10\xF6\x0D\xDF\x3F\xD2\xC9\xB6\xAA\x55\xA4\x48\xBA\x02\xDB\xDE\x59\x2E\x15\x5B\x3B\x9D\x16\x7D\x47\xD7\x37\xEA\x5F\x4D\x76\x12\x36\xBB\x1F\xD7\xA1\x81\x04\x46\x20\xA3\x2C\x6D\xA9\x9E\x01\x7E\x3F\x29\xCE\x00\x93\xDF\xFD\xC9\x92\x73\x89\x89\x64\x9E\xE7\x2B\xE4\x1C\x91\x2C\xD2\xB9\xCE\x7D\xCE\x6F\x31\x99\xD3\xE6\xBE\xD2\x1E\x90\xF0\x09\x14\x79\x5C\x23\xAB\x4D\xD2\xDA\x21\x1F\x4D\x99\x79\x9D\xE1\xCF\x27\x9F\x10\x9B\x1C\x88\x0D\xB0\x8A\x64\x41\x31\xB8\x0E\x6C\x90\x24\xA4\x9B\x5C\x71\x8F\xBA\xBB\x7E\x1C\x1B\xDB\x6A\x80\x0F\x2
1\xBC\xE9\xDB\xA6\xB7\x40\xF4\xB2\x8B\xA9\xB1\xE4\xEF\x9A\x1A\xD0\x3D\x69\x99\xEE\xA8\x28\xA3\xE1\x3C\xB3\xF0\xB2\x11\x9C\xCF\x7C\x40\xE6\xDD\xE7\x43\x7D\xA2\xD8\x3A\xB5\xA9\x8D\xF2\x34\x99\xC4\xD4\x10\xE1\x06\xFD\x09\x84\x10\x3B\xEE\xC4\x4C\xF4\xEC\x27\x7C\x42\xC2\x74\x7C\x82\x8A\x09\xC9\xB4\x03\x25\xBC", ["OU=Go Daddy Class 2 Certification Authority,O=The Go Daddy Group\, Inc.,C=US"] = "\x30\x82\x04\x00\x30\x82\x02\xE8\xA0\x03\x02\x01\x02\x02\x01\x00\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x63\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x21\x30\x1F\x06\x03\x55\x04\x0A\x13\x18\x54\x68\x65\x20\x47\x6F\x20\x44\x61\x64\x64\x79\x20\x47\x72\x6F\x75\x70\x2C\x20\x49\x6E\x63\x2E\x31\x31\x30\x2F\x06\x03\x55\x04\x0B\x13\x28\x47\x6F\x20\x44\x61\x64\x64\x79\x20\x43\x6C\x61\x73\x73\x20\x32\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x1E\x17\x0D\x30\x34\x30\x36\x32\x39\x31\x37\x30\x36\x32\x30\x5A\x17\x0D\x33\x34\x30\x36\x32\x39\x31\x37\x30\x36\x32\x30\x5A\x30\x63\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x21\x30\x1F\x06\x03\x55\x04\x0A\x13\x18\x54\x68\x65\x20\x47\x6F\x20\x44\x61\x64\x64\x79\x20\x47\x72\x6F\x75\x70\x2C\x20\x49\x6E\x63\x2E\x31\x31\x30\x2F\x06\x03\x55\x04\x0B\x13\x28\x47\x6F\x20\x44\x61\x64\x64\x79\x20\x43\x6C\x61\x73\x73\x20\x32\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x82\x01\x20\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0D\x00\x30\x82\x01\x08\x02\x82\x01\x01\x00\xDE\x9D\xD7\xEA\x57\x18\x49\xA1\x5B\xEB\xD7\x5F\x48\x86\xEA\xBE\xDD\xFF\xE4\xEF\x67\x1C\xF4\x65\x68\xB3\x57\x71\xA0\x5E\x77\xBB\xED\x9B\x49\xE9\x70\x80\x3D\x56\x18\x63\x08\x6F\xDA\xF2\xCC\xD0\x3F\x7F\x02\x54\x22\x54\x10\xD8\xB2\x81\xD4\xC0\x75\x3D\x4B\x7F\xC7\x77\xC3\x3E\x78\xAB\x1A\x03\xB5\x20\x6B\x2F\x6A\x2B\xB1\xC5\x88\x7E\xC4\xBB\x1E\xB0\xC1\xD8\x45\x27\x6F\xAA\x37\x58\xF7\x87\x26\xD7\xD8\x2D\xF6\xA9\x17\xB7
\x1F\x72\x36\x4E\xA6\x17\x3F\x65\x98\x92\xDB\x2A\x6E\x5D\xA2\xFE\x88\xE0\x0B\xDE\x7F\xE5\x8D\x15\xE1\xEB\xCB\x3A\xD5\xE2\x12\xA2\x13\x2D\xD8\x8E\xAF\x5F\x12\x3D\xA0\x08\x05\x08\xB6\x5C\xA5\x65\x38\x04\x45\x99\x1E\xA3\x60\x60\x74\xC5\x41\xA5\x72\x62\x1B\x62\xC5\x1F\x6F\x5F\x1A\x42\xBE\x02\x51\x65\xA8\xAE\x23\x18\x6A\xFC\x78\x03\xA9\x4D\x7F\x80\xC3\xFA\xAB\x5A\xFC\xA1\x40\xA4\xCA\x19\x16\xFE\xB2\xC8\xEF\x5E\x73\x0D\xEE\x77\xBD\x9A\xF6\x79\x98\xBC\xB1\x07\x67\xA2\x15\x0D\xDD\xA0\x58\xC6\x44\x7B\x0A\x3E\x62\x28\x5F\xBA\x41\x07\x53\x58\xCF\x11\x7E\x38\x74\xC5\xF8\xFF\xB5\x69\x90\x8F\x84\x74\xEA\x97\x1B\xAF\x02\x01\x03\xA3\x81\xC0\x30\x81\xBD\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xD2\xC4\xB0\xD2\x91\xD4\x4C\x11\x71\xB3\x61\xCB\x3D\xA1\xFE\xDD\xA8\x6A\xD4\xE3\x30\x81\x8D\x06\x03\x55\x1D\x23\x04\x81\x85\x30\x81\x82\x80\x14\xD2\xC4\xB0\xD2\x91\xD4\x4C\x11\x71\xB3\x61\xCB\x3D\xA1\xFE\xDD\xA8\x6A\xD4\xE3\xA1\x67\xA4\x65\x30\x63\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x21\x30\x1F\x06\x03\x55\x04\x0A\x13\x18\x54\x68\x65\x20\x47\x6F\x20\x44\x61\x64\x64\x79\x20\x47\x72\x6F\x75\x70\x2C\x20\x49\x6E\x63\x2E\x31\x31\x30\x2F\x06\x03\x55\x04\x0B\x13\x28\x47\x6F\x20\x44\x61\x64\x64\x79\x20\x43\x6C\x61\x73\x73\x20\x32\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x82\x01\x00\x30\x0C\x06\x03\x55\x1D\x13\x04\x05\x30\x03\x01\x01\xFF\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x32\x4B\xF3\xB2\xCA\x3E\x91\xFC\x12\xC6\xA1\x07\x8C\x8E\x77\xA0\x33\x06\x14\x5C\x90\x1E\x18\xF7\x08\xA6\x3D\x0A\x19\xF9\x87\x80\x11\x6E\x69\xE4\x96\x17\x30\xFF\x34\x91\x63\x72\x38\xEE\xCC\x1C\x01\xA3\x1D\x94\x28\xA4\x31\xF6\x7A\xC4\x54\xD7\xF6\xE5\x31\x58\x03\xA2\xCC\xCE\x62\xDB\x94\x45\x73\xB5\xBF\x45\xC9\x24\xB5\xD5\x82\x02\xAD\x23\x79\x69\x8D\xB8\xB6\x4D\xCE\xCF\x4C\xCA\x33\x23\xE8\x1C\x88\xAA\x9D\x8B\x41\x6E\x16\xC9\x20\xE5\x89\x9E\xCD\x3B\xDA\x70\xF7\x7E\x99\x26\x20\x14\x54\x25\xAB\x6E\x73\x85\xE6\x9B\x21\x9D
\x0A\x6C\x82\x0E\xA8\xF8\xC2\x0C\xFA\x10\x1E\x6C\x96\xEF\x87\x0D\xC4\x0F\x61\x8B\xAD\xEE\x83\x2B\x95\xF8\x8E\x92\x84\x72\x39\xEB\x20\xEA\x83\xED\x83\xCD\x97\x6E\x08\xBC\xEB\x4E\x26\xB6\x73\x2B\xE4\xD3\xF6\x4C\xFE\x26\x71\xE2\x61\x11\x74\x4A\xFF\x57\x1A\x87\x0F\x75\x48\x2E\xCF\x51\x69\x17\xA0\x02\x12\x61\x95\xD5\xD1\x40\xB2\x10\x4C\xEE\xC4\xAC\x10\x43\xA6\xA5\x9E\x0A\xD5\x95\x62\x9A\x0D\xCF\x88\x82\xC5\x32\x0C\xE4\x2B\x9F\x45\xE6\x0D\x9F\x28\x9C\xB1\xB9\x2A\x5A\x57\xAD\x37\x0F\xAF\x1D\x7F\xDB\xBD\x9F", ["OU=Starfield Class 2 Certification Authority,O=Starfield Technologies\, Inc.,C=US"] = "\x30\x82\x04\x0F\x30\x82\x02\xF7\xA0\x03\x02\x01\x02\x02\x01\x00\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x68\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x25\x30\x23\x06\x03\x55\x04\x0A\x13\x1C\x53\x74\x61\x72\x66\x69\x65\x6C\x64\x20\x54\x65\x63\x68\x6E\x6F\x6C\x6F\x67\x69\x65\x73\x2C\x20\x49\x6E\x63\x2E\x31\x32\x30\x30\x06\x03\x55\x04\x0B\x13\x29\x53\x74\x61\x72\x66\x69\x65\x6C\x64\x20\x43\x6C\x61\x73\x73\x20\x32\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x1E\x17\x0D\x30\x34\x30\x36\x32\x39\x31\x37\x33\x39\x31\x36\x5A\x17\x0D\x33\x34\x30\x36\x32\x39\x31\x37\x33\x39\x31\x36\x5A\x30\x68\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x25\x30\x23\x06\x03\x55\x04\x0A\x13\x1C\x53\x74\x61\x72\x66\x69\x65\x6C\x64\x20\x54\x65\x63\x68\x6E\x6F\x6C\x6F\x67\x69\x65\x73\x2C\x20\x49\x6E\x63\x2E\x31\x32\x30\x30\x06\x03\x55\x04\x0B\x13\x29\x53\x74\x61\x72\x66\x69\x65\x6C\x64\x20\x43\x6C\x61\x73\x73\x20\x32\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x82\x01\x20\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0D\x00\x30\x82\x01\x08\x02\x82\x01\x01\x00\xB7\x32\xC8\xFE\xE9\x71\xA6\x04\x85\xAD\x0C\x11\x64\xDF\xCE\x4D\xEF\xC8\x03\x18\x87\x3F\xA1\xAB\xFB\x3C\xA6\x9F\xF0\xC3\xA1\xDA\xD4\xD8\x6E\x2B\x53\x90\xFB\x24\xA4\x3E\x84
\xF0\x9E\xE8\x5F\xEC\xE5\x27\x44\xF5\x28\xA6\x3F\x7B\xDE\xE0\x2A\xF0\xC8\xAF\x53\x2F\x9E\xCA\x05\x01\x93\x1E\x8F\x66\x1C\x39\xA7\x4D\xFA\x5A\xB6\x73\x04\x25\x66\xEB\x77\x7F\xE7\x59\xC6\x4A\x99\x25\x14\x54\xEB\x26\xC7\xF3\x7F\x19\xD5\x30\x70\x8F\xAF\xB0\x46\x2A\xFF\xAD\xEB\x29\xED\xD7\x9F\xAA\x04\x87\xA3\xD4\xF9\x89\xA5\x34\x5F\xDB\x43\x91\x82\x36\xD9\x66\x3C\xB1\xB8\xB9\x82\xFD\x9C\x3A\x3E\x10\xC8\x3B\xEF\x06\x65\x66\x7A\x9B\x19\x18\x3D\xFF\x71\x51\x3C\x30\x2E\x5F\xBE\x3D\x77\x73\xB2\x5D\x06\x6C\xC3\x23\x56\x9A\x2B\x85\x26\x92\x1C\xA7\x02\xB3\xE4\x3F\x0D\xAF\x08\x79\x82\xB8\x36\x3D\xEA\x9C\xD3\x35\xB3\xBC\x69\xCA\xF5\xCC\x9D\xE8\xFD\x64\x8D\x17\x80\x33\x6E\x5E\x4A\x5D\x99\xC9\x1E\x87\xB4\x9D\x1A\xC0\xD5\x6E\x13\x35\x23\x5E\xDF\x9B\x5F\x3D\xEF\xD6\xF7\x76\xC2\xEA\x3E\xBB\x78\x0D\x1C\x42\x67\x6B\x04\xD8\xF8\xD6\xDA\x6F\x8B\xF2\x44\xA0\x01\xAB\x02\x01\x03\xA3\x81\xC5\x30\x81\xC2\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xBF\x5F\xB7\xD1\xCE\xDD\x1F\x86\xF4\x5B\x55\xAC\xDC\xD7\x10\xC2\x0E\xA9\x88\xE7\x30\x81\x92\x06\x03\x55\x1D\x23\x04\x81\x8A\x30\x81\x87\x80\x14\xBF\x5F\xB7\xD1\xCE\xDD\x1F\x86\xF4\x5B\x55\xAC\xDC\xD7\x10\xC2\x0E\xA9\x88\xE7\xA1\x6C\xA4\x6A\x30\x68\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x25\x30\x23\x06\x03\x55\x04\x0A\x13\x1C\x53\x74\x61\x72\x66\x69\x65\x6C\x64\x20\x54\x65\x63\x68\x6E\x6F\x6C\x6F\x67\x69\x65\x73\x2C\x20\x49\x6E\x63\x2E\x31\x32\x30\x30\x06\x03\x55\x04\x0B\x13\x29\x53\x74\x61\x72\x66\x69\x65\x6C\x64\x20\x43\x6C\x61\x73\x73\x20\x32\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x82\x01\x00\x30\x0C\x06\x03\x55\x1D\x13\x04\x05\x30\x03\x01\x01\xFF\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x05\x9D\x3F\x88\x9D\xD1\xC9\x1A\x55\xA1\xAC\x69\xF3\xF3\x59\xDA\x9B\x01\x87\x1A\x4F\x57\xA9\xA1\x79\x09\x2A\xDB\xF7\x2F\xB2\x1E\xCC\xC7\x5E\x6A\xD8\x83\x87\xA1\x97\xEF\x49\x35\x3E\x77\x06\x41\x58\x62\xBF\x8E\x58\xB8\x0A\x67\x3F\xEC\xB3\xDD\x21\x66\x1F\xC9
\x54\xFA\x72\xCC\x3D\x4C\x40\xD8\x81\xAF\x77\x9E\x83\x7A\xBB\xA2\xC7\xF5\x34\x17\x8E\xD9\x11\x40\xF4\xFC\x2C\x2A\x4D\x15\x7F\xA7\x62\x5D\x2E\x25\xD3\x00\x0B\x20\x1A\x1D\x68\xF9\x17\xB8\xF4\xBD\x8B\xED\x28\x59\xDD\x4D\x16\x8B\x17\x83\xC8\xB2\x65\xC7\x2D\x7A\xA5\xAA\xBC\x53\x86\x6D\xDD\x57\xA4\xCA\xF8\x20\x41\x0B\x68\xF0\xF4\xFB\x74\xBE\x56\x5D\x7A\x79\xF5\xF9\x1D\x85\xE3\x2D\x95\xBE\xF5\x71\x90\x43\xCC\x8D\x1F\x9A\x00\x0A\x87\x29\xE9\x55\x22\x58\x00\x23\xEA\xE3\x12\x43\x29\x5B\x47\x08\xDD\x8C\x41\x6A\x65\x06\xA8\xE5\x21\xAA\x41\xB4\x95\x21\x95\xB9\x7D\xD1\x34\xAB\x13\xD6\xAD\xBC\xDC\xE2\x3D\x39\xCD\xBD\x3E\x75\x70\xA1\x18\x59\x03\xC9\x22\xB4\x8F\x9C\xD5\x5E\x2A\xD7\xA5\xB6\xD4\x0A\x6D\xF8\xB7\x40\x11\x46\x9A\x1F\x79\x0E\x62\xBF\x0F\x97\xEC\xE0\x2F\x1F\x17\x94", - ["CN=StartCom Certification Authority,OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL"] = "\x30\x82\x07\xC9\x30\x82\x05\xB1\xA0\x03\x02\x01\x02\x02\x01\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x7D\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x49\x4C\x31\x16\x30\x14\x06\x03\x55\x04\x0A\x13\x0D\x53\x74\x61\x72\x74\x43\x6F\x6D\x20\x4C\x74\x64\x2E\x31\x2B\x30\x29\x06\x03\x55\x04\x0B\x13\x22\x53\x65\x63\x75\x72\x65\x20\x44\x69\x67\x69\x74\x61\x6C\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x20\x53\x69\x67\x6E\x69\x6E\x67\x31\x29\x30\x27\x06\x03\x55\x04\x03\x13\x20\x53\x74\x61\x72\x74\x43\x6F\x6D\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x1E\x17\x0D\x30\x36\x30\x39\x31\x37\x31\x39\x34\x36\x33\x36\x5A\x17\x0D\x33\x36\x30\x39\x31\x37\x31\x39\x34\x36\x33\x36\x5A\x30\x7D\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x49\x4C\x31\x16\x30\x14\x06\x03\x55\x04\x0A\x13\x0D\x53\x74\x61\x72\x74\x43\x6F\x6D\x20\x4C\x74\x64\x2E\x31\x2B\x30\x29\x06\x03\x55\x04\x0B\x13\x22\x53\x65\x63\x75\x72\x65\x20\x44\x69\x67\x69\x74\x61\x6C\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x20\x53\x69\x67\x6E\x69\x6E\x67\x31\x29\x30\x27\x06\x03\x55\
x04\x03\x13\x20\x53\x74\x61\x72\x74\x43\x6F\x6D\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\xC1\x88\xDB\x09\xBC\x6C\x46\x7C\x78\x9F\x95\x7B\xB5\x33\x90\xF2\x72\x62\xD6\xC1\x36\x20\x22\x24\x5E\xCE\xE9\x77\xF2\x43\x0A\xA2\x06\x64\xA4\xCC\x8E\x36\xF8\x38\xE6\x23\xF0\x6E\x6D\xB1\x3C\xDD\x72\xA3\x85\x1C\xA1\xD3\x3D\xB4\x33\x2B\xD3\x2F\xAF\xFE\xEA\xB0\x41\x59\x67\xB6\xC4\x06\x7D\x0A\x9E\x74\x85\xD6\x79\x4C\x80\x37\x7A\xDF\x39\x05\x52\x59\xF7\xF4\x1B\x46\x43\xA4\xD2\x85\x85\xD2\xC3\x71\xF3\x75\x62\x34\xBA\x2C\x8A\x7F\x1E\x8F\xEE\xED\x34\xD0\x11\xC7\x96\xCD\x52\x3D\xBA\x33\xD6\xDD\x4D\xDE\x0B\x3B\x4A\x4B\x9F\xC2\x26\x2F\xFA\xB5\x16\x1C\x72\x35\x77\xCA\x3C\x5D\xE6\xCA\xE1\x26\x8B\x1A\x36\x76\x5C\x01\xDB\x74\x14\x25\xFE\xED\xB5\xA0\x88\x0F\xDD\x78\xCA\x2D\x1F\x07\x97\x30\x01\x2D\x72\x79\xFA\x46\xD6\x13\x2A\xA8\xB9\xA6\xAB\x83\x49\x1D\xE5\xF2\xEF\xDD\xE4\x01\x8E\x18\x0A\x8F\x63\x53\x16\x85\x62\xA9\x0E\x19\x3A\xCC\xB5\x66\xA6\xC2\x6B\x74\x07\xE4\x2B\xE1\x76\x3E\xB4\x6D\xD8\xF6\x44\xE1\x73\x62\x1F\x3B\xC4\xBE\xA0\x53\x56\x25\x6C\x51\x09\xF7\xAA\xAB\xCA\xBF\x76\xFD\x6D\x9B\xF3\x9D\xDB\xBF\x3D\x66\xBC\x0C\x56\xAA\xAF\x98\x48\x95\x3A\x4B\xDF\xA7\x58\x50\xD9\x38\x75\xA9\x5B\xEA\x43\x0C\x02\xFF\x99\xEB\xE8\x6C\x4D\x70\x5B\x29\x65\x9C\xDD\xAA\x5D\xCC\xAF\x01\x31\xEC\x0C\xEB\xD2\x8D\xE8\xEA\x9C\x7B\xE6\x6E\xF7\x27\x66\x0C\x1A\x48\xD7\x6E\x42\xE3\x3F\xDE\x21\x3E\x7B\xE1\x0D\x70\xFB\x63\xAA\xA8\x6C\x1A\x54\xB4\x5C\x25\x7A\xC9\xA2\xC9\x8B\x16\xA6\xBB\x2C\x7E\x17\x5E\x05\x4D\x58\x6E\x12\x1D\x01\xEE\x12\x10\x0D\xC6\x32\x7F\x18\xFF\xFC\xF4\xFA\xCD\x6E\x91\xE8\x36\x49\xBE\x1A\x48\x69\x8B\xC2\x96\x4D\x1A\x12\xB2\x69\x17\xC1\x0A\x90\xD6\xFA\x79\x22\x48\xBF\xBA\x7B\x69\xF8\x70\xC7\xFA\x7A\x37\xD8\xD8\x0D\xD2\x76\x4F\x57\xFF\x90\xB7\xE3\x91\xD2\xDD\xEF\xC2\x60\xB7\x67\x3A\xDD\xFE\xAA\x9C\xF0\xD4\x8B\x7F\x72\x22\xCE\
xC6\x9F\x97\xB6\xF8\xAF\x8A\xA0\x10\xA8\xD9\xFB\x18\xC6\xB6\xB5\x5C\x52\x3C\x89\xB6\x19\x2A\x73\x01\x0A\x0F\x03\xB3\x12\x60\xF2\x7A\x2F\x81\xDB\xA3\x6E\xFF\x26\x30\x97\xF5\x8B\xDD\x89\x57\xB6\xAD\x3D\xB3\xAF\x2B\xC5\xB7\x76\x02\xF0\xA5\xD6\x2B\x9A\x86\x14\x2A\x72\xF6\xE3\x33\x8C\x5D\x09\x4B\x13\xDF\xBB\x8C\x74\x13\x52\x4B\x02\x03\x01\x00\x01\xA3\x82\x02\x52\x30\x82\x02\x4E\x30\x0C\x06\x03\x55\x1D\x13\x04\x05\x30\x03\x01\x01\xFF\x30\x0B\x06\x03\x55\x1D\x0F\x04\x04\x03\x02\x01\xAE\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x4E\x0B\xEF\x1A\xA4\x40\x5B\xA5\x17\x69\x87\x30\xCA\x34\x68\x43\xD0\x41\xAE\xF2\x30\x64\x06\x03\x55\x1D\x1F\x04\x5D\x30\x5B\x30\x2C\xA0\x2A\xA0\x28\x86\x26\x68\x74\x74\x70\x3A\x2F\x2F\x63\x65\x72\x74\x2E\x73\x74\x61\x72\x74\x63\x6F\x6D\x2E\x6F\x72\x67\x2F\x73\x66\x73\x63\x61\x2D\x63\x72\x6C\x2E\x63\x72\x6C\x30\x2B\xA0\x29\xA0\x27\x86\x25\x68\x74\x74\x70\x3A\x2F\x2F\x63\x72\x6C\x2E\x73\x74\x61\x72\x74\x63\x6F\x6D\x2E\x6F\x72\x67\x2F\x73\x66\x73\x63\x61\x2D\x63\x72\x6C\x2E\x63\x72\x6C\x30\x82\x01\x5D\x06\x03\x55\x1D\x20\x04\x82\x01\x54\x30\x82\x01\x50\x30\x82\x01\x4C\x06\x0B\x2B\x06\x01\x04\x01\x81\xB5\x37\x01\x01\x01\x30\x82\x01\x3B\x30\x2F\x06\x08\x2B\x06\x01\x05\x05\x07\x02\x01\x16\x23\x68\x74\x74\x70\x3A\x2F\x2F\x63\x65\x72\x74\x2E\x73\x74\x61\x72\x74\x63\x6F\x6D\x2E\x6F\x72\x67\x2F\x70\x6F\x6C\x69\x63\x79\x2E\x70\x64\x66\x30\x35\x06\x08\x2B\x06\x01\x05\x05\x07\x02\x01\x16\x29\x68\x74\x74\x70\x3A\x2F\x2F\x63\x65\x72\x74\x2E\x73\x74\x61\x72\x74\x63\x6F\x6D\x2E\x6F\x72\x67\x2F\x69\x6E\x74\x65\x72\x6D\x65\x64\x69\x61\x74\x65\x2E\x70\x64\x66\x30\x81\xD0\x06\x08\x2B\x06\x01\x05\x05\x07\x02\x02\x30\x81\xC3\x30\x27\x16\x20\x53\x74\x61\x72\x74\x20\x43\x6F\x6D\x6D\x65\x72\x63\x69\x61\x6C\x20\x28\x53\x74\x61\x72\x74\x43\x6F\x6D\x29\x20\x4C\x74\x64\x2E\x30\x03\x02\x01\x01\x1A\x81\x97\x4C\x69\x6D\x69\x74\x65\x64\x20\x4C\x69\x61\x62\x69\x6C\x69\x74\x79\x2C\x20\x72\x65\x61\x64\x20\x74\x68\x65\x20\x73\x65\x63\x74\x69\x6F\x6E\x20\x2A\x4C\x65\x67\x61\x6C\x20\x4C\
x69\x6D\x69\x74\x61\x74\x69\x6F\x6E\x73\x2A\x20\x6F\x66\x20\x74\x68\x65\x20\x53\x74\x61\x72\x74\x43\x6F\x6D\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x20\x50\x6F\x6C\x69\x63\x79\x20\x61\x76\x61\x69\x6C\x61\x62\x6C\x65\x20\x61\x74\x20\x68\x74\x74\x70\x3A\x2F\x2F\x63\x65\x72\x74\x2E\x73\x74\x61\x72\x74\x63\x6F\x6D\x2E\x6F\x72\x67\x2F\x70\x6F\x6C\x69\x63\x79\x2E\x70\x64\x66\x30\x11\x06\x09\x60\x86\x48\x01\x86\xF8\x42\x01\x01\x04\x04\x03\x02\x00\x07\x30\x38\x06\x09\x60\x86\x48\x01\x86\xF8\x42\x01\x0D\x04\x2B\x16\x29\x53\x74\x61\x72\x74\x43\x6F\x6D\x20\x46\x72\x65\x65\x20\x53\x53\x4C\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x02\x01\x00\x16\x6C\x99\xF4\x66\x0C\x34\xF5\xD0\x85\x5E\x7D\x0A\xEC\xDA\x10\x4E\x38\x1C\x5E\xDF\xA6\x25\x05\x4B\x91\x32\xC1\xE8\x3B\xF1\x3D\xDD\x44\x09\x5B\x07\x49\x8A\x29\xCB\x66\x02\xB7\xB1\x9A\xF7\x25\x98\x09\x3C\x8E\x1B\xE1\xDD\x36\x87\x2B\x4B\xBB\x68\xD3\x39\x66\x3D\xA0\x26\xC7\xF2\x39\x91\x1D\x51\xAB\x82\x7B\x7E\xD5\xCE\x5A\xE4\xE2\x03\x57\x70\x69\x97\x08\xF9\x5E\x58\xA6\x0A\xDF\x8C\x06\x9A\x45\x16\x16\x38\x0A\x5E\x57\xF6\x62\xC7\x7A\x02\x05\xE6\xBC\x1E\xB5\xF2\x9E\xF4\xA9\x29\x83\xF8\xB2\x14\xE3\x6E\x28\x87\x44\xC3\x90\x1A\xDE\x38\xA9\x3C\xAC\x43\x4D\x64\x45\xCE\xDD\x28\xA9\x5C\xF2\x73\x7B\x04\xF8\x17\xE8\xAB\xB1\xF3\x2E\x5C\x64\x6E\x73\x31\x3A\x12\xB8\xBC\xB3\x11\xE4\x7D\x8F\x81\x51\x9A\x3B\x8D\x89\xF4\x4D\x93\x66\x7B\x3C\x03\xED\xD3\x9A\x1D\x9A\xF3\x65\x50\xF5\xA0\xD0\x75\x9F\x2F\xAF\xF0\xEA\x82\x43\x98\xF8\x69\x9C\x89\x79\xC4\x43\x8E\x46\x72\xE3\x64\x36\x12\xAF\xF7\x25\x1E\x38\x89\x90\x77\x7E\xC3\x6B\x6A\xB9\xC3\xCB\x44\x4B\xAC\x78\x90\x8B\xE7\xC7\x2C\x1E\x4B\x11\x44\xC8\x34\x52\x27\xCD\x0A\x5D\x9F\x85\xC1\x89\xD5\x1A\x78\xF2\x95\x10\x53\x32\xDD\x80\x84\x66\x75\xD9\xB5\x68\x28\xFB\x61\x2E\xBE\x84\xA8\x38\xC0\x99\x12\x86\xA5\x1E\x67\x64\xAD\x06\x2E\x2F\xA9\x70\x85\xC7\
x96\x0F\x7C\x89\x65\xF5\x8E\x43\x54\x0E\xAB\xDD\xA5\x80\x39\x94\x60\xC0\x34\xC9\x96\x70\x2C\xA3\x12\xF5\x1F\x48\x7B\xBD\x1C\x7E\x6B\xB7\x9D\x90\xF4\x22\x3B\xAE\xF8\xFC\x2A\xCA\xFA\x82\x52\xA0\xEF\xAF\x4B\x55\x93\xEB\xC1\xB5\xF0\x22\x8B\xAC\x34\x4E\x26\x22\x04\xA1\x87\x2C\x75\x4A\xB7\xE5\x7D\x13\xD7\xB8\x0C\x64\xC0\x36\xD2\xC9\x2F\x86\x12\x8C\x23\x09\xC1\x1B\x82\x3B\x73\x49\xA3\x6A\x57\x87\x94\xE5\xD6\x78\xC5\x99\x43\x63\xE3\x4D\xE0\x77\x2D\xE1\x65\x99\x72\x69\x04\x1A\x47\x09\xE6\x0F\x01\x56\x24\xFB\x1F\xBF\x0E\x79\xA9\x58\x2E\xB9\xC4\x09\x01\x7E\x95\xBA\x6D\x00\x06\x3E\xB2\xEA\x4A\x10\x39\xD8\xD0\x2B\xF5\xBF\xEC\x75\xBF\x97\x02\xC5\x09\x1B\x08\xDC\x55\x37\xE2\x81\xFB\x37\x84\x43\x62\x20\xCA\xE7\x56\x4B\x65\xEA\xFE\x6C\xC1\x24\x93\x24\xA1\x34\xEB\x05\xFF\x9A\x22\xAE\x9B\x7D\x3F\xF1\x65\x51\x0A\xA6\x30\x6A\xB3\xF4\x88\x1C\x80\x0D\xFC\x72\x8A\xE8\x83\x5E", ["O=Government Root Certification Authority,C=TW"] = "\x30\x82\x05\x72\x30\x82\x03\x5A\xA0\x03\x02\x01\x02\x02\x10\x1F\x9D\x59\x5A\xD7\x2F\xC2\x06\x44\xA5\x80\x08\x69\xE3\x5E\xF6\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x3F\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x54\x57\x31\x30\x30\x2E\x06\x03\x55\x04\x0A\x0C\x27\x47\x6F\x76\x65\x72\x6E\x6D\x65\x6E\x74\x20\x52\x6F\x6F\x74\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x1E\x17\x0D\x30\x32\x31\x32\x30\x35\x31\x33\x32\x33\x33\x33\x5A\x17\x0D\x33\x32\x31\x32\x30\x35\x31\x33\x32\x33\x33\x33\x5A\x30\x3F\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x54\x57\x31\x30\x30\x2E\x06\x03\x55\x04\x0A\x0C\x27\x47\x6F\x76\x65\x72\x6E\x6D\x65\x6E\x74\x20\x52\x6F\x6F\x74\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\x9A\x25\xB8\xEC\xCC\xA2\x75\xA8\x7B\xF7\xCE\x5B\x59\x8A\xC9\xD1\x86\x12\x08\x54\xEC\x9C\xF2\xE7\x46\xF6\x88\xF3\x7C
\xE9\xA5\xDF\x4C\x47\x36\xA4\x1B\x01\x1C\x7F\x1E\x57\x8A\x8D\xC3\xC5\xD1\x21\xE3\xDA\x24\x3F\x48\x2B\xFB\x9F\x2E\xA1\x94\xE7\x2C\x1C\x93\xD1\xBF\x1B\x01\x87\x53\x99\xCE\xA7\xF5\x0A\x21\x76\x77\xFF\xA9\xB7\xC6\x73\x94\x4F\x46\xF7\x10\x49\x37\xFA\xA8\x59\x49\x5D\x6A\x81\x07\x56\xF2\x8A\xF9\x06\xD0\xF7\x70\x22\x4D\xB4\xB7\x41\xB9\x32\xB8\xB1\xF0\xB1\xC3\x9C\x3F\x70\xFD\x53\xDD\x81\xAA\xD8\x63\x78\xF6\xD8\x53\x6E\xA1\xAC\x6A\x84\x24\x72\x54\x86\xC6\xD2\xB2\xCA\x1C\x0E\x79\x81\xD6\xB5\x70\x62\x08\x01\x2E\x4E\x4F\x0E\xD5\x11\xAF\xA9\xAF\xE5\x9A\xBF\xDC\xCC\x87\x6D\x26\xE4\xC9\x57\xA2\xFB\x96\xF9\xCC\xE1\x3F\x53\x8C\x6C\x4C\x7E\x9B\x53\x08\x0B\x6C\x17\xFB\x67\xC8\xC2\xAD\xB1\xCD\x80\xB4\x97\xDC\x76\x01\x16\x15\xE9\x6A\xD7\xA4\xE1\x78\x47\xCE\x86\xD5\xFB\x31\xF3\xFA\x31\xBE\x34\xAA\x28\xFB\x70\x4C\x1D\x49\xC7\xAF\x2C\x9D\x6D\x66\xA6\xB6\x8D\x64\x7E\xB5\x20\x6A\x9D\x3B\x81\xB6\x8F\x40\x00\x67\x4B\x89\x86\xB8\xCC\x65\xFE\x15\x53\xE9\x04\xC1\xD6\x5F\x1D\x44\xD7\x0A\x2F\x27\x9A\x46\x7D\xA1\x0D\x75\xAD\x54\x86\x15\xDC\x49\x3B\xF1\x96\xCE\x0F\x9B\xA0\xEC\xA3\x7A\x5D\xBE\xD5\x2A\x75\x42\xE5\x7B\xDE\xA5\xB6\xAA\xAF\x28\xAC\xAC\x90\xAC\x38\xB7\xD5\x68\x35\x26\x7A\xDC\xF7\x3B\xF3\xFD\x45\x9B\xD1\xBB\x43\x78\x6E\x6F\xF1\x42\x54\x6A\x98\xF0\x0D\xAD\x97\xE9\x52\x5E\xE9\xD5\x6A\x72\xDE\x6A\xF7\x1B\x60\x14\xF4\xA5\xE4\xB6\x71\x67\xAA\x1F\xEA\xE2\x4D\xC1\x42\x40\xFE\x67\x46\x17\x38\x2F\x47\x3F\x71\x9C\xAE\xE5\x21\xCA\x61\x2D\x6D\x07\xA8\x84\x7C\x2D\xEE\x51\x25\xF1\x63\x90\x9E\xFD\xE1\x57\x88\x6B\xEF\x8A\x23\x6D\xB1\xE6\xBD\x3F\xAD\xD1\x3D\x96\x0B\x85\x8D\xCD\x6B\x27\xBB\xB7\x05\x9B\xEC\xBB\x91\xA9\x0A\x07\x12\x02\x97\x4E\x20\x90\xF0\xFF\x0D\x1E\xE2\x41\x3B\xD3\x40\x3A\xE7\x8D\x5D\xDA\x66\xE4\x02\xB0\x07\x52\x98\x5C\x0E\x8E\x33\x9C\xC2\xA6\x95\xFB\x55\x19\x6E\x4C\x8E\xAE\x4B\x0F\xBD\xC1\x38\x4D\x5E\x8F\x84\x1D\x66\xCD\xC5\x60\x96\xB4\x52\x5A\x05\x89\x8E\x95\x7A\x98\xC1\x91\x3C\x95\x23\xB2\x0E\xF4\x79\xB4\xC9\x7C\xC1\x4A\x21\x02\x03\x01\x00\x01\xA3\x6A\x30\x68\x30\x1D\x06\x03\x55\x1D\x0E\x04
\x16\x04\x14\xCC\xCC\xEF\xCC\x29\x60\xA4\x3B\xB1\x92\xB6\x3C\xFA\x32\x62\x8F\xAC\x25\x15\x3B\x30\x0C\x06\x03\x55\x1D\x13\x04\x05\x30\x03\x01\x01\xFF\x30\x39\x06\x04\x67\x2A\x07\x00\x04\x31\x30\x2F\x30\x2D\x02\x01\x00\x30\x09\x06\x05\x2B\x0E\x03\x02\x1A\x05\x00\x30\x07\x06\x05\x67\x2A\x03\x00\x00\x04\x14\x03\x9B\xF0\x22\x13\xFF\x95\x28\x36\xD3\xDC\x9E\xC0\x32\xFB\x31\x3A\x8A\x51\x65\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x02\x01\x00\x40\x80\x4A\xFA\x26\xC9\xCE\x5E\x30\xDD\x4F\x86\x74\x76\x58\xF5\xAE\xB3\x83\x33\x78\xA4\x7A\x74\x17\x19\x4E\xE9\x52\xB5\xB9\xE0\x0A\x74\x62\xAA\x68\xCA\x78\xA0\x4C\x9A\x8E\x2C\x23\x2E\xD5\x6A\x12\x24\xBF\xD4\x68\xD3\x8A\xD0\xD8\x9C\x9F\xB4\x1F\x0C\xDE\x38\x7E\x57\x38\xFC\x8D\xE2\x4F\x5E\x0C\x9F\xAB\x3B\xD2\xFF\x75\x97\xCB\xA4\xE3\x67\x08\xFF\xE5\xC0\x16\xB5\x48\x01\x7D\xE9\xF9\x0A\xFF\x1B\xE5\x6A\x69\xBF\x78\x21\xA8\xC2\xA7\x23\xA9\x86\xAB\x76\x56\xE8\x0E\x0C\xF6\x13\xDD\x2A\x66\x8A\x64\x49\x3D\x1A\x18\x87\x90\x04\x9F\x42\x52\xB7\x4F\xCB\xFE\x47\x41\x76\x35\xEF\xFF\x00\x76\x36\x45\x32\x9B\xC6\x46\x85\x5D\xE2\x24\xB0\x1E\xE3\x48\x96\x98\x57\x47\x94\x55\x7A\x0F\x41\xB1\x44\x24\xF3\xC1\xFE\x1A\x6B\xBF\x88\xFD\xC1\xA6\xDA\x93\x60\x5E\x81\x4A\x99\x20\x9C\x48\x66\x19\xB5\x00\x79\x54\x0F\xB8\x2C\x2F\x4B\xBC\xA9\x5D\x5B\x60\x7F\x8C\x87\xA5\xE0\x52\x63\x2A\xBE\xD8\x3B\x85\x40\x15\xFE\x1E\xB6\x65\x3F\xC5\x4B\xDA\x7E\xB5\x7A\x35\x29\xA3\x2E\x7A\x98\x60\x22\xA3\xF4\x7D\x27\x4E\x2D\xEA\xB4\x74\x3C\xE9\x0F\xA4\x33\x0F\x10\x11\xBC\x13\x01\xD6\xE5\x0E\xD3\xBF\xB5\x12\xA2\xE1\x45\x23\xC0\xCC\x08\x6E\x61\xB7\x89\xAB\x83\xE3\x24\x1E\xE6\x5D\x07\xE7\x1F\x20\x3E\xCF\x67\xC8\xE7\xAC\x30\x6D\x27\x4B\x68\x6E\x4B\x2A\x5C\x02\x08\x34\xDB\xF8\x76\xE4\x67\xA3\x26\x9C\x3F\xA2\x32\xC2\x4A\xC5\x81\x18\x31\x10\x56\xAA\x84\xEF\x2D\x0A\xFF\xB8\x1F\x77\xD2\xBF\xA5\x58\xA0\x62\xE4\xD7\x4B\x91\x75\x8D\x89\x80\x98\x7E\x6D\xCB\x53\x4E\x5E\xAF\xF6\xB2\x97\x85\x97\xB9\xDA\x55\x06\xB9\x24\xEE\xD7\xC6\x38\x1E\x63\x1B\x12\x3B\x95\xE1\x58\xAC\xF2\xDF\x84
\xD5\x5F\x99\x2F\x0D\x55\x5B\xE6\x38\xDB\x2E\x3F\x72\xE9\x48\x85\xCB\xBB\x29\x13\x8F\x1E\x38\x55\xB9\xF3\xB2\xC4\x30\x99\x23\x4E\x5D\xF2\x48\xA1\x12\x0C\xDC\x12\x90\x09\x90\x54\x91\x03\x3C\x47\xE5\xD5\xC9\x65\xE0\xB7\x4B\x7D\xEC\x47\xD3\xB3\x0B\x3E\xAD\x9E\xD0\x74\x00\x0E\xEB\xBD\x51\xAD\xC0\xDE\x2C\xC0\xC3\x6A\xFE\xEF\xDC\x0B\xA7\xFA\x46\xDF\x60\xDB\x9C\xA6\x59\x50\x75\x23\x69\x73\x93\xB2\xF9\xFC\x02\xD3\x47\xE6\x71\xCE\x10\x02\xEE\x27\x8C\x84\xFF\xAC\x45\x0D\x13\x5C\x83\x32\xE0\x25\xA5\x86\x2C\x7C\xF4\x12", - ["CN=Swisscom Root CA 1,OU=Digital Certificate Services,O=Swisscom,C=ch"] = "\x30\x82\x05\xD9\x30\x82\x03\xC1\xA0\x03\x02\x01\x02\x02\x10\x5C\x0B\x85\x5C\x0B\xE7\x59\x41\xDF\x57\xCC\x3F\x7F\x9D\xA8\x36\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x64\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x63\x68\x31\x11\x30\x0F\x06\x03\x55\x04\x0A\x13\x08\x53\x77\x69\x73\x73\x63\x6F\x6D\x31\x25\x30\x23\x06\x03\x55\x04\x0B\x13\x1C\x44\x69\x67\x69\x74\x61\x6C\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x20\x53\x65\x72\x76\x69\x63\x65\x73\x31\x1B\x30\x19\x06\x03\x55\x04\x03\x13\x12\x53\x77\x69\x73\x73\x63\x6F\x6D\x20\x52\x6F\x6F\x74\x20\x43\x41\x20\x31\x30\x1E\x17\x0D\x30\x35\x30\x38\x31\x38\x31\x32\x30\x36\x32\x30\x5A\x17\x0D\x32\x35\x30\x38\x31\x38\x32\x32\x30\x36\x32\x30\x5A\x30\x64\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x63\x68\x31\x11\x30\x0F\x06\x03\x55\x04\x0A\x13\x08\x53\x77\x69\x73\x73\x63\x6F\x6D\x31\x25\x30\x23\x06\x03\x55\x04\x0B\x13\x1C\x44\x69\x67\x69\x74\x61\x6C\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x20\x53\x65\x72\x76\x69\x63\x65\x73\x31\x1B\x30\x19\x06\x03\x55\x04\x03\x13\x12\x53\x77\x69\x73\x73\x63\x6F\x6D\x20\x52\x6F\x6F\x74\x20\x43\x41\x20\x31\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\xD0\xB9\xB0\xA8\x0C\xD9\xBB\x3F\x21\xF8\x1B\xD5\x33\x93\x80\x16\x65\x20\x75\xB2\x3D\x9B\x60\x6D\x46\xC8\x8C\x31\x6F\x17\xC3\xFA\x9A\x6C\x56\xED\x
3C\xC5\x91\x57\xC3\xCD\xAB\x96\x49\x90\x2A\x19\x4B\x1E\xA3\x6D\x57\xDD\xF1\x2B\x62\x28\x75\x45\x5E\xAA\xD6\x5B\xFA\x0B\x25\xD8\xA1\x16\xF9\x1C\xC4\x2E\xE6\x95\x2A\x67\xCC\xD0\x29\x6E\x3C\x85\x34\x38\x61\x49\xB1\x00\x9F\xD6\x3A\x71\x5F\x4D\x6D\xCE\x5F\xB9\xA9\xE4\x89\x7F\x6A\x52\xFA\xCA\x9B\xF2\xDC\xA9\xF9\x9D\x99\x47\x3F\x4E\x29\x5F\xB4\xA6\x8D\x5D\x7B\x0B\x99\x11\x03\x03\xFE\xE7\xDB\xDB\xA3\xFF\x1D\xA5\xCD\x90\x1E\x01\x1F\x35\xB0\x7F\x00\xDB\x90\x6F\xC6\x7E\x7B\xD1\xEE\x7A\x7A\xA7\xAA\x0C\x57\x6F\xA4\x6D\xC5\x13\x3B\xB0\xA5\xD9\xED\x32\x1C\xB4\x5E\x67\x8B\x54\xDC\x73\x87\xE5\xD3\x17\x7C\x66\x50\x72\x5D\xD4\x1A\x58\xC1\xD9\xCF\xD8\x89\x02\x6F\xA7\x49\xB4\x36\x5D\xD0\xA4\xDE\x07\x2C\xB6\x75\xB7\x28\x91\xD6\x97\xBE\x28\xF5\x98\x1E\xEA\x5B\x26\xC9\xBD\xB0\x97\x73\xDA\xAE\x91\x26\xEB\x68\xC1\xF9\x39\x15\xD6\x67\x4B\x0A\x6D\x4F\xCB\xCF\xB0\xE4\x42\x71\x8C\x53\x79\xE7\xEE\xE1\xDB\x1D\xA0\x6E\x1D\x8C\x1A\x77\x35\x5C\x16\x1E\x2B\x53\x1F\x34\x8B\xD1\x6C\xFC\xF2\x67\x07\x7A\xF5\xAD\xED\xD6\x9A\xAB\xA1\xB1\x4B\xE1\xCC\x37\x5F\xFD\x7F\xCD\x4D\xAE\xB8\x1F\x9C\x43\xF9\x2A\x58\x55\x43\x45\xBC\x96\xCD\x70\x0E\xFC\xC9\xE3\x66\xBA\x4E\x8D\x3B\x81\xCB\x15\x64\x7B\xB9\x94\xE8\x5D\x33\x52\x85\x71\x2E\x4F\x8E\xA2\x06\x11\x51\xC9\xE3\xCB\xA1\x6E\x31\x08\x64\x0C\xC2\xD2\x3C\xF5\x36\xE8\xD7\xD0\x0E\x78\x23\x20\x91\xC9\x24\x2A\x65\x29\x5B\x22\xF7\x21\xCE\x83\x5E\xA4\xF3\xDE\x4B\xD3\x68\x8F\x46\x75\x5C\x83\x09\x6E\x29\x6B\xC4\x70\x8C\xF5\x9D\xD7\x20\x2F\xFF\x46\xD2\x2B\x38\xC2\x2F\x75\x1C\x3D\x7E\xDA\xA5\xEF\x1E\x60\x85\x69\x42\xD3\xCC\xF8\x63\xFE\x1E\x43\x39\x85\xA6\xB6\x63\x41\x10\xB3\x73\x1E\xBC\xD3\xFA\xCA\x7D\x16\x47\xE2\xA7\xD5\xD0\xA3\x8A\x0A\x08\x96\x62\x56\x6E\x34\xDB\xD9\x02\xB9\x30\x75\xE3\x04\xD2\xE7\x8F\xC2\xB0\x11\x40\x0A\xAC\xD5\x71\x02\x62\x8B\x31\xBE\xDD\xC6\x23\x58\x31\x42\x43\x2D\x74\xF9\xC6\x9E\xA6\x8A\x0F\xE9\xFE\xBF\x83\xE6\x43\x57\x24\xBA\xEF\x46\x34\xAA\xD7\x12\x01\x38\xED\x02\x03\x01\x00\x01\xA3\x81\x86\x30\x81\x83\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x
02\x01\x86\x30\x1D\x06\x03\x55\x1D\x21\x04\x16\x30\x14\x30\x12\x06\x07\x60\x85\x74\x01\x53\x00\x01\x06\x07\x60\x85\x74\x01\x53\x00\x01\x30\x12\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x08\x30\x06\x01\x01\xFF\x02\x01\x07\x30\x1F\x06\x03\x55\x1D\x23\x04\x18\x30\x16\x80\x14\x03\x25\x2F\xDE\x6F\x82\x01\x3A\x5C\x2C\xDC\x2B\xA1\x69\xB5\x67\xD4\x8C\xD3\xFD\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x03\x25\x2F\xDE\x6F\x82\x01\x3A\x5C\x2C\xDC\x2B\xA1\x69\xB5\x67\xD4\x8C\xD3\xFD\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x02\x01\x00\x35\x10\xCB\xEC\xA6\x04\x0D\x0D\x0F\xCD\xC0\xDB\xAB\xA8\xF2\x88\x97\x0C\xDF\x93\x2F\x4D\x7C\x40\x56\x31\x7A\xEB\xA4\x0F\x60\xCD\x7A\xF3\xBE\xC3\x27\x8E\x03\x3E\xA4\xDD\x12\xEF\x7E\x1E\x74\x06\x3C\x3F\x31\xF2\x1C\x7B\x91\x31\x21\xB4\xF0\xD0\x6C\x97\xD4\xE9\x97\xB2\x24\x56\x1E\x56\xC3\x35\xBD\x88\x05\x0F\x5B\x10\x1A\x64\xE1\xC7\x82\x30\xF9\x32\xAD\x9E\x50\x2C\xE7\x78\x05\xD0\x31\xB1\x5A\x98\x8A\x75\x4E\x90\x5C\x6A\x14\x2A\xE0\x52\x47\x82\x60\xE6\x1E\xDA\x81\xB1\xFB\x14\x0B\x5A\xF1\x9F\xD2\x95\xBA\x3E\xD0\x1B\xD6\x15\x1D\xA3\xBE\x86\xD5\xDB\x0F\xC0\x49\x64\xBB\x2E\x50\x19\x4B\xD2\x24\xF8\xDD\x1E\x07\x56\xD0\x38\xA0\x95\x70\x20\x76\x8C\xD7\xDD\x1E\xDE\x9F\x71\xC4\x23\xEF\x83\x13\x5C\xA3\x24\x15\x4D\x29\x40\x3C\x6A\xC4\xA9\xD8\xB7\xA6\x44\xA5\x0D\xF4\xE0\x9D\x77\x1E\x40\x70\x26\xFC\xDA\xD9\x36\xE4\x79\xE4\xB5\x3F\xBC\x9B\x65\xBE\xBB\x11\x96\xCF\xDB\xC6\x28\x39\x3A\x08\xCE\x47\x5B\x53\x5A\xC5\x99\xFE\x5D\xA9\xDD\xEF\x4C\xD4\xC6\xA5\xAD\x02\xE6\x8C\x07\x12\x1E\x6F\x03\xD1\x6F\xA0\xA3\xF3\x29\xBD\x12\xC7\x50\xA2\xB0\x7F\x88\xA9\x99\x77\x9A\xB1\xC0\xA5\x39\x2E\x5C\x7C\x69\xE2\x2C\xB0\xEA\x37\x6A\xA4\xE1\x5A\xE1\xF5\x50\xE5\x83\xEF\xA5\xBB\x2A\x88\xE7\x8C\xDB\xFD\x6D\x5E\x97\x19\xA8\x7E\x66\x75\x6B\x71\xEA\xBF\xB1\xC7\x6F\xA0\xF4\x8E\xA4\xEC\x34\x51\x5B\x8C\x26\x03\x70\xA1\x77\xD5\x01\x12\x57\x00\x35\xDB\x23\xDE\x0E\x8A\x28\x99\xFD\xB1\x10\x6F\x4B\xFF\x38\x2D\x60\x4E\x2C\x9C\xEB\x67\xB5\xAD\x49\xEE\x4B\x1F\xAC\xAF\xFB\x0D\x90\x5A\x66\x
60\x70\x5D\xAA\xCD\x78\xD4\x24\xEE\xC8\x41\xA0\x93\x01\x92\x9C\x6A\x9E\xFC\xB9\x24\xC5\xB3\x15\x82\x7E\xBE\xAE\x95\x2B\xEB\xB1\xC0\xDA\xE3\x01\x60\x0B\x5E\x69\xAC\x84\x56\x61\xBE\x71\x17\xFE\x1D\x13\x0F\xFE\xC6\x87\x45\xE9\xFE\x32\xA0\x1A\x0D\x13\xA4\x94\x55\x71\xA5\x16\x8B\xBA\xCA\x89\xB0\xB2\xC7\xFC\x8F\xD8\x54\xB5\x93\x62\x9D\xCE\xCF\x59\xFB\x3D\x18\xCE\x2A\xCB\x35\x15\x82\x5D\xFF\x54\x22\x5B\x71\x52\xFB\xB7\xC9\xFE\x60\x9B\x00\x41\x64\xF0\xAA\x2A\xEC\xB6\x42\x43\xCE\x89\x66\x81\xC8\x8B\x9F\x39\x54\x03\x25\xD3\x16\x35\x8E\x84\xD0\x5F\xFA\x30\x1A\xF5\x9A\x6C\xF4\x0E\x53\xF9\x3A\x5B\xD1\x1C", ["CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US"] = "\x30\x82\x03\xB7\x30\x82\x02\x9F\xA0\x03\x02\x01\x02\x02\x10\x0C\xE7\xE0\xE5\x17\xD8\x46\xFE\x8F\xE5\x60\xFC\x1B\xF0\x30\x39\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x65\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x15\x30\x13\x06\x03\x55\x04\x0A\x13\x0C\x44\x69\x67\x69\x43\x65\x72\x74\x20\x49\x6E\x63\x31\x19\x30\x17\x06\x03\x55\x04\x0B\x13\x10\x77\x77\x77\x2E\x64\x69\x67\x69\x63\x65\x72\x74\x2E\x63\x6F\x6D\x31\x24\x30\x22\x06\x03\x55\x04\x03\x13\x1B\x44\x69\x67\x69\x43\x65\x72\x74\x20\x41\x73\x73\x75\x72\x65\x64\x20\x49\x44\x20\x52\x6F\x6F\x74\x20\x43\x41\x30\x1E\x17\x0D\x30\x36\x31\x31\x31\x30\x30\x30\x30\x30\x30\x30\x5A\x17\x0D\x33\x31\x31\x31\x31\x30\x30\x30\x30\x30\x30\x30\x5A\x30\x65\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x15\x30\x13\x06\x03\x55\x04\x0A\x13\x0C\x44\x69\x67\x69\x43\x65\x72\x74\x20\x49\x6E\x63\x31\x19\x30\x17\x06\x03\x55\x04\x0B\x13\x10\x77\x77\x77\x2E\x64\x69\x67\x69\x63\x65\x72\x74\x2E\x63\x6F\x6D\x31\x24\x30\x22\x06\x03\x55\x04\x03\x13\x1B\x44\x69\x67\x69\x43\x65\x72\x74\x20\x41\x73\x73\x75\x72\x65\x64\x20\x49\x44\x20\x52\x6F\x6F\x74\x20\x43\x41\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xAD\x0E\x15\xCE\xE4\x43\x80\x5C\xB1\x87\xF3\xB7\x60\
xF9\x71\x12\xA5\xAE\xDC\x26\x94\x88\xAA\xF4\xCE\xF5\x20\x39\x28\x58\x60\x0C\xF8\x80\xDA\xA9\x15\x95\x32\x61\x3C\xB5\xB1\x28\x84\x8A\x8A\xDC\x9F\x0A\x0C\x83\x17\x7A\x8F\x90\xAC\x8A\xE7\x79\x53\x5C\x31\x84\x2A\xF6\x0F\x98\x32\x36\x76\xCC\xDE\xDD\x3C\xA8\xA2\xEF\x6A\xFB\x21\xF2\x52\x61\xDF\x9F\x20\xD7\x1F\xE2\xB1\xD9\xFE\x18\x64\xD2\x12\x5B\x5F\xF9\x58\x18\x35\xBC\x47\xCD\xA1\x36\xF9\x6B\x7F\xD4\xB0\x38\x3E\xC1\x1B\xC3\x8C\x33\xD9\xD8\x2F\x18\xFE\x28\x0F\xB3\xA7\x83\xD6\xC3\x6E\x44\xC0\x61\x35\x96\x16\xFE\x59\x9C\x8B\x76\x6D\xD7\xF1\xA2\x4B\x0D\x2B\xFF\x0B\x72\xDA\x9E\x60\xD0\x8E\x90\x35\xC6\x78\x55\x87\x20\xA1\xCF\xE5\x6D\x0A\xC8\x49\x7C\x31\x98\x33\x6C\x22\xE9\x87\xD0\x32\x5A\xA2\xBA\x13\x82\x11\xED\x39\x17\x9D\x99\x3A\x72\xA1\xE6\xFA\xA4\xD9\xD5\x17\x31\x75\xAE\x85\x7D\x22\xAE\x3F\x01\x46\x86\xF6\x28\x79\xC8\xB1\xDA\xE4\x57\x17\xC4\x7E\x1C\x0E\xB0\xB4\x92\xA6\x56\xB3\xBD\xB2\x97\xED\xAA\xA7\xF0\xB7\xC5\xA8\x3F\x95\x16\xD0\xFF\xA1\x96\xEB\x08\x5F\x18\x77\x4F\x02\x03\x01\x00\x01\xA3\x63\x30\x61\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x86\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x45\xEB\xA2\xAF\xF4\x92\xCB\x82\x31\x2D\x51\x8B\xA7\xA7\x21\x9D\xF3\x6D\xC8\x0F\x30\x1F\x06\x03\x55\x1D\x23\x04\x18\x30\x16\x80\x14\x45\xEB\xA2\xAF\xF4\x92\xCB\x82\x31\x2D\x51\x8B\xA7\xA7\x21\x9D\xF3\x6D\xC8\x0F\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\xA2\x0E\xBC\xDF\xE2\xED\xF0\xE3\x72\x73\x7A\x64\x94\xBF\xF7\x72\x66\xD8\x32\xE4\x42\x75\x62\xAE\x87\xEB\xF2\xD5\xD9\xDE\x56\xB3\x9F\xCC\xCE\x14\x28\xB9\x0D\x97\x60\x5C\x12\x4C\x58\xE4\xD3\x3D\x83\x49\x45\x58\x97\x35\x69\x1A\xA8\x47\xEA\x56\xC6\x79\xAB\x12\xD8\x67\x81\x84\xDF\x7F\x09\x3C\x94\xE6\xB8\x26\x2C\x20\xBD\x3D\xB3\x28\x89\xF7\x5F\xFF\x22\xE2\x97\x84\x1F\xE9\x65\xEF\x87\xE0\xDF\xC1\x67\x49\xB3\x5D\xEB\xB2\x09\x2A\xEB\x26\xED\x78\xBE\x7D\x3F\x2B\xF3\xB7\x26\x35\x6D\x5F\x89\x01\xB6\x49\x5B\x9F\x01\x05\x9B\xAB\x3D\
x25\xC1\xCC\xB6\x7F\xC2\xF1\x6F\x86\xC6\xFA\x64\x68\xEB\x81\x2D\x94\xEB\x42\xB7\xFA\x8C\x1E\xDD\x62\xF1\xBE\x50\x67\xB7\x6C\xBD\xF3\xF1\x1F\x6B\x0C\x36\x07\x16\x7F\x37\x7C\xA9\x5B\x6D\x7A\xF1\x12\x46\x60\x83\xD7\x27\x04\xBE\x4B\xCE\x97\xBE\xC3\x67\x2A\x68\x11\xDF\x80\xE7\x0C\x33\x66\xBF\x13\x0D\x14\x6E\xF3\x7F\x1F\x63\x10\x1E\xFA\x8D\x1B\x25\x6D\x6C\x8F\xA5\xB7\x61\x01\xB1\xD2\xA3\x26\xA1\x10\x71\x9D\xAD\xE2\xC3\xF9\xC3\x99\x51\xB7\x2B\x07\x08\xCE\x2E\xE6\x50\xB2\xA7\xFA\x0A\x45\x2F\xA2\xF0\xF2", ["CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US"] = "\x30\x82\x03\xAF\x30\x82\x02\x97\xA0\x03\x02\x01\x02\x02\x10\x08\x3B\xE0\x56\x90\x42\x46\xB1\xA1\x75\x6A\xC9\x59\x91\xC7\x4A\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x61\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x15\x30\x13\x06\x03\x55\x04\x0A\x13\x0C\x44\x69\x67\x69\x43\x65\x72\x74\x20\x49\x6E\x63\x31\x19\x30\x17\x06\x03\x55\x04\x0B\x13\x10\x77\x77\x77\x2E\x64\x69\x67\x69\x63\x65\x72\x74\x2E\x63\x6F\x6D\x31\x20\x30\x1E\x06\x03\x55\x04\x03\x13\x17\x44\x69\x67\x69\x43\x65\x72\x74\x20\x47\x6C\x6F\x62\x61\x6C\x20\x52\x6F\x6F\x74\x20\x43\x41\x30\x1E\x17\x0D\x30\x36\x31\x31\x31\x30\x30\x30\x30\x30\x30\x30\x5A\x17\x0D\x33\x31\x31\x31\x31\x30\x30\x30\x30\x30\x30\x30\x5A\x30\x61\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x15\x30\x13\x06\x03\x55\x04\x0A\x13\x0C\x44\x69\x67\x69\x43\x65\x72\x74\x20\x49\x6E\x63\x31\x19\x30\x17\x06\x03\x55\x04\x0B\x13\x10\x77\x77\x77\x2E\x64\x69\x67\x69\x63\x65\x72\x74\x2E\x63\x6F\x6D\x31\x20\x30\x1E\x06\x03\x55\x04\x03\x13\x17\x44\x69\x67\x69\x43\x65\x72\x74\x20\x47\x6C\x6F\x62\x61\x6C\x20\x52\x6F\x6F\x74\x20\x43\x41\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xE2\x3B\xE1\x11\x72\xDE\xA8\xA4\xD3\xA3\x57\xAA\x50\xA2\x8F\x0B\x77\x90\xC9\xA2\xA5\xEE\x12\xCE\x96\x5B\x01\x09\x20\xCC\x01\x93\xA7\x4E\x30\xB7\x53\xF7\x43\xC4\x69\x00\x57\x9D\xE2\x8D\x22
\xDD\x87\x06\x40\x00\x81\x09\xCE\xCE\x1B\x83\xBF\xDF\xCD\x3B\x71\x46\xE2\xD6\x66\xC7\x05\xB3\x76\x27\x16\x8F\x7B\x9E\x1E\x95\x7D\xEE\xB7\x48\xA3\x08\xDA\xD6\xAF\x7A\x0C\x39\x06\x65\x7F\x4A\x5D\x1F\xBC\x17\xF8\xAB\xBE\xEE\x28\xD7\x74\x7F\x7A\x78\x99\x59\x85\x68\x6E\x5C\x23\x32\x4B\xBF\x4E\xC0\xE8\x5A\x6D\xE3\x70\xBF\x77\x10\xBF\xFC\x01\xF6\x85\xD9\xA8\x44\x10\x58\x32\xA9\x75\x18\xD5\xD1\xA2\xBE\x47\xE2\x27\x6A\xF4\x9A\x33\xF8\x49\x08\x60\x8B\xD4\x5F\xB4\x3A\x84\xBF\xA1\xAA\x4A\x4C\x7D\x3E\xCF\x4F\x5F\x6C\x76\x5E\xA0\x4B\x37\x91\x9E\xDC\x22\xE6\x6D\xCE\x14\x1A\x8E\x6A\xCB\xFE\xCD\xB3\x14\x64\x17\xC7\x5B\x29\x9E\x32\xBF\xF2\xEE\xFA\xD3\x0B\x42\xD4\xAB\xB7\x41\x32\xDA\x0C\xD4\xEF\xF8\x81\xD5\xBB\x8D\x58\x3F\xB5\x1B\xE8\x49\x28\xA2\x70\xDA\x31\x04\xDD\xF7\xB2\x16\xF2\x4C\x0A\x4E\x07\xA8\xED\x4A\x3D\x5E\xB5\x7F\xA3\x90\xC3\xAF\x27\x02\x03\x01\x00\x01\xA3\x63\x30\x61\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x86\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x03\xDE\x50\x35\x56\xD1\x4C\xBB\x66\xF0\xA3\xE2\x1B\x1B\xC3\x97\xB2\x3D\xD1\x55\x30\x1F\x06\x03\x55\x1D\x23\x04\x18\x30\x16\x80\x14\x03\xDE\x50\x35\x56\xD1\x4C\xBB\x66\xF0\xA3\xE2\x1B\x1B\xC3\x97\xB2\x3D\xD1\x55\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\xCB\x9C\x37\xAA\x48\x13\x12\x0A\xFA\xDD\x44\x9C\x4F\x52\xB0\xF4\xDF\xAE\x04\xF5\x79\x79\x08\xA3\x24\x18\xFC\x4B\x2B\x84\xC0\x2D\xB9\xD5\xC7\xFE\xF4\xC1\x1F\x58\xCB\xB8\x6D\x9C\x7A\x74\xE7\x98\x29\xAB\x11\xB5\xE3\x70\xA0\xA1\xCD\x4C\x88\x99\x93\x8C\x91\x70\xE2\xAB\x0F\x1C\xBE\x93\xA9\xFF\x63\xD5\xE4\x07\x60\xD3\xA3\xBF\x9D\x5B\x09\xF1\xD5\x8E\xE3\x53\xF4\x8E\x63\xFA\x3F\xA7\xDB\xB4\x66\xDF\x62\x66\xD6\xD1\x6E\x41\x8D\xF2\x2D\xB5\xEA\x77\x4A\x9F\x9D\x58\xE2\x2B\x59\xC0\x40\x23\xED\x2D\x28\x82\x45\x3E\x79\x54\x92\x26\x98\xE0\x80\x48\xA8\x37\xEF\xF0\xD6\x79\x60\x16\xDE\xAC\xE8\x0E\xCD\x6E\xAC\x44\x17\x38\x2F\x49\xDA\xE1\x45\x3E\x2A\xB9\x36\x53\xCF\x3A\x50
\x06\xF7\x2E\xE8\xC4\x57\x49\x6C\x61\x21\x18\xD5\x04\xAD\x78\x3C\x2C\x3A\x80\x6B\xA7\xEB\xAF\x15\x14\xE9\xD8\x89\xC1\xB9\x38\x6C\xE2\x91\x6C\x8A\xFF\x64\xB9\x77\x25\x57\x30\xC0\x1B\x24\xA3\xE1\xDC\xE9\xDF\x47\x7C\xB5\xB4\x24\x08\x05\x30\xEC\x2D\xBD\x0B\xBF\x45\xBF\x50\xB9\xA9\xF3\xEB\x98\x01\x12\xAD\xC8\x88\xC6\x98\x34\x5F\x8D\x0A\x3C\xC6\xE9\xD5\x95\x95\x6D\xDE", ["CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US"] = "\x30\x82\x03\xC5\x30\x82\x02\xAD\xA0\x03\x02\x01\x02\x02\x10\x02\xAC\x5C\x26\x6A\x0B\x40\x9B\x8F\x0B\x79\xF2\xAE\x46\x25\x77\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x6C\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x15\x30\x13\x06\x03\x55\x04\x0A\x13\x0C\x44\x69\x67\x69\x43\x65\x72\x74\x20\x49\x6E\x63\x31\x19\x30\x17\x06\x03\x55\x04\x0B\x13\x10\x77\x77\x77\x2E\x64\x69\x67\x69\x63\x65\x72\x74\x2E\x63\x6F\x6D\x31\x2B\x30\x29\x06\x03\x55\x04\x03\x13\x22\x44\x69\x67\x69\x43\x65\x72\x74\x20\x48\x69\x67\x68\x20\x41\x73\x73\x75\x72\x61\x6E\x63\x65\x20\x45\x56\x20\x52\x6F\x6F\x74\x20\x43\x41\x30\x1E\x17\x0D\x30\x36\x31\x31\x31\x30\x30\x30\x30\x30\x30\x30\x5A\x17\x0D\x33\x31\x31\x31\x31\x30\x30\x30\x30\x30\x30\x30\x5A\x30\x6C\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x15\x30\x13\x06\x03\x55\x04\x0A\x13\x0C\x44\x69\x67\x69\x43\x65\x72\x74\x20\x49\x6E\x63\x31\x19\x30\x17\x06\x03\x55\x04\x0B\x13\x10\x77\x77\x77\x2E\x64\x69\x67\x69\x63\x65\x72\x74\x2E\x63\x6F\x6D\x31\x2B\x30\x29\x06\x03\x55\x04\x03\x13\x22\x44\x69\x67\x69\x43\x65\x72\x74\x20\x48\x69\x67\x68\x20\x41\x73\x73\x75\x72\x61\x6E\x63\x65\x20\x45\x56\x20\x52\x6F\x6F\x74\x20\x43\x41\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xC6\xCC\xE5\x73\xE6\xFB\xD4\xBB\xE5\x2D\x2D\x32\xA6\xDF\xE5\x81\x3F\xC9\xCD\x25\x49\xB6\x71\x2A\xC3\xD5\x94\x34\x67\xA2\x0A\x1C\xB0\x5F\x69\xA6\x40\xB1\xC4\xB7\xB2\x8F\xD0\x98\xA4\xA9\x41\x59\x3A\xD3\xDC\x94\xD6\x3C\xDB\x74
\x38\xA4\x4A\xCC\x4D\x25\x82\xF7\x4A\xA5\x53\x12\x38\xEE\xF3\x49\x6D\x71\x91\x7E\x63\xB6\xAB\xA6\x5F\xC3\xA4\x84\xF8\x4F\x62\x51\xBE\xF8\xC5\xEC\xDB\x38\x92\xE3\x06\xE5\x08\x91\x0C\xC4\x28\x41\x55\xFB\xCB\x5A\x89\x15\x7E\x71\xE8\x35\xBF\x4D\x72\x09\x3D\xBE\x3A\x38\x50\x5B\x77\x31\x1B\x8D\xB3\xC7\x24\x45\x9A\xA7\xAC\x6D\x00\x14\x5A\x04\xB7\xBA\x13\xEB\x51\x0A\x98\x41\x41\x22\x4E\x65\x61\x87\x81\x41\x50\xA6\x79\x5C\x89\xDE\x19\x4A\x57\xD5\x2E\xE6\x5D\x1C\x53\x2C\x7E\x98\xCD\x1A\x06\x16\xA4\x68\x73\xD0\x34\x04\x13\x5C\xA1\x71\xD3\x5A\x7C\x55\xDB\x5E\x64\xE1\x37\x87\x30\x56\x04\xE5\x11\xB4\x29\x80\x12\xF1\x79\x39\x88\xA2\x02\x11\x7C\x27\x66\xB7\x88\xB7\x78\xF2\xCA\x0A\xA8\x38\xAB\x0A\x64\xC2\xBF\x66\x5D\x95\x84\xC1\xA1\x25\x1E\x87\x5D\x1A\x50\x0B\x20\x12\xCC\x41\xBB\x6E\x0B\x51\x38\xB8\x4B\xCB\x02\x03\x01\x00\x01\xA3\x63\x30\x61\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x86\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xB1\x3E\xC3\x69\x03\xF8\xBF\x47\x01\xD4\x98\x26\x1A\x08\x02\xEF\x63\x64\x2B\xC3\x30\x1F\x06\x03\x55\x1D\x23\x04\x18\x30\x16\x80\x14\xB1\x3E\xC3\x69\x03\xF8\xBF\x47\x01\xD4\x98\x26\x1A\x08\x02\xEF\x63\x64\x2B\xC3\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x1C\x1A\x06\x97\xDC\xD7\x9C\x9F\x3C\x88\x66\x06\x08\x57\x21\xDB\x21\x47\xF8\x2A\x67\xAA\xBF\x18\x32\x76\x40\x10\x57\xC1\x8A\xF3\x7A\xD9\x11\x65\x8E\x35\xFA\x9E\xFC\x45\xB5\x9E\xD9\x4C\x31\x4B\xB8\x91\xE8\x43\x2C\x8E\xB3\x78\xCE\xDB\xE3\x53\x79\x71\xD6\xE5\x21\x94\x01\xDA\x55\x87\x9A\x24\x64\xF6\x8A\x66\xCC\xDE\x9C\x37\xCD\xA8\x34\xB1\x69\x9B\x23\xC8\x9E\x78\x22\x2B\x70\x43\xE3\x55\x47\x31\x61\x19\xEF\x58\xC5\x85\x2F\x4E\x30\xF6\xA0\x31\x16\x23\xC8\xE7\xE2\x65\x16\x33\xCB\xBF\x1A\x1B\xA0\x3D\xF8\xCA\x5E\x8B\x31\x8B\x60\x08\x89\x2D\x0C\x06\x5C\x52\xB7\xC4\xF9\x0A\x98\xD1\x15\x5F\x9F\x12\xBE\x7C\x36\x63\x38\xBD\x44\xA4\x7F\xE4\x26\x2B\x0A\xC4\x97\x69\x0D\xE9\x8C\xE2\xC0\x10\x57\xB8\xC8\x76
\x12\x91\x55\xF2\x48\x69\xD8\xBC\x2A\x02\x5B\x0F\x44\xD4\x20\x31\xDB\xF4\xBA\x70\x26\x5D\x90\x60\x9E\xBC\x4B\x17\x09\x2F\xB4\xCB\x1E\x43\x68\xC9\x07\x27\xC1\xD2\x5C\xF7\xEA\x21\xB9\x68\x12\x9C\x3C\x9C\xBF\x9E\xFC\x80\x5C\x9B\x63\xCD\xEC\x47\xAA\x25\x27\x67\xA0\x37\xF3\x00\x82\x7D\x54\xD7\xA9\xF8\xE9\x2E\x13\xA3\x77\xE8\x1F\x4A", ["CN=Class 2 Primary CA,O=Certplus,C=FR"] = "\x30\x82\x03\x92\x30\x82\x02\x7A\xA0\x03\x02\x01\x02\x02\x11\x00\x85\xBD\x4B\xF3\xD8\xDA\xE3\x69\xF6\x94\xD7\x5F\xC3\xA5\x44\x23\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x3D\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x46\x52\x31\x11\x30\x0F\x06\x03\x55\x04\x0A\x13\x08\x43\x65\x72\x74\x70\x6C\x75\x73\x31\x1B\x30\x19\x06\x03\x55\x04\x03\x13\x12\x43\x6C\x61\x73\x73\x20\x32\x20\x50\x72\x69\x6D\x61\x72\x79\x20\x43\x41\x30\x1E\x17\x0D\x39\x39\x30\x37\x30\x37\x31\x37\x30\x35\x30\x30\x5A\x17\x0D\x31\x39\x30\x37\x30\x36\x32\x33\x35\x39\x35\x39\x5A\x30\x3D\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x46\x52\x31\x11\x30\x0F\x06\x03\x55\x04\x0A\x13\x08\x43\x65\x72\x74\x70\x6C\x75\x73\x31\x1B\x30\x19\x06\x03\x55\x04\x03\x13\x12\x43\x6C\x61\x73\x73\x20\x32\x20\x50\x72\x69\x6D\x61\x72\x79\x20\x43\x41\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xDC\x50\x96\xD0\x12\xF8\x35\xD2\x08\x78\x7A\xB6\x52\x70\xFD\x6F\xEE\xCF\xB9\x11\xCB\x5D\x77\xE1\xEC\xE9\x7E\x04\x8D\xD6\xCC\x6F\x73\x43\x57\x60\xAC\x33\x0A\x44\xEC\x03\x5F\x1C\x80\x24\x91\xE5\xA8\x91\x56\x12\x82\xF7\xE0\x2B\xF4\xDB\xAE\x61\x2E\x89\x10\x8D\x6B\x6C\xBA\xB3\x02\xBD\xD5\x36\xC5\x48\x37\x23\xE2\xF0\x5A\x37\x52\x33\x17\x12\xE2\xD1\x60\x4D\xBE\x2F\x41\x11\xE3\xF6\x17\x25\x0C\x8B\x91\xC0\x1B\x99\x7B\x99\x56\x0D\xAF\xEE\xD2\xBC\x47\x57\xE3\x79\x49\x7B\x34\x89\x27\x24\x84\xDE\xB1\xEC\xE9\x58\x4E\xFE\x4E\xDF\x5A\xBE\x41\xAD\xAC\x08\xC5\x18\x0E\xEF\xD2\x53\xEE\x6C\xD0\x9D\x12\x01\x13\x8D\xDC\x80\x62\xF7\x95\xA9\x44\x88\x4A\x71\x4E\x60\x55\x9E\xDB\x23\x19\x79
\x56\x07\x0C\x3F\x63\x0B\x5C\xB0\xE2\xBE\x7E\x15\xFC\x94\x33\x58\x41\x38\x74\xC4\xE1\x8F\x8B\xDF\x26\xAC\x1F\xB5\x8B\x3B\xB7\x43\x59\x6B\xB0\x24\xA6\x6D\x90\x8B\xC4\x72\xEA\x5D\x33\x98\xB7\xCB\xDE\x5E\x7B\xEF\x94\xF1\x1B\x3E\xCA\xC9\x21\xC1\xC5\x98\x02\xAA\xA2\xF6\x5B\x77\x9B\xF5\x7E\x96\x55\x34\x1C\x67\x69\xC0\xF1\x42\xE3\x47\xAC\xFC\x28\x1C\x66\x55\x02\x03\x01\x00\x01\xA3\x81\x8C\x30\x81\x89\x30\x0F\x06\x03\x55\x1D\x13\x04\x08\x30\x06\x01\x01\xFF\x02\x01\x0A\x30\x0B\x06\x03\x55\x1D\x0F\x04\x04\x03\x02\x01\x06\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xE3\x73\x2D\xDF\xCB\x0E\x28\x0C\xDE\xDD\xB3\xA4\xCA\x79\xB8\x8E\xBB\xE8\x30\x89\x30\x11\x06\x09\x60\x86\x48\x01\x86\xF8\x42\x01\x01\x04\x04\x03\x02\x01\x06\x30\x37\x06\x03\x55\x1D\x1F\x04\x30\x30\x2E\x30\x2C\xA0\x2A\xA0\x28\x86\x26\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x63\x65\x72\x74\x70\x6C\x75\x73\x2E\x63\x6F\x6D\x2F\x43\x52\x4C\x2F\x63\x6C\x61\x73\x73\x32\x2E\x63\x72\x6C\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\xA7\x54\xCF\x88\x44\x19\xCB\xDF\xD4\x7F\x00\xDF\x56\x33\x62\xB5\xF7\x51\x01\x90\xEB\xC3\x3F\xD1\x88\x44\xE9\x24\x5D\xEF\xE7\x14\xBD\x20\xB7\x9A\x3C\x00\xFE\x6D\x9F\xDB\x90\xDC\xD7\xF4\x62\xD6\x8B\x70\x5D\xE7\xE5\x04\x48\xA9\x68\x7C\xC9\xF1\x42\xF3\x6C\x7F\xC5\x7A\x7C\x1D\x51\x88\xBA\xD2\x0A\x3E\x27\x5D\xDE\x2D\x51\x4E\xD3\x13\x64\x69\xE4\x2E\xE3\xD3\xE7\x9B\x09\x99\xA6\xE0\x95\x9B\xCE\x1A\xD7\x7F\xBE\x3C\xCE\x52\xB3\x11\x15\xC1\x0F\x17\xCD\x03\xBB\x9C\x25\x15\xBA\xA2\x76\x89\xFC\x06\xF1\x18\xD0\x93\x4B\x0E\x7C\x82\xB7\xA5\xF4\xF6\x5F\xFE\xED\x40\xA6\x9D\x84\x74\x39\xB9\xDC\x1E\x85\x16\xDA\x29\x1B\x86\x23\x00\xC9\xBB\x89\x7E\x6E\x80\x88\x1E\x2F\x14\xB4\x03\x24\xA8\x32\x6F\x03\x9A\x47\x2C\x30\xBE\x56\xC6\xA7\x42\x02\x70\x1B\xEA\x40\xD8\xBA\x05\x03\x70\x07\xA4\x96\xFF\xFD\x48\x33\x0A\xE1\xDC\xA5\x81\x90\x9B\x4D\xDD\x7D\xE7\xE7\xB2\xCD\x5C\xC8\x6A\x95\xF8\xA5\xF6\x8D\xC4\x5D\x78\x08\xBE\x7B\x06\xD6\x49\xCF\x19\x36\x50\x23\x2E\x08\xE6\x9E\x05\x4D\x47\x18\xD5\x16\xE9
\xB1\xD6\xB6\x10\xD5\xBB\x97\xBF\xA2\x8E\xB4\x54", ["CN=DST Root CA X3,O=Digital Signature Trust Co."] = "\x30\x82\x03\x4A\x30\x82\x02\x32\xA0\x03\x02\x01\x02\x02\x10\x44\xAF\xB0\x80\xD6\xA3\x27\xBA\x89\x30\x39\x86\x2E\xF8\x40\x6B\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x3F\x31\x24\x30\x22\x06\x03\x55\x04\x0A\x13\x1B\x44\x69\x67\x69\x74\x61\x6C\x20\x53\x69\x67\x6E\x61\x74\x75\x72\x65\x20\x54\x72\x75\x73\x74\x20\x43\x6F\x2E\x31\x17\x30\x15\x06\x03\x55\x04\x03\x13\x0E\x44\x53\x54\x20\x52\x6F\x6F\x74\x20\x43\x41\x20\x58\x33\x30\x1E\x17\x0D\x30\x30\x30\x39\x33\x30\x32\x31\x31\x32\x31\x39\x5A\x17\x0D\x32\x31\x30\x39\x33\x30\x31\x34\x30\x31\x31\x35\x5A\x30\x3F\x31\x24\x30\x22\x06\x03\x55\x04\x0A\x13\x1B\x44\x69\x67\x69\x74\x61\x6C\x20\x53\x69\x67\x6E\x61\x74\x75\x72\x65\x20\x54\x72\x75\x73\x74\x20\x43\x6F\x2E\x31\x17\x30\x15\x06\x03\x55\x04\x03\x13\x0E\x44\x53\x54\x20\x52\x6F\x6F\x74\x20\x43\x41\x20\x58\x33\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xDF\xAF\xE9\x97\x50\x08\x83\x57\xB4\xCC\x62\x65\xF6\x90\x82\xEC\xC7\xD3\x2C\x6B\x30\xCA\x5B\xEC\xD9\xC3\x7D\xC7\x40\xC1\x18\x14\x8B\xE0\xE8\x33\x76\x49\x2A\xE3\x3F\x21\x49\x93\xAC\x4E\x0E\xAF\x3E\x48\xCB\x65\xEE\xFC\xD3\x21\x0F\x65\xD2\x2A\xD9\x32\x8F\x8C\xE5\xF7\x77\xB0\x12\x7B\xB5\x95\xC0\x89\xA3\xA9\xBA\xED\x73\x2E\x7A\x0C\x06\x32\x83\xA2\x7E\x8A\x14\x30\xCD\x11\xA0\xE1\x2A\x38\xB9\x79\x0A\x31\xFD\x50\xBD\x80\x65\xDF\xB7\x51\x63\x83\xC8\xE2\x88\x61\xEA\x4B\x61\x81\xEC\x52\x6B\xB9\xA2\xE2\x4B\x1A\x28\x9F\x48\xA3\x9E\x0C\xDA\x09\x8E\x3E\x17\x2E\x1E\xDD\x20\xDF\x5B\xC6\x2A\x8A\xAB\x2E\xBD\x70\xAD\xC5\x0B\x1A\x25\x90\x74\x72\xC5\x7B\x6A\xAB\x34\xD6\x30\x89\xFF\xE5\x68\x13\x7B\x54\x0B\xC8\xD6\xAE\xEC\x5A\x9C\x92\x1E\x3D\x64\xB3\x8C\xC6\xDF\xBF\xC9\x41\x70\xEC\x16\x72\xD5\x26\xEC\x38\x55\x39\x43\xD0\xFC\xFD\x18\x5C\x40\xF1\x97\xEB\xD5\x9A\x9B\x8D\x1D\xBA\xDA\x25\xB9\xC6\xD8\xDF\xC1\x15\x02\x3A\xAB\xDA\x6E\xF1\x3E\x2E\x
F5\x5C\x08\x9C\x3C\xD6\x83\x69\xE4\x10\x9B\x19\x2A\xB6\x29\x57\xE3\xE5\x3D\x9B\x9F\xF0\x02\x5D\x02\x03\x01\x00\x01\xA3\x42\x30\x40\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xC4\xA7\xB1\xA4\x7B\x2C\x71\xFA\xDB\xE1\x4B\x90\x75\xFF\xC4\x15\x60\x85\x89\x10\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\xA3\x1A\x2C\x9B\x17\x00\x5C\xA9\x1E\xEE\x28\x66\x37\x3A\xBF\x83\xC7\x3F\x4B\xC3\x09\xA0\x95\x20\x5D\xE3\xD9\x59\x44\xD2\x3E\x0D\x3E\xBD\x8A\x4B\xA0\x74\x1F\xCE\x10\x82\x9C\x74\x1A\x1D\x7E\x98\x1A\xDD\xCB\x13\x4B\xB3\x20\x44\xE4\x91\xE9\xCC\xFC\x7D\xA5\xDB\x6A\xE5\xFE\xE6\xFD\xE0\x4E\xDD\xB7\x00\x3A\xB5\x70\x49\xAF\xF2\xE5\xEB\x02\xF1\xD1\x02\x8B\x19\xCB\x94\x3A\x5E\x48\xC4\x18\x1E\x58\x19\x5F\x1E\x02\x5A\xF0\x0C\xF1\xB1\xAD\xA9\xDC\x59\x86\x8B\x6E\xE9\x91\xF5\x86\xCA\xFA\xB9\x66\x33\xAA\x59\x5B\xCE\xE2\xA7\x16\x73\x47\xCB\x2B\xCC\x99\xB0\x37\x48\xCF\xE3\x56\x4B\xF5\xCF\x0F\x0C\x72\x32\x87\xC6\xF0\x44\xBB\x53\x72\x6D\x43\xF5\x26\x48\x9A\x52\x67\xB7\x58\xAB\xFE\x67\x76\x71\x78\xDB\x0D\xA2\x56\x14\x13\x39\x24\x31\x85\xA2\xA8\x02\x5A\x30\x47\xE1\xDD\x50\x07\xBC\x02\x09\x90\x00\xEB\x64\x63\x60\x9B\x16\xBC\x88\xC9\x12\xE6\xD2\x7D\x91\x8B\xF9\x3D\x32\x8D\x65\xB4\xE9\x7C\xB1\x57\x76\xEA\xC5\xB6\x28\x39\xBF\x15\x65\x1C\xC8\xF6\x77\x96\x6A\x0A\x8D\x77\x0B\xD8\x91\x0B\x04\x8E\x07\xDB\x29\xB6\x0A\xEE\x9D\x82\x35\x35\x10", - ["CN=DST ACES CA X6,OU=DST ACES,O=Digital Signature Trust,C=US"] = 
"\x30\x82\x04\x09\x30\x82\x02\xF1\xA0\x03\x02\x01\x02\x02\x10\x0D\x5E\x99\x0A\xD6\x9D\xB7\x78\xEC\xD8\x07\x56\x3B\x86\x15\xD9\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x5B\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x20\x30\x1E\x06\x03\x55\x04\x0A\x13\x17\x44\x69\x67\x69\x74\x61\x6C\x20\x53\x69\x67\x6E\x61\x74\x75\x72\x65\x20\x54\x72\x75\x73\x74\x31\x11\x30\x0F\x06\x03\x55\x04\x0B\x13\x08\x44\x53\x54\x20\x41\x43\x45\x53\x31\x17\x30\x15\x06\x03\x55\x04\x03\x13\x0E\x44\x53\x54\x20\x41\x43\x45\x53\x20\x43\x41\x20\x58\x36\x30\x1E\x17\x0D\x30\x33\x31\x31\x32\x30\x32\x31\x31\x39\x35\x38\x5A\x17\x0D\x31\x37\x31\x31\x32\x30\x32\x31\x31\x39\x35\x38\x5A\x30\x5B\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x20\x30\x1E\x06\x03\x55\x04\x0A\x13\x17\x44\x69\x67\x69\x74\x61\x6C\x20\x53\x69\x67\x6E\x61\x74\x75\x72\x65\x20\x54\x72\x75\x73\x74\x31\x11\x30\x0F\x06\x03\x55\x04\x0B\x13\x08\x44\x53\x54\x20\x41\x43\x45\x53\x31\x17\x30\x15\x06\x03\x55\x04\x03\x13\x0E\x44\x53\x54\x20\x41\x43\x45\x53\x20\x43\x41\x20\x58\x36\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xB9\x3D\xF5\x2C\xC9\x94\xDC\x75\x8A\x95\x5D\x63\xE8\x84\x77\x76\x66\xB9\x59\x91\x5C\x46\xDD\x92\x3E\x9F\xF9\x0E\x03\xB4\x3D\x61\x92\xBD\x23\x26\xB5\x63\xEE\x92\xD2\x9E\xD6\x3C\xC8\x0D\x90\x5F\x64\x81\xB1\xA8\x08\x0D\x4C\xD8\xF9\xD3\x05\x28\x52\xB4\x01\x25\xC5\x95\x1C\x0C\x7E\x3E\x10\x84\x75\xCF\xC1\x19\x91\x63\xCF\xE8\xA8\x91\x88\xB9\x43\x52\xBB\x80\xB1\x55\x89\x8B\x31\xFA\xD0\xB7\x76\xBE\x41\x3D\x30\x9A\xA4\x22\x25\x17\x73\xE8\x1E\xE2\xD3\xAC\x2A\xBD\x5B\x38\x21\xD5\x2A\x4B\xD7\x55\x7D\xE3\x3A\x55\xBD\xD7\x6D\x6B\x02\x57\x6B\xE6\x47\x7C\x08\xC8\x82\xBA\xDE\xA7\x87\x3D\xA1\x6D\xB8\x30\x56\xC2\xB3\x02\x81\x5F\x2D\xF5\xE2\x9A\x30\x18\x28\xB8\x66\xD3\xCB\x01\x96\x6F\xEA\x8A\x45\x55\xD6\xE0\x9D\xFF\x67\x2B\x17\x02\xA6\x4E\x1A\x6A\x11\x0B\x7E\xB7\x7B\xE7\x98\xD6\x8C\x76\x6F\xC1\x3B\xDB\x50\x93\x7E\xE5\xD
0\x8E\x1F\x37\xB8\xBD\xBA\xC6\x9F\x6C\xE9\x7C\x33\xF2\x32\x3C\x26\x47\xFA\x27\x24\x02\xC9\x7E\x1D\x5B\x88\x42\x13\x6A\x35\x7C\x7D\x35\xE9\x2E\x66\x91\x72\x93\xD5\x32\x26\xC4\x74\xF5\x53\xA3\xB3\x5D\x9A\xF6\x09\xCB\x02\x03\x01\x00\x01\xA3\x81\xC8\x30\x81\xC5\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\xC6\x30\x1F\x06\x03\x55\x1D\x11\x04\x18\x30\x16\x81\x14\x70\x6B\x69\x2D\x6F\x70\x73\x40\x74\x72\x75\x73\x74\x64\x73\x74\x2E\x63\x6F\x6D\x30\x62\x06\x03\x55\x1D\x20\x04\x5B\x30\x59\x30\x57\x06\x0A\x60\x86\x48\x01\x65\x03\x02\x01\x01\x01\x30\x49\x30\x47\x06\x08\x2B\x06\x01\x05\x05\x07\x02\x01\x16\x3B\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x74\x72\x75\x73\x74\x64\x73\x74\x2E\x63\x6F\x6D\x2F\x63\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x73\x2F\x70\x6F\x6C\x69\x63\x79\x2F\x41\x43\x45\x53\x2D\x69\x6E\x64\x65\x78\x2E\x68\x74\x6D\x6C\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x09\x72\x06\x4E\x18\x43\x0F\xE5\xD6\xCC\xC3\x6A\x8B\x31\x7B\x78\x8F\xA8\x83\xB8\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\xA3\xD8\x8E\xD6\xB2\xDB\xCE\x05\xE7\x32\xCD\x01\xD3\x04\x03\xE5\x76\xE4\x56\x2B\x9C\x99\x90\xE8\x08\x30\x6C\xDF\x7D\x3D\xEE\xE5\xBF\xB5\x24\x40\x84\x49\xE1\xD1\x28\xAE\xC4\xC2\x3A\x53\x30\x88\xF1\xF5\x77\x6E\x51\xCA\xFA\xFF\x99\xAF\x24\x5F\x1B\xA0\xFD\xF2\xAC\x84\xCA\xDF\xA9\xF0\x5F\x04\x2E\xAD\x16\xBF\x21\x97\x10\x81\x3D\xE3\xFF\x87\x8D\x32\xDC\x94\xE5\x47\x8A\x5E\x6A\x13\xC9\x94\x95\x3D\xD2\xEE\xC8\x34\x95\xD0\x80\xD4\xAD\x32\x08\x80\x54\x3C\xE0\xBD\x52\x53\xD7\x52\x7C\xB2\x69\x3F\x7F\x7A\xCF\x6A\x74\xCA\xFA\x04\x2A\x9C\x4C\x5A\x06\xA5\xE9\x20\xAD\x45\x66\x0F\x69\xF1\xDD\xBF\xE9\xE3\x32\x8B\xFA\xE0\xC1\x86\x4D\x72\x3C\x2E\xD8\x93\x78\x0A\x2A\xF8\xD8\xD2\x27\x3D\x19\x89\x5F\x5A\x7B\x8A\x3B\xCC\x0C\xDA\x51\xAE\xC7\x0B\xF7\x2B\xB0\x37\x05\xEC\xBC\x57\x23\xE2\x38\xD2\x9B\x68\xF3\x56\x12\x88\x4F\x42\x7C\xB8\x31\xC4\xB5\xDB\xE4\xC8\x21\x34\xE9\x48\x11\x35\xEE\xFA\xC
7\x92\x57\xC5\x9F\x34\xE4\xC7\xF6\xF7\x0E\x0B\x4C\x9C\x68\x78\x7B\x71\x31\xC7\xEB\x1E\xE0\x67\x41\xF3\xB7\xA0\xA7\xCD\xE5\x7A\x33\x36\x6A\xFA\x9A\x2B", ["CN=SwissSign Gold CA - G2,O=SwissSign AG,C=CH"] = "\x30\x82\x05\xBA\x30\x82\x03\xA2\xA0\x03\x02\x01\x02\x02\x09\x00\xBB\x40\x1C\x43\xF5\x5E\x4F\xB0\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x45\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x43\x48\x31\x15\x30\x13\x06\x03\x55\x04\x0A\x13\x0C\x53\x77\x69\x73\x73\x53\x69\x67\x6E\x20\x41\x47\x31\x1F\x30\x1D\x06\x03\x55\x04\x03\x13\x16\x53\x77\x69\x73\x73\x53\x69\x67\x6E\x20\x47\x6F\x6C\x64\x20\x43\x41\x20\x2D\x20\x47\x32\x30\x1E\x17\x0D\x30\x36\x31\x30\x32\x35\x30\x38\x33\x30\x33\x35\x5A\x17\x0D\x33\x36\x31\x30\x32\x35\x30\x38\x33\x30\x33\x35\x5A\x30\x45\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x43\x48\x31\x15\x30\x13\x06\x03\x55\x04\x0A\x13\x0C\x53\x77\x69\x73\x73\x53\x69\x67\x6E\x20\x41\x47\x31\x1F\x30\x1D\x06\x03\x55\x04\x03\x13\x16\x53\x77\x69\x73\x73\x53\x69\x67\x6E\x20\x47\x6F\x6C\x64\x20\x43\x41\x20\x2D\x20\x47\x32\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\xAF\xE4\xEE\x7E\x8B\x24\x0E\x12\x6E\xA9\x50\x2D\x16\x44\x3B\x92\x92\x5C\xCA\xB8\x5D\x84\x92\x42\x13\x2A\xBC\x65\x57\x82\x40\x3E\x57\x24\xCD\x50\x8B\x25\x2A\xB7\x6F\xFC\xEF\xA2\xD0\xC0\x1F\x02\x24\x4A\x13\x96\x8F\x23\x13\xE6\x28\x58\x00\xA3\x47\xC7\x06\xA7\x84\x23\x2B\xBB\xBD\x96\x2B\x7F\x55\xCC\x8B\xC1\x57\x1F\x0E\x62\x65\x0F\xDD\x3D\x56\x8A\x73\xDA\xAE\x7E\x6D\xBA\x81\x1C\x7E\x42\x8C\x20\x35\xD9\x43\x4D\x84\xFA\x84\xDB\x52\x2C\xF3\x0E\x27\x77\x0B\x6B\xBF\x11\x2F\x72\x78\x9F\x2E\xD8\x3E\xE6\x18\x37\x5A\x2A\x72\xF9\xDA\x62\x90\x92\x95\xCA\x1F\x9C\xE9\xB3\x3C\x2B\xCB\xF3\x01\x13\xBF\x5A\xCF\xC1\xB5\x0A\x60\xBD\xDD\xB5\x99\x64\x53\xB8\xA0\x96\xB3\x6F\xE2\x26\x77\x91\x8C\xE0\x62\x10\x02\x9F\x34\x0F\xA4\xD5\x92\x33\x51\xDE\xBE\x8D\xBA\x84\x7A\x60\x3C\x6A\xDB\x9F\x2B\xEC\xDE\xDE\x01\x3F\x6E\x4D\xE5\x50\x8
6\xCB\xB4\xAF\xED\x44\x40\xC5\xCA\x5A\x8C\xDA\xD2\x2B\x7C\xA8\xEE\xBE\xA6\xE5\x0A\xAA\x0E\xA5\xDF\x05\x52\xB7\x55\xC7\x22\x5D\x32\x6A\x97\x97\x63\x13\xDB\xC9\xDB\x79\x36\x7B\x85\x3A\x4A\xC5\x52\x89\xF9\x24\xE7\x9D\x77\xA9\x82\xFF\x55\x1C\xA5\x71\x69\x2B\xD1\x02\x24\xF2\xB3\x26\xD4\x6B\xDA\x04\x55\xE5\xC1\x0A\xC7\x6D\x30\x37\x90\x2A\xE4\x9E\x14\x33\x5E\x16\x17\x55\xC5\x5B\xB5\xCB\x34\x89\x92\xF1\x9D\x26\x8F\xA1\x07\xD4\xC6\xB2\x78\x50\xDB\x0C\x0C\x0B\x7C\x0B\x8C\x41\xD7\xB9\xE9\xDD\x8C\x88\xF7\xA3\x4D\xB2\x32\xCC\xD8\x17\xDA\xCD\xB7\xCE\x66\x9D\xD4\xFD\x5E\xFF\xBD\x97\x3E\x29\x75\xE7\x7E\xA7\x62\x58\xAF\x25\x34\xA5\x41\xC7\x3D\xBC\x0D\x50\xCA\x03\x03\x0F\x08\x5A\x1F\x95\x73\x78\x62\xBF\xAF\x72\x14\x69\x0E\xA5\xE5\x03\x0E\x78\x8E\x26\x28\x42\xF0\x07\x0B\x62\x20\x10\x67\x39\x46\xFA\xA9\x03\xCC\x04\x38\x7A\x66\xEF\x20\x83\xB5\x8C\x4A\x56\x8E\x91\x00\xFC\x8E\x5C\x82\xDE\x88\xA0\xC3\xE2\x68\x6E\x7D\x8D\xEF\x3C\xDD\x65\xF4\x5D\xAC\x51\xEF\x24\x80\xAE\xAA\x56\x97\x6F\xF9\xAD\x7D\xDA\x61\x3F\x98\x77\x3C\xA5\x91\xB6\x1C\x8C\x26\xDA\x65\xA2\x09\x6D\xC1\xE2\x54\xE3\xB9\xCA\x4C\x4C\x80\x8F\x77\x7B\x60\x9A\x1E\xDF\xB6\xF2\x48\x1E\x0E\xBA\x4E\x54\x6D\x98\xE0\xE1\xA2\x1A\xA2\x77\x50\xCF\xC4\x63\x92\xEC\x47\x19\x9D\xEB\xE6\x6B\xCE\xC1\x02\x03\x01\x00\x01\xA3\x81\xAC\x30\x81\xA9\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x5B\x25\x7B\x96\xA4\x65\x51\x7E\xB8\x39\xF3\xC0\x78\x66\x5E\xE8\x3A\xE7\xF0\xEE\x30\x1F\x06\x03\x55\x1D\x23\x04\x18\x30\x16\x80\x14\x5B\x25\x7B\x96\xA4\x65\x51\x7E\xB8\x39\xF3\xC0\x78\x66\x5E\xE8\x3A\xE7\xF0\xEE\x30\x46\x06\x03\x55\x1D\x20\x04\x3F\x30\x3D\x30\x3B\x06\x09\x60\x85\x74\x01\x59\x01\x02\x01\x01\x30\x2E\x30\x2C\x06\x08\x2B\x06\x01\x05\x05\x07\x02\x01\x16\x20\x68\x74\x74\x70\x3A\x2F\x2F\x72\x65\x70\x6F\x73\x69\x74\x6F\x72\x79\x2E\x73\x77\x69\x73\x73\x73\x69\x67\x6E\x2E\x63\x6F\x6D\x2F\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x0
1\x01\x05\x05\x00\x03\x82\x02\x01\x00\x27\xBA\xE3\x94\x7C\xF1\xAE\xC0\xDE\x17\xE6\xE5\xD8\xD5\xF5\x54\xB0\x83\xF4\xBB\xCD\x5E\x05\x7B\x4F\x9F\x75\x66\xAF\x3C\xE8\x56\x7E\xFC\x72\x78\x38\x03\xD9\x2B\x62\x1B\x00\xB9\xF8\xE9\x60\xCD\xCC\xCE\x51\x8A\xC7\x50\x31\x6E\xE1\x4A\x7E\x18\x2F\x69\x59\xB6\x3D\x64\x81\x2B\xE3\x83\x84\xE6\x22\x87\x8E\x7D\xE0\xEE\x02\x99\x61\xB8\x1E\xF4\xB8\x2B\x88\x12\x16\x84\xC2\x31\x93\x38\x96\x31\xA6\xB9\x3B\x53\x3F\xC3\x24\x93\x56\x5B\x69\x92\xEC\xC5\xC1\xBB\x38\x00\xE3\xEC\x17\xA9\xB8\xDC\xC7\x7C\x01\x83\x9F\x32\x47\xBA\x52\x22\x34\x1D\x32\x7A\x09\x56\xA7\x7C\x25\x36\xA9\x3D\x4B\xDA\xC0\x82\x6F\x0A\xBB\x12\xC8\x87\x4B\x27\x11\xF9\x1E\x2D\xC7\x93\x3F\x9E\xDB\x5F\x26\x6B\x52\xD9\x2E\x8A\xF1\x14\xC6\x44\x8D\x15\xA9\xB7\xBF\xBD\xDE\xA6\x1A\xEE\xAE\x2D\xFB\x48\x77\x17\xFE\xBB\xEC\xAF\x18\xF5\x2A\x51\xF0\x39\x84\x97\x95\x6C\x6E\x1B\xC3\x2B\xC4\x74\x60\x79\x25\xB0\x0A\x27\xDF\xDF\x5E\xD2\x39\xCF\x45\x7D\x42\x4B\xDF\xB3\x2C\x1E\xC5\xC6\x5D\xCA\x55\x3A\xA0\x9C\x69\x9A\x8F\xDA\xEF\xB2\xB0\x3C\x9F\x87\x6C\x12\x2B\x65\x70\x15\x52\x31\x1A\x24\xCF\x6F\x31\x23\x50\x1F\x8C\x4F\x8F\x23\xC3\x74\x41\x63\x1C\x55\xA8\x14\xDD\x3E\xE0\x51\x50\xCF\xF1\x1B\x30\x56\x0E\x92\xB0\x82\x85\xD8\x83\xCB\x22\x64\xBC\x2D\xB8\x25\xD5\x54\xA2\xB8\x06\xEA\xAD\x92\xA4\x24\xA0\xC1\x86\xB5\x4A\x13\x6A\x47\xCF\x2E\x0B\x56\x95\x54\xCB\xCE\x9A\xDB\x6A\xB4\xA6\xB2\xDB\x41\x08\x86\x27\x77\xF7\x6A\xA0\x42\x6C\x0B\x38\xCE\xD7\x75\x50\x32\x92\xC2\xDF\x2B\x30\x22\x48\xD0\xD5\x41\x38\x25\x5D\xA4\xE9\x5D\x9F\xC6\x94\x75\xD0\x45\xFD\x30\x97\x43\x8F\x90\xAB\x0A\xC7\x86\x73\x60\x4A\x69\x2D\xDE\xA5\x78\xD7\x06\xDA\x6A\x9E\x4B\x3E\x77\x3A\x20\x13\x22\x01\xD0\xBF\x68\x9E\x63\x60\x6B\x35\x4D\x0B\x6D\xBA\xA1\x3D\xC0\x93\xE0\x7F\x23\xB3\x55\xAD\x72\x25\x4E\x46\xF9\xD2\x16\xEF\xB0\x64\xC1\x01\x9E\xE9\xCA\xA0\x6A\x98\x0E\xCF\xD8\x60\xF2\x2F\x49\xB8\xE4\x42\xE1\x38\x35\x16\xF4\xC8\x6E\x4F\xF7\x81\x56\xE8\xBA\xA3\xBE\x23\xAF\xAE\xFD\x6F\x03\xE0\x02\x3B\x30\x76\xFA\x1B\x6D\x41\xCF\x01\xB1\xE9\xB8\xC9\x66\xF
4\xDB\x26\xF3\x3A\xA4\x74\xF2\x49\x24\x5B\xC9\xB0\xD0\x57\xC1\xFA\x3E\x7A\xE1\x97\xC9", ["CN=SwissSign Silver CA - G2,O=SwissSign AG,C=CH"] = "\x30\x82\x05\xBD\x30\x82\x03\xA5\xA0\x03\x02\x01\x02\x02\x08\x4F\x1B\xD4\x2F\x54\xBB\x2F\x4B\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x47\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x43\x48\x31\x15\x30\x13\x06\x03\x55\x04\x0A\x13\x0C\x53\x77\x69\x73\x73\x53\x69\x67\x6E\x20\x41\x47\x31\x21\x30\x1F\x06\x03\x55\x04\x03\x13\x18\x53\x77\x69\x73\x73\x53\x69\x67\x6E\x20\x53\x69\x6C\x76\x65\x72\x20\x43\x41\x20\x2D\x20\x47\x32\x30\x1E\x17\x0D\x30\x36\x31\x30\x32\x35\x30\x38\x33\x32\x34\x36\x5A\x17\x0D\x33\x36\x31\x30\x32\x35\x30\x38\x33\x32\x34\x36\x5A\x30\x47\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x43\x48\x31\x15\x30\x13\x06\x03\x55\x04\x0A\x13\x0C\x53\x77\x69\x73\x73\x53\x69\x67\x6E\x20\x41\x47\x31\x21\x30\x1F\x06\x03\x55\x04\x03\x13\x18\x53\x77\x69\x73\x73\x53\x69\x67\x6E\x20\x53\x69\x6C\x76\x65\x72\x20\x43\x41\x20\x2D\x20\x47\x32\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\xC4\xF1\x87\x7F\xD3\x78\x31\xF7\x38\xC9\xF8\xC3\x99\x43\xBC\xC7\xF7\xBC\x37\xE7\x4E\x71\xBA\x4B\x8F\xA5\x73\x1D\x5C\x6E\x98\xAE\x03\x57\xAE\x38\x37\x43\x2F\x17\x3D\x1F\xC8\xCE\x68\x10\xC1\x78\xAE\x19\x03\x2B\x10\xFA\x2C\x79\x83\xF6\xE8\xB9\x68\xB9\x55\xF2\x04\x44\xA7\x39\xF9\xFC\x04\x8B\x1E\xF1\xA2\x4D\x27\xF9\x61\x7B\xBA\xB7\xE5\xA2\x13\xB6\xEB\x61\x3E\xD0\x6C\xD1\xE6\xFB\xFA\x5E\xED\x1D\xB4\x9E\xA0\x35\x5B\xA1\x92\xCB\xF0\x49\x92\xFE\x85\x0A\x05\x3E\xE6\xD9\x0B\xE2\x4F\xBB\xDC\x95\x37\xFC\x91\xE9\x32\x35\x22\xD1\x1F\x3A\x4E\x27\x85\x9D\xB0\x15\x94\x32\xDA\x61\x0D\x47\x4D\x60\x42\xAE\x92\x47\xE8\x83\x5A\x50\x58\xE9\x8A\x8B\xB9\x5D\xA1\xDC\xDD\x99\x4A\x1F\x36\x67\xBB\x48\xE4\x83\xB6\x37\xEB\x48\x3A\xAF\x0F\x67\x8F\x17\x07\xE8\x04\xCA\xEF\x6A\x31\x87\xD4\xC0\xB6\xF9\x94\x71\x7B\x67\x64\xB8\xB6\x91\x4A\x42\x7B\x65\x2E\x30\x6A\x0C\xF5\x90\xEE\x95\xE6\
xF2\xCD\x82\xEC\xD9\xA1\x4A\xEC\xF6\xB2\x4B\xE5\x45\x85\xE6\x6D\x78\x93\x04\x2E\x9C\x82\x6D\x36\xA9\xC4\x31\x64\x1F\x86\x83\x0B\x2A\xF4\x35\x0A\x78\xC9\x55\xCF\x41\xB0\x47\xE9\x30\x9F\x99\xBE\x61\xA8\x06\x84\xB9\x28\x7A\x5F\x38\xD9\x1B\xA9\x38\xB0\x83\x7F\x73\xC1\xC3\x3B\x48\x2A\x82\x0F\x21\x9B\xB8\xCC\xA8\x35\xC3\x84\x1B\x83\xB3\x3E\xBE\xA4\x95\x69\x01\x3A\x89\x00\x78\x04\xD9\xC9\xF4\x99\x19\xAB\x56\x7E\x5B\x8B\x86\x39\x15\x91\xA4\x10\x2C\x09\x32\x80\x60\xB3\x93\xC0\x2A\xB6\x18\x0B\x9D\x7E\x8D\x49\xF2\x10\x4A\x7F\xF9\xD5\x46\x2F\x19\x92\xA3\x99\xA7\x26\xAC\xBB\x8C\x3C\xE6\x0E\xBC\x47\x07\xDC\x73\x51\xF1\x70\x64\x2F\x08\xF9\xB4\x47\x1D\x30\x6C\x44\xEA\x29\x37\x85\x92\x68\x66\xBC\x83\x38\xFE\x7B\x39\x2E\xD3\x50\xF0\x1F\xFB\x5E\x60\xB6\xA9\xA6\xFA\x27\x41\xF1\x9B\x18\x72\xF2\xF5\x84\x74\x4A\xC9\x67\xC4\x54\xAE\x48\x64\xDF\x8C\xD1\x6E\xB0\x1D\xE1\x07\x8F\x08\x1E\x99\x9C\x71\xE9\x4C\xD8\xA5\xF7\x47\x12\x1F\x74\xD1\x51\x9E\x86\xF3\xC2\xA2\x23\x40\x0B\x73\xDB\x4B\xA6\xE7\x73\x06\x8C\xC1\xA0\xE9\xC1\x59\xAC\x46\xFA\xE6\x2F\xF8\xCF\x71\x9C\x46\x6D\xB9\xC4\x15\x8D\x38\x79\x03\x45\x48\xEF\xC4\x5D\xD7\x08\xEE\x87\x39\x22\x86\xB2\x0D\x0F\x58\x43\xF7\x71\xA9\x48\x2E\xFD\xEA\xD6\x1F\x02\x03\x01\x00\x01\xA3\x81\xAC\x30\x81\xA9\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x17\xA0\xCD\xC1\xE4\x41\xB6\x3A\x5B\x3B\xCB\x45\x9D\xBD\x1C\xC2\x98\xFA\x86\x58\x30\x1F\x06\x03\x55\x1D\x23\x04\x18\x30\x16\x80\x14\x17\xA0\xCD\xC1\xE4\x41\xB6\x3A\x5B\x3B\xCB\x45\x9D\xBD\x1C\xC2\x98\xFA\x86\x58\x30\x46\x06\x03\x55\x1D\x20\x04\x3F\x30\x3D\x30\x3B\x06\x09\x60\x85\x74\x01\x59\x01\x03\x01\x01\x30\x2E\x30\x2C\x06\x08\x2B\x06\x01\x05\x05\x07\x02\x01\x16\x20\x68\x74\x74\x70\x3A\x2F\x2F\x72\x65\x70\x6F\x73\x69\x74\x6F\x72\x79\x2E\x73\x77\x69\x73\x73\x73\x69\x67\x6E\x2E\x63\x6F\x6D\x2F\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x02\x01\x00\x73\xC6\x81\
xE0\x27\xD2\x2D\x0F\xE0\x95\x30\xE2\x9A\x41\x7F\x50\x2C\x5F\x5F\x62\x61\xA9\x86\x6A\x69\x18\x0C\x74\x49\xD6\x5D\x84\xEA\x41\x52\x18\x6F\x58\xAD\x50\x56\x20\x6A\xC6\xBD\x28\x69\x58\x91\xDC\x91\x11\x35\xA9\x3A\x1D\xBC\x1A\xA5\x60\x9E\xD8\x1F\x7F\x45\x91\x69\xD9\x7E\xBB\x78\x72\xC1\x06\x0F\x2A\xCE\x8F\x85\x70\x61\xAC\xA0\xCD\x0B\xB8\x39\x29\x56\x84\x32\x4E\x86\xBB\x3D\xC4\x2A\xD9\xD7\x1F\x72\xEE\xFE\x51\xA1\x22\x41\xB1\x71\x02\x63\x1A\x82\xB0\x62\xAB\x5E\x57\x12\x1F\xDF\xCB\xDD\x75\xA0\xC0\x5D\x79\x90\x8C\x1B\xE0\x50\xE6\xDE\x31\xFE\x98\x7B\x70\x5F\xA5\x90\xD8\xAD\xF8\x02\xB6\x6F\xD3\x60\xDD\x40\x4B\x22\xC5\x3D\xAD\x3A\x7A\x9F\x1A\x1A\x47\x91\x79\x33\xBA\x82\xDC\x32\x69\x03\x96\x6E\x1F\x4B\xF0\x71\xFE\xE3\x67\x72\xA0\xB1\xBF\x5C\x8B\xE4\xFA\x99\x22\xC7\x84\xB9\x1B\x8D\x23\x97\x3F\xED\x25\xE0\xCF\x65\xBB\xF5\x61\x04\xEF\xDD\x1E\xB2\x5A\x41\x22\x5A\xA1\x9F\x5D\x2C\xE8\x5B\xC9\x6D\xA9\x0C\x0C\x78\xAA\x60\xC6\x56\x8F\x01\x5A\x0C\x68\xBC\x69\x19\x79\xC4\x1F\x7E\x97\x05\xBF\xC5\xE9\x24\x51\x5E\xD4\xD5\x4B\x53\xED\xD9\x23\x5A\x36\x03\x65\xA3\xC1\x03\xAD\x41\x30\xF3\x46\x1B\x85\x90\xAF\x65\xB5\xD5\xB1\xE4\x16\x5B\x78\x75\x1D\x97\x7A\x6D\x59\xA9\x2A\x8F\x7B\xDE\xC3\x87\x89\x10\x99\x49\x73\x78\xC8\x3D\xBD\x51\x35\x74\x2A\xD5\xF1\x7E\x69\x1B\x2A\xBB\x3B\xBD\x25\xB8\x9A\x5A\x3D\x72\x61\x90\x66\x87\xEE\x0C\xD6\x4D\xD4\x11\x74\x0B\x6A\xFE\x0B\x03\xFC\xA3\x55\x57\x89\xFE\x4A\xCB\xAE\x5B\x17\x05\xC8\xF2\x8D\x23\x31\x53\x38\xD2\x2D\x6A\x3F\x82\xB9\x8D\x08\x6A\xF7\x5E\x41\x74\x6E\xC3\x11\x7E\x07\xAC\x29\x60\x91\x3F\x38\xCA\x57\x10\x0D\xBD\x30\x2F\xC7\xA5\xE6\x41\xA0\xDA\xAE\x05\x87\x9A\xA0\xA4\x65\x6C\x4C\x09\x0C\x89\xBA\xB8\xD3\xB9\xC0\x93\x8A\x30\xFA\x8D\xE5\x9A\x6B\x15\x01\x4E\x67\xAA\xDA\x62\x56\x3E\x84\x08\x66\xD2\xC4\x36\x7D\xA7\x3E\x10\xFC\x88\xE0\xD4\x80\xE5\x00\xBD\xAA\xF3\x4E\x06\xA3\x7A\x6A\xF9\x62\x72\xE3\x09\x4F\xEB\x9B\x0E\x01\x23\xF1\x9F\xBB\x7C\xDC\xDC\x6C\x11\x97\x25\xB2\xF2\xB4\x63\x14\xD2\x06\x2A\x67\x8C\x83\xF5\xCE\xEA\x07\xD8\x9A\x6A\x1E\xEC\xE4\x0A\xBB\x2A\x4C\xEB\
x09\x60\x39\xCE\xCA\x62\xD8\x2E\x6E", ["CN=GeoTrust Primary Certification Authority,O=GeoTrust Inc.,C=US"] = "\x30\x82\x03\x7C\x30\x82\x02\x64\xA0\x03\x02\x01\x02\x02\x10\x18\xAC\xB5\x6A\xFD\x69\xB6\x15\x3A\x63\x6C\xAF\xDA\xFA\xC4\xA1\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x58\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x16\x30\x14\x06\x03\x55\x04\x0A\x13\x0D\x47\x65\x6F\x54\x72\x75\x73\x74\x20\x49\x6E\x63\x2E\x31\x31\x30\x2F\x06\x03\x55\x04\x03\x13\x28\x47\x65\x6F\x54\x72\x75\x73\x74\x20\x50\x72\x69\x6D\x61\x72\x79\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x1E\x17\x0D\x30\x36\x31\x31\x32\x37\x30\x30\x30\x30\x30\x30\x5A\x17\x0D\x33\x36\x30\x37\x31\x36\x32\x33\x35\x39\x35\x39\x5A\x30\x58\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x16\x30\x14\x06\x03\x55\x04\x0A\x13\x0D\x47\x65\x6F\x54\x72\x75\x73\x74\x20\x49\x6E\x63\x2E\x31\x31\x30\x2F\x06\x03\x55\x04\x03\x13\x28\x47\x65\x6F\x54\x72\x75\x73\x74\x20\x50\x72\x69\x6D\x61\x72\x79\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xBE\xB8\x15\x7B\xFF\xD4\x7C\x7D\x67\xAD\x83\x64\x7B\xC8\x42\x53\x2D\xDF\xF6\x84\x08\x20\x61\xD6\x01\x59\x6A\x9C\x44\x11\xAF\xEF\x76\xFD\x95\x7E\xCE\x61\x30\xBB\x7A\x83\x5F\x02\xBD\x01\x66\xCA\xEE\x15\x8D\x6F\xA1\x30\x9C\xBD\xA1\x85\x9E\x94\x3A\xF3\x56\x88\x00\x31\xCF\xD8\xEE\x6A\x96\x02\xD9\xED\x03\x8C\xFB\x75\x6D\xE7\xEA\xB8\x55\x16\x05\x16\x9A\xF4\xE0\x5E\xB1\x88\xC0\x64\x85\x5C\x15\x4D\x88\xC7\xB7\xBA\xE0\x75\xE9\xAD\x05\x3D\x9D\xC7\x89\x48\xE0\xBB\x28\xC8\x03\xE1\x30\x93\x64\x5E\x52\xC0\x59\x70\x22\x35\x57\x88\x8A\xF1\x95\x0A\x83\xD7\xBC\x31\x73\x01\x34\xED\xEF\x46\x71\xE0\x6B\x02\xA8\x35\x72\x6B\x97\x9B\x66\xE0\xCB\x1C\x79\x5F\xD8\x1A\x04\x68\x1E\x47\x02\xE6\x9D\x60\xE2\x36\x97\x01\xDF\xCE\x35\x92\xDF\xBE\x67\x
C7\x6D\x77\x59\x3B\x8F\x9D\xD6\x90\x15\x94\xBC\x42\x34\x10\xC1\x39\xF9\xB1\x27\x3E\x7E\xD6\x8A\x75\xC5\xB2\xAF\x96\xD3\xA2\xDE\x9B\xE4\x98\xBE\x7D\xE1\xE9\x81\xAD\xB6\x6F\xFC\xD7\x0E\xDA\xE0\x34\xB0\x0D\x1A\x77\xE7\xE3\x08\x98\xEF\x58\xFA\x9C\x84\xB7\x36\xAF\xC2\xDF\xAC\xD2\xF4\x10\x06\x70\x71\x35\x02\x03\x01\x00\x01\xA3\x42\x30\x40\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x2C\xD5\x50\x41\x97\x15\x8B\xF0\x8F\x36\x61\x5B\x4A\xFB\x6B\xD9\x99\xC9\x33\x92\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x5A\x70\x7F\x2C\xDD\xB7\x34\x4F\xF5\x86\x51\xA9\x26\xBE\x4B\xB8\xAA\xF1\x71\x0D\xDC\x61\xC7\xA0\xEA\x34\x1E\x7A\x77\x0F\x04\x35\xE8\x27\x8F\x6C\x90\xBF\x91\x16\x24\x46\x3E\x4A\x4E\xCE\x2B\x16\xD5\x0B\x52\x1D\xFC\x1F\x67\xA2\x02\x45\x31\x4F\xCE\xF3\xFA\x03\xA7\x79\x9D\x53\x6A\xD9\xDA\x63\x3A\xF8\x80\xD7\xD3\x99\xE1\xA5\xE1\xBE\xD4\x55\x71\x98\x35\x3A\xBE\x93\xEA\xAE\xAD\x42\xB2\x90\x6F\xE0\xFC\x21\x4D\x35\x63\x33\x89\x49\xD6\x9B\x4E\xCA\xC7\xE7\x4E\x09\x00\xF7\xDA\xC7\xEF\x99\x62\x99\x77\xB6\x95\x22\x5E\x8A\xA0\xAB\xF4\xB8\x78\x98\xCA\x38\x19\x99\xC9\x72\x9E\x78\xCD\x4B\xAC\xAF\x19\xA0\x73\x12\x2D\xFC\xC2\x41\xBA\x81\x91\xDA\x16\x5A\x31\xB7\xF9\xB4\x71\x80\x12\x48\x99\x72\x73\x5A\x59\x53\xC1\x63\x52\x33\xED\xA7\xC9\xD2\x39\x02\x70\xFA\xE0\xB1\x42\x66\x29\xAA\x9B\x51\xED\x30\x54\x22\x14\x5F\xD9\xAB\x1D\xC1\xE4\x94\xF0\xF8\xF5\x2B\xF7\xEA\xCA\x78\x46\xD6\xB8\x91\xFD\xA6\x0D\x2B\x1A\x14\x01\x3E\x80\xF0\x42\xA0\x95\x07\x5E\x6D\xCD\xCC\x4B\xA4\x45\x8D\xAB\x12\xE8\xB3\xDE\x5A\xE5\xA0\x7C\xE8\x0F\x22\x1D\x5A\xE9\x59", 
@@ -60,22 +46,13 @@ redef root_certs += { ["CN=Secure Global CA,O=SecureTrust Corporation,C=US"] = "\x30\x82\x03\xBC\x30\x82\x02\xA4\xA0\x03\x02\x01\x02\x02\x10\x07\x56\x22\xA4\xE8\xD4\x8A\x89\x4D\xF4\x13\xC8\xF0\xF8\xEA\xA5\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x4A\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x20\x30\x1E\x06\x03\x55\x04\x0A\x13\x17\x53\x65\x63\x75\x72\x65\x54\x72\x75\x73\x74\x20\x43\x6F\x72\x70\x6F\x72\x61\x74\x69\x6F\x6E\x31\x19\x30\x17\x06\x03\x55\x04\x03\x13\x10\x53\x65\x63\x75\x72\x65\x20\x47\x6C\x6F\x62\x61\x6C\x20\x43\x41\x30\x1E\x17\x0D\x30\x36\x31\x31\x30\x37\x31\x39\x34\x32\x32\x38\x5A\x17\x0D\x32\x39\x31\x32\x33\x31\x31\x39\x35\x32\x30\x36\x5A\x30\x4A\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x20\x30\x1E\x06\x03\x55\x04\x0A\x13\x17\x53\x65\x63\x75\x72\x65\x54\x72\x75\x73\x74\x20\x43\x6F\x72\x70\x6F\x72\x61\x74\x69\x6F\x6E\x31\x19\x30\x17\x06\x03\x55\x04\x03\x13\x10\x53\x65\x63\x75\x72\x65\x20\x47\x6C\x6F\x62\x61\x6C\x20\x43\x41\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xAF\x35\x2E\xD8\xAC\x6C\x55\x69\x06\x71\xE5\x13\x68\x24\xB3\x4F\xD8\xCC\x21\x47\xF8\xF1\x60\x38\x89\x89\x03\xE9\xBD\xEA\x5E\x46\x53\x09\xDC\x5C\xF5\x5A\xE8\xF7\x45\x2A\x02\xEB\x31\x61\xD7\x29\x33\x4C\xCE\xC7\x7C\x0A\x37\x7E\x0F\xBA\x32\x98\xE1\x1D\x97\xAF\x8F\xC7\xDC\xC9\x38\x96\xF3\xDB\x1A\xFC\x51\xED\x68\xC6\xD0\x6E\xA4\x7C\x24\xD1\xAE\x42\xC8\x96\x50\x63\x2E\xE0\xFE\x75\xFE\x98\xA7\x5F\x49\x2E\x95\xE3\x39\x33\x64\x8E\x1E\xA4\x5F\x90\xD2\x67\x3C\xB2\xD9\xFE\x41\xB9\x55\xA7\x09\x8E\x72\x05\x1E\x8B\xDD\x44\x85\x82\x42\xD0\x49\xC0\x1D\x60\xF0\xD1\x17\x2C\x95\xEB\xF6\xA5\xC1\x92\xA3\xC5\xC2\xA7\x08\x60\x0D\x60\x04\x10\x96\x79\x9E\x16\x34\xE6\xA9\xB6\xFA\x25\x45\x39\xC8\x1E\x65\xF9\x93\xF5\xAA\xF1\x52\xDC\x99\x98\x3D\xA5\x86\x1A\x0C\x35\x33\xFA\x4B\xA5\x04\x06\x15\x1C\x31\x80\xEF\xAA\x18\x6B\xC2\x7B\xD7\xDA\xCE\xF9\x33\x20\xD5\xF5\xBD\x6A
\x33\x2D\x81\x04\xFB\xB0\x5C\xD4\x9C\xA3\xE2\x5C\x1D\xE3\xA9\x42\x75\x5E\x7B\xD4\x77\xEF\x39\x54\xBA\xC9\x0A\x18\x1B\x12\x99\x49\x2F\x88\x4B\xFD\x50\x62\xD1\x73\xE7\x8F\x7A\x43\x02\x03\x01\x00\x01\xA3\x81\x9D\x30\x81\x9A\x30\x13\x06\x09\x2B\x06\x01\x04\x01\x82\x37\x14\x02\x04\x06\x1E\x04\x00\x43\x00\x41\x30\x0B\x06\x03\x55\x1D\x0F\x04\x04\x03\x02\x01\x86\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xAF\x44\x04\xC2\x41\x7E\x48\x83\xDB\x4E\x39\x02\xEC\xEC\x84\x7A\xE6\xCE\xC9\xA4\x30\x34\x06\x03\x55\x1D\x1F\x04\x2D\x30\x2B\x30\x29\xA0\x27\xA0\x25\x86\x23\x68\x74\x74\x70\x3A\x2F\x2F\x63\x72\x6C\x2E\x73\x65\x63\x75\x72\x65\x74\x72\x75\x73\x74\x2E\x63\x6F\x6D\x2F\x53\x47\x43\x41\x2E\x63\x72\x6C\x30\x10\x06\x09\x2B\x06\x01\x04\x01\x82\x37\x15\x01\x04\x03\x02\x01\x00\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x63\x1A\x08\x40\x7D\xA4\x5E\x53\x0D\x77\xD8\x7A\xAE\x1F\x0D\x0B\x51\x16\x03\xEF\x18\x7C\xC8\xE3\xAF\x6A\x58\x93\x14\x60\x91\xB2\x84\xDC\x88\x4E\xBE\x39\x8A\x3A\xF3\xE6\x82\x89\x5D\x01\x37\xB3\xAB\x24\xA4\x15\x0E\x92\x35\x5A\x4A\x44\x5E\x4E\x57\xFA\x75\xCE\x1F\x48\xCE\x66\xF4\x3C\x40\x26\x92\x98\x6C\x1B\xEE\x24\x46\x0C\x17\xB3\x52\xA5\xDB\xA5\x91\x91\xCF\x37\xD3\x6F\xE7\x27\x08\x3A\x4E\x19\x1F\x3A\xA7\x58\x5C\x17\xCF\x79\x3F\x8B\xE4\xA7\xD3\x26\x23\x9D\x26\x0F\x58\x69\xFC\x47\x7E\xB2\xD0\x8D\x8B\x93\xBF\x29\x4F\x43\x69\x74\x76\x67\x4B\xCF\x07\x8C\xE6\x02\xF7\xB5\xE1\xB4\x43\xB5\x4B\x2D\x14\x9F\xF9\xDC\x26\x0D\xBF\xA6\x47\x74\x06\xD8\x88\xD1\x3A\x29\x30\x84\xCE\xD2\x39\x80\x62\x1B\xA8\xC7\x57\x49\xBC\x6A\x55\x51\x67\x15\x4A\xBE\x35\x07\xE4\xD5\x75\x98\x37\x79\x30\x14\xDB\x29\x9D\x6C\xC5\x69\xCC\x47\x55\xA2\x30\xF7\xCC\x5C\x7F\xC2\xC3\x98\x1C\x6B\x4E\x16\x80\xEB\x7A\x78\x65\x45\xA2\x00\x1A\xAF\x0C\x0D\x55\x64\x34\x48\xB8\x92\xB9\xF1\xB4\x50\x29\xF2\x4F\x23\x1F\xDA\x6C\xAC\x1F\x44\xE1\xDD\x23\x78\x51\x5B\xC7\x16", ["CN=COMODO Certification Authority,O=COMODO CA 
Limited,L=Salford,ST=Greater Manchester,C=GB"] = "\x30\x82\x04\x1D\x30\x82\x03\x05\xA0\x03\x02\x01\x02\x02\x10\x4E\x81\x2D\x8A\x82\x65\xE0\x0B\x02\xEE\x3E\x35\x02\x46\xE5\x3D\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x81\x81\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x47\x42\x31\x1B\x30\x19\x06\x03\x55\x04\x08\x13\x12\x47\x72\x65\x61\x74\x65\x72\x20\x4D\x61\x6E\x63\x68\x65\x73\x74\x65\x72\x31\x10\x30\x0E\x06\x03\x55\x04\x07\x13\x07\x53\x61\x6C\x66\x6F\x72\x64\x31\x1A\x30\x18\x06\x03\x55\x04\x0A\x13\x11\x43\x4F\x4D\x4F\x44\x4F\x20\x43\x41\x20\x4C\x69\x6D\x69\x74\x65\x64\x31\x27\x30\x25\x06\x03\x55\x04\x03\x13\x1E\x43\x4F\x4D\x4F\x44\x4F\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x1E\x17\x0D\x30\x36\x31\x32\x30\x31\x30\x30\x30\x30\x30\x30\x5A\x17\x0D\x32\x39\x31\x32\x33\x31\x32\x33\x35\x39\x35\x39\x5A\x30\x81\x81\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x47\x42\x31\x1B\x30\x19\x06\x03\x55\x04\x08\x13\x12\x47\x72\x65\x61\x74\x65\x72\x20\x4D\x61\x6E\x63\x68\x65\x73\x74\x65\x72\x31\x10\x30\x0E\x06\x03\x55\x04\x07\x13\x07\x53\x61\x6C\x66\x6F\x72\x64\x31\x1A\x30\x18\x06\x03\x55\x04\x0A\x13\x11\x43\x4F\x4D\x4F\x44\x4F\x20\x43\x41\x20\x4C\x69\x6D\x69\x74\x65\x64\x31\x27\x30\x25\x06\x03\x55\x04\x03\x13\x1E\x43\x4F\x4D\x4F\x44\x4F\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xD0\x40\x8B\x8B\x72\xE3\x91\x1B\xF7\x51\xC1\x1B\x54\x04\x98\xD3\xA9\xBF\xC1\xE6\x8A\x5D\x3B\x87\xFB\xBB\x88\xCE\x0D\xE3\x2F\x3F\x06\x96\xF0\xA2\x29\x50\x99\xAE\xDB\x3B\xA1\x57\xB0\x74\x51\x71\xCD\xED\x42\x91\x4D\x41\xFE\xA9\xC8\xD8\x6A\x86\x77\x44\xBB\x59\x66\x97\x50\x5E\xB4\xD4\x2C\x70\x44\xCF\xDA\x37\x95\x42\x69\x3C\x30\xC4\x71\xB3\x52\xF0\x21\x4D\xA1\xD8\xBA\x39\x7C\x1C\x9E\xA3\x24\x9D\xF2\x83\x16\x98\xAA\x16\x7C\x43\x9B\x15\x5B\xB7\xAE\x34\x
91\xFE\xD4\x62\x26\x18\x46\x9A\x3F\xEB\xC1\xF9\xF1\x90\x57\xEB\xAC\x7A\x0D\x8B\xDB\x72\x30\x6A\x66\xD5\xE0\x46\xA3\x70\xDC\x68\xD9\xFF\x04\x48\x89\x77\xDE\xB5\xE9\xFB\x67\x6D\x41\xE9\xBC\x39\xBD\x32\xD9\x62\x02\xF1\xB1\xA8\x3D\x6E\x37\x9C\xE2\x2F\xE2\xD3\xA2\x26\x8B\xC6\xB8\x55\x43\x88\xE1\x23\x3E\xA5\xD2\x24\x39\x6A\x47\xAB\x00\xD4\xA1\xB3\xA9\x25\xFE\x0D\x3F\xA7\x1D\xBA\xD3\x51\xC1\x0B\xA4\xDA\xAC\x38\xEF\x55\x50\x24\x05\x65\x46\x93\x34\x4F\x2D\x8D\xAD\xC6\xD4\x21\x19\xD2\x8E\xCA\x05\x61\x71\x07\x73\x47\xE5\x8A\x19\x12\xBD\x04\x4D\xCE\x4E\x9C\xA5\x48\xAC\xBB\x26\xF7\x02\x03\x01\x00\x01\xA3\x81\x8E\x30\x81\x8B\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x0B\x58\xE5\x8B\xC6\x4C\x15\x37\xA4\x40\xA9\x30\xA9\x21\xBE\x47\x36\x5A\x56\xFF\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x49\x06\x03\x55\x1D\x1F\x04\x42\x30\x40\x30\x3E\xA0\x3C\xA0\x3A\x86\x38\x68\x74\x74\x70\x3A\x2F\x2F\x63\x72\x6C\x2E\x63\x6F\x6D\x6F\x64\x6F\x63\x61\x2E\x63\x6F\x6D\x2F\x43\x4F\x4D\x4F\x44\x4F\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x2E\x63\x72\x6C\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x3E\x98\x9E\x9B\xF6\x1B\xE9\xD7\x39\xB7\x78\xAE\x1D\x72\x18\x49\xD3\x87\xE4\x43\x82\xEB\x3F\xC9\xAA\xF5\xA8\xB5\xEF\x55\x7C\x21\x52\x65\xF9\xD5\x0D\xE1\x6C\xF4\x3E\x8C\x93\x73\x91\x2E\x02\xC4\x4E\x07\x71\x6F\xC0\x8F\x38\x61\x08\xA8\x1E\x81\x0A\xC0\x2F\x20\x2F\x41\x8B\x91\xDC\x48\x45\xBC\xF1\xC6\xDE\xBA\x76\x6B\x33\xC8\x00\x2D\x31\x46\x4C\xED\xE7\x9D\xCF\x88\x94\xFF\x33\xC0\x56\xE8\x24\x86\x26\xB8\xD8\x38\x38\xDF\x2A\x6B\xDD\x12\xCC\xC7\x3F\x47\x17\x4C\xA2\xC2\x06\x96\x09\xD6\xDB\xFE\x3F\x3C\x46\x41\xDF\x58\xE2\x56\x0F\x3C\x3B\xC1\x1C\x93\x35\xD9\x38\x52\xAC\xEE\xC8\xEC\x2E\x30\x4E\x94\x35\xB4\x24\x1F\x4B\x78\x69\xDA\xF2\x02\x38\xCC\x95\x52\x93\xF0\x70\x25\x59\x9C\x20\x67\xC4\xEE\xF9\x8B\x57\x61\xF4\x92\x76\x7D\x3F\x84\x8D\x55\xB7\xE8\x
E5\xAC\xD5\xF1\xF5\x19\x56\xA6\x5A\xFB\x90\x1C\xAF\x93\xEB\xE5\x1C\xD4\x67\x97\x5D\x04\x0E\xBE\x0B\x83\xA6\x17\x83\xB9\x30\x12\xA0\xC5\x33\x15\x05\xB9\x0D\xFB\xC7\x05\x76\xE3\xD8\x4A\x8D\xFC\x34\x17\xA3\xC6\x21\x28\xBE\x30\x45\x31\x1E\xC7\x78\xBE\x58\x61\x38\xAC\x3B\xE2\x01\x65", ["CN=Network Solutions Certificate Authority,O=Network Solutions L.L.C.,C=US"] = "\x30\x82\x03\xE6\x30\x82\x02\xCE\xA0\x03\x02\x01\x02\x02\x10\x57\xCB\x33\x6F\xC2\x5C\x16\xE6\x47\x16\x17\xE3\x90\x31\x68\xE0\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x62\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x21\x30\x1F\x06\x03\x55\x04\x0A\x13\x18\x4E\x65\x74\x77\x6F\x72\x6B\x20\x53\x6F\x6C\x75\x74\x69\x6F\x6E\x73\x20\x4C\x2E\x4C\x2E\x43\x2E\x31\x30\x30\x2E\x06\x03\x55\x04\x03\x13\x27\x4E\x65\x74\x77\x6F\x72\x6B\x20\x53\x6F\x6C\x75\x74\x69\x6F\x6E\x73\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x1E\x17\x0D\x30\x36\x31\x32\x30\x31\x30\x30\x30\x30\x30\x30\x5A\x17\x0D\x32\x39\x31\x32\x33\x31\x32\x33\x35\x39\x35\x39\x5A\x30\x62\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x21\x30\x1F\x06\x03\x55\x04\x0A\x13\x18\x4E\x65\x74\x77\x6F\x72\x6B\x20\x53\x6F\x6C\x75\x74\x69\x6F\x6E\x73\x20\x4C\x2E\x4C\x2E\x43\x2E\x31\x30\x30\x2E\x06\x03\x55\x04\x03\x13\x27\x4E\x65\x74\x77\x6F\x72\x6B\x20\x53\x6F\x6C\x75\x74\x69\x6F\x6E\x73\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xE4\xBC\x7E\x92\x30\x6D\xC6\xD8\x8E\x2B\x0B\xBC\x46\xCE\xE0\x27\x96\xDE\xDE\xF9\xFA\x12\xD3\x3C\x33\x73\xB3\x04\x2F\xBC\x71\x8C\xE5\x9F\xB6\x22\x60\x3E\x5F\x5D\xCE\x09\xFF\x82\x0C\x1B\x9A\x51\x50\x1A\x26\x89\xDD\xD5\x61\x5D\x19\xDC\x12\x0F\x2D\x0A\xA2\x43\x5D\x17\xD0\x34\x92\x20\xEA\x73\xCF\x38\x2C\x06\x26\x09\x7A\x72\xF7\xFA\x50\x32\xF8\xC2\x93\xD3\x69\xA2\x23\xCE\x41\xB1\xCC\xE4\xD5\x1F\
x36\xD1\x8A\x3A\xF8\x8C\x63\xE2\x14\x59\x69\xED\x0D\xD3\x7F\x6B\xE8\xB8\x03\xE5\x4F\x6A\xE5\x98\x63\x69\x48\x05\xBE\x2E\xFF\x33\xB6\xE9\x97\x59\x69\xF8\x67\x19\xAE\x93\x61\x96\x44\x15\xD3\x72\xB0\x3F\xBC\x6A\x7D\xEC\x48\x7F\x8D\xC3\xAB\xAA\x71\x2B\x53\x69\x41\x53\x34\xB5\xB0\xB9\xC5\x06\x0A\xC4\xB0\x45\xF5\x41\x5D\x6E\x89\x45\x7B\x3D\x3B\x26\x8C\x74\xC2\xE5\xD2\xD1\x7D\xB2\x11\xD4\xFB\x58\x32\x22\x9A\x80\xC9\xDC\xFD\x0C\xE9\x7F\x5E\x03\x97\xCE\x3B\x00\x14\x87\x27\x70\x38\xA9\x8E\x6E\xB3\x27\x76\x98\x51\xE0\x05\xE3\x21\xAB\x1A\xD5\x85\x22\x3C\x29\xB5\x9A\x16\xC5\x80\xA8\xF4\xBB\x6B\x30\x8F\x2F\x46\x02\xA2\xB1\x0C\x22\xE0\xD3\x02\x03\x01\x00\x01\xA3\x81\x97\x30\x81\x94\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x21\x30\xC9\xFB\x00\xD7\x4E\x98\xDA\x87\xAA\x2A\xD0\xA7\x2E\xB1\x40\x31\xA7\x4C\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x52\x06\x03\x55\x1D\x1F\x04\x4B\x30\x49\x30\x47\xA0\x45\xA0\x43\x86\x41\x68\x74\x74\x70\x3A\x2F\x2F\x63\x72\x6C\x2E\x6E\x65\x74\x73\x6F\x6C\x73\x73\x6C\x2E\x63\x6F\x6D\x2F\x4E\x65\x74\x77\x6F\x72\x6B\x53\x6F\x6C\x75\x74\x69\x6F\x6E\x73\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x2E\x63\x72\x6C\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\xBB\xAE\x4B\xE7\xB7\x57\xEB\x7F\xAA\x2D\xB7\x73\x47\x85\x6A\xC1\xE4\xA5\x1D\xE4\xE7\x3C\xE9\xF4\x59\x65\x77\xB5\x7A\x5B\x5A\x8D\x25\x36\xE0\x7A\x97\x2E\x38\xC0\x57\x60\x83\x98\x06\x83\x9F\xB9\x76\x7A\x6E\x50\xE0\xBA\x88\x2C\xFC\x45\xCC\x18\xB0\x99\x95\x51\x0E\xEC\x1D\xB8\x88\xFF\x87\x50\x1C\x82\xC2\xE3\xE0\x32\x80\xBF\xA0\x0B\x47\xC8\xC3\x31\xEF\x99\x67\x32\x80\x4F\x17\x21\x79\x0C\x69\x5C\xDE\x5E\x34\xAE\x02\xB5\x26\xEA\x50\xDF\x7F\x18\x65\x2C\xC9\xF2\x63\xE1\xA9\x07\xFE\x7C\x71\x1F\x6B\x33\x24\x6A\x1E\x05\xF7\x05\x68\xC0\x6A\x12\xCB\x2E\x5E\x61\xCB\xAE\x28\xD3\x7E\xC2\xB4\x66\x91\x26\x5F\x3C\x2E\x24\x5F\xCB\x58\x0F\xEB\x28\xEC\xAF\x11\x96\xF3\
xDC\x7B\x6F\xC0\xA7\x88\xF2\x53\x77\xB3\x60\x5E\xAE\xAE\x28\xDA\x35\x2C\x6F\x34\x45\xD3\x26\xE1\xDE\xEC\x5B\x4F\x27\x6B\x16\x7C\xBD\x44\x04\x18\x82\xB3\x89\x79\x17\x10\x71\x3D\x7A\xA2\x16\x4E\xF5\x01\xCD\xA4\x6C\x65\x68\xA1\x49\x76\x5C\x43\xC9\xD8\xBC\x36\x67\x6C\xA5\x94\xB5\xD4\xCC\xB9\xBD\x6A\x35\x56\x21\xDE\xD8\xC3\xEB\xFB\xCB\xA4\x60\x4C\xB0\x55\xA0\xA0\x7B\x57\xB2", - ["CN=WellsSecure Public Root Certificate Authority,OU=Wells Fargo Bank NA,O=Wells Fargo WellsSecure,C=US"] = "\x30\x82\x04\xBD\x30\x82\x03\xA5\xA0\x03\x02\x01\x02\x02\x01\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x81\x85\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x20\x30\x1E\x06\x03\x55\x04\x0A\x0C\x17\x57\x65\x6C\x6C\x73\x20\x46\x61\x72\x67\x6F\x20\x57\x65\x6C\x6C\x73\x53\x65\x63\x75\x72\x65\x31\x1C\x30\x1A\x06\x03\x55\x04\x0B\x0C\x13\x57\x65\x6C\x6C\x73\x20\x46\x61\x72\x67\x6F\x20\x42\x61\x6E\x6B\x20\x4E\x41\x31\x36\x30\x34\x06\x03\x55\x04\x03\x0C\x2D\x57\x65\x6C\x6C\x73\x53\x65\x63\x75\x72\x65\x20\x50\x75\x62\x6C\x69\x63\x20\x52\x6F\x6F\x74\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x1E\x17\x0D\x30\x37\x31\x32\x31\x33\x31\x37\x30\x37\x35\x34\x5A\x17\x0D\x32\x32\x31\x32\x31\x34\x30\x30\x30\x37\x35\x34\x5A\x30\x81\x85\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x20\x30\x1E\x06\x03\x55\x04\x0A\x0C\x17\x57\x65\x6C\x6C\x73\x20\x46\x61\x72\x67\x6F\x20\x57\x65\x6C\x6C\x73\x53\x65\x63\x75\x72\x65\x31\x1C\x30\x1A\x06\x03\x55\x04\x0B\x0C\x13\x57\x65\x6C\x6C\x73\x20\x46\x61\x72\x67\x6F\x20\x42\x61\x6E\x6B\x20\x4E\x41\x31\x36\x30\x34\x06\x03\x55\x04\x03\x0C\x2D\x57\x65\x6C\x6C\x73\x53\x65\x63\x75\x72\x65\x20\x50\x75\x62\x6C\x69\x63\x20\x52\x6F\x6F\x74\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xEE\x6F\xB4\xBD\x79\xE2\x8F\x08\x21\x9E\x
38\x04\x41\x25\xEF\xAB\x5B\x1C\x53\x92\xAC\x6D\x9E\xDD\xC2\xC4\x2E\x45\x94\x03\x35\x88\x67\x74\x57\xE3\xDF\x8C\xB8\xA7\x76\x8F\x3B\xF7\xA8\xC4\xDB\x29\x63\x0E\x91\x68\x36\x8A\x97\x8E\x8A\x71\x68\x09\x07\xE4\xE8\xD4\x0E\x4F\xF8\xD6\x2B\x4C\xA4\x16\xF9\xEF\x43\x98\x8F\xB3\x9E\x52\xDF\x6D\x91\x39\x8F\x38\xBD\x77\x8B\x43\x63\xEB\xB7\x93\xFC\x30\x4C\x1C\x01\x93\xB6\x13\xFB\xF7\xA1\x1F\xBF\x25\xE1\x74\x37\x2C\x1E\xA4\x5E\x3C\x68\xF8\x4B\xBF\x0D\xB9\x1E\x2E\x36\xE8\xA9\xE4\xA7\xF8\x0F\xCB\x82\x75\x7C\x35\x2D\x22\xD6\xC2\xBF\x0B\xF3\xB4\xFC\x6C\x95\x61\x1E\x57\xD7\x04\x81\x32\x83\x52\x79\xE6\x83\x63\xCF\xB7\xCB\x63\x8B\x11\xE2\xBD\x5E\xEB\xF6\x8D\xED\x95\x72\x28\xB4\xAC\x12\x62\xE9\x4A\x33\xE6\x83\x32\xAE\x05\x75\x95\xBD\x84\x95\xDB\x2A\x5C\x9B\x8E\x2E\x0C\xB8\x81\x2B\x41\xE6\x38\x56\x9F\x49\x9B\x6C\x76\xFA\x8A\x5D\xF7\x01\x79\x81\x7C\xC1\x83\x40\x05\xFE\x71\xFD\x0C\x3F\xCC\x4E\x60\x09\x0E\x65\x47\x10\x2F\x01\xC0\x05\x3F\x8F\xF8\xB3\x41\xEF\x5A\x42\x7E\x59\xEF\xD2\x97\x0C\x65\x02\x03\x01\x00\x01\xA3\x82\x01\x34\x30\x82\x01\x30\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x39\x06\x03\x55\x1D\x1F\x04\x32\x30\x30\x30\x2E\xA0\x2C\xA0\x2A\x86\x28\x68\x74\x74\x70\x3A\x2F\x2F\x63\x72\x6C\x2E\x70\x6B\x69\x2E\x77\x65\x6C\x6C\x73\x66\x61\x72\x67\x6F\x2E\x63\x6F\x6D\x2F\x77\x73\x70\x72\x63\x61\x2E\x63\x72\x6C\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\xC6\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x26\x95\x19\x10\xD9\xE8\xA1\x97\x91\xFF\xDC\x19\xD9\xB5\x04\x3E\xD2\x73\x0A\x6A\x30\x81\xB2\x06\x03\x55\x1D\x23\x04\x81\xAA\x30\x81\xA7\x80\x14\x26\x95\x19\x10\xD9\xE8\xA1\x97\x91\xFF\xDC\x19\xD9\xB5\x04\x3E\xD2\x73\x0A\x6A\xA1\x81\x8B\xA4\x81\x88\x30\x81\x85\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x20\x30\x1E\x06\x03\x55\x04\x0A\x0C\x17\x57\x65\x6C\x6C\x73\x20\x46\x61\x72\x67\x6F\x20\x57\x65\x6C\x6C\x73\x53\x65\x63\x75\x72\x65\x31\x1C\x30\x1A\x06\x03\x55\x04\x0B\x0C\x13\x57\x65\x6C\x6C\x73\x20\x46\x61\x72\x67\x6F\x20\x42\x61\x6E\x
6B\x20\x4E\x41\x31\x36\x30\x34\x06\x03\x55\x04\x03\x0C\x2D\x57\x65\x6C\x6C\x73\x53\x65\x63\x75\x72\x65\x20\x50\x75\x62\x6C\x69\x63\x20\x52\x6F\x6F\x74\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x82\x01\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\xB9\x15\xB1\x44\x91\xCC\x23\xC8\x2B\x4D\x77\xE3\xF8\x9A\x7B\x27\x0D\xCD\x72\xBB\x99\x00\xCA\x7C\x66\x19\x50\xC6\xD5\x98\xED\xAB\xBF\x03\x5A\xE5\x4D\xE5\x1E\xC8\x4F\x71\x97\x86\xD5\xE3\x1D\xFD\x90\xC9\x3C\x75\x77\x57\x7A\x7D\xF8\xDE\xF4\xD4\xD5\xF7\x95\xE6\x74\x6E\x1D\x3C\xAE\x7C\x9D\xDB\x02\x03\x05\x2C\x71\x4B\x25\x3E\x07\xE3\x5E\x9A\xF5\x66\x17\x29\x88\x1A\x38\x9F\xCF\xAA\x41\x03\x84\x97\x6B\x93\x38\x7A\xCA\x30\x44\x1B\x24\x44\x33\xD0\xE4\xD1\xDC\x28\x38\xF4\x13\x43\x35\x35\x29\x63\xA8\x7C\xA2\xB5\xAD\x38\xA4\xED\xAD\xFD\xC6\x9A\x1F\xFF\x97\x73\xFE\xFB\xB3\x35\xA7\x93\x86\xC6\x76\x91\x00\xE6\xAC\x51\x16\xC4\x27\x32\x5C\xDB\x73\xDA\xA5\x93\x57\x8E\x3E\x6D\x35\x26\x08\x59\xD5\xE7\x44\xD7\x76\x20\x63\xE7\xAC\x13\x67\xC3\x6D\xB1\x70\x46\x7C\xD5\x96\x11\x3D\x89\x6F\x5D\xA8\xA1\xEB\x8D\x0A\xDA\xC3\x1D\x33\x6C\xA3\xEA\x67\x19\x9A\x99\x7F\x4B\x3D\x83\x51\x2A\x1D\xCA\x2F\x86\x0C\xA2\x7E\x10\x2D\x2B\xD4\x16\x95\x0B\x07\xAA\x2E\x14\x92\x49\xB7\x29\x6F\xD8\x6D\x31\x7D\xF5\xFC\xA1\x10\x07\x87\xCE\x2F\x59\xDC\x3E\x58\xDB", ["CN=COMODO ECC Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB"] = 
"\x30\x82\x02\x89\x30\x82\x02\x0F\xA0\x03\x02\x01\x02\x02\x10\x1F\x47\xAF\xAA\x62\x00\x70\x50\x54\x4C\x01\x9E\x9B\x63\x99\x2A\x30\x0A\x06\x08\x2A\x86\x48\xCE\x3D\x04\x03\x03\x30\x81\x85\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x47\x42\x31\x1B\x30\x19\x06\x03\x55\x04\x08\x13\x12\x47\x72\x65\x61\x74\x65\x72\x20\x4D\x61\x6E\x63\x68\x65\x73\x74\x65\x72\x31\x10\x30\x0E\x06\x03\x55\x04\x07\x13\x07\x53\x61\x6C\x66\x6F\x72\x64\x31\x1A\x30\x18\x06\x03\x55\x04\x0A\x13\x11\x43\x4F\x4D\x4F\x44\x4F\x20\x43\x41\x20\x4C\x69\x6D\x69\x74\x65\x64\x31\x2B\x30\x29\x06\x03\x55\x04\x03\x13\x22\x43\x4F\x4D\x4F\x44\x4F\x20\x45\x43\x43\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x1E\x17\x0D\x30\x38\x30\x33\x30\x36\x30\x30\x30\x30\x30\x30\x5A\x17\x0D\x33\x38\x30\x31\x31\x38\x32\x33\x35\x39\x35\x39\x5A\x30\x81\x85\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x47\x42\x31\x1B\x30\x19\x06\x03\x55\x04\x08\x13\x12\x47\x72\x65\x61\x74\x65\x72\x20\x4D\x61\x6E\x63\x68\x65\x73\x74\x65\x72\x31\x10\x30\x0E\x06\x03\x55\x04\x07\x13\x07\x53\x61\x6C\x66\x6F\x72\x64\x31\x1A\x30\x18\x06\x03\x55\x04\x0A\x13\x11\x43\x4F\x4D\x4F\x44\x4F\x20\x43\x41\x20\x4C\x69\x6D\x69\x74\x65\x64\x31\x2B\x30\x29\x06\x03\x55\x04\x03\x13\x22\x43\x4F\x4D\x4F\x44\x4F\x20\x45\x43\x43\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x76\x30\x10\x06\x07\x2A\x86\x48\xCE\x3D\x02\x01\x06\x05\x2B\x81\x04\x00\x22\x03\x62\x00\x04\x03\x47\x7B\x2F\x75\xC9\x82\x15\x85\xFB\x75\xE4\x91\x16\xD4\xAB\x62\x99\xF5\x3E\x52\x0B\x06\xCE\x41\x00\x7F\x97\xE1\x0A\x24\x3C\x1D\x01\x04\xEE\x3D\xD2\x8D\x09\x97\x0C\xE0\x75\xE4\xFA\xFB\x77\x8A\x2A\xF5\x03\x60\x4B\x36\x8B\x16\x23\x16\xAD\x09\x71\xF4\x4A\xF4\x28\x50\xB4\xFE\x88\x1C\x6E\x3F\x6C\x2F\x2F\x09\x59\x5B\xA5\x5B\x0B\x33\x99\xE2\xC3\x3D\x89\xF9\x6A\x2C\xEF\xB2\xD3\x06\xE9\xA3\x42\x30\x40\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x75\x71\xA7\x19\x48\x19\xBC\x9D\x9D\xEA\x41\x47\xDF\x94\xC4\x48\x77\x9
9\xD3\x79\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0A\x06\x08\x2A\x86\x48\xCE\x3D\x04\x03\x03\x03\x68\x00\x30\x65\x02\x31\x00\xEF\x03\x5B\x7A\xAC\xB7\x78\x0A\x72\xB7\x88\xDF\xFF\xB5\x46\x14\x09\x0A\xFA\xA0\xE6\x7D\x08\xC6\x1A\x87\xBD\x18\xA8\x73\xBD\x26\xCA\x60\x0C\x9D\xCE\x99\x9F\xCF\x5C\x0F\x30\xE1\xBE\x14\x31\xEA\x02\x30\x14\xF4\x93\x3C\x49\xA7\x33\x7A\x90\x46\x47\xB3\x63\x7D\x13\x9B\x4E\xB7\x6F\x18\x37\x80\x53\xFE\xDD\x20\xE0\x35\x9A\x36\xD1\xC7\x01\xB9\xE6\xDC\xDD\xF3\xFF\x1D\x2C\x3A\x16\x57\xD9\x92\x39\xD6", - ["emailAddress=igca@sgdn.pm.gouv.fr,CN=IGC/A,OU=DCSSI,O=PM/SGDN,L=Paris,ST=France,C=FR"] = "\x30\x82\x04\x02\x30\x82\x02\xEA\xA0\x03\x02\x01\x02\x02\x05\x39\x11\x45\x10\x94\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x81\x85\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x46\x52\x31\x0F\x30\x0D\x06\x03\x55\x04\x08\x13\x06\x46\x72\x61\x6E\x63\x65\x31\x0E\x30\x0C\x06\x03\x55\x04\x07\x13\x05\x50\x61\x72\x69\x73\x31\x10\x30\x0E\x06\x03\x55\x04\x0A\x13\x07\x50\x4D\x2F\x53\x47\x44\x4E\x31\x0E\x30\x0C\x06\x03\x55\x04\x0B\x13\x05\x44\x43\x53\x53\x49\x31\x0E\x30\x0C\x06\x03\x55\x04\x03\x13\x05\x49\x47\x43\x2F\x41\x31\x23\x30\x21\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x09\x01\x16\x14\x69\x67\x63\x61\x40\x73\x67\x64\x6E\x2E\x70\x6D\x2E\x67\x6F\x75\x76\x2E\x66\x72\x30\x1E\x17\x0D\x30\x32\x31\x32\x31\x33\x31\x34\x32\x39\x32\x33\x5A\x17\x0D\x32\x30\x31\x30\x31\x37\x31\x34\x32\x39\x32\x32\x5A\x30\x81\x85\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x46\x52\x31\x0F\x30\x0D\x06\x03\x55\x04\x08\x13\x06\x46\x72\x61\x6E\x63\x65\x31\x0E\x30\x0C\x06\x03\x55\x04\x07\x13\x05\x50\x61\x72\x69\x73\x31\x10\x30\x0E\x06\x03\x55\x04\x0A\x13\x07\x50\x4D\x2F\x53\x47\x44\x4E\x31\x0E\x30\x0C\x06\x03\x55\x04\x0B\x13\x05\x44\x43\x53\x53\x49\x31\x0E\x30\x0C\x06\x03\x55\x04\x03\x13\x05\x49\x47\x43\x2F\x41\x31\x23\x30\x21\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x09\x01\x16\x14\x69\x67\x63\x
61\x40\x73\x67\x64\x6E\x2E\x70\x6D\x2E\x67\x6F\x75\x76\x2E\x66\x72\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xB2\x1F\xD1\xD0\x62\xC5\x33\x3B\xC0\x04\x86\x88\xB3\xDC\xF8\x88\xF7\xFD\xDF\x43\xDF\x7A\x8D\x9A\x49\x5C\xF6\x4E\xAA\xCC\x1C\xB9\xA1\xEB\x27\x89\xF2\x46\xE9\x3B\x4A\x71\xD5\x1D\x8E\x2D\xCF\xE6\xAD\xAB\x63\x50\xC7\x54\x0B\x6E\x12\xC9\x90\x36\xC6\xD8\x2F\xDA\x91\xAA\x68\xC5\x72\xFE\x17\x0A\xB2\x17\x7E\x79\xB5\x32\x88\x70\xCA\x70\xC0\x96\x4A\x8E\xE4\x55\xCD\x1D\x27\x94\xBF\xCE\x72\x2A\xEC\x5C\xF9\x73\x20\xFE\xBD\xF7\x2E\x89\x67\xB8\xBB\x47\x73\x12\xF7\xD1\x35\x69\x3A\xF2\x0A\xB9\xAE\xFF\x46\x42\x46\xA2\xBF\xA1\x85\x1A\xF9\xBF\xE4\xFF\x49\x85\xF7\xA3\x70\x86\x32\x1C\x5D\x9F\x60\xF7\xA9\xAD\xA5\xFF\xCF\xD1\x34\xF9\x7D\x5B\x17\xC6\xDC\xD6\x0E\x28\x6B\xC2\xDD\xF1\xF5\x33\x68\x9D\x4E\xFC\x87\x7C\x36\x12\xD6\xA3\x80\xE8\x43\x0D\x55\x61\x94\xEA\x64\x37\x47\xEA\x77\xCA\xD0\xB2\x58\x05\xC3\x5D\x7E\xB1\xA8\x46\x90\x31\x56\xCE\x70\x2A\x96\xB2\x30\xB8\x77\xE6\x79\xC0\xBD\x29\x3B\xFD\x94\x77\x4C\xBD\x20\xCD\x41\x25\xE0\x2E\xC7\x1B\xBB\xEE\xA4\x04\x41\xD2\x5D\xAD\x12\x6A\x8A\x9B\x47\xFB\xC9\xDD\x46\x40\xE1\x9D\x3C\x33\xD0\xB5\x02\x03\x01\x00\x01\xA3\x77\x30\x75\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0B\x06\x03\x55\x1D\x0F\x04\x04\x03\x02\x01\x46\x30\x15\x06\x03\x55\x1D\x20\x04\x0E\x30\x0C\x30\x0A\x06\x08\x2A\x81\x7A\x01\x79\x01\x01\x01\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xA3\x05\x2F\x18\x60\x50\xC2\x89\x0A\xDD\x2B\x21\x4F\xFF\x8E\x4E\xA8\x30\x31\x36\x30\x1F\x06\x03\x55\x1D\x23\x04\x18\x30\x16\x80\x14\xA3\x05\x2F\x18\x60\x50\xC2\x89\x0A\xDD\x2B\x21\x4F\xFF\x8E\x4E\xA8\x30\x31\x36\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x05\xDC\x26\xD8\xFA\x77\x15\x44\x68\xFC\x2F\x66\x3A\x74\xE0\x5D\xE4\x29\xFF\x06\x07\x13\x84\x4A\xAB\xCF\x6D\xA0\x1F\x51\x94\xF8\x49\xCB\x74\x36\x14\xBC\x15\xDD\xDB\x89\x2F\xDD\x8F\xA0\x5D\x7C\x
F5\x12\xEB\x9F\x9E\x38\xA4\x47\xCC\xB3\x96\xD9\xBE\x9C\x25\xAB\x03\x7E\x33\x0F\x95\x81\x0D\xFD\x16\xE0\x88\xBE\x37\xF0\x6C\x5D\xD0\x31\x9B\x32\x2B\x5D\x17\x65\x93\x98\x60\xBC\x6E\x8F\xB1\xA8\x3C\x1E\xD9\x1C\xF3\xA9\x26\x42\xF9\x64\x1D\xC2\xE7\x92\xF6\xF4\x1E\x5A\xAA\x19\x52\x5D\xAF\xE8\xA2\xF7\x60\xA0\xF6\x8D\xF0\x89\xF5\x6E\xE0\x0A\x05\x01\x95\xC9\x8B\x20\x0A\xBA\x5A\xFC\x9A\x2C\x3C\xBD\xC3\xB7\xC9\x5D\x78\x25\x05\x3F\x56\x14\x9B\x0C\xDA\xFB\x3A\x48\xFE\x97\x69\x5E\xCA\x10\x86\xF7\x4E\x96\x04\x08\x4D\xEC\xB0\xBE\x5D\xDC\x3B\x8E\x4F\xC1\xFD\x9A\x36\x34\x9A\x4C\x54\x7E\x17\x03\x48\x95\x08\x11\x1C\x07\x6F\x85\x08\x7E\x5D\x4D\xC4\x9D\xDB\xFB\xAE\xCE\xB2\xD1\xB3\xB8\x83\x6C\x1D\xB2\xB3\x79\xF1\xD8\x70\x99\x7E\xF0\x13\x02\xCE\x5E\xDD\x51\xD3\xDF\x36\x81\xA1\x1B\x78\x2F\x71\xB3\xF1\x59\x4C\x46\x18\x28\xAB\x85\xD2\x60\x56\x5A", - ["OU=Security Communication EV RootCA1,O=SECOM Trust Systems CO.\,LTD.,C=JP"] = "\x30\x82\x03\x7D\x30\x82\x02\x65\xA0\x03\x02\x01\x02\x02\x01\x00\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x60\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x4A\x50\x31\x25\x30\x23\x06\x03\x55\x04\x0A\x13\x1C\x53\x45\x43\x4F\x4D\x20\x54\x72\x75\x73\x74\x20\x53\x79\x73\x74\x65\x6D\x73\x20\x43\x4F\x2E\x2C\x4C\x54\x44\x2E\x31\x2A\x30\x28\x06\x03\x55\x04\x0B\x13\x21\x53\x65\x63\x75\x72\x69\x74\x79\x20\x43\x6F\x6D\x6D\x75\x6E\x69\x63\x61\x74\x69\x6F\x6E\x20\x45\x56\x20\x52\x6F\x6F\x74\x43\x41\x31\x30\x1E\x17\x0D\x30\x37\x30\x36\x30\x36\x30\x32\x31\x32\x33\x32\x5A\x17\x0D\x33\x37\x30\x36\x30\x36\x30\x32\x31\x32\x33\x32\x5A\x30\x60\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x4A\x50\x31\x25\x30\x23\x06\x03\x55\x04\x0A\x13\x1C\x53\x45\x43\x4F\x4D\x20\x54\x72\x75\x73\x74\x20\x53\x79\x73\x74\x65\x6D\x73\x20\x43\x4F\x2E\x2C\x4C\x54\x44\x2E\x31\x2A\x30\x28\x06\x03\x55\x04\x0B\x13\x21\x53\x65\x63\x75\x72\x69\x74\x79\x20\x43\x6F\x6D\x6D\x75\x6E\x69\x63\x61\x74\x69\x6F\x6E\x20\x45\x56\x20\x52\x6F\x6F\x74\x43\x41\x31\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86
\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xBC\x7F\xEC\x57\x9B\x24\xE0\xFE\x9C\xBA\x42\x79\xA9\x88\x8A\xFA\x80\xE0\xF5\x07\x29\x43\xEA\x8E\x0A\x34\x36\x8D\x1C\xFA\xA7\xB5\x39\x78\xFF\x97\x75\xF7\x2F\xE4\xAA\x6B\x04\x84\x44\xCA\xA6\xE2\x68\x8E\xFD\x55\x50\x62\x0F\xA4\x71\x0E\xCE\x07\x38\x2D\x42\x85\x50\xAD\x3C\x96\x6F\x8B\xD5\xA2\x0E\xCF\xDE\x49\x89\x3D\xD6\x64\x2E\x38\xE5\x1E\x6C\xB5\x57\x8A\x9E\xEF\x48\x0E\xCD\x7A\x69\x16\x87\x44\xB5\x90\xE4\x06\x9D\xAE\xA1\x04\x97\x58\x79\xEF\x20\x4A\x82\x6B\x8C\x22\xBF\xEC\x1F\x0F\xE9\x84\x71\xED\xF1\x0E\xE4\xB8\x18\x13\xCC\x56\x36\x5D\xD1\x9A\x1E\x51\x6B\x39\x6E\x60\x76\x88\x34\x0B\xF3\xB3\xD1\xB0\x9D\xCA\x61\xE2\x64\x1D\xC1\x46\x07\xB8\x63\xDD\x1E\x33\x65\xB3\x8E\x09\x55\x52\x3D\xB5\xBD\xFF\x07\xEB\xAD\x61\x55\x18\x2C\xA9\x69\x98\x4A\xAA\x40\xC5\x33\x14\x65\x74\x00\xF9\x91\xDE\xAF\x03\x48\xC5\x40\x54\xDC\x0F\x84\x90\x68\x20\xC5\x92\x96\xDC\x2E\xE5\x02\x45\xAA\xC0\x5F\x54\xF8\x6D\xEA\x49\xCF\x5D\x6C\x4B\xAF\xEF\x9A\xC2\x56\x5C\xC6\x35\x56\x42\x6A\x30\x5F\xC2\xAB\xF6\xE2\x3D\x3F\xB3\xC9\x11\x8F\x31\x4C\xD7\x9F\x49\x02\x03\x01\x00\x01\xA3\x42\x30\x40\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x35\x4A\xF5\x4D\xAF\x3F\xD7\x82\x38\xAC\xAB\x71\x65\x17\x75\x8C\x9D\x55\x93\xE6\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\xA8\x87\xE9\xEC\xF8\x40\x67\x5D\xC3\xC1\x66\xC7\x40\x4B\x97\xFC\x87\x13\x90\x5A\xC4\xEF\xA0\xCA\x5F\x8B\xB7\xA7\xB7\xF1\xD6\xB5\x64\xB7\x8A\xB3\xB8\x1B\xCC\xDA\xFB\xAC\x66\x88\x41\xCE\xE8\xFC\xE4\xDB\x1E\x88\xA6\xED\x27\x50\x1B\x02\x30\x24\x46\x79\xFE\x04\x87\x70\x97\x40\x73\xD1\xC0\xC1\x57\x19\x9A\x69\xA5\x27\x99\xAB\x9D\x62\x84\xF6\x51\xC1\x2C\xC9\x23\x15\xD8\x28\xB7\xAB\x25\x13\xB5\x46\xE1\x86\x02\xFF\x26\x8C\xC4\x88\x92\x1D\x56\xFE\x19\x67\xF2\x55\xE4\x80\xA3\x6B\x9C\xAB\x77\xE1\x51\x71\x0D\x20\xDB\x10\x9A\xDB
\xBD\x76\x79\x07\x77\x99\x28\xAD\x9A\x5E\xDA\xB1\x4F\x44\x2C\x35\x8E\xA5\x96\xC7\xFD\x83\xF0\x58\xC6\x79\xD6\x98\x7C\xA8\x8D\xFE\x86\x3E\x07\x16\x92\xE1\x7B\xE7\x1D\xEC\x33\x76\x7E\x42\x2E\x4A\x85\xF9\x91\x89\x68\x84\x03\x81\xA5\x9B\x9A\xBE\xE3\x37\xC5\x54\xAB\x56\x3B\x18\x2D\x41\xA4\x0C\xF8\x42\xDB\x99\xA0\xE0\x72\x6F\xBB\x5D\xE1\x16\x4F\x53\x0A\x64\xF9\x4E\xF4\xBF\x4E\x54\xBD\x78\x6C\x88\xEA\xBF\x9C\x13\x24\xC2\x70\x69\xA2\x7F\x0F\xC8\x3C\xAD\x08\xC9\xB0\x98\x40\xA3\x2A\xE7\x88\x83\xED\x77\x8F\x74", ["CN=OISTE WISeKey Global Root GA CA,OU=OISTE Foundation Endorsed,OU=Copyright (c) 2005,O=WISeKey,C=CH"] = "\x30\x82\x03\xF1\x30\x82\x02\xD9\xA0\x03\x02\x01\x02\x02\x10\x41\x3D\x72\xC7\xF4\x6B\x1F\x81\x43\x7D\xF1\xD2\x28\x54\xDF\x9A\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x81\x8A\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x43\x48\x31\x10\x30\x0E\x06\x03\x55\x04\x0A\x13\x07\x57\x49\x53\x65\x4B\x65\x79\x31\x1B\x30\x19\x06\x03\x55\x04\x0B\x13\x12\x43\x6F\x70\x79\x72\x69\x67\x68\x74\x20\x28\x63\x29\x20\x32\x30\x30\x35\x31\x22\x30\x20\x06\x03\x55\x04\x0B\x13\x19\x4F\x49\x53\x54\x45\x20\x46\x6F\x75\x6E\x64\x61\x74\x69\x6F\x6E\x20\x45\x6E\x64\x6F\x72\x73\x65\x64\x31\x28\x30\x26\x06\x03\x55\x04\x03\x13\x1F\x4F\x49\x53\x54\x45\x20\x57\x49\x53\x65\x4B\x65\x79\x20\x47\x6C\x6F\x62\x61\x6C\x20\x52\x6F\x6F\x74\x20\x47\x41\x20\x43\x41\x30\x1E\x17\x0D\x30\x35\x31\x32\x31\x31\x31\x36\x30\x33\x34\x34\x5A\x17\x0D\x33\x37\x31\x32\x31\x31\x31\x36\x30\x39\x35\x31\x5A\x30\x81\x8A\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x43\x48\x31\x10\x30\x0E\x06\x03\x55\x04\x0A\x13\x07\x57\x49\x53\x65\x4B\x65\x79\x31\x1B\x30\x19\x06\x03\x55\x04\x0B\x13\x12\x43\x6F\x70\x79\x72\x69\x67\x68\x74\x20\x28\x63\x29\x20\x32\x30\x30\x35\x31\x22\x30\x20\x06\x03\x55\x04\x0B\x13\x19\x4F\x49\x53\x54\x45\x20\x46\x6F\x75\x6E\x64\x61\x74\x69\x6F\x6E\x20\x45\x6E\x64\x6F\x72\x73\x65\x64\x31\x28\x30\x26\x06\x03\x55\x04\x03\x13\x1F\x4F\x49\x53\x54\x45\x20\x57\x49\x53\x65\x4B\x65\x79\x20\x47\x6C\x6F\
x62\x61\x6C\x20\x52\x6F\x6F\x74\x20\x47\x41\x20\x43\x41\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xCB\x4F\xB3\x00\x9B\x3D\x36\xDD\xF9\xD1\x49\x6A\x6B\x10\x49\x1F\xEC\xD8\x2B\xB2\xC6\xF8\x32\x81\x29\x43\x95\x4C\x9A\x19\x23\x21\x15\x45\xDE\xE3\xC8\x1C\x51\x55\x5B\xAE\x93\xE8\x37\xFF\x2B\x6B\xE9\xD4\xEA\xBE\x2A\xDD\xA8\x51\x2B\xD7\x66\xC3\x61\x5C\x60\x02\xC8\xF5\xCE\x72\x7B\x3B\xB8\xF2\x4E\x65\x08\x9A\xCD\xA4\x6A\x19\xC1\x01\xBB\x73\xA6\xD7\xF6\xC3\xDD\xCD\xBC\xA4\x8B\xB5\x99\x61\xB8\x01\xA2\xA3\xD4\x4D\xD4\x05\x3D\x91\xAD\xF8\xB4\x08\x71\x64\xAF\x70\xF1\x1C\x6B\x7E\xF6\xC3\x77\x9D\x24\x73\x7B\xE4\x0C\x8C\xE1\xD9\x36\xE1\x99\x8B\x05\x99\x0B\xED\x45\x31\x09\xCA\xC2\x00\xDB\xF7\x72\xA0\x96\xAA\x95\x87\xD0\x8E\xC7\xB6\x61\x73\x0D\x76\x66\x8C\xDC\x1B\xB4\x63\xA2\x9F\x7F\x93\x13\x30\xF1\xA1\x27\xDB\xD9\xFF\x2C\x55\x88\x91\xA0\xE0\x4F\x07\xB0\x28\x56\x8C\x18\x1B\x97\x44\x8E\x89\xDD\xE0\x17\x6E\xE7\x2A\xEF\x8F\x39\x0A\x31\x84\x82\xD8\x40\x14\x49\x2E\x7A\x41\xE4\xA7\xFE\xE3\x64\xCC\xC1\x59\x71\x4B\x2C\x21\xA7\x5B\x7D\xE0\x1D\xD1\x2E\x81\x9B\xC3\xD8\x68\xF7\xBD\x96\x1B\xAC\x70\xB1\x16\x14\x0B\xDB\x60\xB9\x26\x01\x05\x02\x03\x01\x00\x01\xA3\x51\x30\x4F\x30\x0B\x06\x03\x55\x1D\x0F\x04\x04\x03\x02\x01\x86\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xB3\x03\x7E\xAE\x36\xBC\xB0\x79\xD1\xDC\x94\x26\xB6\x11\xBE\x21\xB2\x69\x86\x94\x30\x10\x06\x09\x2B\x06\x01\x04\x01\x82\x37\x15\x01\x04\x03\x02\x01\x00\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x4B\xA1\xFF\x0B\x87\x6E\xB3\xF9\xC1\x43\xB1\x48\xF3\x28\xC0\x1D\x2E\xC9\x09\x41\xFA\x94\x00\x1C\xA4\xA4\xAB\x49\x4F\x8F\x3D\x1E\xEF\x4D\x6F\xBD\xBC\xA4\xF6\xF2\x26\x30\xC9\x10\xCA\x1D\x88\xFB\x74\x19\x1F\x85\x45\xBD\xB0\x6C\x51\xF9\x36\x7E\xDB\xF5\x4C\x32\x3A\x41\x4F\x5B\x47\xCF\xE8\x0B\x2D\xB6\xC4\x19\x9D\x74\xC5\x47\xC6\x3B\x6A\x0F\xAC\x14\xDB\x3C\xF4\
x73\x9C\xA9\x05\xDF\x00\xDC\x74\x78\xFA\xF8\x35\x60\x59\x02\x13\x18\x7C\xBC\xFB\x4D\xB0\x20\x6D\x43\xBB\x60\x30\x7A\x67\x33\x5C\xC5\x99\xD1\xF8\x2D\x39\x52\x73\xFB\x8C\xAA\x97\x25\x5C\x72\xD9\x08\x1E\xAB\x4E\x3C\xE3\x81\x31\x9F\x03\xA6\xFB\xC0\xFE\x29\x88\x55\xDA\x84\xD5\x50\x03\xB6\xE2\x84\xA3\xA6\x36\xAA\x11\x3A\x01\xE1\x18\x4B\xD6\x44\x68\xB3\x3D\xF9\x53\x74\x84\xB3\x46\x91\x46\x96\x00\xB7\x80\x2C\xB6\xE1\xE3\x10\xE2\xDB\xA2\xE7\x28\x8F\x01\x96\x62\x16\x3E\x00\xE3\x1C\xA5\x36\x81\x18\xA2\x4C\x52\x76\xC0\x11\xA3\x6E\xE6\x1D\xBA\xE3\x5A\xBE\x36\x53\xC5\x3E\x75\x8F\x86\x69\x29\x58\x53\xB5\x9C\xBB\x6F\x9F\x5C\xC5\x18\xEC\xDD\x2F\xE1\x98\xC9\xFC\xBE\xDF\x0A\x0D", - ["CN=Microsec e-Szigno Root CA,OU=e-Szigno CA,O=Microsec Ltd.,L=Budapest,C=HU"] = "\x30\x82\x07\xA8\x30\x82\x06\x90\xA0\x03\x02\x01\x02\x02\x11\x00\xCC\xB8\xE7\xBF\x4E\x29\x1A\xFD\xA2\xDC\x66\xA5\x1C\x2C\x0F\x11\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x72\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x48\x55\x31\x11\x30\x0F\x06\x03\x55\x04\x07\x13\x08\x42\x75\x64\x61\x70\x65\x73\x74\x31\x16\x30\x14\x06\x03\x55\x04\x0A\x13\x0D\x4D\x69\x63\x72\x6F\x73\x65\x63\x20\x4C\x74\x64\x2E\x31\x14\x30\x12\x06\x03\x55\x04\x0B\x13\x0B\x65\x2D\x53\x7A\x69\x67\x6E\x6F\x20\x43\x41\x31\x22\x30\x20\x06\x03\x55\x04\x03\x13\x19\x4D\x69\x63\x72\x6F\x73\x65\x63\x20\x65\x2D\x53\x7A\x69\x67\x6E\x6F\x20\x52\x6F\x6F\x74\x20\x43\x41\x30\x1E\x17\x0D\x30\x35\x30\x34\x30\x36\x31\x32\x32\x38\x34\x34\x5A\x17\x0D\x31\x37\x30\x34\x30\x36\x31\x32\x32\x38\x34\x34\x5A\x30\x72\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x48\x55\x31\x11\x30\x0F\x06\x03\x55\x04\x07\x13\x08\x42\x75\x64\x61\x70\x65\x73\x74\x31\x16\x30\x14\x06\x03\x55\x04\x0A\x13\x0D\x4D\x69\x63\x72\x6F\x73\x65\x63\x20\x4C\x74\x64\x2E\x31\x14\x30\x12\x06\x03\x55\x04\x0B\x13\x0B\x65\x2D\x53\x7A\x69\x67\x6E\x6F\x20\x43\x41\x31\x22\x30\x20\x06\x03\x55\x04\x03\x13\x19\x4D\x69\x63\x72\x6F\x73\x65\x63\x20\x65\x2D\x53\x7A\x69\x67\x6E\x6F\x20\x52\x6F\x6F\x74\x20\x43\x41\
x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xED\xC8\x00\xD5\x81\x7B\xCD\x38\x00\x47\xCC\xDB\x84\xC1\x21\x69\x2C\x74\x90\x0C\x21\xD9\x53\x87\xED\x3E\x43\x44\x53\xAF\xAB\xF8\x80\x9B\x3C\x78\x8D\xD4\x8D\xAE\xB8\xEF\xD3\x11\xDC\x81\xE6\xCF\x3B\x96\x8C\xD6\x6F\x15\xC6\x77\x7E\xA1\x2F\xE0\x5F\x92\xB6\x27\xD7\x76\x9A\x1D\x43\x3C\xEA\xD9\xEC\x2F\xEE\x39\xF3\x6A\x67\x4B\x8B\x82\xCF\x22\xF8\x65\x55\xFE\x2C\xCB\x2F\x7D\x48\x7A\x3D\x75\xF9\xAA\xA0\x27\xBB\x78\xC2\x06\xCA\x51\xC2\x7E\x66\x4B\xAF\xCD\xA2\xA7\x4D\x02\x82\x3F\x82\xAC\x85\xC6\xE1\x0F\x90\x47\x99\x94\x0A\x71\x72\x93\x2A\xC9\xA6\xC0\xBE\x3C\x56\x4C\x73\x92\x27\xF1\x6B\xB5\xF5\xFD\xFC\x30\x05\x60\x92\xC6\xEB\x96\x7E\x01\x91\xC2\x69\xB1\x1E\x1D\x7B\x53\x45\xB8\xDC\x41\x1F\xC9\x8B\x71\xD6\x54\x14\xE3\x8B\x54\x78\x3F\xBE\xF4\x62\x3B\x5B\xF5\xA3\xEC\xD5\x92\x74\xE2\x74\x30\xEF\x01\xDB\xE1\xD4\xAB\x99\x9B\x2A\x6B\xF8\xBD\xA6\x1C\x86\x23\x42\x5F\xEC\x49\xDE\x9A\x8B\x5B\xF4\x72\x3A\x40\xC5\x49\x3E\xA5\xBE\x8E\xAA\x71\xEB\x6C\xFA\xF5\x1A\xE4\x6A\xFD\x7B\x7D\x55\x40\xEF\x58\x6E\xE6\xD9\xD5\xBC\x24\xAB\xC1\xEF\xB7\x02\x03\x01\x00\x01\xA3\x82\x04\x37\x30\x82\x04\x33\x30\x67\x06\x08\x2B\x06\x01\x05\x05\x07\x01\x01\x04\x5B\x30\x59\x30\x28\x06\x08\x2B\x06\x01\x05\x05\x07\x30\x01\x86\x1C\x68\x74\x74\x70\x73\x3A\x2F\x2F\x72\x63\x61\x2E\x65\x2D\x73\x7A\x69\x67\x6E\x6F\x2E\x68\x75\x2F\x6F\x63\x73\x70\x30\x2D\x06\x08\x2B\x06\x01\x05\x05\x07\x30\x02\x86\x21\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x65\x2D\x73\x7A\x69\x67\x6E\x6F\x2E\x68\x75\x2F\x52\x6F\x6F\x74\x43\x41\x2E\x63\x72\x74\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x82\x01\x73\x06\x03\x55\x1D\x20\x04\x82\x01\x6A\x30\x82\x01\x66\x30\x82\x01\x62\x06\x0C\x2B\x06\x01\x04\x01\x81\xA8\x18\x02\x01\x01\x01\x30\x82\x01\x50\x30\x28\x06\x08\x2B\x06\x01\x05\x05\x07\x02\x01\x16\x1C\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x65\x2D\x73\x7A\x69\x67\x6E\x6F\x2E\x68\x75\x2F\
x53\x5A\x53\x5A\x2F\x30\x82\x01\x22\x06\x08\x2B\x06\x01\x05\x05\x07\x02\x02\x30\x82\x01\x14\x1E\x82\x01\x10\x00\x41\x00\x20\x00\x74\x00\x61\x00\x6E\x00\xFA\x00\x73\x00\xED\x00\x74\x00\x76\x00\xE1\x00\x6E\x00\x79\x00\x20\x00\xE9\x00\x72\x00\x74\x00\x65\x00\x6C\x00\x6D\x00\x65\x00\x7A\x00\xE9\x00\x73\x00\xE9\x00\x68\x00\x65\x00\x7A\x00\x20\x00\xE9\x00\x73\x00\x20\x00\x65\x00\x6C\x00\x66\x00\x6F\x00\x67\x00\x61\x00\x64\x00\xE1\x00\x73\x00\xE1\x00\x68\x00\x6F\x00\x7A\x00\x20\x00\x61\x00\x20\x00\x53\x00\x7A\x00\x6F\x00\x6C\x00\x67\x00\xE1\x00\x6C\x00\x74\x00\x61\x00\x74\x00\xF3\x00\x20\x00\x53\x00\x7A\x00\x6F\x00\x6C\x00\x67\x00\xE1\x00\x6C\x00\x74\x00\x61\x00\x74\x00\xE1\x00\x73\x00\x69\x00\x20\x00\x53\x00\x7A\x00\x61\x00\x62\x00\xE1\x00\x6C\x00\x79\x00\x7A\x00\x61\x00\x74\x00\x61\x00\x20\x00\x73\x00\x7A\x00\x65\x00\x72\x00\x69\x00\x6E\x00\x74\x00\x20\x00\x6B\x00\x65\x00\x6C\x00\x6C\x00\x20\x00\x65\x00\x6C\x00\x6A\x00\xE1\x00\x72\x00\x6E\x00\x69\x00\x3A\x00\x20\x00\x68\x00\x74\x00\x74\x00\x70\x00\x3A\x00\x2F\x00\x2F\x00\x77\x00\x77\x00\x77\x00\x2E\x00\x65\x00\x2D\x00\x73\x00\x7A\x00\x69\x00\x67\x00\x6E\x00\x6F\x00\x2E\x00\x68\x00\x75\x00\x2F\x00\x53\x00\x5A\x00\x53\x00\x5A\x00\x2F\x30\x81\xC8\x06\x03\x55\x1D\x1F\x04\x81\xC0\x30\x81\xBD\x30\x81\xBA\xA0\x81\xB7\xA0\x81\xB4\x86\x21\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x65\x2D\x73\x7A\x69\x67\x6E\x6F\x2E\x68\x75\x2F\x52\x6F\x6F\x74\x43\x41\x2E\x63\x72\x6C\x86\x81\x8E\x6C\x64\x61\x70\x3A\x2F\x2F\x6C\x64\x61\x70\x2E\x65\x2D\x73\x7A\x69\x67\x6E\x6F\x2E\x68\x75\x2F\x43\x4E\x3D\x4D\x69\x63\x72\x6F\x73\x65\x63\x25\x32\x30\x65\x2D\x53\x7A\x69\x67\x6E\x6F\x25\x32\x30\x52\x6F\x6F\x74\x25\x32\x30\x43\x41\x2C\x4F\x55\x3D\x65\x2D\x53\x7A\x69\x67\x6E\x6F\x25\x32\x30\x43\x41\x2C\x4F\x3D\x4D\x69\x63\x72\x6F\x73\x65\x63\x25\x32\x30\x4C\x74\x64\x2E\x2C\x4C\x3D\x42\x75\x64\x61\x70\x65\x73\x74\x2C\x43\x3D\x48\x55\x3F\x63\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x52\x65\x76\x6F\x63\x61\x74\x69\x6F\x6E\x4C\x69\x73\x74\x3B\x62\x69\x6E\x61\
x72\x79\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x81\x96\x06\x03\x55\x1D\x11\x04\x81\x8E\x30\x81\x8B\x81\x10\x69\x6E\x66\x6F\x40\x65\x2D\x73\x7A\x69\x67\x6E\x6F\x2E\x68\x75\xA4\x77\x30\x75\x31\x23\x30\x21\x06\x03\x55\x04\x03\x0C\x1A\x4D\x69\x63\x72\x6F\x73\x65\x63\x20\x65\x2D\x53\x7A\x69\x67\x6E\xC3\xB3\x20\x52\x6F\x6F\x74\x20\x43\x41\x31\x16\x30\x14\x06\x03\x55\x04\x0B\x0C\x0D\x65\x2D\x53\x7A\x69\x67\x6E\xC3\xB3\x20\x48\x53\x5A\x31\x16\x30\x14\x06\x03\x55\x04\x0A\x13\x0D\x4D\x69\x63\x72\x6F\x73\x65\x63\x20\x4B\x66\x74\x2E\x31\x11\x30\x0F\x06\x03\x55\x04\x07\x13\x08\x42\x75\x64\x61\x70\x65\x73\x74\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x48\x55\x30\x81\xAC\x06\x03\x55\x1D\x23\x04\x81\xA4\x30\x81\xA1\x80\x14\xC7\xA0\x49\x75\x16\x61\x84\xDB\x31\x4B\x84\xD2\xF1\x37\x40\x90\xEF\x4E\xDC\xF7\xA1\x76\xA4\x74\x30\x72\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x48\x55\x31\x11\x30\x0F\x06\x03\x55\x04\x07\x13\x08\x42\x75\x64\x61\x70\x65\x73\x74\x31\x16\x30\x14\x06\x03\x55\x04\x0A\x13\x0D\x4D\x69\x63\x72\x6F\x73\x65\x63\x20\x4C\x74\x64\x2E\x31\x14\x30\x12\x06\x03\x55\x04\x0B\x13\x0B\x65\x2D\x53\x7A\x69\x67\x6E\x6F\x20\x43\x41\x31\x22\x30\x20\x06\x03\x55\x04\x03\x13\x19\x4D\x69\x63\x72\x6F\x73\x65\x63\x20\x65\x2D\x53\x7A\x69\x67\x6E\x6F\x20\x52\x6F\x6F\x74\x20\x43\x41\x82\x11\x00\xCC\xB8\xE7\xBF\x4E\x29\x1A\xFD\xA2\xDC\x66\xA5\x1C\x2C\x0F\x11\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xC7\xA0\x49\x75\x16\x61\x84\xDB\x31\x4B\x84\xD2\xF1\x37\x40\x90\xEF\x4E\xDC\xF7\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\xD3\x13\x9C\x66\x63\x59\x2E\xCA\x5C\x70\x0C\xFC\x83\xBC\x55\xB1\xF4\x8E\x07\x6C\x66\x27\xCE\xC1\x3B\x20\xA9\x1C\xBB\x46\x54\x70\xEE\x5A\xCC\xA0\x77\xEA\x68\x44\x27\xEB\xF2\x29\xDD\x77\xA9\xD5\xFB\xE3\xD4\xA7\x04\xC4\x95\xB8\x0B\xE1\x44\x68\x60\x07\x43\x30\x31\x42\x61\xE5\xEE\xD9\xE5\x24\xD5\x1B\xDF\xE1\x4A\x1B\xAA\x9F\xC7\x5F\xF8\x7A\x11\xEA\x13\x93\x00\xCA\x8A\x58\xB1\xEE\xED\x0E\x4D\xB4\xD7\xA8\x36\x26\x7C\
xE0\x3A\xC1\xD5\x57\x82\xF1\x75\xB6\xFD\x89\x5F\xDA\xF3\xA8\x38\x9F\x35\x06\x08\xCE\x22\x95\xBE\xCD\xD5\xFC\xBE\x5B\xDE\x79\x6B\xDC\x7A\xA9\x65\x66\xBE\xB1\x25\x5A\x5F\xED\x7E\xD3\xAC\x46\x6D\x4C\xF4\x32\x87\xB4\x20\x04\xE0\x6C\x78\xB0\x77\xD1\x85\x46\x4B\xA6\x12\xB7\x75\xE8\x4A\xC9\x56\x6C\xD7\x92\xAB\x9D\xF5\x49\x38\xD2\x4F\x53\xE3\x55\x90\x11\xDB\x98\x96\xC6\x49\xF2\x3E\xF4\x9F\x1B\xE0\xF7\x88\xDC\x25\x62\x99\x44\xD8\x73\xBF\x3F\x30\xF3\x0C\x37\x3E\xD4\xC2\x28\x80\x73\xB1\x01\xB7\x9D\x5A\x96\x14\x01\x4B\xA9\x11\x9D\x29\x6A\x2E\xD0\x5D\x81\xC0\xCF\xB2\x20\x43\xC7\x03\xE0\x37\x4E\x5D\x0A\xDC\x59\x20\x25", ["CN=Certigna,O=Dhimyotis,C=FR"] = "\x30\x82\x03\xA8\x30\x82\x02\x90\xA0\x03\x02\x01\x02\x02\x09\x00\xFE\xDC\xE3\x01\x0F\xC9\x48\xFF\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x34\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x46\x52\x31\x12\x30\x10\x06\x03\x55\x04\x0A\x0C\x09\x44\x68\x69\x6D\x79\x6F\x74\x69\x73\x31\x11\x30\x0F\x06\x03\x55\x04\x03\x0C\x08\x43\x65\x72\x74\x69\x67\x6E\x61\x30\x1E\x17\x0D\x30\x37\x30\x36\x32\x39\x31\x35\x31\x33\x30\x35\x5A\x17\x0D\x32\x37\x30\x36\x32\x39\x31\x35\x31\x33\x30\x35\x5A\x30\x34\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x46\x52\x31\x12\x30\x10\x06\x03\x55\x04\x0A\x0C\x09\x44\x68\x69\x6D\x79\x6F\x74\x69\x73\x31\x11\x30\x0F\x06\x03\x55\x04\x03\x0C\x08\x43\x65\x72\x74\x69\x67\x6E\x61\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xC8\x68\xF1\xC9\xD6\xD6\xB3\x34\x75\x26\x82\x1E\xEC\xB4\xBE\xEA\x5C\xE1\x26\xED\x11\x47\x61\xE1\xA2\x7C\x16\x78\x40\x21\xE4\x60\x9E\x5A\xC8\x63\xE1\xC4\xB1\x96\x92\xFF\x18\x6D\x69\x23\xE1\x2B\x62\xF7\xDD\xE2\x36\x2F\x91\x07\xB9\x48\xCF\x0E\xEC\x79\xB6\x2C\xE7\x34\x4B\x70\x08\x25\xA3\x3C\x87\x1B\x19\xF2\x81\x07\x0F\x38\x90\x19\xD3\x11\xFE\x86\xB4\xF2\xD1\x5E\x1E\x1E\x96\xCD\x80\x6C\xCE\x3B\x31\x93\xB6\xF2\xA0\xD0\xA9\x95\x12\x7D\xA5\x9A\xCC\x6B\xC8\x84\x56\x8A\x33\xA9\xE7\x22\x15\x53\x16\xF0\xCC\x
17\xEC\x57\x5F\xE9\xA2\x0A\x98\x09\xDE\xE3\x5F\x9C\x6F\xDC\x48\xE3\x85\x0B\x15\x5A\xA6\xBA\x9F\xAC\x48\xE3\x09\xB2\xF7\xF4\x32\xDE\x5E\x34\xBE\x1C\x78\x5D\x42\x5B\xCE\x0E\x22\x8F\x4D\x90\xD7\x7D\x32\x18\xB3\x0B\x2C\x6A\xBF\x8E\x3F\x14\x11\x89\x20\x0E\x77\x14\xB5\x3D\x94\x08\x87\xF7\x25\x1E\xD5\xB2\x60\x00\xEC\x6F\x2A\x28\x25\x6E\x2A\x3E\x18\x63\x17\x25\x3F\x3E\x44\x20\x16\xF6\x26\xC8\x25\xAE\x05\x4A\xB4\xE7\x63\x2C\xF3\x8C\x16\x53\x7E\x5C\xFB\x11\x1A\x08\xC1\x46\x62\x9F\x22\xB8\xF1\xC2\x8D\x69\xDC\xFA\x3A\x58\x06\xDF\x02\x03\x01\x00\x01\xA3\x81\xBC\x30\x81\xB9\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x1A\xED\xFE\x41\x39\x90\xB4\x24\x59\xBE\x01\xF2\x52\xD5\x45\xF6\x5A\x39\xDC\x11\x30\x64\x06\x03\x55\x1D\x23\x04\x5D\x30\x5B\x80\x14\x1A\xED\xFE\x41\x39\x90\xB4\x24\x59\xBE\x01\xF2\x52\xD5\x45\xF6\x5A\x39\xDC\x11\xA1\x38\xA4\x36\x30\x34\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x46\x52\x31\x12\x30\x10\x06\x03\x55\x04\x0A\x0C\x09\x44\x68\x69\x6D\x79\x6F\x74\x69\x73\x31\x11\x30\x0F\x06\x03\x55\x04\x03\x0C\x08\x43\x65\x72\x74\x69\x67\x6E\x61\x82\x09\x00\xFE\xDC\xE3\x01\x0F\xC9\x48\xFF\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x11\x06\x09\x60\x86\x48\x01\x86\xF8\x42\x01\x01\x04\x04\x03\x02\x00\x07\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x85\x03\x1E\x92\x71\xF6\x42\xAF\xE1\xA3\x61\x9E\xEB\xF3\xC0\x0F\xF2\xA5\xD4\xDA\x95\xE6\xD6\xBE\x68\x36\x3D\x7E\x6E\x1F\x4C\x8A\xEF\xD1\x0F\x21\x6D\x5E\xA5\x52\x63\xCE\x12\xF8\xEF\x2A\xDA\x6F\xEB\x37\xFE\x13\x02\xC7\xCB\x3B\x3E\x22\x6B\xDA\x61\x2E\x7F\xD4\x72\x3D\xDD\x30\xE1\x1E\x4C\x40\x19\x8C\x0F\xD7\x9C\xD1\x83\x30\x7B\x98\x59\xDC\x7D\xC6\xB9\x0C\x29\x4C\xA1\x33\xA2\xEB\x67\x3A\x65\x84\xD3\x96\xE2\xED\x76\x45\x70\x8F\xB5\x2B\xDE\xF9\x23\xD6\x49\x6E\x3C\x14\xB5\xC6\x9F\x35\x1E\x50\xD0\xC1\x8F\x6A\x70\x44\x02\x62\xCB\xAE\x1D\x68\x41\xA7\xAA\x57\xE8\x53\xAA\x07\xD2\x06\xF6\xD5\x14\x06\x0B\x91\x03\x75\x2C\x
6C\x72\xB5\x61\x95\x9A\x0D\x8B\xB9\x0D\xE7\xF5\xDF\x54\xCD\xDE\xE6\xD8\xD6\x09\x08\x97\x63\xE5\xC1\x2E\xB0\xB7\x44\x26\xC0\x26\xC0\xAF\x55\x30\x9E\x3B\xD5\x36\x2A\x19\x04\xF4\x5C\x1E\xFF\xCF\x2C\xB7\xFF\xD0\xFD\x87\x40\x11\xD5\x11\x23\xBB\x48\xC0\x21\xA9\xA4\x28\x2D\xFD\x15\xF8\xB0\x4E\x2B\xF4\x30\x5B\x21\xFC\x11\x91\x34\xBE\x41\xEF\x7B\x9D\x97\x75\xFF\x97\x95\xC0\x96\x58\x2F\xEA\xBB\x46\xD7\xBB\xE4\xD9\x2E", ["CN=Deutsche Telekom Root CA 2,OU=T-TeleSec Trust Center,O=Deutsche Telekom AG,C=DE"] = "\x30\x82\x03\x9F\x30\x82\x02\x87\xA0\x03\x02\x01\x02\x02\x01\x26\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x71\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x44\x45\x31\x1C\x30\x1A\x06\x03\x55\x04\x0A\x13\x13\x44\x65\x75\x74\x73\x63\x68\x65\x20\x54\x65\x6C\x65\x6B\x6F\x6D\x20\x41\x47\x31\x1F\x30\x1D\x06\x03\x55\x04\x0B\x13\x16\x54\x2D\x54\x65\x6C\x65\x53\x65\x63\x20\x54\x72\x75\x73\x74\x20\x43\x65\x6E\x74\x65\x72\x31\x23\x30\x21\x06\x03\x55\x04\x03\x13\x1A\x44\x65\x75\x74\x73\x63\x68\x65\x20\x54\x65\x6C\x65\x6B\x6F\x6D\x20\x52\x6F\x6F\x74\x20\x43\x41\x20\x32\x30\x1E\x17\x0D\x39\x39\x30\x37\x30\x39\x31\x32\x31\x31\x30\x30\x5A\x17\x0D\x31\x39\x30\x37\x30\x39\x32\x33\x35\x39\x30\x30\x5A\x30\x71\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x44\x45\x31\x1C\x30\x1A\x06\x03\x55\x04\x0A\x13\x13\x44\x65\x75\x74\x73\x63\x68\x65\x20\x54\x65\x6C\x65\x6B\x6F\x6D\x20\x41\x47\x31\x1F\x30\x1D\x06\x03\x55\x04\x0B\x13\x16\x54\x2D\x54\x65\x6C\x65\x53\x65\x63\x20\x54\x72\x75\x73\x74\x20\x43\x65\x6E\x74\x65\x72\x31\x23\x30\x21\x06\x03\x55\x04\x03\x13\x1A\x44\x65\x75\x74\x73\x63\x68\x65\x20\x54\x65\x6C\x65\x6B\x6F\x6D\x20\x52\x6F\x6F\x74\x20\x43\x41\x20\x32\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xAB\x0B\xA3\x35\xE0\x8B\x29\x14\xB1\x14\x85\xAF\x3C\x10\xE4\x39\x6F\x35\x5D\x4A\xAE\xDD\xEA\x61\x8D\x95\x49\xF4\x6F\x64\xA3\x1A\x60\x66\xA4\xA9\x40\x22\x84\xD9\xD4\xA5\xE5\x78\x93\x0E\x68\x01\
xAD\xB9\x4D\x5C\x3A\xCE\xD3\xB8\xA8\x42\x40\xDF\xCF\xA3\xBA\x82\x59\x6A\x92\x1B\xAC\x1C\x9A\xDA\x08\x2B\x25\x27\xF9\x69\x23\x47\xF1\xE0\xEB\x2C\x7A\x9B\xF5\x13\x02\xD0\x7E\x34\x7C\xC2\x9E\x3C\x00\x59\xAB\xF5\xDA\x0C\xF5\x32\x3C\x2B\xAC\x50\xDA\xD6\xC3\xDE\x83\x94\xCA\xA8\x0C\x99\x32\x0E\x08\x48\x56\x5B\x6A\xFB\xDA\xE1\x58\x58\x01\x49\x5F\x72\x41\x3C\x15\x06\x01\x8E\x5D\xAD\xAA\xB8\x93\xB4\xCD\x9E\xEB\xA7\xE8\x6A\x2D\x52\x34\xDB\x3A\xEF\x5C\x75\x51\xDA\xDB\xF3\x31\xF9\xEE\x71\x98\x32\xC4\x54\x15\x44\x0C\xF9\x9B\x55\xED\xAD\xDF\x18\x08\xA0\xA3\x86\x8A\x49\xEE\x53\x05\x8F\x19\x4C\xD5\xDE\x58\x79\x9B\xD2\x6A\x1C\x42\xAB\xC5\xD5\xA7\xCF\x68\x0F\x96\xE4\xE1\x61\x98\x76\x61\xC8\x91\x7C\xD6\x3E\x00\xE2\x91\x50\x87\xE1\x9D\x0A\xE6\xAD\x97\xD2\x1D\xC6\x3A\x7D\xCB\xBC\xDA\x03\x34\xD5\x8E\x5B\x01\xF5\x6A\x07\xB7\x16\xB6\x6E\x4A\x7F\x02\x03\x01\x00\x01\xA3\x42\x30\x40\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x31\xC3\x79\x1B\xBA\xF5\x53\xD7\x17\xE0\x89\x7A\x2D\x17\x6C\x0A\xB3\x2B\x9D\x33\x30\x0F\x06\x03\x55\x1D\x13\x04\x08\x30\x06\x01\x01\xFF\x02\x01\x05\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x94\x64\x59\xAD\x39\x64\xE7\x29\xEB\x13\xFE\x5A\xC3\x8B\x13\x57\xC8\x04\x24\xF0\x74\x77\xC0\x60\xE3\x67\xFB\xE9\x89\xA6\x83\xBF\x96\x82\x7C\x6E\xD4\xC3\x3D\xEF\x9E\x80\x6E\xBB\x29\xB4\x98\x7A\xB1\x3B\x54\xEB\x39\x17\x47\x7E\x1A\x8E\x0B\xFC\x1F\x31\x59\x31\x04\xB2\xCE\x17\xF3\x2C\xC7\x62\x36\x55\xE2\x22\xD8\x89\x55\xB4\x98\x48\xAA\x64\xFA\xD6\x1C\x36\xD8\x44\x78\x5A\x5A\x23\x3A\x57\x97\xF5\x7A\x30\x4F\xAE\x9F\x6A\x4C\x4B\x2B\x8E\xA0\x03\xE3\x3E\xE0\xA9\xD4\xD2\x7B\xD2\xB3\xA8\xE2\x72\x3C\xAD\x9E\xFF\x80\x59\xE4\x9B\x45\xB4\xF6\x3B\xB0\xCD\x39\x19\x98\x32\xE5\xEA\x21\x61\x90\xE4\x31\x21\x8E\x34\xB1\xF7\x2F\x35\x4A\x85\x10\xDA\xE7\x8A\x37\x21\xBE\x59\x63\xE0\xF2\x85\x88\x31\x53\xD4\x54\x14\x85\x70\x79\xF4\x2E\x06\x77\x27\x75\x2F\x1F\xB8\x8A\xF9\xFE\xC5\xBA\xD8\x36\xE4\x83\xEC\xE7\x65\xB7\
xBF\x63\x5A\xF3\x46\xAF\x81\x94\x37\xD4\x41\x8C\xD6\x23\xD6\x1E\xCF\xF5\x68\x1B\x44\x63\xA2\x5A\xBA\xA7\x35\x59\xA1\xE5\x70\x05\x9B\x0E\x23\x57\x99\x94\x0A\x6D\xBA\x39\x63\x28\x86\x92\xF3\x18\x84\xD8\xFB\xD1\xCF\x05\x56\x64\x57", ["CN=Cybertrust Global Root,O=Cybertrust\, Inc"] = "\x30\x82\x03\xA1\x30\x82\x02\x89\xA0\x03\x02\x01\x02\x02\x0B\x04\x00\x00\x00\x00\x01\x0F\x85\xAA\x2D\x48\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x3B\x31\x18\x30\x16\x06\x03\x55\x04\x0A\x13\x0F\x43\x79\x62\x65\x72\x74\x72\x75\x73\x74\x2C\x20\x49\x6E\x63\x31\x1F\x30\x1D\x06\x03\x55\x04\x03\x13\x16\x43\x79\x62\x65\x72\x74\x72\x75\x73\x74\x20\x47\x6C\x6F\x62\x61\x6C\x20\x52\x6F\x6F\x74\x30\x1E\x17\x0D\x30\x36\x31\x32\x31\x35\x30\x38\x30\x30\x30\x30\x5A\x17\x0D\x32\x31\x31\x32\x31\x35\x30\x38\x30\x30\x30\x30\x5A\x30\x3B\x31\x18\x30\x16\x06\x03\x55\x04\x0A\x13\x0F\x43\x79\x62\x65\x72\x74\x72\x75\x73\x74\x2C\x20\x49\x6E\x63\x31\x1F\x30\x1D\x06\x03\x55\x04\x03\x13\x16\x43\x79\x62\x65\x72\x74\x72\x75\x73\x74\x20\x47\x6C\x6F\x62\x61\x6C\x20\x52\x6F\x6F\x74\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xF8\xC8\xBC\xBD\x14\x50\x66\x13\xFF\xF0\xD3\x79\xEC\x23\xF2\xB7\x1A\xC7\x8E\x85\xF1\x12\x73\xA6\x19\xAA\x10\xDB\x9C\xA2\x65\x74\x5A\x77\x3E\x51\x7D\x56\xF6\xDC\x23\xB6\xD4\xED\x5F\x58\xB1\x37\x4D\xD5\x49\x0E\x6E\xF5\x6A\x87\xD6\xD2\x8C\xD2\x27\xC6\xE2\xFF\x36\x9F\x98\x65\xA0\x13\x4E\xC6\x2A\x64\x9B\xD5\x90\x12\xCF\x14\x06\xF4\x3B\xE3\xD4\x28\xBE\xE8\x0E\xF8\xAB\x4E\x48\x94\x6D\x8E\x95\x31\x10\x5C\xED\xA2\x2D\xBD\xD5\x3A\x6D\xB2\x1C\xBB\x60\xC0\x46\x4B\x01\xF5\x49\xAE\x7E\x46\x8A\xD0\x74\x8D\xA1\x0C\x02\xCE\xEE\xFC\xE7\x8F\xB8\x6B\x66\xF3\x7F\x44\x00\xBF\x66\x25\x14\x2B\xDD\x10\x30\x1D\x07\x96\x3F\x4D\xF6\x6B\xB8\x8F\xB7\x7B\x0C\xA5\x38\xEB\xDE\x47\xDB\xD5\x5D\x39\xFC\x88\xA7\xF3\xD7\x2A\x74\xF1\xE8\x5A\xA2\x3B\x9F\x50\xBA\xA6\x8C\x45\x35\xC2\x50\x65\x95\xDC\x63\x82\xEF\xDD\xBF\x77\x4D\x9C\x62\x
C9\x63\x73\x16\xD0\x29\x0F\x49\xA9\x48\xF0\xB3\xAA\xB7\x6C\xC5\xA7\x30\x39\x40\x5D\xAE\xC4\xE2\x5D\x26\x53\xF0\xCE\x1C\x23\x08\x61\xA8\x94\x19\xBA\x04\x62\x40\xEC\x1F\x38\x70\x77\x12\x06\x71\xA7\x30\x18\x5D\x25\x27\xA5\x02\x03\x01\x00\x01\xA3\x81\xA5\x30\x81\xA2\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xB6\x08\x7B\x0D\x7A\xCC\xAC\x20\x4C\x86\x56\x32\x5E\xCF\xAB\x6E\x85\x2D\x70\x57\x30\x3F\x06\x03\x55\x1D\x1F\x04\x38\x30\x36\x30\x34\xA0\x32\xA0\x30\x86\x2E\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x32\x2E\x70\x75\x62\x6C\x69\x63\x2D\x74\x72\x75\x73\x74\x2E\x63\x6F\x6D\x2F\x63\x72\x6C\x2F\x63\x74\x2F\x63\x74\x72\x6F\x6F\x74\x2E\x63\x72\x6C\x30\x1F\x06\x03\x55\x1D\x23\x04\x18\x30\x16\x80\x14\xB6\x08\x7B\x0D\x7A\xCC\xAC\x20\x4C\x86\x56\x32\x5E\xCF\xAB\x6E\x85\x2D\x70\x57\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x56\xEF\x0A\x23\xA0\x54\x4E\x95\x97\xC9\xF8\x89\xDA\x45\xC1\xD4\xA3\x00\x25\xF4\x1F\x13\xAB\xB7\xA3\x85\x58\x69\xC2\x30\xAD\xD8\x15\x8A\x2D\xE3\xC9\xCD\x81\x5A\xF8\x73\x23\x5A\xA7\x7C\x05\xF3\xFD\x22\x3B\x0E\xD1\x06\xC4\xDB\x36\x4C\x73\x04\x8E\xE5\xB0\x22\xE4\xC5\xF3\x2E\xA5\xD9\x23\xE3\xB8\x4E\x4A\x20\xA7\x6E\x02\x24\x9F\x22\x60\x67\x7B\x8B\x1D\x72\x09\xC5\x31\x5C\xE9\x79\x9F\x80\x47\x3D\xAD\xA1\x0B\x07\x14\x3D\x47\xFF\x03\x69\x1A\x0C\x0B\x44\xE7\x63\x25\xA7\x7F\xB2\xC9\xB8\x76\x84\xED\x23\xF6\x7D\x07\xAB\x45\x7E\xD3\xDF\xB3\xBF\xE9\x8A\xB6\xCD\xA8\xA2\x67\x2B\x52\xD5\xB7\x65\xF0\x39\x4C\x63\xA0\x91\x79\x93\x52\x0F\x54\xDD\x83\xBB\x9F\xD1\x8F\xA7\x53\x73\xC3\xCB\xFF\x30\xEC\x7C\x04\xB8\xD8\x44\x1F\x93\x5F\x71\x09\x22\xB7\x6E\x3E\xEA\x1C\x03\x4E\x9D\x1A\x20\x61\xFB\x81\x37\xEC\x5E\xFC\x0A\x45\xAB\xD7\xE7\x17\x55\xD0\xA0\xEA\x60\x9B\xA6\xF6\xE3\x8C\x5B\x29\xC2\x06\x60\x14\x9D\x2D\x97\x4C\xA9\x93\x15\x9D\x61\xC4\x01\x5F\x48\xD6\x58\xBD\x56\x31\x12\x4E\x11\xC8\x21\xE0\xB3\x11\x91\x65\xDB\xB4\xA6\x
88\x38\xCE\x55", ["OU=ePKI Root Certification Authority,O=Chunghwa Telecom Co.\, Ltd.,C=TW"] = "\x30\x82\x05\xB0\x30\x82\x03\x98\xA0\x03\x02\x01\x02\x02\x10\x15\xC8\xBD\x65\x47\x5C\xAF\xB8\x97\x00\x5E\xE4\x06\xD2\xBC\x9D\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x5E\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x54\x57\x31\x23\x30\x21\x06\x03\x55\x04\x0A\x0C\x1A\x43\x68\x75\x6E\x67\x68\x77\x61\x20\x54\x65\x6C\x65\x63\x6F\x6D\x20\x43\x6F\x2E\x2C\x20\x4C\x74\x64\x2E\x31\x2A\x30\x28\x06\x03\x55\x04\x0B\x0C\x21\x65\x50\x4B\x49\x20\x52\x6F\x6F\x74\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x1E\x17\x0D\x30\x34\x31\x32\x32\x30\x30\x32\x33\x31\x32\x37\x5A\x17\x0D\x33\x34\x31\x32\x32\x30\x30\x32\x33\x31\x32\x37\x5A\x30\x5E\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x54\x57\x31\x23\x30\x21\x06\x03\x55\x04\x0A\x0C\x1A\x43\x68\x75\x6E\x67\x68\x77\x61\x20\x54\x65\x6C\x65\x63\x6F\x6D\x20\x43\x6F\x2E\x2C\x20\x4C\x74\x64\x2E\x31\x2A\x30\x28\x06\x03\x55\x04\x0B\x0C\x21\x65\x50\x4B\x49\x20\x52\x6F\x6F\x74\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\xE1\x25\x0F\xEE\x8D\xDB\x88\x33\x75\x67\xCD\xAD\x1F\x7D\x3A\x4E\x6D\x9D\xD3\x2F\x14\xF3\x63\x74\xCB\x01\x21\x6A\x37\xEA\x84\x50\x07\x4B\x26\x5B\x09\x43\x6C\x21\x9E\x6A\xC8\xD5\x03\xF5\x60\x69\x8F\xCC\xF0\x22\xE4\x1F\xE7\xF7\x6A\x22\x31\xB7\x2C\x15\xF2\xE0\xFE\x00\x6A\x43\xFF\x87\x65\xC6\xB5\x1A\xC1\xA7\x4C\x6D\x22\x70\x21\x8A\x31\xF2\x97\x74\x89\x09\x12\x26\x1C\x9E\xCA\xD9\x12\xA2\x95\x3C\xDA\xE9\x67\xBF\x08\xA0\x64\xE3\xD6\x42\xB7\x45\xEF\x97\xF4\xF6\xF5\xD7\xB5\x4A\x15\x02\x58\x7D\x98\x58\x4B\x60\xBC\xCD\xD7\x0D\x9A\x13\x33\x53\xD1\x61\xF9\x7A\xD5\xD7\x78\xB3\x9A\x33\xF7\x00\x86\xCE\x1D\x4D\x94\x38\xAF\xA8\xEC\x78\x51\x70\x8A\x5C\x10\x83\x51\x21\xF7\x11\x3D\x34\x86\x5E\xE5\x48\xCD
\x97\x81\x82\x35\x4C\x19\xEC\x65\xF6\x6B\xC5\x05\xA1\xEE\x47\x13\xD6\xB3\x21\x27\x94\x10\x0A\xD9\x24\x3B\xBA\xBE\x44\x13\x46\x30\x3F\x97\x3C\xD8\xD7\xD7\x6A\xEE\x3B\x38\xE3\x2B\xD4\x97\x0E\xB9\x1B\xE7\x07\x49\x7F\x37\x2A\xF9\x77\x78\xCF\x54\xED\x5B\x46\x9D\xA3\x80\x0E\x91\x43\xC1\xD6\x5B\x5F\x14\xBA\x9F\xA6\x8D\x24\x47\x40\x59\xBF\x72\x38\xB2\x36\x6C\x37\xFF\x99\xD1\x5D\x0E\x59\x0A\xAB\x69\xF7\xC0\xB2\x04\x45\x7A\x54\x00\xAE\xBE\x53\xF6\xB5\xE7\xE1\xF8\x3C\xA3\x31\xD2\xA9\xFE\x21\x52\x64\xC5\xA6\x67\xF0\x75\x07\x06\x94\x14\x81\x55\xC6\x27\xE4\x01\x8F\x17\xC1\x6A\x71\xD7\xBE\x4B\xFB\x94\x58\x7D\x7E\x11\x33\xB1\x42\xF7\x62\x6C\x18\xD6\xCF\x09\x68\x3E\x7F\x6C\xF6\x1E\x8F\x62\xAD\xA5\x63\xDB\x09\xA7\x1F\x22\x42\x41\x1E\x6F\x99\x8A\x3E\xD7\xF9\x3F\x40\x7A\x79\xB0\xA5\x01\x92\xD2\x9D\x3D\x08\x15\xA5\x10\x01\x2D\xB3\x32\x76\xA8\x95\x0D\xB3\x7A\x9A\xFB\x07\x10\x78\x11\x6F\xE1\x8F\xC7\xBA\x0F\x25\x1A\x74\x2A\xE5\x1C\x98\x41\x99\xDF\x21\x87\xE8\x95\x06\x6A\x0A\xB3\x6A\x47\x76\x65\xF6\x3A\xCF\x8F\x62\x17\x19\x7B\x0A\x28\xCD\x1A\xD2\x83\x1E\x21\xC7\x2C\xBF\xBE\xFF\x61\x68\xB7\x67\x1B\xBB\x78\x4D\x8D\xCE\x67\xE5\xE4\xC1\x8E\xB7\x23\x66\xE2\x9D\x90\x75\x34\x98\xA9\x36\x2B\x8A\x9A\x94\xB9\x9D\xEC\xCC\x8A\xB1\xF8\x25\x89\x5C\x5A\xB6\x2F\x8C\x1F\x6D\x79\x24\xA7\x52\x68\xC3\x84\x35\xE2\x66\x8D\x63\x0E\x25\x4D\xD5\x19\xB2\xE6\x79\x37\xA7\x22\x9D\x54\x31\x02\x03\x01\x00\x01\xA3\x6A\x30\x68\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x1E\x0C\xF7\xB6\x67\xF2\xE1\x92\x26\x09\x45\xC0\x55\x39\x2E\x77\x3F\x42\x4A\xA2\x30\x0C\x06\x03\x55\x1D\x13\x04\x05\x30\x03\x01\x01\xFF\x30\x39\x06\x04\x67\x2A\x07\x00\x04\x31\x30\x2F\x30\x2D\x02\x01\x00\x30\x09\x06\x05\x2B\x0E\x03\x02\x1A\x05\x00\x30\x07\x06\x05\x67\x2A\x03\x00\x00\x04\x14\x45\xB0\xC2\xC7\x0A\x56\x7C\xEE\x5B\x78\x0C\x95\xF9\x18\x53\xC1\xA6\x1C\xD8\x10\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x02\x01\x00\x09\xB3\x83\x53\x59\x01\x3E\x95\x49\xB9\xF1\x81\xBA\xF9\x76\x20\x23\xB5\x27\x60\x74\xD4\x6A\x99\x34\x5E\x6C\x00
\x53\xD9\x9F\xF2\xA6\xB1\x24\x07\x44\x6A\x2A\xC6\xA5\x8E\x78\x12\xE8\x47\xD9\x58\x1B\x13\x2A\x5E\x79\x9B\x9F\x0A\x2A\x67\xA6\x25\x3F\x06\x69\x56\x73\xC3\x8A\x66\x48\xFB\x29\x81\x57\x74\x06\xCA\x9C\xEA\x28\xE8\x38\x67\x26\x2B\xF1\xD5\xB5\x3F\x65\x93\xF8\x36\x5D\x8E\x8D\x8D\x40\x20\x87\x19\xEA\xEF\x27\xC0\x3D\xB4\x39\x0F\x25\x7B\x68\x50\x74\x55\x9C\x0C\x59\x7D\x5A\x3D\x41\x94\x25\x52\x08\xE0\x47\x2C\x15\x31\x19\xD5\xBF\x07\x55\xC6\xBB\x12\xB5\x97\xF4\x5F\x83\x85\xBA\x71\xC1\xD9\x6C\x81\x11\x76\x0A\x0A\xB0\xBF\x82\x97\xF7\xEA\x3D\xFA\xFA\xEC\x2D\xA9\x28\x94\x3B\x56\xDD\xD2\x51\x2E\xAE\xC0\xBD\x08\x15\x8C\x77\x52\x34\x96\xD6\x9B\xAC\xD3\x1D\x8E\x61\x0F\x35\x7B\x9B\xAE\x39\x69\x0B\x62\x60\x40\x20\x36\x8F\xAF\xFB\x36\xEE\x2D\x08\x4A\x1D\xB8\xBF\x9B\x5C\xF8\xEA\xA5\x1B\xA0\x73\xA6\xD8\xF8\x6E\xE0\x33\x04\x5F\x68\xAA\x27\x87\xED\xD9\xC1\x90\x9C\xED\xBD\xE3\x6A\x35\xAF\x63\xDF\xAB\x18\xD9\xBA\xE6\xE9\x4A\xEA\x50\x8A\x0F\x61\x93\x1E\xE2\x2D\x19\xE2\x30\x94\x35\x92\x5D\x0E\xB6\x07\xAF\x19\x80\x8F\x47\x90\x51\x4B\x2E\x4D\xDD\x85\xE2\xD2\x0A\x52\x0A\x17\x9A\xFC\x1A\xB0\x50\x02\xE5\x01\xA3\x63\x37\x21\x4C\x44\xC4\x9B\x51\x99\x11\x0E\x73\x9C\x06\x8F\x54\x2E\xA7\x28\x5E\x44\x39\x87\x56\x2D\x37\xBD\x85\x44\x94\xE1\x0C\x4B\x2C\x9C\xC3\x92\x85\x34\x61\xCB\x0F\xB8\x9B\x4A\x43\x52\xFE\x34\x3A\x7D\xB8\xE9\x29\xDC\x76\xA9\xC8\x30\xF8\x14\x71\x80\xC6\x1E\x36\x48\x74\x22\x41\x5C\x87\x82\xE8\x18\x71\x8B\x41\x89\x44\xE7\x7E\x58\x5B\xA8\xB8\x8D\x13\xE9\xA7\x6C\xC3\x47\xED\xB3\x1A\x9D\x62\xAE\x8D\x82\xEA\x94\x9E\xDD\x59\x10\xC3\xAD\xDD\xE2\x4D\xE3\x31\xD5\xC7\xEC\xE8\xF2\xB0\xFE\x92\x1E\x16\x0A\x1A\xFC\xD9\xF3\xF8\x27\xB6\xC9\xBE\x1D\xB4\x6C\x64\x90\x7F\xF4\xE4\xC4\x5B\xD7\x37\xAE\x42\x0E\xDD\xA4\x1A\x6F\x7C\x88\x54\xC5\x16\x6E\xE1\x7A\x68\x2E\xF8\x3A\xBF\x0D\xA4\x3C\x89\x3B\x78\xA7\x4E\x63\x83\x04\x21\x08\x67\x8D\xF2\x82\x49\xD0\x5B\xFD\xB1\xCD\x0F\x83\x84\xD4\x3E\x20\x85\xF7\x4A\x3D\x2B\x9C\xFD\x2A\x0A\x09\x4D\xEA\x81\xF8\x11\x9C", - ["CN=T\C3\9CB\C4\B0TAK UEKAE K\C3\B6k Sertifika Hizmet 
Sa\C4\9Flay\C4\B1c\C4\B1s\C4\B1 - S\C3\BCr\C3\BCm 3,OU=Kamu Sertifikasyon Merkezi,OU=Ulusal Elektronik ve Kriptoloji Ara\C5\9Ft\C4\B1rma Enstit\C3\BCs\C3\BC - UEKAE,O=T\C3\BCrkiye Bilimsel ve Teknolojik Ara\C5\9Ft\C4\B1rma Kurumu - T\C3\9CB\C4\B0TAK,L=Gebze - Kocaeli,C=TR"] = "\x30\x82\x05\x17\x30\x82\x03\xFF\xA0\x03\x02\x01\x02\x02\x01\x11\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x82\x01\x2B\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x54\x52\x31\x18\x30\x16\x06\x03\x55\x04\x07\x0C\x0F\x47\x65\x62\x7A\x65\x20\x2D\x20\x4B\x6F\x63\x61\x65\x6C\x69\x31\x47\x30\x45\x06\x03\x55\x04\x0A\x0C\x3E\x54\xC3\xBC\x72\x6B\x69\x79\x65\x20\x42\x69\x6C\x69\x6D\x73\x65\x6C\x20\x76\x65\x20\x54\x65\x6B\x6E\x6F\x6C\x6F\x6A\x69\x6B\x20\x41\x72\x61\xC5\x9F\x74\xC4\xB1\x72\x6D\x61\x20\x4B\x75\x72\x75\x6D\x75\x20\x2D\x20\x54\xC3\x9C\x42\xC4\xB0\x54\x41\x4B\x31\x48\x30\x46\x06\x03\x55\x04\x0B\x0C\x3F\x55\x6C\x75\x73\x61\x6C\x20\x45\x6C\x65\x6B\x74\x72\x6F\x6E\x69\x6B\x20\x76\x65\x20\x4B\x72\x69\x70\x74\x6F\x6C\x6F\x6A\x69\x20\x41\x72\x61\xC5\x9F\x74\xC4\xB1\x72\x6D\x61\x20\x45\x6E\x73\x74\x69\x74\xC3\xBC\x73\xC3\xBC\x20\x2D\x20\x55\x45\x4B\x41\x45\x31\x23\x30\x21\x06\x03\x55\x04\x0B\x0C\x1A\x4B\x61\x6D\x75\x20\x53\x65\x72\x74\x69\x66\x69\x6B\x61\x73\x79\x6F\x6E\x20\x4D\x65\x72\x6B\x65\x7A\x69\x31\x4A\x30\x48\x06\x03\x55\x04\x03\x0C\x41\x54\xC3\x9C\x42\xC4\xB0\x54\x41\x4B\x20\x55\x45\x4B\x41\x45\x20\x4B\xC3\xB6\x6B\x20\x53\x65\x72\x74\x69\x66\x69\x6B\x61\x20\x48\x69\x7A\x6D\x65\x74\x20\x53\x61\xC4\x9F\x6C\x61\x79\xC4\xB1\x63\xC4\xB1\x73\xC4\xB1\x20\x2D\x20\x53\xC3\xBC\x72\xC3\xBC\x6D\x20\x33\x30\x1E\x17\x0D\x30\x37\x30\x38\x32\x34\x31\x31\x33\x37\x30\x37\x5A\x17\x0D\x31\x37\x30\x38\x32\x31\x31\x31\x33\x37\x30\x37\x5A\x30\x82\x01\x2B\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x54\x52\x31\x18\x30\x16\x06\x03\x55\x04\x07\x0C\x0F\x47\x65\x62\x7A\x65\x20\x2D\x20\x4B\x6F\x63\x61\x65\x6C\x69\x31\x47\x30\x45\x06\x03\x55\x04\x0A\x0C\x3E\x54\xC3\xBC\x72\x6B\x69\x79\x65\x20\x42\x
69\x6C\x69\x6D\x73\x65\x6C\x20\x76\x65\x20\x54\x65\x6B\x6E\x6F\x6C\x6F\x6A\x69\x6B\x20\x41\x72\x61\xC5\x9F\x74\xC4\xB1\x72\x6D\x61\x20\x4B\x75\x72\x75\x6D\x75\x20\x2D\x20\x54\xC3\x9C\x42\xC4\xB0\x54\x41\x4B\x31\x48\x30\x46\x06\x03\x55\x04\x0B\x0C\x3F\x55\x6C\x75\x73\x61\x6C\x20\x45\x6C\x65\x6B\x74\x72\x6F\x6E\x69\x6B\x20\x76\x65\x20\x4B\x72\x69\x70\x74\x6F\x6C\x6F\x6A\x69\x20\x41\x72\x61\xC5\x9F\x74\xC4\xB1\x72\x6D\x61\x20\x45\x6E\x73\x74\x69\x74\xC3\xBC\x73\xC3\xBC\x20\x2D\x20\x55\x45\x4B\x41\x45\x31\x23\x30\x21\x06\x03\x55\x04\x0B\x0C\x1A\x4B\x61\x6D\x75\x20\x53\x65\x72\x74\x69\x66\x69\x6B\x61\x73\x79\x6F\x6E\x20\x4D\x65\x72\x6B\x65\x7A\x69\x31\x4A\x30\x48\x06\x03\x55\x04\x03\x0C\x41\x54\xC3\x9C\x42\xC4\xB0\x54\x41\x4B\x20\x55\x45\x4B\x41\x45\x20\x4B\xC3\xB6\x6B\x20\x53\x65\x72\x74\x69\x66\x69\x6B\x61\x20\x48\x69\x7A\x6D\x65\x74\x20\x53\x61\xC4\x9F\x6C\x61\x79\xC4\xB1\x63\xC4\xB1\x73\xC4\xB1\x20\x2D\x20\x53\xC3\xBC\x72\xC3\xBC\x6D\x20\x33\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\x8A\x6D\x4B\xFF\x10\x88\x3A\xC3\xF6\x7E\x94\xE8\xEA\x20\x64\x70\xAE\x21\x81\xBE\x3A\x7B\x3C\xDB\xF1\x1D\x52\x7F\x59\xFA\xF3\x22\x4C\x95\xA0\x90\xBC\x48\x4E\x11\xAB\xFB\xB7\xB5\x8D\x7A\x83\x28\x8C\x26\x46\xD8\x4E\x95\x40\x87\x61\x9F\xC5\x9E\x6D\x81\x87\x57\x6C\x8A\x3B\xB4\x66\xEA\xCC\x40\xFC\xE3\xAA\x6C\xB2\xCB\x01\xDB\x32\xBF\xD2\xEB\x85\xCF\xA1\x0D\x55\xC3\x5B\x38\x57\x70\xB8\x75\xC6\x79\xD1\x14\x30\xED\x1B\x58\x5B\x6B\xEF\x35\xF2\xA1\x21\x4E\xC5\xCE\x7C\x99\x5F\x6C\xB9\xB8\x22\x93\x50\xA7\xCD\x4C\x70\x6A\xBE\x6A\x05\x7F\x13\x9C\x2B\x1E\xEA\xFE\x47\xCE\x04\xA5\x6F\xAC\x93\x2E\x7C\x2B\x9F\x9E\x79\x13\x91\xE8\xEA\x9E\xCA\x38\x75\x8E\x62\xB0\x95\x93\x2A\xE5\xDF\xE9\x5E\x97\x6E\x20\x5F\x5F\x84\x7A\x44\x39\x19\x40\x1C\xBA\x55\x2B\xFB\x30\xB2\x81\xEF\x84\xE3\xDC\xEC\x98\x38\x39\x03\x85\x08\xA9\x54\x03\x05\x29\xF0\xC9\x8F\x8B\xEA\x0B\x86\x65\x19\x11\xD3\xE9\x09\x23\xDE\x68\x93\x03\xC9\x36\x1C\x21\x6E\xCE\x
8C\x66\xF1\x99\x30\xD8\xD7\xB3\xC3\x1D\xF8\x81\x2E\xA8\xBD\x82\x0B\x66\xFE\x82\xCB\xE1\xE0\x1A\x82\xC3\x40\x81\x02\x03\x01\x00\x01\xA3\x42\x30\x40\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xBD\x88\x87\xC9\x8F\xF6\xA4\x0A\x0B\xAA\xEB\xC5\xFE\x91\x23\x9D\xAB\x4A\x8A\x32\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x1D\x7C\xFA\x49\x8F\x34\xE9\xB7\x26\x92\x16\x9A\x05\x74\xE7\x4B\xD0\x6D\x39\x6C\xC3\x26\xF6\xCE\xB8\x31\xBC\xC4\xDF\xBC\x2A\xF8\x37\x91\x18\xDC\x04\xC8\x64\x99\x2B\x18\x6D\x80\x03\x59\xC9\xAE\xF8\x58\xD0\x3E\xED\xC3\x23\x9F\x69\x3C\x86\x38\x1C\x9E\xEF\xDA\x27\x78\xD1\x84\x37\x71\x8A\x3C\x4B\x39\xCF\x7E\x45\x06\xD6\x2D\xD8\x8A\x4D\x78\x12\xD6\xAD\xC2\xD3\xCB\xD2\xD0\x41\xF3\x26\x36\x4A\x9B\x95\x6C\x0C\xEE\xE5\xD1\x43\x27\x66\xC1\x88\xF7\x7A\xB3\x20\x6C\xEA\xB0\x69\x2B\xC7\x20\xE8\x0C\x03\xC4\x41\x05\x99\xE2\x3F\xE4\x6B\xF8\xA0\x86\x81\xC7\x84\xC6\x1F\xD5\x4B\x81\x12\xB2\x16\x21\x2C\x13\xA1\x80\xB2\x5E\x0C\x4A\x13\x9E\x20\xD8\x62\x40\xAB\x90\xEA\x64\x4A\x2F\xAC\x0D\x01\x12\x79\x45\xA8\x2F\x87\x19\x68\xC8\xE2\x85\xC7\x30\xB2\x75\xF9\x38\x3F\xB2\xC0\x93\xB4\x6B\xE2\x03\x44\xCE\x67\xA0\xDF\x89\xD6\xAD\x8C\x76\xA3\x13\xC3\x94\x61\x2B\x6B\xD9\x6C\xC1\x07\x0A\x22\x07\x85\x6C\x85\x24\x46\xA9\xBE\x3F\x8B\x78\x84\x82\x7E\x24\x0C\x9D\xFD\x81\x37\xE3\x25\xA8\xED\x36\x4E\x95\x2C\xC9\x9C\x90\xDA\xEC\xA9\x42\x3C\xAD\xB6\x02", - ["CN=Buypass Class 2 CA 1,O=Buypass AS-983163327,C=NO"] = 
"\x30\x82\x03\x53\x30\x82\x02\x3B\xA0\x03\x02\x01\x02\x02\x01\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x4B\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x4E\x4F\x31\x1D\x30\x1B\x06\x03\x55\x04\x0A\x0C\x14\x42\x75\x79\x70\x61\x73\x73\x20\x41\x53\x2D\x39\x38\x33\x31\x36\x33\x33\x32\x37\x31\x1D\x30\x1B\x06\x03\x55\x04\x03\x0C\x14\x42\x75\x79\x70\x61\x73\x73\x20\x43\x6C\x61\x73\x73\x20\x32\x20\x43\x41\x20\x31\x30\x1E\x17\x0D\x30\x36\x31\x30\x31\x33\x31\x30\x32\x35\x30\x39\x5A\x17\x0D\x31\x36\x31\x30\x31\x33\x31\x30\x32\x35\x30\x39\x5A\x30\x4B\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x4E\x4F\x31\x1D\x30\x1B\x06\x03\x55\x04\x0A\x0C\x14\x42\x75\x79\x70\x61\x73\x73\x20\x41\x53\x2D\x39\x38\x33\x31\x36\x33\x33\x32\x37\x31\x1D\x30\x1B\x06\x03\x55\x04\x03\x0C\x14\x42\x75\x79\x70\x61\x73\x73\x20\x43\x6C\x61\x73\x73\x20\x32\x20\x43\x41\x20\x31\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\x8B\x3C\x07\x45\xD8\xF6\xDF\xE6\xC7\xCA\xBA\x8D\x43\xC5\x47\x8D\xB0\x5A\xC1\x38\xDB\x92\x84\x1C\xAF\x13\xD4\x0F\x6F\x36\x46\x20\xC4\x2E\xCC\x71\x70\x34\xA2\x34\xD3\x37\x2E\xD8\xDD\x3A\x77\x2F\xC0\xEB\x29\xE8\x5C\xD2\xB5\xA9\x91\x34\x87\x22\x59\xFE\xCC\xDB\xE7\x99\xAF\x96\xC1\xA8\xC7\x40\xDD\xA5\x15\x8C\x6E\xC8\x7C\x97\x03\xCB\xE6\x20\xF2\xD7\x97\x5F\x31\xA1\x2F\x37\xD2\xBE\xEE\xBE\xA9\xAD\xA8\x4C\x9E\x21\x66\x43\x3B\xA8\xBC\xF3\x09\xA3\x38\xD5\x59\x24\xC1\xC2\x47\x76\xB1\x88\x5C\x82\x3B\xBB\x2B\xA6\x04\xD7\x8C\x07\x8F\xCD\xD5\x41\x1D\xF0\xAE\xB8\x29\x2C\x94\x52\x60\x34\x94\x3B\xDA\xE0\x38\xD1\x9D\x33\x3E\x15\xF4\x93\x32\xC5\x00\xDA\xB5\x29\x66\x0E\x3A\x78\x0F\x21\x52\x5F\x02\xE5\x92\x7B\x25\xD3\x92\x1E\x2F\x15\x9D\x81\xE4\x9D\x8E\xE8\xEF\x89\xCE\x14\x4C\x54\x1D\x1C\x81\x12\x4D\x70\xA8\xBE\x10\x05\x17\x7E\x1F\xD1\xB8\x57\x55\xED\xCD\xBB\x52\xC2\xB0\x1E\x78\xC2\x4D\x36\x68\xCB\x56\x26\xC1\x52\xC1\xBD\x76\xF7\x58\xD5\x72\x7E\x1F\x44\x76\xBB\x00\x89\x1D\x16\x9D\x51\x35\xEF\x4D\xC2\x56\xE
F\x6B\xE0\x8C\x3B\x0D\xE9\x02\x03\x01\x00\x01\xA3\x42\x30\x40\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x3F\x8D\x9A\x59\x8B\xFC\x7B\x7B\x9C\xA3\xAF\x38\xB0\x39\xED\x90\x71\x80\xD6\xC8\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x15\x1A\x7E\x13\x8A\xB9\xE8\x07\xA3\x4B\x27\x32\xB2\x40\x91\xF2\x21\xD1\x64\x85\xBE\x63\x6A\xD2\xCF\x81\xC2\x15\xD5\x7A\x7E\x0C\x29\xAC\x37\x1E\x1C\x7C\x76\x52\x95\xDA\xB5\x7F\x23\xA1\x29\x77\x65\xC9\x32\x9D\xA8\x2E\x56\xAB\x60\x76\xCE\x16\xB4\x8D\x7F\x78\xC0\xD5\x99\x51\x83\x7F\x5E\xD9\xBE\x0C\xA8\x50\xED\x22\xC7\xAD\x05\x4C\x76\xFB\xED\xEE\x1E\x47\x64\xF6\xF7\x27\x7D\x5C\x28\x0F\x45\xC5\x5C\x62\x5E\xA6\x9A\x91\x91\xB7\x53\x17\x2E\xDC\xAD\x60\x9D\x96\x64\x39\xBD\x67\x68\xB2\xAE\x05\xCB\x4D\xE7\x5F\x1F\x57\x86\xD5\x20\x9C\x28\xFB\x6F\x13\x38\xF5\xF6\x11\x92\xF6\x7D\x99\x5E\x1F\x0C\xE8\xAB\x44\x24\x29\x72\x40\x3D\x36\x52\xAF\x8C\x58\x90\x73\xC1\xEC\x61\x2C\x79\xA1\xEC\x87\xB5\x3F\xDA\x4D\xD9\x21\x00\x30\xDE\x90\xDA\x0E\xD3\x1A\x48\xA9\x3E\x85\x0B\x14\x8B\x8C\xBC\x41\x9E\x6A\xF7\x0E\x70\xC0\x35\xF7\x39\xA2\x5D\x66\xD0\x7B\x59\x9F\xA8\x47\x12\x9A\x27\x23\xA4\x2D\x8E\x27\x83\x92\x20\xA1\xD7\x15\x7F\xF1\x2E\x18\xEE\xF4\x48\x7F\x2F\x7F\xF1\xA1\x18\xB5\xA1\x0B\x94\xA0\x62\x20\x32\x9C\x1D\xF6\xD4\xEF\xBF\x4C\x88\x68", - ["C=TR,O=EBG Bili\C5\9Fim Teknolojileri ve Hizmetleri A.\C5\9E.,CN=EBG Elektronik Sertifika Hizmet Sa\C4\9Flay\C4\B1c\C4\B1s\C4\B1"] = 
"\x30\x82\x05\xE7\x30\x82\x03\xCF\xA0\x03\x02\x01\x02\x02\x08\x4C\xAF\x73\x42\x1C\x8E\x74\x02\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x81\x80\x31\x38\x30\x36\x06\x03\x55\x04\x03\x0C\x2F\x45\x42\x47\x20\x45\x6C\x65\x6B\x74\x72\x6F\x6E\x69\x6B\x20\x53\x65\x72\x74\x69\x66\x69\x6B\x61\x20\x48\x69\x7A\x6D\x65\x74\x20\x53\x61\xC4\x9F\x6C\x61\x79\xC4\xB1\x63\xC4\xB1\x73\xC4\xB1\x31\x37\x30\x35\x06\x03\x55\x04\x0A\x0C\x2E\x45\x42\x47\x20\x42\x69\x6C\x69\xC5\x9F\x69\x6D\x20\x54\x65\x6B\x6E\x6F\x6C\x6F\x6A\x69\x6C\x65\x72\x69\x20\x76\x65\x20\x48\x69\x7A\x6D\x65\x74\x6C\x65\x72\x69\x20\x41\x2E\xC5\x9E\x2E\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x54\x52\x30\x1E\x17\x0D\x30\x36\x30\x38\x31\x37\x30\x30\x32\x31\x30\x39\x5A\x17\x0D\x31\x36\x30\x38\x31\x34\x30\x30\x33\x31\x30\x39\x5A\x30\x81\x80\x31\x38\x30\x36\x06\x03\x55\x04\x03\x0C\x2F\x45\x42\x47\x20\x45\x6C\x65\x6B\x74\x72\x6F\x6E\x69\x6B\x20\x53\x65\x72\x74\x69\x66\x69\x6B\x61\x20\x48\x69\x7A\x6D\x65\x74\x20\x53\x61\xC4\x9F\x6C\x61\x79\xC4\xB1\x63\xC4\xB1\x73\xC4\xB1\x31\x37\x30\x35\x06\x03\x55\x04\x0A\x0C\x2E\x45\x42\x47\x20\x42\x69\x6C\x69\xC5\x9F\x69\x6D\x20\x54\x65\x6B\x6E\x6F\x6C\x6F\x6A\x69\x6C\x65\x72\x69\x20\x76\x65\x20\x48\x69\x7A\x6D\x65\x74\x6C\x65\x72\x69\x20\x41\x2E\xC5\x9E\x2E\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x54\x52\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\xEE\xA0\x84\x61\xD0\x3A\x6A\x66\x10\x32\xD8\x31\x38\x7F\xA7\xA7\xE5\xFD\xA1\xE1\xFB\x97\x77\xB8\x71\x96\xE8\x13\x96\x46\x83\x4F\xB6\xF2\x5F\x72\x56\x6E\x13\x60\xA5\x01\x91\xE2\x5B\xC5\xCD\x57\x1F\x77\x63\x51\xFF\x2F\x3D\xDB\xB9\x3F\xAA\xA9\x35\xE7\x79\xD0\xF5\xD0\x24\xB6\x21\xEA\xEB\x23\x94\xFE\x29\xBF\xFB\x89\x91\x0C\x64\x9A\x05\x4A\x2B\xCC\x0C\xEE\xF1\x3D\x9B\x82\x69\xA4\x4C\xF8\x9A\x6F\xE7\x22\xDA\x10\xBA\x5F\x92\xFC\x18\x27\x0A\xA8\xAA\x44\xFA\x2E\x2C\xB4\xFB\x46\x9A\x08\x03\x83\x72\xAB\x88\xE4\x6A\x72\xC9\xE5\x65\x1F\x6E\x2A\x0
F\x9D\xB3\xE8\x3B\xE4\x0C\x6E\x7A\xDA\x57\xFD\xD7\xEB\x79\x8B\x5E\x20\x06\xD3\x76\x0B\x6C\x02\x95\xA3\x96\xE4\xCB\x76\x51\xD1\x28\x9D\xA1\x1A\xFC\x44\xA2\x4D\xCC\x7A\x76\xA8\x0D\x3D\xBF\x17\x4F\x22\x88\x50\xFD\xAE\xB6\xEC\x90\x50\x4A\x5B\x9F\x95\x41\xAA\xCA\x0F\xB2\x4A\xFE\x80\x99\x4E\xA3\x46\x15\xAB\xF8\x73\x42\x6A\xC2\x66\x76\xB1\x0A\x26\x15\xDD\x93\x92\xEC\xDB\xA9\x5F\x54\x22\x52\x91\x70\x5D\x13\xEA\x48\xEC\x6E\x03\x6C\xD9\xDD\x6C\xFC\xEB\x0D\x03\xFF\xA6\x83\x12\x9B\xF1\xA9\x93\x0F\xC5\x26\x4C\x31\xB2\x63\x99\x61\x72\xE7\x2A\x64\x99\xD2\xB8\xE9\x75\xE2\x7C\xA9\xA9\x9A\x1A\xAA\xC3\x56\xDB\x10\x9A\x3C\x83\x52\xB6\x7B\x96\xB7\xAC\x87\x77\xA8\xB9\xF2\x67\x0B\x94\x43\xB3\xAF\x3E\x73\xFA\x42\x36\xB1\x25\xC5\x0A\x31\x26\x37\x56\x67\xBA\xA3\x0B\x7D\xD6\xF7\x89\xCD\x67\xA1\xB7\x3A\x1E\x66\x4F\xF6\xA0\x55\x14\x25\x4C\x2C\x33\x0D\xA6\x41\x8C\xBD\x04\x31\x6A\x10\x72\x0A\x9D\x0E\x2E\x76\xBD\x5E\xF3\x51\x89\x8B\xA8\x3F\x55\x73\xBF\xDB\x3A\xC6\x24\x05\x96\x92\x48\xAA\x4B\x8D\x2A\x03\xE5\x57\x91\x10\xF4\x6A\x28\x15\x6E\x47\x77\x84\x5C\x51\x74\x9F\x19\xE9\xE6\x1E\x63\x16\x39\xE3\x11\x15\xE3\x58\x1A\x44\xBD\xCB\xC4\x6C\x66\xD7\x84\x06\xDF\x30\xF4\x37\xA2\x43\x22\x79\xD2\x10\x6C\xDF\xBB\xE6\x13\x11\xFC\x9D\x84\x0A\x13\x7B\xF0\x3B\xD0\xFC\xA3\x0A\xD7\x89\xEA\x96\x7E\x8D\x48\x85\x1E\x64\x5F\xDB\x54\xA2\xAC\xD5\x7A\x02\x79\x6B\xD2\x8A\xF0\x67\xDA\x65\x72\x0D\x14\x70\xE4\xE9\x8E\x78\x8F\x32\x74\x7C\x57\xF2\xD6\xD6\xF4\x36\x89\x1B\xF8\x29\x6C\x8B\xB9\xF6\x97\xD1\xA4\x2E\xAA\xBE\x0B\x19\xC2\x45\xE9\x70\x5D\x02\x03\x00\x9D\xD9\xA3\x63\x30\x61\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xE7\xCE\xC6\x4F\xFC\x16\x67\x96\xFA\x4A\xA3\x07\xC1\x04\xA7\xCB\x6A\xDE\xDA\x47\x30\x1F\x06\x03\x55\x1D\x23\x04\x18\x30\x16\x80\x14\xE7\xCE\xC6\x4F\xFC\x16\x67\x96\xFA\x4A\xA3\x07\xC1\x04\xA7\xCB\x6A\xDE\xDA\x47\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x8
2\x02\x01\x00\x9B\x98\x9A\x5D\xBE\xF3\x28\x23\x76\xC6\x6C\xF7\x7F\xE6\x40\x9E\xC0\x36\xDC\x95\x0D\x1D\xAD\x15\xC5\x36\xD8\xD5\x39\xEF\xF2\x1E\x22\x5E\xB3\x82\xB4\x5D\xBB\x4C\x1A\xCA\x92\x0D\xDF\x47\x24\x1E\xB3\x24\xDA\x91\x88\xE9\x83\x70\xDD\x93\xD7\xE9\xBA\xB3\xDF\x16\x5A\x3E\xDE\xE0\xC8\xFB\xD3\xFD\x6C\x29\xF8\x15\x46\xA0\x68\x26\xCC\x93\x52\xAE\x82\x01\x93\x90\xCA\x77\xCA\x4D\x49\xEF\xE2\x5A\xD9\x2A\xBD\x30\xCE\x4C\xB2\x81\xB6\x30\xCE\x59\x4F\xDA\x59\x1D\x6A\x7A\xA4\x45\xB0\x82\x26\x81\x86\x76\xF5\xF5\x10\x00\xB8\xEE\xB3\x09\xE8\x4F\x87\x02\x07\xAE\x24\x5C\xF0\x5F\xAC\x0A\x30\xCC\x8A\x40\xA0\x73\x04\xC1\xFB\x89\x24\xF6\x9A\x1C\x5C\xB7\x3C\x0A\x67\x36\x05\x08\x31\xB3\xAF\xD8\x01\x68\x2A\xE0\x78\x8F\x74\xDE\xB8\x51\xA4\x8C\x6C\x20\x3D\xA2\xFB\xB3\xD4\x09\xFD\x7B\xC2\x80\xAA\x93\x6C\x29\x98\x21\xA8\xBB\x16\xF3\xA9\x12\x5F\x74\xB5\x87\x98\xF2\x95\x26\xDF\x34\xEF\x8A\x53\x91\x88\x5D\x1A\x94\xA3\x3F\x7C\x22\xF8\xD7\x88\xBA\xA6\x8C\x96\xA8\x3D\x52\x34\x62\x9F\x00\x1E\x54\x55\x42\x67\xC6\x4D\x46\x8F\xBB\x14\x45\x3D\x0A\x96\x16\x8E\x10\xA1\x97\x99\xD5\xD3\x30\x85\xCC\xDE\xB4\x72\xB7\xBC\x8A\x3C\x18\x29\x68\xFD\xDC\x71\x07\xEE\x24\x39\x6A\xFA\xED\xA5\xAC\x38\x2F\xF9\x1E\x10\x0E\x06\x71\x1A\x10\x4C\xFE\x75\x7E\xFF\x1E\x57\x39\x42\xCA\xD7\xE1\x15\xA1\x56\x55\x59\x1B\xD1\xA3\xAF\x11\xD8\x4E\xC3\xA5\x2B\xEF\x90\xBF\xC0\xEC\x82\x13\x5B\x8D\xD6\x72\x2C\x93\x4E\x8F\x6A\x29\xDF\x85\x3C\xD3\x0D\xE0\xA2\x18\x12\xCC\x55\x2F\x47\xB7\xA7\x9B\x02\xFE\x41\xF6\x88\x4C\x6D\xDA\xA9\x01\x47\x83\x64\x27\x62\x10\x82\xD6\x12\x7B\x5E\x03\x1F\x34\xA9\xC9\x91\xFE\xAF\x5D\x6D\x86\x27\xB7\x23\xAA\x75\x18\xCA\x20\xE7\xB0\x0F\xD7\x89\x0E\xA6\x67\x22\x63\xF4\x83\x41\x2B\x06\x4B\xBB\x58\xD5\xD1\xD7\xB7\xB9\x10\x63\xD8\x89\x4A\xB4\xAA\xDD\x16\x63\xF5\x6E\xBE\x60\xA1\xF8\xED\xE8\xD6\x90\x4F\x1A\xC6\xC5\xA0\x29\xD3\xA7\x21\xA8\xF5\x5A\x3C\xF7\xC7\x49\xA2\x21\x9A\x4A\x95\x52\x20\x96\x72\x9A\x66\xCB\xF7\xD2\x86\x43\x7C\x22\xBE\x96\xF9\xBD\x01\xA8\x47\xDD\xE5\x3B\x40\xF9\x75\x2B\x9B\x2B\x46\x64\x86\x8D\x1E\xF
4\x8F\xFB\x07\x77\xD0\xEA\x49\xA2\x1C\x8D\x52\x14\xA6\x0A\x93", ["OU=certSIGN ROOT CA,O=certSIGN,C=RO"] = "\x30\x82\x03\x38\x30\x82\x02\x20\xA0\x03\x02\x01\x02\x02\x06\x20\x06\x05\x16\x70\x02\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x3B\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x52\x4F\x31\x11\x30\x0F\x06\x03\x55\x04\x0A\x13\x08\x63\x65\x72\x74\x53\x49\x47\x4E\x31\x19\x30\x17\x06\x03\x55\x04\x0B\x13\x10\x63\x65\x72\x74\x53\x49\x47\x4E\x20\x52\x4F\x4F\x54\x20\x43\x41\x30\x1E\x17\x0D\x30\x36\x30\x37\x30\x34\x31\x37\x32\x30\x30\x34\x5A\x17\x0D\x33\x31\x30\x37\x30\x34\x31\x37\x32\x30\x30\x34\x5A\x30\x3B\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x52\x4F\x31\x11\x30\x0F\x06\x03\x55\x04\x0A\x13\x08\x63\x65\x72\x74\x53\x49\x47\x4E\x31\x19\x30\x17\x06\x03\x55\x04\x0B\x13\x10\x63\x65\x72\x74\x53\x49\x47\x4E\x20\x52\x4F\x4F\x54\x20\x43\x41\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xB7\x33\xB9\x7E\xC8\x25\x4A\x8E\xB5\xDB\xB4\x28\x1B\xAA\x57\x90\xE8\xD1\x22\xD3\x64\xBA\xD3\x93\xE8\xD4\xAC\x86\x61\x40\x6A\x60\x57\x68\x54\x84\x4D\xBC\x6A\x54\x02\x05\xFF\xDF\x9B\x9A\x2A\xAE\x5D\x07\x8F\x4A\xC3\x28\x7F\xEF\xFB\x2B\xFA\x79\xF1\xC7\xAD\xF0\x10\x53\x24\x90\x8B\x66\xC9\xA8\x88\xAB\xAF\x5A\xA3\x00\xE9\xBE\xBA\x46\xEE\x5B\x73\x7B\x2C\x17\x82\x81\x5E\x62\x2C\xA1\x02\x65\xB3\xBD\xC5\x2B\x00\x7E\xC4\xFC\x03\x33\x57\x0D\xED\xE2\xFA\xCE\x5D\x45\xD6\x38\xCD\x35\xB6\xB2\xC1\xD0\x9C\x81\x4A\xAA\xE4\xB2\x01\x5C\x1D\x8F\x5F\x99\xC4\xB1\xAD\xDB\x88\x21\xEB\x90\x08\x82\x80\xF3\x30\xA3\x43\xE6\x90\x82\xAE\x55\x28\x49\xED\x5B\xD7\xA9\x10\x38\x0E\xFE\x8F\x4C\x5B\x9B\x46\xEA\x41\xF5\xB0\x08\x74\xC3\xD0\x88\x33\xB6\x7C\xD7\x74\xDF\xDC\x84\xD1\x43\x0E\x75\x39\xA1\x25\x40\x28\xEA\x78\xCB\x0E\x2C\x2E\x39\x9D\x8C\x8B\x6E\x16\x1C\x2F\x26\x82\x10\xE2\xE3\x65\x94\x0A\x04\xC0\x5E\xF7\x5D\x5B\xF8\x10\xE2\xD0\xBA\x7A\x4B\xFB\xDE\x37\x00\x00\x1A\x5B\x28\xE3\xD2\x9C\x73\x3E\x32\x87\x98\xA1\xC9\x51\x2F\
xD7\xDE\xAC\x33\xB3\x4F\x02\x03\x01\x00\x01\xA3\x42\x30\x40\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\xC6\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xE0\x8C\x9B\xDB\x25\x49\xB3\xF1\x7C\x86\xD6\xB2\x42\x87\x0B\xD0\x6B\xA0\xD9\xE4\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x3E\xD2\x1C\x89\x2E\x35\xFC\xF8\x75\xDD\xE6\x7F\x65\x88\xF4\x72\x4C\xC9\x2C\xD7\x32\x4E\xF3\xDD\x19\x79\x47\xBD\x8E\x3B\x5B\x93\x0F\x50\x49\x24\x13\x6B\x14\x06\x72\xEF\x09\xD3\xA1\xA1\xE3\x40\x84\xC9\xE7\x18\x32\x74\x3C\x48\x6E\x0F\x9F\x4B\xD4\xF7\x1E\xD3\x93\x86\x64\x54\x97\x63\x72\x50\xD5\x55\xCF\xFA\x20\x93\x02\xA2\x9B\xC3\x23\x93\x4E\x16\x55\x76\xA0\x70\x79\x6D\xCD\x21\x1F\xCF\x2F\x2D\xBC\x19\xE3\x88\x31\xF8\x59\x1A\x81\x09\xC8\x97\xA6\x74\xC7\x60\xC4\x5B\xCC\x57\x8E\xB2\x75\xFD\x1B\x02\x09\xDB\x59\x6F\x72\x93\x69\xF7\x31\x41\xD6\x88\x38\xBF\x87\xB2\xBD\x16\x79\xF9\xAA\xE4\xBE\x88\x25\xDD\x61\x27\x23\x1C\xB5\x31\x07\x04\x36\xB4\x1A\x90\xBD\xA0\x74\x71\x50\x89\x6D\xBC\x14\xE3\x0F\x86\xAE\xF1\xAB\x3E\xC7\xA0\x09\xCC\xA3\x48\xD1\xE0\xDB\x64\xE7\x92\xB5\xCF\xAF\x72\x43\x70\x8B\xF9\xC3\x84\x3C\x13\xAA\x7E\x92\x9B\x57\x53\x93\xFA\x70\xC2\x91\x0E\x31\xF9\x9B\x67\x5D\xE9\x96\x38\x5E\x5F\xB3\x73\x4E\x88\x15\x67\xDE\x9E\x76\x10\x62\x20\xBE\x55\x69\x95\x43\x00\x39\x4D\xF6\xEE\xB0\x5A\x4E\x49\x44\x54\x58\x5F\x42\x83", - ["CN=CNNIC ROOT,O=CNNIC,C=CN"] = 
"\x30\x82\x03\x55\x30\x82\x02\x3D\xA0\x03\x02\x01\x02\x02\x04\x49\x33\x00\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x32\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x43\x4E\x31\x0E\x30\x0C\x06\x03\x55\x04\x0A\x13\x05\x43\x4E\x4E\x49\x43\x31\x13\x30\x11\x06\x03\x55\x04\x03\x13\x0A\x43\x4E\x4E\x49\x43\x20\x52\x4F\x4F\x54\x30\x1E\x17\x0D\x30\x37\x30\x34\x31\x36\x30\x37\x30\x39\x31\x34\x5A\x17\x0D\x32\x37\x30\x34\x31\x36\x30\x37\x30\x39\x31\x34\x5A\x30\x32\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x43\x4E\x31\x0E\x30\x0C\x06\x03\x55\x04\x0A\x13\x05\x43\x4E\x4E\x49\x43\x31\x13\x30\x11\x06\x03\x55\x04\x03\x13\x0A\x43\x4E\x4E\x49\x43\x20\x52\x4F\x4F\x54\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xD3\x35\xF7\x3F\x73\x77\xAD\xE8\x5B\x73\x17\xC2\xD1\x6F\xED\x55\xBC\x6E\xEA\xE8\xA4\x79\xB2\x6C\xC3\xA3\xEF\xE1\x9F\xB1\x3B\x48\x85\xF5\x9A\x5C\x21\x22\x10\x2C\xC5\x82\xCE\xDA\xE3\x9A\x6E\x37\xE1\x87\x2C\xDC\xB9\x0C\x5A\xBA\x88\x55\xDF\xFD\xAA\xDB\x1F\x31\xEA\x01\xF1\xDF\x39\x01\xC1\x13\xFD\x48\x52\x21\xC4\x55\xDF\xDA\xD8\xB3\x54\x76\xBA\x74\xB1\xB7\x7D\xD7\xC0\xE8\xF6\x59\xC5\x4D\xC8\xBD\xAD\x1F\x14\xDA\xDF\x58\x44\x25\x32\x19\x2A\xC7\x7E\x7E\x8E\xAE\x38\xB0\x30\x7B\x47\x72\x09\x31\xF0\x30\xDB\xC3\x1B\x76\x29\xBB\x69\x76\x4E\x57\xF9\x1B\x64\xA2\x93\x56\xB7\x6F\x99\x6E\xDB\x0A\x04\x9C\x11\xE3\x80\x1F\xCB\x63\x94\x10\x0A\xA9\xE1\x64\x82\x31\xF9\x8C\x27\xED\xA6\x99\x00\xF6\x70\x93\x18\xF8\xA1\x34\x86\xA3\xDD\x7A\xC2\x18\x79\xF6\x7A\x65\x35\xCF\x90\xEB\xBD\x33\x93\x9F\x53\xAB\x73\x3B\xE6\x9B\x34\x20\x2F\x1D\xEF\xA9\x1D\x63\x1A\xA0\x80\xDB\x03\x2F\xF9\x26\x1A\x86\xD2\x8D\xBB\xA9\xBE\x52\x3A\x87\x67\x48\x0D\xBF\xB4\xA0\xD8\x26\xBE\x23\x5F\x73\x37\x7F\x26\xE6\x92\x04\xA3\x7F\xCF\x20\xA7\xB7\xF3\x3A\xCA\xCB\x99\xCB\x02\x03\x01\x00\x01\xA3\x73\x30\x71\x30\x11\x06\x09\x60\x86\x48\x01\x86\xF8\x42\x01\x01\x04\x04\x03\x02\x00\x07\x30\x1F\x06\x03\x55\x1D\x23\x04\x18\x30\x16\x80\x1
4\x65\xF2\x31\xAD\x2A\xF7\xF7\xDD\x52\x96\x0A\xC7\x02\xC1\x0E\xEF\xA6\xD5\x3B\x11\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0B\x06\x03\x55\x1D\x0F\x04\x04\x03\x02\x01\xFE\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x65\xF2\x31\xAD\x2A\xF7\xF7\xDD\x52\x96\x0A\xC7\x02\xC1\x0E\xEF\xA6\xD5\x3B\x11\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x4B\x35\xEE\xCC\xE4\xAE\xBF\xC3\x6E\xAD\x9F\x95\x3B\x4B\x3F\x5B\x1E\xDF\x57\x29\xA2\x59\xCA\x38\xE2\xB9\x1A\xFF\x9E\xE6\x6E\x32\xDD\x1E\xAE\xEA\x35\xB7\xF5\x93\x91\x4E\xDA\x42\xE1\xC3\x17\x60\x50\xF2\xD1\x5C\x26\xB9\x82\xB7\xEA\x6D\xE4\x9C\x84\xE7\x03\x79\x17\xAF\x98\x3D\x94\xDB\xC7\xBA\x00\xE7\xB8\xBF\x01\x57\xC1\x77\x45\x32\x0C\x3B\xF1\xB4\x1C\x08\xB0\xFD\x51\xA0\xA1\xDD\x9A\x1D\x13\x36\x9A\x6D\xB7\xC7\x3C\xB9\xE1\xC5\xD9\x17\xFA\x83\xD5\x3D\x15\xA0\x3C\xBB\x1E\x0B\xE2\xC8\x90\x3F\xA8\x86\x0C\xFC\xF9\x8B\x5E\x85\xCB\x4F\x5B\x4B\x62\x11\x47\xC5\x45\x7C\x05\x2F\x41\xB1\x9E\x10\x69\x1B\x99\x96\xE0\x55\x79\xFB\x4E\x86\x99\xB8\x94\xDA\x86\x38\x6A\x93\xA3\xE7\xCB\x6E\xE5\xDF\xEA\x21\x55\x89\x9C\x7D\x7D\x7F\x98\xF5\x00\x89\xEE\xE3\x84\xC0\x5C\x96\xB5\xC5\x46\xEA\x46\xE0\x85\x55\xB6\x1B\xC9\x12\xD6\xC1\xCD\xCD\x80\xF3\x02\x01\x3C\xC8\x69\xCB\x45\x48\x63\xD8\x94\xD0\xEC\x85\x0E\x3B\x4E\x11\x65\xF4\x82\x8C\xA6\x3D\xAE\x2E\x22\x94\x09\xC8\x5C\xEA\x3C\x81\x5D\x16\x2A\x03\x97\x16\x55\x09\xDB\x8A\x41\x82\x9E\x66\x9B\x11", - ["OU=ApplicationCA,O=Japanese Government,C=JP"] = 
"\x30\x82\x03\xA0\x30\x82\x02\x88\xA0\x03\x02\x01\x02\x02\x01\x31\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x43\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x4A\x50\x31\x1C\x30\x1A\x06\x03\x55\x04\x0A\x13\x13\x4A\x61\x70\x61\x6E\x65\x73\x65\x20\x47\x6F\x76\x65\x72\x6E\x6D\x65\x6E\x74\x31\x16\x30\x14\x06\x03\x55\x04\x0B\x13\x0D\x41\x70\x70\x6C\x69\x63\x61\x74\x69\x6F\x6E\x43\x41\x30\x1E\x17\x0D\x30\x37\x31\x32\x31\x32\x31\x35\x30\x30\x30\x30\x5A\x17\x0D\x31\x37\x31\x32\x31\x32\x31\x35\x30\x30\x30\x30\x5A\x30\x43\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x4A\x50\x31\x1C\x30\x1A\x06\x03\x55\x04\x0A\x13\x13\x4A\x61\x70\x61\x6E\x65\x73\x65\x20\x47\x6F\x76\x65\x72\x6E\x6D\x65\x6E\x74\x31\x16\x30\x14\x06\x03\x55\x04\x0B\x13\x0D\x41\x70\x70\x6C\x69\x63\x61\x74\x69\x6F\x6E\x43\x41\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xA7\x6D\xE0\x74\x4E\x87\x8F\xA5\x06\xDE\x68\xA2\xDB\x86\x99\x4B\x64\x0D\x71\xF0\x0A\x05\x9B\x8E\xAA\xE1\xCC\x2E\xD2\x6A\x3B\xC1\x7A\xB4\x97\x61\x8D\x8A\xBE\xC6\x9A\x9C\x06\xB4\x86\x51\xE4\x37\x0E\x74\x78\x7E\x5F\x8A\x7F\x94\xA4\xD7\x47\x08\xFD\x50\x5A\x56\xE4\x68\xAC\x28\x73\xA0\x7B\xE9\x7F\x18\x92\x40\x4F\x2D\x9D\xF5\xAE\x44\x48\x73\x36\x06\x9E\x64\x2C\x3B\x34\x23\xDB\x5C\x26\xE4\x71\x79\x8F\xD4\x6E\x79\x22\xB9\x93\xC1\xCA\xCD\xC1\x56\xED\x88\x6A\xD7\xA0\x39\x21\x04\x57\x2C\xA2\xF5\xBC\x47\x41\x4F\x5E\x34\x22\x95\xB5\x1F\x29\x6D\x5E\x4A\xF3\x4D\x72\xBE\x41\x56\x20\x87\xFC\xE9\x50\x47\xD7\x30\x14\xEE\x5C\x8C\x55\xBA\x59\x8D\x87\xFC\x23\xDE\x93\xD0\x04\x8C\xFD\xEF\x6D\xBD\xD0\x7A\xC9\xA5\x3A\x6A\x72\x33\xC6\x4A\x0D\x05\x17\x2A\x2D\x7B\xB1\xA7\xD8\xD6\xF0\xBE\xF4\x3F\xEA\x0E\x28\x6D\x41\x61\x23\x76\x78\xC3\xB8\x65\xA4\xF3\x5A\xAE\xCC\xC2\xAA\xD9\xE7\x58\xDE\xB6\x7E\x9D\x85\x6E\x9F\x2A\x0A\x6F\x9F\x03\x29\x30\x97\x28\x1D\xBC\xB7\xCF\x54\x29\x4E\x51\x31\xF9\x27\xB6\x28\x26\xFE\xA2\x63\xE6\x41\x16\xF0\x33\x98\x47\x02\x03\x01\x00\x01\xA3\x81\x9E\x30\x8
1\x9B\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x54\x5A\xCB\x26\x3F\x71\xCC\x94\x46\x0D\x96\x53\xEA\x6B\x48\xD0\x93\xFE\x42\x75\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x59\x06\x03\x55\x1D\x11\x04\x52\x30\x50\xA4\x4E\x30\x4C\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x4A\x50\x31\x18\x30\x16\x06\x03\x55\x04\x0A\x0C\x0F\xE6\x97\xA5\xE6\x9C\xAC\xE5\x9B\xBD\xE6\x94\xBF\xE5\xBA\x9C\x31\x23\x30\x21\x06\x03\x55\x04\x0B\x0C\x1A\xE3\x82\xA2\xE3\x83\x97\xE3\x83\xAA\xE3\x82\xB1\xE3\x83\xBC\xE3\x82\xB7\xE3\x83\xA7\xE3\x83\xB3\x43\x41\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x39\x6A\x44\x76\x77\x38\x3A\xEC\xA3\x67\x46\x0F\xF9\x8B\x06\xA8\xFB\x6A\x90\x31\xCE\x7E\xEC\xDA\xD1\x89\x7C\x7A\xEB\x2E\x0C\xBD\x99\x32\xE7\xB0\x24\xD6\xC3\xFF\xF5\xB2\x88\x09\x87\x2C\xE3\x54\xE1\xA3\xA6\xB2\x08\x0B\xC0\x85\xA8\xC8\xD2\x9C\x71\xF6\x1D\x9F\x60\xFC\x38\x33\x13\xE1\x9E\xDC\x0B\x5F\xDA\x16\x50\x29\x7B\x2F\x70\x91\x0F\x99\xBA\x34\x34\x8D\x95\x74\xC5\x7E\x78\xA9\x66\x5D\xBD\xCA\x21\x77\x42\x10\xAC\x66\x26\x3D\xDE\x91\xAB\xFD\x15\xF0\x6F\xED\x6C\x5F\x10\xF8\xF3\x16\xF6\x03\x8A\x8F\xA7\x12\x11\x0C\xCB\xFD\x3F\x79\xC1\x9C\xFD\x62\xEE\xA3\xCF\x54\x0C\xD1\x2B\x5F\x17\x3E\xE3\x3E\xBF\xC0\x2B\x3E\x09\x9B\xFE\x88\xA6\x7E\xB4\x92\x17\xFC\x23\x94\x81\xBD\x6E\xA7\xC5\x8C\xC2\xEB\x11\x45\xDB\xF8\x41\xC9\x96\x76\xEA\x70\x5F\x79\x12\x6B\xE4\xA3\x07\x5A\x05\xEF\x27\x49\xCF\x21\x9F\x8A\x4C\x09\x70\x66\xA9\x26\xC1\x2B\x11\x4E\x33\xD2\x0E\xFC\xD6\x6C\xD2\x0E\x32\x64\x68\xFF\xAD\x05\x78\x5F\x03\x1D\xA8\xE3\x90\xAC\x24\xE0\x0F\x40\xA7\x4B\xAE\x8B\x28\xB7\x82\xCA\x18\x07\xE6\xB7\x5B\x74\xE9\x20\x19\x7F\xB2\x1B\x89\x54", ["CN=GeoTrust Primary Certification Authority - G3,OU=(c) 2008 GeoTrust Inc. 
- For authorized use only,O=GeoTrust Inc.,C=US"] = "\x30\x82\x03\xFE\x30\x82\x02\xE6\xA0\x03\x02\x01\x02\x02\x10\x15\xAC\x6E\x94\x19\xB2\x79\x4B\x41\xF6\x27\xA9\xC3\x18\x0F\x1F\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x30\x81\x98\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x16\x30\x14\x06\x03\x55\x04\x0A\x13\x0D\x47\x65\x6F\x54\x72\x75\x73\x74\x20\x49\x6E\x63\x2E\x31\x39\x30\x37\x06\x03\x55\x04\x0B\x13\x30\x28\x63\x29\x20\x32\x30\x30\x38\x20\x47\x65\x6F\x54\x72\x75\x73\x74\x20\x49\x6E\x63\x2E\x20\x2D\x20\x46\x6F\x72\x20\x61\x75\x74\x68\x6F\x72\x69\x7A\x65\x64\x20\x75\x73\x65\x20\x6F\x6E\x6C\x79\x31\x36\x30\x34\x06\x03\x55\x04\x03\x13\x2D\x47\x65\x6F\x54\x72\x75\x73\x74\x20\x50\x72\x69\x6D\x61\x72\x79\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x20\x2D\x20\x47\x33\x30\x1E\x17\x0D\x30\x38\x30\x34\x30\x32\x30\x30\x30\x30\x30\x30\x5A\x17\x0D\x33\x37\x31\x32\x30\x31\x32\x33\x35\x39\x35\x39\x5A\x30\x81\x98\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x16\x30\x14\x06\x03\x55\x04\x0A\x13\x0D\x47\x65\x6F\x54\x72\x75\x73\x74\x20\x49\x6E\x63\x2E\x31\x39\x30\x37\x06\x03\x55\x04\x0B\x13\x30\x28\x63\x29\x20\x32\x30\x30\x38\x20\x47\x65\x6F\x54\x72\x75\x73\x74\x20\x49\x6E\x63\x2E\x20\x2D\x20\x46\x6F\x72\x20\x61\x75\x74\x68\x6F\x72\x69\x7A\x65\x64\x20\x75\x73\x65\x20\x6F\x6E\x6C\x79\x31\x36\x30\x34\x06\x03\x55\x04\x03\x13\x2D\x47\x65\x6F\x54\x72\x75\x73\x74\x20\x50\x72\x69\x6D\x61\x72\x79\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x20\x2D\x20\x47\x33\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xDC\xE2\x5E\x62\x58\x1D\x33\x57\x39\x32\x33\xFA\xEB\xCB\x87\x8C\xA7\xD4\x4A\xDD\x06\x88\xEA\x64\x8E\x31\x98\xA5\x38\x90\x1E\x98\xCF\x2E\x63\x2B\xF0\x46\xBC\x44\xB2\x89\xA1\xC0\x28\x0C\x49\x70\x21\x95\x9F\x64\xC0\xA6\x93\x12\x02\x65\x26\x86\xC6\xA5\x89\xF0\xFA\xD7
\x84\xA0\x70\xAF\x4F\x1A\x97\x3F\x06\x44\xD5\xC9\xEB\x72\x10\x7D\xE4\x31\x28\xFB\x1C\x61\xE6\x28\x07\x44\x73\x92\x22\x69\xA7\x03\x88\x6C\x9D\x63\xC8\x52\xDA\x98\x27\xE7\x08\x4C\x70\x3E\xB4\xC9\x12\xC1\xC5\x67\x83\x5D\x33\xF3\x03\x11\xEC\x6A\xD0\x53\xE2\xD1\xBA\x36\x60\x94\x80\xBB\x61\x63\x6C\x5B\x17\x7E\xDF\x40\x94\x1E\xAB\x0D\xC2\x21\x28\x70\x88\xFF\xD6\x26\x6C\x6C\x60\x04\x25\x4E\x55\x7E\x7D\xEF\xBF\x94\x48\xDE\xB7\x1D\xDD\x70\x8D\x05\x5F\x88\xA5\x9B\xF2\xC2\xEE\xEA\xD1\x40\x41\x6D\x62\x38\x1D\x56\x06\xC5\x03\x47\x51\x20\x19\xFC\x7B\x10\x0B\x0E\x62\xAE\x76\x55\xBF\x5F\x77\xBE\x3E\x49\x01\x53\x3D\x98\x25\x03\x76\x24\x5A\x1D\xB4\xDB\x89\xEA\x79\xE5\xB6\xB3\x3B\x3F\xBA\x4C\x28\x41\x7F\x06\xAC\x6A\x8E\xC1\xD0\xF6\x05\x1D\x7D\xE6\x42\x86\xE3\xA5\xD5\x47\x02\x03\x01\x00\x01\xA3\x42\x30\x40\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xC4\x79\xCA\x8E\xA1\x4E\x03\x1D\x1C\xDC\x6B\xDB\x31\x5B\x94\x3E\x3F\x30\x7F\x2D\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x03\x82\x01\x01\x00\x2D\xC5\x13\xCF\x56\x80\x7B\x7A\x78\xBD\x9F\xAE\x2C\x99\xE7\xEF\xDA\xDF\x94\x5E\x09\x69\xA7\xE7\x6E\x68\x8C\xBD\x72\xBE\x47\xA9\x0E\x97\x12\xB8\x4A\xF1\x64\xD3\x39\xDF\x25\x34\xD4\xC1\xCD\x4E\x81\xF0\x0F\x04\xC4\x24\xB3\x34\x96\xC6\xA6\xAA\x30\xDF\x68\x61\x73\xD7\xF9\x8E\x85\x89\xEF\x0E\x5E\x95\x28\x4A\x2A\x27\x8F\x10\x8E\x2E\x7C\x86\xC4\x02\x9E\xDA\x0C\x77\x65\x0E\x44\x0D\x92\xFD\xFD\xB3\x16\x36\xFA\x11\x0D\x1D\x8C\x0E\x07\x89\x6A\x29\x56\xF7\x72\xF4\xDD\x15\x9C\x77\x35\x66\x57\xAB\x13\x53\xD8\x8E\xC1\x40\xC5\xD7\x13\x16\x5A\x72\xC7\xB7\x69\x01\xC4\x7A\xB1\x83\x01\x68\x7D\x8D\x41\xA1\x94\x18\xC1\x25\x5C\xFC\xF0\xFE\x83\x02\x87\x7C\x0D\x0D\xCF\x2E\x08\x5C\x4A\x40\x0D\x3E\xEC\x81\x61\xE6\x24\xDB\xCA\xE0\x0E\x2D\x07\xB2\x3E\x56\xDC\x8D\xF5\x41\x85\x07\x48\x9B\x0C\x0B\xCB\x49\x3F\x7D\xEC\xB7\xFD\xCB\x8D\x67\x89\x1A\xAB\xED\xBB\x1E\xA3\x00\x08\x08\x17\x2A\x82
\x5C\x31\x5D\x46\x8A\x2D\x0F\x86\x9B\x74\xD9\x45\xFB\xD4\x40\xB1\x7A\xAA\x68\x2D\x86\xB2\x99\x22\xE1\xC1\x2B\xC7\x9C\xF8\xF3\x5F\xA8\x82\x12\xEB\x19\x11\x2D", ["CN=thawte Primary Root CA - G2,OU=(c) 2007 thawte\, Inc. - For authorized use only,O=thawte\, Inc.,C=US"] = "\x30\x82\x02\x88\x30\x82\x02\x0D\xA0\x03\x02\x01\x02\x02\x10\x35\xFC\x26\x5C\xD9\x84\x4F\xC9\x3D\x26\x3D\x57\x9B\xAE\xD7\x56\x30\x0A\x06\x08\x2A\x86\x48\xCE\x3D\x04\x03\x03\x30\x81\x84\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x15\x30\x13\x06\x03\x55\x04\x0A\x13\x0C\x74\x68\x61\x77\x74\x65\x2C\x20\x49\x6E\x63\x2E\x31\x38\x30\x36\x06\x03\x55\x04\x0B\x13\x2F\x28\x63\x29\x20\x32\x30\x30\x37\x20\x74\x68\x61\x77\x74\x65\x2C\x20\x49\x6E\x63\x2E\x20\x2D\x20\x46\x6F\x72\x20\x61\x75\x74\x68\x6F\x72\x69\x7A\x65\x64\x20\x75\x73\x65\x20\x6F\x6E\x6C\x79\x31\x24\x30\x22\x06\x03\x55\x04\x03\x13\x1B\x74\x68\x61\x77\x74\x65\x20\x50\x72\x69\x6D\x61\x72\x79\x20\x52\x6F\x6F\x74\x20\x43\x41\x20\x2D\x20\x47\x32\x30\x1E\x17\x0D\x30\x37\x31\x31\x30\x35\x30\x30\x30\x30\x30\x30\x5A\x17\x0D\x33\x38\x30\x31\x31\x38\x32\x33\x35\x39\x35\x39\x5A\x30\x81\x84\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x15\x30\x13\x06\x03\x55\x04\x0A\x13\x0C\x74\x68\x61\x77\x74\x65\x2C\x20\x49\x6E\x63\x2E\x31\x38\x30\x36\x06\x03\x55\x04\x0B\x13\x2F\x28\x63\x29\x20\x32\x30\x30\x37\x20\x74\x68\x61\x77\x74\x65\x2C\x20\x49\x6E\x63\x2E\x20\x2D\x20\x46\x6F\x72\x20\x61\x75\x74\x68\x6F\x72\x69\x7A\x65\x64\x20\x75\x73\x65\x20\x6F\x6E\x6C\x79\x31\x24\x30\x22\x06\x03\x55\x04\x03\x13\x1B\x74\x68\x61\x77\x74\x65\x20\x50\x72\x69\x6D\x61\x72\x79\x20\x52\x6F\x6F\x74\x20\x43\x41\x20\x2D\x20\x47\x32\x30\x76\x30\x10\x06\x07\x2A\x86\x48\xCE\x3D\x02\x01\x06\x05\x2B\x81\x04\x00\x22\x03\x62\x00\x04\xA2\xD5\x9C\x82\x7B\x95\x9D\xF1\x52\x78\x87\xFE\x8A\x16\xBF\x05\xE6\xDF\xA3\x02\x4F\x0D\x07\xC6\x00\x51\xBA\x0C\x02\x52\x2D\x22\xA4\x42\x39\xC4\xFE\x8F\xEA\xC9\xC1\xBE\xD4\x4D\xFF\x9F\x7A\x9E\xE2\xB1\x7C\x9A\xAD\xA7\x86\x09\x73\x87\xD1\xE7\x9A\xE3\x7A\x
A5\xAA\x6E\xFB\xBA\xB3\x70\xC0\x67\x88\xA2\x35\xD4\xA3\x9A\xB1\xFD\xAD\xC2\xEF\x31\xFA\xA8\xB9\xF3\xFB\x08\xC6\x91\xD1\xFB\x29\x95\xA3\x42\x30\x40\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x9A\xD8\x00\x30\x00\xE7\x6B\x7F\x85\x18\xEE\x8B\xB6\xCE\x8A\x0C\xF8\x11\xE1\xBB\x30\x0A\x06\x08\x2A\x86\x48\xCE\x3D\x04\x03\x03\x03\x69\x00\x30\x66\x02\x31\x00\xDD\xF8\xE0\x57\x47\x5B\xA7\xE6\x0A\xC3\xBD\xF5\x80\x8A\x97\x35\x0D\x1B\x89\x3C\x54\x86\x77\x28\xCA\xA1\xF4\x79\xDE\xB5\xE6\x38\xB0\xF0\x65\x70\x8C\x7F\x02\x54\xC2\xBF\xFF\xD8\xA1\x3E\xD9\xCF\x02\x31\x00\xC4\x8D\x94\xFC\xDC\x53\xD2\xDC\x9D\x78\x16\x1F\x15\x33\x23\x53\x52\xE3\x5A\x31\x5D\x9D\xCA\xAE\xBD\x13\x29\x44\x0D\x27\x5B\xA8\xE7\x68\x9C\x12\xF7\x58\x3F\x2E\x72\x02\x57\xA3\x8F\xA1\x14\x2E", ["CN=thawte Primary Root CA - G3,OU=(c) 2008 thawte\, Inc. - For authorized use only,OU=Certification Services Division,O=thawte\, Inc.,C=US"] = 
"\x30\x82\x04\x2A\x30\x82\x03\x12\xA0\x03\x02\x01\x02\x02\x10\x60\x01\x97\xB7\x46\xA7\xEA\xB4\xB4\x9A\xD6\x4B\x2F\xF7\x90\xFB\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x30\x81\xAE\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x15\x30\x13\x06\x03\x55\x04\x0A\x13\x0C\x74\x68\x61\x77\x74\x65\x2C\x20\x49\x6E\x63\x2E\x31\x28\x30\x26\x06\x03\x55\x04\x0B\x13\x1F\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x53\x65\x72\x76\x69\x63\x65\x73\x20\x44\x69\x76\x69\x73\x69\x6F\x6E\x31\x38\x30\x36\x06\x03\x55\x04\x0B\x13\x2F\x28\x63\x29\x20\x32\x30\x30\x38\x20\x74\x68\x61\x77\x74\x65\x2C\x20\x49\x6E\x63\x2E\x20\x2D\x20\x46\x6F\x72\x20\x61\x75\x74\x68\x6F\x72\x69\x7A\x65\x64\x20\x75\x73\x65\x20\x6F\x6E\x6C\x79\x31\x24\x30\x22\x06\x03\x55\x04\x03\x13\x1B\x74\x68\x61\x77\x74\x65\x20\x50\x72\x69\x6D\x61\x72\x79\x20\x52\x6F\x6F\x74\x20\x43\x41\x20\x2D\x20\x47\x33\x30\x1E\x17\x0D\x30\x38\x30\x34\x30\x32\x30\x30\x30\x30\x30\x30\x5A\x17\x0D\x33\x37\x31\x32\x30\x31\x32\x33\x35\x39\x35\x39\x5A\x30\x81\xAE\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x15\x30\x13\x06\x03\x55\x04\x0A\x13\x0C\x74\x68\x61\x77\x74\x65\x2C\x20\x49\x6E\x63\x2E\x31\x28\x30\x26\x06\x03\x55\x04\x0B\x13\x1F\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x53\x65\x72\x76\x69\x63\x65\x73\x20\x44\x69\x76\x69\x73\x69\x6F\x6E\x31\x38\x30\x36\x06\x03\x55\x04\x0B\x13\x2F\x28\x63\x29\x20\x32\x30\x30\x38\x20\x74\x68\x61\x77\x74\x65\x2C\x20\x49\x6E\x63\x2E\x20\x2D\x20\x46\x6F\x72\x20\x61\x75\x74\x68\x6F\x72\x69\x7A\x65\x64\x20\x75\x73\x65\x20\x6F\x6E\x6C\x79\x31\x24\x30\x22\x06\x03\x55\x04\x03\x13\x1B\x74\x68\x61\x77\x74\x65\x20\x50\x72\x69\x6D\x61\x72\x79\x20\x52\x6F\x6F\x74\x20\x43\x41\x20\x2D\x20\x47\x33\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xB2\xBF\x27\x2C\xFB\xDB\xD8\x5B\xDD\x78\x7B\x1B\x9E\x77\x66\x81\xCB\x3E\xBC\x7C\xAE\xF3\xA6\x27\x9A\x34\xA3\x68\x31\x71\x38\x33\x62\xE4\xF
3\x71\x66\x79\xB1\xA9\x65\xA3\xA5\x8B\xD5\x8F\x60\x2D\x3F\x42\xCC\xAA\x6B\x32\xC0\x23\xCB\x2C\x41\xDD\xE4\xDF\xFC\x61\x9C\xE2\x73\xB2\x22\x95\x11\x43\x18\x5F\xC4\xB6\x1F\x57\x6C\x0A\x05\x58\x22\xC8\x36\x4C\x3A\x7C\xA5\xD1\xCF\x86\xAF\x88\xA7\x44\x02\x13\x74\x71\x73\x0A\x42\x59\x02\xF8\x1B\x14\x6B\x42\xDF\x6F\x5F\xBA\x6B\x82\xA2\x9D\x5B\xE7\x4A\xBD\x1E\x01\x72\xDB\x4B\x74\xE8\x3B\x7F\x7F\x7D\x1F\x04\xB4\x26\x9B\xE0\xB4\x5A\xAC\x47\x3D\x55\xB8\xD7\xB0\x26\x52\x28\x01\x31\x40\x66\xD8\xD9\x24\xBD\xF6\x2A\xD8\xEC\x21\x49\x5C\x9B\xF6\x7A\xE9\x7F\x55\x35\x7E\x96\x6B\x8D\x93\x93\x27\xCB\x92\xBB\xEA\xAC\x40\xC0\x9F\xC2\xF8\x80\xCF\x5D\xF4\x5A\xDC\xCE\x74\x86\xA6\x3E\x6C\x0B\x53\xCA\xBD\x92\xCE\x19\x06\x72\xE6\x0C\x5C\x38\x69\xC7\x04\xD6\xBC\x6C\xCE\x5B\xF6\xF7\x68\x9C\xDC\x25\x15\x48\x88\xA1\xE9\xA9\xF8\x98\x9C\xE0\xF3\xD5\x31\x28\x61\x11\x6C\x67\x96\x8D\x39\x99\xCB\xC2\x45\x24\x39\x02\x03\x01\x00\x01\xA3\x42\x30\x40\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xAD\x6C\xAA\x94\x60\x9C\xED\xE4\xFF\xFA\x3E\x0A\x74\x2B\x63\x03\xF7\xB6\x59\xBF\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x03\x82\x01\x01\x00\x1A\x40\xD8\x95\x65\xAC\x09\x92\x89\xC6\x39\xF4\x10\xE5\xA9\x0E\x66\x53\x5D\x78\xDE\xFA\x24\x91\xBB\xE7\x44\x51\xDF\xC6\x16\x34\x0A\xEF\x6A\x44\x51\xEA\x2B\x07\x8A\x03\x7A\xC3\xEB\x3F\x0A\x2C\x52\x16\xA0\x2B\x43\xB9\x25\x90\x3F\x70\xA9\x33\x25\x6D\x45\x1A\x28\x3B\x27\xCF\xAA\xC3\x29\x42\x1B\xDF\x3B\x4C\xC0\x33\x34\x5B\x41\x88\xBF\x6B\x2B\x65\xAF\x28\xEF\xB2\xF5\xC3\xAA\x66\xCE\x7B\x56\xEE\xB7\xC8\xCB\x67\xC1\xC9\x9C\x1A\x18\xB8\xC4\xC3\x49\x03\xF1\x60\x0E\x50\xCD\x46\xC5\xF3\x77\x79\xF7\xB6\x15\xE0\x38\xDB\xC7\x2F\x28\xA0\x0C\x3F\x77\x26\x74\xD9\x25\x12\xDA\x31\xDA\x1A\x1E\xDC\x29\x41\x91\x22\x3C\x69\xA7\xBB\x02\xF2\xB6\x5C\x27\x03\x89\xF4\x06\xEA\x9B\xE4\x72\x82\xE3\xA1\x09\xC1\xE9\x00\x19\xD3\x3E\xD4\x70\x6B\xBA\x71\xA6\xAA\x58\xA
E\xF4\xBB\xE9\x6C\xB6\xEF\x87\xCC\x9B\xBB\xFF\x39\xE6\x56\x61\xD3\x0A\xA7\xC4\x5C\x4C\x60\x7B\x05\x77\x26\x7A\xBF\xD8\x07\x52\x2C\x62\xF7\x70\x63\xD9\x39\xBC\x6F\x1C\xC2\x79\xDC\x76\x29\xAF\xCE\xC5\x2C\x64\x04\x5E\x88\x36\x6E\x31\xD4\x40\x1A\x62\x34\x36\x3F\x35\x01\xAE\xAC\x63\xA0", 
@@ -84,10 +61,8 @@ redef root_certs += { ["CN=VeriSign Class 3 Public Primary Certification Authority - G4,OU=(c) 2007 VeriSign\, Inc. - For authorized use only,OU=VeriSign Trust Network,O=VeriSign\, Inc.,C=US"] = "\x30\x82\x03\x84\x30\x82\x03\x0A\xA0\x03\x02\x01\x02\x02\x10\x2F\x80\xFE\x23\x8C\x0E\x22\x0F\x48\x67\x12\x28\x91\x87\xAC\xB3\x30\x0A\x06\x08\x2A\x86\x48\xCE\x3D\x04\x03\x03\x30\x81\xCA\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x17\x30\x15\x06\x03\x55\x04\x0A\x13\x0E\x56\x65\x72\x69\x53\x69\x67\x6E\x2C\x20\x49\x6E\x63\x2E\x31\x1F\x30\x1D\x06\x03\x55\x04\x0B\x13\x16\x56\x65\x72\x69\x53\x69\x67\x6E\x20\x54\x72\x75\x73\x74\x20\x4E\x65\x74\x77\x6F\x72\x6B\x31\x3A\x30\x38\x06\x03\x55\x04\x0B\x13\x31\x28\x63\x29\x20\x32\x30\x30\x37\x20\x56\x65\x72\x69\x53\x69\x67\x6E\x2C\x20\x49\x6E\x63\x2E\x20\x2D\x20\x46\x6F\x72\x20\x61\x75\x74\x68\x6F\x72\x69\x7A\x65\x64\x20\x75\x73\x65\x20\x6F\x6E\x6C\x79\x31\x45\x30\x43\x06\x03\x55\x04\x03\x13\x3C\x56\x65\x72\x69\x53\x69\x67\x6E\x20\x43\x6C\x61\x73\x73\x20\x33\x20\x50\x75\x62\x6C\x69\x63\x20\x50\x72\x69\x6D\x61\x72\x79\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x20\x2D\x20\x47\x34\x30\x1E\x17\x0D\x30\x37\x31\x31\x30\x35\x30\x30\x30\x30\x30\x30\x5A\x17\x0D\x33\x38\x30\x31\x31\x38\x32\x33\x35\x39\x35\x39\x5A\x30\x81\xCA\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x17\x30\x15\x06\x03\x55\x04\x0A\x13\x0E\x56\x65\x72\x69\x53\x69\x67\x6E\x2C\x20\x49\x6E\x63\x2E\x31\x1F\x30\x1D\x06\x03\x55\x04\x0B\x13\x16\x56\x65\x72\x69\x53\x69\x67\x6E\x20\x54\x72\x75\x73\x74\x20\x4E\x65\x74\x77\x6F\x72\x6B\x31\x3A\x30\x38\x06\x03\x55\x04\x0B\x13\x31\x28\x63\x29\x20\x32\x30\x30\x37\x20\x56\x65\x72\x69\x53\x69\x67\x6E\x2C\x20\x49\x6E\x63\x2E\x20\x2D\x20\x46\x6F\x72\x20\x61\x75\x74\x68\x6F\x72\x69\x7A\x65\x64\x20\x75\x73\x65\x20\x6F\x6E\x6C\x79\x31\x45\x30\x43\x06\x03\x55\x04\x03\x13\x3C\x56\x65\x72\x69\x53\x69\x67\x6E\x20\x43\x6C\x61\x73\x73\x20\x33\x20\x50\x75\x62\x6C\
x69\x63\x20\x50\x72\x69\x6D\x61\x72\x79\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x20\x2D\x20\x47\x34\x30\x76\x30\x10\x06\x07\x2A\x86\x48\xCE\x3D\x02\x01\x06\x05\x2B\x81\x04\x00\x22\x03\x62\x00\x04\xA7\x56\x7A\x7C\x52\xDA\x64\x9B\x0E\x2D\x5C\xD8\x5E\xAC\x92\x3D\xFE\x01\xE6\x19\x4A\x3D\x14\x03\x4B\xFA\x60\x27\x20\xD9\x83\x89\x69\xFA\x54\xC6\x9A\x18\x5E\x55\x2A\x64\xDE\x06\xF6\x8D\x4A\x3B\xAD\x10\x3C\x65\x3D\x90\x88\x04\x89\xE0\x30\x61\xB3\xAE\x5D\x01\xA7\x7B\xDE\x7C\xB2\xBE\xCA\x65\x61\x00\x86\xAE\xDA\x8F\x7B\xD0\x89\xAD\x4D\x1D\x59\x9A\x41\xB1\xBC\x47\x80\xDC\x9E\x62\xC3\xF9\xA3\x81\xB2\x30\x81\xAF\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x6D\x06\x08\x2B\x06\x01\x05\x05\x07\x01\x0C\x04\x61\x30\x5F\xA1\x5D\xA0\x5B\x30\x59\x30\x57\x30\x55\x16\x09\x69\x6D\x61\x67\x65\x2F\x67\x69\x66\x30\x21\x30\x1F\x30\x07\x06\x05\x2B\x0E\x03\x02\x1A\x04\x14\x8F\xE5\xD3\x1A\x86\xAC\x8D\x8E\x6B\xC3\xCF\x80\x6A\xD4\x48\x18\x2C\x7B\x19\x2E\x30\x25\x16\x23\x68\x74\x74\x70\x3A\x2F\x2F\x6C\x6F\x67\x6F\x2E\x76\x65\x72\x69\x73\x69\x67\x6E\x2E\x63\x6F\x6D\x2F\x76\x73\x6C\x6F\x67\x6F\x2E\x67\x69\x66\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xB3\x16\x91\xFD\xEE\xA6\x6E\xE4\xB5\x2E\x49\x8F\x87\x78\x81\x80\xEC\xE5\xB1\xB5\x30\x0A\x06\x08\x2A\x86\x48\xCE\x3D\x04\x03\x03\x03\x68\x00\x30\x65\x02\x30\x66\x21\x0C\x18\x26\x60\x5A\x38\x7B\x56\x42\xE0\xA7\xFC\x36\x84\x51\x91\x20\x2C\x76\x4D\x43\x3D\xC4\x1D\x84\x23\xD0\xAC\xD6\x7C\x35\x06\xCE\xCD\x69\xBD\x90\x0D\xDB\x6C\x48\x42\x1D\x0E\xAA\x42\x02\x31\x00\x9C\x3D\x48\x39\x23\x39\x58\x1A\x15\x12\x59\x6A\x9E\xEF\xD5\x59\xB2\x1D\x52\x2C\x99\x71\xCD\xC7\x29\xDF\x1B\x2A\x61\x7B\x71\xD1\xDE\xF3\xC0\xE5\x0D\x3A\x4A\xAA\x2D\xA7\xD8\x86\x2A\xDD\x2E\x10", ["CN=NetLock Arany (Class Gold) F\C5\91tan\C3\BAs\C3\ADtv\C3\A1ny,OU=Tan\C3\BAs\C3\ADtv\C3\A1nykiad\C3\B3k (Certification Services),O=NetLock Kft.,L=Budapest,C=HU"] 
= "\x30\x82\x04\x15\x30\x82\x02\xFD\xA0\x03\x02\x01\x02\x02\x06\x49\x41\x2C\xE4\x00\x10\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x30\x81\xA7\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x48\x55\x31\x11\x30\x0F\x06\x03\x55\x04\x07\x0C\x08\x42\x75\x64\x61\x70\x65\x73\x74\x31\x15\x30\x13\x06\x03\x55\x04\x0A\x0C\x0C\x4E\x65\x74\x4C\x6F\x63\x6B\x20\x4B\x66\x74\x2E\x31\x37\x30\x35\x06\x03\x55\x04\x0B\x0C\x2E\x54\x61\x6E\xC3\xBA\x73\xC3\xAD\x74\x76\xC3\xA1\x6E\x79\x6B\x69\x61\x64\xC3\xB3\x6B\x20\x28\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x53\x65\x72\x76\x69\x63\x65\x73\x29\x31\x35\x30\x33\x06\x03\x55\x04\x03\x0C\x2C\x4E\x65\x74\x4C\x6F\x63\x6B\x20\x41\x72\x61\x6E\x79\x20\x28\x43\x6C\x61\x73\x73\x20\x47\x6F\x6C\x64\x29\x20\x46\xC5\x91\x74\x61\x6E\xC3\xBA\x73\xC3\xAD\x74\x76\xC3\xA1\x6E\x79\x30\x1E\x17\x0D\x30\x38\x31\x32\x31\x31\x31\x35\x30\x38\x32\x31\x5A\x17\x0D\x32\x38\x31\x32\x30\x36\x31\x35\x30\x38\x32\x31\x5A\x30\x81\xA7\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x48\x55\x31\x11\x30\x0F\x06\x03\x55\x04\x07\x0C\x08\x42\x75\x64\x61\x70\x65\x73\x74\x31\x15\x30\x13\x06\x03\x55\x04\x0A\x0C\x0C\x4E\x65\x74\x4C\x6F\x63\x6B\x20\x4B\x66\x74\x2E\x31\x37\x30\x35\x06\x03\x55\x04\x0B\x0C\x2E\x54\x61\x6E\xC3\xBA\x73\xC3\xAD\x74\x76\xC3\xA1\x6E\x79\x6B\x69\x61\x64\xC3\xB3\x6B\x20\x28\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x53\x65\x72\x76\x69\x63\x65\x73\x29\x31\x35\x30\x33\x06\x03\x55\x04\x03\x0C\x2C\x4E\x65\x74\x4C\x6F\x63\x6B\x20\x41\x72\x61\x6E\x79\x20\x28\x43\x6C\x61\x73\x73\x20\x47\x6F\x6C\x64\x29\x20\x46\xC5\x91\x74\x61\x6E\xC3\xBA\x73\xC3\xAD\x74\x76\xC3\xA1\x6E\x79\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xC4\x24\x5E\x73\xBE\x4B\x6D\x14\xC3\xA1\xF4\xE3\x97\x90\x6E\xD2\x30\x45\x1E\x3C\xEE\x67\xD9\x64\xE0\x1A\x8A\x7F\xCA\x30\xCA\x83\xE3\x20\xC1\xE3\xF4\x3A\xD3\x94\x5F\x1A\x7C\x5B\x6D\xBF\x30\x4F\x84\x27\xF6\x9F\x1F\x49\xBC\xC6\x99\x0A\
x90\xF2\x0F\xF5\x7F\x43\x84\x37\x63\x51\x8B\x7A\xA5\x70\xFC\x7A\x58\xCD\x8E\x9B\xED\xC3\x46\x6C\x84\x70\x5D\xDA\xF3\x01\x90\x23\xFC\x4E\x30\xA9\x7E\xE1\x27\x63\xE7\xED\x64\x3C\xA0\xB8\xC9\x33\x63\xFE\x16\x90\xFF\xB0\xB8\xFD\xD7\xA8\xC0\xC0\x94\x43\x0B\xB6\xD5\x59\xA6\x9E\x56\xD0\x24\x1F\x70\x79\xAF\xDB\x39\x54\x0D\x65\x75\xD9\x15\x41\x94\x01\xAF\x5E\xEC\xF6\x8D\xF1\xFF\xAD\x64\xFE\x20\x9A\xD7\x5C\xEB\xFE\xA6\x1F\x08\x64\xA3\x8B\x76\x55\xAD\x1E\x3B\x28\x60\x2E\x87\x25\xE8\xAA\xAF\x1F\xC6\x64\x46\x20\xB7\x70\x7F\x3C\xDE\x48\xDB\x96\x53\xB7\x39\x77\xE4\x1A\xE2\xC7\x16\x84\x76\x97\x5B\x2F\xBB\x19\x15\x85\xF8\x69\x85\xF5\x99\xA7\xA9\xF2\x34\xA7\xA9\xB6\xA6\x03\xFC\x6F\x86\x3D\x54\x7C\x76\x04\x9B\x6B\xF9\x40\x5D\x00\x34\xC7\x2E\x99\x75\x9D\xE5\x88\x03\xAA\x4D\xF8\x03\xD2\x42\x76\xC0\x1B\x02\x03\x00\xA8\x8B\xA3\x45\x30\x43\x30\x12\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x08\x30\x06\x01\x01\xFF\x02\x01\x04\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xCC\xFA\x67\x93\xF0\xB6\xB8\xD0\xA5\xC0\x1E\xF3\x53\xFD\x8C\x53\xDF\x83\xD7\x96\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x03\x82\x01\x01\x00\xAB\x7F\xEE\x1C\x16\xA9\x9C\x3C\x51\x00\xA0\xC0\x11\x08\x05\xA7\x99\xE6\x6F\x01\x88\x54\x61\x6E\xF1\xB9\x18\xAD\x4A\xAD\xFE\x81\x40\x23\x94\x2F\xFB\x75\x7C\x2F\x28\x4B\x62\x24\x81\x82\x0B\xF5\x61\xF1\x1C\x6E\xB8\x61\x38\xEB\x81\xFA\x62\xA1\x3B\x5A\x62\xD3\x94\x65\xC4\xE1\xE6\x6D\x82\xF8\x2F\x25\x70\xB2\x21\x26\xC1\x72\x51\x1F\x8C\x2C\xC3\x84\x90\xC3\x5A\x8F\xBA\xCF\xF4\xA7\x65\xA5\xEB\x98\xD1\xFB\x05\xB2\x46\x75\x15\x23\x6A\x6F\x85\x63\x30\x80\xF0\xD5\x9E\x1F\x29\x1C\xC2\x6C\xB0\x50\x59\x5D\x90\x5B\x3B\xA8\x0D\x30\xCF\xBF\x7D\x7F\xCE\xF1\x9D\x83\xBD\xC9\x46\x6E\x20\xA6\xF9\x61\x51\xBA\x21\x2F\x7B\xBE\xA5\x15\x63\xA1\xD4\x95\x87\xF1\x9E\xB9\xF3\x89\xF3\x3D\x85\xB8\xB8\xDB\xBE\xB5\xB9\x29\xF9\xDA\x37\x05\x00\x49\x94\x03\x84\x44\xE7\xBF\x43\x31\xCF\x75\x8B\x25\xD1\xF4\xA6\x64\xF5\x92\xF6\xAB\x05\xEB\x3D\xE9\xA5\x0B\
x36\x62\xDA\xCC\x06\x5F\x36\x8B\xB6\x5E\x31\xB8\x2A\xFB\x5E\xF6\x71\xDF\x44\x26\x9E\xC4\xE6\x0D\x91\xB4\x2E\x75\x95\x80\x51\x6A\x4B\x30\xA6\xB0\x62\xA1\x93\xF1\x9B\xD8\xCE\xC4\x63\x75\x3F\x59\x47\xB1", ["CN=Staat der Nederlanden Root CA - G2,O=Staat der Nederlanden,C=NL"] = "\x30\x82\x05\xCA\x30\x82\x03\xB2\xA0\x03\x02\x01\x02\x02\x04\x00\x98\x96\x8C\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x30\x5A\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x4E\x4C\x31\x1E\x30\x1C\x06\x03\x55\x04\x0A\x0C\x15\x53\x74\x61\x61\x74\x20\x64\x65\x72\x20\x4E\x65\x64\x65\x72\x6C\x61\x6E\x64\x65\x6E\x31\x2B\x30\x29\x06\x03\x55\x04\x03\x0C\x22\x53\x74\x61\x61\x74\x20\x64\x65\x72\x20\x4E\x65\x64\x65\x72\x6C\x61\x6E\x64\x65\x6E\x20\x52\x6F\x6F\x74\x20\x43\x41\x20\x2D\x20\x47\x32\x30\x1E\x17\x0D\x30\x38\x30\x33\x32\x36\x31\x31\x31\x38\x31\x37\x5A\x17\x0D\x32\x30\x30\x33\x32\x35\x31\x31\x30\x33\x31\x30\x5A\x30\x5A\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x4E\x4C\x31\x1E\x30\x1C\x06\x03\x55\x04\x0A\x0C\x15\x53\x74\x61\x61\x74\x20\x64\x65\x72\x20\x4E\x65\x64\x65\x72\x6C\x61\x6E\x64\x65\x6E\x31\x2B\x30\x29\x06\x03\x55\x04\x03\x0C\x22\x53\x74\x61\x61\x74\x20\x64\x65\x72\x20\x4E\x65\x64\x65\x72\x6C\x61\x6E\x64\x65\x6E\x20\x52\x6F\x6F\x74\x20\x43\x41\x20\x2D\x20\x47\x32\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\xC5\x59\xE7\x6F\x75\xAA\x3E\x4B\x9C\xB5\xB8\xAC\x9E\x0B\xE4\xF9\xD9\xCA\xAB\x5D\x8F\xB5\x39\x10\x82\xD7\xAF\x51\xE0\x3B\xE1\x00\x48\x6A\xCF\xDA\xE1\x06\x43\x11\x99\xAA\x14\x25\x12\xAD\x22\xE8\x00\x6D\x43\xC4\xA9\xB8\xE5\x1F\x89\x4B\x67\xBD\x61\x48\xEF\xFD\xD2\xE0\x60\x88\xE5\xB9\x18\x60\x28\xC3\x77\x2B\xAD\xB0\x37\xAA\x37\xDE\x64\x59\x2A\x46\x57\xE4\x4B\xB9\xF8\x37\x7C\xD5\x36\xE7\x80\xC1\xB6\xF3\xD4\x67\x9B\x96\xE8\xCE\xD7\xC6\x0A\x53\xD0\x6B\x49\x96\xF3\xA3\x0B\x05\x77\x48\xF7\x25\xE5\x70\xAC\x30\x14\x20\x25\xE3\x7F\x75\x5A\xE5\x48\xF8\x4E\x7B\x03\x07\x04\xFA\x82\x61\x87\x6E\xF0\x3B
\xC4\xA4\xC7\xD0\xF5\x74\x3E\xA5\x5D\x1A\x08\xF2\x9B\x25\xD2\xF6\xAC\x04\x26\x3E\x55\x3A\x62\x28\xA5\x7B\xB2\x30\xAF\xF8\x37\xC2\xD1\xBA\xD6\x38\xFD\xF4\xEF\x49\x30\x37\x99\x26\x21\x48\x85\x01\xA9\xE5\x16\xE7\xDC\x90\x55\xDF\x0F\xE8\x38\xCD\x99\x37\x21\x4F\x5D\xF5\x22\x6F\x6A\xC5\x12\x16\x60\x17\x55\xF2\x65\x66\xA6\xA7\x30\x91\x38\xC1\x38\x1D\x86\x04\x84\xBA\x1A\x25\x78\x5E\x9D\xAF\xCC\x50\x60\xD6\x13\x87\x52\xED\x63\x1F\x6D\x65\x7D\xC2\x15\x18\x74\xCA\xE1\x7E\x64\x29\x8C\x72\xD8\x16\x13\x7D\x0B\x49\x4A\xF1\x28\x1B\x20\x74\x6B\xC5\x3D\xDD\xB0\xAA\x48\x09\x3D\x2E\x82\x94\xCD\x1A\x65\xD9\x2B\x88\x9A\x99\xBC\x18\x7E\x9F\xEE\x7D\x66\x7C\x3E\xBD\x94\xB8\x81\xCE\xCD\x98\x30\x78\xC1\x6F\x67\xD0\xBE\x5F\xE0\x68\xED\xDE\xE2\xB1\xC9\x2C\x59\x78\x92\xAA\xDF\x2B\x60\x63\xF2\xE5\x5E\xB9\xE3\xCA\xFA\x7F\x50\x86\x3E\xA2\x34\x18\x0C\x09\x68\x28\x11\x1C\xE4\xE1\xB9\x5C\x3E\x47\xBA\x32\x3F\x18\xCC\x5B\x84\xF5\xF3\x6B\x74\xC4\x72\x74\xE1\xE3\x8B\xA0\x4A\xBD\x8D\x66\x2F\xEA\xAD\x35\xDA\x20\xD3\x88\x82\x61\xF0\x12\x22\xB6\xBC\xD0\xD5\xA4\xEC\xAF\x54\x88\x25\x24\x3C\xA7\x6D\xB1\x72\x29\x3F\x3E\x57\xA6\x7F\x55\xAF\x6E\x26\xC6\xFE\xE7\xCC\x40\x5C\x51\x44\x81\x0A\x78\xDE\x4A\xCE\x55\xBF\x1D\xD5\xD9\xB7\x56\xEF\xF0\x76\xFF\x0B\x79\xB5\xAF\xBD\xFB\xA9\x69\x91\x46\x97\x68\x80\x14\x36\x1D\xB3\x7F\xBB\x29\x98\x36\xA5\x20\xFA\x82\x60\x62\x33\xA4\xEC\xD6\xBA\x07\xA7\x6E\xC5\xCF\x14\xA6\xE7\xD6\x92\x34\xD8\x81\xF5\xFC\x1D\x5D\xAA\x5C\x1E\xF6\xA3\x4D\x3B\xB8\xF7\x39\x02\x03\x01\x00\x01\xA3\x81\x97\x30\x81\x94\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x52\x06\x03\x55\x1D\x20\x04\x4B\x30\x49\x30\x47\x06\x04\x55\x1D\x20\x00\x30\x3F\x30\x3D\x06\x08\x2B\x06\x01\x05\x05\x07\x02\x01\x16\x31\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x70\x6B\x69\x6F\x76\x65\x72\x68\x65\x69\x64\x2E\x6E\x6C\x2F\x70\x6F\x6C\x69\x63\x69\x65\x73\x2F\x72\x6F\x6F\x74\x2D\x70\x6F\x6C\x69\x63\x79\x2D\x47\x32\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x1D\x06\x03\x55\x1D\x0E\x04
\x16\x04\x14\x91\x68\x32\x87\x15\x1D\x89\xE2\xB5\xF1\xAC\x36\x28\x34\x8D\x0B\x7C\x62\x88\xEB\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x03\x82\x02\x01\x00\xA8\x41\x4A\x67\x2A\x92\x81\x82\x50\x6E\xE1\xD7\xD8\xB3\x39\x3B\xF3\x02\x15\x09\x50\x51\xEF\x2D\xBD\x24\x7B\x88\x86\x3B\xF9\xB4\xBC\x92\x09\x96\xB9\xF6\xC0\xAB\x23\x60\x06\x79\x8C\x11\x4E\x51\xD2\x79\x80\x33\xFB\x9D\x48\xBE\xEC\x41\x43\x81\x1F\x7E\x47\x40\x1C\xE5\x7A\x08\xCA\xAA\x8B\x75\xAD\x14\xC4\xC2\xE8\x66\x3C\x82\x07\xA7\xE6\x27\x82\x5B\x18\xE6\x0F\x6E\xD9\x50\x3E\x8A\x42\x18\x29\xC6\xB4\x56\xFC\x56\x10\xA0\x05\x17\xBD\x0C\x23\x7F\xF4\x93\xED\x9C\x1A\x51\xBE\xDD\x45\x41\xBF\x91\x24\xB4\x1F\x8C\xE9\x5F\xCF\x7B\x21\x99\x9F\x95\x9F\x39\x3A\x46\x1C\x6C\xF9\xCD\x7B\x9C\x90\xCD\x28\xA9\xC7\xA9\x55\xBB\xAC\x62\x34\x62\x35\x13\x4B\x14\x3A\x55\x83\xB9\x86\x8D\x92\xA6\xC6\xF4\x07\x25\x54\xCC\x16\x57\x12\x4A\x82\x78\xC8\x14\xD9\x17\x82\x26\x2D\x5D\x20\x1F\x79\xAE\xFE\xD4\x70\x16\x16\x95\x83\xD8\x35\x39\xFF\x52\x5D\x75\x1C\x16\xC5\x13\x55\xCF\x47\xCC\x75\x65\x52\x4A\xDE\xF0\xB0\xA7\xE4\x0A\x96\x0B\xFB\xAD\xC2\xE2\x25\x84\xB2\xDD\xE4\xBD\x7E\x59\x6C\x9B\xF0\xF0\xD8\xE7\xCA\xF2\xE9\x97\x38\x7E\x89\xBE\xCC\xFB\x39\x17\x61\x3F\x72\xDB\x3A\x91\xD8\x65\x01\x19\x1D\xAD\x50\xA4\x57\x0A\x7C\x4B\xBC\x9C\x71\x73\x2A\x45\x51\x19\x85\xCC\x8E\xFD\x47\xA7\x74\x95\x1D\xA8\xD1\xAF\x4E\x17\xB1\x69\x26\xC2\xAA\x78\x57\x5B\xC5\x4D\xA7\xE5\x9E\x05\x17\x94\xCA\xB2\x5F\xA0\x49\x18\x8D\x34\xE9\x26\x6C\x48\x1E\xAA\x68\x92\x05\xE1\x82\x73\x5A\x9B\xDC\x07\x5B\x08\x6D\x7D\x9D\xD7\x8D\x21\xD9\xFC\x14\x20\xAA\xC2\x45\xDF\x3F\xE7\x00\xB2\x51\xE4\xC2\xF8\x05\xB9\x79\x1A\x8C\x34\xF3\x9E\x5B\xE4\x37\x5B\x6B\x4A\xDF\x2C\x57\x8A\x40\x5A\x36\xBA\xDD\x75\x44\x08\x37\x42\x70\x0C\xFE\xDC\x5E\x21\xA0\xA3\x8A\xC0\x90\x9C\x68\xDA\x50\xE6\x45\x10\x47\x78\xB6\x4E\xD2\x65\xC9\xC3\x37\xDF\xE1\x42\x63\xB0\x57\x37\x45\x2D\x7B\x8A\x9C\xBF\x05\xEA\x65\x55\x33\xF7\x39\x10\xC5\x28\x2A\x21\x7A\x1B\x8A\xC4\x24\xF9\x3F\x15\xC8\x9A\x15\x20\xF5\x55\x62\x96\xED
\x6D\x93\x50\xBC\xE4\xAA\x78\xAD\xD9\xCB\x0A\x65\x87\xA6\x66\xC1\xC4\x81\xA3\x77\x3A\x58\x1E\x0B\xEE\x83\x8B\x9D\x1E\xD2\x52\xA4\xCC\x1D\x6F\xB0\x98\x6D\x94\x31\xB5\xF8\x71\x0A\xDC\xB9\xFC\x7D\x32\x60\xE6\xEB\xAF\x8A\x01", - ["CN=Juur-SK,O=AS Sertifitseerimiskeskus,C=EE,emailAddress=pki@sk.ee"] = "\x30\x82\x04\xE6\x30\x82\x03\xCE\xA0\x03\x02\x01\x02\x02\x04\x3B\x8E\x4B\xFC\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x5D\x31\x18\x30\x16\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x09\x01\x16\x09\x70\x6B\x69\x40\x73\x6B\x2E\x65\x65\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x45\x45\x31\x22\x30\x20\x06\x03\x55\x04\x0A\x13\x19\x41\x53\x20\x53\x65\x72\x74\x69\x66\x69\x74\x73\x65\x65\x72\x69\x6D\x69\x73\x6B\x65\x73\x6B\x75\x73\x31\x10\x30\x0E\x06\x03\x55\x04\x03\x13\x07\x4A\x75\x75\x72\x2D\x53\x4B\x30\x1E\x17\x0D\x30\x31\x30\x38\x33\x30\x31\x34\x32\x33\x30\x31\x5A\x17\x0D\x31\x36\x30\x38\x32\x36\x31\x34\x32\x33\x30\x31\x5A\x30\x5D\x31\x18\x30\x16\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x09\x01\x16\x09\x70\x6B\x69\x40\x73\x6B\x2E\x65\x65\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x45\x45\x31\x22\x30\x20\x06\x03\x55\x04\x0A\x13\x19\x41\x53\x20\x53\x65\x72\x74\x69\x66\x69\x74\x73\x65\x65\x72\x69\x6D\x69\x73\x6B\x65\x73\x6B\x75\x73\x31\x10\x30\x0E\x06\x03\x55\x04\x03\x13\x07\x4A\x75\x75\x72\x2D\x53\x4B\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\x81\x71\x36\x3E\x33\x07\xD6\xE3\x30\x8D\x13\x7E\x77\x32\x46\xCB\xCF\x19\xB2\x60\x31\x46\x97\x86\xF4\x98\x46\xA4\xC2\x65\x45\xCF\xD3\x40\x7C\xE3\x5A\x22\xA8\x10\x78\x33\xCC\x88\xB1\xD3\x81\x4A\xF6\x62\x17\x7B\x5F\x4D\x0A\x2E\xD0\xCF\x8B\x23\xEE\x4F\x02\x4E\xBB\xEB\x0E\xCA\xBD\x18\x63\xE8\x80\x1C\x8D\xE1\x1C\x8D\x3D\xE0\xFF\x5B\x5F\xEA\x64\xE5\x97\xE8\x3F\x99\x7F\x0C\x0A\x09\x33\x00\x1A\x53\xA7\x21\xE1\x38\x4B\xD6\x83\x1B\xAD\xAF\x64\xC2\xF9\x1C\x7A\x8C\x66\x48\x4D\x66\x1F\x18\x0A\xE2\x3E\xBB\x1F\x07\x65\x93\x85\xB9\x1A\xB0\xB9\xC4\xFB\x0D\
x11\xF6\xF5\xD6\xF9\x1B\xC7\x2C\x2B\xB7\x18\x51\xFE\xE0\x7B\xF6\xA8\x48\xAF\x6C\x3B\x4F\x2F\xEF\xF8\xD1\x47\x1E\x26\x57\xF0\x51\x1D\x33\x96\xFF\xEF\x59\x3D\xDA\x4D\xD1\x15\x34\xC7\xEA\x3F\x16\x48\x7B\x91\x1C\x80\x43\x0F\x3D\xB8\x05\x3E\xD1\xB3\x95\xCD\xD8\xCA\x0F\xC2\x43\x67\xDB\xB7\x93\xE0\x22\x82\x2E\xBE\xF5\x68\x28\x83\xB9\xC1\x3B\x69\x7B\x20\xDA\x4E\x9C\x6D\xE1\xBA\xCD\x8F\x7A\x6C\xB0\x09\x22\xD7\x8B\x0B\xDB\x1C\xD5\x5A\x26\x5B\x0D\xC0\xEA\xE5\x60\xD0\x9F\xFE\x35\xDF\x3F\x02\x03\x01\x00\x01\xA3\x82\x01\xAC\x30\x82\x01\xA8\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x82\x01\x16\x06\x03\x55\x1D\x20\x04\x82\x01\x0D\x30\x82\x01\x09\x30\x82\x01\x05\x06\x0A\x2B\x06\x01\x04\x01\xCE\x1F\x01\x01\x01\x30\x81\xF6\x30\x81\xD0\x06\x08\x2B\x06\x01\x05\x05\x07\x02\x02\x30\x81\xC3\x1E\x81\xC0\x00\x53\x00\x65\x00\x65\x00\x20\x00\x73\x00\x65\x00\x72\x00\x74\x00\x69\x00\x66\x00\x69\x00\x6B\x00\x61\x00\x61\x00\x74\x00\x20\x00\x6F\x00\x6E\x00\x20\x00\x76\x00\xE4\x00\x6C\x00\x6A\x00\x61\x00\x73\x00\x74\x00\x61\x00\x74\x00\x75\x00\x64\x00\x20\x00\x41\x00\x53\x00\x2D\x00\x69\x00\x73\x00\x20\x00\x53\x00\x65\x00\x72\x00\x74\x00\x69\x00\x66\x00\x69\x00\x74\x00\x73\x00\x65\x00\x65\x00\x72\x00\x69\x00\x6D\x00\x69\x00\x73\x00\x6B\x00\x65\x00\x73\x00\x6B\x00\x75\x00\x73\x00\x20\x00\x61\x00\x6C\x00\x61\x00\x6D\x00\x2D\x00\x53\x00\x4B\x00\x20\x00\x73\x00\x65\x00\x72\x00\x74\x00\x69\x00\x66\x00\x69\x00\x6B\x00\x61\x00\x61\x00\x74\x00\x69\x00\x64\x00\x65\x00\x20\x00\x6B\x00\x69\x00\x6E\x00\x6E\x00\x69\x00\x74\x00\x61\x00\x6D\x00\x69\x00\x73\x00\x65\x00\x6B\x00\x73\x30\x21\x06\x08\x2B\x06\x01\x05\x05\x07\x02\x01\x16\x15\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x73\x6B\x2E\x65\x65\x2F\x63\x70\x73\x2F\x30\x2B\x06\x03\x55\x1D\x1F\x04\x24\x30\x22\x30\x20\xA0\x1E\xA0\x1C\x86\x1A\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x73\x6B\x2E\x65\x65\x2F\x6A\x75\x75\x72\x2F\x63\x72\x6C\x2F\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x04\xAA\x7A\x47\xA3\xE4\x89\xAF\x1A\xCF\x0A\x40\
xA7\x18\x3F\x6F\xEF\xE9\x7D\xBE\x30\x1F\x06\x03\x55\x1D\x23\x04\x18\x30\x16\x80\x14\x04\xAA\x7A\x47\xA3\xE4\x89\xAF\x1A\xCF\x0A\x40\xA7\x18\x3F\x6F\xEF\xE9\x7D\xBE\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\xE6\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x7B\xC1\x18\x94\x53\xA2\x09\xF3\xFE\x26\x67\x9A\x50\xE4\xC3\x05\x2F\x2B\x35\x78\x91\x4C\x7C\xA8\x11\x11\x79\x4C\x49\x59\xAC\xC8\xF7\x85\x65\x5C\x46\xBB\x3B\x10\xA0\x02\xAF\xCD\x4F\xB5\xCC\x36\x2A\xEC\x5D\xFE\xEF\xA0\x91\xC9\xB6\x93\x6F\x7C\x80\x54\xEC\xC7\x08\x70\x0D\x8E\xFB\x82\xEC\x2A\x60\x78\x69\x36\x36\xD1\xC5\x9C\x8B\x69\xB5\x40\xC8\x94\x65\x77\xF2\x57\x21\x66\x3B\xCE\x85\x40\xB6\x33\x63\x1A\xBF\x79\x1E\xFC\x5C\x1D\xD3\x1D\x93\x1B\x8B\x0C\x5D\x85\xBD\x99\x30\x32\x18\x09\x91\x52\xE9\x7C\xA1\xBA\xFF\x64\x92\x9A\xEC\xFE\x35\xEE\x8C\x2F\xAE\xFC\x20\x86\xEC\x4A\xDE\x1B\x78\x32\x37\xA6\x81\xD2\x9D\xAF\x5A\x12\x16\xCA\x99\x5B\xFC\x6F\x6D\x0E\xC5\xA0\x1E\x86\xC9\x91\xD0\x5C\x98\x82\x5F\x63\x0C\x8A\x5A\xAB\xD8\x95\xA6\xCC\xCB\x8A\xD6\xBF\x64\x4B\x8E\xCA\x8A\xB2\xB0\xE9\x21\x32\x9E\xAA\xA8\x85\x98\x34\x81\x39\x21\x3B\xA8\x3A\x52\x32\x3D\xF6\x6B\x37\x86\x06\x5A\x15\x98\xDC\xF0\x11\x66\xFE\x34\x20\xB7\x03\xF4\x41\x10\x7D\x39\x84\x79\x96\x72\x63\xB6\x96\x02\xE5\x6B\xB9\xAD\x19\x4D\xBB\xC6\x44\xDB\x36\xCB\x2A\x9C\x8E", ["CN=Hongkong Post Root CA 1,O=Hongkong Post,C=HK"] = 
"\x30\x82\x03\x30\x30\x82\x02\x18\xA0\x03\x02\x01\x02\x02\x02\x03\xE8\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x47\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x48\x4B\x31\x16\x30\x14\x06\x03\x55\x04\x0A\x13\x0D\x48\x6F\x6E\x67\x6B\x6F\x6E\x67\x20\x50\x6F\x73\x74\x31\x20\x30\x1E\x06\x03\x55\x04\x03\x13\x17\x48\x6F\x6E\x67\x6B\x6F\x6E\x67\x20\x50\x6F\x73\x74\x20\x52\x6F\x6F\x74\x20\x43\x41\x20\x31\x30\x1E\x17\x0D\x30\x33\x30\x35\x31\x35\x30\x35\x31\x33\x31\x34\x5A\x17\x0D\x32\x33\x30\x35\x31\x35\x30\x34\x35\x32\x32\x39\x5A\x30\x47\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x48\x4B\x31\x16\x30\x14\x06\x03\x55\x04\x0A\x13\x0D\x48\x6F\x6E\x67\x6B\x6F\x6E\x67\x20\x50\x6F\x73\x74\x31\x20\x30\x1E\x06\x03\x55\x04\x03\x13\x17\x48\x6F\x6E\x67\x6B\x6F\x6E\x67\x20\x50\x6F\x73\x74\x20\x52\x6F\x6F\x74\x20\x43\x41\x20\x31\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xAC\xFF\x38\xB6\xE9\x66\x02\x49\xE3\xA2\xB4\xE1\x90\xF9\x40\x8F\x79\xF9\xE2\xBD\x79\xFE\x02\xBD\xEE\x24\x92\x1D\x22\xF6\xDA\x85\x72\x69\xFE\xD7\x3F\x09\xD4\xDD\x91\xB5\x02\x9C\xD0\x8D\x5A\xE1\x55\xC3\x50\x86\xB9\x29\x26\xC2\xE3\xD9\xA0\xF1\x69\x03\x28\x20\x80\x45\x22\x2D\x56\xA7\x3B\x54\x95\x56\x22\x59\x1F\x28\xDF\x1F\x20\x3D\x6D\xA2\x36\xBE\x23\xA0\xB1\x6E\xB5\xB1\x27\x3F\x39\x53\x09\xEA\xAB\x6A\xE8\x74\xB2\xC2\x65\x5C\x8E\xBF\x7C\xC3\x78\x84\xCD\x9E\x16\xFC\xF5\x2E\x4F\x20\x2A\x08\x9F\x77\xF3\xC5\x1E\xC4\x9A\x52\x66\x1E\x48\x5E\xE3\x10\x06\x8F\x22\x98\xE1\x65\x8E\x1B\x5D\x23\x66\x3B\xB8\xA5\x32\x51\xC8\x86\xAA\xA1\xA9\x9E\x7F\x76\x94\xC2\xA6\x6C\xB7\x41\xF0\xD5\xC8\x06\x38\xE6\xD4\x0C\xE2\xF3\x3B\x4C\x6D\x50\x8C\xC4\x83\x27\xC1\x13\x84\x59\x3D\x9E\x75\x74\xB6\xD8\x02\x5E\x3A\x90\x7A\xC0\x42\x36\x72\xEC\x6A\x4D\xDC\xEF\xC4\x00\xDF\x13\x18\x57\x5F\x26\x78\xC8\xD6\x0A\x79\x77\xBF\xF7\xAF\xB7\x76\xB9\xA5\x0B\x84\x17\x5D\x10\xEA\x6F\xE1\xAB\x95\x11\x5F\x6D\x3C\xA3\x5C\x4D\x83\x5B\xF2\xB3\x19\x8A\x80\x8B\x0B\x87\x0
2\x03\x01\x00\x01\xA3\x26\x30\x24\x30\x12\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x08\x30\x06\x01\x01\xFF\x02\x01\x03\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\xC6\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x0E\x46\xD5\x3C\xAE\xE2\x87\xD9\x5E\x81\x8B\x02\x98\x41\x08\x8C\x4C\xBC\xDA\xDB\xEE\x27\x1B\x82\xE7\x6A\x45\xEC\x16\x8B\x4F\x85\xA0\xF3\xB2\x70\xBD\x5A\x96\xBA\xCA\x6E\x6D\xEE\x46\x8B\x6E\xE7\x2A\x2E\x96\xB3\x19\x33\xEB\xB4\x9F\xA8\xB2\x37\xEE\x98\xA8\x97\xB6\x2E\xB6\x67\x27\xD4\xA6\x49\xFD\x1C\x93\x65\x76\x9E\x42\x2F\xDC\x22\x6C\x9A\x4F\xF2\x5A\x15\x39\xB1\x71\xD7\x2B\x51\xE8\x6D\x1C\x98\xC0\xD9\x2A\xF4\xA1\x82\x7B\xD5\xC9\x41\xA2\x23\x01\x74\x38\x55\x8B\x0F\xB9\x2E\x67\xA2\x20\x04\x37\xDA\x9C\x0B\xD3\x17\x21\xE0\x8F\x97\x79\x34\x6F\x84\x48\x02\x20\x33\x1B\xE6\x34\x44\x9F\x91\x70\xF4\x80\x5E\x84\x43\xC2\x29\xD2\x6C\x12\x14\xE4\x61\x8D\xAC\x10\x90\x9E\x84\x50\xBB\xF0\x96\x6F\x45\x9F\x8A\xF3\xCA\x6C\x4F\xFA\x11\x3A\x15\x15\x46\xC3\xCD\x1F\x83\x5B\x2D\x41\x12\xED\x50\x67\x41\x13\x3D\x21\xAB\x94\x8A\xAA\x4E\x7C\xC1\xB1\xFB\xA7\xD6\xB5\x27\x2F\x97\xAB\x6E\xE0\x1D\xE2\xD1\x1C\x2C\x1F\x44\xE2\xFC\xBE\x91\xA1\x9C\xFB\xD6\x29\x53\x73\x86\x9F\x53\xD8\x43\x0E\x5D\xD6\x63\x82\x71\x1D\x80\x74\xCA\xF6\xE2\x02\x6B\xD9\x5A", ["CN=SecureSign RootCA11,O=Japan Certification Services\, Inc.,C=JP"] = 
"\x30\x82\x03\x6D\x30\x82\x02\x55\xA0\x03\x02\x01\x02\x02\x01\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x58\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x4A\x50\x31\x2B\x30\x29\x06\x03\x55\x04\x0A\x13\x22\x4A\x61\x70\x61\x6E\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x53\x65\x72\x76\x69\x63\x65\x73\x2C\x20\x49\x6E\x63\x2E\x31\x1C\x30\x1A\x06\x03\x55\x04\x03\x13\x13\x53\x65\x63\x75\x72\x65\x53\x69\x67\x6E\x20\x52\x6F\x6F\x74\x43\x41\x31\x31\x30\x1E\x17\x0D\x30\x39\x30\x34\x30\x38\x30\x34\x35\x36\x34\x37\x5A\x17\x0D\x32\x39\x30\x34\x30\x38\x30\x34\x35\x36\x34\x37\x5A\x30\x58\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x4A\x50\x31\x2B\x30\x29\x06\x03\x55\x04\x0A\x13\x22\x4A\x61\x70\x61\x6E\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x53\x65\x72\x76\x69\x63\x65\x73\x2C\x20\x49\x6E\x63\x2E\x31\x1C\x30\x1A\x06\x03\x55\x04\x03\x13\x13\x53\x65\x63\x75\x72\x65\x53\x69\x67\x6E\x20\x52\x6F\x6F\x74\x43\x41\x31\x31\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xFD\x77\xAA\xA5\x1C\x90\x05\x3B\xCB\x4C\x9B\x33\x8B\x5A\x14\x45\xA4\xE7\x90\x16\xD1\xDF\x57\xD2\x21\x10\xA4\x17\xFD\xDF\xAC\xD6\x1F\xA7\xE4\xDB\x7C\xF7\xEC\xDF\xB8\x03\xDA\x94\x58\xFD\x5D\x72\x7C\x8C\x3F\x5F\x01\x67\x74\x15\x96\xE3\x02\x3C\x87\xDB\xAE\xCB\x01\x8E\xC2\xF3\x66\xC6\x85\x45\xF4\x02\xC6\x3A\xB5\x62\xB2\xAF\xFA\x9C\xBF\xA4\xE6\xD4\x80\x30\x98\xF3\x0D\xB6\x93\x8F\xA9\xD4\xD8\x36\xF2\xB0\xFC\x8A\xCA\x2C\xA1\x15\x33\x95\x31\xDA\xC0\x1B\xF2\xEE\x62\x99\x86\x63\x3F\xBF\xDD\x93\x2A\x83\xA8\x76\xB9\x13\x1F\xB7\xCE\x4E\x42\x85\x8F\x22\xE7\x2E\x1A\xF2\x95\x09\xB2\x05\xB5\x44\x4E\x77\xA1\x20\xBD\xA9\xF2\x4E\x0A\x7D\x50\xAD\xF5\x05\x0D\x45\x4F\x46\x71\xFD\x28\x3E\x53\xFB\x04\xD8\x2D\xD7\x65\x1D\x4A\x1B\xFA\xCF\x3B\xB0\x31\x9A\x35\x6E\xC8\x8B\x06\xD3\x00\x91\xF2\x94\x08\x65\x4C\xB1\x34\x06\x00\x7A\x89\xE2\xF0\xC7\x03\x59\xCF\xD5\xD6\xE8\xA7\x32\xB3\xE6\x98\x40\x86\xC5\xCD\x27\x12\x8
B\xCC\x7B\xCE\xB7\x11\x3C\x62\x60\x07\x23\x3E\x2B\x40\x6E\x94\x80\x09\x6D\xB6\xB3\x6F\x77\x6F\x35\x08\x50\xFB\x02\x87\xC5\x3E\x89\x02\x03\x01\x00\x01\xA3\x42\x30\x40\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x5B\xF8\x4D\x4F\xB2\xA5\x86\xD4\x3A\xD2\xF1\x63\x9A\xA0\xBE\x09\xF6\x57\xB7\xDE\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\xA0\xA1\x38\x16\x66\x2E\xA7\x56\x1F\x21\x9C\x06\xFA\x1D\xED\xB9\x22\xC5\x38\x26\xD8\x4E\x4F\xEC\xA3\x7F\x79\xDE\x46\x21\xA1\x87\x77\x8F\x07\x08\x9A\xB2\xA4\xC5\xAF\x0F\x32\x98\x0B\x7C\x66\x29\xB6\x9B\x7D\x25\x52\x49\x43\xAB\x4C\x2E\x2B\x6E\x7A\x70\xAF\x16\x0E\xE3\x02\x6C\xFB\x42\xE6\x18\x9D\x45\xD8\x55\xC8\xE8\x3B\xDD\xE7\xE1\xF4\x2E\x0B\x1C\x34\x5C\x6C\x58\x4A\xFB\x8C\x88\x50\x5F\x95\x1C\xBF\xED\xAB\x22\xB5\x65\xB3\x85\xBA\x9E\x0F\xB8\xAD\xE5\x7A\x1B\x8A\x50\x3A\x1D\xBD\x0D\xBC\x7B\x54\x50\x0B\xB9\x42\xAF\x55\xA0\x18\x81\xAD\x65\x99\xEF\xBE\xE4\x9C\xBF\xC4\x85\xAB\x41\xB2\x54\x6F\xDC\x25\xCD\xED\x78\xE2\x8E\x0C\x8D\x09\x49\xDD\x63\x7B\x5A\x69\x96\x02\x21\xA8\xBD\x52\x59\xE9\x7D\x35\xCB\xC8\x52\xCA\x7F\x81\xFE\xD9\x6B\xD3\xF7\x11\xED\x25\xDF\xF8\xE7\xF9\xA4\xFA\x72\x97\x84\x53\x0D\xA5\xD0\x32\x18\x51\x76\x59\x14\x6C\x0F\xEB\xEC\x5F\x80\x8C\x75\x43\x83\xC3\x85\x98\xFF\x4C\x9E\x2D\x0D\xE4\x77\x83\x93\x4E\xB5\x96\x07\x8B\x28\x13\x9B\x8C\x19\x8D\x41\x27\x49\x40\xEE\xDE\xE6\x23\x44\x39\xDC\xA1\x22\xD6\xBA\x03\xF2", - ["C=ES,O=EDICOM,OU=PKI,CN=ACEDICOM Root"] = 
"\x30\x82\x05\xB5\x30\x82\x03\x9D\xA0\x03\x02\x01\x02\x02\x08\x61\x8D\xC7\x86\x3B\x01\x82\x05\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x44\x31\x16\x30\x14\x06\x03\x55\x04\x03\x0C\x0D\x41\x43\x45\x44\x49\x43\x4F\x4D\x20\x52\x6F\x6F\x74\x31\x0C\x30\x0A\x06\x03\x55\x04\x0B\x0C\x03\x50\x4B\x49\x31\x0F\x30\x0D\x06\x03\x55\x04\x0A\x0C\x06\x45\x44\x49\x43\x4F\x4D\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x45\x53\x30\x1E\x17\x0D\x30\x38\x30\x34\x31\x38\x31\x36\x32\x34\x32\x32\x5A\x17\x0D\x32\x38\x30\x34\x31\x33\x31\x36\x32\x34\x32\x32\x5A\x30\x44\x31\x16\x30\x14\x06\x03\x55\x04\x03\x0C\x0D\x41\x43\x45\x44\x49\x43\x4F\x4D\x20\x52\x6F\x6F\x74\x31\x0C\x30\x0A\x06\x03\x55\x04\x0B\x0C\x03\x50\x4B\x49\x31\x0F\x30\x0D\x06\x03\x55\x04\x0A\x0C\x06\x45\x44\x49\x43\x4F\x4D\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x45\x53\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\xFF\x92\x95\xE1\x68\x06\x76\xB4\x2C\xC8\x58\x48\xCA\xFD\x80\x54\x29\x55\x63\x24\xFF\x90\x65\x9B\x10\x75\x7B\xC3\x6A\xDB\x62\x02\x01\xF2\x18\x86\xB5\x7C\x5A\x38\xB1\xE4\x58\xB9\xFB\xD3\xD8\x2D\x9F\xBD\x32\x37\xBF\x2C\x15\x6D\xBE\xB5\xF4\x21\xD2\x13\x91\xD9\x07\xAD\x01\x05\xD6\xF3\xBD\x77\xCE\x5F\x42\x81\x0A\xF9\x6A\xE3\x83\x00\xA8\x2B\x2E\x55\x13\x63\x81\xCA\x47\x1C\x7B\x5C\x16\x57\x7A\x1B\x83\x60\x04\x3A\x3E\x65\xC3\xCD\x01\xDE\xDE\xA4\xD6\x0C\xBA\x8E\xDE\xD9\x04\xEE\x17\x56\x22\x9B\x8F\x63\xFD\x4D\x16\x0B\xB7\x7B\x77\x8C\xF9\x25\xB5\xD1\x6D\x99\x12\x2E\x4F\x1A\xB8\xE6\xEA\x04\x92\xAE\x3D\x11\xB9\x51\x42\x3D\x87\xB0\x31\x85\xAF\x79\x5A\x9C\xFE\xE7\x4E\x5E\x92\x4F\x43\xFC\xAB\x3A\xAD\xA5\x12\x26\x66\xB9\xE2\x0C\xD7\x98\xCE\xD4\x58\xA5\x95\x40\x0A\xB7\x44\x9D\x13\x74\x2B\xC2\xA5\xEB\x22\x15\x98\x10\xD8\x8B\xC5\x04\x9F\x1D\x8F\x60\xE5\x06\x1B\x9B\xCF\xB9\x79\xA0\x3D\xA2\x23\x3F\x42\x3F\x6B\xFA\x1C\x03\x7B\x30\x8D\xCE\x6C\xC0\xBF\xE6\x1B\x5F\xBF\x67\xB8\x84\x19\xD5\x15\xEF\x7B\xCB\x90\x36\x31\x62\xC9\xBC\x02\xAB\x4
6\x5F\x9B\xFE\x1A\x68\x94\x34\x3D\x90\x8E\xAD\xF6\xE4\x1D\x09\x7F\x4A\x88\x38\x3F\xBE\x67\xFD\x34\x96\xF5\x1D\xBC\x30\x74\xCB\x38\xEE\xD5\x6C\xAB\xD4\xFC\xF4\x00\xB7\x00\x5B\x85\x32\x16\x76\x33\xE9\xD8\xA3\x99\x9D\x05\x00\xAA\x16\xE6\xF3\x81\x7D\x6F\x7D\xAA\x86\x6D\xAD\x15\x74\xD3\xC4\xA2\x71\xAA\xF4\x14\x7D\xE7\x32\xB8\x1F\xBC\xD5\xF1\x4E\xBD\x6F\x17\x02\x39\xD7\x0E\x95\x42\x3A\xC7\x00\x3E\xE9\x26\x63\x11\xEA\x0B\xD1\x4A\xFF\x18\x9D\xB2\xD7\x7B\x2F\x3A\xD9\x96\xFB\xE8\x1E\x92\xAE\x13\x55\xC8\xD9\x27\xF6\xDC\x48\x1B\xB0\x24\xC1\x85\xE3\x77\x9D\x9A\xA4\xF3\x0C\x11\x1D\x0D\xC8\xB4\x14\xEE\xB5\x82\x57\x09\xBF\x20\x58\x7F\x2F\x22\x23\xD8\x70\xCB\x79\x6C\xC9\x4B\xF2\xA9\x2A\xC8\xFC\x87\x2B\xD7\x1A\x50\xF8\x27\xE8\x2F\x43\xE3\x3A\xBD\xD8\x57\x71\xFD\xCE\xA6\x52\x5B\xF9\xDD\x4D\xED\xE5\xF6\x6F\x89\xED\xBB\x93\x9C\x76\x21\x75\xF0\x92\x4C\x29\xF7\x2F\x9C\x01\x2E\xFE\x50\x46\x9E\x64\x0C\x14\xB3\x07\x5B\xC5\xC2\x73\x6C\xF1\x07\x5C\x45\x24\x14\x35\xAE\x83\xF1\x6A\x4D\x89\x7A\xFA\xB3\xD8\x2D\x66\xF0\x36\x87\xF5\x2B\x53\x02\x03\x01\x00\x01\xA3\x81\xAA\x30\x81\xA7\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1F\x06\x03\x55\x1D\x23\x04\x18\x30\x16\x80\x14\xA6\xB3\xE1\x2B\x2B\x49\xB6\xD7\x73\xA1\xAA\x94\xF5\x01\xE7\x73\x65\x4C\xAC\x50\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x86\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xA6\xB3\xE1\x2B\x2B\x49\xB6\xD7\x73\xA1\xAA\x94\xF5\x01\xE7\x73\x65\x4C\xAC\x50\x30\x44\x06\x03\x55\x1D\x20\x04\x3D\x30\x3B\x30\x39\x06\x04\x55\x1D\x20\x00\x30\x31\x30\x2F\x06\x08\x2B\x06\x01\x05\x05\x07\x02\x01\x16\x23\x68\x74\x74\x70\x3A\x2F\x2F\x61\x63\x65\x64\x69\x63\x6F\x6D\x2E\x65\x64\x69\x63\x6F\x6D\x67\x72\x6F\x75\x70\x2E\x63\x6F\x6D\x2F\x64\x6F\x63\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x02\x01\x00\xCE\x2C\x0B\x52\x51\x62\x26\x7D\x0C\x27\x83\x8F\xC5\xF6\xDA\xA0\x68\x7B\x4F\x92\x5E\xEA\xA4\x73\x32\x11\x53\x44\xB2\x44\xCB\x9D\xEC\x0F\x79\x42\xB3\x10\xA6\xC7\x0D\x9D\xCB\xB6\xFA\x3F\x3
A\x7C\xEA\xBF\x88\x53\x1B\x3C\xF7\x82\xFA\x05\x35\x33\xE1\x35\xA8\x57\xC0\xE7\xFD\x8D\x4F\x3F\x93\x32\x4F\x78\x66\x03\x77\x07\x58\xE9\x95\xC8\x7E\x3E\xD0\x79\x00\x8C\xF2\x1B\x51\x33\x9B\xBC\x94\xE9\x3A\x7B\x6E\x52\x2D\x32\x9E\x23\xA4\x45\xFB\xB6\x2E\x13\xB0\x8B\x18\xB1\xDD\xCE\xD5\x1D\xA7\x42\x7F\x55\xBE\xFB\x5B\xBB\x47\xD4\xFC\x24\xCD\x04\xAE\x96\x05\x15\xD6\xAC\xCE\x30\xF3\xCA\x0B\xC5\xBA\xE2\x22\xE0\xA6\xAD\x22\xE4\x02\xEE\x74\x11\x7F\x4C\xFF\x78\x1D\x35\xDA\xE6\x02\x34\xEB\x18\x12\x61\x77\x06\x09\x16\x63\xEA\x18\xAD\xA2\x87\x1F\xF2\xC7\x80\x09\x09\x75\x4E\x10\xA8\x8F\x3D\x86\xB8\x75\x11\xC0\x24\x62\x8A\x96\x7B\x4A\x45\xE9\xEC\x59\xC5\xBE\x6B\x83\xE6\xE1\xE8\xAC\xB5\x30\x1E\xFE\x05\x07\x80\xF9\xE1\x23\x0D\x50\x8F\x05\x98\xFF\x2C\x5F\xE8\x3B\xB6\xAD\xCF\x81\xB5\x21\x87\xCA\x08\x2A\x23\x27\x30\x20\x2B\xCF\xED\x94\x5B\xAC\xB2\x7A\xD2\xC7\x28\xA1\x8A\x0B\x9B\x4D\x4A\x2C\x6D\x85\x3F\x09\x72\x3C\x67\xE2\xD9\xDC\x07\xBA\xEB\x65\x7B\x5A\x01\x63\xD6\x90\x5B\x4F\x17\x66\x3D\x7F\x0B\x19\xA3\x93\x63\x10\x52\x2A\x9F\x14\x16\x58\xE2\xDC\xA5\xF4\xA1\x16\x8B\x0E\x91\x8B\x81\xCA\x9B\x59\xFA\xD8\x6B\x91\x07\x65\x55\x5F\x52\x1F\xAF\x3A\xFB\x90\xDD\x69\xA5\x5B\x9C\x6D\x0E\x2C\xB6\xFA\xCE\xAC\xA5\x7C\x32\x4A\x67\x40\xDC\x30\x34\x23\xDD\xD7\x04\x23\x66\xF0\xFC\x55\x80\xA7\xFB\x66\x19\x82\x35\x67\x62\x70\x39\x5E\x6F\xC7\xEA\x90\x40\x44\x08\x1E\xB8\xB2\xD6\xDB\xEE\x59\xA7\x0D\x18\x79\x34\xBC\x54\x18\x5E\x53\xCA\x34\x51\xED\x45\x0A\xE6\x8E\xC7\x82\x36\x3E\xA7\x38\x63\xA9\x30\x2C\x17\x10\x60\x92\x9F\x55\x87\x12\x59\x10\xC2\x0F\x67\x69\x11\xCC\x4E\x1E\x7E\x4A\x9A\xAD\xAF\x40\xA8\x75\xAC\x56\x90\x74\xB8\xA0\x9C\xA5\x79\x6F\xDC\xE9\x1A\xC8\x69\x05\xE9\xBA\xFA\x03\xB3\x7C\xE4\xE0\x4E\xC2\xCE\x9D\xE8\xB6\x46\x0D\x6E\x7E\x57\x3A\x67\x94\xC2\xCB\x1F\x9C\x77\x4A\x67\x4E\x69\x86\x43\x93\x38\xFB\xB6\xDB\x4F\x83\x91\xD4\x60\x7E\x4B\x3E\x2B\x38\x07\x55\x98\x5E\xA4", ["emailAddress=info@e-szigno.hu,CN=Microsec e-Szigno Root CA 2009,O=Microsec Ltd.,L=Budapest,C=HU"] = 
"\x30\x82\x04\x0A\x30\x82\x02\xF2\xA0\x03\x02\x01\x02\x02\x09\x00\xC2\x7E\x43\x04\x4E\x47\x3F\x19\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x30\x81\x82\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x48\x55\x31\x11\x30\x0F\x06\x03\x55\x04\x07\x0C\x08\x42\x75\x64\x61\x70\x65\x73\x74\x31\x16\x30\x14\x06\x03\x55\x04\x0A\x0C\x0D\x4D\x69\x63\x72\x6F\x73\x65\x63\x20\x4C\x74\x64\x2E\x31\x27\x30\x25\x06\x03\x55\x04\x03\x0C\x1E\x4D\x69\x63\x72\x6F\x73\x65\x63\x20\x65\x2D\x53\x7A\x69\x67\x6E\x6F\x20\x52\x6F\x6F\x74\x20\x43\x41\x20\x32\x30\x30\x39\x31\x1F\x30\x1D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x09\x01\x16\x10\x69\x6E\x66\x6F\x40\x65\x2D\x73\x7A\x69\x67\x6E\x6F\x2E\x68\x75\x30\x1E\x17\x0D\x30\x39\x30\x36\x31\x36\x31\x31\x33\x30\x31\x38\x5A\x17\x0D\x32\x39\x31\x32\x33\x30\x31\x31\x33\x30\x31\x38\x5A\x30\x81\x82\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x48\x55\x31\x11\x30\x0F\x06\x03\x55\x04\x07\x0C\x08\x42\x75\x64\x61\x70\x65\x73\x74\x31\x16\x30\x14\x06\x03\x55\x04\x0A\x0C\x0D\x4D\x69\x63\x72\x6F\x73\x65\x63\x20\x4C\x74\x64\x2E\x31\x27\x30\x25\x06\x03\x55\x04\x03\x0C\x1E\x4D\x69\x63\x72\x6F\x73\x65\x63\x20\x65\x2D\x53\x7A\x69\x67\x6E\x6F\x20\x52\x6F\x6F\x74\x20\x43\x41\x20\x32\x30\x30\x39\x31\x1F\x30\x1D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x09\x01\x16\x10\x69\x6E\x66\x6F\x40\x65\x2D\x73\x7A\x69\x67\x6E\x6F\x2E\x68\x75\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xE9\xF8\x8F\xF3\x63\xAD\xDA\x86\xD8\xA7\xE0\x42\xFB\xCF\x91\xDE\xA6\x26\xF8\x99\xA5\x63\x70\xAD\x9B\xAE\xCA\x33\x40\x7D\x6D\x96\x6E\xA1\x0E\x44\xEE\xE1\x13\x9D\x94\x42\x52\x9A\xBD\x75\x85\x74\x2C\xA8\x0E\x1D\x93\xB6\x18\xB7\x8C\x2C\xA8\xCF\xFB\x5C\x71\xB9\xDA\xEC\xFE\xE8\x7E\x8F\xE4\x2F\x1D\xB2\xA8\x75\x87\xD8\xB7\xA1\xE5\x3B\xCF\x99\x4A\x46\xD0\x83\x19\x7D\xC0\xA1\x12\x1C\x95\x6D\x4A\xF4\xD8\xC7\xA5\x4D\x33\x2E\x85\x39\x40\x75\x7E\x14\x7C\x80\x12\x98\x50\xC7\x41\x67\xB8\xA0\x80\x61\x54\xA6\x6C\x4E\x1F\xE0\x9D\x0
E\x07\xE9\xC9\xBA\x33\xE7\xFE\xC0\x55\x28\x2C\x02\x80\xA7\x19\xF5\x9E\xDC\x55\x53\x03\x97\x7B\x07\x48\xFF\x99\xFB\x37\x8A\x24\xC4\x59\xCC\x50\x10\x63\x8E\xAA\xA9\x1A\xB0\x84\x1A\x86\xF9\x5F\xBB\xB1\x50\x6E\xA4\xD1\x0A\xCC\xD5\x71\x7E\x1F\xA7\x1B\x7C\xF5\x53\x6E\x22\x5F\xCB\x2B\xE6\xD4\x7C\x5D\xAE\xD6\xC2\xC6\x4C\xE5\x05\x01\xD9\xED\x57\xFC\xC1\x23\x79\xFC\xFA\xC8\x24\x83\x95\xF3\xB5\x6A\x51\x01\xD0\x77\xD6\xE9\x12\xA1\xF9\x1A\x83\xFB\x82\x1B\xB9\xB0\x97\xF4\x76\x06\x33\x43\x49\xA0\xFF\x0B\xB5\xFA\xB5\x02\x03\x01\x00\x01\xA3\x81\x80\x30\x7E\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xCB\x0F\xC6\xDF\x42\x43\xCC\x3D\xCB\xB5\x48\x23\xA1\x1A\x7A\xA6\x2A\xBB\x34\x68\x30\x1F\x06\x03\x55\x1D\x23\x04\x18\x30\x16\x80\x14\xCB\x0F\xC6\xDF\x42\x43\xCC\x3D\xCB\xB5\x48\x23\xA1\x1A\x7A\xA6\x2A\xBB\x34\x68\x30\x1B\x06\x03\x55\x1D\x11\x04\x14\x30\x12\x81\x10\x69\x6E\x66\x6F\x40\x65\x2D\x73\x7A\x69\x67\x6E\x6F\x2E\x68\x75\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x03\x82\x01\x01\x00\xC9\xD1\x0E\x5E\x2E\xD5\xCC\xB3\x7C\x3E\xCB\xFC\x3D\xFF\x0D\x28\x95\x93\x04\xC8\xBF\xDA\xCD\x79\xB8\x43\x90\xF0\xA4\xBE\xEF\xF2\xEF\x21\x98\xBC\xD4\xD4\x5D\x06\xF6\xEE\x42\xEC\x30\x6C\xA0\xAA\xA9\xCA\xF1\xAF\x8A\xFA\x3F\x0B\x73\x6A\x3E\xEA\x2E\x40\x7E\x1F\xAE\x54\x61\x79\xEB\x2E\x08\x37\xD7\x23\xF3\x8C\x9F\xBE\x1D\xB1\xE1\xA4\x75\xDB\xA0\xE2\x54\x14\xB1\xBA\x1C\x29\xA4\x18\xF6\x12\xBA\xA2\x14\x14\xE3\x31\x35\xC8\x40\xFF\xB7\xE0\x05\x76\x57\xC1\x1C\x59\xF2\xF8\xBF\xE4\xED\x25\x62\x5C\x84\xF0\x7E\x7E\x1F\xB3\xBE\xF9\xB7\x21\x11\xCC\x03\x01\x56\x70\xA7\x10\x92\x1E\x1B\x34\x81\x1E\xAD\x9C\x1A\xC3\x04\x3C\xED\x02\x61\xD6\x1E\x06\xF3\x5F\x3A\x87\xF2\x2B\xF1\x45\x87\xE5\x3D\xAC\xD1\xC7\x57\x84\xBD\x6B\xAE\xDC\xD8\xF9\xB6\x1B\x62\x70\x0B\x3D\x36\xC9\x42\xF2\x32\xD7\x7A\x61\xE6\xD2\xDB\x3D\xCF\xC8\xA9\xC9\x9B\xDC\xDB\x58\x44\xD7\x6F\x38\xAF\x7F\x78\xD3\xA3\xAD\x1A\x7
5\xBA\x1C\xC1\x36\x7C\x8F\x1E\x6D\x1C\xC3\x75\x46\xAE\x35\x05\xA6\xF6\x5C\x3D\x21\xEE\x56\xF0\xC9\x82\x22\x2D\x7A\x54\xAB\x70\xC3\x7D\x22\x65\x82\x70\x96", ["CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R3"] = "\x30\x82\x03\x5F\x30\x82\x02\x47\xA0\x03\x02\x01\x02\x02\x0B\x04\x00\x00\x00\x00\x01\x21\x58\x53\x08\xA2\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x30\x4C\x31\x20\x30\x1E\x06\x03\x55\x04\x0B\x13\x17\x47\x6C\x6F\x62\x61\x6C\x53\x69\x67\x6E\x20\x52\x6F\x6F\x74\x20\x43\x41\x20\x2D\x20\x52\x33\x31\x13\x30\x11\x06\x03\x55\x04\x0A\x13\x0A\x47\x6C\x6F\x62\x61\x6C\x53\x69\x67\x6E\x31\x13\x30\x11\x06\x03\x55\x04\x03\x13\x0A\x47\x6C\x6F\x62\x61\x6C\x53\x69\x67\x6E\x30\x1E\x17\x0D\x30\x39\x30\x33\x31\x38\x31\x30\x30\x30\x30\x30\x5A\x17\x0D\x32\x39\x30\x33\x31\x38\x31\x30\x30\x30\x30\x30\x5A\x30\x4C\x31\x20\x30\x1E\x06\x03\x55\x04\x0B\x13\x17\x47\x6C\x6F\x62\x61\x6C\x53\x69\x67\x6E\x20\x52\x6F\x6F\x74\x20\x43\x41\x20\x2D\x20\x52\x33\x31\x13\x30\x11\x06\x03\x55\x04\x0A\x13\x0A\x47\x6C\x6F\x62\x61\x6C\x53\x69\x67\x6E\x31\x13\x30\x11\x06\x03\x55\x04\x03\x13\x0A\x47\x6C\x6F\x62\x61\x6C\x53\x69\x67\x6E\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xCC\x25\x76\x90\x79\x06\x78\x22\x16\xF5\xC0\x83\xB6\x84\xCA\x28\x9E\xFD\x05\x76\x11\xC5\xAD\x88\x72\xFC\x46\x02\x43\xC7\xB2\x8A\x9D\x04\x5F\x24\xCB\x2E\x4B\xE1\x60\x82\x46\xE1\x52\xAB\x0C\x81\x47\x70\x6C\xDD\x64\xD1\xEB\xF5\x2C\xA3\x0F\x82\x3D\x0C\x2B\xAE\x97\xD7\xB6\x14\x86\x10\x79\xBB\x3B\x13\x80\x77\x8C\x08\xE1\x49\xD2\x6A\x62\x2F\x1F\x5E\xFA\x96\x68\xDF\x89\x27\x95\x38\x9F\x06\xD7\x3E\xC9\xCB\x26\x59\x0D\x73\xDE\xB0\xC8\xE9\x26\x0E\x83\x15\xC6\xEF\x5B\x8B\xD2\x04\x60\xCA\x49\xA6\x28\xF6\x69\x3B\xF6\xCB\xC8\x28\x91\xE5\x9D\x8A\x61\x57\x37\xAC\x74\x14\xDC\x74\xE0\x3A\xEE\x72\x2F\x2E\x9C\xFB\xD0\xBB\xBF\xF5\x3D\x00\xE1\x06\x33\xE8\x82\x2B\xAE\x53\xA6\x3A\x16\x73\x8C\xDD\x41\x0E\x20\x3A\xC0\xB4\xA7\xA1\xE9\xB2\x4F\x90\x2E\x3
2\x60\xE9\x57\xCB\xB9\x04\x92\x68\x68\xE5\x38\x26\x60\x75\xB2\x9F\x77\xFF\x91\x14\xEF\xAE\x20\x49\xFC\xAD\x40\x15\x48\xD1\x02\x31\x61\x19\x5E\xB8\x97\xEF\xAD\x77\xB7\x64\x9A\x7A\xBF\x5F\xC1\x13\xEF\x9B\x62\xFB\x0D\x6C\xE0\x54\x69\x16\xA9\x03\xDA\x6E\xE9\x83\x93\x71\x76\xC6\x69\x85\x82\x17\x02\x03\x01\x00\x01\xA3\x42\x30\x40\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x8F\xF0\x4B\x7F\xA8\x2E\x45\x24\xAE\x4D\x50\xFA\x63\x9A\x8B\xDE\xE2\xDD\x1B\xBC\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x03\x82\x01\x01\x00\x4B\x40\xDB\xC0\x50\xAA\xFE\xC8\x0C\xEF\xF7\x96\x54\x45\x49\xBB\x96\x00\x09\x41\xAC\xB3\x13\x86\x86\x28\x07\x33\xCA\x6B\xE6\x74\xB9\xBA\x00\x2D\xAE\xA4\x0A\xD3\xF5\xF1\xF1\x0F\x8A\xBF\x73\x67\x4A\x83\xC7\x44\x7B\x78\xE0\xAF\x6E\x6C\x6F\x03\x29\x8E\x33\x39\x45\xC3\x8E\xE4\xB9\x57\x6C\xAA\xFC\x12\x96\xEC\x53\xC6\x2D\xE4\x24\x6C\xB9\x94\x63\xFB\xDC\x53\x68\x67\x56\x3E\x83\xB8\xCF\x35\x21\xC3\xC9\x68\xFE\xCE\xDA\xC2\x53\xAA\xCC\x90\x8A\xE9\xF0\x5D\x46\x8C\x95\xDD\x7A\x58\x28\x1A\x2F\x1D\xDE\xCD\x00\x37\x41\x8F\xED\x44\x6D\xD7\x53\x28\x97\x7E\xF3\x67\x04\x1E\x15\xD7\x8A\x96\xB4\xD3\xDE\x4C\x27\xA4\x4C\x1B\x73\x73\x76\xF4\x17\x99\xC2\x1F\x7A\x0E\xE3\x2D\x08\xAD\x0A\x1C\x2C\xFF\x3C\xAB\x55\x0E\x0F\x91\x7E\x36\xEB\xC3\x57\x49\xBE\xE1\x2E\x2D\x7C\x60\x8B\xC3\x41\x51\x13\x23\x9D\xCE\xF7\x32\x6B\x94\x01\xA8\x99\xE7\x2C\x33\x1F\x3A\x3B\x25\xD2\x86\x40\xCE\x3B\x2C\x86\x78\xC9\x61\x2F\x14\xBA\xEE\xDB\x55\x6F\xDF\x84\xEE\x05\x09\x4D\xBD\x28\xD8\x72\xCE\xD3\x62\x50\x65\x1E\xEB\x92\x97\x83\x31\xD9\xB3\xB5\xCA\x47\x58\x3F\x5F", ["CN=Autoridad de Certificacion Firmaprofesional CIF A62634068,C=ES"] = 
"\x30\x82\x06\x14\x30\x82\x03\xFC\xA0\x03\x02\x01\x02\x02\x08\x53\xEC\x3B\xEE\xFB\xB2\x48\x5F\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x51\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x45\x53\x31\x42\x30\x40\x06\x03\x55\x04\x03\x0C\x39\x41\x75\x74\x6F\x72\x69\x64\x61\x64\x20\x64\x65\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x63\x69\x6F\x6E\x20\x46\x69\x72\x6D\x61\x70\x72\x6F\x66\x65\x73\x69\x6F\x6E\x61\x6C\x20\x43\x49\x46\x20\x41\x36\x32\x36\x33\x34\x30\x36\x38\x30\x1E\x17\x0D\x30\x39\x30\x35\x32\x30\x30\x38\x33\x38\x31\x35\x5A\x17\x0D\x33\x30\x31\x32\x33\x31\x30\x38\x33\x38\x31\x35\x5A\x30\x51\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x45\x53\x31\x42\x30\x40\x06\x03\x55\x04\x03\x0C\x39\x41\x75\x74\x6F\x72\x69\x64\x61\x64\x20\x64\x65\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x63\x69\x6F\x6E\x20\x46\x69\x72\x6D\x61\x70\x72\x6F\x66\x65\x73\x69\x6F\x6E\x61\x6C\x20\x43\x49\x46\x20\x41\x36\x32\x36\x33\x34\x30\x36\x38\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\xCA\x96\x6B\x8E\xEA\xF8\xFB\xF1\xA2\x35\xE0\x7F\x4C\xDA\xE0\xC3\x52\xD7\x7D\xB6\x10\xC8\x02\x5E\xB3\x43\x2A\xC4\x4F\x6A\xB2\xCA\x1C\x5D\x28\x9A\x78\x11\x1A\x69\x59\x57\xAF\xB5\x20\x42\xE4\x8B\x0F\xE6\xDF\x5B\xA6\x03\x92\x2F\xF5\x11\xE4\x62\xD7\x32\x71\x38\xD9\x04\x0C\x71\xAB\x3D\x51\x7E\x0F\x07\xDF\x63\x05\x5C\xE9\xBF\x94\x6F\xC1\x29\x82\xC0\xB4\xDA\x51\xB0\xC1\x3C\xBB\xAD\x37\x4A\x5C\xCA\xF1\x4B\x36\x0E\x24\xAB\xBF\xC3\x84\x77\xFD\xA8\x50\xF4\xB1\xE7\xC6\x2F\xD2\x2D\x59\x8D\x7A\x0A\x4E\x96\x69\x52\x02\xAA\x36\x98\xEC\xFC\xFA\x14\x83\x0C\x37\x1F\xC9\x92\x37\x7F\xD7\x81\x2D\xE5\xC4\xB9\xE0\x3E\x34\xFE\x67\xF4\x3E\x66\xD1\xD3\xF4\x40\xCF\x5E\x62\x34\x0F\x70\x06\x3E\x20\x18\x5A\xCE\xF7\x72\x1B\x25\x6C\x93\x74\x14\x93\xA3\x73\xB1\x0E\xAA\x87\x10\x23\x59\x5F\x20\x05\x19\x47\xED\x68\x8E\x92\x12\xCA\x5D\xFC\xD6\x2B\xB2\x92\x3C\x20\xCF\xE1\x5F\xAF\x20\xBE\xA0\x76\x7F\x76\xE5\xEC\x1A\x86\x61\x33\x3E\xE7\x7B\xB4\x3F\xA
0\x0F\x8E\xA2\xB9\x6A\x6F\xB9\x87\x26\x6F\x41\x6C\x88\xA6\x50\xFD\x6A\x63\x0B\xF5\x93\x16\x1B\x19\x8F\xB2\xED\x9B\x9B\xC9\x90\xF5\x01\x0C\xDF\x19\x3D\x0F\x3E\x38\x23\xC9\x2F\x8F\x0C\xD1\x02\xFE\x1B\x55\xD6\x4E\xD0\x8D\x3C\xAF\x4F\xA4\xF3\xFE\xAF\x2A\xD3\x05\x9D\x79\x08\xA1\xCB\x57\x31\xB4\x9C\xC8\x90\xB2\x67\xF4\x18\x16\x93\x3A\xFC\x47\xD8\xD1\x78\x96\x31\x1F\xBA\x2B\x0C\x5F\x5D\x99\xAD\x63\x89\x5A\x24\x20\x76\xD8\xDF\xFD\xAB\x4E\xA6\x22\xAA\x9D\x5E\xE6\x27\x8A\x7D\x68\x29\xA3\xE7\x8A\xB8\xDA\x11\xBB\x17\x2D\x99\x9D\x13\x24\x46\xF7\xC5\xE2\xD8\x9F\x8E\x7F\xC7\x8F\x74\x6D\x5A\xB2\xE8\x72\xF5\xAC\xEE\x24\x10\xAD\x2F\x14\xDA\xFF\x2D\x9A\x46\x71\x47\xBE\x42\xDF\xBB\x01\xDB\xF4\x7F\xD3\x28\x8F\x31\x59\x5B\xD3\xC9\x02\xA6\xB4\x52\xCA\x6E\x97\xFB\x43\xC5\x08\x26\x6F\x8A\xF4\xBB\xFD\x9F\x28\xAA\x0D\xD5\x45\xF3\x13\x3A\x1D\xD8\xC0\x78\x8F\x41\x67\x3C\x1E\x94\x64\xAE\x7B\x0B\xC5\xE8\xD9\x01\x88\x39\x1A\x97\x86\x64\x41\xD5\x3B\x87\x0C\x6E\xFA\x0F\xC6\xBD\x48\x14\xBF\x39\x4D\xD4\x9E\x41\xB6\x8F\x96\x1D\x63\x96\x93\xD9\x95\x06\x78\x31\x68\x9E\x37\x06\x3B\x80\x89\x45\x61\x39\x23\xC7\x1B\x44\xA3\x15\xE5\x1C\xF8\x92\x30\xBB\x02\x03\x01\x00\x01\xA3\x81\xEF\x30\x81\xEC\x30\x12\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x08\x30\x06\x01\x01\xFF\x02\x01\x01\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x65\xCD\xEB\xAB\x35\x1E\x00\x3E\x7E\xD5\x74\xC0\x1C\xB4\x73\x47\x0E\x1A\x64\x2F\x30\x81\xA6\x06\x03\x55\x1D\x20\x04\x81\x9E\x30\x81\x9B\x30\x81\x98\x06\x04\x55\x1D\x20\x00\x30\x81\x8F\x30\x2F\x06\x08\x2B\x06\x01\x05\x05\x07\x02\x01\x16\x23\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x66\x69\x72\x6D\x61\x70\x72\x6F\x66\x65\x73\x69\x6F\x6E\x61\x6C\x2E\x63\x6F\x6D\x2F\x63\x70\x73\x30\x5C\x06\x08\x2B\x06\x01\x05\x05\x07\x02\x02\x30\x50\x1E\x4E\x00\x50\x00\x61\x00\x73\x00\x65\x00\x6F\x00\x20\x00\x64\x00\x65\x00\x20\x00\x6C\x00\x61\x00\x20\x00\x42\x00\x6F\x00\x6E\x00\x61\x00\x6E\x00\x6F\x00\x76\x00\x61\x00\x20\x00\x34\x00\x37\x00\x20\x00\x4
2\x00\x61\x00\x72\x00\x63\x00\x65\x00\x6C\x00\x6F\x00\x6E\x00\x61\x00\x20\x00\x30\x00\x38\x00\x30\x00\x31\x00\x37\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x02\x01\x00\x17\x7D\xA0\xF9\xB4\xDD\xC5\xC5\xEB\xAD\x4B\x24\xB5\xA1\x02\xAB\xDD\xA5\x88\x4A\xB2\x0F\x55\x4B\x2B\x57\x8C\x3B\xE5\x31\xDD\xFE\xC4\x32\xF1\xE7\x5B\x64\x96\x36\x32\x18\xEC\xA5\x32\x77\xD7\xE3\x44\xB6\xC0\x11\x2A\x80\xB9\x3D\x6A\x6E\x7C\x9B\xD3\xAD\xFC\xC3\xD6\xA3\xE6\x64\x29\x7C\xD1\xE1\x38\x1E\x82\x2B\xFF\x27\x65\xAF\xFB\x16\x15\xC4\x2E\x71\x84\xE5\xB5\xFF\xFA\xA4\x47\xBD\x64\x32\xBB\xF6\x25\x84\xA2\x27\x42\xF5\x20\xB0\xC2\x13\x10\x11\xCD\x10\x15\xBA\x42\x90\x2A\xD2\x44\xE1\x96\x26\xEB\x31\x48\x12\xFD\x2A\xDA\xC9\x06\xCF\x74\x1E\xA9\x4B\xD5\x87\x28\xF9\x79\x34\x92\x3E\x2E\x44\xE8\xF6\x8F\x4F\x8F\x35\x3F\x25\xB3\x39\xDC\x63\x2A\x90\x6B\x20\x5F\xC4\x52\x12\x4E\x97\x2C\x2A\xAC\x9D\x97\xDE\x48\xF2\xA3\x66\xDB\xC2\xD2\x83\x95\xA6\x66\xA7\x9E\x25\x0F\xE9\x0B\x33\x91\x65\x0A\x5A\xC3\xD9\x54\x12\xDD\xAF\xC3\x4E\x0E\x1F\x26\x5E\x0D\xDC\xB3\x8D\xEC\xD5\x81\x70\xDE\xD2\x4F\x24\x05\xF3\x6C\x4E\xF5\x4C\x49\x66\x8D\xD1\xFF\xD2\x0B\x25\x41\x48\xFE\x51\x84\xC6\x42\xAF\x80\x04\xCF\xD0\x7E\x64\x49\xE4\xF2\xDF\xA2\xEC\xB1\x4C\xC0\x2A\x1D\xE7\xB4\xB1\x65\xA2\xC4\xBC\xF1\x98\xF4\xAA\x70\x07\x63\xB4\xB8\xDA\x3B\x4C\xFA\x40\x22\x30\x5B\x11\xA6\xF0\x05\x0E\xC6\x02\x03\x48\xAB\x86\x9B\x85\xDD\xDB\xDD\xEA\xA2\x76\x80\x73\x7D\xF5\x9C\x04\xC4\x45\x8D\xE7\xB9\x1C\x8B\x9E\xEA\xD7\x75\xD1\x72\xB1\xDE\x75\x44\xE7\x42\x7D\xE2\x57\x6B\x7D\xDC\x99\xBC\x3D\x83\x28\xEA\x80\x93\x8D\xC5\x4C\x65\xC1\x70\x81\xB8\x38\xFC\x43\x31\xB2\xF6\x03\x34\x47\xB2\xAC\xFB\x22\x06\xCB\x1E\xDD\x17\x47\x1C\x5F\x66\xB9\xD3\x1A\xA2\xDA\x11\xB1\xA4\xBC\x23\xC9\xE4\xBE\x87\xFF\xB9\x94\xB6\xF8\x5D\x20\x4A\xD4\x5F\xE7\xBD\x68\x7B\x65\xF2\x15\x1E\xD2\x3A\xA9\x2D\xE9\xD8\x6B\x24\xAC\x97\x58\x44\x47\xAD\x59\x18\xF1\x21\x65\x70\xDE\xCE\x34\x60\xA8\x40\xF1\xF3\x3C\xA4\xC3\x28\x23\x8C\xFE\x27\x33\x43\x40\xA0\x17\x3C\xEB\xEA\x3B\xB0\x72\xA6\xA
3\xB9\x4A\x4B\x5E\x16\x48\xF4\xB2\xBC\xC8\x8C\x92\xC5\x9D\x9F\xAC\x72\x36\xBC\x34\x80\x34\x6B\xA9\x8B\x92\xC0\xB8\x17\xED\xEC\x76\x53\xF5\x24\x01\x8C\xB3\x22\xE8\x4B\x7C\x55\xC6\x9D\xFA\xA3\x14\xBB\x65\x85\x6E\x6E\x4F\x12\x7E\x0A\x3C\x9D\x95", 
@@ -102,27 +77,18 @@ redef root_certs += { ["CN=AffirmTrust Premium,O=AffirmTrust,C=US"] = "\x30\x82\x05\x46\x30\x82\x03\x2E\xA0\x03\x02\x01\x02\x02\x08\x6D\x8C\x14\x46\xB1\xA6\x0A\xEE\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0C\x05\x00\x30\x41\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x14\x30\x12\x06\x03\x55\x04\x0A\x0C\x0B\x41\x66\x66\x69\x72\x6D\x54\x72\x75\x73\x74\x31\x1C\x30\x1A\x06\x03\x55\x04\x03\x0C\x13\x41\x66\x66\x69\x72\x6D\x54\x72\x75\x73\x74\x20\x50\x72\x65\x6D\x69\x75\x6D\x30\x1E\x17\x0D\x31\x30\x30\x31\x32\x39\x31\x34\x31\x30\x33\x36\x5A\x17\x0D\x34\x30\x31\x32\x33\x31\x31\x34\x31\x30\x33\x36\x5A\x30\x41\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x14\x30\x12\x06\x03\x55\x04\x0A\x0C\x0B\x41\x66\x66\x69\x72\x6D\x54\x72\x75\x73\x74\x31\x1C\x30\x1A\x06\x03\x55\x04\x03\x0C\x13\x41\x66\x66\x69\x72\x6D\x54\x72\x75\x73\x74\x20\x50\x72\x65\x6D\x69\x75\x6D\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\xC4\x12\xDF\xA9\x5F\xFE\x41\xDD\xDD\xF5\x9F\x8A\xE3\xF6\xAC\xE1\x3C\x78\x9A\xBC\xD8\xF0\x7F\x7A\xA0\x33\x2A\xDC\x8D\x20\x5B\xAE\x2D\x6F\xE7\x93\xD9\x36\x70\x6A\x68\xCF\x8E\x51\xA3\x85\x5B\x67\x04\xA0\x10\x24\x6F\x5D\x28\x82\xC1\x97\x57\xD8\x48\x29\x13\xB6\xE1\xBE\x91\x4D\xDF\x85\x0C\x53\x18\x9A\x1E\x24\xA2\x4F\x8F\xF0\xA2\x85\x0B\xCB\xF4\x29\x7F\xD2\xA4\x58\xEE\x26\x4D\xC9\xAA\xA8\x7B\x9A\xD9\xFA\x38\xDE\x44\x57\x15\xE5\xF8\x8C\xC8\xD9\x48\xE2\x0D\x16\x27\x1D\x1E\xC8\x83\x85\x25\xB7\xBA\xAA\x55\x41\xCC\x03\x22\x4B\x2D\x91\x8D\x8B\xE6\x89\xAF\x66\xC7\xE9\xFF\x2B\xE9\x3C\xAC\xDA\xD2\xB3\xC3\xE1\x68\x9C\x89\xF8\x7A\x00\x56\xDE\xF4\x55\x95\x6C\xFB\xBA\x64\xDD\x62\x8B\xDF\x0B\x77\x32\xEB\x62\xCC\x26\x9A\x9B\xBB\xAA\x62\x83\x4C\xB4\x06\x7A\x30\xC8\x29\xBF\xED\x06\x4D\x97\xB9\x1C\xC4\x31\x2B\xD5\x5F\xBC\x53\x12\x17\x9C\x99\x57\x29\x66\x77\x61\x21\x31\x07\x2E\x25\x49\x9D\x18\xF2\xEE\xF3\x2B\x71\x8C\xB5\xBA\x39\x07\x49\x77\xFC\xEF\x2E\x92\x90\x05\x8D\x2D
\x2F\x77\x7B\xEF\x43\xBF\x35\xBB\x9A\xD8\xF9\x73\xA7\x2C\xF2\xD0\x57\xEE\x28\x4E\x26\x5F\x8F\x90\x68\x09\x2F\xB8\xF8\xDC\x06\xE9\x2E\x9A\x3E\x51\xA7\xD1\x22\xC4\x0A\xA7\x38\x48\x6C\xB3\xF9\xFF\x7D\xAB\x86\x57\xE3\xBA\xD6\x85\x78\x77\xBA\x43\xEA\x48\x7F\xF6\xD8\xBE\x23\x6D\x1E\xBF\xD1\x36\x6C\x58\x5C\xF1\xEE\xA4\x19\x54\x1A\xF5\x03\xD2\x76\xE6\xE1\x8C\xBD\x3C\xB3\xD3\x48\x4B\xE2\xC8\xF8\x7F\x92\xA8\x76\x46\x9C\x42\x65\x3E\xA4\x1E\xC1\x07\x03\x5A\x46\x2D\xB8\x97\xF3\xB7\xD5\xB2\x55\x21\xEF\xBA\xDC\x4C\x00\x97\xFB\x14\x95\x27\x33\xBF\xE8\x43\x47\x46\xD2\x08\x99\x16\x60\x3B\x9A\x7E\xD2\xE6\xED\x38\xEA\xEC\x01\x1E\x3C\x48\x56\x49\x09\xC7\x4C\x37\x00\x9E\x88\x0E\xC0\x73\xE1\x6F\x66\xE9\x72\x47\x30\x3E\x10\xE5\x0B\x03\xC9\x9A\x42\x00\x6C\xC5\x94\x7E\x61\xC4\x8A\xDF\x7F\x82\x1A\x0B\x59\xC4\x59\x32\x77\xB3\xBC\x60\x69\x56\x39\xFD\xB4\x06\x7B\x2C\xD6\x64\x36\xD9\xBD\x48\xED\x84\x1F\x7E\xA5\x22\x8F\x2A\xB8\x42\xF4\x82\xB7\xD4\x53\x90\x78\x4E\x2D\x1A\xFD\x81\x6F\x44\xD7\x3B\x01\x74\x96\x42\xE0\x00\xE2\x2E\x6B\xEA\xC5\xEE\x72\xAC\xBB\xBF\xFE\xEA\xAA\xA8\xF8\xDC\xF6\xB2\x79\x8A\xB6\x67\x02\x03\x01\x00\x01\xA3\x42\x30\x40\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x9D\xC0\x67\xA6\x0C\x22\xD9\x26\xF5\x45\xAB\xA6\x65\x52\x11\x27\xD8\x45\xAC\x63\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0C\x05\x00\x03\x82\x02\x01\x00\xB3\x57\x4D\x10\x62\x4E\x3A\xE4\xAC\xEA\xB8\x1C\xAF\x32\x23\xC8\xB3\x49\x5A\x51\x9C\x76\x28\x8D\x79\xAA\x57\x46\x17\xD5\xF5\x52\xF6\xB7\x44\xE8\x08\x44\xBF\x18\x84\xD2\x0B\x80\xCD\xC5\x12\xFD\x00\x55\x05\x61\x87\x41\xDC\xB5\x24\x9E\x3C\xC4\xD8\xC8\xFB\x70\x9E\x2F\x78\x96\x83\x20\x36\xDE\x7C\x0F\x69\x13\x88\xA5\x75\x36\x98\x08\xA6\xC6\xDF\xAC\xCE\xE3\x58\xD6\xB7\x3E\xDE\xBA\xF3\xEB\x34\x40\xD8\xA2\x81\xF5\x78\x3F\x2F\xD5\xA5\xFC\xD9\xA2\xD4\x5E\x04\x0E\x17\xAD\xFE\x41\xF0\xE5\xB2\x72\xFA\x44\x82\x33\x42\xE8\x2D\x58\xF7\x56\x8C\x62\x3F
\xBA\x42\xB0\x9C\x0C\x5C\x7E\x2E\x65\x26\x5C\x53\x4F\x00\xB2\x78\x7E\xA1\x0D\x99\x2D\x8D\xB8\x1D\x8E\xA2\xC4\xB0\xFD\x60\xD0\x30\xA4\x8E\xC8\x04\x62\xA9\xC4\xED\x35\xDE\x7A\x97\xED\x0E\x38\x5E\x92\x2F\x93\x70\xA5\xA9\x9C\x6F\xA7\x7D\x13\x1D\x7E\xC6\x08\x48\xB1\x5E\x67\xEB\x51\x08\x25\xE9\xE6\x25\x6B\x52\x29\x91\x9C\xD2\x39\x73\x08\x57\xDE\x99\x06\xB4\x5B\x9D\x10\x06\xE1\xC2\x00\xA8\xB8\x1C\x4A\x02\x0A\x14\xD0\xC1\x41\xCA\xFB\x8C\x35\x21\x7D\x82\x38\xF2\xA9\x54\x91\x19\x35\x93\x94\x6D\x6A\x3A\xC5\xB2\xD0\xBB\x89\x86\x93\xE8\x9B\xC9\x0F\x3A\xA7\x7A\xB8\xA1\xF0\x78\x46\xFA\xFC\x37\x2F\xE5\x8A\x84\xF3\xDF\xFE\x04\xD9\xA1\x68\xA0\x2F\x24\xE2\x09\x95\x06\xD5\x95\xCA\xE1\x24\x96\xEB\x7C\xF6\x93\x05\xBB\xED\x73\xE9\x2D\xD1\x75\x39\xD7\xE7\x24\xDB\xD8\x4E\x5F\x43\x8F\x9E\xD0\x14\x39\xBF\x55\x70\x48\x99\x57\x31\xB4\x9C\xEE\x4A\x98\x03\x96\x30\x1F\x60\x06\xEE\x1B\x23\xFE\x81\x60\x23\x1A\x47\x62\x85\xA5\xCC\x19\x34\x80\x6F\xB3\xAC\x1A\xE3\x9F\xF0\x7B\x48\xAD\xD5\x01\xD9\x67\xB6\xA9\x72\x93\xEA\x2D\x66\xB5\xB2\xB8\xE4\x3D\x3C\xB2\xEF\x4C\x8C\xEA\xEB\x07\xBF\xAB\x35\x9A\x55\x86\xBC\x18\xA6\xB5\xA8\x5E\xB4\x83\x6C\x6B\x69\x40\xD3\x9F\xDC\xF1\xC3\x69\x6B\xB9\xE1\x6D\x09\xF4\xF1\xAA\x50\x76\x0A\x7A\x7D\x7A\x17\xA1\x55\x96\x42\x99\x31\x09\xDD\x60\x11\x8D\x05\x30\x7E\xE6\x8E\x46\xD1\x9D\x14\xDA\xC7\x17\xE4\x05\x96\x8C\xC4\x24\xB5\x1B\xCF\x14\x07\xB2\x40\xF8\xA3\x9E\x41\x86\xBC\x04\xD0\x6B\x96\xC8\x2A\x80\x34\xFD\xBF\xEF\x06\xA3\xDD\x58\xC5\x85\x3D\x3E\x8F\xFE\x9E\x29\xE0\xB6\xB8\x09\x68\x19\x1C\x18\x43", ["CN=AffirmTrust Premium ECC,O=AffirmTrust,C=US"] = 
"\x30\x82\x01\xFE\x30\x82\x01\x85\xA0\x03\x02\x01\x02\x02\x08\x74\x97\x25\x8A\xC7\x3F\x7A\x54\x30\x0A\x06\x08\x2A\x86\x48\xCE\x3D\x04\x03\x03\x30\x45\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x14\x30\x12\x06\x03\x55\x04\x0A\x0C\x0B\x41\x66\x66\x69\x72\x6D\x54\x72\x75\x73\x74\x31\x20\x30\x1E\x06\x03\x55\x04\x03\x0C\x17\x41\x66\x66\x69\x72\x6D\x54\x72\x75\x73\x74\x20\x50\x72\x65\x6D\x69\x75\x6D\x20\x45\x43\x43\x30\x1E\x17\x0D\x31\x30\x30\x31\x32\x39\x31\x34\x32\x30\x32\x34\x5A\x17\x0D\x34\x30\x31\x32\x33\x31\x31\x34\x32\x30\x32\x34\x5A\x30\x45\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x14\x30\x12\x06\x03\x55\x04\x0A\x0C\x0B\x41\x66\x66\x69\x72\x6D\x54\x72\x75\x73\x74\x31\x20\x30\x1E\x06\x03\x55\x04\x03\x0C\x17\x41\x66\x66\x69\x72\x6D\x54\x72\x75\x73\x74\x20\x50\x72\x65\x6D\x69\x75\x6D\x20\x45\x43\x43\x30\x76\x30\x10\x06\x07\x2A\x86\x48\xCE\x3D\x02\x01\x06\x05\x2B\x81\x04\x00\x22\x03\x62\x00\x04\x0D\x30\x5E\x1B\x15\x9D\x03\xD0\xA1\x79\x35\xB7\x3A\x3C\x92\x7A\xCA\x15\x1C\xCD\x62\xF3\x9C\x26\x5C\x07\x3D\xE5\x54\xFA\xA3\xD6\xCC\x12\xEA\xF4\x14\x5F\xE8\x8E\x19\xAB\x2F\x2E\x48\xE6\xAC\x18\x43\x78\xAC\xD0\x37\xC3\xBD\xB2\xCD\x2C\xE6\x47\xE2\x1A\xE6\x63\xB8\x3D\x2E\x2F\x78\xC4\x4F\xDB\xF4\x0F\xA4\x68\x4C\x55\x72\x6B\x95\x1D\x4E\x18\x42\x95\x78\xCC\x37\x3C\x91\xE2\x9B\x65\x2B\x29\xA3\x42\x30\x40\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x9A\xAF\x29\x7A\xC0\x11\x35\x35\x26\x51\x30\x00\xC3\x6A\xFE\x40\xD5\xAE\xD6\x3C\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0A\x06\x08\x2A\x86\x48\xCE\x3D\x04\x03\x03\x03\x67\x00\x30\x64\x02\x30\x17\x09\xF3\x87\x88\x50\x5A\xAF\xC8\xC0\x42\xBF\x47\x5F\xF5\x6C\x6A\x86\xE0\xC4\x27\x74\xE4\x38\x53\xD7\x05\x7F\x1B\x34\xE3\xC6\x2F\xB3\xCA\x09\x3C\x37\x9D\xD7\xE7\xB8\x46\xF1\xFD\xA1\xE2\x71\x02\x30\x42\x59\x87\x43\xD4\x51\xDF\xBA\xD3\x09\x32\x5A\xCE\x88\x7E\x57\x3D\x9C\x5F\x42\x6B\xF5\x07\x2D\xB5\xF0\x82\x93\xF9\x59\x6F\xAE\x64\xF
A\x58\xE5\x8B\x1E\xE3\x63\xBE\xB5\x81\xCD\x6F\x02\x8C\x79", ["CN=Certum Trusted Network CA,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL"] = "\x30\x82\x03\xBB\x30\x82\x02\xA3\xA0\x03\x02\x01\x02\x02\x03\x04\x44\xC0\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x7E\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x50\x4C\x31\x22\x30\x20\x06\x03\x55\x04\x0A\x13\x19\x55\x6E\x69\x7A\x65\x74\x6F\x20\x54\x65\x63\x68\x6E\x6F\x6C\x6F\x67\x69\x65\x73\x20\x53\x2E\x41\x2E\x31\x27\x30\x25\x06\x03\x55\x04\x0B\x13\x1E\x43\x65\x72\x74\x75\x6D\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x31\x22\x30\x20\x06\x03\x55\x04\x03\x13\x19\x43\x65\x72\x74\x75\x6D\x20\x54\x72\x75\x73\x74\x65\x64\x20\x4E\x65\x74\x77\x6F\x72\x6B\x20\x43\x41\x30\x1E\x17\x0D\x30\x38\x31\x30\x32\x32\x31\x32\x30\x37\x33\x37\x5A\x17\x0D\x32\x39\x31\x32\x33\x31\x31\x32\x30\x37\x33\x37\x5A\x30\x7E\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x50\x4C\x31\x22\x30\x20\x06\x03\x55\x04\x0A\x13\x19\x55\x6E\x69\x7A\x65\x74\x6F\x20\x54\x65\x63\x68\x6E\x6F\x6C\x6F\x67\x69\x65\x73\x20\x53\x2E\x41\x2E\x31\x27\x30\x25\x06\x03\x55\x04\x0B\x13\x1E\x43\x65\x72\x74\x75\x6D\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x31\x22\x30\x20\x06\x03\x55\x04\x03\x13\x19\x43\x65\x72\x74\x75\x6D\x20\x54\x72\x75\x73\x74\x65\x64\x20\x4E\x65\x74\x77\x6F\x72\x6B\x20\x43\x41\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xE3\xFB\x7D\xA3\x72\xBA\xC2\xF0\xC9\x14\x87\xF5\x6B\x01\x4E\xE1\x6E\x40\x07\xBA\x6D\x27\x5D\x7F\xF7\x5B\x2D\xB3\x5A\xC7\x51\x5F\xAB\xA4\x32\xA6\x61\x87\xB6\x6E\x0F\x86\xD2\x30\x02\x97\xF8\xD7\x69\x57\xA1\x18\x39\x5D\x6A\x64\x79\xC6\x01\x59\xAC\x3C\x31\x4A\x38\x7C\xD2\x04\xD2\x4B\x28\xE8\x20\x5F\x3B\x07\xA2\xCC\x4D\x73\xDB\xF3\xAE\x4F\xC7\x56\xD5\x5A\xA7\x96\x89\xFA\xF3\xAB\x68\xD4\x23\x86\x59\x27\xCF\x09\x27\xBC\xAC\
x6E\x72\x83\x1C\x30\x72\xDF\xE0\xA2\xE9\xD2\xE1\x74\x75\x19\xBD\x2A\x9E\x7B\x15\x54\x04\x1B\xD7\x43\x39\xAD\x55\x28\xC5\xE2\x1A\xBB\xF4\xC0\xE4\xAE\x38\x49\x33\xCC\x76\x85\x9F\x39\x45\xD2\xA4\x9E\xF2\x12\x8C\x51\xF8\x7C\xE4\x2D\x7F\xF5\xAC\x5F\xEB\x16\x9F\xB1\x2D\xD1\xBA\xCC\x91\x42\x77\x4C\x25\xC9\x90\x38\x6F\xDB\xF0\xCC\xFB\x8E\x1E\x97\x59\x3E\xD5\x60\x4E\xE6\x05\x28\xED\x49\x79\x13\x4B\xBA\x48\xDB\x2F\xF9\x72\xD3\x39\xCA\xFE\x1F\xD8\x34\x72\xF5\xB4\x40\xCF\x31\x01\xC3\xEC\xDE\x11\x2D\x17\x5D\x1F\xB8\x50\xD1\x5E\x19\xA7\x69\xDE\x07\x33\x28\xCA\x50\x95\xF9\xA7\x54\xCB\x54\x86\x50\x45\xA9\xF9\x49\x02\x03\x01\x00\x01\xA3\x42\x30\x40\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x08\x76\xCD\xCB\x07\xFF\x24\xF6\xC5\xCD\xED\xBB\x90\xBC\xE2\x84\x37\x46\x75\xF7\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\xA6\xA8\xAD\x22\xCE\x01\x3D\xA6\xA3\xFF\x62\xD0\x48\x9D\x8B\x5E\x72\xB0\x78\x44\xE3\xDC\x1C\xAF\x09\xFD\x23\x48\xFA\xBD\x2A\xC4\xB9\x55\x04\xB5\x10\xA3\x8D\x27\xDE\x0B\x82\x63\xD0\xEE\xDE\x0C\x37\x79\x41\x5B\x22\xB2\xB0\x9A\x41\x5C\xA6\x70\xE0\xD4\xD0\x77\xCB\x23\xD3\x00\xE0\x6C\x56\x2F\xE1\x69\x0D\x0D\xD9\xAA\xBF\x21\x81\x50\xD9\x06\xA5\xA8\xFF\x95\x37\xD0\xAA\xFE\xE2\xB3\xF5\x99\x2D\x45\x84\x8A\xE5\x42\x09\xD7\x74\x02\x2F\xF7\x89\xD8\x99\xE9\xBC\x27\xD4\x47\x8D\xBA\x0D\x46\x1C\x77\xCF\x14\xA4\x1C\xB9\xA4\x31\xC4\x9C\x28\x74\x03\x34\xFF\x33\x19\x26\xA5\xE9\x0D\x74\xB7\x3E\x97\xC6\x76\xE8\x27\x96\xA3\x66\xDD\xE1\xAE\xF2\x41\x5B\xCA\x98\x56\x83\x73\x70\xE4\x86\x1A\xD2\x31\x41\xBA\x2F\xBE\x2D\x13\x5A\x76\x6F\x4E\xE8\x4E\x81\x0E\x3F\x5B\x03\x22\xA0\x12\xBE\x66\x58\x11\x4A\xCB\x03\xC4\xB4\x2A\x2A\x2D\x96\x17\xE0\x39\x54\xBC\x48\xD3\x76\x27\x9D\x9A\x2D\x06\xA6\xC9\xEC\x39\xD2\xAB\xDB\x9F\x9A\x0B\x27\x02\x35\x29\xB1\x40\x95\xE7\xF9\xE8\x9C\x55\x88\x19\x46\xD6\xB7\x34\xF5\x7E\xCE\x39\x9A\xD9\x38\xF1\x51\xF7\x4F\x2C"
, - ["CN=Certinomis - Autorit\C3\A9 Racine,OU=0002 433998903,O=Certinomis,C=FR"] = "\x30\x82\x05\x9C\x30\x82\x03\x84\xA0\x03\x02\x01\x02\x02\x01\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x63\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x46\x52\x31\x13\x30\x11\x06\x03\x55\x04\x0A\x13\x0A\x43\x65\x72\x74\x69\x6E\x6F\x6D\x69\x73\x31\x17\x30\x15\x06\x03\x55\x04\x0B\x13\x0E\x30\x30\x30\x32\x20\x34\x33\x33\x39\x39\x38\x39\x30\x33\x31\x26\x30\x24\x06\x03\x55\x04\x03\x0C\x1D\x43\x65\x72\x74\x69\x6E\x6F\x6D\x69\x73\x20\x2D\x20\x41\x75\x74\x6F\x72\x69\x74\xC3\xA9\x20\x52\x61\x63\x69\x6E\x65\x30\x1E\x17\x0D\x30\x38\x30\x39\x31\x37\x30\x38\x32\x38\x35\x39\x5A\x17\x0D\x32\x38\x30\x39\x31\x37\x30\x38\x32\x38\x35\x39\x5A\x30\x63\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x46\x52\x31\x13\x30\x11\x06\x03\x55\x04\x0A\x13\x0A\x43\x65\x72\x74\x69\x6E\x6F\x6D\x69\x73\x31\x17\x30\x15\x06\x03\x55\x04\x0B\x13\x0E\x30\x30\x30\x32\x20\x34\x33\x33\x39\x39\x38\x39\x30\x33\x31\x26\x30\x24\x06\x03\x55\x04\x03\x0C\x1D\x43\x65\x72\x74\x69\x6E\x6F\x6D\x69\x73\x20\x2D\x20\x41\x75\x74\x6F\x72\x69\x74\xC3\xA9\x20\x52\x61\x63\x69\x6E\x65\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\x9D\x85\x9F\x86\xD3\xE3\xAF\xC7\xB2\x6B\x6E\x33\xE0\x9E\xB7\x42\x34\x55\x9D\xF9\x81\xBE\x63\xD8\x23\x76\x0E\x97\x54\xCD\x99\x4C\x1A\xF1\x39\xC7\x88\xD8\x17\x50\x0C\x9E\x61\xDA\xC0\x4E\x55\xDE\xE7\x5A\xB8\x7A\x4E\x77\x87\x0D\xE5\xB8\xEB\xFA\x9E\x5E\x7B\x1E\xC4\xCF\x28\x74\xC7\x93\xF5\x14\xC6\x22\x28\x04\xF9\x91\xC3\xAB\x27\x73\x6A\x0E\x2E\x4D\xF3\x2E\x28\x1F\x70\xDF\x55\x2F\x4E\xED\xC7\x71\x6F\x09\x72\x2E\xED\xD5\x32\x97\xD0\xF1\x58\x77\xD1\x60\xBC\x4E\x5E\xDB\x9A\x84\xF6\x47\x61\x45\x2B\xF6\x50\xA6\x7F\x6A\x71\x27\x48\x84\x35\x9E\xAC\xFE\x69\xA9\x9E\x7A\x5E\x35\x25\xFA\xB4\xA7\x49\x35\x77\x96\xA7\x36\x5B\xE1\xCD\xDF\x23\x70\xD8\x5D\x4C\xA5\x08\x83\xF1\xA6\x24\x38\x13\xA8\xEC\x2F\xA8\xA1\x67\xC7\xA6\x2D\x86\x47\xEE
\x8A\xFC\xEC\x9B\x0E\x74\xF4\x2B\x49\x02\x7B\x90\x75\x8C\xFC\x99\x39\x01\x39\xD6\x4A\x89\xE5\x9E\x76\xAB\x3E\x96\x28\x38\x26\x8B\xDD\x8D\x8C\xC0\xF6\x01\x1E\x6F\xA5\x31\x12\x38\x7D\x95\xC2\x71\xEE\xED\x74\xAE\xE4\x36\xA2\x43\x75\xD5\xF1\x00\x9B\xE2\xE4\xD7\xCC\x42\x03\x4B\x78\x7A\xE5\x7D\xBB\xB8\xAE\x2E\x20\x93\xD3\xE4\x61\xDF\x71\xE1\x76\x67\x97\x3F\xB6\xDF\x6A\x73\x5A\x64\x22\xE5\x42\xDB\xCF\x81\x03\x93\xD8\xF4\xE3\x10\xE0\x72\xF6\x00\x70\xAC\xF0\xC1\x7A\x0F\x05\x7F\xCF\x34\x69\x45\xB5\x93\xE4\x19\xDB\x52\x16\x23\x05\x89\x0E\x8D\x48\xE4\x25\x6F\xB3\x78\xBF\x62\xF5\x07\xFA\x95\x24\xC2\x96\xB2\xE8\xA3\x23\xC2\x5D\x03\xFC\xC3\xD3\xE5\x7C\xC9\x75\x23\xD7\xF4\xF5\xBC\xDE\xE4\xDF\xCD\x80\xBF\x91\x88\x7D\xA7\x13\xB4\x39\xBA\x2C\xBA\xBD\xD1\x6B\xCC\xF3\xA5\x28\xED\x44\x9E\x7D\x52\xA3\x6F\x96\x2E\x19\x7E\x1C\xF3\x5B\xC7\x16\x8E\xBB\x60\x7D\x77\x66\x47\x54\x82\x00\x11\x60\x6C\x32\xC1\xA8\x38\x1B\xEB\x6E\x98\x13\xD6\xEE\x38\xF5\xF0\x9F\x0E\xEF\xFE\x31\x81\xC1\xD2\x24\x95\x2F\x53\x7A\x69\xA2\xF0\x0F\x86\x45\x8E\x58\x82\x2B\x4C\x22\xD4\x5E\xA0\xE7\x7D\x26\x27\x48\xDF\x25\x46\x8D\x4A\x28\x7C\x86\x9E\xF9\x9B\x1A\x59\xB9\x65\xBF\x05\xDD\xB6\x42\x5D\x3D\xE6\x00\x48\x82\x5E\x20\xF7\x11\x82\xDE\xCA\xD8\x9F\xE6\x37\x47\x26\x1E\xEB\x78\xF7\x61\xC3\x41\x64\x58\x02\x41\xF9\xDA\xE0\xD1\xF8\xF9\xE8\xFD\x52\x38\xB6\xF5\x89\xDF\x02\x03\x01\x00\x01\xA3\x5B\x30\x59\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x0D\x8C\xB6\x61\xDA\x44\xB8\xD1\x14\x7D\xC3\xBE\x7D\x5E\x48\xF0\xCE\xCA\x6A\xB0\x30\x17\x06\x03\x55\x1D\x20\x04\x10\x30\x0E\x30\x0C\x06\x0A\x2A\x81\x7A\x01\x56\x02\x02\x00\x01\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x02\x01\x00\x24\x3E\x60\x06\x7E\x1D\xEF\x3A\x3E\xDB\xEA\xAF\x1C\x9A\x2C\x01\x0B\xF4\xC5\xB5\xD9\x49\x31\xF4\x5D\x41\x8D\x89\x0C\x4E\xFF\x6C\xA2\xFD\xFF\xE2\x06\xC8\x39\x9F\xF1\x5A\xA9\xDD\x22\x58\x15\xA8\x8A\xD3\xB1
\xE6\x32\x09\x82\x03\x6C\xD7\x3F\x08\xC7\xF8\xB9\xBA\x00\x6D\xB9\xD6\xFC\x52\x32\x5D\xA4\x7F\xA4\x31\x94\xBB\xB6\x4C\x38\x7F\x28\x30\x35\xFF\x9F\x23\x53\xB7\xB6\xEE\x14\x70\x00\x40\x2B\xDA\x47\xAB\x34\x7E\x5E\xA7\x56\x30\x61\x2B\x8B\x43\xAC\xFD\xB6\x88\x28\xF5\x6B\xB6\x3E\x60\x4A\xBA\x42\x90\x34\x67\x8D\xEA\xEB\x5F\x45\x54\x3B\x17\xAC\x8B\xE4\xC6\x65\x0F\xEE\xD0\x8C\x5D\x66\x39\xCE\x32\xA7\xD8\x10\x97\xC0\x7E\x34\x9C\x9F\x94\xF3\xF6\x86\x1F\xCF\x1B\x73\xAD\x94\x79\x87\x68\x70\xC3\x33\xA5\x70\xE7\xD8\xD5\x38\x94\x6F\x63\x79\xEB\xBF\x0A\x0E\x08\xE7\xC5\x2F\x0F\x42\xA0\x2B\x14\x40\xFF\x21\xE0\x05\xC5\x27\xE1\x84\x11\x13\xBA\xD6\x86\x1D\x41\x0B\x13\x23\x89\xD3\xC9\x0B\xE8\x8A\xBA\x7A\xA3\xA3\x73\x37\x35\x80\x7D\x12\xB8\x33\x77\x40\x38\xC0\xFA\x5E\x30\xD2\xF2\xB6\xA3\xB1\xD6\xA2\x95\x97\x81\x9B\x52\xED\x69\x4C\xFF\x80\xE4\x53\xDB\x54\x5B\x03\x6D\x54\x5F\xB1\xB8\xEF\x24\xBD\x6F\x9F\x11\xC3\xC7\x64\xC2\x0F\x28\x62\x85\x66\x5E\x1A\x7B\xB2\xB7\xEF\xAE\x35\xC9\x19\x33\xA8\xB8\x27\xDB\x33\x55\xBF\x68\xE1\x75\x48\x44\x56\xFB\xCD\xD3\x48\xBB\x47\x89\x3A\xAC\x69\xF5\x80\xC6\xE4\x44\x50\x2F\x54\xC4\xAA\x43\xC5\x31\x31\x58\xBD\x96\xC5\xEA\x75\x6C\x9A\x75\xB1\x4D\xF8\xF7\x97\xFF\x96\x16\xF2\x97\x4D\xE8\xF6\xF3\x11\xF9\x3A\x7D\x8A\x38\x6E\x04\xCB\xE1\xD3\x45\x15\xAA\xA5\xD1\x1D\x9D\x5D\x63\xE8\x24\xE6\x36\x14\xE2\x87\xAD\x1B\x59\xF5\x44\x9B\xFB\xD7\x77\x7C\x1F\x01\x70\x62\xA1\x20\x1A\xA2\xC5\x1A\x28\xF4\x21\x03\xEE\x2E\xD9\xC1\x80\xEA\xB9\xD9\x82\xD6\x5B\x76\xC2\xCB\x3B\xB5\xD2\x00\xF0\xA3\x0E\xE1\xAD\x6E\x40\xF7\xDB\xA0\xB4\xD0\x46\xAE\x15\xD7\x44\xC2\x4D\x35\xF9\xD2\x0B\xF2\x17\xF6\xAC\x66\xD5\x24\xB2\x4F\xD1\x1C\x99\xC0\x6E\xF5\x7D\xEB\x74\x04\xB8\xF9\x4D\x77\x09\xD7\xB4\xCF\x07\x30\x09\xF1\xB8\x00\x56\xD9\x17\x16\x16\x0A\x2B\x86\xDF\x8F\x01\x19\x1A\xE5\xBB\x82\x63\xFF\xBE\x0B\x76\x16\x5E\x37\x37\xE6\xD8\x74\x97\xA2\x99\x45\x79", - ["CN=Root CA Generalitat Valenciana,OU=PKIGVA,O=Generalitat Valenciana,C=ES"] = 
"\x30\x82\x06\x8B\x30\x82\x05\x73\xA0\x03\x02\x01\x02\x02\x04\x3B\x45\xE5\x68\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x68\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x45\x53\x31\x1F\x30\x1D\x06\x03\x55\x04\x0A\x13\x16\x47\x65\x6E\x65\x72\x61\x6C\x69\x74\x61\x74\x20\x56\x61\x6C\x65\x6E\x63\x69\x61\x6E\x61\x31\x0F\x30\x0D\x06\x03\x55\x04\x0B\x13\x06\x50\x4B\x49\x47\x56\x41\x31\x27\x30\x25\x06\x03\x55\x04\x03\x13\x1E\x52\x6F\x6F\x74\x20\x43\x41\x20\x47\x65\x6E\x65\x72\x61\x6C\x69\x74\x61\x74\x20\x56\x61\x6C\x65\x6E\x63\x69\x61\x6E\x61\x30\x1E\x17\x0D\x30\x31\x30\x37\x30\x36\x31\x36\x32\x32\x34\x37\x5A\x17\x0D\x32\x31\x30\x37\x30\x31\x31\x35\x32\x32\x34\x37\x5A\x30\x68\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x45\x53\x31\x1F\x30\x1D\x06\x03\x55\x04\x0A\x13\x16\x47\x65\x6E\x65\x72\x61\x6C\x69\x74\x61\x74\x20\x56\x61\x6C\x65\x6E\x63\x69\x61\x6E\x61\x31\x0F\x30\x0D\x06\x03\x55\x04\x0B\x13\x06\x50\x4B\x49\x47\x56\x41\x31\x27\x30\x25\x06\x03\x55\x04\x03\x13\x1E\x52\x6F\x6F\x74\x20\x43\x41\x20\x47\x65\x6E\x65\x72\x61\x6C\x69\x74\x61\x74\x20\x56\x61\x6C\x65\x6E\x63\x69\x61\x6E\x61\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xC6\x2A\xAB\x57\x11\x37\x2F\x22\x8A\xCA\x03\x74\x1D\xCA\xED\x2D\xA2\x0B\xBC\x33\x52\x40\x26\x47\xBE\x5A\x69\xA6\x3B\x72\x36\x17\x4C\xE8\xDF\xB8\xBB\x2F\x76\xE1\x40\x46\x74\x65\x02\x90\x52\x08\xB4\xFF\xA8\x8C\xC1\xE0\xC7\x89\x56\x10\x39\x33\xEF\x68\xB4\x5F\x5F\xDA\x6D\x23\xA1\x89\x5E\x22\xA3\x4A\x06\xF0\x27\xF0\x57\xB9\xF8\xE9\x4E\x32\x77\x0A\x3F\x41\x64\xF3\xEB\x65\xEE\x76\xFE\x54\xAA\x7D\x1D\x20\xAE\xF3\xD7\x74\xC2\x0A\x5F\xF5\x08\x28\x52\x08\xCC\x55\x5D\xD2\x0F\xDB\x9A\x81\xA5\xBB\xA1\xB3\xC1\x94\xCD\x54\xE0\x32\x75\x31\x91\x1A\x62\xB2\xDE\x75\xE2\xCF\x4F\x89\xD9\x91\x90\x0F\x41\x1B\xB4\x5A\x4A\x77\xBD\x67\x83\xE0\x93\xE7\x5E\xA7\x0C\xE7\x81\xD3\xF4\x52\xAC\x53\xB2\x03\xC7\x44\x26\xFB\x79\xE5\xCB\x34\x60\x50\x10\x7B\x1B\xDB\x6B\xD7\x47\xAB\x5
F\x7C\x68\xCA\x6E\x9D\x41\x03\x10\xEE\x6B\x99\x7B\x5E\x25\xA8\xC2\xAB\xE4\xC0\xF3\x5C\x9C\xE3\xBE\xCE\x31\x4C\x64\x1E\x5E\x80\xA2\xF5\x83\x7E\x0C\xD6\xCA\x8C\x55\x8E\xBE\xE0\xBE\x49\x07\x0F\xA3\x24\x41\x7A\x58\x1D\x84\xEA\x58\x12\xC8\xE1\xB7\xED\xEF\x93\xDE\x94\x08\x31\x02\x03\x01\x00\x01\xA3\x82\x03\x3B\x30\x82\x03\x37\x30\x32\x06\x08\x2B\x06\x01\x05\x05\x07\x01\x01\x04\x26\x30\x24\x30\x22\x06\x08\x2B\x06\x01\x05\x05\x07\x30\x01\x86\x16\x68\x74\x74\x70\x3A\x2F\x2F\x6F\x63\x73\x70\x2E\x70\x6B\x69\x2E\x67\x76\x61\x2E\x65\x73\x30\x12\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x08\x30\x06\x01\x01\xFF\x02\x01\x02\x30\x82\x02\x34\x06\x03\x55\x1D\x20\x04\x82\x02\x2B\x30\x82\x02\x27\x30\x82\x02\x23\x06\x0A\x2B\x06\x01\x04\x01\xBF\x55\x02\x01\x00\x30\x82\x02\x13\x30\x82\x01\xE8\x06\x08\x2B\x06\x01\x05\x05\x07\x02\x02\x30\x82\x01\xDA\x1E\x82\x01\xD6\x00\x41\x00\x75\x00\x74\x00\x6F\x00\x72\x00\x69\x00\x64\x00\x61\x00\x64\x00\x20\x00\x64\x00\x65\x00\x20\x00\x43\x00\x65\x00\x72\x00\x74\x00\x69\x00\x66\x00\x69\x00\x63\x00\x61\x00\x63\x00\x69\x00\xF3\x00\x6E\x00\x20\x00\x52\x00\x61\x00\xED\x00\x7A\x00\x20\x00\x64\x00\x65\x00\x20\x00\x6C\x00\x61\x00\x20\x00\x47\x00\x65\x00\x6E\x00\x65\x00\x72\x00\x61\x00\x6C\x00\x69\x00\x74\x00\x61\x00\x74\x00\x20\x00\x56\x00\x61\x00\x6C\x00\x65\x00\x6E\x00\x63\x00\x69\x00\x61\x00\x6E\x00\x61\x00\x2E\x00\x0D\x00\x0A\x00\x4C\x00\x61\x00\x20\x00\x44\x00\x65\x00\x63\x00\x6C\x00\x61\x00\x72\x00\x61\x00\x63\x00\x69\x00\xF3\x00\x6E\x00\x20\x00\x64\x00\x65\x00\x20\x00\x50\x00\x72\x00\xE1\x00\x63\x00\x74\x00\x69\x00\x63\x00\x61\x00\x73\x00\x20\x00\x64\x00\x65\x00\x20\x00\x43\x00\x65\x00\x72\x00\x74\x00\x69\x00\x66\x00\x69\x00\x63\x00\x61\x00\x63\x00\x69\x00\xF3\x00\x6E\x00\x20\x00\x71\x00\x75\x00\x65\x00\x20\x00\x72\x00\x69\x00\x67\x00\x65\x00\x20\x00\x65\x00\x6C\x00\x20\x00\x66\x00\x75\x00\x6E\x00\x63\x00\x69\x00\x6F\x00\x6E\x00\x61\x00\x6D\x00\x69\x00\x65\x00\x6E\x00\x74\x00\x6F\x00\x20\x00\x64\x00\x65\x00\x20\x00\x6C\x00\x61\x00\x20\x00\x70\x00\x72\x00\x65\x0
0\x73\x00\x65\x00\x6E\x00\x74\x00\x65\x00\x20\x00\x41\x00\x75\x00\x74\x00\x6F\x00\x72\x00\x69\x00\x64\x00\x61\x00\x64\x00\x20\x00\x64\x00\x65\x00\x20\x00\x43\x00\x65\x00\x72\x00\x74\x00\x69\x00\x66\x00\x69\x00\x63\x00\x61\x00\x63\x00\x69\x00\xF3\x00\x6E\x00\x20\x00\x73\x00\x65\x00\x20\x00\x65\x00\x6E\x00\x63\x00\x75\x00\x65\x00\x6E\x00\x74\x00\x72\x00\x61\x00\x20\x00\x65\x00\x6E\x00\x20\x00\x6C\x00\x61\x00\x20\x00\x64\x00\x69\x00\x72\x00\x65\x00\x63\x00\x63\x00\x69\x00\xF3\x00\x6E\x00\x20\x00\x77\x00\x65\x00\x62\x00\x20\x00\x68\x00\x74\x00\x74\x00\x70\x00\x3A\x00\x2F\x00\x2F\x00\x77\x00\x77\x00\x77\x00\x2E\x00\x70\x00\x6B\x00\x69\x00\x2E\x00\x67\x00\x76\x00\x61\x00\x2E\x00\x65\x00\x73\x00\x2F\x00\x63\x00\x70\x00\x73\x30\x25\x06\x08\x2B\x06\x01\x05\x05\x07\x02\x01\x16\x19\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x70\x6B\x69\x2E\x67\x76\x61\x2E\x65\x73\x2F\x63\x70\x73\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x7B\x35\xD3\x40\xD2\x1C\x78\x19\x66\xEF\x74\x10\x28\xDC\x3E\x4F\xB2\x78\x04\xFC\x30\x81\x95\x06\x03\x55\x1D\x23\x04\x81\x8D\x30\x81\x8A\x80\x14\x7B\x35\xD3\x40\xD2\x1C\x78\x19\x66\xEF\x74\x10\x28\xDC\x3E\x4F\xB2\x78\x04\xFC\xA1\x6C\xA4\x6A\x30\x68\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x45\x53\x31\x1F\x30\x1D\x06\x03\x55\x04\x0A\x13\x16\x47\x65\x6E\x65\x72\x61\x6C\x69\x74\x61\x74\x20\x56\x61\x6C\x65\x6E\x63\x69\x61\x6E\x61\x31\x0F\x30\x0D\x06\x03\x55\x04\x0B\x13\x06\x50\x4B\x49\x47\x56\x41\x31\x27\x30\x25\x06\x03\x55\x04\x03\x13\x1E\x52\x6F\x6F\x74\x20\x43\x41\x20\x47\x65\x6E\x65\x72\x61\x6C\x69\x74\x61\x74\x20\x56\x61\x6C\x65\x6E\x63\x69\x61\x6E\x61\x82\x04\x3B\x45\xE5\x68\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x24\x61\x4E\xF5\xB5\xC8\x42\x02\x2A\xB3\x5C\x75\xAD\xC5\x6D\xCA\xE7\x94\x3F\xA5\x68\x95\x88\xC1\x54\xC0\x10\x69\xA2\x12\x2F\x18\x3F\x25\x50\xA8\x7C\x4A\xEA\xC6\x09\xD9\xF4\x75\xC6\x40\xDA\xAF\x50\x9D\x3D\xA5\x16\xBB\x6D\x31\xC6\xC7\x73\x0A\x48\xFE\x20\x72\xED\x6F\xCC\xE8\x83\x61\x16\x46\x90\x01\x95\x4B\x7
D\x8E\x9A\x52\x09\x2F\xF6\x6F\x1C\xE4\xA1\x71\xCF\x8C\x2A\x5A\x17\x73\x83\x47\x4D\x0F\x36\xFB\x04\x4D\x49\x51\xE2\x14\xC9\x64\x61\xFB\xD4\x14\xE0\xF4\x9E\xB7\x34\x8F\x0A\x26\xBD\x97\x5C\xF4\x79\x3A\x4A\x30\x19\xCC\xAD\x4F\xA0\x98\x8A\xB4\x31\x97\x2A\xE2\x73\x6D\x7E\x78\xB8\xF8\x88\x89\x4F\xB1\x22\x91\x64\x4B\xF5\x50\xDE\x03\xDB\xE5\xC5\x76\xE7\x13\x66\x75\x7E\x65\xFB\x01\x9F\x93\x87\x88\x9D\xF9\x46\x57\x7C\x4D\x60\xAF\x98\x73\x13\x23\xA4\x20\x91\x81\xFA\xD0\x61\x66\xB8\x7D\xD1\xAF\xD6\x6F\x1E\x6C\x3D\xE9\x11\xFD\xA9\xF9\x82\x22\x86\x99\x33\x71\x5A\xEA\x19\x57\x3D\x91\xCD\xA9\xC0\xA3\x6E\x07\x13\xA6\xC9\xED\xF8\x68\xA3\x9E\xC3\x5A\x72\x09\x87\x28\xD1\xC4\x73\xC4\x73\x18\x5F\x50\x75\x16\x31\x9F\xB7\xE8\x7C\xC3", ["CN=TWCA Root Certification Authority,OU=Root CA,O=TAIWAN-CA,C=TW"] = "\x30\x82\x03\x7B\x30\x82\x02\x63\xA0\x03\x02\x01\x02\x02\x01\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x5F\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x54\x57\x31\x12\x30\x10\x06\x03\x55\x04\x0A\x0C\x09\x54\x41\x49\x57\x41\x4E\x2D\x43\x41\x31\x10\x30\x0E\x06\x03\x55\x04\x0B\x0C\x07\x52\x6F\x6F\x74\x20\x43\x41\x31\x2A\x30\x28\x06\x03\x55\x04\x03\x0C\x21\x54\x57\x43\x41\x20\x52\x6F\x6F\x74\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x1E\x17\x0D\x30\x38\x30\x38\x32\x38\x30\x37\x32\x34\x33\x33\x5A\x17\x0D\x33\x30\x31\x32\x33\x31\x31\x35\x35\x39\x35\x39\x5A\x30\x5F\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x54\x57\x31\x12\x30\x10\x06\x03\x55\x04\x0A\x0C\x09\x54\x41\x49\x57\x41\x4E\x2D\x43\x41\x31\x10\x30\x0E\x06\x03\x55\x04\x0B\x0C\x07\x52\x6F\x6F\x74\x20\x43\x41\x31\x2A\x30\x28\x06\x03\x55\x04\x03\x0C\x21\x54\x57\x43\x41\x20\x52\x6F\x6F\x74\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xB0\x7E\x72\xB8\xA4\x03\x94\xE6\xA7\xDE\x09\x38
\x91\x4A\x11\x40\x87\xA7\x7C\x59\x64\x14\x7B\xB5\x11\x10\xDD\xFE\xBF\xD5\xC0\xBB\x56\xE2\x85\x25\xF4\x35\x72\x0F\xF8\x53\xD0\x41\xE1\x44\x01\xC2\xB4\x1C\xC3\x31\x42\x16\x47\x85\x33\x22\x76\xB2\x0A\x6F\x0F\xE5\x25\x50\x4F\x85\x86\xBE\xBF\x98\x2E\x10\x67\x1E\xBE\x11\x05\x86\x05\x90\xC4\x59\xD0\x7C\x78\x10\xB0\x80\x5C\xB7\xE1\xC7\x2B\x75\xCB\x7C\x9F\xAE\xB5\xD1\x9D\x23\x37\x63\xA7\xDC\x42\xA2\x2D\x92\x04\x1B\x50\xC1\x7B\xB8\x3E\x1B\xC9\x56\x04\x8B\x2F\x52\x9B\xAD\xA9\x56\xE9\xC1\xFF\xAD\xA9\x58\x87\x30\xB6\x81\xF7\x97\x45\xFC\x19\x57\x3B\x2B\x6F\xE4\x47\xF4\x99\x45\xFE\x1D\xF1\xF8\x97\xA3\x88\x1D\x37\x1C\x5C\x8F\xE0\x76\x25\x9A\x50\xF8\xA0\x54\xFF\x44\x90\x76\x23\xD2\x32\xC6\xC3\xAB\x06\xBF\xFC\xFB\xBF\xF3\xAD\x7D\x92\x62\x02\x5B\x29\xD3\x35\xA3\x93\x9A\x43\x64\x60\x5D\xB2\xFA\x32\xFF\x3B\x04\xAF\x4D\x40\x6A\xF9\xC7\xE3\xEF\x23\xFD\x6B\xCB\xE5\x0F\x8B\x38\x0D\xEE\x0A\xFC\xFE\x0F\x98\x9F\x30\x31\xDD\x6C\x52\x65\xF9\x8B\x81\xBE\x22\xE1\x1C\x58\x03\xBA\x91\x1B\x89\x07\x02\x03\x01\x00\x01\xA3\x42\x30\x40\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x6A\x38\x5B\x26\x8D\xDE\x8B\x5A\xF2\x4F\x7A\x54\x83\x19\x18\xE3\x08\x35\xA6\xBA\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x3C\xD5\x77\x3D\xDA\xDF\x89\xBA\x87\x0C\x08\x54\x6A\x20\x50\x92\xBE\xB0\x41\x3D\xB9\x26\x64\x83\x0A\x2F\xE8\x40\xC0\x97\x28\x27\x82\x30\x4A\xC9\x93\xFF\x6A\xE7\xA6\x00\x7F\x89\x42\x9A\xD6\x11\xE5\x53\xCE\x2F\xCC\xF2\xDA\x05\xC4\xFE\xE2\x50\xC4\x3A\x86\x7D\xCC\xDA\x7E\x10\x09\x3B\x92\x35\x2A\x53\xB2\xFE\xEB\x2B\x05\xD9\x6C\x5D\xE6\xD0\xEF\xD3\x6A\x66\x9E\x15\x28\x85\x7A\xE8\x82\x00\xAC\x1E\xA7\x09\x69\x56\x42\xD3\x68\x51\x18\xBE\x54\x9A\xBF\x44\x41\xBA\x49\xBE\x20\xBA\x69\x5C\xEE\xB8\x77\xCD\xCE\x6C\x1F\xAD\x83\x96\x18\x7D\x0E\xB5\x14\x39\x84\xF1\x28\xE9\x2D\xA3\x9E\x7B\x1E\x7A\x72\x5A\x83\xB3\x79\x6F\xEF\xB4\xFC\xD0\x0A\xA5\x58\x4F\x46\xDF\xFB
\x6D\x79\x59\xF2\x84\x22\x52\xAE\x0F\xCC\xFB\x7C\x3B\xE7\x6A\xCA\x47\x61\xC3\x7A\xF8\xD3\x92\x04\x1F\xB8\x20\x84\xE1\x36\x54\x16\xC7\x40\xDE\x3B\x8A\x73\xDC\xDF\xC6\x09\x4C\xDF\xEC\xDA\xFF\xD4\x53\x42\xA1\xC9\xF2\x62\x1D\x22\x83\x3C\x97\xC5\xF9\x19\x62\x27\xAC\x65\x22\xD7\xD3\x3C\xC6\xE5\x8E\xB2\x53\xCC\x49\xCE\xBC\x30\xFE\x7B\x0E\x33\x90\xFB\xED\xD2\x14\x91\x1F\x07\xAF", ["OU=Security Communication RootCA2,O=SECOM Trust Systems CO.\,LTD.,C=JP"] = "\x30\x82\x03\x77\x30\x82\x02\x5F\xA0\x03\x02\x01\x02\x02\x01\x00\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x30\x5D\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x4A\x50\x31\x25\x30\x23\x06\x03\x55\x04\x0A\x13\x1C\x53\x45\x43\x4F\x4D\x20\x54\x72\x75\x73\x74\x20\x53\x79\x73\x74\x65\x6D\x73\x20\x43\x4F\x2E\x2C\x4C\x54\x44\x2E\x31\x27\x30\x25\x06\x03\x55\x04\x0B\x13\x1E\x53\x65\x63\x75\x72\x69\x74\x79\x20\x43\x6F\x6D\x6D\x75\x6E\x69\x63\x61\x74\x69\x6F\x6E\x20\x52\x6F\x6F\x74\x43\x41\x32\x30\x1E\x17\x0D\x30\x39\x30\x35\x32\x39\x30\x35\x30\x30\x33\x39\x5A\x17\x0D\x32\x39\x30\x35\x32\x39\x30\x35\x30\x30\x33\x39\x5A\x30\x5D\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x4A\x50\x31\x25\x30\x23\x06\x03\x55\x04\x0A\x13\x1C\x53\x45\x43\x4F\x4D\x20\x54\x72\x75\x73\x74\x20\x53\x79\x73\x74\x65\x6D\x73\x20\x43\x4F\x2E\x2C\x4C\x54\x44\x2E\x31\x27\x30\x25\x06\x03\x55\x04\x0B\x13\x1E\x53\x65\x63\x75\x72\x69\x74\x79\x20\x43\x6F\x6D\x6D\x75\x6E\x69\x63\x61\x74\x69\x6F\x6E\x20\x52\x6F\x6F\x74\x43\x41\x32\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xD0\x15\x39\x52\xB1\x52\xB3\xBA\xC5\x59\x82\xC4\x5D\x52\xAE\x3A\x43\x65\x80\x4B\xC7\xF2\x96\xBC\xDB\x36\x97\xD6\xA6\x64\x8C\xA8\x5E\xF0\xE3\x0A\x1C\xF7\xDF\x97\x3D\x4B\xAE\xF6\x5D\xEC\x21\xB5\x41\xAB\xCD\xB9\x7E\x76\x9F\xBE\xF9\x3E\x36\x34\xA0\x3B\xC1\xF6\x31\x11\x45\x74\x93\x3D\x57\x80\xC5\xF9\x89\x99\xCA\xE5\xAB\x6A\xD4\xB5\xDA\x41\x90\x10\xC1\xD6\xD6\x42\x89\xC2\xBF\xF4\x38\x12\x95\x4C\x54\x05\xF
7\x36\xE4\x45\x83\x7B\x14\x65\xD6\xDC\x0C\x4D\xD1\xDE\x7E\x0C\xAB\x3B\xC4\x15\xBE\x3A\x56\xA6\x5A\x6F\x76\x69\x52\xA9\x7A\xB9\xC8\xEB\x6A\x9A\x5D\x52\xD0\x2D\x0A\x6B\x35\x16\x09\x10\x84\xD0\x6A\xCA\x3A\x06\x00\x37\x47\xE4\x7E\x57\x4F\x3F\x8B\xEB\x67\xB8\x88\xAA\xC5\xBE\x53\x55\xB2\x91\xC4\x7D\xB9\xB0\x85\x19\x06\x78\x2E\xDB\x61\x1A\xFA\x85\xF5\x4A\x91\xA1\xE7\x16\xD5\x8E\xA2\x39\xDF\x94\xB8\x70\x1F\x28\x3F\x8B\xFC\x40\x5E\x63\x83\x3C\x83\x2A\x1A\x99\x6B\xCF\xDE\x59\x6A\x3B\xFC\x6F\x16\xD7\x1F\xFD\x4A\x10\xEB\x4E\x82\x16\x3A\xAC\x27\x0C\x53\xF1\xAD\xD5\x24\xB0\x6B\x03\x50\xC1\x2D\x3C\x16\xDD\x44\x34\x27\x1A\x75\xFB\x02\x03\x01\x00\x01\xA3\x42\x30\x40\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x0A\x85\xA9\x77\x65\x05\x98\x7C\x40\x81\xF8\x0F\x97\x2C\x38\xF1\x0A\xEC\x3C\xCF\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x03\x82\x01\x01\x00\x4C\x3A\xA3\x44\xAC\xB9\x45\xB1\xC7\x93\x7E\xC8\x0B\x0A\x42\xDF\x64\xEA\x1C\xEE\x59\x6C\x08\xBA\x89\x5F\x6A\xCA\x4A\x95\x9E\x7A\x8F\x07\xC5\xDA\x45\x72\x82\x71\x0E\x3A\xD2\xCC\x6F\xA7\xB4\xA1\x23\xBB\xF6\x24\x9F\xCB\x17\xFE\x8C\xA6\xCE\xC2\xD2\xDB\xCC\x8D\xFC\x71\xFC\x03\x29\xC1\x6C\x5D\x33\x5F\x64\xB6\x65\x3B\x89\x6F\x18\x76\x78\xF5\xDC\xA2\x48\x1F\x19\x3F\x8E\x93\xEB\xF1\xFA\x17\xEE\xCD\x4E\xE3\x04\x12\x55\xD6\xE5\xE4\xDD\xFB\x3E\x05\x7C\xE2\x1D\x5E\xC6\xA7\xBC\x97\x4F\x68\x3A\xF5\xE9\x2E\x0A\x43\xB6\xAF\x57\x5C\x62\x68\x7C\xB7\xFD\xA3\x8A\x84\xA0\xAC\x62\xBE\x2B\x09\x87\x34\xF0\x6A\x01\xBB\x9B\x29\x56\x3C\xFE\x00\x37\xCF\x23\x6C\xF1\x4E\xAA\xB6\x74\x46\x12\x6C\x91\xEE\x34\xD5\xEC\x9A\x91\xE7\x44\xBE\x90\x31\x72\xD5\x49\x02\xF6\x02\xE5\xF4\x1F\xEB\x7C\xD9\x96\x55\xA9\xFF\xEC\x8A\xF9\x99\x47\xFF\x35\x5A\x02\xAA\x04\xCB\x8A\x5B\x87\x71\x29\x91\xBD\xA4\xB4\x7A\x0D\xBD\x9A\xF5\x57\x23\x00\x07\x21\x17\x3F\x4A\x39\xD1\x05\x49\x0B\xA7\xB6\x37\x81\xA5\x5D\x8C\xAA\x33\x5E\x81\x28\x7C\xA7\x7D\x27\xE
B\x00\xAE\x8D\x37", ["CN=EC-ACC,OU=Jerarquia Entitats de Certificacio Catalanes,OU=Vegeu https://www.catcert.net/verarrel (c)03,OU=Serveis Publics de Certificacio,O=Agencia Catalana de Certificacio (NIF Q-0801176-I),C=ES"] = "\x30\x82\x05\x56\x30\x82\x04\x3E\xA0\x03\x02\x01\x02\x02\x10\xEE\x2B\x3D\xEB\xD4\x21\xDE\x14\xA8\x62\xAC\x04\xF3\xDD\xC4\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x81\xF3\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x45\x53\x31\x3B\x30\x39\x06\x03\x55\x04\x0A\x13\x32\x41\x67\x65\x6E\x63\x69\x61\x20\x43\x61\x74\x61\x6C\x61\x6E\x61\x20\x64\x65\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x63\x69\x6F\x20\x28\x4E\x49\x46\x20\x51\x2D\x30\x38\x30\x31\x31\x37\x36\x2D\x49\x29\x31\x28\x30\x26\x06\x03\x55\x04\x0B\x13\x1F\x53\x65\x72\x76\x65\x69\x73\x20\x50\x75\x62\x6C\x69\x63\x73\x20\x64\x65\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x63\x69\x6F\x31\x35\x30\x33\x06\x03\x55\x04\x0B\x13\x2C\x56\x65\x67\x65\x75\x20\x68\x74\x74\x70\x73\x3A\x2F\x2F\x77\x77\x77\x2E\x63\x61\x74\x63\x65\x72\x74\x2E\x6E\x65\x74\x2F\x76\x65\x72\x61\x72\x72\x65\x6C\x20\x28\x63\x29\x30\x33\x31\x35\x30\x33\x06\x03\x55\x04\x0B\x13\x2C\x4A\x65\x72\x61\x72\x71\x75\x69\x61\x20\x45\x6E\x74\x69\x74\x61\x74\x73\x20\x64\x65\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x63\x69\x6F\x20\x43\x61\x74\x61\x6C\x61\x6E\x65\x73\x31\x0F\x30\x0D\x06\x03\x55\x04\x03\x13\x06\x45\x43\x2D\x41\x43\x43\x30\x1E\x17\x0D\x30\x33\x30\x31\x30\x37\x32\x33\x30\x30\x30\x30\x5A\x17\x0D\x33\x31\x30\x31\x30\x37\x32\x32\x35\x39\x35\x39\x5A\x30\x81\xF3\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x45\x53\x31\x3B\x30\x39\x06\x03\x55\x04\x0A\x13\x32\x41\x67\x65\x6E\x63\x69\x61\x20\x43\x61\x74\x61\x6C\x61\x6E\x61\x20\x64\x65\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x63\x69\x6F\x20\x28\x4E\x49\x46\x20\x51\x2D\x30\x38\x30\x31\x31\x37\x36\x2D\x49\x29\x31\x28\x30\x26\x06\x03\x55\x04\x0B\x13\x1F\x53\x65\x72\x76\x65\x69\x73\x20\x50\x75\x62\x6C\x69\x63\x73\x20\x64\x65\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x63\x69\x6F\x
31\x35\x30\x33\x06\x03\x55\x04\x0B\x13\x2C\x56\x65\x67\x65\x75\x20\x68\x74\x74\x70\x73\x3A\x2F\x2F\x77\x77\x77\x2E\x63\x61\x74\x63\x65\x72\x74\x2E\x6E\x65\x74\x2F\x76\x65\x72\x61\x72\x72\x65\x6C\x20\x28\x63\x29\x30\x33\x31\x35\x30\x33\x06\x03\x55\x04\x0B\x13\x2C\x4A\x65\x72\x61\x72\x71\x75\x69\x61\x20\x45\x6E\x74\x69\x74\x61\x74\x73\x20\x64\x65\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x63\x69\x6F\x20\x43\x61\x74\x61\x6C\x61\x6E\x65\x73\x31\x0F\x30\x0D\x06\x03\x55\x04\x03\x13\x06\x45\x43\x2D\x41\x43\x43\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xB3\x22\xC7\x4F\xE2\x97\x42\x95\x88\x47\x83\x40\xF6\x1D\x17\xF3\x83\x73\x24\x1E\x51\xF3\x98\x8A\xC3\x92\xB8\xFF\x40\x90\x05\x70\x87\x60\xC9\x00\xA9\xB5\x94\x65\x19\x22\x15\x17\xC2\x43\x6C\x66\x44\x9A\x0D\x04\x3E\x39\x6F\xA5\x4B\x7A\xAA\x63\xB7\x8A\x44\x9D\xD9\x63\x91\x84\x66\xE0\x28\x0F\xBA\x42\xE3\x6E\x8E\xF7\x14\x27\x93\x69\xEE\x91\x0E\xA3\x5F\x0E\xB1\xEB\x66\xA2\x72\x4F\x12\x13\x86\x65\x7A\x3E\xDB\x4F\x07\xF4\xA7\x09\x60\xDA\x3A\x42\x99\xC7\xB2\x7F\xB3\x16\x95\x1C\xC7\xF9\x34\xB5\x94\x85\xD5\x99\x5E\xA0\x48\xA0\x7E\xE7\x17\x65\xB8\xA2\x75\xB8\x1E\xF3\xE5\x42\x7D\xAF\xED\xF3\x8A\x48\x64\x5D\x82\x14\x93\xD8\xC0\xE4\xFF\xB3\x50\x72\xF2\x76\xF6\xB3\x5D\x42\x50\x79\xD0\x94\x3E\x6B\x0C\x00\xBE\xD8\x6B\x0E\x4E\x2A\xEC\x3E\xD2\xCC\x82\xA2\x18\x65\x33\x13\x77\x9E\x9A\x5D\x1A\x13\xD8\xC3\xDB\x3D\xC8\x97\x7A\xEE\x70\xED\xA7\xE6\x7C\xDB\x71\xCF\x2D\x94\x62\xDF\x6D\xD6\xF5\x38\xBE\x3F\xA5\x85\x0A\x19\xB8\xA8\xD8\x09\x75\x42\x70\xC4\xEA\xEF\xCB\x0E\xC8\x34\xA8\x12\x22\x98\x0C\xB8\x13\x94\xB6\x4B\xEC\xF0\xD0\x90\xE7\x27\x02\x03\x01\x00\x01\xA3\x81\xE3\x30\x81\xE0\x30\x1D\x06\x03\x55\x1D\x11\x04\x16\x30\x14\x81\x12\x65\x63\x5F\x61\x63\x63\x40\x63\x61\x74\x63\x65\x72\x74\x2E\x6E\x65\x74\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x
04\x14\xA0\xC3\x8B\x44\xAA\x37\xA5\x45\xBF\x97\x80\x5A\xD1\xF1\x78\xA2\x9B\xE9\x5D\x8D\x30\x7F\x06\x03\x55\x1D\x20\x04\x78\x30\x76\x30\x74\x06\x0B\x2B\x06\x01\x04\x01\xF5\x78\x01\x03\x01\x0A\x30\x65\x30\x2C\x06\x08\x2B\x06\x01\x05\x05\x07\x02\x01\x16\x20\x68\x74\x74\x70\x73\x3A\x2F\x2F\x77\x77\x77\x2E\x63\x61\x74\x63\x65\x72\x74\x2E\x6E\x65\x74\x2F\x76\x65\x72\x61\x72\x72\x65\x6C\x30\x35\x06\x08\x2B\x06\x01\x05\x05\x07\x02\x02\x30\x29\x1A\x27\x56\x65\x67\x65\x75\x20\x68\x74\x74\x70\x73\x3A\x2F\x2F\x77\x77\x77\x2E\x63\x61\x74\x63\x65\x72\x74\x2E\x6E\x65\x74\x2F\x76\x65\x72\x61\x72\x72\x65\x6C\x20\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\xA0\x48\x5B\x82\x01\xF6\x4D\x48\xB8\x39\x55\x35\x9C\x80\x7A\x53\x99\xD5\x5A\xFF\xB1\x71\x3B\xCC\x39\x09\x94\x5E\xD6\xDA\xEF\xBE\x01\x5B\x5D\xD3\x1E\xD8\xFD\x7D\x4F\xCD\xA0\x41\xE0\x34\x93\xBF\xCB\xE2\x86\x9C\x37\x92\x90\x56\x1C\xDC\xEB\x29\x05\xE5\xC4\x9E\xC7\x35\xDF\x8A\x0C\xCD\xC5\x21\x43\xE9\xAA\x88\xE5\x35\xC0\x19\x42\x63\x5A\x02\x5E\xA4\x48\x18\x3A\x85\x6F\xDC\x9D\xBC\x3F\x9D\x9C\xC1\x87\xB8\x7A\x61\x08\xE9\x77\x0B\x7F\x70\xAB\x7A\xDD\xD9\x97\x2C\x64\x1E\x85\xBF\xBC\x74\x96\xA1\xC3\x7A\x12\xEC\x0C\x1A\x6E\x83\x0C\x3C\xE8\x72\x46\x9F\xFB\x48\xD5\x5E\x97\xE6\xB1\xA1\xF8\xE4\xEF\x46\x25\x94\x9C\x89\xDB\x69\x38\xBE\xEC\x5C\x0E\x56\xC7\x65\x51\xE5\x50\x88\x88\xBF\x42\xD5\x2B\x3D\xE5\xF9\xBA\x9E\x2E\xB3\xCA\xF4\x73\x92\x02\x0B\xBE\x4C\x66\xEB\x20\xFE\xB9\xCB\xB5\x99\x7F\xE6\xB6\x13\xFA\xCA\x4B\x4D\xD9\xEE\x53\x46\x06\x3B\xC6\x4E\xAD\x93\x5A\x81\x7E\x6C\x2A\x4B\x6A\x05\x45\x8C\xF2\x21\xA4\x31\x90\x87\x6C\x65\x9C\x9D\xA5\x60\x95\x3A\x52\x7F\xF5\xD1\xAB\x08\x6E\xF3\xEE\x5B\xF9\x88\x3D\x7E\xB8\x6F\x6E\x03\xE4\x42", ["CN=Hellenic Academic and Research Institutions RootCA 2011,O=Hellenic Academic and Research Institutions Cert. 
Authority,C=GR"] = "\x30\x82\x04\x31\x30\x82\x03\x19\xA0\x03\x02\x01\x02\x02\x01\x00\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x81\x95\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x47\x52\x31\x44\x30\x42\x06\x03\x55\x04\x0A\x13\x3B\x48\x65\x6C\x6C\x65\x6E\x69\x63\x20\x41\x63\x61\x64\x65\x6D\x69\x63\x20\x61\x6E\x64\x20\x52\x65\x73\x65\x61\x72\x63\x68\x20\x49\x6E\x73\x74\x69\x74\x75\x74\x69\x6F\x6E\x73\x20\x43\x65\x72\x74\x2E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x31\x40\x30\x3E\x06\x03\x55\x04\x03\x13\x37\x48\x65\x6C\x6C\x65\x6E\x69\x63\x20\x41\x63\x61\x64\x65\x6D\x69\x63\x20\x61\x6E\x64\x20\x52\x65\x73\x65\x61\x72\x63\x68\x20\x49\x6E\x73\x74\x69\x74\x75\x74\x69\x6F\x6E\x73\x20\x52\x6F\x6F\x74\x43\x41\x20\x32\x30\x31\x31\x30\x1E\x17\x0D\x31\x31\x31\x32\x30\x36\x31\x33\x34\x39\x35\x32\x5A\x17\x0D\x33\x31\x31\x32\x30\x31\x31\x33\x34\x39\x35\x32\x5A\x30\x81\x95\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x47\x52\x31\x44\x30\x42\x06\x03\x55\x04\x0A\x13\x3B\x48\x65\x6C\x6C\x65\x6E\x69\x63\x20\x41\x63\x61\x64\x65\x6D\x69\x63\x20\x61\x6E\x64\x20\x52\x65\x73\x65\x61\x72\x63\x68\x20\x49\x6E\x73\x74\x69\x74\x75\x74\x69\x6F\x6E\x73\x20\x43\x65\x72\x74\x2E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x31\x40\x30\x3E\x06\x03\x55\x04\x03\x13\x37\x48\x65\x6C\x6C\x65\x6E\x69\x63\x20\x41\x63\x61\x64\x65\x6D\x69\x63\x20\x61\x6E\x64\x20\x52\x65\x73\x65\x61\x72\x63\x68\x20\x49\x6E\x73\x74\x69\x74\x75\x74\x69\x6F\x6E\x73\x20\x52\x6F\x6F\x74\x43\x41\x20\x32\x30\x31\x31\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xA9\x53\x00\xE3\x2E\xA6\xF6\x8E\xFA\x60\xD8\x2D\x95\x3E\xF8\x2C\x2A\x54\x4E\xCD\xB9\x84\x61\x94\x58\x4F\x8F\x3D\x8B\xE4\x43\xF3\x75\x89\x8D\x51\xE4\xC3\x37\xD2\x8A\x88\x4D\x79\x1E\xB7\x12\xDD\x43\x78\x4A\x8A\x92\xE6\xD7\x48\xD5\x0F\xA4\x3A\x29\x44\x35\xB8\x07\xF6\x68\x1D\x55\xCD\x38\x51\xF0\x8C\x24\x31\x85\xAF\x83\xC9\x7D\xE9\x77\xAF\xED\x1A\x7B\x9D\x17\xF9\xB3\x9D\x38\x50\x0F
\xA6\x5A\x79\x91\x80\xAF\x37\xAE\xA6\xD3\x31\xFB\xB5\x26\x09\x9D\x3C\x5A\xEF\x51\xC5\x2B\xDF\x96\x5D\xEB\x32\x1E\x02\xDA\x70\x49\xEC\x6E\x0C\xC8\x9A\x37\x8D\xF7\xF1\x36\x60\x4B\x26\x2C\x82\x9E\xD0\x78\xF3\x0D\x0F\x63\xA4\x51\x30\xE1\xF9\x2B\x27\x12\x07\xD8\xEA\xBD\x18\x62\x98\xB0\x59\x37\x7D\xBE\xEE\xF3\x20\x51\x42\x5A\x83\xEF\x93\xBA\x69\x15\xF1\x62\x9D\x9F\x99\x39\x82\xA1\xB7\x74\x2E\x8B\xD4\xC5\x0B\x7B\x2F\xF0\xC8\x0A\xDA\x3D\x79\x0A\x9A\x93\x1C\xA5\x28\x72\x73\x91\x43\x9A\xA7\xD1\x4D\x85\x84\xB9\xA9\x74\x8F\x14\x40\xC7\xDC\xDE\xAC\x41\x64\x6C\xB4\x19\x9B\x02\x63\x6D\x24\x64\x8F\x44\xB2\x25\xEA\xCE\x5D\x74\x0C\x63\x32\x5C\x8D\x87\xE5\x02\x03\x01\x00\x01\xA3\x81\x89\x30\x81\x86\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0B\x06\x03\x55\x1D\x0F\x04\x04\x03\x02\x01\x06\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xA6\x91\x42\xFD\x13\x61\x4A\x23\x9E\x08\xA4\x29\xE5\xD8\x13\x04\x23\xEE\x41\x25\x30\x47\x06\x03\x55\x1D\x1E\x04\x40\x30\x3E\xA0\x3C\x30\x05\x82\x03\x2E\x67\x72\x30\x05\x82\x03\x2E\x65\x75\x30\x06\x82\x04\x2E\x65\x64\x75\x30\x06\x82\x04\x2E\x6F\x72\x67\x30\x05\x81\x03\x2E\x67\x72\x30\x05\x81\x03\x2E\x65\x75\x30\x06\x81\x04\x2E\x65\x64\x75\x30\x06\x81\x04\x2E\x6F\x72\x67\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x1F\xEF\x79\x41\xE1\x7B\x6E\x3F\xB2\x8C\x86\x37\x42\x4A\x4E\x1C\x37\x1E\x8D\x66\xBA\x24\x81\xC9\x4F\x12\x0F\x21\xC0\x03\x97\x86\x25\x6D\x5D\xD3\x22\x29\xA8\x6C\xA2\x0D\xA9\xEB\x3D\x06\x5B\x99\x3A\xC7\xCC\xC3\x9A\x34\x7F\xAB\x0E\xC8\x4E\x1C\xE1\xFA\xE4\xDC\xCD\x0D\xBE\xBF\x24\xFE\x6C\xE7\x6B\xC2\x0D\xC8\x06\x9E\x4E\x8D\x61\x28\xA6\x6A\xFD\xE5\xF6\x62\xEA\x18\x3C\x4E\xA0\x53\x9D\xB2\x3A\x9C\xEB\xA5\x9C\x91\x16\xB6\x4D\x82\xE0\x0C\x05\x48\xA9\x6C\xF5\xCC\xF8\xCB\x9D\x49\xB4\xF0\x02\xA5\xFD\x70\x03\xED\x8A\x21\xA5\xAE\x13\x86\x49\xC3\x33\x73\xBE\x87\x3B\x74\x8B\x17\x45\x26\x4C\x16\x91\x83\xFE\x67\x7D\xCD\x4D\x63\x67\xFA\xF3\x03\x12\x96\x78\x06\x8D\xB1\x67\xED\x8E\x3F\xBE\x9F\x4F\x02\xF5\xB3
\x09\x2F\xF3\x4C\x87\xDF\x2A\xCB\x95\x7C\x01\xCC\xAC\x36\x7A\xBF\xA2\x73\x7A\xF7\x8F\xC1\xB5\x9A\xA1\x14\xB2\x8F\x33\x9F\x0D\xEF\x22\xDC\x66\x7B\x84\xBD\x45\x17\x06\x3D\x3C\xCA\xB9\x77\x34\x8F\xCA\xEA\xCF\x3F\x31\x3E\xE3\x88\xE3\x80\x49\x25\xC8\x97\xB5\x9D\x9A\x99\x4D\xB0\x3C\xF8\x4A\x00\x9B\x64\xDD\x9F\x39\x4B\xD1\x27\xD7\xB8", ["CN=Actalis Authentication Root CA,O=Actalis S.p.A./03358520967,L=Milan,C=IT"] = "\x30\x82\x05\xBB\x30\x82\x03\xA3\xA0\x03\x02\x01\x02\x02\x08\x57\x0A\x11\x97\x42\xC4\xE3\xCC\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x30\x6B\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x49\x54\x31\x0E\x30\x0C\x06\x03\x55\x04\x07\x0C\x05\x4D\x69\x6C\x61\x6E\x31\x23\x30\x21\x06\x03\x55\x04\x0A\x0C\x1A\x41\x63\x74\x61\x6C\x69\x73\x20\x53\x2E\x70\x2E\x41\x2E\x2F\x30\x33\x33\x35\x38\x35\x32\x30\x39\x36\x37\x31\x27\x30\x25\x06\x03\x55\x04\x03\x0C\x1E\x41\x63\x74\x61\x6C\x69\x73\x20\x41\x75\x74\x68\x65\x6E\x74\x69\x63\x61\x74\x69\x6F\x6E\x20\x52\x6F\x6F\x74\x20\x43\x41\x30\x1E\x17\x0D\x31\x31\x30\x39\x32\x32\x31\x31\x32\x32\x30\x32\x5A\x17\x0D\x33\x30\x30\x39\x32\x32\x31\x31\x32\x32\x30\x32\x5A\x30\x6B\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x49\x54\x31\x0E\x30\x0C\x06\x03\x55\x04\x07\x0C\x05\x4D\x69\x6C\x61\x6E\x31\x23\x30\x21\x06\x03\x55\x04\x0A\x0C\x1A\x41\x63\x74\x61\x6C\x69\x73\x20\x53\x2E\x70\x2E\x41\x2E\x2F\x30\x33\x33\x35\x38\x35\x32\x30\x39\x36\x37\x31\x27\x30\x25\x06\x03\x55\x04\x03\x0C\x1E\x41\x63\x74\x61\x6C\x69\x73\x20\x41\x75\x74\x68\x65\x6E\x74\x69\x63\x61\x74\x69\x6F\x6E\x20\x52\x6F\x6F\x74\x20\x43\x41\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\xA7\xC6\xC4\xA5\x29\xA4\x2C\xEF\xE5\x18\xC5\xB0\x50\xA3\x6F\x51\x3B\x9F\x0A\x5A\xC9\xC2\x48\x38\x0A\xC2\x1C\xA0\x18\x7F\x91\xB5\x87\xB9\x40\x3F\xDD\x1D\x68\x1F\x08\x83\xD5\x2D\x1E\x88\xA0\xF8\x8F\x56\x8F\x6D\x99\x02\x92\x90\x16\xD5\x5F\x08\x6C\x89\xD7\xE1\xAC\xBC\x20\xC2\xB1\xE0\x83\x51\x8A\x69\x4D\x
00\x96\x5A\x6F\x2F\xC0\x44\x7E\xA3\x0E\xE4\x91\xCD\x58\xEE\xDC\xFB\xC7\x1E\x45\x47\xDD\x27\xB9\x08\x01\x9F\xA6\x21\x1D\xF5\x41\x2D\x2F\x4C\xFD\x28\xAD\xE0\x8A\xAD\x22\xB4\x56\x65\x8E\x86\x54\x8F\x93\x43\x29\xDE\x39\x46\x78\xA3\x30\x23\xBA\xCD\xF0\x7D\x13\x57\xC0\x5D\xD2\x83\x6B\x48\x4C\xC4\xAB\x9F\x80\x5A\x5B\x3A\xBD\xC9\xA7\x22\x3F\x80\x27\x33\x5B\x0E\xB7\x8A\x0C\x5D\x07\x37\x08\xCB\x6C\xD2\x7A\x47\x22\x44\x35\xC5\xCC\xCC\x2E\x8E\xDD\x2A\xED\xB7\x7D\x66\x0D\x5F\x61\x51\x22\x55\x1B\xE3\x46\xE3\xE3\x3D\xD0\x35\x62\x9A\xDB\xAF\x14\xC8\x5B\xA1\xCC\x89\x1B\xE1\x30\x26\xFC\xA0\x9B\x1F\x81\xA7\x47\x1F\x04\xEB\xA3\x39\x92\x06\x9F\x99\xD3\xBF\xD3\xEA\x4F\x50\x9C\x19\xFE\x96\x87\x1E\x3C\x65\xF6\xA3\x18\x24\x83\x86\x10\xE7\x54\x3E\xA8\x3A\x76\x24\x4F\x81\x21\xC5\xE3\x0F\x02\xF8\x93\x94\x47\x20\xBB\xFE\xD4\x0E\xD3\x68\xB9\xDD\xC4\x7A\x84\x82\xE3\x53\x54\x79\xDD\xDB\x9C\xD2\xF2\x07\x9B\x2E\xB6\xBC\x3E\xED\x85\x6D\xEF\x25\x11\xF2\x97\x1A\x42\x61\xF7\x4A\x97\xE8\x8B\xB1\x10\x07\xFA\x65\x81\xB2\xA2\x39\xCF\xF7\x3C\xFF\x18\xFB\xC6\xF1\x5A\x8B\x59\xE2\x02\xAC\x7B\x92\xD0\x4E\x14\x4F\x59\x45\xF6\x0C\x5E\x28\x5F\xB0\xE8\x3F\x45\xCF\xCF\xAF\x9B\x6F\xFB\x84\xD3\x77\x5A\x95\x6F\xAC\x94\x84\x9E\xEE\xBC\xC0\x4A\x8F\x4A\x93\xF8\x44\x21\xE2\x31\x45\x61\x50\x4E\x10\xD8\xE3\x35\x7C\x4C\x19\xB4\xDE\x05\xBF\xA3\x06\x9F\xC8\xB5\xCD\xE4\x1F\xD7\x17\x06\x0D\x7A\x95\x74\x55\x0D\x68\x1A\xFC\x10\x1B\x62\x64\x9D\x6D\xE0\x95\xA0\xC3\x94\x07\x57\x0D\x14\xE6\xBD\x05\xFB\xB8\x9F\xE6\xDF\x8B\xE2\xC6\xE7\x7E\x96\xF6\x53\xC5\x80\x34\x50\x28\x58\xF0\x12\x50\x71\x17\x30\xBA\xE6\x78\x63\xBC\xF4\xB2\xAD\x9B\x2B\xB2\xFE\xE1\x39\x8C\x5E\xBA\x0B\x20\x94\xDE\x7B\x83\xB8\xFF\xE3\x56\x8D\xB7\x11\xE9\x3B\x8C\xF2\xB1\xC1\x5D\x9D\xA4\x0B\x4C\x2B\xD9\xB2\x18\xF5\xB5\x9F\x4B\x02\x03\x01\x00\x01\xA3\x63\x30\x61\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x52\xD8\x88\x3A\xC8\x9F\x78\x66\xED\x89\xF3\x7B\x38\x70\x94\xC9\x02\x02\x36\xD0\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1F\x06\x03\x55\x1D\x
23\x04\x18\x30\x16\x80\x14\x52\xD8\x88\x3A\xC8\x9F\x78\x66\xED\x89\xF3\x7B\x38\x70\x94\xC9\x02\x02\x36\xD0\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x03\x82\x02\x01\x00\x0B\x7B\x72\x87\xC0\x60\xA6\x49\x4C\x88\x58\xE6\x1D\x88\xF7\x14\x64\x48\xA6\xD8\x58\x0A\x0E\x4F\x13\x35\xDF\x35\x1D\xD4\xED\x06\x31\xC8\x81\x3E\x6A\xD5\xDD\x3B\x1A\x32\xEE\x90\x3D\x11\xD2\x2E\xF4\x8E\xC3\x63\x2E\x23\x66\xB0\x67\xBE\x6F\xB6\xC0\x13\x39\x60\xAA\xA2\x34\x25\x93\x75\x52\xDE\xA7\x9D\xAD\x0E\x87\x89\x52\x71\x6A\x16\x3C\x19\x1D\x83\xF8\x9A\x29\x65\xBE\xF4\x3F\x9A\xD9\xF0\xF3\x5A\x87\x21\x71\x80\x4D\xCB\xE0\x38\x9B\x3F\xBB\xFA\xE0\x30\x4D\xCF\x86\xD3\x65\x10\x19\x18\xD1\x97\x02\xB1\x2B\x72\x42\x68\xAC\xA0\xBD\x4E\x5A\xDA\x18\xBF\x6B\x98\x81\xD0\xFD\x9A\xBE\x5E\x15\x48\xCD\x11\x15\xB9\xC0\x29\x5C\xB4\xE8\x88\xF7\x3E\x36\xAE\xB7\x62\xFD\x1E\x62\xDE\x70\x78\x10\x1C\x48\x5B\xDA\xBC\xA4\x38\xBA\x67\xED\x55\x3E\x5E\x57\xDF\xD4\x03\x40\x4C\x81\xA4\xD2\x4F\x63\xA7\x09\x42\x09\x14\xFC\x00\xA9\xC2\x80\x73\x4F\x2E\xC0\x40\xD9\x11\x7B\x48\xEA\x7A\x02\xC0\xD3\xEB\x28\x01\x26\x58\x74\xC1\xC0\x73\x22\x6D\x93\x95\xFD\x39\x7D\xBB\x2A\xE3\xF6\x82\xE3\x2C\x97\x5F\x4E\x1F\x91\x94\xFA\xFE\x2C\xA3\xD8\x76\x1A\xB8\x4D\xB2\x38\x4F\x9B\xFA\x1D\x48\x60\x79\x26\xE2\xF3\xFD\xA9\xD0\x9A\xE8\x70\x8F\x49\x7A\xD6\xE5\xBD\x0A\x0E\xDB\x2D\xF3\x8D\xBF\xEB\xE3\xA4\x7D\xCB\xC7\x95\x71\xE8\xDA\xA3\x7C\xC5\xC2\xF8\x74\x92\x04\x1B\x86\xAC\xA4\x22\x53\x40\xB6\xAC\xFE\x4C\x76\xCF\xFB\x94\x32\xC0\x35\x9F\x76\x3F\x6E\xE5\x90\x6E\xA0\xA6\x26\xA2\xB8\x2C\xBE\xD1\x2B\x85\xFD\xA7\x68\xC8\xBA\x01\x2B\xB1\x6C\x74\x1D\xB8\x73\x95\xE7\xEE\xB7\xC7\x25\xF0\x00\x4C\x00\xB2\x7E\xB6\x0B\x8B\x1C\xF3\xC0\x50\x9E\x25\xB9\xE0\x08\xDE\x36\x66\xFF\x37\xA5\xD1\xBB\x54\x64\x2C\xC9\x27\xB5\x4B\x92\x7E\x65\xFF\xD3\x2D\xE1\xB9\x4E\xBC\x7F\xA4\x41\x21\x90\x41\x77\xA6\x39\x1F\xEA\x9E\xE3\x9F\xD0\x66\x6F\x05\xEC\xAA\x76\x7E\xBF\x6B\x16\xA0\xEB\xB5\xC7\xFC\x92\x54\x2F\x2B\x11\x27\x
25\x37\x78\x4C\x51\x6A\xB0\xF3\xCC\x58\x5D\x14\xF1\x6A\x48\x15\xFF\xC2\x07\xB6\xB1\x8D\x0F\x8E\x5C\x50\x46\xB3\x3D\xBF\x01\x98\x4F\xB2\x59\x54\x47\x3E\x34\x7B\x78\x6D\x56\x93\x2E\x73\xEA\x66\x28\x78\xCD\x1D\x14\xBF\xA0\x8F\x2F\x2E\xB8\x2E\x8E\xF2\x14\x8A\xCC\xE9\xB5\x7C\xFB\x6C\x9D\x0C\xA5\xE1\x96", ["OU=Trustis FPS Root CA,O=Trustis Limited,C=GB"] = "\x30\x82\x03\x67\x30\x82\x02\x4F\xA0\x03\x02\x01\x02\x02\x10\x1B\x1F\xAD\xB6\x20\xF9\x24\xD3\x36\x6B\xF7\xC7\xF1\x8C\xA0\x59\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x45\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x47\x42\x31\x18\x30\x16\x06\x03\x55\x04\x0A\x13\x0F\x54\x72\x75\x73\x74\x69\x73\x20\x4C\x69\x6D\x69\x74\x65\x64\x31\x1C\x30\x1A\x06\x03\x55\x04\x0B\x13\x13\x54\x72\x75\x73\x74\x69\x73\x20\x46\x50\x53\x20\x52\x6F\x6F\x74\x20\x43\x41\x30\x1E\x17\x0D\x30\x33\x31\x32\x32\x33\x31\x32\x31\x34\x30\x36\x5A\x17\x0D\x32\x34\x30\x31\x32\x31\x31\x31\x33\x36\x35\x34\x5A\x30\x45\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x47\x42\x31\x18\x30\x16\x06\x03\x55\x04\x0A\x13\x0F\x54\x72\x75\x73\x74\x69\x73\x20\x4C\x69\x6D\x69\x74\x65\x64\x31\x1C\x30\x1A\x06\x03\x55\x04\x0B\x13\x13\x54\x72\x75\x73\x74\x69\x73\x20\x46\x50\x53\x20\x52\x6F\x6F\x74\x20\x43\x41\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xC5\x50\x7B\x9E\x3B\x35\xD0\xDF\xC4\x8C\xCD\x8E\x9B\xED\xA3\xC0\x36\x99\xF4\x42\xEA\xA7\x3E\x80\x83\x0F\xA6\xA7\x59\x87\xC9\x90\x45\x43\x7E\x00\xEA\x86\x79\x2A\x03\xBD\x3D\x37\x99\x89\x66\xB7\xE5\x8A\x56\x86\x93\x9C\x68\x4B\x68\x04\x8C\x93\x93\x02\x3E\x30\xD2\x37\x3A\x22\x61\x89\x1C\x85\x4E\x7D\x8F\xD5\xAF\x7B\x35\xF6\x7E\x28\x47\x89\x31\xDC\x0E\x79\x64\x1F\x99\xD2\x5B\xBA\xFE\x7F\x60\xBF\xAD\xEB\xE7\x3C\x38\x29\x6A\x2F\xE5\x91\x0B\x55\xFF\xEC\x6F\x58\xD5\x2D\xC9\xDE\x4C\x66\x71\x8F\x0C\xD7\x04\xDA\x07\xE6\x1E\x18\xE3\xBD\x29\x02\xA8\xFA\x1C\xE1\x5B\xB9\x83\xA8\x41\x48\xBC\x1A\x71\x8D\xE7\x62\xE5\x2D\xB2\xEB\xDF\x7C\xCF\xDB\x
AB\x5A\xCA\x31\xF1\x4C\x22\xF3\x05\x13\xF7\x82\xF9\x73\x79\x0C\xBE\xD7\x4B\x1C\xC0\xD1\x15\x3C\x93\x41\x64\xD1\xE6\xBE\x23\x17\x22\x00\x89\x5E\x1F\x6B\xA5\xAC\x6E\xA7\x4B\x8C\xED\xA3\x72\xE6\xAF\x63\x4D\x2F\x85\xD2\x14\x35\x9A\x2E\x4E\x8C\xEA\x32\x98\x28\x86\xA1\x91\x09\x41\x3A\xB4\xE1\xE3\xF2\xFA\xF0\xC9\x0A\xA2\x41\xDD\xA9\xE3\x03\xC7\x88\x15\x3B\x1C\xD4\x1A\x94\xD7\x9F\x64\x59\x12\x6D\x02\x03\x01\x00\x01\xA3\x53\x30\x51\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1F\x06\x03\x55\x1D\x23\x04\x18\x30\x16\x80\x14\xBA\xFA\x71\x25\x79\x8B\x57\x41\x25\x21\x86\x0B\x71\xEB\xB2\x64\x0E\x8B\x21\x67\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xBA\xFA\x71\x25\x79\x8B\x57\x41\x25\x21\x86\x0B\x71\xEB\xB2\x64\x0E\x8B\x21\x67\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x7E\x58\xFF\xFD\x35\x19\x7D\x9C\x18\x4F\x9E\xB0\x2B\xBC\x8E\x8C\x14\xFF\x2C\xA0\xDA\x47\x5B\xC3\xEF\x81\x2D\xAF\x05\xEA\x74\x48\x5B\xF3\x3E\x4E\x07\xC7\x6D\xC5\xB3\x93\xCF\x22\x35\x5C\xB6\x3F\x75\x27\x5F\x09\x96\xCD\xA0\xFE\xBE\x40\x0C\x5C\x12\x55\xF8\x93\x82\xCA\x29\xE9\x5E\x3F\x56\x57\x8B\x38\x36\xF7\x45\x1A\x4C\x28\xCD\x9E\x41\xB8\xED\x56\x4C\x84\xA4\x40\xC8\xB8\xB0\xA5\x2B\x69\x70\x04\x6A\xC3\xF8\xD4\x12\x32\xF9\x0E\xC3\xB1\xDC\x32\x84\x44\x2C\x6F\xCB\x46\x0F\xEA\x66\x41\x0F\x4F\xF1\x58\xA5\xA6\x0D\x0D\x0F\x61\xDE\xA5\x9E\x5D\x7D\x65\xA1\x3C\x17\xE7\xA8\x55\x4E\xEF\xA0\xC7\xED\xC6\x44\x7F\x54\xF5\xA3\xE0\x8F\xF0\x7C\x55\x22\x8F\x29\xB6\x81\xA3\xE1\x6D\x4E\x2C\x1B\x80\x67\xEC\xAD\x20\x9F\x0C\x62\x61\xD5\x97\xFF\x43\xED\x2D\xC1\xDA\x5D\x29\x2A\x85\x3F\xAC\x65\xEE\x86\x0F\x05\x8D\x90\x5F\xDF\xEE\x9F\xF4\xBF\xEE\x1D\xFB\x98\xE4\x7F\x90\x2B\x84\x78\x10\x0E\x6C\x49\x53\xEF\x15\x5B\x65\x46\x4A\x5D\xAF\xBA\xFB\x3A\x72\x1D\xCD\xF6\x25\x88\x1E\x97\xCC\x21\x9C\x29\x01\x0D\x65\xEB\x57\xD9\xF3\x57\x96\xBB\x48\xCD\x81", - ["CN=StartCom Certification Authority G2,O=StartCom Ltd.,C=IL"] = 
"\x30\x82\x05\x63\x30\x82\x03\x4B\xA0\x03\x02\x01\x02\x02\x01\x3B\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x30\x53\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x49\x4C\x31\x16\x30\x14\x06\x03\x55\x04\x0A\x13\x0D\x53\x74\x61\x72\x74\x43\x6F\x6D\x20\x4C\x74\x64\x2E\x31\x2C\x30\x2A\x06\x03\x55\x04\x03\x13\x23\x53\x74\x61\x72\x74\x43\x6F\x6D\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x20\x47\x32\x30\x1E\x17\x0D\x31\x30\x30\x31\x30\x31\x30\x31\x30\x30\x30\x31\x5A\x17\x0D\x33\x39\x31\x32\x33\x31\x32\x33\x35\x39\x30\x31\x5A\x30\x53\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x49\x4C\x31\x16\x30\x14\x06\x03\x55\x04\x0A\x13\x0D\x53\x74\x61\x72\x74\x43\x6F\x6D\x20\x4C\x74\x64\x2E\x31\x2C\x30\x2A\x06\x03\x55\x04\x03\x13\x23\x53\x74\x61\x72\x74\x43\x6F\x6D\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x20\x47\x32\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\xB6\x89\x36\x5B\x07\xB7\x20\x36\xBD\x82\xBB\xE1\x16\x20\x03\x95\x7A\xAF\x0E\xA3\x55\xC9\x25\x99\x4A\xC5\xD0\x56\x41\x87\x90\x4D\x21\x60\xA4\x14\x87\x3B\xCD\xFD\xB2\x3E\xB4\x67\x03\x6A\xED\xE1\x0F\x4B\xC0\x91\x85\x70\x45\xE0\x42\x9E\xDE\x29\x23\xD4\x01\x0D\xA0\x10\x79\xB8\xDB\x03\xBD\xF3\xA9\x2F\xD1\xC6\xE0\x0F\xCB\x9E\x8A\x14\x0A\xB8\xBD\xF6\x56\x62\xF1\xC5\x72\xB6\x32\x25\xD9\xB2\xF3\xBD\x65\xC5\x0D\x2C\x6E\xD5\x92\x6F\x18\x8B\x00\x41\x14\x82\x6F\x40\x20\x26\x7A\x28\x0F\xF5\x1E\x7F\x27\xF7\x94\xB1\x37\x3D\xB7\xC7\x91\xF7\xE2\x01\xEC\xFD\x94\x89\xE1\xCC\x6E\xD3\x36\xD6\x0A\x19\x79\xAE\xD7\x34\x82\x65\xFF\x7C\x42\xBB\xB6\xDD\x0B\xA6\x34\xAF\x4B\x60\xFE\x7F\x43\x49\x06\x8B\x8C\x43\xB8\x56\xF2\xD9\x7F\x21\x43\x17\xEA\xA7\x48\x95\x01\x75\x75\xEA\x2B\xA5\x43\x95\xEA\x15\x84\x9D\x08\x8D\x26\x6E\x55\x9B\xAB\xDC\xD2\x39\xD2\x31\x1D\x60\xE2\xAC\xCC\x56\x45\x24\xF5\x1C\x54\xAB\xEE\x86\xDD\x96\x32\x85\xF8\x4C\x4F\xE8\x95\x76\xB6\x0
5\xDD\x36\x23\x67\xBC\xFF\x15\xE2\xCA\x3B\xE6\xA6\xEC\x3B\xEC\x26\x11\x34\x48\x8D\xF6\x80\x2B\x1A\x23\x02\xEB\x8A\x1C\x3A\x76\x2A\x7B\x56\x16\x1C\x72\x2A\xB3\xAA\xE3\x60\xA5\x00\x9F\x04\x9B\xE2\x6F\x1E\x14\x58\x5B\xA5\x6C\x8B\x58\x3C\xC3\xBA\x4E\x3A\x5C\xF7\xE1\x96\x2B\x3E\xEF\x07\xBC\xA4\xE5\x5D\xCC\x4D\x9F\x0D\xE1\xDC\xAA\xBB\xE1\x6E\x1A\xEC\x8F\xE1\xB6\x4C\x4D\x79\x72\x5D\x17\x35\x0B\x1D\xD7\xC1\x47\xDA\x96\x24\xE0\xD0\x72\xA8\x5A\x5F\x66\x2D\x10\xDC\x2F\x2A\x13\xAE\x26\xFE\x0A\x1C\x19\xCC\xD0\x3E\x0B\x9C\xC8\x09\x2E\xF9\x5B\x96\x7A\x47\x9C\xE9\x7A\xF3\x05\x50\x74\x95\x73\x9E\x30\x09\xF3\x97\x82\x5E\xE6\x8F\x39\x08\x1E\x59\xE5\x35\x14\x42\x13\xFF\x00\x9C\xF7\xBE\xAA\x50\xCF\xE2\x51\x48\xD7\xB8\x6F\xAF\xF8\x4E\x7E\x33\x98\x92\x14\x62\x3A\x75\x63\xCF\x7B\xFA\xDE\x82\x3B\xA9\xBB\x39\xE2\xC4\xBD\x2C\x00\x0E\xC8\x17\xAC\x13\xEF\x4D\x25\x8E\xD8\xB3\x90\x2F\xA9\xDA\x29\x7D\x1D\xAF\x74\x3A\xB2\x27\xC0\xC1\x1E\x3E\x75\xA3\x16\xA9\xAF\x7A\x22\x5D\x9F\x13\x1A\xCF\xA7\xA0\xEB\xE3\x86\x0A\xD3\xFD\xE6\x96\x95\xD7\x23\xC8\x37\xDD\xC4\x7C\xAA\x36\xAC\x98\x1A\x12\xB1\xE0\x4E\xE8\xB1\x3B\xF5\xD6\x6F\xF1\x30\xD7\x02\x03\x01\x00\x01\xA3\x42\x30\x40\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x4B\xC5\xB4\x40\x6B\xAD\x1C\xB3\xA5\x1C\x65\x6E\x46\x36\x89\x87\x05\x0C\x0E\xB6\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x03\x82\x02\x01\x00\x73\x57\x3F\x2C\xD5\x95\x32\x7E\x37\xDB\x96\x92\xEB\x19\x5E\x7E\x53\xE7\x41\xEC\x11\xB6\x47\xEF\xB5\xDE\xED\x74\x5C\xC5\xF1\x8E\x49\xE0\xFC\x6E\x99\x13\xCD\x9F\x8A\xDA\xCD\x3A\x0A\xD8\x3A\x5A\x09\x3F\x5F\x34\xD0\x2F\x03\xD2\x66\x1D\x1A\xBD\x9C\x90\x37\xC8\x0C\x8E\x07\x5A\x94\x45\x46\x2A\xE6\xBE\x7A\xDA\xA1\xA9\xA4\x69\x12\x92\xB0\x7D\x36\xD4\x44\x87\xD7\x51\xF1\x29\x63\xD6\x75\xCD\x16\xE4\x27\x89\x1D\xF8\xC2\x32\x48\xFD\xDB\x99\xD0\x8F\x5F\x54\x74\xCC\xAC\x67\x34\x11\x62\xD9\x0C\x0A\x37\x87\xD1\xA3\x17\x48\x8
E\xD2\x17\x1D\xF6\xD7\xFD\xDB\x65\xEB\xFD\xA8\xD4\xF5\xD6\x4F\xA4\x5B\x75\xE8\xC5\xD2\x60\xB2\xDB\x09\x7E\x25\x8B\x7B\xBA\x52\x92\x9E\x3E\xE8\xC5\x77\xA1\x3C\xE0\x4A\x73\x6B\x61\xCF\x86\xDC\x43\xFF\xFF\x21\xFE\x23\x5D\x24\x4A\xF5\xD3\x6D\x0F\x62\x04\x05\x57\x82\xDA\x6E\xA4\x33\x25\x79\x4B\x2E\x54\x19\x8B\xCC\x2C\x3D\x30\xE9\xD1\x06\xFF\xE8\x32\x46\xBE\xB5\x33\x76\x77\xA8\x01\x5D\x96\xC1\xC1\xD5\xBE\xAE\x25\xC0\xC9\x1E\x0A\x09\x20\x88\xA1\x0E\xC9\xF3\x6F\x4D\x82\x54\x00\x20\xA7\xD2\x8F\xE4\x39\x54\x17\x2E\x8D\x1E\xB8\x1B\xBB\x1B\xBD\x9A\x4E\x3B\x10\x34\xDC\x9C\x88\x53\xEF\xA2\x31\x5B\x58\x4F\x91\x62\xC8\xC2\x9A\x9A\xCD\x15\x5D\x38\xA9\xD6\xBE\xF8\x13\xB5\x9F\x12\x69\xF2\x50\x62\xAC\xFB\x17\x37\xF4\xEE\xB8\x75\x67\x60\x10\xFB\x83\x50\xF9\x44\xB5\x75\x9C\x40\x17\xB2\xFE\xFD\x79\x5D\x6E\x58\x58\x5F\x30\xFC\x00\xAE\xAF\x33\xC1\x0E\x4E\x6C\xBA\xA7\xA6\xA1\x7F\x32\xDB\x38\xE0\xB1\x72\x17\x0A\x2B\x91\xEC\x6A\x63\x26\xED\x89\xD4\x78\xCC\x74\x1E\x05\xF8\x6B\xFE\x8C\x6A\x76\x39\x29\xAE\x65\x23\x12\x95\x08\x22\x1C\x97\xCE\x5B\x06\xEE\x0C\xE2\xBB\xBC\x1F\x44\x93\xF6\xD8\x38\x45\x05\x21\xED\xE4\xAD\xAB\x12\xB6\x03\xA4\x42\x2E\x2D\xC4\x09\x3A\x03\x67\x69\x84\x9A\xE1\x59\x90\x8A\x28\x85\xD5\x5D\x74\xB1\xD1\x0E\x20\x58\x9B\x13\xA5\xB0\x63\xA6\xED\x7B\x47\xFD\x45\x55\x30\xA4\xEE\x9A\xD4\xE6\xE2\x87\xEF\x98\xC9\x32\x82\x11\x29\x22\xBC\x00\x0A\x31\x5E\x2D\x0F\xC0\x8E\xE9\x6B\xB2\x8F\x2E\x06\xD8\xD1\x91\xC7\xC6\x12\xF4\x4C\xFD\x30\x17\xC3\xC1\xDA\x38\x5B\xE3\xA9\xEA\xE6\xA1\xBA\x79\xEF\x73\xD8\xB6\x53\x57\x2D\xF6\xD0\xE1\xD7\x48", ["CN=Buypass Class 2 Root CA,O=Buypass AS-983163327,C=NO"] = 
"\x30\x82\x05\x59\x30\x82\x03\x41\xA0\x03\x02\x01\x02\x02\x01\x02\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x30\x4E\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x4E\x4F\x31\x1D\x30\x1B\x06\x03\x55\x04\x0A\x0C\x14\x42\x75\x79\x70\x61\x73\x73\x20\x41\x53\x2D\x39\x38\x33\x31\x36\x33\x33\x32\x37\x31\x20\x30\x1E\x06\x03\x55\x04\x03\x0C\x17\x42\x75\x79\x70\x61\x73\x73\x20\x43\x6C\x61\x73\x73\x20\x32\x20\x52\x6F\x6F\x74\x20\x43\x41\x30\x1E\x17\x0D\x31\x30\x31\x30\x32\x36\x30\x38\x33\x38\x30\x33\x5A\x17\x0D\x34\x30\x31\x30\x32\x36\x30\x38\x33\x38\x30\x33\x5A\x30\x4E\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x4E\x4F\x31\x1D\x30\x1B\x06\x03\x55\x04\x0A\x0C\x14\x42\x75\x79\x70\x61\x73\x73\x20\x41\x53\x2D\x39\x38\x33\x31\x36\x33\x33\x32\x37\x31\x20\x30\x1E\x06\x03\x55\x04\x03\x0C\x17\x42\x75\x79\x70\x61\x73\x73\x20\x43\x6C\x61\x73\x73\x20\x32\x20\x52\x6F\x6F\x74\x20\x43\x41\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\xD7\xC7\x5E\xF7\xC1\x07\xD4\x77\xFB\x43\x21\xF4\xF4\xF5\x69\xE4\xEE\x32\x01\xDB\xA3\x86\x1F\xE4\x59\x0D\xBA\xE7\x75\x83\x52\xEB\xEA\x1C\x61\x15\x48\xBB\x1D\x07\xCA\x8C\xAE\xB0\xDC\x96\x9D\xEA\xC3\x60\x92\x86\x82\x28\x73\x9C\x56\x06\xFF\x4B\x64\xF0\x0C\x2A\x37\x49\xB5\xE5\xCF\x0C\x7C\xEE\xF1\x4A\xBB\x73\x30\x65\xF3\xD5\x2F\x83\xB6\x7E\xE3\xE7\xF5\x9E\xAB\x60\xF9\xD3\xF1\x9D\x92\x74\x8A\xE4\x1C\x96\xAC\x5B\x80\xE9\xB5\xF4\x31\x87\xA3\x51\xFC\xC7\x7E\xA1\x6F\x8E\x53\x77\xD4\x97\xC1\x55\x33\x92\x3E\x18\x2F\x75\xD4\xAD\x86\x49\xCB\x95\xAF\x54\x06\x6C\xD8\x06\x13\x8D\x5B\xFF\xE1\x26\x19\x59\xC0\x24\xBA\x81\x71\x79\x90\x44\x50\x68\x24\x94\x5F\xB8\xB3\x11\xF1\x29\x41\x61\xA3\x41\xCB\x23\x36\xD5\xC1\xF1\x32\x50\x10\x4E\x7F\xF4\x86\x93\xEC\x84\xD3\x8E\xBC\x4B\xBF\x5C\x01\x4E\x07\x3D\xDC\x14\x8A\x94\x0A\xA4\xEA\x73\xFB\x0B\x51\xE8\x13\x07\x18\xFA\x0E\xF1\x2B\xD1\x54\x15\x7D\x3C\xE1\xF7\xB4\x19\x42\x67\x62\x5E\x77\xE0\xA2\x55\xEC\xB6\xD9\x69\x17\xD5\x3A\xAF\x44\xED\x4A\xC
5\x9E\xE4\x7A\x27\x7C\xE5\x75\xD7\xAA\xCB\x25\xE7\xDF\x6B\x0A\xDB\x0F\x4D\x93\x4E\xA8\xA0\xCD\x7B\x2E\xF2\x59\x01\x6A\xB7\x0D\xB8\x07\x81\x7E\x8B\x38\x1B\x38\xE6\x0A\x57\x99\x3D\xEE\x21\xE8\xA3\xF5\x0C\x16\xDD\x8B\xEC\x34\x8E\x9C\x2A\x1C\x00\x15\x17\x8D\x68\x83\xD2\x70\x9F\x18\x08\xCD\x11\x68\xD5\xC9\x6B\x52\xCD\xC4\x46\x8F\xDC\xB5\xF3\xD8\x57\x73\x1E\xE9\x94\x39\x04\xBF\xD3\xDE\x38\xDE\xB4\x53\xEC\x69\x1C\xA2\x7E\xC4\x8F\xE4\x1B\x70\xAD\xF2\xA2\xF9\xFB\xF7\x16\x64\x66\x69\x9F\x49\x51\xA2\xE2\x15\x18\x67\x06\x4A\x7F\xD5\x6C\xB5\x4D\xB3\x33\xE0\x61\xEB\x5D\xBE\xE9\x98\x0F\x32\xD7\x1D\x4B\x3C\x2E\x5A\x01\x52\x91\x09\xF2\xDF\xEA\x8D\xD8\x06\x40\x63\xAA\x11\xE4\xFE\xC3\x37\x9E\x14\x52\x3F\xF4\xE2\xCC\xF2\x61\x93\xD1\xFD\x67\x6B\xD7\x52\xAE\xBF\x68\xAB\x40\x43\xA0\x57\x35\x53\x78\xF0\x53\xF8\x61\x42\x07\x64\xC6\xD7\x6F\x9B\x4C\x38\x0D\x63\xAC\x62\xAF\x36\x8B\xA2\x73\x0A\x0D\xF5\x21\xBD\x74\xAA\x4D\xEA\x72\x03\x49\xDB\xC7\x5F\x1D\x62\x63\xC7\xFD\xDD\x91\xEC\x33\xEE\xF5\x6D\xB4\x6E\x30\x68\xDE\xC8\xD6\x26\xB0\x75\x5E\x7B\xB4\x07\x20\x98\xA1\x76\x32\xB8\x4D\x6C\x4F\x02\x03\x01\x00\x01\xA3\x42\x30\x40\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xC9\x80\x77\xE0\x62\x92\x82\xF5\x46\x9C\xF3\xBA\xF7\x4C\xC3\xDE\xB8\xA3\xAD\x39\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x03\x82\x02\x01\x00\x53\x5F\x21\xF5\xBA\xB0\x3A\x52\x39\x2C\x92\xB0\x6C\x00\xC9\xEF\xCE\x20\xEF\x06\xF2\x96\x9E\xE9\xA4\x74\x7F\x7A\x16\xFC\xB7\xF5\xB6\xFB\x15\x1B\x3F\xAB\xA6\xC0\x72\x5D\x10\xB1\x71\xEE\xBC\x4F\xE3\xAD\xAC\x03\x6D\x2E\x71\x2E\xAF\xC4\xE3\xAD\xA3\xBD\x0C\x11\xA7\xB4\xFF\x4A\xB2\x7B\x10\x10\x1F\xA7\x57\x41\xB2\xC0\xAE\xF4\x2C\x59\xD6\x47\x10\x88\xF3\x21\x51\x29\x30\xCA\x60\x86\xAF\x46\xAB\x1D\xED\x3A\x5B\xB0\x94\xDE\x44\xE3\x41\x08\xA2\xC1\xEC\x1D\xD6\xFD\x4F\xB6\xD6\x47\xD0\x14\x0B\xCA\xE6\xCA\xB5\x7B\x77\x7E\x41\x1F\x5E\x83\xC7\xB6\x8C\x39\x96\xB0\x3
F\x96\x81\x41\x6F\x60\x90\xE2\xE8\xF9\xFB\x22\x71\xD9\x7D\xB3\x3D\x46\xBF\xB4\x84\xAF\x90\x1C\x0F\x8F\x12\x6A\xAF\xEF\xEE\x1E\x7A\xAE\x02\x4A\x8A\x17\x2B\x76\xFE\xAC\x54\x89\x24\x2C\x4F\x3F\xB6\xB2\xA7\x4E\x8C\xA8\x91\x97\xFB\x29\xC6\x7B\x5C\x2D\xB9\xCB\x66\xB6\xB7\xA8\x5B\x12\x51\x85\xB5\x09\x7E\x62\x78\x70\xFE\xA9\x6A\x60\xB6\x1D\x0E\x79\x0C\xFD\xCA\xEA\x24\x80\x72\xC3\x97\x3F\xF2\x77\xAB\x43\x22\x0A\xC7\xEB\xB6\x0C\x84\x82\x2C\x80\x6B\x41\x8A\x08\xC0\xEB\xA5\x6B\xDF\x99\x12\xCB\x8A\xD5\x5E\x80\x0C\x91\xE0\x26\x08\x36\x48\xC5\xFA\x38\x11\x35\xFF\x25\x83\x2D\xF2\x7A\xBF\xDA\xFD\x8E\xFE\xA5\xCB\x45\x2C\x1F\xC4\x88\x53\xAE\x77\x0E\xD9\x9A\x76\xC5\x8E\x2C\x1D\xA3\xBA\xD5\xEC\x32\xAE\xC0\xAA\xAC\xF7\xD1\x7A\x4D\xEB\xD4\x07\xE2\x48\xF7\x22\x8E\xB0\xA4\x9F\x6A\xCE\x8E\xB2\xB2\x60\xF4\xA3\x22\xD0\x23\xEB\x94\x5A\x7A\x69\xDD\x0F\xBF\x40\x57\xAC\x6B\x59\x50\xD9\xA3\x99\xE1\x6E\xFE\x8D\x01\x79\x27\x23\x15\xDE\x92\x9D\x7B\x09\x4D\x5A\xE7\x4B\x48\x30\x5A\x18\xE6\x0A\x6D\xE6\x8F\xE0\xD2\xBB\xE6\xDF\x7C\x6E\x21\x82\xC1\x68\x39\x4D\xB4\x98\x58\x66\x62\xCC\x4A\x90\x5E\xC3\xFA\x27\x04\xB1\x79\x15\x74\x99\xCC\xBE\xAD\x20\xDE\x26\x60\x1C\xEB\x56\x51\xA6\xA3\xEA\xE4\xA3\x3F\xA7\xFF\x61\xDC\xF1\x5A\x4D\x6C\x32\x23\x43\xEE\xAC\xA8\xEE\xEE\x4A\x12\x09\x3C\x5D\x71\xC2\xBE\x79\xFA\xC2\x87\x68\x1D\x0B\xFD\x5C\x69\xCC\x06\xD0\x9A\x7D\x54\x99\x2A\xC9\x39\x1A\x19\xAF\x4B\x2A\x43\xF3\x63\x5D\x5A\x58\xE2\x2F\xE3\x1D\xE4\xA9\xD6\xD0\x0A\xD0\x9E\xBF\xD7\x81\x09\xF1\xC9\xC7\x26\x0D\xAC\x98\x16\x56\xA0", ["CN=Buypass Class 3 Root CA,O=Buypass AS-983163327,C=NO"] = 
"\x30\x82\x05\x59\x30\x82\x03\x41\xA0\x03\x02\x01\x02\x02\x01\x02\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x30\x4E\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x4E\x4F\x31\x1D\x30\x1B\x06\x03\x55\x04\x0A\x0C\x14\x42\x75\x79\x70\x61\x73\x73\x20\x41\x53\x2D\x39\x38\x33\x31\x36\x33\x33\x32\x37\x31\x20\x30\x1E\x06\x03\x55\x04\x03\x0C\x17\x42\x75\x79\x70\x61\x73\x73\x20\x43\x6C\x61\x73\x73\x20\x33\x20\x52\x6F\x6F\x74\x20\x43\x41\x30\x1E\x17\x0D\x31\x30\x31\x30\x32\x36\x30\x38\x32\x38\x35\x38\x5A\x17\x0D\x34\x30\x31\x30\x32\x36\x30\x38\x32\x38\x35\x38\x5A\x30\x4E\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x4E\x4F\x31\x1D\x30\x1B\x06\x03\x55\x04\x0A\x0C\x14\x42\x75\x79\x70\x61\x73\x73\x20\x41\x53\x2D\x39\x38\x33\x31\x36\x33\x33\x32\x37\x31\x20\x30\x1E\x06\x03\x55\x04\x03\x0C\x17\x42\x75\x79\x70\x61\x73\x73\x20\x43\x6C\x61\x73\x73\x20\x33\x20\x52\x6F\x6F\x74\x20\x43\x41\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\xA5\xDA\x0A\x95\x16\x50\xE3\x95\xF2\x5E\x9D\x76\x31\x06\x32\x7A\x9B\xF1\x10\x76\xB8\x00\x9A\xB5\x52\x36\xCD\x24\x47\xB0\x9F\x18\x64\xBC\x9A\xF6\xFA\xD5\x79\xD8\x90\x62\x4C\x22\x2F\xDE\x38\x3D\xD6\xE0\xA8\xE9\x1C\x2C\xDB\x78\x11\xE9\x8E\x68\x51\x15\x72\xC7\xF3\x33\x87\xE4\xA0\x5D\x0B\x5C\xE0\x57\x07\x2A\x30\xF5\xCD\xC4\x37\x77\x28\x4D\x18\x91\xE6\xBF\xD5\x52\xFD\x71\x2D\x70\x3E\xE7\xC6\xC4\x8A\xE3\xF0\x28\x0B\xF4\x76\x98\xA1\x8B\x87\x55\xB2\x3A\x13\xFC\xB7\x3E\x27\x37\x8E\x22\xE3\xA8\x4F\x2A\xEF\x60\xBB\x3D\xB7\x39\xC3\x0E\x01\x47\x99\x5D\x12\x4F\xDB\x43\xFA\x57\xA1\xED\xF9\x9D\xBE\x11\x47\x26\x5B\x13\x98\xAB\x5D\x16\x8A\xB0\x37\x1C\x57\x9D\x45\xFF\x88\x96\x36\xBF\xBB\xCA\x07\x7B\x6F\x87\x63\xD7\xD0\x32\x6A\xD6\x5D\x6C\x0C\xF1\xB3\x6E\x39\xE2\x6B\x31\x2E\x39\x00\x27\x14\xDE\x38\xC0\xEC\x19\x66\x86\x12\xE8\x9D\x72\x16\x13\x64\x52\xC7\xA9\x37\x1C\xFD\x82\x30\xED\x84\x18\x1D\xF4\xAE\x5C\xFF\x70\x13\x00\xEB\xB1\xF5\x33\x7A\x4B\xD6\x55\xF8\x05\x8D\x4B\x69\xB0\xF5\xB
3\x28\x36\x5C\x14\xC4\x51\x73\x4D\x6B\x0B\xF1\x34\x07\xDB\x17\x39\xD7\xDC\x28\x7B\x6B\xF5\x9F\xF3\x2E\xC1\x4F\x17\x2A\x10\xF3\xCC\xCA\xE8\xEB\xFD\x6B\xAB\x2E\x9A\x9F\x2D\x82\x6E\x04\xD4\x52\x01\x93\x2D\x3D\x86\xFC\x7E\xFC\xDF\xEF\x42\x1D\xA6\x6B\xEF\xB9\x20\xC6\xF7\xBD\xA0\xA7\x95\xFD\xA7\xE6\x89\x24\xD8\xCC\x8C\x34\x6C\xE2\x23\x2F\xD9\x12\x1A\x21\xB9\x55\x91\x6F\x0B\x91\x79\x19\x0C\xAD\x40\x88\x0B\x70\xE2\x7A\xD2\x0E\xD8\x68\x48\xBB\x82\x13\x39\x10\x58\xE9\xD8\x2A\x07\xC6\x12\xDB\x58\xDB\xD2\x3B\x55\x10\x47\x05\x15\x67\x62\x7E\x18\x63\xA6\x46\x3F\x09\x0E\x54\x32\x5E\xBF\x0D\x62\x7A\x27\xEF\x80\xE8\xDB\xD9\x4B\x06\x5A\x37\x5A\x25\xD0\x08\x12\x77\xD4\x6F\x09\x50\x97\x3D\xC8\x1D\xC3\xDF\x8C\x45\x30\x56\xC6\xD3\x64\xAB\x66\xF3\xC0\x5E\x96\x9C\xC3\xC4\xEF\xC3\x7C\x6B\x8B\x3A\x79\x7F\xB3\x49\xCF\x3D\xE2\x89\x9F\xA0\x30\x4B\x85\xB9\x9C\x94\x24\x79\x8F\x7D\x6B\xA9\x45\x68\x0F\x2B\xD0\xF1\xDA\x1C\xCB\x69\xB8\xCA\x49\x62\x6D\xC8\xD0\x63\x62\xDD\x60\x0F\x58\xAA\x8F\xA1\xBC\x05\xA5\x66\xA2\xCF\x1B\x76\xB2\x84\x64\xB1\x4C\x39\x52\xC0\x30\xBA\xF0\x8C\x4B\x02\xB0\xB6\xB7\x02\x03\x01\x00\x01\xA3\x42\x30\x40\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x47\xB8\xCD\xFF\xE5\x6F\xEE\xF8\xB2\xEC\x2F\x4E\x0E\xF9\x25\xB0\x8E\x3C\x6B\xC3\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x03\x82\x02\x01\x00\x00\x20\x23\x41\x35\x04\x90\xC2\x40\x62\x60\xEF\xE2\x35\x4C\xD7\x3F\xAC\xE2\x34\x90\xB8\xA1\x6F\x76\xFA\x16\x16\xA4\x48\x37\x2C\xE9\x90\xC2\xF2\x3C\xF8\x0A\x9F\xD8\x81\xE5\xBB\x5B\xDA\x25\x2C\xA4\xA7\x55\x71\x24\x32\xF6\xC8\x0B\xF2\xBC\x6A\xF8\x93\xAC\xB2\x07\xC2\x5F\x9F\xDB\xCC\xC8\x8A\xAA\xBE\x6A\x6F\xE1\x49\x10\xCC\x31\xD7\x80\xBB\xBB\xC8\xD8\xA2\x0E\x64\x57\xEA\xA2\xF5\xC2\xA9\x31\x15\xD2\x20\x6A\xEC\xFC\x22\x01\x28\xCF\x86\xB8\x80\x1E\xA9\xCC\x11\xA5\x3C\xF2\x16\xB3\x47\x9D\xFC\xD2\x80\x21\xC4\xCB\xD0\x47\x70\x41\xA1\xCA\x83\x19\x08\x2C\x6D\xF
2\x5D\x77\x9C\x8A\x14\x13\xD4\x36\x1C\x92\xF0\xE5\x06\x37\xDC\xA6\xE6\x90\x9B\x38\x8F\x5C\x6B\x1B\x46\x86\x43\x42\x5F\x3E\x01\x07\x53\x54\x5D\x65\x7D\xF7\x8A\x73\xA1\x9A\x54\x5A\x1F\x29\x43\x14\x27\xC2\x85\x0F\xB5\x88\x7B\x1A\x3B\x94\xB7\x1D\x60\xA7\xB5\x9C\xE7\x29\x69\x57\x5A\x9B\x93\x7A\x43\x30\x1B\x03\xD7\x62\xC8\x40\xA6\xAA\xFC\x64\xE4\x4A\xD7\x91\x53\x01\xA8\x20\x88\x6E\x9C\x5F\x44\xB9\xCB\x60\x81\x34\xEC\x6F\xD3\x7D\xDA\x48\x5F\xEB\xB4\x90\xBC\x2D\xA9\x1C\x0B\xAC\x1C\xD5\xA2\x68\x20\x80\x04\xD6\xFC\xB1\x8F\x2F\xBB\x4A\x31\x0D\x4A\x86\x1C\xEB\xE2\x36\x29\x26\xF5\xDA\xD8\xC4\xF2\x75\x61\xCF\x7E\xAE\x76\x63\x4A\x7A\x40\x65\x93\x87\xF8\x1E\x80\x8C\x86\xE5\x86\xD6\x8F\x0E\xFC\x53\x2C\x60\xE8\x16\x61\x1A\xA2\x3E\x43\x7B\xCD\x39\x60\x54\x6A\xF5\xF2\x89\x26\x01\x68\x83\x48\xA2\x33\xE8\xC9\x04\x91\xB2\x11\x34\x11\x3E\xEA\xD0\x43\x19\x1F\x03\x93\x90\x0C\xFF\x51\x3D\x57\xF4\x41\x6E\xE1\xCB\xA0\xBE\xEB\xC9\x63\xCD\x6D\xCC\xE4\xF8\x36\xAA\x68\x9D\xED\xBD\x5D\x97\x70\x44\x0D\xB6\x0E\x35\xDC\xE1\x0C\x5D\xBB\xA0\x51\x94\xCB\x7E\x16\xEB\x11\x2F\xA3\x92\x45\xC8\x4C\x71\xD9\xBC\xC9\x99\x52\x57\x46\x2F\x50\xCF\xBD\x35\x69\xF4\x3D\x15\xCE\x06\xA5\x2C\x0F\x3E\xF6\x81\xBA\x94\xBB\xC3\xBB\xBF\x65\x78\xD2\x86\x79\xFF\x49\x3B\x1A\x83\x0C\xF0\xDE\x78\xEC\xC8\xF2\x4D\x4C\x1A\xDE\x82\x29\xF8\xC1\x5A\xDA\xED\xEE\xE6\x27\x5E\xE8\x45\xD0\x9D\x1C\x51\xA8\x68\xAB\x44\xE3\xD0\x8B\x6A\xE3\xF8\x3B\xBB\xDC\x4D\xD7\x64\xF2\x51\xBE\xE6\xAA\xAB\x5A\xE9\x31\xEE\x06\xBC\x73\xBF\x13\x62\x0A\x9F\xC7\xB9\x97", ["CN=T-TeleSec GlobalRoot Class 3,OU=T-Systems Trust Center,O=T-Systems Enterprise Services GmbH,C=DE"] = 
"\x30\x82\x03\xC3\x30\x82\x02\xAB\xA0\x03\x02\x01\x02\x02\x01\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x30\x81\x82\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x44\x45\x31\x2B\x30\x29\x06\x03\x55\x04\x0A\x0C\x22\x54\x2D\x53\x79\x73\x74\x65\x6D\x73\x20\x45\x6E\x74\x65\x72\x70\x72\x69\x73\x65\x20\x53\x65\x72\x76\x69\x63\x65\x73\x20\x47\x6D\x62\x48\x31\x1F\x30\x1D\x06\x03\x55\x04\x0B\x0C\x16\x54\x2D\x53\x79\x73\x74\x65\x6D\x73\x20\x54\x72\x75\x73\x74\x20\x43\x65\x6E\x74\x65\x72\x31\x25\x30\x23\x06\x03\x55\x04\x03\x0C\x1C\x54\x2D\x54\x65\x6C\x65\x53\x65\x63\x20\x47\x6C\x6F\x62\x61\x6C\x52\x6F\x6F\x74\x20\x43\x6C\x61\x73\x73\x20\x33\x30\x1E\x17\x0D\x30\x38\x31\x30\x30\x31\x31\x30\x32\x39\x35\x36\x5A\x17\x0D\x33\x33\x31\x30\x30\x31\x32\x33\x35\x39\x35\x39\x5A\x30\x81\x82\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x44\x45\x31\x2B\x30\x29\x06\x03\x55\x04\x0A\x0C\x22\x54\x2D\x53\x79\x73\x74\x65\x6D\x73\x20\x45\x6E\x74\x65\x72\x70\x72\x69\x73\x65\x20\x53\x65\x72\x76\x69\x63\x65\x73\x20\x47\x6D\x62\x48\x31\x1F\x30\x1D\x06\x03\x55\x04\x0B\x0C\x16\x54\x2D\x53\x79\x73\x74\x65\x6D\x73\x20\x54\x72\x75\x73\x74\x20\x43\x65\x6E\x74\x65\x72\x31\x25\x30\x23\x06\x03\x55\x04\x03\x0C\x1C\x54\x2D\x54\x65\x6C\x65\x53\x65\x63\x20\x47\x6C\x6F\x62\x61\x6C\x52\x6F\x6F\x74\x20\x43\x6C\x61\x73\x73\x20\x33\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xBD\x75\x93\xF0\x62\x22\x6F\x24\xAE\xE0\x7A\x76\xAC\x7D\xBD\xD9\x24\xD5\xB8\xB7\xFC\xCD\xF0\x42\xE0\xEB\x78\x88\x56\x5E\x9B\x9A\x54\x1D\x4D\x0C\x8A\xF6\xD3\xCF\x70\xF4\x52\xB5\xD8\x93\x04\xE3\x46\x86\x71\x41\x4A\x2B\xF0\x2A\x2C\x55\x03\xD6\x48\xC3\xE0\x39\x38\xED\xF2\x5C\x3C\x3F\x44\xBC\x93\x3D\x61\xAB\x4E\xCD\x0D\xBE\xF0\x20\x27\x58\x0E\x44\x7F\x04\x1A\x87\xA5\xD7\x96\x14\x36\x90\xD0\x49\x7B\xA1\x75\xFB\x1A\x6B\x73\xB1\xF8\xCE\xA9\x09\x2C\xF2\x53\xD5\xC3\x14\x44\xB8\x86\xA5\xF6\x8B\x2B\x39\xDA\xA3\x33\x54\xD9\xFA\x72\x1A\xF7\x22\x15\x1C\x88\x9
1\x6B\x7F\x66\xE5\xC3\x6A\x80\xB0\x24\xF3\xDF\x86\x45\x88\xFD\x19\x7F\x75\x87\x1F\x1F\xB1\x1B\x0A\x73\x24\x5B\xB9\x65\xE0\x2C\x54\xC8\x60\xD3\x66\x17\x3F\xE1\xCC\x54\x33\x73\x91\x02\x3A\xA6\x7F\x7B\x76\x39\xA2\x1F\x96\xB6\x38\xAE\xB5\xC8\x93\x74\x1D\x9E\xB9\xB4\xE5\x60\x9D\x2F\x56\xD1\xE0\xEB\x5E\x5B\x4C\x12\x70\x0C\x6C\x44\x20\xAB\x11\xD8\xF4\x19\xF6\xD2\x9C\x52\x37\xE7\xFA\xB6\xC2\x31\x3B\x4A\xD4\x14\x99\xAD\xC7\x1A\xF5\x5D\x5F\xFA\x07\xB8\x7C\x0D\x1F\xD6\x83\x1E\xB3\x02\x03\x01\x00\x01\xA3\x42\x30\x40\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xB5\x03\xF7\x76\x3B\x61\x82\x6A\x12\xAA\x18\x53\xEB\x03\x21\x94\xBF\xFE\xCE\xCA\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x03\x82\x01\x01\x00\x56\x3D\xEF\x94\xD5\xBD\xDA\x73\xB2\x58\xBE\xAE\x90\xAD\x98\x27\x97\xFE\x01\xB1\xB0\x52\x00\xB8\x4D\xE4\x1B\x21\x74\x1B\x7E\xC0\xEE\x5E\x69\x2A\x25\xAF\x5C\xD6\x1D\xDA\xD2\x79\xC9\xF3\x97\x29\xE0\x86\x87\xDE\x04\x59\x0F\xF1\x59\xD4\x64\x85\x4B\x99\xAF\x25\x04\x1E\xC9\x46\xA9\x97\xDE\x82\xB2\x1B\x70\x9F\x9C\xF6\xAF\x71\x31\xDD\x7B\x05\xA5\x2C\xD3\xB9\xCA\x47\xF6\xCA\xF2\xF6\xE7\xAD\xB9\x48\x3F\xBC\x16\xB7\xC1\x6D\xF4\xEA\x09\xAF\xEC\xF3\xB5\xE7\x05\x9E\xA6\x1E\x8A\x53\x51\xD6\x93\x81\xCC\x74\x93\xF6\xB9\xDA\xA6\x25\x05\x74\x79\x5A\x7E\x40\x3E\x82\x4B\x26\x11\x30\x6E\xE1\x3F\x41\xC7\x47\x00\x35\xD5\xF5\xD3\xF7\x54\x3E\x81\x3D\xDA\x49\x6A\x9A\xB3\xEF\x10\x3D\xE6\xEB\x6F\xD1\xC8\x22\x47\xCB\xCC\xCF\x01\x31\x92\xD9\x18\xE3\x22\xBE\x09\x1E\x1A\x3E\x5A\xB2\xE4\x6B\x0C\x54\x7A\x7D\x43\x4E\xB8\x89\xA5\x7B\xD7\xA2\x3D\x96\x86\xCC\xF2\x26\x34\x2D\x6A\x92\x9D\x9A\x1A\xD0\x30\xE2\x5D\x4E\x04\xB0\x5F\x8B\x20\x7E\x77\xC1\x3D\x95\x82\xD1\x46\x9A\x3B\x3C\x78\xB8\x6F\xA1\xD0\x0D\x64\xA2\x78\x1E\x29\x4E\x93\xC3\xA4\x54\x14\x5B", ["emailAddress=pki@sk.ee,CN=EE Certification Centre Root CA,O=AS Sertifitseerimiskeskus,C=EE"] = 
"\x30\x82\x04\x03\x30\x82\x02\xEB\xA0\x03\x02\x01\x02\x02\x10\x54\x80\xF9\xA0\x73\xED\x3F\x00\x4C\xCA\x89\xD8\xE3\x71\xE6\x4A\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x75\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x45\x45\x31\x22\x30\x20\x06\x03\x55\x04\x0A\x0C\x19\x41\x53\x20\x53\x65\x72\x74\x69\x66\x69\x74\x73\x65\x65\x72\x69\x6D\x69\x73\x6B\x65\x73\x6B\x75\x73\x31\x28\x30\x26\x06\x03\x55\x04\x03\x0C\x1F\x45\x45\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x43\x65\x6E\x74\x72\x65\x20\x52\x6F\x6F\x74\x20\x43\x41\x31\x18\x30\x16\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x09\x01\x16\x09\x70\x6B\x69\x40\x73\x6B\x2E\x65\x65\x30\x22\x18\x0F\x32\x30\x31\x30\x31\x30\x33\x30\x31\x30\x31\x30\x33\x30\x5A\x18\x0F\x32\x30\x33\x30\x31\x32\x31\x37\x32\x33\x35\x39\x35\x39\x5A\x30\x75\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x45\x45\x31\x22\x30\x20\x06\x03\x55\x04\x0A\x0C\x19\x41\x53\x20\x53\x65\x72\x74\x69\x66\x69\x74\x73\x65\x65\x72\x69\x6D\x69\x73\x6B\x65\x73\x6B\x75\x73\x31\x28\x30\x26\x06\x03\x55\x04\x03\x0C\x1F\x45\x45\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x43\x65\x6E\x74\x72\x65\x20\x52\x6F\x6F\x74\x20\x43\x41\x31\x18\x30\x16\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x09\x01\x16\x09\x70\x6B\x69\x40\x73\x6B\x2E\x65\x65\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xC8\x20\xC0\xEC\xE0\xC5\x4B\xAB\x07\x78\x95\xF3\x44\xEE\xFB\x0B\x0C\xFF\x74\x8E\x61\xBB\xB1\x62\xEA\x23\xD8\xAB\xA1\x65\x32\x7A\xEB\x8E\x17\x4F\x96\xD8\x0A\x7B\x91\xA2\x63\x6C\xC7\x8C\x4C\x2E\x79\xBF\xA9\x05\xFC\x69\x5C\x95\x8D\x62\xF9\xB9\x70\xED\xC3\x51\x7D\xD0\x93\xE6\x6C\xEB\x30\x4B\xE1\xBC\x7D\xBF\x52\x9B\xCE\x6E\x7B\x65\xF2\x38\xB1\xC0\xA2\x32\xEF\x62\xB2\x68\xE0\x61\x53\xC1\x36\x95\xFF\xEC\x94\xBA\x36\xAE\x9C\x1C\xA7\x32\x0F\xE5\x7C\xB4\xC6\x6F\x74\xFD\x7B\x18\xE8\xAC\x57\xED\x06\x20\x4B\x32\x30\x58\x5B\xFD\xCD\xA8\xE6\xA1\xFC\x70\xBC\x8E\x92\x73\xDB\x97\xA7\x7C\x21\xAE\x3
D\xC1\xF5\x48\x87\x6C\x27\xBD\x9F\x25\x74\x81\x55\xB0\xF7\x75\xF6\x3D\xA4\x64\x6B\xD6\x4F\xE7\xCE\x40\xAD\x0F\xDD\x32\xD3\xBC\x8A\x12\x53\x98\xC9\x89\xFB\x10\x1D\x4D\x7E\xCD\x7E\x1F\x56\x0D\x21\x70\x85\xF6\x20\x83\x1F\xF6\xBA\x1F\x04\x8F\xEA\x77\x88\x35\xC4\xFF\xEA\x4E\xA1\x8B\x4D\x3F\x63\x1B\x44\xC3\x44\xD4\x25\x76\xCA\xB7\x8D\xD7\x1E\x4A\x66\x64\xCD\x5C\xC5\x9C\x83\xE1\xC2\x08\x88\x9A\xEC\x4E\xA3\xF1\x3E\x1C\x2C\xD9\x6C\x1D\xA1\x4B\x02\x03\x01\x00\x01\xA3\x81\x8A\x30\x81\x87\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x12\xF2\x5A\x3E\xEA\x56\x1C\xBF\xCD\x06\xAC\xF1\xF1\x25\xC9\xA9\x4B\xD4\x14\x99\x30\x45\x06\x03\x55\x1D\x25\x04\x3E\x30\x3C\x06\x08\x2B\x06\x01\x05\x05\x07\x03\x02\x06\x08\x2B\x06\x01\x05\x05\x07\x03\x01\x06\x08\x2B\x06\x01\x05\x05\x07\x03\x03\x06\x08\x2B\x06\x01\x05\x05\x07\x03\x04\x06\x08\x2B\x06\x01\x05\x05\x07\x03\x08\x06\x08\x2B\x06\x01\x05\x05\x07\x03\x09\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x7B\xF6\xE4\xC0\x0D\xAA\x19\x47\xB7\x4D\x57\xA3\xFE\xAD\xBB\xB1\x6A\xD5\x0F\x9E\xDB\xE4\x63\xC5\x8E\xA1\x50\x56\x93\x96\xB8\x38\xC0\x24\x22\x66\xBC\x53\x14\x61\x95\xBF\xD0\xC7\x2A\x96\x39\x3F\x7D\x28\xB3\x10\x40\x21\x6A\xC4\xAF\xB0\x52\x77\x18\xE1\x96\xD8\x56\x5D\xE3\xDD\x36\x5E\x1D\xA7\x50\x54\xA0\xC5\x2A\xE4\xAA\x8C\x94\x8A\x4F\x9D\x35\xFF\x76\xA4\x06\x13\x91\xA2\xA2\x7D\x00\x44\x3F\x55\xD3\x82\x3C\x1A\xD5\x5B\xBC\x56\x4C\x22\x2E\x46\x43\x8A\x24\x40\x2D\xF3\x12\xB8\x3B\x70\x1A\xA4\x96\xB9\x1A\xAF\x87\x41\x1A\x6A\x18\x0D\x06\x4F\xC7\x3E\x6E\xB9\x29\x4D\x0D\x49\x89\x11\x87\x32\x5B\xE6\x4B\x04\xC8\xE4\x5C\xE6\x74\x73\x94\x5D\x16\x98\x13\x95\xFE\xFB\xDB\xB1\x44\xE5\x3A\x70\xAC\x37\x6B\xE6\xB3\x33\x72\x28\xC9\xB3\x57\xA0\xF6\x02\x16\x88\x06\x0B\xB6\xA6\x4B\x20\x28\xD4\xDE\x3D\x8B\xAD\x37\x05\x53\x74\xFE\x6E\xCC\xBC\x43\x17\x71\x5E\xF9\xC5\xCC\x1A\xA9\x61\xEE\xF7\x76\x0C\xF3\x72\xF4\x72\xA
D\xCF\x72\x02\x36\x07\x47\xCF\xEF\x19\x50\x89\x60\xCC\xE9\x24\x95\x0F\xC2\xCB\x1D\xF2\x6F\x76\x90\xC7\xCC\x75\xC1\x96\xC5\x9D", - ["O=T\C3\9CRKTRUST Bilgi \C4\B0leti\C5\9Fim ve Bili\C5\9Fim G\C3\BCvenli\C4\9Fi Hizmetleri A.\C5\9E. (c) Aral\C4\B1k 2007,L=Ankara,C=TR,CN=T\C3\9CRKTRUST Elektronik Sertifika Hizmet Sa\C4\9Flay\C4\B1c\C4\B1s\C4\B1"] = "\x30\x82\x04\x3D\x30\x82\x03\x25\xA0\x03\x02\x01\x02\x02\x01\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x81\xBF\x31\x3F\x30\x3D\x06\x03\x55\x04\x03\x0C\x36\x54\xC3\x9C\x52\x4B\x54\x52\x55\x53\x54\x20\x45\x6C\x65\x6B\x74\x72\x6F\x6E\x69\x6B\x20\x53\x65\x72\x74\x69\x66\x69\x6B\x61\x20\x48\x69\x7A\x6D\x65\x74\x20\x53\x61\xC4\x9F\x6C\x61\x79\xC4\xB1\x63\xC4\xB1\x73\xC4\xB1\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x54\x52\x31\x0F\x30\x0D\x06\x03\x55\x04\x07\x0C\x06\x41\x6E\x6B\x61\x72\x61\x31\x5E\x30\x5C\x06\x03\x55\x04\x0A\x0C\x55\x54\xC3\x9C\x52\x4B\x54\x52\x55\x53\x54\x20\x42\x69\x6C\x67\x69\x20\xC4\xB0\x6C\x65\x74\x69\xC5\x9F\x69\x6D\x20\x76\x65\x20\x42\x69\x6C\x69\xC5\x9F\x69\x6D\x20\x47\xC3\xBC\x76\x65\x6E\x6C\x69\xC4\x9F\x69\x20\x48\x69\x7A\x6D\x65\x74\x6C\x65\x72\x69\x20\x41\x2E\xC5\x9E\x2E\x20\x28\x63\x29\x20\x41\x72\x61\x6C\xC4\xB1\x6B\x20\x32\x30\x30\x37\x30\x1E\x17\x0D\x30\x37\x31\x32\x32\x35\x31\x38\x33\x37\x31\x39\x5A\x17\x0D\x31\x37\x31\x32\x32\x32\x31\x38\x33\x37\x31\x39\x5A\x30\x81\xBF\x31\x3F\x30\x3D\x06\x03\x55\x04\x03\x0C\x36\x54\xC3\x9C\x52\x4B\x54\x52\x55\x53\x54\x20\x45\x6C\x65\x6B\x74\x72\x6F\x6E\x69\x6B\x20\x53\x65\x72\x74\x69\x66\x69\x6B\x61\x20\x48\x69\x7A\x6D\x65\x74\x20\x53\x61\xC4\x9F\x6C\x61\x79\xC4\xB1\x63\xC4\xB1\x73\xC4\xB1\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x54\x52\x31\x0F\x30\x0D\x06\x03\x55\x04\x07\x0C\x06\x41\x6E\x6B\x61\x72\x61\x31\x5E\x30\x5C\x06\x03\x55\x04\x0A\x0C\x55\x54\xC3\x9C\x52\x4B\x54\x52\x55\x53\x54\x20\x42\x69\x6C\x67\x69\x20\xC4\xB0\x6C\x65\x74\x69\xC5\x9F\x69\x6D\x20\x76\x65\x20\x42\x69\x6C\x69\xC5\x9F\x69\x6D\x20\x47\xC3\xBC\x76\x65\x6E\x6
C\x69\xC4\x9F\x69\x20\x48\x69\x7A\x6D\x65\x74\x6C\x65\x72\x69\x20\x41\x2E\xC5\x9E\x2E\x20\x28\x63\x29\x20\x41\x72\x61\x6C\xC4\xB1\x6B\x20\x32\x30\x30\x37\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xAB\xB7\x3E\x0A\x8C\xC8\xA5\x58\x15\xE6\x8A\xEF\x27\x3D\x4A\xB4\xE8\x25\xD3\xCD\x33\xC2\x20\xDC\x19\xEE\x88\x3F\x4D\x62\xF0\xDD\x13\x77\x8F\x61\xA9\x2A\xB5\xD4\xF2\xB9\x31\x58\x29\x3B\x2F\x3F\x6A\x9C\x6F\x73\x76\x25\xEE\x34\x20\x80\xEE\xEA\xB7\xF0\xC4\x0A\xCD\x2B\x86\x94\xC9\xE3\x60\xB1\x44\x52\xB2\x5A\x29\xB4\x91\x97\x83\xD8\xB7\xA6\x14\x2F\x29\x49\xA2\xF3\x05\x06\xFB\xB4\x4F\xDA\xA1\x6C\x9A\x66\x9F\xF0\x43\x09\xCA\xEA\x72\x8F\xEB\x00\xD7\x35\x39\xD7\x56\x17\x47\x17\x30\xF4\xBE\xBF\x3F\xC2\x68\xAF\x36\x40\xC1\xA9\xF4\xA9\xA7\xE8\x10\x6B\x08\x8A\xF7\x86\x1E\xDC\x9A\x2A\x15\x06\xF6\xA3\xF0\xF4\xE0\xC7\x14\xD4\x51\x7F\xCF\xB4\xDB\x6D\xAF\x47\x96\x17\x9B\x77\x71\xD8\xA7\x71\x9D\x24\x0C\xF6\x94\x3F\x85\x31\x12\x4F\xBA\xEE\x4E\x82\xB8\xB9\x3E\x8F\x23\x37\x5E\xCC\xA2\xAA\x75\xF7\x18\x6F\x09\xD3\xAE\xA7\x54\x28\x34\xFB\xE1\xE0\x3B\x60\x7D\xA0\xBE\x79\x89\x86\xC8\x9F\x2D\xF9\x0A\x4B\xC4\x50\xA2\xE7\xFD\x79\x16\xC7\x7A\x0B\x18\xCF\xCE\x4C\xEF\x7D\xD6\x07\x6F\x98\xF1\xAF\xB1\xC1\x7A\xD7\x81\x35\xB8\xAA\x17\xB4\xE0\xCB\x02\x03\x01\x00\x01\xA3\x42\x30\x40\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x29\xC5\x90\xAB\x25\xAF\x11\xE4\x61\xBF\xA3\xFF\x88\x61\x91\xE6\x0E\xFE\x9C\x81\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x10\x0D\xDA\xF8\x3A\xEC\x28\xD1\x14\x95\x82\xB1\x12\x2C\x51\x7A\x41\x25\x36\x4C\x9F\xEC\x3F\x1F\x84\x9D\x65\x54\x5C\xA8\x16\x02\x40\xFA\x6E\x1A\x37\x84\xEF\x72\x9D\x86\x0A\x55\x9D\x56\x28\xAC\x66\x2C\xD0\x3A\x56\x93\x34\x07\x25\xAD\x08\xB0\x8F\xC8\x0F\x09\x59\xCA\x9D\x98\x1C\xE5\x54\xF8\xB9\x45\x7F\x6A\x97\x6F\x88\x6
8\x4D\x4A\x06\x26\x37\x88\x02\x0E\xB6\xC6\xD6\x72\x99\xCE\x6B\x77\xDA\x62\x31\xA4\x56\x1F\xAE\x5F\x8D\x77\xDA\x5D\xF6\x88\xFC\x1A\xD9\x9E\xB5\x81\xF0\x32\xB8\xE3\x88\xD0\x9C\xF3\x6A\xA0\xB9\x9B\x14\x59\x35\x36\x4F\xCF\xF3\x8E\x5E\x5D\x17\xAD\x15\x95\xD8\xDD\xB2\xD5\x15\x6E\x00\x4E\xB3\x4B\xCF\x66\x94\xE4\xE0\xCD\xB5\x05\xDA\x63\x57\x8B\xE5\xB3\xAA\xDB\xC0\x2E\x1C\x90\x44\xDB\x1A\x5D\x18\xA4\xEE\xBE\x04\x5B\x99\xD5\x71\x5F\x55\x65\x64\x62\xD5\xA2\x9B\x04\x59\x86\xC8\x62\x77\xE7\x7C\x82\x45\x6A\x3D\x17\xBF\xEC\x9D\x75\x0C\xAE\xA3\x6F\x5A\xD3\x2F\x98\x36\xF4\xF0\xF5\x19\xAB\x11\x5D\xC8\xA6\xE3\x2A\x58\x6A\x42\x09\xC3\xBD\x92\x26\x66\x32\x0D\x5D\x08\x55\x74\xFF\x8C\x98\xD0\x0A\xA6\x84\x6A\xD1\x39\x7D", ["CN=D-TRUST Root Class 3 CA 2 2009,O=D-Trust GmbH,C=DE"] = "\x30\x82\x04\x33\x30\x82\x03\x1B\xA0\x03\x02\x01\x02\x02\x03\x09\x83\xF3\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x30\x4D\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x44\x45\x31\x15\x30\x13\x06\x03\x55\x04\x0A\x0C\x0C\x44\x2D\x54\x72\x75\x73\x74\x20\x47\x6D\x62\x48\x31\x27\x30\x25\x06\x03\x55\x04\x03\x0C\x1E\x44\x2D\x54\x52\x55\x53\x54\x20\x52\x6F\x6F\x74\x20\x43\x6C\x61\x73\x73\x20\x33\x20\x43\x41\x20\x32\x20\x32\x30\x30\x39\x30\x1E\x17\x0D\x30\x39\x31\x31\x30\x35\x30\x38\x33\x35\x35\x38\x5A\x17\x0D\x32\x39\x31\x31\x30\x35\x30\x38\x33\x35\x35\x38\x5A\x30\x4D\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x44\x45\x31\x15\x30\x13\x06\x03\x55\x04\x0A\x0C\x0C\x44\x2D\x54\x72\x75\x73\x74\x20\x47\x6D\x62\x48\x31\x27\x30\x25\x06\x03\x55\x04\x03\x0C\x1E\x44\x2D\x54\x52\x55\x53\x54\x20\x52\x6F\x6F\x74\x20\x43\x6C\x61\x73\x73\x20\x33\x20\x43\x41\x20\x32\x20\x32\x30\x30\x39\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xD3\xB2\x4A\xCF\x7A\x47\xEF\x75\x9B\x23\xFA\x3A\x2F\xD6\x50\x45\x89\x35\x3A\xC6\x6B\xDB\xFE\xDB\x00\x68\xA8\xE0\x03\x11\x1D\x37\x50\x08\x9F\x4D\x4A\x68\x94\x35\xB3\x53\xD1\x94\x63\xA7\x20\x56\xAF\xDE\x51\x7
8\xEC\x2A\x3D\xF3\x48\x48\x50\x3E\x0A\xDF\x46\x55\x8B\x27\x6D\xC3\x10\x4D\x0D\x91\x52\x43\xD8\x87\xE0\x5D\x4E\x36\xB5\x21\xCA\x5F\x39\x40\x04\x5F\x5B\x7E\xCC\xA3\xC6\x2B\xA9\x40\x1E\xD9\x36\x84\xD6\x48\xF3\x92\x1E\x34\x46\x20\x24\xC1\xA4\x51\x8E\x4A\x1A\xEF\x50\x3F\x69\x5D\x19\x7F\x45\xC3\xC7\x01\x8F\x51\xC9\x23\xE8\x72\xAE\xB4\xBC\x56\x09\x7F\x12\xCB\x1C\xB1\xAF\x29\x90\x0A\xC9\x55\xCC\x0F\xD3\xB4\x1A\xED\x47\x35\x5A\x4A\xED\x9C\x73\x04\x21\xD0\xAA\xBD\x0C\x13\xB5\x00\xCA\x26\x6C\xC4\x6B\x0C\x94\x5A\x95\x94\xDA\x50\x9A\xF1\xFF\xA5\x2B\x66\x31\xA4\xC9\x38\xA0\xDF\x1D\x1F\xB8\x09\x2E\xF3\xA7\xE8\x67\x52\xAB\x95\x1F\xE0\x46\x3E\xD8\xA4\xC3\xCA\x5A\xC5\x31\x80\xE8\x48\x9A\x9F\x94\x69\xFE\x19\xDD\xD8\x73\x7C\x81\xCA\x96\xDE\x8E\xED\xB3\x32\x05\x65\x84\x34\xE6\xE6\xFD\x57\x10\xB5\x5F\x76\xBF\x2F\xB0\x10\x0D\xC5\x02\x03\x01\x00\x01\xA3\x82\x01\x1A\x30\x82\x01\x16\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xFD\xDA\x14\xC4\x9F\x30\xDE\x21\xBD\x1E\x42\x39\xFC\xAB\x63\x23\x49\xE0\xF1\x84\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x81\xD3\x06\x03\x55\x1D\x1F\x04\x81\xCB\x30\x81\xC8\x30\x81\x80\xA0\x7E\xA0\x7C\x86\x7A\x6C\x64\x61\x70\x3A\x2F\x2F\x64\x69\x72\x65\x63\x74\x6F\x72\x79\x2E\x64\x2D\x74\x72\x75\x73\x74\x2E\x6E\x65\x74\x2F\x43\x4E\x3D\x44\x2D\x54\x52\x55\x53\x54\x25\x32\x30\x52\x6F\x6F\x74\x25\x32\x30\x43\x6C\x61\x73\x73\x25\x32\x30\x33\x25\x32\x30\x43\x41\x25\x32\x30\x32\x25\x32\x30\x32\x30\x30\x39\x2C\x4F\x3D\x44\x2D\x54\x72\x75\x73\x74\x25\x32\x30\x47\x6D\x62\x48\x2C\x43\x3D\x44\x45\x3F\x63\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x72\x65\x76\x6F\x63\x61\x74\x69\x6F\x6E\x6C\x69\x73\x74\x30\x43\xA0\x41\xA0\x3F\x86\x3D\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x64\x2D\x74\x72\x75\x73\x74\x2E\x6E\x65\x74\x2F\x63\x72\x6C\x2F\x64\x2D\x74\x72\x75\x73\x74\x5F\x72\x6F\x6F\x74\x5F\x63\x6C\x61\x73\x73\x5F\x33\x5F\x63\x61\x5F\x32\x5F\x32\x30\x30\x39\x2E\x63\x72\x6C\x30\x0D\x06\x09\x2
A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x03\x82\x01\x01\x00\x7F\x97\xDB\x30\xC8\xDF\xA4\x9C\x7D\x21\x7A\x80\x70\xCE\x14\x12\x69\x88\x14\x95\x60\x44\x01\xAC\xB2\xE9\x30\x4F\x9B\x50\xC2\x66\xD8\x7E\x8D\x30\xB5\x70\x31\xE9\xE2\x69\xC7\xF3\x70\xDB\x20\x15\x86\xD0\x0D\xF0\xBE\xAC\x01\x75\x84\xCE\x7E\x9F\x4D\xBF\xB7\x60\x3B\x9C\xF3\xCA\x1D\xE2\x5E\x68\xD8\xA3\x9D\x97\xE5\x40\x60\xD2\x36\x21\xFE\xD0\xB4\xB8\x17\xDA\x74\xA3\x7F\xD4\xDF\xB0\x98\x02\xAC\x6F\x6B\x6B\x2C\x25\x24\x72\xA1\x65\xEE\x25\x5A\xE5\xE6\x32\xE7\xF2\xDF\xAB\x49\xFA\xF3\x90\x69\x23\xDB\x04\xD9\xE7\x5C\x58\xFC\x65\xD4\x97\xBE\xCC\xFC\x2E\x0A\xCC\x25\x2A\x35\x04\xF8\x60\x91\x15\x75\x3D\x41\xFF\x23\x1F\x19\xC8\x6C\xEB\x82\x53\x04\xA6\xE4\x4C\x22\x4D\x8D\x8C\xBA\xCE\x5B\x73\xEC\x64\x54\x50\x6D\xD1\x9C\x55\xFB\x69\xC3\x36\xC3\x8C\xBC\x3C\x85\xA6\x6B\x0A\x26\x0D\xE0\x93\x98\x60\xAE\x7E\xC6\x24\x97\x8A\x61\x5F\x91\x8E\x66\x92\x09\x87\x36\xCD\x8B\x9B\x2D\x3E\xF6\x51\xD4\x50\xD4\x59\x28\xBD\x83\xF2\xCC\x28\x7B\x53\x86\x6D\xD8\x26\x88\x70\xD7\xEA\x91\xCD\x3E\xB9\xCA\xC0\x90\x6E\x5A\xC6\x5E\x74\x65\xD7\x5C\xFE\xA3\xE2", ["CN=D-TRUST Root Class 3 CA 2 EV 2009,O=D-Trust GmbH,C=DE"] = 
"\x30\x82\x04\x43\x30\x82\x03\x2B\xA0\x03\x02\x01\x02\x02\x03\x09\x83\xF4\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x30\x50\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x44\x45\x31\x15\x30\x13\x06\x03\x55\x04\x0A\x0C\x0C\x44\x2D\x54\x72\x75\x73\x74\x20\x47\x6D\x62\x48\x31\x2A\x30\x28\x06\x03\x55\x04\x03\x0C\x21\x44\x2D\x54\x52\x55\x53\x54\x20\x52\x6F\x6F\x74\x20\x43\x6C\x61\x73\x73\x20\x33\x20\x43\x41\x20\x32\x20\x45\x56\x20\x32\x30\x30\x39\x30\x1E\x17\x0D\x30\x39\x31\x31\x30\x35\x30\x38\x35\x30\x34\x36\x5A\x17\x0D\x32\x39\x31\x31\x30\x35\x30\x38\x35\x30\x34\x36\x5A\x30\x50\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x44\x45\x31\x15\x30\x13\x06\x03\x55\x04\x0A\x0C\x0C\x44\x2D\x54\x72\x75\x73\x74\x20\x47\x6D\x62\x48\x31\x2A\x30\x28\x06\x03\x55\x04\x03\x0C\x21\x44\x2D\x54\x52\x55\x53\x54\x20\x52\x6F\x6F\x74\x20\x43\x6C\x61\x73\x73\x20\x33\x20\x43\x41\x20\x32\x20\x45\x56\x20\x32\x30\x30\x39\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\x99\xF1\x84\x34\x70\xBA\x2F\xB7\x30\xA0\x8E\xBD\x7C\x04\xCF\xBE\x62\xBC\x99\xFD\x82\x97\xD2\x7A\x0A\x67\x96\x38\x09\xF6\x10\x4E\x95\x22\x73\x99\x8D\xDA\x15\x2D\xE7\x05\xFC\x19\x73\x22\xB7\x8E\x98\x00\xBC\x3C\x3D\xAC\xA1\x6C\xFB\xD6\x79\x25\x4B\xAD\xF0\xCC\x64\xDA\x88\x3E\x29\xB8\x0F\x09\xD3\x34\xDD\x33\xF5\x62\xD1\xE1\xCD\x19\xE9\xEE\x18\x4F\x4C\x58\xAE\xE2\x1E\xD6\x0C\x5B\x15\x5A\xD8\x3A\xB8\xC4\x18\x64\x1E\xE3\x33\xB2\xB5\x89\x77\x4E\x0C\xBF\xD9\x94\x6B\x13\x97\x6F\x12\xA3\xFE\x99\xA9\x04\xCC\x15\xEC\x60\x68\x36\xED\x08\x7B\xB7\xF5\xBF\x93\xED\x66\x31\x83\x8C\xC6\x71\x34\x87\x4E\x17\xEA\xAF\x8B\x91\x8D\x1C\x56\x41\xAE\x22\x37\x5E\x37\xF2\x1D\xD9\xD1\x2D\x0D\x2F\x69\x51\xA7\xBE\x66\xA6\x8A\x3A\x2A\xBD\xC7\x1A\xB1\xE1\x14\xF0\xBE\x3A\x1D\xB9\xCF\x5B\xB1\x6A\xFE\xB4\xB1\x46\x20\xA2\xFB\x1E\x3B\x70\xEF\x93\x98\x7D\x8C\x73\x96\xF2\xC5\xEF\x85\x70\xAD\x29\x26\xFC\x1E\x04\x3E\x1C\xA0\xD8\x0F\xCB\x52\x83\x62\x7C\xEE\x8B\x53\x95\x90\xA9\x57\xA
2\xEA\x61\x05\xD8\xF9\x4D\xC4\x27\xFA\x6E\xAD\xED\xF9\xD7\x51\xF7\x6B\xA5\x02\x03\x01\x00\x01\xA3\x82\x01\x24\x30\x82\x01\x20\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xD3\x94\x8A\x4C\x62\x13\x2A\x19\x2E\xCC\xAF\x72\x8A\x7D\x36\xD7\x9A\x1C\xDC\x67\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x81\xDD\x06\x03\x55\x1D\x1F\x04\x81\xD5\x30\x81\xD2\x30\x81\x87\xA0\x81\x84\xA0\x81\x81\x86\x7F\x6C\x64\x61\x70\x3A\x2F\x2F\x64\x69\x72\x65\x63\x74\x6F\x72\x79\x2E\x64\x2D\x74\x72\x75\x73\x74\x2E\x6E\x65\x74\x2F\x43\x4E\x3D\x44\x2D\x54\x52\x55\x53\x54\x25\x32\x30\x52\x6F\x6F\x74\x25\x32\x30\x43\x6C\x61\x73\x73\x25\x32\x30\x33\x25\x32\x30\x43\x41\x25\x32\x30\x32\x25\x32\x30\x45\x56\x25\x32\x30\x32\x30\x30\x39\x2C\x4F\x3D\x44\x2D\x54\x72\x75\x73\x74\x25\x32\x30\x47\x6D\x62\x48\x2C\x43\x3D\x44\x45\x3F\x63\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x72\x65\x76\x6F\x63\x61\x74\x69\x6F\x6E\x6C\x69\x73\x74\x30\x46\xA0\x44\xA0\x42\x86\x40\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x64\x2D\x74\x72\x75\x73\x74\x2E\x6E\x65\x74\x2F\x63\x72\x6C\x2F\x64\x2D\x74\x72\x75\x73\x74\x5F\x72\x6F\x6F\x74\x5F\x63\x6C\x61\x73\x73\x5F\x33\x5F\x63\x61\x5F\x32\x5F\x65\x76\x5F\x32\x30\x30\x39\x2E\x63\x72\x6C\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x03\x82\x01\x01\x00\x34\xED\x7B\x5A\x3C\xA4\x94\x88\xEF\x1A\x11\x75\x07\x2F\xB3\xFE\x3C\xFA\x1E\x51\x26\xEB\x87\xF6\x29\xDE\xE0\xF1\xD4\xC6\x24\x09\xE9\xC1\xCF\x55\x1B\xB4\x30\xD9\xCE\x1A\xFE\x06\x51\xA6\x15\xA4\x2D\xEF\xB2\x4B\xBF\x20\x28\x25\x49\xD1\xA6\x36\x77\x34\xE8\x64\xDF\x52\xB1\x11\xC7\x73\x7A\xCD\x39\x9E\xC2\xAD\x8C\x71\x21\xF2\x5A\x6B\xAF\xDF\x3C\x4E\x55\xAF\xB2\x84\x65\x14\x89\xB9\x77\xCB\x2A\x31\xBE\xCF\xA3\x6D\xCF\x6F\x48\x94\x32\x46\x6F\xE7\x71\x8C\xA0\xA6\x84\x19\x37\x07\xF2\x03\x45\x09\x2B\x86\x75\x7C\xDF\x5F\x69\x57\x00\xDB\x6E\xD8\xA6\x72\x22\x4B\x50\xD4\x75\x98\x56\xDF\xB7\x18\xFF\x43\x43\x50\xAE\x7A\x44\x7B\xF0\x79\x51\xD7\x43\x3D\xA
7\xD3\x81\xD3\xF0\xC9\x4F\xB9\xDA\xC6\x97\x86\xD0\x82\xC3\xE4\x42\x6D\xFE\xB0\xE2\x64\x4E\x0E\x26\xE7\x40\x34\x26\xB5\x08\x89\xD7\x08\x63\x63\x38\x27\x75\x1E\x33\xEA\x6E\xA8\xDD\x9F\x99\x4F\x74\x4D\x81\x89\x80\x4B\xDD\x9A\x97\x29\x5C\x2F\xBE\x81\x41\xB9\x8C\xFF\xEA\x7D\x60\x06\x9E\xCD\xD7\x3D\xD3\x2E\xA3\x15\xBC\xA8\xE6\x26\xE5\x6F\xC3\xDC\xB8\x03\x21\xEA\x9F\x16\xF1\x2C\x54\xB5", - ["CN=PSCProcert,C=VE,O=Sistema Nacional de Certificacion Electronica,OU=Proveedor de Certificados PROCERT,ST=Miranda,L=Chacao,emailAddress=contacto@procert.net.ve"] = "\x30\x82\x09\x86\x30\x82\x07\x6E\xA0\x03\x02\x01\x02\x02\x01\x0B\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x30\x82\x01\x1E\x31\x3E\x30\x3C\x06\x03\x55\x04\x03\x13\x35\x41\x75\x74\x6F\x72\x69\x64\x61\x64\x20\x64\x65\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x63\x69\x6F\x6E\x20\x52\x61\x69\x7A\x20\x64\x65\x6C\x20\x45\x73\x74\x61\x64\x6F\x20\x56\x65\x6E\x65\x7A\x6F\x6C\x61\x6E\x6F\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x56\x45\x31\x10\x30\x0E\x06\x03\x55\x04\x07\x13\x07\x43\x61\x72\x61\x63\x61\x73\x31\x19\x30\x17\x06\x03\x55\x04\x08\x13\x10\x44\x69\x73\x74\x72\x69\x74\x6F\x20\x43\x61\x70\x69\x74\x61\x6C\x31\x36\x30\x34\x06\x03\x55\x04\x0A\x13\x2D\x53\x69\x73\x74\x65\x6D\x61\x20\x4E\x61\x63\x69\x6F\x6E\x61\x6C\x20\x64\x65\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x63\x69\x6F\x6E\x20\x45\x6C\x65\x63\x74\x72\x6F\x6E\x69\x63\x61\x31\x43\x30\x41\x06\x03\x55\x04\x0B\x13\x3A\x53\x75\x70\x65\x72\x69\x6E\x74\x65\x6E\x64\x65\x6E\x63\x69\x61\x20\x64\x65\x20\x53\x65\x72\x76\x69\x63\x69\x6F\x73\x20\x64\x65\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x63\x69\x6F\x6E\x20\x45\x6C\x65\x63\x74\x72\x6F\x6E\x69\x63\x61\x31\x25\x30\x23\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x09\x01\x16\x16\x61\x63\x72\x61\x69\x7A\x40\x73\x75\x73\x63\x65\x72\x74\x65\x2E\x67\x6F\x62\x2E\x76\x65\x30\x1E\x17\x0D\x31\x30\x31\x32\x32\x38\x31\x36\x35\x31\x30\x30\x5A\x17\x0D\x32\x30\x31\x32\x32\x35\x32\x33\x35\x39\x35\x39\x5A\x30\x81\xD1\x31\x26\x30\x24\x06\x
09\x2A\x86\x48\x86\xF7\x0D\x01\x09\x01\x16\x17\x63\x6F\x6E\x74\x61\x63\x74\x6F\x40\x70\x72\x6F\x63\x65\x72\x74\x2E\x6E\x65\x74\x2E\x76\x65\x31\x0F\x30\x0D\x06\x03\x55\x04\x07\x13\x06\x43\x68\x61\x63\x61\x6F\x31\x10\x30\x0E\x06\x03\x55\x04\x08\x13\x07\x4D\x69\x72\x61\x6E\x64\x61\x31\x2A\x30\x28\x06\x03\x55\x04\x0B\x13\x21\x50\x72\x6F\x76\x65\x65\x64\x6F\x72\x20\x64\x65\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x64\x6F\x73\x20\x50\x52\x4F\x43\x45\x52\x54\x31\x36\x30\x34\x06\x03\x55\x04\x0A\x13\x2D\x53\x69\x73\x74\x65\x6D\x61\x20\x4E\x61\x63\x69\x6F\x6E\x61\x6C\x20\x64\x65\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x63\x69\x6F\x6E\x20\x45\x6C\x65\x63\x74\x72\x6F\x6E\x69\x63\x61\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x56\x45\x31\x13\x30\x11\x06\x03\x55\x04\x03\x13\x0A\x50\x53\x43\x50\x72\x6F\x63\x65\x72\x74\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\xD5\xB7\xF4\xA3\x94\x33\xA1\x46\xA9\x55\x61\x49\x0D\xA8\x87\x73\x5E\x91\x2D\x70\xC1\x06\x1A\x94\xDA\x3D\xEC\x15\x42\xC1\xF5\x8C\xAE\x6A\x17\xF1\x8A\xAD\xFC\x80\x95\xEA\x83\x44\xA2\x5B\x7A\x55\xCE\x4F\xA7\xA5\xD5\xBA\xB8\x1F\xA0\x27\xC0\x50\x53\x3E\x8D\xB9\xC0\x0E\xB8\x15\xDC\xD6\x6C\xF8\x9E\xF8\x04\x25\xDF\x80\x8F\x10\x85\xDD\x7D\x2F\x7B\x80\xDD\x57\x00\x64\x23\xF8\x6E\xC9\xBE\x95\x4F\xE1\x75\xEC\xE0\x7E\x5E\x95\xCD\xB1\xEF\xBE\x7A\x42\xD8\xC9\x2C\xD3\xEB\x1A\x1A\x22\x8B\xB7\x7F\x06\x89\xE5\x3C\xF5\x12\xC0\xBB\xD3\x0B\x99\x5F\x90\x7C\x8E\x2D\x2F\x77\x33\x92\x4A\x21\x46\xA8\xA9\x08\xAC\xF1\xF6\x11\x02\xD9\x95\x16\x9E\x8D\x2F\x96\xE6\x02\xDD\x75\xC2\x14\x2A\x5A\xD6\xC9\x7D\x25\xC2\xC1\xFC\xAA\x67\x85\xE2\xEC\xBE\xD1\x7C\x3C\xFA\xAF\xD5\x6E\xFF\x53\x41\xD4\xF5\x32\x38\xB1\xE2\x5F\xC4\xF9\x8E\x10\xEF\x06\xA9\x02\x89\xFF\xE3\x0C\x6E\x97\xE0\xDF\x9D\xDB\x21\xD0\xF4\x3E\x08\x69\x6C\xD8\xD4\xE4\x36\xF8\x83\xB6\xB2\x36\x8F\x9C\xEF\x3A\x37\x16\x7D\xBF\xA2\x69\xD7\x3B\x5B\x72\xD0\xAF\xAA\x3F\x5C\x66\x93\xAC\x0A\x22\x61\xB6\xD2\xA0\x99\xC8\x54\x93\x
5D\xA8\xB6\xD1\xBD\x5D\x0A\x5E\x77\x94\xA2\x2D\xC0\x82\x8E\xBC\xCA\x03\x2A\x34\xAE\x73\xF1\xD4\xB5\x0C\xBD\xBE\x67\x9B\x54\xEB\xE1\xFA\xA0\x5A\xEC\x38\x7E\x3E\xC1\xCC\xA2\xC7\x44\x31\x75\xEA\x3F\xE5\x07\xD2\xAB\xA1\x25\x96\xF6\xE6\xE4\xA0\x5D\x37\x18\x39\x61\x00\x33\x5D\x46\xD4\x00\xC4\xB4\xCA\x3C\xF1\xA2\xA3\x3E\xF3\x3A\xFF\x69\x30\x2E\x40\xDD\xF6\x9F\x9C\x26\xC9\x96\x37\xAD\xE7\x39\xA2\xBF\xEA\x69\xDB\x55\x22\x95\x53\x2A\x94\xB5\xDF\xAD\x16\x38\x81\x75\x66\xE3\xC7\x2C\x1B\x93\x9C\xAA\x8C\xA3\xCA\xD9\x6C\x3C\x17\x6D\x9C\xDC\x7C\x53\xE0\x20\x27\x43\x36\xF9\x12\xE1\x3C\x5C\xBD\x66\xBF\xA2\x69\x23\x38\xB8\x99\x60\x99\x0E\x56\x53\x3A\x9C\x7E\x14\x8C\xB0\x06\x6F\xF1\x86\x76\x90\xAF\xFD\xAF\xFE\x90\xC6\x8F\x9F\x7F\x8B\x92\x23\x9C\xE7\x15\x76\x8F\xD5\x8B\x94\x13\x72\x69\xFB\x2B\x61\x63\x88\xEF\xE6\xA4\x5E\xE6\xA3\x17\x6A\x58\x47\xCB\x71\x4F\x14\x0B\x5E\xC8\x02\x08\x26\xA2\xCB\xE9\xAF\x6B\x8A\x19\xC7\xCB\x14\x56\xF5\xE1\xDA\xB5\xD9\xFC\xBF\x73\x38\xDA\xF9\xE7\xAF\x6E\xA4\x37\xE2\x07\x27\x02\x03\x01\x00\x01\xA3\x82\x03\x17\x30\x82\x03\x13\x30\x12\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x08\x30\x06\x01\x01\xFF\x02\x01\x01\x30\x37\x06\x03\x55\x1D\x12\x04\x30\x30\x2E\x82\x0F\x73\x75\x73\x63\x65\x72\x74\x65\x2E\x67\x6F\x62\x2E\x76\x65\xA0\x1B\x06\x05\x60\x86\x5E\x02\x02\xA0\x12\x0C\x10\x52\x49\x46\x2D\x47\x2D\x32\x30\x30\x30\x34\x30\x33\x36\x2D\x30\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x41\x0F\x19\x38\xAA\x99\x7F\x42\x0B\xA4\xD7\x27\x98\x54\xA2\x17\x4C\x2D\x51\x54\x30\x82\x01\x50\x06\x03\x55\x1D\x23\x04\x82\x01\x47\x30\x82\x01\x43\x80\x14\xAD\xBB\x22\x1D\xC6\xE0\xD2\x01\xA8\xFD\x76\x50\x52\x93\xED\x98\xC1\x4D\xAE\xD3\xA1\x82\x01\x26\xA4\x82\x01\x22\x30\x82\x01\x1E\x31\x3E\x30\x3C\x06\x03\x55\x04\x03\x13\x35\x41\x75\x74\x6F\x72\x69\x64\x61\x64\x20\x64\x65\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x63\x69\x6F\x6E\x20\x52\x61\x69\x7A\x20\x64\x65\x6C\x20\x45\x73\x74\x61\x64\x6F\x20\x56\x65\x6E\x65\x7A\x6F\x6C\x61\x6E\x6F\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x56\x45\x31\x10\x
30\x0E\x06\x03\x55\x04\x07\x13\x07\x43\x61\x72\x61\x63\x61\x73\x31\x19\x30\x17\x06\x03\x55\x04\x08\x13\x10\x44\x69\x73\x74\x72\x69\x74\x6F\x20\x43\x61\x70\x69\x74\x61\x6C\x31\x36\x30\x34\x06\x03\x55\x04\x0A\x13\x2D\x53\x69\x73\x74\x65\x6D\x61\x20\x4E\x61\x63\x69\x6F\x6E\x61\x6C\x20\x64\x65\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x63\x69\x6F\x6E\x20\x45\x6C\x65\x63\x74\x72\x6F\x6E\x69\x63\x61\x31\x43\x30\x41\x06\x03\x55\x04\x0B\x13\x3A\x53\x75\x70\x65\x72\x69\x6E\x74\x65\x6E\x64\x65\x6E\x63\x69\x61\x20\x64\x65\x20\x53\x65\x72\x76\x69\x63\x69\x6F\x73\x20\x64\x65\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x63\x69\x6F\x6E\x20\x45\x6C\x65\x63\x74\x72\x6F\x6E\x69\x63\x61\x31\x25\x30\x23\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x09\x01\x16\x16\x61\x63\x72\x61\x69\x7A\x40\x73\x75\x73\x63\x65\x72\x74\x65\x2E\x67\x6F\x62\x2E\x76\x65\x82\x01\x0A\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x4D\x06\x03\x55\x1D\x11\x04\x46\x30\x44\x82\x0E\x70\x72\x6F\x63\x65\x72\x74\x2E\x6E\x65\x74\x2E\x76\x65\xA0\x15\x06\x05\x60\x86\x5E\x02\x01\xA0\x0C\x0C\x0A\x50\x53\x43\x2D\x30\x30\x30\x30\x30\x32\xA0\x1B\x06\x05\x60\x86\x5E\x02\x02\xA0\x12\x0C\x10\x52\x49\x46\x2D\x4A\x2D\x33\x31\x36\x33\x35\x33\x37\x33\x2D\x37\x30\x76\x06\x03\x55\x1D\x1F\x04\x6F\x30\x6D\x30\x46\xA0\x44\xA0\x42\x86\x40\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x73\x75\x73\x63\x65\x72\x74\x65\x2E\x67\x6F\x62\x2E\x76\x65\x2F\x6C\x63\x72\x2F\x43\x45\x52\x54\x49\x46\x49\x43\x41\x44\x4F\x2D\x52\x41\x49\x5A\x2D\x53\x48\x41\x33\x38\x34\x43\x52\x4C\x44\x45\x52\x2E\x63\x72\x6C\x30\x23\xA0\x21\xA0\x1F\x86\x1D\x6C\x64\x61\x70\x3A\x2F\x2F\x61\x63\x72\x61\x69\x7A\x2E\x73\x75\x73\x63\x65\x72\x74\x65\x2E\x67\x6F\x62\x2E\x76\x65\x30\x37\x06\x08\x2B\x06\x01\x05\x05\x07\x01\x01\x04\x2B\x30\x29\x30\x27\x06\x08\x2B\x06\x01\x05\x05\x07\x30\x01\x86\x1B\x68\x74\x74\x70\x3A\x2F\x2F\x6F\x63\x73\x70\x2E\x73\x75\x73\x63\x65\x72\x74\x65\x2E\x67\x6F\x62\x2E\x76\x65\x30\x41\x06\x03\x55\x1D\x20\x04\x3A\x30\x38\x30\x36\x06\x06\x60\x86\x5E\x
03\x01\x02\x30\x2C\x30\x2A\x06\x08\x2B\x06\x01\x05\x05\x07\x02\x01\x16\x1E\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x73\x75\x73\x63\x65\x72\x74\x65\x2E\x67\x6F\x62\x2E\x76\x65\x2F\x64\x70\x63\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x03\x82\x02\x01\x00\x2B\x59\xEB\x22\x99\xBB\x84\xAA\x4F\xDE\x90\xC6\xD1\x86\x71\x23\x9E\x4B\x03\x91\x47\x70\xBB\xC0\x92\x60\xEC\xE0\xD4\xE7\x6D\xC6\xD3\xED\x67\x83\x77\x52\xD5\xF2\xE5\x77\xA7\x36\xB2\xE3\x54\xBE\xD9\xBB\x0A\x9B\x11\xEF\x61\xF4\xC6\x99\x33\x99\xF5\xAF\x00\x39\x8D\x83\xBF\xA6\xBD\x35\x7E\x2C\x5C\x31\x34\x6F\x6C\xDB\xF3\x64\x01\x98\xAA\x94\x2C\x41\xDD\x15\x86\xCA\x6B\x29\x4E\x16\xC0\x49\xFC\xD7\x83\x48\x13\x07\x51\x84\x31\x52\x88\xBB\x86\x17\xC7\x6B\x2F\x8A\x20\xAD\xC5\x0B\x8F\x70\x3E\x2A\xBB\x1B\x71\x8F\xB9\xA4\xA0\xFD\xD8\x95\xD9\xAF\x59\xBF\x25\x2B\x98\xE9\x63\x93\x2F\x60\x1E\xC4\xAA\xF8\x77\xF5\x8B\x6C\x2F\xED\x7E\x2E\xB5\x4F\x40\x0D\xEE\xBC\x57\x77\xE7\xD9\xB6\xD4\x3F\x95\x27\x3A\x20\xD5\xE5\xAE\xAB\x6C\x35\x9F\xC1\xA1\x1D\x59\xDC\x84\x81\xEE\x4D\x07\xE2\x48\xB6\x9E\x4B\x95\x2D\x41\xB1\xE1\xE8\xDE\x7E\x2F\x05\x1E\x68\xEE\xBF\xBB\x90\x65\x3A\xC8\xEE\xEA\xB1\x18\x37\x1C\x62\x93\xA4\xA0\x31\xEC\x71\x6C\x91\xE6\xA4\x79\x89\x5A\x14\xA7\x14\x50\x05\x4C\xA4\x00\x57\x30\x2C\xC1\xB5\x61\x96\xDC\x3E\x1E\x84\xAF\x39\x42\xCF\xE5\xD0\x2C\xB1\x24\xBC\xDF\x40\xC3\xED\x7F\x63\x4A\xBD\xE1\x4F\x12\x64\x86\x95\xF3\xB0\xE7\xC8\xB7\xE1\x53\xBD\x92\xE6\xF3\x0C\x96\xB9\xEB\xE8\xE6\x92\xED\xA7\x81\x09\x14\x0B\xFC\x95\x7A\xCF\x8F\xD6\x34\x4F\x36\x12\xDC\x5E\xD1\x34\x75\xC6\x46\x80\x2F\x95\x04\x8C\xC7\x86\xC4\xA8\x26\x89\xA8\x3F\x19\x9B\x81\xBB\x51\xA4\x4A\x86\xAB\x0B\x11\x0F\xB1\xAE\x63\x53\x6D\x28\xEA\xDD\x33\x56\x38\x1C\xB2\xAD\x80\xD3\xD7\x72\xBD\x9A\x6C\x99\x63\xE8\x00\xBB\x41\x76\x05\xB7\x5B\x99\x18\x8A\xC3\xB8\x12\x5C\x56\xCF\x56\x0C\x7D\xE8\xE2\xCF\xED\xBC\x74\x47\xFB\xEE\xD3\x17\x4E\x22\x4F\x56\xFF\x50\xF3\x2E\xE6\x39\xA6\x82\xD6\x71\xCA\xDE\xB7\xD5\xBA\x68\x08\xED\x99\xCC\xFD\xA2\x92\xCB\x69\xB8\x9D\xF9\x0A\xA4\x
A6\x3E\x4F\x93\x28\x2A\x61\x6C\x07\x26\x00\xFF\x96\x5F\x68\x86\xB8\xB8\xCE\xCA\x55\xE0\xAB\xB1\x3D\x7F\x98\xD7\x33\x0E\x5A\x3D\xD8\x78\xC2\xC4\x60\x2F\xC7\x62\xF0\x61\x91\xD2\x38\xB0\xF6\x9E\x55\xDB\x40\x80\x05\x12\x33\xCE\x1D\x92\x9B\xD1\x69\xB3\xFF\xBF\xF1\x92\x0A\x61\x35\x3F\xDD\xFE\x86\xF4\xBC\xE0\x1A\x71\xB3\x62\xA6", - ["CN=China Internet Network Information Center EV Certificates Root,O=China Internet Network Information Center,C=CN"] = "\x30\x82\x03\xF7\x30\x82\x02\xDF\xA0\x03\x02\x01\x02\x02\x04\x48\x9F\x00\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x81\x8A\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x43\x4E\x31\x32\x30\x30\x06\x03\x55\x04\x0A\x0C\x29\x43\x68\x69\x6E\x61\x20\x49\x6E\x74\x65\x72\x6E\x65\x74\x20\x4E\x65\x74\x77\x6F\x72\x6B\x20\x49\x6E\x66\x6F\x72\x6D\x61\x74\x69\x6F\x6E\x20\x43\x65\x6E\x74\x65\x72\x31\x47\x30\x45\x06\x03\x55\x04\x03\x0C\x3E\x43\x68\x69\x6E\x61\x20\x49\x6E\x74\x65\x72\x6E\x65\x74\x20\x4E\x65\x74\x77\x6F\x72\x6B\x20\x49\x6E\x66\x6F\x72\x6D\x61\x74\x69\x6F\x6E\x20\x43\x65\x6E\x74\x65\x72\x20\x45\x56\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x73\x20\x52\x6F\x6F\x74\x30\x1E\x17\x0D\x31\x30\x30\x38\x33\x31\x30\x37\x31\x31\x32\x35\x5A\x17\x0D\x33\x30\x30\x38\x33\x31\x30\x37\x31\x31\x32\x35\x5A\x30\x81\x8A\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x43\x4E\x31\x32\x30\x30\x06\x03\x55\x04\x0A\x0C\x29\x43\x68\x69\x6E\x61\x20\x49\x6E\x74\x65\x72\x6E\x65\x74\x20\x4E\x65\x74\x77\x6F\x72\x6B\x20\x49\x6E\x66\x6F\x72\x6D\x61\x74\x69\x6F\x6E\x20\x43\x65\x6E\x74\x65\x72\x31\x47\x30\x45\x06\x03\x55\x04\x03\x0C\x3E\x43\x68\x69\x6E\x61\x20\x49\x6E\x74\x65\x72\x6E\x65\x74\x20\x4E\x65\x74\x77\x6F\x72\x6B\x20\x49\x6E\x66\x6F\x72\x6D\x61\x74\x69\x6F\x6E\x20\x43\x65\x6E\x74\x65\x72\x20\x45\x56\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x73\x20\x52\x6F\x6F\x74\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\x9B\x7E\x73\xEE\xBD\x3B\x7
8\xAA\x64\x43\x41\xF5\x50\xDF\x94\xF2\x2E\xB2\x8D\x4A\x8E\x46\x54\xD2\x21\x12\xC8\x39\x32\x42\x06\xE9\x83\xD5\x9F\x52\xED\xE5\x67\x03\x3B\x54\xC1\x8C\x99\x99\xCC\xE9\xC0\x0F\xFF\x0D\xD9\x84\x11\xB2\xB8\xD1\xCB\x5B\xDC\x1E\xF9\x68\x31\x64\xE1\x9B\xFA\x74\xEB\x68\xB9\x20\x95\xF7\xC6\x0F\x8D\x47\xAC\x5A\x06\xDD\x61\xAB\xE2\xEC\xD8\x9F\x17\x2D\x9C\xCA\x3C\x35\x97\x55\x71\xCD\x43\x85\xB1\x47\x16\xF5\x2C\x53\x80\x76\xCF\xD3\x00\x64\xBD\x40\x99\xDD\xCC\xD8\xDB\xC4\x9F\xD6\x13\x5F\x41\x83\x8B\xF9\x0D\x87\x92\x56\x34\x6C\x1A\x10\x0B\x17\xD5\x5A\x1C\x97\x58\x84\x3C\x84\x1A\x2E\x5C\x91\x34\x6E\x19\x5F\x7F\x17\x69\xC5\x65\xEF\x6B\x21\xC6\xD5\x50\x3A\xBF\x61\xB9\x05\x8D\xEF\x6F\x34\x3A\xB2\x6F\x14\x63\xBF\x16\x3B\x9B\xA9\x2A\xFD\xB7\x2B\x38\x66\x06\xC5\x2C\xE2\xAA\x67\x1E\x45\xA7\x8D\x04\x66\x42\xF6\x8F\x2B\xEF\x88\x20\x69\x8F\x32\x8C\x14\x73\xDA\x2B\x86\x91\x63\x22\x9A\xF2\xA7\xDB\xCE\x89\x8B\xAB\x5D\xC7\x14\xC1\x5B\x30\x6A\x1F\xB1\xB7\x9E\x2E\x81\x01\x02\xED\xCF\x96\x5E\x63\xDB\xA8\xE6\x38\xB7\x02\x03\x01\x00\x01\xA3\x63\x30\x61\x30\x1F\x06\x03\x55\x1D\x23\x04\x18\x30\x16\x80\x14\x7C\x72\x4B\x39\xC7\xC0\xDB\x62\xA5\x4F\x9B\xAA\x18\x34\x92\xA2\xCA\x83\x82\x59\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x7C\x72\x4B\x39\xC7\xC0\xDB\x62\xA5\x4F\x9B\xAA\x18\x34\x92\xA2\xCA\x83\x82\x59\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x2A\xC3\xC7\x43\x37\x8F\xDD\xAD\xA4\xB2\x0C\xEE\xDC\x14\x6D\x8F\x28\xA4\x98\x49\xCB\x0C\x80\xEA\xF3\xED\x23\x66\x75\x7D\xC5\xD3\x21\x67\x79\xD1\x73\xC5\xB5\x03\xB7\x58\xAC\x0C\x54\x2F\xC6\x56\x13\x0F\x31\xDA\x06\xE7\x65\x3B\x1D\x6F\x36\xDB\xC8\x1D\xF9\xFD\x80\x06\xCA\xA3\x3D\x66\x16\xA8\x9D\x4C\x16\x7D\xC0\x95\x46\xB5\x51\xE4\xE2\x1F\xD7\xEA\x06\x4D\x63\x8D\x96\x8C\xEF\xE7\x33\x57\x42\x3A\xEB\x8C\xC1\x79\xC8\x4D\x76\x7D\xDE\xF6\xB1\xB7\x81\xE0\xA0\xF9\xA1\x78\x46\x17\x1A\x56\x98\xF0\x4E\x3D\xA
B\x1C\xED\xEC\x39\xDC\x07\x48\xF7\x63\xFE\x06\xAE\xC2\xA4\x5C\x6A\x5B\x32\x88\xC5\xC7\x33\x85\xAC\x66\x42\x47\xC2\x58\x24\x99\xE1\xE5\x3E\xE5\x75\x2C\x8E\x43\xD6\x5D\x3C\x78\x1E\xA8\x95\x82\x29\x50\xD1\xD1\x16\xBA\xEF\xC1\xBE\x7A\xD9\xB4\xD8\xCC\x1E\x4C\x46\xE1\x77\xB1\x31\xAB\xBD\x2A\xC8\xCE\x8F\x6E\xA1\x5D\x7F\x03\x75\x34\xE4\xAD\x89\x45\x54\x5E\xBE\xAE\x28\xA5\xBB\x3F\x78\x79\xEB\x73\xB3\x0A\x0D\xFD\xBE\xC9\xF7\x56\xAC\xF6\xB7\xED\x2F\x9B\x21\x29\xC7\x38\xB6\x95\xC4\x04\xF2\xC3\x2D\xFD\x14\x2A\x90\x99\xB9\x07\xCC\x9F", - ["CN=Swisscom Root CA 2,OU=Digital Certificate Services,O=Swisscom,C=ch"] = "\x30\x82\x05\xD9\x30\x82\x03\xC1\xA0\x03\x02\x01\x02\x02\x10\x1E\x9E\x28\xE8\x48\xF2\xE5\xEF\xC3\x7C\x4A\x1E\x5A\x18\x67\xB6\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x30\x64\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x63\x68\x31\x11\x30\x0F\x06\x03\x55\x04\x0A\x13\x08\x53\x77\x69\x73\x73\x63\x6F\x6D\x31\x25\x30\x23\x06\x03\x55\x04\x0B\x13\x1C\x44\x69\x67\x69\x74\x61\x6C\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x20\x53\x65\x72\x76\x69\x63\x65\x73\x31\x1B\x30\x19\x06\x03\x55\x04\x03\x13\x12\x53\x77\x69\x73\x73\x63\x6F\x6D\x20\x52\x6F\x6F\x74\x20\x43\x41\x20\x32\x30\x1E\x17\x0D\x31\x31\x30\x36\x32\x34\x30\x38\x33\x38\x31\x34\x5A\x17\x0D\x33\x31\x30\x36\x32\x35\x30\x37\x33\x38\x31\x34\x5A\x30\x64\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x63\x68\x31\x11\x30\x0F\x06\x03\x55\x04\x0A\x13\x08\x53\x77\x69\x73\x73\x63\x6F\x6D\x31\x25\x30\x23\x06\x03\x55\x04\x0B\x13\x1C\x44\x69\x67\x69\x74\x61\x6C\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x20\x53\x65\x72\x76\x69\x63\x65\x73\x31\x1B\x30\x19\x06\x03\x55\x04\x03\x13\x12\x53\x77\x69\x73\x73\x63\x6F\x6D\x20\x52\x6F\x6F\x74\x20\x43\x41\x20\x32\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\x95\x42\x4E\x84\x9D\x51\xE6\xD3\x09\xE8\x72\x5A\x23\x69\xDB\x78\x70\x8E\x16\xF1\x2B\x8F\x0D\x03\xCE\x93\xCC\x2E\x00\x08\x7B\xAB\x33\
x8C\xF4\xE9\x40\xE6\x17\x4C\xAB\x9E\xB8\x47\x14\x32\x77\x32\xDD\x28\x0C\xDE\x18\x4B\x5F\x76\x9F\xF8\x39\x3B\xFC\x4E\x89\xD8\x7C\xC5\x67\xEF\xAB\xD2\xB9\x34\x5F\x6B\x3A\xF3\x64\x36\xCE\xC2\xB0\xCF\x13\x68\xCA\xC8\xCB\xEB\xB5\xE2\x3D\x2E\x21\xDF\xEA\x2C\xD4\xE0\xF9\x70\x96\x4C\xFF\x6A\x58\x98\xB7\x17\xE4\x1B\x52\xE5\x7E\x07\x00\x1D\x5F\xDA\xE6\x3E\x95\x04\xB7\x69\x88\x39\xA1\x41\x60\x25\x61\x4B\x95\x39\x68\x62\x1C\xB1\x0B\x05\x89\xC0\x36\x82\x14\x21\x3F\xAE\xDB\xA1\xFD\xBC\x6F\x1C\x60\x86\xB6\x53\x94\x49\xB9\x2B\x46\xC5\x4F\x00\x2B\xBF\xA1\xBB\xCB\x3F\xE0\xC7\x57\x1C\x57\xE8\xD6\x69\xF8\xC1\x24\x52\x9D\x88\x55\xDD\xC2\x87\x2E\x74\x23\xD0\x14\xFD\x2A\x47\x5A\xBB\xA6\x9D\xFD\x94\xE4\xD1\x8A\xA5\x5F\x86\x63\x76\x85\xCB\xAF\xFF\x49\x28\xFC\x80\xED\x4C\x79\xD2\xBB\xE4\xC0\xEF\x01\xEE\x50\x41\x08\x35\x23\x70\x2B\xA9\x16\xB4\x8C\x6E\x85\xE9\xB6\x11\xCF\x31\xDD\x53\x26\x1B\xDF\x2D\x5A\x4A\x02\x40\xFC\xC4\xC0\xB6\xE9\x31\x1A\x08\x28\xE5\x60\xC3\x1F\xC4\x90\x8E\x10\x62\x60\x44\x0D\xEC\x0A\xBE\x55\x18\x71\x2C\xA5\xF4\xB2\xBC\x15\x62\xFF\x1C\xE3\xBE\x1D\xDA\x1E\x57\xB3\x3C\x7E\xCD\x82\x1D\x91\xE3\x4B\xEB\x2C\x52\x34\xB0\x8A\xFD\x12\x4E\x96\xB0\xEB\x70\x7F\x9E\x39\xF7\x66\x42\xB1\xAB\xAC\x52\xDA\x76\x40\x57\x7B\x2A\xBD\xE8\x6E\x03\xB2\x0B\x80\x85\x88\x9D\x0C\xC7\xC2\x77\xB0\x9A\x9A\x57\xF4\xB8\xFA\x13\x5C\x68\x93\x3A\x67\xA4\x97\xD0\x1B\x99\xB7\x86\x32\x4B\x60\xD8\xCE\xEF\xD0\x0C\x7F\x95\x9F\x6F\x87\x4F\x87\x8A\x8E\x5F\x08\x7C\xAA\x5B\xFC\x5A\xBE\xA1\x91\x9F\x55\x7D\x4E\xB0\x0B\x69\xCC\xB0\x94\xA8\xA7\x87\xF2\xD3\x4A\x50\xDC\x5F\x72\xB0\x16\x75\x1E\xCB\xB4\x18\x62\x9A\xB0\xA7\x39\xAA\x9B\x9F\x66\xD8\x8D\xA6\x6C\x96\x15\xE3\xE6\xF2\xF8\xF1\x83\x62\x6C\xBB\x55\xE9\x61\x93\xA3\x3D\xF5\xB1\x57\x8B\x4F\x23\xB0\x9B\xE5\x94\x6A\x2F\xDF\x8C\xDF\x95\x51\x29\x60\xA1\x0B\x29\xE4\x5C\x55\x58\xB7\xA8\xFC\x99\xEE\x25\x4D\x4C\x0E\xB3\xD3\x4C\x8F\x84\xE8\x29\x0F\xFD\x10\x54\x02\x85\xC8\xF9\xE5\xC3\x8B\xCF\xE7\x0F\x02\x03\x01\x00\x01\xA3\x81\x86\x30\x81\x83\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\
x04\x04\x03\x02\x01\x86\x30\x1D\x06\x03\x55\x1D\x21\x04\x16\x30\x14\x30\x12\x06\x07\x60\x85\x74\x01\x53\x02\x01\x06\x07\x60\x85\x74\x01\x53\x02\x01\x30\x12\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x08\x30\x06\x01\x01\xFF\x02\x01\x07\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x4D\x26\x20\x22\x89\x4B\xD3\xD5\xA4\x0A\xA1\x6F\xDE\xE2\x12\x81\xC5\xF1\x3C\x2E\x30\x1F\x06\x03\x55\x1D\x23\x04\x18\x30\x16\x80\x14\x4D\x26\x20\x22\x89\x4B\xD3\xD5\xA4\x0A\xA1\x6F\xDE\xE2\x12\x81\xC5\xF1\x3C\x2E\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x03\x82\x02\x01\x00\x32\x0A\xB2\xA4\x1B\xCB\x7D\xBE\x82\x57\x89\xB9\x6A\x7F\xF3\xF4\xC1\x2E\x11\x7D\xB8\x19\x3E\x79\xB7\xA8\xA8\x72\x37\x66\x9B\x1A\xED\xAC\x13\x3B\x0E\xBF\x62\xF0\x9C\xDF\x9E\x7B\xA1\x53\x48\x0E\x41\x7A\xCA\x20\xA7\x17\x1B\xB6\x78\xEC\x40\x91\xF3\x42\xAD\x10\xC3\x5C\xEF\xFF\x60\x59\x7F\xCD\x85\xA3\x8B\x3D\x48\x1C\x25\x02\x3C\x67\x7D\xF5\x32\xE9\x2F\x30\xE5\x7D\xA5\x7A\x38\xD0\xF3\x66\x2A\x66\x1E\x8D\x33\x83\x8A\x6F\x7C\x6E\xA8\x5A\x75\x9A\xB8\xD7\xDA\x58\x48\x44\x47\xA8\x4C\xFA\x4C\x49\x0A\x4A\xC2\x12\x37\xA8\x40\x0C\xC3\xC8\xE1\xD0\x57\x0D\x97\x32\x95\xC7\x3A\x9F\x97\xD3\x57\xF8\x0B\xDE\xE5\x72\xF3\xA3\xDB\xFF\xB5\xD8\x59\xB2\x73\xDD\x4D\x2A\x71\xB2\xBA\x49\xF5\xCB\x1C\xD5\xF5\x79\xC8\x99\xB3\xFC\xC1\x4C\x74\xE3\xB4\xBD\x29\x37\x15\x04\x28\x1E\xDE\x45\x46\x70\xEC\xAF\xBA\x78\x0E\x8A\x2A\xCE\x00\x79\xDC\xC0\x5F\x19\x67\x2C\x6B\x4B\xEF\x68\x68\x0B\x43\xE3\xAC\xC1\x62\x09\xEF\xA6\xDD\x65\x61\xA0\xAF\x84\x55\x48\x91\x52\x1C\xC6\x25\x91\x2A\xD0\xC1\x22\x23\x61\x59\xAF\x45\x11\x85\x1D\x01\x24\x34\x8F\xCF\xB3\xFF\x17\x72\x20\x13\xC2\x80\xAA\x21\x2C\x71\x39\x0E\xD0\x8F\x5C\xC1\xD3\xD1\x8E\x22\x72\x46\x4C\x1D\x96\xAE\x4F\x71\xB1\xE1\x05\x29\x96\x59\xF4\xBB\x9E\x75\x3D\xCF\x0D\x37\x0D\x62\xDB\x26\x8C\x63\xA9\x23\xDF\x67\x06\x3C\x7C\x3A\xDA\x34\x42\xE1\x66\xB4\x46\x04\xDE\xC6\x96\x98\x0F\x4B\x48\x7A\x24\x32\x75\x91\x9F\xAC\xF7\x68\xE9\x2A\xB9\x55\x65\xCE\x5D\x61\xD3\x27\x70\xD8\x37\xFE\x9F\xB9\xAF\xA0\x2E\x56\xB7\xA3\x65\x51\
xED\x3B\xAB\x14\xBF\x4C\x51\x03\xE8\x5F\x8A\x05\x9B\xEE\x8A\x6E\x9C\xEF\xBF\x68\xFA\xC8\xDA\x0B\xE3\x42\xC9\xD0\x17\x14\x9C\xB7\x4A\xE0\xAF\x93\x27\x21\x55\x26\xB5\x64\x2F\x8D\xF1\xFF\xA6\x40\x05\x85\x05\x5C\xCA\x07\x19\x5C\x0B\x13\x28\x4C\x58\x7F\xC2\xA5\xEF\x45\xDA\x60\xD3\xAE\x65\x61\x9D\x53\x83\x74\xC2\xAE\xF2\x5C\xC2\x16\xED\x92\x3E\x84\x3E\x73\x60\x88\xBC\x76\xF4\x2C\xCF\xD0\x7D\x7D\xD3\xB8\x5E\xD1\x91\x12\x10\xE9\xCD\xDD\xCA\x25\xE3\xD5\xED\x99\x2F\xBE\x75\x81\x4B\x24\xF9\x45\x46\x94\xC9\x29\x21\x53\x9C\x26\x45\xAA\x13\x17\xE4\xE7\xCD\x78\xE2\x39\xC1\x2B\x12\x9E\xA6\x9E\x1B\xC5\xE6\x0E\xD9\x31\xD9", - ["CN=Swisscom Root EV CA 2,OU=Digital Certificate Services,O=Swisscom,C=ch"] = "\x30\x82\x05\xE0\x30\x82\x03\xC8\xA0\x03\x02\x01\x02\x02\x11\x00\xF2\xFA\x64\xE2\x74\x63\xD3\x8D\xFD\x10\x1D\x04\x1F\x76\xCA\x58\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x30\x67\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x63\x68\x31\x11\x30\x0F\x06\x03\x55\x04\x0A\x13\x08\x53\x77\x69\x73\x73\x63\x6F\x6D\x31\x25\x30\x23\x06\x03\x55\x04\x0B\x13\x1C\x44\x69\x67\x69\x74\x61\x6C\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x20\x53\x65\x72\x76\x69\x63\x65\x73\x31\x1E\x30\x1C\x06\x03\x55\x04\x03\x13\x15\x53\x77\x69\x73\x73\x63\x6F\x6D\x20\x52\x6F\x6F\x74\x20\x45\x56\x20\x43\x41\x20\x32\x30\x1E\x17\x0D\x31\x31\x30\x36\x32\x34\x30\x39\x34\x35\x30\x38\x5A\x17\x0D\x33\x31\x30\x36\x32\x35\x30\x38\x34\x35\x30\x38\x5A\x30\x67\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x63\x68\x31\x11\x30\x0F\x06\x03\x55\x04\x0A\x13\x08\x53\x77\x69\x73\x73\x63\x6F\x6D\x31\x25\x30\x23\x06\x03\x55\x04\x0B\x13\x1C\x44\x69\x67\x69\x74\x61\x6C\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x20\x53\x65\x72\x76\x69\x63\x65\x73\x31\x1E\x30\x1C\x06\x03\x55\x04\x03\x13\x15\x53\x77\x69\x73\x73\x63\x6F\x6D\x20\x52\x6F\x6F\x74\x20\x45\x56\x20\x43\x41\x20\x32\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\xC4\xF7\x1D\x2F
\x57\xEA\x57\x6C\xF7\x70\x5D\x63\xB0\x71\x52\x09\x60\x44\x28\x33\xA3\x7A\x4E\x0A\xFA\xD8\xEA\x6C\x8B\x51\x16\x1A\x55\xAE\x54\x26\xC4\xCC\x45\x07\x41\x4F\x10\x79\x7F\x71\xD2\x7A\x4E\x3F\x38\x4E\xB3\x00\xC6\x95\xCA\x5B\xCD\xC1\x2A\x83\xD7\x27\x1F\x31\x0E\x23\x16\xB7\x25\xCB\x1C\xB4\xB9\x80\x32\x5E\x1A\x9D\x93\xF1\xE8\x3C\x60\x2C\xA7\x5E\x57\x19\x58\x51\x5E\xBC\x2C\x56\x0B\xB8\xD8\xEF\x8B\x82\xB4\x3C\xB8\xC2\x24\xA8\x13\xC7\xA0\x21\x36\x1B\x7A\x57\x29\x28\xA7\x2E\xBF\x71\x25\x90\xF3\x44\x83\x69\x50\xA4\xE4\xE1\x1B\x62\x19\x94\x09\xA3\xF3\xC3\xBC\xEF\xF4\xBD\xEC\xDB\x13\x9D\xCF\x9D\x48\x09\x52\x67\xC0\x37\x29\x11\x1E\xFB\xD2\x11\xA7\x85\x18\x74\x79\xE4\x4F\x85\x14\xEB\x52\x37\xE2\xB1\x45\xD8\xCC\x0D\x43\x7F\xAE\x13\xD2\x6B\x2B\x3F\xA7\xC2\xE2\xA8\x6D\x76\x5B\x43\x9F\xBE\xB4\x9D\xB3\x26\x86\x3B\x1F\x7F\xE5\xF2\xE8\x66\x28\x16\x25\xD0\x4B\x97\x38\xA7\xE4\xCF\x09\xD1\x36\xC3\x0B\xBE\xDA\x3B\x44\x58\x8D\xBE\xF1\x9E\x09\x6B\x3E\xF3\x32\xC7\x2B\x87\xC6\xEC\x5E\x9C\xF6\x87\x65\xAD\x33\x29\xC4\x2F\x89\xD9\xB9\xCB\xC9\x03\x9D\xFB\x6C\x94\x51\x97\x10\x1B\x86\x0B\x1A\x1B\x3F\xF6\x02\x7E\x7B\xD4\xC5\x51\x64\x28\x9D\xF5\xD3\xAC\x83\x81\x88\xD3\x74\xB4\x59\x9D\xC1\xEB\x61\x33\x5A\x45\xD1\xCB\x39\xD0\x06\x6A\x53\x60\x1D\xAF\xF6\xFB\x69\xBC\x6A\xDC\x01\xCF\xBD\xF9\x8F\xD9\xBD\x5B\xC1\x3A\x5F\x8E\xDA\x0F\x4B\xA9\x9B\x9D\x2A\x28\x6B\x1A\x0A\x7C\x3C\xAB\x22\x0B\xE5\x77\x2D\x71\xF6\x82\x35\x81\xAE\xF8\x7B\x81\xE6\xEA\xFE\xAC\xF4\x1A\x9B\x74\x5C\xE8\x8F\x24\xF6\x5D\x9D\x46\xC4\x2C\xD2\x1E\x2B\x21\x6A\x83\x27\x67\x55\x4A\xA4\xE3\xC8\x32\x97\x66\x90\x72\xDA\xE3\xD4\x64\x2E\x5F\xE3\xA1\x6A\xF6\x60\xD4\xE7\x35\xCD\xCA\xC4\x68\x8D\xD7\x71\xC8\xD3\x24\x33\x73\xB1\x6C\xF9\x6A\xE1\x28\xDB\x5F\xC6\x3D\xE8\xBE\x55\xE6\x37\x1B\xED\x24\xD9\x0F\x19\x8F\x5F\x63\x18\x58\x50\x81\x51\x65\x6F\xF2\x9F\x7E\x6A\x04\xE7\x34\x24\x71\xBA\x76\x4B\x58\x1E\x19\xBD\x15\x60\x45\xAA\x0C\x12\x40\x01\x9D\x10\xE2\xC7\x38\x07\x72\x0A\x65\xC0\xB6\xBB\x25\x29\xDA\x16\x9E\x8B\x35\x8B\x61\xED\xE5\x71\x57\x83\xB5\x3C\x71\x9F\xE3
\x4F\xBF\x7E\x1E\x81\x9F\x41\x97\x02\x03\x01\x00\x01\xA3\x81\x86\x30\x81\x83\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x86\x30\x1D\x06\x03\x55\x1D\x21\x04\x16\x30\x14\x30\x12\x06\x07\x60\x85\x74\x01\x53\x02\x02\x06\x07\x60\x85\x74\x01\x53\x02\x02\x30\x12\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x08\x30\x06\x01\x01\xFF\x02\x01\x03\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x45\xD9\xA5\x81\x6E\x3D\x88\x4D\x8D\x71\xD2\x46\xC1\x6E\x45\x1E\xF3\xC4\x80\x9D\x30\x1F\x06\x03\x55\x1D\x23\x04\x18\x30\x16\x80\x14\x45\xD9\xA5\x81\x6E\x3D\x88\x4D\x8D\x71\xD2\x46\xC1\x6E\x45\x1E\xF3\xC4\x80\x9D\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x03\x82\x02\x01\x00\x94\x3A\x73\x06\x9F\x52\x4B\x30\x5C\xD4\xFE\xB1\x5C\x25\xF9\xD7\x8E\x6F\xF5\x87\x64\x9F\xED\x14\x8E\xB8\x04\x8E\x28\x4B\x8F\xAA\x7B\x8E\x39\xB4\xD9\x58\xF6\x7B\xA1\x35\x0A\xA1\x9D\x8A\xF7\x63\xE5\xEB\xBD\x39\x82\xD4\xE3\x7A\x2D\x6F\xDF\x13\x3C\xBA\xFE\x7E\x56\x98\x0B\xF3\x54\x9F\xCD\x44\x4E\x6E\x3C\xE1\x3E\x15\xBF\x06\x26\x9D\xE4\xF0\x90\xB6\xD4\xC2\x9E\x30\x2E\x1F\xEF\xC7\x7A\xC4\x50\xC7\xEA\x7B\xDA\x50\xCB\x7A\x26\xCB\x00\xB4\x5A\xAB\xB5\x93\x1F\x80\x89\x84\x04\x95\x8D\x8D\x7F\x09\x93\xBF\xD4\xA8\xA8\xE4\x63\x6D\xD9\x64\xE4\xB8\x29\x5A\x08\xBF\x50\xE1\x84\x0F\x55\x7B\x5F\x08\x22\x1B\xF5\xBD\x99\x1E\x14\xF6\xCE\xF4\x58\x10\x82\xB3\x0A\x3D\x19\xC1\xBF\x5B\xAB\xAA\x99\xD8\xF2\x31\xBD\xE5\x38\x66\xDC\x58\x05\xC7\xED\x63\x1A\x2E\x0A\x97\x7C\x87\x93\x2B\xB2\x8A\xE3\xF1\xEC\x18\xE5\x75\xB6\x29\x87\xE7\xDC\x8B\x1A\x7E\xB4\xD8\xC9\xD3\x8A\x17\x6C\x7D\x29\x44\xBE\x8A\xAA\xF5\x7E\x3A\x2E\x68\x31\x93\xB9\x6A\xDA\x9A\xE0\xDB\xE9\x2E\xA5\x84\xCD\x1C\x0A\xB8\x4A\x08\xF9\x9C\xF1\x61\x26\x98\x93\xB7\x7B\x66\xEC\x91\x5E\xDD\x51\x3F\xDB\x73\x0F\xAD\x04\x58\x09\xDD\x04\x02\x95\x0A\x3E\xD3\x76\xDF\xA6\x10\x1E\x80\x3D\xE8\xCD\xA4\x64\xD1\x33\xC7\x92\xC7\xE2\x4E\x44\xE3\x09\xC9\x4E\xC2\x5D\x87\x0E\x12\x9E\xBF\x0F\xC9\x05\x10\xDE\x7A\xA3\xB1\x3C\xF2\x3F\xA5\xAA\x27\x79\xAD\x31\x7D\x1F\xFD\xFC\x19\x69\xC5\xDD\xB9\x3F\x7C
\xCD\xC6\xB4\xC2\x30\x1E\x7E\x6E\x92\xD7\x7F\x61\x76\x5A\x8F\xEB\x95\x4D\xBC\x11\x6E\x21\x7C\x59\x37\x99\xD0\x06\xBC\xF9\x06\x6D\x32\x16\xA5\xD9\x69\xA8\xE1\xDC\x3C\x80\x1E\x60\x51\xDC\xD7\x54\x21\x1E\xCA\x62\x77\x4F\xFA\xD8\x8F\xB3\x2B\x3A\x0D\x78\x72\xC9\x68\x41\x5A\x47\x4A\xC2\xA3\xEB\x1A\xD7\x0A\xAB\x3C\x32\x55\xC8\x0A\x11\x9C\xDF\x74\xD6\xF0\x40\x15\x1D\xC8\xB9\x8F\xB5\x36\xC5\xAF\xF8\x22\xB8\xCA\x1D\xF3\xD6\xB6\x19\x0F\x9F\x61\x65\x6A\xEA\x74\xC8\x7C\x8F\xC3\x4F\x5D\x65\x82\x1F\xD9\x0D\x89\xDA\x75\x72\xFB\xEF\xF1\x47\x67\x13\xB3\xC8\xD1\x19\x88\x27\x26\x9A\x99\x79\x7F\x1E\xE4\x2C\x3F\x7B\xEE\xF1\xDE\x4D\x8B\x96\x97\xC3\xD5\x3F\x7C\x1B\x23\xED\xA4\xB3\x1D\x16\x72\x43\x4B\x20\xE1\x59\x7E\xC2\xE8\xAD\x26\xBF\xA2\xF7", - ["CN=CA Disig Root R1,O=Disig a.s.,L=Bratislava,C=SK"] = "\x30\x82\x05\x69\x30\x82\x03\x51\xA0\x03\x02\x01\x02\x02\x09\x00\xC3\x03\x9A\xEE\x50\x90\x6E\x28\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x52\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x53\x4B\x31\x13\x30\x11\x06\x03\x55\x04\x07\x13\x0A\x42\x72\x61\x74\x69\x73\x6C\x61\x76\x61\x31\x13\x30\x11\x06\x03\x55\x04\x0A\x13\x0A\x44\x69\x73\x69\x67\x20\x61\x2E\x73\x2E\x31\x19\x30\x17\x06\x03\x55\x04\x03\x13\x10\x43\x41\x20\x44\x69\x73\x69\x67\x20\x52\x6F\x6F\x74\x20\x52\x31\x30\x1E\x17\x0D\x31\x32\x30\x37\x31\x39\x30\x39\x30\x36\x35\x36\x5A\x17\x0D\x34\x32\x30\x37\x31\x39\x30\x39\x30\x36\x35\x36\x5A\x30\x52\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x53\x4B\x31\x13\x30\x11\x06\x03\x55\x04\x07\x13\x0A\x42\x72\x61\x74\x69\x73\x6C\x61\x76\x61\x31\x13\x30\x11\x06\x03\x55\x04\x0A\x13\x0A\x44\x69\x73\x69\x67\x20\x61\x2E\x73\x2E\x31\x19\x30\x17\x06\x03\x55\x04\x03\x13\x10\x43\x41\x20\x44\x69\x73\x69\x67\x20\x52\x6F\x6F\x74\x20\x52\x31\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\xAA\xC3\x78\xF7\xDC\x98\xA3\xA7\x5A\x5E\x77\x18\xB2\xDD\x04\x64\x0F\x63\xFD\x9B\x96\x09\x80\xD5\xE8\xAA\xA5\xE2\x9C\x26\
x94\x3A\xE8\x99\x73\x8C\x9D\xDF\xD7\xDF\x83\xF3\x78\x4F\x40\xE1\x7F\xD2\xA7\xD2\xE5\xCA\x13\x93\xE7\xED\xC6\x77\x5F\x36\xB5\x94\xAF\xE8\x38\x8E\xDB\x9B\xE5\x7C\xBB\xCC\x8D\xEB\x75\x73\xE1\x24\xCD\xE6\xA7\x2D\x19\x2E\xD8\xD6\x8A\x6B\x14\xEB\x08\x62\x0A\xD8\xDC\xB3\x00\x4D\xC3\x23\x7C\x5F\x43\x08\x23\x32\x12\xDC\xED\x0C\xAD\xC0\x7D\x0F\xA5\x7A\x42\xD9\x5A\x70\xD9\xBF\xA7\xD7\x01\x1C\xF6\x9B\xAB\x8E\xB7\x4A\x86\x78\xA0\x1E\x56\x31\xAE\xEF\x82\x0A\x80\x41\xF7\x1B\xC9\xAE\xAB\x32\x26\xD4\x2C\x6B\xED\x7D\x6B\xE4\xE2\x5E\x22\x0A\x45\xCB\x84\x31\x4D\xAC\xFE\xDB\xD1\x47\xBA\xF9\x60\x97\x39\xB1\x65\xC7\xDE\xFB\x99\xE4\x0A\x22\xB1\x2D\x4D\xE5\x48\x26\x69\xAB\xE2\xAA\xF3\xFB\xFC\x92\x29\x32\xE9\xB3\x3E\x4D\x1F\x27\xA1\xCD\x8E\xB9\x17\xFB\x25\x3E\xC9\x6E\xF3\x77\xDA\x0D\x12\xF6\x5D\xC7\xBB\x36\x10\xD5\x54\xD6\xF3\xE0\xE2\x47\x48\xE6\xDE\x14\xDA\x61\x52\xAF\x26\xB4\xF5\x71\x4F\xC9\xD7\xD2\x06\xDF\x63\xCA\xFF\x21\xE8\x59\x06\xE0\x08\xD5\x84\x15\x53\xF7\x43\xE5\x7C\xC5\xA0\x89\x98\x6B\x73\xC6\x68\xCE\x65\xDE\xBD\x7F\x05\xF7\xB1\xEE\xF6\x57\xA1\x60\x95\xC5\xCC\xEA\x93\x3A\xBE\x99\xAE\x9B\x02\xA3\xAD\xC9\x16\xB5\xCE\xDD\x5E\x99\x78\x7E\x1A\x39\x7E\xB2\xC0\x05\xA4\xC0\x82\xA5\xA3\x47\x9E\x8C\xEA\x5C\xB6\xBC\x67\xDB\xE6\x2A\x4D\xD2\x04\xDC\xA3\xAE\x45\xF7\xBC\x8B\x9C\x1C\xA7\xD6\xD5\x03\xDC\x08\xCB\x2E\x16\xCA\x5C\x40\x33\xE8\x67\xC3\x2E\xE7\xA6\x44\xEA\x11\x45\x1C\x35\x65\x2D\x1E\x45\x61\x24\x1B\x82\x2E\xA5\x9D\x33\x5D\x65\xF8\x41\xF9\x2E\xCB\x94\x3F\x1F\xA3\x0C\x31\x24\x44\xED\xC7\x5E\xAD\x50\xBA\xC6\x41\x9B\xAC\xF0\x17\x65\xC0\xF8\x5D\x6F\x5B\xA0\x0A\x34\x3C\xEE\xD7\xEA\x88\x9F\x98\xF9\xAF\x4E\x24\xFA\x97\xB2\x64\x76\xDA\xAB\xF4\xED\xE3\xC3\x60\xEF\xD5\xF9\x02\xC8\x2D\x9F\x83\xAF\x67\x69\x06\xA7\x31\x55\xD5\xCF\x4B\x6F\xFF\x04\x05\xC7\x58\xAC\x5F\x16\x1B\xE5\xD2\xA3\xEB\x31\xDB\x1F\x33\x15\x4D\xD0\xF2\xA5\x53\xF5\xCB\xE1\x3D\x4E\x68\x2D\xD8\x12\xDD\xAA\xF2\xE6\x4D\x9B\x49\xE5\xC5\x28\xA1\xBA\xB0\x5A\xC6\xA0\xB5\x02\x03\x01\x00\x01\xA3\x42\x30\x40\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\
xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x89\x0A\xB4\x38\x93\x1A\xE6\xAB\xEE\x9B\x91\x18\xF9\xF5\x3C\x3E\x35\xD0\xD3\x82\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x02\x01\x00\x32\x8B\xF6\x9D\x4A\xC9\xBE\x14\xE5\x8C\xAC\x38\xCA\x3A\x09\xD4\x1B\xCE\x86\xB3\xDD\xEB\xD4\xBA\x28\xBE\x12\xAE\x45\x2C\x04\x74\xAC\x13\x51\xC5\x58\x18\x66\x4D\x82\xDA\xD5\xDC\x93\xC0\x27\xE1\xBE\x7C\x9F\x52\x9E\x12\x56\xF6\xD5\x9C\xA9\xF4\x75\x9C\xFA\x37\x12\x8F\x1C\x93\xEC\x57\xFE\x07\x0F\xAB\xD5\x12\xF7\x0F\xAE\x61\x5E\x56\x80\x49\xF5\xFC\x30\xF5\x9B\x4F\x1F\x41\x2F\x1C\x84\xD3\x89\xC7\xE2\xDA\x02\x76\xED\x09\xCF\x6C\xC1\xB8\x1C\x83\x1C\x16\xFA\x94\xCD\x7D\xA0\xC8\x18\xD2\xC8\x9D\x6E\xF5\xBD\x69\xD4\x6D\x3D\x35\xE8\x1E\xA2\x4F\x60\xD7\x07\x29\xFC\xB2\xA3\xA4\x9D\x6E\x15\x92\x56\x19\x4C\x0A\xB0\xE9\x7C\xD2\x19\x4D\x42\x46\xEC\xBD\xFD\xF6\x57\x5B\xDD\x98\x7E\xA4\x4D\xCC\x72\x03\x83\x58\x5D\xEF\x93\x3A\x41\x7A\x63\xAA\x7C\x3A\xA8\xF5\xAC\xA4\xD1\xDD\xA2\x2D\xB6\x2A\xFC\x9F\x01\x8E\xE2\x10\xB1\xC4\xCA\xE4\x67\xDB\x55\x25\x19\x3F\xFD\xE8\x36\x7E\xB3\xE1\xE1\x81\xAF\x11\x16\x8B\x50\x97\x60\x19\x82\x00\xC0\x6B\x4D\x73\xB8\xD1\x13\x07\x3E\xEA\xB6\x31\x4F\xF0\x42\x9A\x6D\xE2\x11\x74\xE5\x94\xAC\x8D\x84\x95\x3C\x21\xAF\xC5\xDA\x47\xC8\xDF\x39\x62\x62\xCB\x5B\x50\x0B\xD7\x81\x40\x05\x9C\x9B\xED\xBA\xB6\x8B\x1E\x04\x6F\x96\x20\x39\xED\xA4\x7D\x29\xDB\x48\xCE\x82\xDC\xD4\x02\x8D\x1D\x04\x31\x5A\xC7\x4B\xF0\x6C\x61\x52\xD7\xB4\x51\xC2\x81\x6C\xCD\xE1\xFB\xA7\xA1\xD2\x92\x76\xCF\xB1\x0F\x37\x58\xA4\xF2\x52\x71\x67\x3F\x0C\x88\x78\x80\x89\xC1\xC8\xB5\x1F\x92\x63\xBE\xA7\x7A\x8A\x56\x2C\x1A\xA8\xA6\x9C\xB5\x5D\xB3\x63\xD0\x13\x20\xA1\xEB\x91\x6C\xD0\x8D\x7D\xAF\xDF\x0B\xE4\x17\xB9\x86\x9E\x38\xB1\x94\x0C\x58\x8C\xE0\x55\xAA\x3B\x63\x6D\x9A\x89\x60\xB8\x64\x2A\x92\xC6\x37\xF4\x7E\x43\x43\xB7\x73\xE8\x01\xE7\x7F\x97\x0F\xD7\xF2\x7B\x19\xFD\x1A\xD7\x8F\xC9\xFA\x85\x6B\x7A\x9D\x9E\x89\xB6\
xA6\x28\x99\x93\x88\x40\xF7\x3E\xCD\x51\xA3\xCA\xEA\xEF\x79\x47\x21\xB5\xFE\x32\xE2\xC7\xC3\x51\x6F\xBE\x80\x74\xF0\xA4\xC3\x3A\xF2\x4F\xE9\x5F\xDF\x19\x0A\xF2\x3B\x13\x43\xAC\x31\xA4\xB3\xE7\xEB\xFC\x18\xD6\x01\xA9\xF3\x2A\x8F\x36\x0E\xEB\xB4\xB1\xBC\xB7\x4C\xC9\x6B\xBF\xA1\xF3\xD9\xF4\xED\xE2\xF0\xE3\xED\x64\x9E\x3D\x2F\x96\x52\x4F\x80\x53\x8B", ["CN=CA Disig Root R2,O=Disig a.s.,L=Bratislava,C=SK"] = "\x30\x82\x05\x69\x30\x82\x03\x51\xA0\x03\x02\x01\x02\x02\x09\x00\x92\xB8\x88\xDB\xB0\x8A\xC1\x63\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x30\x52\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x53\x4B\x31\x13\x30\x11\x06\x03\x55\x04\x07\x13\x0A\x42\x72\x61\x74\x69\x73\x6C\x61\x76\x61\x31\x13\x30\x11\x06\x03\x55\x04\x0A\x13\x0A\x44\x69\x73\x69\x67\x20\x61\x2E\x73\x2E\x31\x19\x30\x17\x06\x03\x55\x04\x03\x13\x10\x43\x41\x20\x44\x69\x73\x69\x67\x20\x52\x6F\x6F\x74\x20\x52\x32\x30\x1E\x17\x0D\x31\x32\x30\x37\x31\x39\x30\x39\x31\x35\x33\x30\x5A\x17\x0D\x34\x32\x30\x37\x31\x39\x30\x39\x31\x35\x33\x30\x5A\x30\x52\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x53\x4B\x31\x13\x30\x11\x06\x03\x55\x04\x07\x13\x0A\x42\x72\x61\x74\x69\x73\x6C\x61\x76\x61\x31\x13\x30\x11\x06\x03\x55\x04\x0A\x13\x0A\x44\x69\x73\x69\x67\x20\x61\x2E\x73\x2E\x31\x19\x30\x17\x06\x03\x55\x04\x03\x13\x10\x43\x41\x20\x44\x69\x73\x69\x67\x20\x52\x6F\x6F\x74\x20\x52\x32\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\xA2\xA3\xC4\x00\x09\xD6\x85\x5D\x2D\x6D\x14\xF6\xC2\xC3\x73\x9E\x35\xC2\x71\x55\x7E\x81\xFB\xAB\x46\x50\xE0\xC1\x7C\x49\x78\xE6\xAB\x79\x58\x3C\xDA\xFF\x7C\x1C\x9F\xD8\x97\x02\x78\x3E\x6B\x41\x04\xE9\x41\xBD\xBE\x03\x2C\x45\xF6\x2F\x64\xD4\xAB\x5D\xA3\x47\x3D\x64\x9B\xE9\x68\x9A\xC6\xCC\x1B\x3F\xBA\xBE\xB2\x8B\x34\x02\x2E\x98\x55\x19\xFC\x8C\x6F\xAA\x5F\xDA\x4C\xCE\x4D\x03\x21\xA3\xD8\xD2\x34\x93\x56\x96\xCB\x4C\x0C\x00\x16\x3C\x5F\x1A\xCD\xC8\xC7\x6C\xA6\xAD\xD3\x31\xA7\xBC\xE8\xE5\xE1\x66\xD6\xD2
\xFB\x03\xB4\x41\x65\xC9\x10\xAE\x0E\x05\x63\xC6\x80\x6A\x69\x30\xFD\xD2\xEE\x90\xEF\x0D\x27\xDF\x9F\x95\x73\xF4\xE1\x25\xDA\x6C\x16\xDE\x41\x38\x34\xEA\x8B\xFC\xD1\xE8\x04\x14\x61\x2D\x41\x7E\xAC\xC7\x77\x4E\xCB\x51\x54\xFB\x5E\x92\x18\x1B\x04\x5A\x68\xC6\xC9\xC4\xFA\xB7\x13\xA0\x98\xB7\x11\x2B\xB7\xD6\x57\xCC\x7C\x9E\x17\xD1\xCB\x25\xFE\x86\x4E\x24\x2E\x56\x0C\x78\x4D\x9E\x01\x12\xA6\x2B\xA7\x01\x65\x6E\x7C\x62\x1D\x84\x84\xDF\xEA\xC0\x6B\xB5\xA5\x2A\x95\x83\xC3\x53\x11\x0C\x73\x1D\x0B\xB2\x46\x90\xD1\x42\x3A\xCE\x40\x6E\x95\xAD\xFF\xC6\x94\xAD\x6E\x97\x84\x8E\x7D\x6F\x9E\x8A\x80\x0D\x49\x6D\x73\xE2\x7B\x92\x1E\xC3\xF3\xC1\xF3\xEB\x2E\x05\x6F\xD9\x1B\xCF\x37\x76\x04\xC8\xB4\x5A\xE4\x17\xA7\xCB\xDD\x76\x1F\xD0\x19\x76\xE8\x2C\x05\xB3\xD6\x9C\x34\xD8\x96\xDC\x61\x87\x91\x05\xE4\x44\x08\x33\xC1\xDA\xB9\x08\x65\xD4\xAE\xB2\x36\x0D\xEB\xBA\x38\xBA\x0C\xE5\x9B\x9E\xEB\x8D\x66\xDD\x99\xCF\xD6\x89\x41\xF6\x04\x92\x8A\x29\x29\x6D\x6B\x3A\x1C\xE7\x75\x7D\x02\x71\x0E\xF3\xC0\xE7\xBD\xCB\x19\xDD\x9D\x60\xB2\xC2\x66\x60\xB6\xB1\x04\xEE\xC9\xE6\x86\xB9\x9A\x66\x40\xA8\xE7\x11\xED\x81\x45\x03\x8B\xF6\x67\x59\xE8\xC1\x06\x11\xBD\xDD\xCF\x80\x02\x4F\x65\x40\x78\x5C\x47\x50\xC8\x9B\xE6\x1F\x81\x7B\xE4\x44\xA8\x5B\x85\x9A\xE2\xDE\x5A\xD5\xC7\xF9\x3A\x44\x66\x4B\xE4\x32\x54\x7C\xE4\x6C\x9C\xB3\x0E\x3D\x17\xA2\xB2\x34\x12\xD6\x7E\xB2\xA8\x49\xBB\xD1\x7A\x28\x40\xBE\xA2\x16\x1F\xDF\xE4\x37\x1F\x11\x73\xFB\x90\x0A\x65\x43\xA2\x0D\x7C\xF8\x06\x01\x55\x33\x7D\xB0\x0D\xB8\xF4\xF5\xAE\xA5\x42\x57\x7C\x36\x11\x8C\x7B\x5E\xC4\x03\x9D\x8C\x79\x9D\x02\x03\x01\x00\x01\xA3\x42\x30\x40\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xB5\x99\xF8\xAF\xB0\x94\xF5\xE3\x20\xD6\x0A\xAD\xCE\x4E\x56\xA4\x2E\x6E\x42\xED\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x03\x82\x02\x01\x00\x26\x06\x5E\x70\xE7\x65\x33\xC8\x82\x6E\xD9\x9C\x17\x3A\x1B\x7A\x66\xB2\x01\xF6\x78
\x3B\x69\x5E\x2F\xEA\xFF\x4E\xF9\x28\xC3\x98\x2A\x61\x4C\xB4\x24\x12\x8A\x7D\x6D\x11\x14\xF7\x9C\xB5\xCA\xE6\xBC\x9E\x27\x8E\x4C\x19\xC8\xA9\xBD\x7A\xC0\xD7\x36\x0E\x6D\x85\x72\x6E\xA8\xC6\xA2\x6D\xF6\xFA\x73\x63\x7F\xBC\x6E\x79\x08\x1C\x9D\x8A\x9F\x1A\x8A\x53\xA6\xD8\xBB\xD9\x35\x55\xB1\x11\xC5\xA9\x03\xB3\x56\x3B\xB9\x84\x93\x22\x5E\x7E\xC1\xF6\x12\x52\x8B\xEA\x2C\x67\xBC\xFE\x36\x4C\xF5\xB8\xCF\xD1\xB3\x49\x92\x3B\xD3\x29\x0E\x99\x1B\x96\xF7\x61\xB8\x3B\xC4\x2B\xB6\x78\x6C\xB4\x23\x6F\xF0\xFD\xD3\xB2\x5E\x75\x1F\x99\x95\xA8\xAC\xF6\xDA\xE1\xC5\x31\x7B\xFB\xD1\x46\xB3\xD2\xBC\x67\xB4\x62\x54\xBA\x09\xF7\x63\xB0\x93\xA2\x9A\xF9\xE9\x52\x2E\x8B\x60\x12\xAB\xFC\xF5\x60\x56\xEF\x10\x5C\x8B\xC4\x1A\x42\xDC\x83\x5B\x64\x0E\xCB\xB5\xBC\xD6\x4F\xC1\x7C\x3C\x6E\x8D\x13\x6D\xFB\x7B\xEB\x30\xD0\xDC\x4D\xAF\xC5\xD5\xB6\xA5\x4C\x5B\x71\xC9\xE8\x31\xBE\xE8\x38\x06\x48\xA1\x1A\xE2\xEA\xD2\xDE\x12\x39\x58\x1A\xFF\x80\x0E\x82\x75\xE6\xB7\xC9\x07\x6C\x0E\xEF\xFF\x38\xF1\x98\x71\xC4\xB7\x7F\x0E\x15\xD0\x25\x69\xBD\x22\x9D\x2B\xED\x05\xF6\x46\x47\xAC\xED\xC0\xF0\xD4\x3B\xE2\xEC\xEE\x96\x5B\x90\x13\x4E\x1E\x56\x3A\xEB\xB0\xEF\x96\xBB\x96\x23\x11\xBA\xF2\x43\x86\x74\x64\x95\xC8\x28\x75\xDF\x1D\x35\xBA\xD2\x37\x83\x38\x53\x38\x36\x3B\xCF\x6C\xE9\xF9\x6B\x0E\xD0\xFB\x04\xE8\x4F\x77\xD7\x65\x01\x78\x86\x0C\x7A\x3E\x21\x62\xF1\x7F\x63\x71\x0C\xC9\x9F\x44\xDB\xA8\x27\xA2\x75\xBE\x6E\x81\x3E\xD7\xC0\xEB\x1B\x98\x0F\x70\x5C\x34\xB2\x8A\xCC\xC0\x85\x18\xEB\x6E\x7A\xB3\xF7\x5A\xA1\x07\xBF\xA9\x42\x92\xF3\x60\x22\x97\xE4\x14\xA1\x07\x9B\x4E\x76\xC0\x8E\x7D\xFD\xA4\x25\xC7\x47\xED\xFF\x1F\x73\xAC\xCC\xC3\xA5\xE9\x6F\x0A\x8E\x9B\x65\xC2\x50\x85\xB5\xA3\xA0\x53\x12\xCC\x55\x87\x61\xF3\x81\xAE\x10\x46\x61\xBD\x44\x21\xB8\xC2\x3D\x74\xCF\x7E\x24\x35\xFA\x1C\x07\x0E\x9B\x3D\x22\xCA\xEF\x31\x2F\x8C\xAC\x12\xBD\xEF\x40\x28\xFC\x29\x67\x9F\xB2\x13\x4F\x66\x24\xC4\x53\x19\xE9\x1E\x29\x15\xEF\xE6\x6D\xB0\x7F\x2D\x67\xFD\xF3\x6C\x1B\x75\x46\xA3\xE5\x4A\x17\xE9\xA4\xD7\x0B", 
["C=ES,O=ACCV,OU=PKIACCV,CN=ACCVRAIZ1"] = "\x30\x82\x07\xD3\x30\x82\x05\xBB\xA0\x03\x02\x01\x02\x02\x08\x5E\xC3\xB7\xA6\x43\x7F\xA4\xE0\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x42\x31\x12\x30\x10\x06\x03\x55\x04\x03\x0C\x09\x41\x43\x43\x56\x52\x41\x49\x5A\x31\x31\x10\x30\x0E\x06\x03\x55\x04\x0B\x0C\x07\x50\x4B\x49\x41\x43\x43\x56\x31\x0D\x30\x0B\x06\x03\x55\x04\x0A\x0C\x04\x41\x43\x43\x56\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x45\x53\x30\x1E\x17\x0D\x31\x31\x30\x35\x30\x35\x30\x39\x33\x37\x33\x37\x5A\x17\x0D\x33\x30\x31\x32\x33\x31\x30\x39\x33\x37\x33\x37\x5A\x30\x42\x31\x12\x30\x10\x06\x03\x55\x04\x03\x0C\x09\x41\x43\x43\x56\x52\x41\x49\x5A\x31\x31\x10\x30\x0E\x06\x03\x55\x04\x0B\x0C\x07\x50\x4B\x49\x41\x43\x43\x56\x31\x0D\x30\x0B\x06\x03\x55\x04\x0A\x0C\x04\x41\x43\x43\x56\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x45\x53\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\x9B\xA9\xAB\xBF\x61\x4A\x97\xAF\x2F\x97\x66\x9A\x74\x5F\xD0\xD9\x96\xFD\xCF\xE2\xE4\x66\xEF\x1F\x1F\x47\x33\xC2\x44\xA3\xDF\x9A\xDE\x1F\xB5\x54\xDD\x15\x7C\x69\x35\x11\x6F\xBB\xC8\x0C\x8E\x6A\x18\x1E\xD8\x8F\xD9\x16\xBC\x10\x48\x36\x5C\xF0\x63\xB3\x90\x5A\x5C\x24\x37\xD7\xA3\xD6\xCB\x09\x71\xB9\xF1\x01\x72\x84\xB0\x7D\xDB\x4D\x80\xCD\xFC\xD3\x6F\xC9\xF8\xDA\xB6\x0E\x82\xD2\x45\x85\xA8\x1B\x68\xA8\x3D\xE8\xF4\x44\x6C\xBD\xA1\xC2\xCB\x03\xBE\x8C\x3E\x13\x00\x84\xDF\x4A\x48\xC0\xE3\x22\x0A\xE8\xE9\x37\xA7\x18\x4C\xB1\x09\x0D\x23\x56\x7F\x04\x4D\xD9\x17\x84\x18\xA5\xC8\xDA\x40\x94\x73\xEB\xCE\x0E\x57\x3C\x03\x81\x3A\x9D\x0A\xA1\x57\x43\x69\xAC\x57\x6D\x79\x90\x78\xE5\xB5\xB4\x3B\xD8\xBC\x4C\x8D\x28\xA1\xA7\xA3\xA7\xBA\x02\x4E\x25\xD1\x2A\xAE\xED\xAE\x03\x22\xB8\x6B\x20\x0F\x30\x28\x54\x95\x7F\xE0\xEE\xCE\x0A\x66\x9D\xD1\x40\x2D\x6E\x22\xAF\x9D\x1A\xC1\x05\x19\xD2\x6F\xC0\xF2\x9F\xF8\x7B\xB3\x02\x42\xFB\x50\xA9\x1D\x2D\x93\x0F\x23\xAB\xC6\xC1\x0F\x92\xFF\xD0\xA2\x15\xF5\x53\x09\x71\x1C\xFF\
x45\x13\x84\xE6\x26\x5E\xF8\xE0\x88\x1C\x0A\xFC\x16\xB6\xA8\x73\x06\xB8\xF0\x63\x84\x02\xA0\xC6\x5A\xEC\xE7\x74\xDF\x70\xAE\xA3\x83\x25\xEA\xD6\xC7\x97\x87\x93\xA7\xC6\x8A\x8A\x33\x97\x60\x37\x10\x3E\x97\x3E\x6E\x29\x15\xD6\xA1\x0F\xD1\x88\x2C\x12\x9F\x6F\xAA\xA4\xC6\x42\xEB\x41\xA2\xE3\x95\x43\xD3\x01\x85\x6D\x8E\xBB\x3B\xF3\x23\x36\xC7\xFE\x3B\xE0\xA1\x25\x07\x48\xAB\xC9\x89\x74\xFF\x08\x8F\x80\xBF\xC0\x96\x65\xF3\xEE\xEC\x4B\x68\xBD\x9D\x88\xC3\x31\xB3\x40\xF1\xE8\xCF\xF6\x38\xBB\x9C\xE4\xD1\x7F\xD4\xE5\x58\x9B\x7C\xFA\xD4\xF3\x0E\x9B\x75\x91\xE4\xBA\x52\x2E\x19\x7E\xD1\xF5\xCD\x5A\x19\xFC\xBA\x06\xF6\xFB\x52\xA8\x4B\x99\x04\xDD\xF8\xF9\xB4\x8B\x50\xA3\x4E\x62\x89\xF0\x87\x24\xFA\x83\x42\xC1\x87\xFA\xD5\x2D\x29\x2A\x5A\x71\x7A\x64\x6A\xD7\x27\x60\x63\x0D\xDB\xCE\x49\xF5\x8D\x1F\x90\x89\x32\x17\xF8\x73\x43\xB8\xD2\x5A\x93\x86\x61\xD6\xE1\x75\x0A\xEA\x79\x66\x76\x88\x4F\x71\xEB\x04\x25\xD6\x0A\x5A\x7A\x93\xE5\xB9\x4B\x17\x40\x0F\xB1\xB6\xB9\xF5\xDE\x4F\xDC\xE0\xB3\xAC\x3B\x11\x70\x60\x84\x4A\x43\x6E\x99\x20\xC0\x29\x71\x0A\xC0\x65\x02\x03\x01\x00\x01\xA3\x82\x02\xCB\x30\x82\x02\xC7\x30\x7D\x06\x08\x2B\x06\x01\x05\x05\x07\x01\x01\x04\x71\x30\x6F\x30\x4C\x06\x08\x2B\x06\x01\x05\x05\x07\x30\x02\x86\x40\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x61\x63\x63\x76\x2E\x65\x73\x2F\x66\x69\x6C\x65\x61\x64\x6D\x69\x6E\x2F\x41\x72\x63\x68\x69\x76\x6F\x73\x2F\x63\x65\x72\x74\x69\x66\x69\x63\x61\x64\x6F\x73\x2F\x72\x61\x69\x7A\x61\x63\x63\x76\x31\x2E\x63\x72\x74\x30\x1F\x06\x08\x2B\x06\x01\x05\x05\x07\x30\x01\x86\x13\x68\x74\x74\x70\x3A\x2F\x2F\x6F\x63\x73\x70\x2E\x61\x63\x63\x76\x2E\x65\x73\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xD2\x87\xB4\xE3\xDF\x37\x27\x93\x55\xF6\x56\xEA\x81\xE5\x36\xCC\x8C\x1E\x3F\xBD\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1F\x06\x03\x55\x1D\x23\x04\x18\x30\x16\x80\x14\xD2\x87\xB4\xE3\xDF\x37\x27\x93\x55\xF6\x56\xEA\x81\xE5\x36\xCC\x8C\x1E\x3F\xBD\x30\x82\x01\x73\x06\x03\x55\x1D\x20\x04\x82\x01\x6A\x30\x82\x01\x66\
x30\x82\x01\x62\x06\x04\x55\x1D\x20\x00\x30\x82\x01\x58\x30\x82\x01\x22\x06\x08\x2B\x06\x01\x05\x05\x07\x02\x02\x30\x82\x01\x14\x1E\x82\x01\x10\x00\x41\x00\x75\x00\x74\x00\x6F\x00\x72\x00\x69\x00\x64\x00\x61\x00\x64\x00\x20\x00\x64\x00\x65\x00\x20\x00\x43\x00\x65\x00\x72\x00\x74\x00\x69\x00\x66\x00\x69\x00\x63\x00\x61\x00\x63\x00\x69\x00\xF3\x00\x6E\x00\x20\x00\x52\x00\x61\x00\xED\x00\x7A\x00\x20\x00\x64\x00\x65\x00\x20\x00\x6C\x00\x61\x00\x20\x00\x41\x00\x43\x00\x43\x00\x56\x00\x20\x00\x28\x00\x41\x00\x67\x00\x65\x00\x6E\x00\x63\x00\x69\x00\x61\x00\x20\x00\x64\x00\x65\x00\x20\x00\x54\x00\x65\x00\x63\x00\x6E\x00\x6F\x00\x6C\x00\x6F\x00\x67\x00\xED\x00\x61\x00\x20\x00\x79\x00\x20\x00\x43\x00\x65\x00\x72\x00\x74\x00\x69\x00\x66\x00\x69\x00\x63\x00\x61\x00\x63\x00\x69\x00\xF3\x00\x6E\x00\x20\x00\x45\x00\x6C\x00\x65\x00\x63\x00\x74\x00\x72\x00\xF3\x00\x6E\x00\x69\x00\x63\x00\x61\x00\x2C\x00\x20\x00\x43\x00\x49\x00\x46\x00\x20\x00\x51\x00\x34\x00\x36\x00\x30\x00\x31\x00\x31\x00\x35\x00\x36\x00\x45\x00\x29\x00\x2E\x00\x20\x00\x43\x00\x50\x00\x53\x00\x20\x00\x65\x00\x6E\x00\x20\x00\x68\x00\x74\x00\x74\x00\x70\x00\x3A\x00\x2F\x00\x2F\x00\x77\x00\x77\x00\x77\x00\x2E\x00\x61\x00\x63\x00\x63\x00\x76\x00\x2E\x00\x65\x00\x73\x30\x30\x06\x08\x2B\x06\x01\x05\x05\x07\x02\x01\x16\x24\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x61\x63\x63\x76\x2E\x65\x73\x2F\x6C\x65\x67\x69\x73\x6C\x61\x63\x69\x6F\x6E\x5F\x63\x2E\x68\x74\x6D\x30\x55\x06\x03\x55\x1D\x1F\x04\x4E\x30\x4C\x30\x4A\xA0\x48\xA0\x46\x86\x44\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x61\x63\x63\x76\x2E\x65\x73\x2F\x66\x69\x6C\x65\x61\x64\x6D\x69\x6E\x2F\x41\x72\x63\x68\x69\x76\x6F\x73\x2F\x63\x65\x72\x74\x69\x66\x69\x63\x61\x64\x6F\x73\x2F\x72\x61\x69\x7A\x61\x63\x63\x76\x31\x5F\x64\x65\x72\x2E\x63\x72\x6C\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x17\x06\x03\x55\x1D\x11\x04\x10\x30\x0E\x81\x0C\x61\x63\x63\x76\x40\x61\x63\x63\x76\x2E\x65\x73\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\
x00\x03\x82\x02\x01\x00\x97\x31\x02\x9F\xE7\xFD\x43\x67\x48\x44\x14\xE4\x29\x87\xED\x4C\x28\x66\xD0\x8F\x35\xDA\x4D\x61\xB7\x4A\x97\x4D\xB5\xDB\x90\xE0\x05\x2E\x0E\xC6\x79\xD0\xF2\x97\x69\x0F\xBD\x04\x47\xD9\xBE\xDB\xB5\x29\xDA\x9B\xD9\xAE\xA9\x99\xD5\xD3\x3C\x30\x93\xF5\x8D\xA1\xA8\xFC\x06\x8D\x44\xF4\xCA\x16\x95\x7C\x33\xDC\x62\x8B\xA8\x37\xF8\x27\xD8\x09\x2D\x1B\xEF\xC8\x14\x27\x20\xA9\x64\x44\xFF\x2E\xD6\x75\xAA\x6C\x4D\x60\x40\x19\x49\x43\x54\x63\xDA\xE2\xCC\xBA\x66\xE5\x4F\x44\x7A\x5B\xD9\x6A\x81\x2B\x40\xD5\x7F\xF9\x01\x27\x58\x2C\xC8\xED\x48\x91\x7C\x3F\xA6\x00\xCF\xC4\x29\x73\x11\x36\xDE\x86\x19\x3E\x9D\xEE\x19\x8A\x1B\xD5\xB0\xED\x8E\x3D\x9C\x2A\xC0\x0D\xD8\x3D\x66\xE3\x3C\x0D\xBD\xD5\x94\x5C\xE2\xE2\xA7\x35\x1B\x04\x00\xF6\x3F\x5A\x8D\xEA\x43\xBD\x5F\x89\x1D\xA9\xC1\xB0\xCC\x99\xE2\x4D\x00\x0A\xDA\xC9\x27\x5B\xE7\x13\x90\x5C\xE4\xF5\x33\xA2\x55\x6D\xDC\xE0\x09\x4D\x2F\xB1\x26\x5B\x27\x75\x00\x09\xC4\x62\x77\x29\x08\x5F\x9E\x59\xAC\xB6\x7E\xAD\x9F\x54\x30\x22\x03\xC1\x1E\x71\x64\xFE\xF9\x38\x0A\x96\x18\xDD\x02\x14\xAC\x23\xCB\x06\x1C\x1E\xA4\x7D\x8D\x0D\xDE\x27\x41\xE8\xAD\xDA\x15\xB7\xB0\x23\xDD\x2B\xA8\xD3\xDA\x25\x87\xED\xE8\x55\x44\x4D\x88\xF4\x36\x7E\x84\x9A\x78\xAC\xF7\x0E\x56\x49\x0E\xD6\x33\x25\xD6\x84\x50\x42\x6C\x20\x12\x1D\x2A\xD5\xBE\xBC\xF2\x70\x81\xA4\x70\x60\xBE\x05\xB5\x9B\x9E\x04\x44\xBE\x61\x23\xAC\xE9\xA5\x24\x8C\x11\x80\x94\x5A\xA2\xA2\xB9\x49\xD2\xC1\xDC\xD1\xA7\xED\x31\x11\x2C\x9E\x19\xA6\xEE\xE1\x55\xE1\xC0\xEA\xCF\x0D\x84\xE4\x17\xB7\xA2\x7C\xA5\xDE\x55\x25\x06\xEE\xCC\xC0\x87\x5C\x40\xDA\xCC\x95\x3F\x55\xE0\x35\xC7\xB8\x84\xBE\xB4\x5D\xCD\x7A\x83\x01\x72\xEE\x87\xE6\x5F\x1D\xAE\xB5\x85\xC6\x26\xDF\xE6\xC1\x9A\xE9\x1E\x02\x47\x9F\x2A\xA8\x6D\xA9\x5B\xCF\xEC\x45\x77\x7F\x98\x27\x9A\x32\x5D\x2A\xE3\x84\xEE\xC5\x98\x66\x2F\x96\x20\x1D\xDD\xD8\xC3\x27\xD7\xB0\xF9\xFE\xD9\x7D\xCD\xD0\x9F\x8F\x0B\x14\x58\x51\x9F\x2F\x8B\xC3\x38\x2D\xDE\xE8\x8F\xD6\x8D\x87\xA4\xF5\x56\x43\x16\x99\x2C\xF4\xA4\x56\xB4\x34\xB8\x61\x37\xC9\xC2\x58\x80\x1B\xA0\
x97\xA1\xFC\x59\x8D\xE9\x11\xF6\xD1\x0F\x4B\x55\x34\x46\x2A\x8B\x86\x3B", ["CN=TWCA Global Root CA,OU=Root CA,O=TAIWAN-CA,C=TW"] = "\x30\x82\x05\x41\x30\x82\x03\x29\xA0\x03\x02\x01\x02\x02\x02\x0C\xBE\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x30\x51\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x54\x57\x31\x12\x30\x10\x06\x03\x55\x04\x0A\x13\x09\x54\x41\x49\x57\x41\x4E\x2D\x43\x41\x31\x10\x30\x0E\x06\x03\x55\x04\x0B\x13\x07\x52\x6F\x6F\x74\x20\x43\x41\x31\x1C\x30\x1A\x06\x03\x55\x04\x03\x13\x13\x54\x57\x43\x41\x20\x47\x6C\x6F\x62\x61\x6C\x20\x52\x6F\x6F\x74\x20\x43\x41\x30\x1E\x17\x0D\x31\x32\x30\x36\x32\x37\x30\x36\x32\x38\x33\x33\x5A\x17\x0D\x33\x30\x31\x32\x33\x31\x31\x35\x35\x39\x35\x39\x5A\x30\x51\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x54\x57\x31\x12\x30\x10\x06\x03\x55\x04\x0A\x13\x09\x54\x41\x49\x57\x41\x4E\x2D\x43\x41\x31\x10\x30\x0E\x06\x03\x55\x04\x0B\x13\x07\x52\x6F\x6F\x74\x20\x43\x41\x31\x1C\x30\x1A\x06\x03\x55\x04\x03\x13\x13\x54\x57\x43\x41\x20\x47\x6C\x6F\x62\x61\x6C\x20\x52\x6F\x6F\x74\x20\x43\x41\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\xB0\x05\xDB\xC8\xEB\x8C\xC4\x6E\x8A\x21\xEF\x8E\x4D\x9C\x71\x0A\x1F\x52\x70\xED\x6D\x82\x9C\x97\xC5\xD7\x4C\x4E\x45\x49\xCB\x40\x42\xB5\x12\x34\x6C\x19\xC2\x74\xA4\x31\x5F\x85\x02\x97\xEC\x43\x33\x0A\x53\xD2\x9C\x8C\x8E\xB7\xB8\x79\xDB\x2B\xD5\x6A\xF2\x8E\x66\xC4\xEE\x2B\x01\x07\x92\xD4\xB3\xD0\x02\xDF\x50\xF6\x55\xAF\x66\x0E\xCB\xE0\x47\x60\x2F\x2B\x32\x39\x35\x52\x3A\x28\x83\xF8\x7B\x16\xC6\x18\xB8\x62\xD6\x47\x25\x91\xCE\xF0\x19\x12\x4D\xAD\x63\xF5\xD3\x3F\x75\x5F\x29\xF0\xA1\x30\x1C\x2A\xA0\x98\xA6\x15\xBD\xEE\xFD\x19\x36\xF0\xE2\x91\x43\x8F\xFA\xCA\xD6\x10\x27\x49\x4C\xEF\xDD\xC1\xF1\x85\x70\x9B\xCA\xEA\xA8\x5A\x43\xFC\x6D\x86\x6F\x73\xE9\x37\x45\xA9\xF0\x36\xC7\xCC\x88\x75\x1E\xBB\x6C\x06\xFF\x9B\x6B\x3E\x17\xEC\x61\xAA\x71\x7C\xC6\x1D\xA2\xF7\x49\xE9\x15\xB5\x3C\xD6\xA1\x61\xF5\x11\xF7\x05\x6F\x1D
\xFD\x11\xBE\xD0\x30\x07\xC2\x29\xB0\x09\x4E\x26\xDC\xE3\xA2\xA8\x91\x6A\x1F\xC2\x91\x45\x88\x5C\xE5\x98\xB8\x71\xA5\x15\x19\xC9\x7C\x75\x11\xCC\x70\x74\x4F\x2D\x9B\x1D\x91\x44\xFD\x56\x28\xA0\xFE\xBB\x86\x6A\xC8\xFA\x5C\x0B\x58\xDC\xC6\x4B\x76\xC8\xAB\x22\xD9\x73\x0F\xA5\xF4\x5A\x02\x89\x3F\x4F\x9E\x22\x82\xEE\xA2\x74\x53\x2A\x3D\x53\x27\x69\x1D\x6C\x8E\x32\x2C\x64\x00\x26\x63\x61\x36\x4E\xA3\x46\xB7\x3F\x7D\xB3\x2D\xAC\x6D\x90\xA2\x95\xA2\xCE\xCF\xDA\x82\xE7\x07\x34\x19\x96\xE9\xB8\x21\xAA\x29\x7E\xA6\x38\xBE\x8E\x29\x4A\x21\x66\x79\x1F\xB3\xC3\xB5\x09\x67\xDE\xD6\xD4\x07\x46\xF3\x2A\xDA\xE6\x22\x37\x60\xCB\x81\xB6\x0F\xA0\x0F\xE9\xC8\x95\x7F\xBF\x55\x91\x05\x7A\xCF\x3D\x15\xC0\x6F\xDE\x09\x94\x01\x83\xD7\x34\x1B\xCC\x40\xA5\xF0\xB8\x9B\x67\xD5\x98\x91\x3B\xA7\x84\x78\x95\x26\xA4\x5A\x08\xF8\x2B\x74\xB4\x00\x04\x3C\xDF\xB8\x14\x8E\xE8\xDF\xA9\x8D\x6C\x67\x92\x33\x1D\xC0\xB7\xD2\xEC\x92\xC8\xBE\x09\xBF\x2C\x29\x05\x6F\x02\x6B\x9E\xEF\xBC\xBF\x2A\xBC\x5B\xC0\x50\x8F\x41\x70\x71\x87\xB2\x4D\xB7\x04\xA9\x84\xA3\x32\xAF\xAE\xEE\x6B\x17\x8B\xB2\xB1\xFE\x6C\xE1\x90\x8C\x88\xA8\x97\x48\xCE\xC8\x4D\xCB\xF3\x06\xCF\x5F\x6A\x0A\x42\xB1\x1E\x1E\x77\x2F\x8E\xA0\xE6\x92\x0E\x06\xFC\x05\x22\xD2\x26\xE1\x31\x51\x7D\x32\xDC\x0F\x02\x03\x01\x00\x01\xA3\x23\x30\x21\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x03\x82\x02\x01\x00\x5F\x34\x81\x76\xEF\x96\x1D\xD5\xE5\xB5\xD9\x02\x63\x84\x16\xC1\xAE\xA0\x70\x51\xA7\xF7\x4C\x47\x35\xC8\x0B\xD7\x28\x3D\x89\x71\xD9\xAA\x33\x41\xEA\x14\x1B\x6C\x21\x00\xC0\x6C\x42\x19\x7E\x9F\x69\x5B\x20\x42\xDF\xA2\xD2\xDA\xC4\x7C\x97\x4B\x8D\xB0\xE8\xAC\xC8\xEE\xA5\x69\x04\x99\x0A\x92\xA6\xAB\x27\x2E\x1A\x4D\x81\xBF\x84\xD4\x70\x1E\xAD\x47\xFE\xFD\x4A\x9D\x33\xE0\xF2\xB9\xC4\x45\x08\x21\x0A\xDA\x69\x69\x73\x72\x0D\xBE\x34\xFE\x94\x8B\xAD\xC3\x1E\x35\xD7\xA2\x83\xEF\xE5\x38\xC7\xA5\x85\x1F\xAB\xCF\x34\xEC\x3F\x28
\xFE\x0C\xF1\x57\x86\x4E\xC9\x55\xF7\x1C\xD4\xD8\xA5\x7D\x06\x7A\x6F\xD5\xDF\x10\xDF\x81\x4E\x21\x65\xB1\xB6\xE1\x17\x79\x95\x45\x06\xCE\x5F\xCC\xDC\x46\x89\x63\x68\x44\x8D\x93\xF4\x64\x70\xA0\x3D\x9D\x28\x05\xC3\x39\x70\xB8\x62\x7B\x20\xFD\xE4\xDB\xE9\x08\xA1\xB8\x9E\x3D\x09\xC7\x4F\xFB\x2C\xF8\x93\x76\x41\xDE\x52\xE0\xE1\x57\xD2\x9D\x03\xBC\x77\x9E\xFE\x9E\x29\x5E\xF7\xC1\x51\x60\x1F\xDE\xDA\x0B\xB2\x2D\x75\xB7\x43\x48\x93\xE7\xF6\x79\xC6\x84\x5D\x80\x59\x60\x94\xFC\x78\x98\x8F\x3C\x93\x51\xED\x40\x90\x07\xDF\x64\x63\x24\xCB\x4E\x71\x05\xA1\xD7\x94\x1A\x88\x32\xF1\x22\x74\x22\xAE\xA5\xA6\xD8\x12\x69\x4C\x60\xA3\x02\xEE\x2B\xEC\xD4\x63\x92\x0B\x5E\xBE\x2F\x76\x6B\xA3\xB6\x26\xBC\x8F\x03\xD8\x0A\xF2\x4C\x64\x46\xBD\x39\x62\xE5\x96\xEB\x34\x63\x11\x28\xCC\x95\xF1\xAD\xEF\xEF\xDC\x80\x58\x48\xE9\x4B\xB8\xEA\x65\xAC\xE9\xFC\x80\xB5\xB5\xC8\x45\xF9\xAC\xC1\x9F\xD9\xB9\xEA\x62\x88\x8E\xC4\xF1\x4B\x83\x12\xAD\xE6\x8B\x84\xD6\x9E\xC2\xEB\x83\x18\x9F\x6A\xBB\x1B\x24\x60\x33\x70\xCC\xEC\xF7\x32\xF3\x5C\xD9\x79\x7D\xEF\x9E\xA4\xFE\xC9\x23\xC3\x24\xEE\x15\x92\xB1\x3D\x91\x4F\x26\x86\xBD\x66\x73\x24\x13\xEA\xA4\xAE\x63\xC1\xAD\x7D\x84\x03\x3C\x10\x78\x86\x1B\x79\xE3\xC4\xF3\xF2\x04\x95\x20\xAE\x23\x82\xC4\xB3\x3A\x00\x62\xBF\xE6\x36\x24\xE1\x57\xBA\xC7\x1E\x90\x75\xD5\x5F\x3F\x95\x61\x2B\xC1\x3B\xCD\xE5\xB3\x68\x61\xD0\x46\x26\xA9\x21\x52\x69\x2D\xEB\x2E\xC7\xEB\x77\xCE\xA6\x3A\xB5\x03\x33\x4F\x76\xD1\xE7\x5C\x54\x01\x5D\xCB\x78\xF4\xC9\x0C\xBF\xCF\x12\x8E\x17\x2D\x23\x68\x94\xE7\xAB\xFE\xA9\xB2\x2B\x06\xD0\x04\xCD", 
@@ -138,8 +104,6 @@ redef root_certs += { ["CN=DigiCert Global Root G2,OU=www.digicert.com,O=DigiCert Inc,C=US"] = "\x30\x82\x03\x8E\x30\x82\x02\x76\xA0\x03\x02\x01\x02\x02\x10\x03\x3A\xF1\xE6\xA7\x11\xA9\xA0\xBB\x28\x64\xB1\x1D\x09\xFA\xE5\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x30\x61\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x15\x30\x13\x06\x03\x55\x04\x0A\x13\x0C\x44\x69\x67\x69\x43\x65\x72\x74\x20\x49\x6E\x63\x31\x19\x30\x17\x06\x03\x55\x04\x0B\x13\x10\x77\x77\x77\x2E\x64\x69\x67\x69\x63\x65\x72\x74\x2E\x63\x6F\x6D\x31\x20\x30\x1E\x06\x03\x55\x04\x03\x13\x17\x44\x69\x67\x69\x43\x65\x72\x74\x20\x47\x6C\x6F\x62\x61\x6C\x20\x52\x6F\x6F\x74\x20\x47\x32\x30\x1E\x17\x0D\x31\x33\x30\x38\x30\x31\x31\x32\x30\x30\x30\x30\x5A\x17\x0D\x33\x38\x30\x31\x31\x35\x31\x32\x30\x30\x30\x30\x5A\x30\x61\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x15\x30\x13\x06\x03\x55\x04\x0A\x13\x0C\x44\x69\x67\x69\x43\x65\x72\x74\x20\x49\x6E\x63\x31\x19\x30\x17\x06\x03\x55\x04\x0B\x13\x10\x77\x77\x77\x2E\x64\x69\x67\x69\x63\x65\x72\x74\x2E\x63\x6F\x6D\x31\x20\x30\x1E\x06\x03\x55\x04\x03\x13\x17\x44\x69\x67\x69\x43\x65\x72\x74\x20\x47\x6C\x6F\x62\x61\x6C\x20\x52\x6F\x6F\x74\x20\x47\x32\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xBB\x37\xCD\x34\xDC\x7B\x6B\xC9\xB2\x68\x90\xAD\x4A\x75\xFF\x46\xBA\x21\x0A\x08\x8D\xF5\x19\x54\xC9\xFB\x88\xDB\xF3\xAE\xF2\x3A\x89\x91\x3C\x7A\xE6\xAB\x06\x1A\x6B\xCF\xAC\x2D\xE8\x5E\x09\x24\x44\xBA\x62\x9A\x7E\xD6\xA3\xA8\x7E\xE0\x54\x75\x20\x05\xAC\x50\xB7\x9C\x63\x1A\x6C\x30\xDC\xDA\x1F\x19\xB1\xD7\x1E\xDE\xFD\xD7\xE0\xCB\x94\x83\x37\xAE\xEC\x1F\x43\x4E\xDD\x7B\x2C\xD2\xBD\x2E\xA5\x2F\xE4\xA9\xB8\xAD\x3A\xD4\x99\xA4\xB6\x25\xE9\x9B\x6B\x00\x60\x92\x60\xFF\x4F\x21\x49\x18\xF7\x67\x90\xAB\x61\x06\x9C\x8F\xF2\xBA\xE9\xB4\xE9\x92\x32\x6B\xB5\xF3\x57\xE8\x5D\x1B\xCD\x8C\x1D\xAB\x95\x04\x95\x49\xF3\x35\x2D\x96\xE3\x49\x6D\xDD\x77\xE3\xFB\x49
\x4B\xB4\xAC\x55\x07\xA9\x8F\x95\xB3\xB4\x23\xBB\x4C\x6D\x45\xF0\xF6\xA9\xB2\x95\x30\xB4\xFD\x4C\x55\x8C\x27\x4A\x57\x14\x7C\x82\x9D\xCD\x73\x92\xD3\x16\x4A\x06\x0C\x8C\x50\xD1\x8F\x1E\x09\xBE\x17\xA1\xE6\x21\xCA\xFD\x83\xE5\x10\xBC\x83\xA5\x0A\xC4\x67\x28\xF6\x73\x14\x14\x3D\x46\x76\xC3\x87\x14\x89\x21\x34\x4D\xAF\x0F\x45\x0C\xA6\x49\xA1\xBA\xBB\x9C\xC5\xB1\x33\x83\x29\x85\x02\x03\x01\x00\x01\xA3\x42\x30\x40\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x86\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x4E\x22\x54\x20\x18\x95\xE6\xE3\x6E\xE6\x0F\xFA\xFA\xB9\x12\xED\x06\x17\x8F\x39\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x03\x82\x01\x01\x00\x60\x67\x28\x94\x6F\x0E\x48\x63\xEB\x31\xDD\xEA\x67\x18\xD5\x89\x7D\x3C\xC5\x8B\x4A\x7F\xE9\xBE\xDB\x2B\x17\xDF\xB0\x5F\x73\x77\x2A\x32\x13\x39\x81\x67\x42\x84\x23\xF2\x45\x67\x35\xEC\x88\xBF\xF8\x8F\xB0\x61\x0C\x34\xA4\xAE\x20\x4C\x84\xC6\xDB\xF8\x35\xE1\x76\xD9\xDF\xA6\x42\xBB\xC7\x44\x08\x86\x7F\x36\x74\x24\x5A\xDA\x6C\x0D\x14\x59\x35\xBD\xF2\x49\xDD\xB6\x1F\xC9\xB3\x0D\x47\x2A\x3D\x99\x2F\xBB\x5C\xBB\xB5\xD4\x20\xE1\x99\x5F\x53\x46\x15\xDB\x68\x9B\xF0\xF3\x30\xD5\x3E\x31\xE2\x8D\x84\x9E\xE3\x8A\xDA\xDA\x96\x3E\x35\x13\xA5\x5F\xF0\xF9\x70\x50\x70\x47\x41\x11\x57\x19\x4E\xC0\x8F\xAE\x06\xC4\x95\x13\x17\x2F\x1B\x25\x9F\x75\xF2\xB1\x8E\x99\xA1\x6F\x13\xB1\x41\x71\xFE\x88\x2A\xC8\x4F\x10\x20\x55\xD7\xF3\x14\x45\xE5\xE0\x44\xF4\xEA\x87\x95\x32\x93\x0E\xFE\x53\x46\xFA\x2C\x9D\xFF\x8B\x22\xB9\x4B\xD9\x09\x45\xA4\xDE\xA4\xB8\x9A\x58\xDD\x1B\x7D\x52\x9F\x8E\x59\x43\x88\x81\xA4\x9E\x26\xD5\x6F\xAD\xDD\x0D\xC6\x37\x7D\xED\x03\x92\x1B\xE5\x77\x5F\x76\xEE\x3C\x8D\xC4\x5D\x56\x5B\xA2\xD9\x66\x6E\xB3\x35\x37\xE5\x32\xB6", ["CN=DigiCert Global Root G3,OU=www.digicert.com,O=DigiCert Inc,C=US"] = 
"\x30\x82\x02\x3F\x30\x82\x01\xC5\xA0\x03\x02\x01\x02\x02\x10\x05\x55\x56\xBC\xF2\x5E\xA4\x35\x35\xC3\xA4\x0F\xD5\xAB\x45\x72\x30\x0A\x06\x08\x2A\x86\x48\xCE\x3D\x04\x03\x03\x30\x61\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x15\x30\x13\x06\x03\x55\x04\x0A\x13\x0C\x44\x69\x67\x69\x43\x65\x72\x74\x20\x49\x6E\x63\x31\x19\x30\x17\x06\x03\x55\x04\x0B\x13\x10\x77\x77\x77\x2E\x64\x69\x67\x69\x63\x65\x72\x74\x2E\x63\x6F\x6D\x31\x20\x30\x1E\x06\x03\x55\x04\x03\x13\x17\x44\x69\x67\x69\x43\x65\x72\x74\x20\x47\x6C\x6F\x62\x61\x6C\x20\x52\x6F\x6F\x74\x20\x47\x33\x30\x1E\x17\x0D\x31\x33\x30\x38\x30\x31\x31\x32\x30\x30\x30\x30\x5A\x17\x0D\x33\x38\x30\x31\x31\x35\x31\x32\x30\x30\x30\x30\x5A\x30\x61\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x15\x30\x13\x06\x03\x55\x04\x0A\x13\x0C\x44\x69\x67\x69\x43\x65\x72\x74\x20\x49\x6E\x63\x31\x19\x30\x17\x06\x03\x55\x04\x0B\x13\x10\x77\x77\x77\x2E\x64\x69\x67\x69\x63\x65\x72\x74\x2E\x63\x6F\x6D\x31\x20\x30\x1E\x06\x03\x55\x04\x03\x13\x17\x44\x69\x67\x69\x43\x65\x72\x74\x20\x47\x6C\x6F\x62\x61\x6C\x20\x52\x6F\x6F\x74\x20\x47\x33\x30\x76\x30\x10\x06\x07\x2A\x86\x48\xCE\x3D\x02\x01\x06\x05\x2B\x81\x04\x00\x22\x03\x62\x00\x04\xDD\xA7\xD9\xBB\x8A\xB8\x0B\xFB\x0B\x7F\x21\xD2\xF0\xBE\xBE\x73\xF3\x33\x5D\x1A\xBC\x34\xEA\xDE\xC6\x9B\xBC\xD0\x95\xF6\xF0\xCC\xD0\x0B\xBA\x61\x5B\x51\x46\x7E\x9E\x2D\x9F\xEE\x8E\x63\x0C\x17\xEC\x07\x70\xF5\xCF\x84\x2E\x40\x83\x9C\xE8\x3F\x41\x6D\x3B\xAD\xD3\xA4\x14\x59\x36\x78\x9D\x03\x43\xEE\x10\x13\x6C\x72\xDE\xAE\x88\xA7\xA1\x6B\xB5\x43\xCE\x67\xDC\x23\xFF\x03\x1C\xA3\xE2\x3E\xA3\x42\x30\x40\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x86\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xB3\xDB\x48\xA4\xF9\xA1\xC5\xD8\xAE\x36\x41\xCC\x11\x63\x69\x62\x29\xBC\x4B\xC6\x30\x0A\x06\x08\x2A\x86\x48\xCE\x3D\x04\x03\x03\x03\x68\x00\x30\x65\x02\x31\x00\xAD\xBC\xF2\x6C\x3F\x12\x4A\xD1\x2D\x39\xC3\x0A\x09\x97\x73\xF4\x88\x36\x8
C\x88\x27\xBB\xE6\x88\x8D\x50\x85\xA7\x63\xF9\x9E\x32\xDE\x66\x93\x0F\xF1\xCC\xB1\x09\x8F\xDD\x6C\xAB\xFA\x6B\x7F\xA0\x02\x30\x39\x66\x5B\xC2\x64\x8D\xB8\x9E\x50\xDC\xA8\xD5\x49\xA2\xED\xC7\xDC\xD1\x49\x7F\x17\x01\xB8\xC8\x86\x8F\x4E\x8C\x88\x2B\xA8\x9A\xA9\x8A\xC5\xD1\x00\xBD\xF8\x54\xE2\x9A\xE5\x5B\x7C\xB3\x27\x17", ["CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US"] = "\x30\x82\x05\x90\x30\x82\x03\x78\xA0\x03\x02\x01\x02\x02\x10\x05\x9B\x1B\x57\x9E\x8E\x21\x32\xE2\x39\x07\xBD\xA7\x77\x75\x5C\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0C\x05\x00\x30\x62\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x15\x30\x13\x06\x03\x55\x04\x0A\x13\x0C\x44\x69\x67\x69\x43\x65\x72\x74\x20\x49\x6E\x63\x31\x19\x30\x17\x06\x03\x55\x04\x0B\x13\x10\x77\x77\x77\x2E\x64\x69\x67\x69\x63\x65\x72\x74\x2E\x63\x6F\x6D\x31\x21\x30\x1F\x06\x03\x55\x04\x03\x13\x18\x44\x69\x67\x69\x43\x65\x72\x74\x20\x54\x72\x75\x73\x74\x65\x64\x20\x52\x6F\x6F\x74\x20\x47\x34\x30\x1E\x17\x0D\x31\x33\x30\x38\x30\x31\x31\x32\x30\x30\x30\x30\x5A\x17\x0D\x33\x38\x30\x31\x31\x35\x31\x32\x30\x30\x30\x30\x5A\x30\x62\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x15\x30\x13\x06\x03\x55\x04\x0A\x13\x0C\x44\x69\x67\x69\x43\x65\x72\x74\x20\x49\x6E\x63\x31\x19\x30\x17\x06\x03\x55\x04\x0B\x13\x10\x77\x77\x77\x2E\x64\x69\x67\x69\x63\x65\x72\x74\x2E\x63\x6F\x6D\x31\x21\x30\x1F\x06\x03\x55\x04\x03\x13\x18\x44\x69\x67\x69\x43\x65\x72\x74\x20\x54\x72\x75\x73\x74\x65\x64\x20\x52\x6F\x6F\x74\x20\x47\x34\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\xBF\xE6\x90\x73\x68\xDE\xBB\xE4\x5D\x4A\x3C\x30\x22\x30\x69\x33\xEC\xC2\xA7\x25\x2E\xC9\x21\x3D\xF2\x8A\xD8\x59\xC2\xE1\x29\xA7\x3D\x58\xAB\x76\x9A\xCD\xAE\x7B\x1B\x84\x0D\xC4\x30\x1F\xF3\x1B\xA4\x38\x16\xEB\x56\xC6\x97\x6D\x1D\xAB\xB2\x79\xF2\xCA\x11\xD2\xE4\x5F\xD6\x05\x3C\x52\x0F\x52\x1F\xC6\x9E\x15\xA5\x7E\xBE\x9F\xA9\x57\x16\x59\x55\x72\xAF\x68\x93\x70\
xC2\xB2\xBA\x75\x99\x6A\x73\x32\x94\xD1\x10\x44\x10\x2E\xDF\x82\xF3\x07\x84\xE6\x74\x3B\x6D\x71\xE2\x2D\x0C\x1B\xEE\x20\xD5\xC9\x20\x1D\x63\x29\x2D\xCE\xEC\x5E\x4E\xC8\x93\xF8\x21\x61\x9B\x34\xEB\x05\xC6\x5E\xEC\x5B\x1A\xBC\xEB\xC9\xCF\xCD\xAC\x34\x40\x5F\xB1\x7A\x66\xEE\x77\xC8\x48\xA8\x66\x57\x57\x9F\x54\x58\x8E\x0C\x2B\xB7\x4F\xA7\x30\xD9\x56\xEE\xCA\x7B\x5D\xE3\xAD\xC9\x4F\x5E\xE5\x35\xE7\x31\xCB\xDA\x93\x5E\xDC\x8E\x8F\x80\xDA\xB6\x91\x98\x40\x90\x79\xC3\x78\xC7\xB6\xB1\xC4\xB5\x6A\x18\x38\x03\x10\x8D\xD8\xD4\x37\xA4\x2E\x05\x7D\x88\xF5\x82\x3E\x10\x91\x70\xAB\x55\x82\x41\x32\xD7\xDB\x04\x73\x2A\x6E\x91\x01\x7C\x21\x4C\xD4\xBC\xAE\x1B\x03\x75\x5D\x78\x66\xD9\x3A\x31\x44\x9A\x33\x40\xBF\x08\xD7\x5A\x49\xA4\xC2\xE6\xA9\xA0\x67\xDD\xA4\x27\xBC\xA1\x4F\x39\xB5\x11\x58\x17\xF7\x24\x5C\x46\x8F\x64\xF7\xC1\x69\x88\x76\x98\x76\x3D\x59\x5D\x42\x76\x87\x89\x97\x69\x7A\x48\xF0\xE0\xA2\x12\x1B\x66\x9A\x74\xCA\xDE\x4B\x1E\xE7\x0E\x63\xAE\xE6\xD4\xEF\x92\x92\x3A\x9E\x3D\xDC\x00\xE4\x45\x25\x89\xB6\x9A\x44\x19\x2B\x7E\xC0\x94\xB4\xD2\x61\x6D\xEB\x33\xD9\xC5\xDF\x4B\x04\x00\xCC\x7D\x1C\x95\xC3\x8F\xF7\x21\xB2\xB2\x11\xB7\xBB\x7F\xF2\xD5\x8C\x70\x2C\x41\x60\xAA\xB1\x63\x18\x44\x95\x1A\x76\x62\x7E\xF6\x80\xB0\xFB\xE8\x64\xA6\x33\xD1\x89\x07\xE1\xBD\xB7\xE6\x43\xA4\x18\xB8\xA6\x77\x01\xE1\x0F\x94\x0C\x21\x1D\xB2\x54\x29\x25\x89\x6C\xE5\x0E\x52\x51\x47\x74\xBE\x26\xAC\xB6\x41\x75\xDE\x7A\xAC\x5F\x8D\x3F\xC9\xBC\xD3\x41\x11\x12\x5B\xE5\x10\x50\xEB\x31\xC5\xCA\x72\x16\x22\x09\xDF\x7C\x4C\x75\x3F\x63\xEC\x21\x5F\xC4\x20\x51\x6B\x6F\xB1\xAB\x86\x8B\x4F\xC2\xD6\x45\x5F\x9D\x20\xFC\xA1\x1E\xC5\xC0\x8F\xA2\xB1\x7E\x0A\x26\x99\xF5\xE4\x69\x2F\x98\x1D\x2D\xF5\xD9\xA9\xB2\x1D\xE5\x1B\x02\x03\x01\x00\x01\xA3\x42\x30\x40\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x86\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xEC\xD7\xE3\x82\xD2\x71\x5D\x64\x4C\xDF\x2E\x67\x3F\xE7\xBA\x98\xAE\x1C\x0F\x4F\x30\x0D\x06\x09\x2A\
x86\x48\x86\xF7\x0D\x01\x01\x0C\x05\x00\x03\x82\x02\x01\x00\xBB\x61\xD9\x7D\xA9\x6C\xBE\x17\xC4\x91\x1B\xC3\xA1\xA2\x00\x8D\xE3\x64\x68\x0F\x56\xCF\x77\xAE\x70\xF9\xFD\x9A\x4A\x99\xB9\xC9\x78\x5C\x0C\x0C\x5F\xE4\xE6\x14\x29\x56\x0B\x36\x49\x5D\x44\x63\xE0\xAD\x9C\x96\x18\x66\x1B\x23\x0D\x3D\x79\xE9\x6D\x6B\xD6\x54\xF8\xD2\x3C\xC1\x43\x40\xAE\x1D\x50\xF5\x52\xFC\x90\x3B\xBB\x98\x99\x69\x6B\xC7\xC1\xA7\xA8\x68\xA4\x27\xDC\x9D\xF9\x27\xAE\x30\x85\xB9\xF6\x67\x4D\x3A\x3E\x8F\x59\x39\x22\x53\x44\xEB\xC8\x5D\x03\xCA\xED\x50\x7A\x7D\x62\x21\x0A\x80\xC8\x73\x66\xD1\xA0\x05\x60\x5F\xE8\xA5\xB4\xA7\xAF\xA8\xF7\x6D\x35\x9C\x7C\x5A\x8A\xD6\xA2\x38\x99\xF3\x78\x8B\xF4\x4D\xD2\x20\x0B\xDE\x04\xEE\x8C\x9B\x47\x81\x72\x0D\xC0\x14\x32\xEF\x30\x59\x2E\xAE\xE0\x71\xF2\x56\xE4\x6A\x97\x6F\x92\x50\x6D\x96\x8D\x68\x7A\x9A\xB2\x36\x14\x7A\x06\xF2\x24\xB9\x09\x11\x50\xD7\x08\xB1\xB8\x89\x7A\x84\x23\x61\x42\x29\xE5\xA3\xCD\xA2\x20\x41\xD7\xD1\x9C\x64\xD9\xEA\x26\xA1\x8B\x14\xD7\x4C\x19\xB2\x50\x41\x71\x3D\x3F\x4D\x70\x23\x86\x0C\x4A\xDC\x81\xD2\xCC\x32\x94\x84\x0D\x08\x09\x97\x1C\x4F\xC0\xEE\x6B\x20\x74\x30\xD2\xE0\x39\x34\x10\x85\x21\x15\x01\x08\xE8\x55\x32\xDE\x71\x49\xD9\x28\x17\x50\x4D\xE6\xBE\x4D\xD1\x75\xAC\xD0\xCA\xFB\x41\xB8\x43\xA5\xAA\xD3\xC3\x05\x44\x4F\x2C\x36\x9B\xE2\xFA\xE2\x45\xB8\x23\x53\x6C\x06\x6F\x67\x55\x7F\x46\xB5\x4C\x3F\x6E\x28\x5A\x79\x26\xD2\xA4\xA8\x62\x97\xD2\x1E\xE2\xED\x4A\x8B\xBC\x1B\xFD\x47\x4A\x0D\xDF\x67\x66\x7E\xB2\x5B\x41\xD0\x3B\xE4\xF4\x3B\xF4\x04\x63\xE9\xEF\xC2\x54\x00\x51\xA0\x8A\x2A\xC9\xCE\x78\xCC\xD5\xEA\x87\x04\x18\xB3\xCE\xAF\x49\x88\xAF\xF3\x92\x99\xB6\xB3\xE6\x61\x0F\xD2\x85\x00\xE7\x50\x1A\xE4\x1B\x95\x9D\x19\xA1\xB9\x9C\xB1\x9B\xB1\x00\x1E\xEF\xD0\x0F\x4F\x42\x6C\xC9\x0A\xBC\xEE\x43\xFA\x3A\x71\xA5\xC8\x4D\x26\xA5\x35\xFD\x89\x5D\xBC\x85\x62\x1D\x32\xD2\xA0\x2B\x54\xED\x9A\x57\xC1\xDB\xFA\x10\xCF\x19\xB7\x8B\x4A\x1B\x8F\x01\xB6\x27\x95\x53\xE8\xB6\x89\x6D\x5B\xBC\x68\xD4\x23\xE8\x8B\x51\xA2\x56\xF9\xF0\xA6\x80\xA0\xD6\x1E\xB3\xBC\x0F\x0F\x53\
x75\x29\xAA\xEA\x13\x77\xE4\xDE\x8C\x81\x21\xAD\x07\x10\x47\x11\xAD\x87\x3D\x07\xD1\x75\xBC\xCF\xF3\x66\x7E", - ["CN=Certification Authority of WoSign,O=WoSign CA Limited,C=CN"] = "\x30\x82\x05\x76\x30\x82\x03\x5E\xA0\x03\x02\x01\x02\x02\x10\x5E\x68\xD6\x11\x71\x94\x63\x50\x56\x00\x68\xF3\x3E\xC9\xC5\x91\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x55\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x43\x4E\x31\x1A\x30\x18\x06\x03\x55\x04\x0A\x13\x11\x57\x6F\x53\x69\x67\x6E\x20\x43\x41\x20\x4C\x69\x6D\x69\x74\x65\x64\x31\x2A\x30\x28\x06\x03\x55\x04\x03\x13\x21\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x20\x6F\x66\x20\x57\x6F\x53\x69\x67\x6E\x30\x1E\x17\x0D\x30\x39\x30\x38\x30\x38\x30\x31\x30\x30\x30\x31\x5A\x17\x0D\x33\x39\x30\x38\x30\x38\x30\x31\x30\x30\x30\x31\x5A\x30\x55\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x43\x4E\x31\x1A\x30\x18\x06\x03\x55\x04\x0A\x13\x11\x57\x6F\x53\x69\x67\x6E\x20\x43\x41\x20\x4C\x69\x6D\x69\x74\x65\x64\x31\x2A\x30\x28\x06\x03\x55\x04\x03\x13\x21\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x20\x6F\x66\x20\x57\x6F\x53\x69\x67\x6E\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\xBD\xCA\x8D\xAC\xB8\x91\x15\x56\x97\x7B\x6B\x5C\x7A\xC2\xDE\x6B\xD9\xA1\xB0\xC3\x10\x23\xFA\xA7\xA1\xB2\xCC\x31\xFA\x3E\xD9\xA6\x29\x6F\x16\x3D\xE0\x6B\xF8\xB8\x40\x5F\xDB\x39\xA8\x00\x7A\x8B\xA0\x4D\x54\x7D\xC2\x22\x78\xFC\x8E\x09\xB8\xA8\x85\xD7\xCC\x95\x97\x4B\x74\xD8\x9E\x7E\xF0\x00\xE4\x0E\x89\xAE\x49\x28\x44\x1A\x10\x99\x32\x0F\x25\x88\x53\xA4\x0D\xB3\x0F\x12\x08\x16\x0B\x03\x71\x27\x1C\x7F\xE1\xDB\xD2\xFD\x67\x68\xC4\x05\x5D\x0A\x0E\x5D\x70\xD7\xD8\x97\xA0\xBC\x53\x41\x9A\x91\x8D\xF4\x9E\x36\x66\x7A\x7E\x56\xC1\x90\x5F\xE6\xB1\x68\x20\x36\xA4\x8C\x24\x2C\x2C\x47\x0B\x59\x76\x66\x30\xB5\xBE\xDE\xED\x8F\xF8\x9D\xD3\xBB\x01\x30\xE6\xF2\xF3\x0E\xE0\x2C\x92\x80\xF3\x8
5\xF9\x28\x8A\xB4\x54\x2E\x9A\xED\xF7\x76\xFC\x15\x68\x16\xEB\x4A\x6C\xEB\x2E\x12\x8F\xD4\xCF\xFE\x0C\xC7\x5C\x1D\x0B\x7E\x05\x32\xBE\x5E\xB0\x09\x2A\x42\xD5\xC9\x4E\x90\xB3\x59\x0D\xBB\x7A\x7E\xCD\xD5\x08\x5A\xB4\x7F\xD8\x1C\x69\x11\xF9\x27\x0F\x7B\x06\xAF\x54\x83\x18\x7B\xE1\xDD\x54\x7A\x51\x68\x6E\x77\xFC\xC6\xBF\x52\x4A\x66\x46\xA1\xB2\x67\x1A\xBB\xA3\x4F\x77\xA0\xBE\x5D\xFF\xFC\x56\x0B\x43\x72\x77\x90\xCA\x9E\xF9\xF2\x39\xF5\x0D\xA9\xF4\xEA\xD7\xE7\xB3\x10\x2F\x30\x42\x37\x21\xCC\x30\x70\xC9\x86\x98\x0F\xCC\x58\x4D\x83\xBB\x7D\xE5\x1A\xA5\x37\x8D\xB6\xAC\x32\x97\x00\x3A\x63\x71\x24\x1E\x9E\x37\xC4\xFF\x74\xD4\x37\xC0\xE2\xFE\x88\x46\x60\x11\xDD\x08\x3F\x50\x36\xAB\xB8\x7A\xA4\x95\x62\x6A\x6E\xB0\xCA\x6A\x21\x5A\x69\xF3\xF3\xFB\x1D\x70\x39\x95\xF3\xA7\x6E\xA6\x81\x89\xA1\x88\xC5\x3B\x71\xCA\xA3\x52\xEE\x83\xBB\xFD\xA0\x77\xF4\xE4\x6F\xE7\x42\xDB\x6D\x4A\x99\x8A\x34\x48\xBC\x17\xDC\xE4\x80\x08\x22\xB6\xF2\x31\xC0\x3F\x04\x3E\xEB\x9F\x20\x79\xD6\xB8\x06\x64\x64\x02\x31\xD7\xA9\xCD\x52\xFB\x84\x45\x69\x09\x00\x2A\xDC\x55\x8B\xC4\x06\x46\x4B\xC0\x4A\x1D\x09\x5B\x39\x28\xFD\xA9\xAB\xCE\x00\xF9\x2E\x48\x4B\x26\xE6\x30\x4C\xA5\x58\xCA\xB4\x44\x82\x4F\xE7\x91\x1E\x33\xC3\xB0\x93\xFF\x11\xFC\x81\xD2\xCA\x1F\x71\x29\xDD\x76\x4F\x92\x25\xAF\x1D\x81\xB7\x0F\x2F\x8C\xC3\x06\xCC\x2F\x27\xA3\x4A\xE4\x0E\x99\xBA\x7C\x1E\x45\x1F\x7F\xAA\x19\x45\x96\xFD\xFC\x3D\x02\x03\x01\x00\x01\xA3\x42\x30\x40\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xE1\x66\xCF\x0E\xD1\xF1\xB3\x4B\xB7\x06\x20\x14\xFE\x87\x12\xD5\xF6\xFE\xFB\x3E\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x02\x01\x00\xA8\xCB\x72\x40\xB2\x76\xC1\x7E\x7B\xFC\xAD\x64\xE3\x32\x7B\xCC\x3C\xB6\x5D\x46\xD3\xF5\x2C\xE2\x70\x5D\xC8\x2E\xD8\x06\x7D\x98\xD1\x0B\x21\xA0\x89\x59\x24\x01\x9D\xF9\xAF\x09\x7D\x0A\x23\x82\x34\xD5\xFC\x7C\x72\x99\xB9\xA3\xD7\x54\xF4\xEA\x52\x70\x0E\xC5\xF
5\xD6\x3B\xE1\x3A\x09\x32\xE6\x21\x39\x93\xBD\xB3\x15\xEA\x4F\x6A\xF4\xF5\x8B\x3F\x2F\x7C\x8D\x58\x2E\xC5\xE1\x39\xA0\x3E\xC7\x3D\x4A\x73\x9E\x40\x7A\xC0\x2B\x61\xA9\x67\xC9\xF3\x24\xB9\xB3\x6D\x55\x2C\x5A\x1D\x9E\x25\x72\xCE\x0B\xAD\xAA\xC7\x55\x62\x0B\xBE\xFB\x63\xB3\x61\x44\x23\xA3\xCB\xE1\x1A\x0E\xF7\x9A\x06\x4D\xDE\xD4\x23\x4E\x21\x96\x5B\x39\x5B\x57\x1D\x2F\x5D\x08\x5E\x09\x79\xFF\x7C\x97\xB5\x4D\x83\xAE\x0D\xD6\xE6\xA3\x79\xE0\x33\xD0\x99\x96\x02\x30\xA7\x3E\xFF\xD2\xA3\x43\x3F\x05\x5A\x06\xEA\x44\x02\xDA\x7C\xF8\x48\xD0\x33\xA9\xF9\x07\xC7\x95\xE1\xF5\x3E\xF5\x5D\x71\xBA\xF2\x95\xA9\x74\x88\x61\x59\xE3\xBF\xCA\x5A\x13\xBA\x72\xB4\x8C\x5D\x36\x87\xE9\xA6\xC5\x3C\x13\xBF\xDE\xD0\x44\x26\xEE\xB7\xEC\x2E\x70\xFA\xD7\x9D\xB7\xAC\xE5\xC5\x40\x5A\xE6\xD7\x6C\x7B\x2C\xC3\x56\x9B\x47\xCD\x0B\xCE\xFA\x1B\xB4\x21\xD7\xB7\x66\xB8\xF4\x25\x30\x8B\x5C\x0D\xB9\xEA\x67\xB2\xF4\x6D\xAE\xD5\xA1\x9E\x4F\xD8\x9F\xE9\x27\x02\xB0\x1D\x06\xD6\x8F\xE3\xFB\x48\x12\x9F\x7F\x11\xA1\x10\x3E\x4C\x51\x3A\x96\xB0\xD1\x13\xF1\xC7\xD8\x26\xAE\x3A\xCA\x91\xC4\x69\x9D\xDF\x01\x29\x64\x51\x6F\x68\xDA\x14\xEC\x08\x41\x97\x90\x8D\xD0\xB2\x80\xF2\xCF\xC2\x3D\xBF\x91\x68\xC5\x80\x67\x1E\xC4\x60\x13\x55\xD5\x61\x99\x57\x7C\xBA\x95\x0F\x61\x49\x3A\xCA\x75\xBC\xC9\x0A\x93\x3F\x67\x0E\x12\xF2\x28\xE2\x31\x1B\xC0\x57\x16\xDF\x08\x7C\x19\xC1\x7E\x0F\x1F\x85\x1E\x0A\x36\x7C\x5B\x7E\x27\xBC\x7A\xBF\xE0\xDB\xF4\xDA\x52\xBD\xDE\x0C\x54\x70\x31\x91\x43\x95\xC8\xBC\xF0\x3E\xDD\x09\x7E\x30\x64\x50\xED\x7F\x01\xA4\x33\x67\x4D\x68\x4F\xBE\x15\xEF\xB0\xF6\x02\x11\xA2\x1B\x13\x25\x3A\xDC\xC2\x59\xF1\xE3\x5C\x46\xBB\x67\x2C\x02\x46\xEA\x1E\x48\xA6\xE6\x5B\xD9\xB5\xBC\x51\xA2\x92\x96\xDB\xAA\xC6\x37\x22\xA6\xFE\xCC\x20\x74\xA3\x2D\xA9\x2E\x6B\xCB\xC0\x82\x11\x21\xB5\x93\x79\xEE\x44\x86\xBE\xD7\x1E\xE4\x1E\xFB", - ["CN=CA \E6\B2\83\E9\80\9A\E6\A0\B9\E8\AF\81\E4\B9\A6,O=WoSign CA Limited,C=CN"] = 
"\x30\x82\x05\x58\x30\x82\x03\x40\xA0\x03\x02\x01\x02\x02\x10\x50\x70\x6B\xCD\xD8\x13\xFC\x1B\x4E\x3B\x33\x72\xD2\x11\x48\x8D\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x30\x46\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x43\x4E\x31\x1A\x30\x18\x06\x03\x55\x04\x0A\x13\x11\x57\x6F\x53\x69\x67\x6E\x20\x43\x41\x20\x4C\x69\x6D\x69\x74\x65\x64\x31\x1B\x30\x19\x06\x03\x55\x04\x03\x0C\x12\x43\x41\x20\xE6\xB2\x83\xE9\x80\x9A\xE6\xA0\xB9\xE8\xAF\x81\xE4\xB9\xA6\x30\x1E\x17\x0D\x30\x39\x30\x38\x30\x38\x30\x31\x30\x30\x30\x31\x5A\x17\x0D\x33\x39\x30\x38\x30\x38\x30\x31\x30\x30\x30\x31\x5A\x30\x46\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x43\x4E\x31\x1A\x30\x18\x06\x03\x55\x04\x0A\x13\x11\x57\x6F\x53\x69\x67\x6E\x20\x43\x41\x20\x4C\x69\x6D\x69\x74\x65\x64\x31\x1B\x30\x19\x06\x03\x55\x04\x03\x0C\x12\x43\x41\x20\xE6\xB2\x83\xE9\x80\x9A\xE6\xA0\xB9\xE8\xAF\x81\xE4\xB9\xA6\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\xD0\x49\x21\x1E\x25\xFC\x87\xC1\x2A\xC2\xAC\xDB\x76\x86\x06\x4E\xE7\xD0\x74\x34\xDC\xED\x65\x35\xFC\x50\xD6\x88\x3F\xA4\xF0\x7F\xEB\x0F\x5F\x79\x2F\x89\xB1\xFD\xBC\x63\x58\x37\x93\x9B\x38\xF8\xB7\x5B\xA9\xFA\xD8\x71\xC7\xB4\xBC\x80\x97\x8D\x6C\x4B\xF1\x50\xD5\x2A\x29\xAA\xA8\x19\x7A\x96\xE6\x95\x8E\x74\xED\x97\x0A\x57\x75\xF4\x05\xDB\x6D\x0B\x39\xB9\x01\x7F\xAA\xF6\xD6\xDA\x6C\xE6\x05\xE0\xA4\x4D\x52\xFC\xDB\xD0\x74\xB7\x11\x8C\x7B\x8D\x4F\xFF\x87\x83\xAE\xFF\x05\x03\x13\x57\x50\x37\xFE\x8C\x96\x52\x10\x4C\x5F\xBF\x94\x71\x69\xD9\x96\x3E\x0C\x43\x4F\xBE\x30\xC0\x9F\x39\x74\x4F\x06\x45\x5D\xA3\xD6\x56\x39\x68\x07\xCC\x87\x4F\x50\x77\x93\x71\xD9\x44\x08\xB1\x8A\x34\xE9\x89\xAC\xDB\x9B\x4E\xE1\xD9\xE4\x52\x45\x8C\x2E\x14\x1F\x91\x6B\x19\x1D\x68\x29\x2C\x56\xC4\xE2\x1E\x13\x57\x64\xF0\x61\xE3\xB9\x11\xDF\xB0\xE1\x57\xA0\x1B\xAD\xD7\x5F\xD1\xAF\xDB\x2B\x2D\x3F\xD0\x68\x8E\x0F\xEA\x9F\x0F\x8B\x35\x58\x1B\x13\x1C\xF4\xDE\x35\xA1\x0A\x5D\xD6\xEA\xDF\x12\x6F\xC0\xFB\x69\x0
7\x46\x72\xDC\x81\xF6\x04\x23\x17\xE0\x4D\x75\xE1\x72\x6F\xB0\x28\xEB\x9B\xE1\xE1\x83\xA1\x9F\x4A\x5D\xAF\xCC\x9B\xFA\x02\x20\xB6\x18\x62\x77\x91\x3B\xA3\xD5\x65\xAD\xDC\x7C\x90\x77\x1C\x44\x41\xA4\x4A\x8B\xEB\x95\x72\xE9\xF6\x09\x64\xDC\xA8\x2D\x9F\x74\x78\xE8\xC1\xA2\x09\x63\x9C\xEF\xA0\xDB\x4F\x9D\x95\xAB\x20\x4F\xB7\xB0\xF7\x87\x5C\xA6\xA0\xE4\x37\x38\xC7\x5C\xE3\x35\x0F\x2C\xAD\xA3\x80\xA2\xEC\x2E\x5D\xC0\xCF\xED\x8B\x05\xC2\xE6\x73\x6E\xF6\x89\xD5\xF5\xD2\x46\x8E\xEA\x6D\x63\x1B\x1E\x8A\xC9\x7D\xA6\xF8\x9C\xEB\xE5\xD5\x63\x85\x4D\x73\x66\x69\x11\xFE\xC8\x0E\xF4\xC1\xC7\x66\x49\x53\x7E\xE4\x19\x6B\xF1\xE9\x7A\x59\xA3\x6D\x7E\xC5\x17\xE6\x27\xC6\xEF\x1B\xDB\x6F\xFC\x0D\x4D\x06\x01\xB4\x0E\x5C\x30\x46\x55\x60\xAF\x38\x65\x3A\xCA\x47\xBA\xAC\x2C\xCC\x46\x1F\xB2\x46\x96\x3F\xF3\xED\x26\x05\xEE\x77\xA1\x6A\x6B\x7E\x2D\x6D\x58\x5C\x4A\xD4\x8E\x67\xB8\xF1\xDA\xD5\x46\x8A\x27\xF9\x11\xF2\xC9\x42\xFE\x4E\xDE\xDF\x1F\x5C\xC4\xA4\x86\x87\x16\x33\xA1\xA7\x17\x18\xA5\x0D\xE4\x05\xE5\x2B\xC2\x2B\x0B\xA2\x95\x90\xB9\xFD\x60\x3C\x4E\x89\x3E\xE7\x9C\xEE\x1F\xBB\x01\x02\x03\x01\x00\x01\xA3\x42\x30\x40\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xE0\x4D\xBF\xDC\x9B\x41\x5D\x13\xE8\x64\xF0\xA7\xE9\x15\xA4\xE1\x81\xC1\xBA\x31\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x03\x82\x02\x01\x00\x6A\x8A\x70\x38\x59\xB6\xDA\x8B\x18\xC8\xBE\x2A\xD3\xB6\x19\xD5\x66\x29\x7A\x5D\xCD\x5B\x2F\x73\x1C\x26\x4E\xA3\x7D\x6F\xAB\xB7\x29\x4D\xA6\xE9\xA5\x11\x83\xA7\x39\x73\xAF\x10\x44\x92\xE6\x25\x5D\x4F\x61\xFA\xC8\x06\xBE\x4E\x4B\xEF\xFE\xF3\x31\xFE\xC6\x7C\x70\x0A\x41\x58\xDA\xE8\x99\x4B\x96\xC9\x78\xBC\x98\x7C\x02\x29\xED\x09\x80\xE6\x0A\x3A\x82\x02\x2A\xE2\xC9\x2F\xC8\x56\x19\x26\xEE\x78\x1C\x23\xFD\xF7\x93\x65\x4E\xE7\xF3\x98\x98\xAF\xCD\xDD\xD9\x9E\x40\x88\x31\x28\x3A\xAB\x2E\x0B\xB0\xAC\x0C\x24\xFA\x7A\x26\x98\xF3\x12\x61\x10\xF4\x5D\x17\xF7\x7E\xE
2\x78\x97\x54\xE2\x8C\xE8\x29\xBA\x8C\x10\x32\xBD\xDD\x33\x6B\x38\x86\x7E\x39\x3D\x0E\x03\x72\xA7\x5D\x79\x8F\x45\x8A\x59\xAE\x5B\x21\x6E\x31\x46\xD5\x59\x8D\xCF\x15\x5F\xDD\x31\x25\xCF\xDB\x60\xD6\x81\x44\x72\x29\x02\x57\xF6\x96\xD4\xD6\xFF\xEA\x29\xDB\x39\xC5\xB8\x2C\x8A\x1A\x8D\xCE\xCB\xE7\x42\x31\x86\x05\x68\x0E\x9E\x14\xDD\x00\x90\xBA\x69\x45\x08\xDB\x6E\x90\x81\x86\xA7\x2A\x05\x3F\xE6\x84\x39\xF8\xB7\xF9\x57\x5F\x4C\xA4\x79\x5A\x10\x0C\x5E\xD5\x6B\xFF\x35\x5F\x05\x51\x1E\x6C\xA3\x75\xA9\xCF\x50\x83\xD3\x7C\xF4\x66\xF7\x82\x8D\x3D\x0C\x7D\xE8\xDF\x7B\xA8\x0E\x1B\x2C\x9C\xAE\x40\x70\x87\xDA\xED\xA7\x16\x82\x5A\xBE\x35\x6C\x20\x4E\x22\x61\xD9\xBC\x51\x7A\xCD\x7A\x61\xDC\x4B\x11\xF9\xFE\x67\x34\xCF\x2E\x04\x66\x61\x5C\x57\x97\x23\x8C\xF3\x86\x1B\x48\xDF\x2A\xAF\xA7\xC1\xFF\xD8\x8E\x3E\x03\xBB\xD8\x2A\xB0\xFA\x14\x25\xB2\x51\x6B\x86\x43\x85\x2E\x07\x23\x16\x80\x8D\x4C\xFB\xB4\x63\x3B\xCC\xC3\x74\xED\x1B\xA3\x1E\xFE\x35\x0F\x5F\x7C\x1D\x16\x86\xF5\x0E\xC3\x95\xF1\x2F\xAF\x5D\x25\x3B\x51\xE6\xD7\x76\x41\x38\xD1\x4B\x03\x39\x28\xA5\x1E\x91\x72\xD4\x7D\xAB\x97\x33\xC4\xD3\x3E\xE0\x69\xB6\x28\x79\xA0\x09\x8D\x1C\xD1\xFF\x41\x72\x48\x06\xFC\x9A\x2E\xE7\x20\xF9\x9B\xA2\xDE\x89\xED\xAE\x3C\x09\xAF\xCA\x57\xB3\x92\x89\x70\x40\xE4\x2F\x4F\xC2\x70\x83\x40\xD7\x24\x2C\x6B\xE7\x09\x1F\xD3\xD5\xC7\xC1\x08\xF4\xDB\x0E\x3B\x1C\x07\x0B\x43\x11\x84\x21\x86\xE9\x80\xD4\x75\xD8\xAB\xF1\x02\x62\xC1\xB1\x7E\x55\x61\xCF\x13\xD7\x26\xB0\xD7\x9C\xCB\x29\x8B\x38\x4A\x0B\x0E\x90\x8D\xBA\xA1", ["CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB"] = 
"\x30\x82\x05\xD8\x30\x82\x03\xC0\xA0\x03\x02\x01\x02\x02\x10\x4C\xAA\xF9\xCA\xDB\x63\x6F\xE0\x1F\xF7\x4E\xD8\x5B\x03\x86\x9D\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0C\x05\x00\x30\x81\x85\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x47\x42\x31\x1B\x30\x19\x06\x03\x55\x04\x08\x13\x12\x47\x72\x65\x61\x74\x65\x72\x20\x4D\x61\x6E\x63\x68\x65\x73\x74\x65\x72\x31\x10\x30\x0E\x06\x03\x55\x04\x07\x13\x07\x53\x61\x6C\x66\x6F\x72\x64\x31\x1A\x30\x18\x06\x03\x55\x04\x0A\x13\x11\x43\x4F\x4D\x4F\x44\x4F\x20\x43\x41\x20\x4C\x69\x6D\x69\x74\x65\x64\x31\x2B\x30\x29\x06\x03\x55\x04\x03\x13\x22\x43\x4F\x4D\x4F\x44\x4F\x20\x52\x53\x41\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x1E\x17\x0D\x31\x30\x30\x31\x31\x39\x30\x30\x30\x30\x30\x30\x5A\x17\x0D\x33\x38\x30\x31\x31\x38\x32\x33\x35\x39\x35\x39\x5A\x30\x81\x85\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x47\x42\x31\x1B\x30\x19\x06\x03\x55\x04\x08\x13\x12\x47\x72\x65\x61\x74\x65\x72\x20\x4D\x61\x6E\x63\x68\x65\x73\x74\x65\x72\x31\x10\x30\x0E\x06\x03\x55\x04\x07\x13\x07\x53\x61\x6C\x66\x6F\x72\x64\x31\x1A\x30\x18\x06\x03\x55\x04\x0A\x13\x11\x43\x4F\x4D\x4F\x44\x4F\x20\x43\x41\x20\x4C\x69\x6D\x69\x74\x65\x64\x31\x2B\x30\x29\x06\x03\x55\x04\x03\x13\x22\x43\x4F\x4D\x4F\x44\x4F\x20\x52\x53\x41\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\x91\xE8\x54\x92\xD2\x0A\x56\xB1\xAC\x0D\x24\xDD\xC5\xCF\x44\x67\x74\x99\x2B\x37\xA3\x7D\x23\x70\x00\x71\xBC\x53\xDF\xC4\xFA\x2A\x12\x8F\x4B\x7F\x10\x56\xBD\x9F\x70\x72\xB7\x61\x7F\xC9\x4B\x0F\x17\xA7\x3D\xE3\xB0\x04\x61\xEE\xFF\x11\x97\xC7\xF4\x86\x3E\x0A\xFA\x3E\x5C\xF9\x93\xE6\x34\x7A\xD9\x14\x6B\xE7\x9C\xB3\x85\xA0\x82\x7A\x76\xAF\x71\x90\xD7\xEC\xFD\x0D\xFA\x9C\x6C\xFA\xDF\xB0\x82\xF4\x14\x7E\xF9\xBE\xC4\xA6\x2F\x4F\x7F\x99\x7F\xB5\xFC\x67\x43\x72\xBD\x0C\x0
0\xD6\x89\xEB\x6B\x2C\xD3\xED\x8F\x98\x1C\x14\xAB\x7E\xE5\xE3\x6E\xFC\xD8\xA8\xE4\x92\x24\xDA\x43\x6B\x62\xB8\x55\xFD\xEA\xC1\xBC\x6C\xB6\x8B\xF3\x0E\x8D\x9A\xE4\x9B\x6C\x69\x99\xF8\x78\x48\x30\x45\xD5\xAD\xE1\x0D\x3C\x45\x60\xFC\x32\x96\x51\x27\xBC\x67\xC3\xCA\x2E\xB6\x6B\xEA\x46\xC7\xC7\x20\xA0\xB1\x1F\x65\xDE\x48\x08\xBA\xA4\x4E\xA9\xF2\x83\x46\x37\x84\xEB\xE8\xCC\x81\x48\x43\x67\x4E\x72\x2A\x9B\x5C\xBD\x4C\x1B\x28\x8A\x5C\x22\x7B\xB4\xAB\x98\xD9\xEE\xE0\x51\x83\xC3\x09\x46\x4E\x6D\x3E\x99\xFA\x95\x17\xDA\x7C\x33\x57\x41\x3C\x8D\x51\xED\x0B\xB6\x5C\xAF\x2C\x63\x1A\xDF\x57\xC8\x3F\xBC\xE9\x5D\xC4\x9B\xAF\x45\x99\xE2\xA3\x5A\x24\xB4\xBA\xA9\x56\x3D\xCF\x6F\xAA\xFF\x49\x58\xBE\xF0\xA8\xFF\xF4\xB8\xAD\xE9\x37\xFB\xBA\xB8\xF4\x0B\x3A\xF9\xE8\x43\x42\x1E\x89\xD8\x84\xCB\x13\xF1\xD9\xBB\xE1\x89\x60\xB8\x8C\x28\x56\xAC\x14\x1D\x9C\x0A\xE7\x71\xEB\xCF\x0E\xDD\x3D\xA9\x96\xA1\x48\xBD\x3C\xF7\xAF\xB5\x0D\x22\x4C\xC0\x11\x81\xEC\x56\x3B\xF6\xD3\xA2\xE2\x5B\xB7\xB2\x04\x22\x52\x95\x80\x93\x69\xE8\x8E\x4C\x65\xF1\x91\x03\x2D\x70\x74\x02\xEA\x8B\x67\x15\x29\x69\x52\x02\xBB\xD7\xDF\x50\x6A\x55\x46\xBF\xA0\xA3\x28\x61\x7F\x70\xD0\xC3\xA2\xAA\x2C\x21\xAA\x47\xCE\x28\x9C\x06\x45\x76\xBF\x82\x18\x27\xB4\xD5\xAE\xB4\xCB\x50\xE6\x6B\xF4\x4C\x86\x71\x30\xE9\xA6\xDF\x16\x86\xE0\xD8\xFF\x40\xDD\xFB\xD0\x42\x88\x7F\xA3\x33\x3A\x2E\x5C\x1E\x41\x11\x81\x63\xCE\x18\x71\x6B\x2B\xEC\xA6\x8A\xB7\x31\x5C\x3A\x6A\x47\xE0\xC3\x79\x59\xD6\x20\x1A\xAF\xF2\x6A\x98\xAA\x72\xBC\x57\x4A\xD2\x4B\x9D\xBB\x10\xFC\xB0\x4C\x41\xE5\xED\x1D\x3D\x5E\x28\x9D\x9C\xCC\xBF\xB3\x51\xDA\xA7\x47\xE5\x84\x53\x02\x03\x01\x00\x01\xA3\x42\x30\x40\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xBB\xAF\x7E\x02\x3D\xFA\xA6\xF1\x3C\x84\x8E\xAD\xEE\x38\x98\xEC\xD9\x32\x32\xD4\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0C\x05\x00\x03\x82\x02\x01\x00\x0A\xF1\xD5\x46\x84\xB7\xAE\x51\xBB\x6C\xB2\x4
D\x41\x14\x00\x93\x4C\x9C\xCB\xE5\xC0\x54\xCF\xA0\x25\x8E\x02\xF9\xFD\xB0\xA2\x0D\xF5\x20\x98\x3C\x13\x2D\xAC\x56\xA2\xB0\xD6\x7E\x11\x92\xE9\x2E\xBA\x9E\x2E\x9A\x72\xB1\xBD\x19\x44\x6C\x61\x35\xA2\x9A\xB4\x16\x12\x69\x5A\x8C\xE1\xD7\x3E\xA4\x1A\xE8\x2F\x03\xF4\xAE\x61\x1D\x10\x1B\x2A\xA4\x8B\x7A\xC5\xFE\x05\xA6\xE1\xC0\xD6\xC8\xFE\x9E\xAE\x8F\x2B\xBA\x3D\x99\xF8\xD8\x73\x09\x58\x46\x6E\xA6\x9C\xF4\xD7\x27\xD3\x95\xDA\x37\x83\x72\x1C\xD3\x73\xE0\xA2\x47\x99\x03\x38\x5D\xD5\x49\x79\x00\x29\x1C\xC7\xEC\x9B\x20\x1C\x07\x24\x69\x57\x78\xB2\x39\xFC\x3A\x84\xA0\xB5\x9C\x7C\x8D\xBF\x2E\x93\x62\x27\xB7\x39\xDA\x17\x18\xAE\xBD\x3C\x09\x68\xFF\x84\x9B\x3C\xD5\xD6\x0B\x03\xE3\x57\x9E\x14\xF7\xD1\xEB\x4F\xC8\xBD\x87\x23\xB7\xB6\x49\x43\x79\x85\x5C\xBA\xEB\x92\x0B\xA1\xC6\xE8\x68\xA8\x4C\x16\xB1\x1A\x99\x0A\xE8\x53\x2C\x92\xBB\xA1\x09\x18\x75\x0C\x65\xA8\x7B\xCB\x23\xB7\x1A\xC2\x28\x85\xC3\x1B\xFF\xD0\x2B\x62\xEF\xA4\x7B\x09\x91\x98\x67\x8C\x14\x01\xCD\x68\x06\x6A\x63\x21\x75\x03\x80\x88\x8A\x6E\x81\xC6\x85\xF2\xA9\xA4\x2D\xE7\xF4\xA5\x24\x10\x47\x83\xCA\xCD\xF4\x8D\x79\x58\xB1\x06\x9B\xE7\x1A\x2A\xD9\x9D\x01\xD7\x94\x7D\xED\x03\x4A\xCA\xF0\xDB\xE8\xA9\x01\x3E\xF5\x56\x99\xC9\x1E\x8E\x49\x3D\xBB\xE5\x09\xB9\xE0\x4F\x49\x92\x3D\x16\x82\x40\xCC\xCC\x59\xC6\xE6\x3A\xED\x12\x2E\x69\x3C\x6C\x95\xB1\xFD\xAA\x1D\x7B\x7F\x86\xBE\x1E\x0E\x32\x46\xFB\xFB\x13\x8F\x75\x7F\x4C\x8B\x4B\x46\x63\xFE\x00\x34\x40\x70\xC1\xC3\xB9\xA1\xDD\xA6\x70\xE2\x04\xB3\x41\xBC\xE9\x80\x91\xEA\x64\x9C\x7A\xE1\x22\x03\xA9\x9C\x6E\x6F\x0E\x65\x4F\x6C\x87\x87\x5E\xF3\x6E\xA0\xF9\x75\xA5\x9B\x40\xE8\x53\xB2\x27\x9D\x4A\xB9\xC0\x77\x21\x8D\xFF\x87\xF2\xDE\xBC\x8C\xEF\x17\xDF\xB7\x49\x0B\xD1\xF2\x6E\x30\x0B\x1A\x0E\x4E\x76\xED\x11\xFC\xF5\xE9\x56\xB2\x7D\xBF\xC7\x6D\x0A\x93\x8C\xA5\xD0\xC0\xB6\x1D\xBE\x3A\x4E\x94\xA2\xD7\x6E\x6C\x0B\xC2\x8A\x7C\xFA\x20\xF3\xC4\xE4\xE5\xCD\x0D\xA8\xCB\x91\x92\xB1\x7C\x85\xEC\xB5\x14\x69\x66\x0E\x82\xE7\xCD\xCE\xC8\x2D\xA6\x51\x7F\x21\xC1\x35\x53\x85\x06\x4A\x5D\x9F\xAD\xBB\x1B\x5F\x7
4", ["CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US"] = "\x30\x82\x05\xDE\x30\x82\x03\xC6\xA0\x03\x02\x01\x02\x02\x10\x01\xFD\x6D\x30\xFC\xA3\xCA\x51\xA8\x1B\xBC\x64\x0E\x35\x03\x2D\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0C\x05\x00\x30\x81\x88\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x13\x30\x11\x06\x03\x55\x04\x08\x13\x0A\x4E\x65\x77\x20\x4A\x65\x72\x73\x65\x79\x31\x14\x30\x12\x06\x03\x55\x04\x07\x13\x0B\x4A\x65\x72\x73\x65\x79\x20\x43\x69\x74\x79\x31\x1E\x30\x1C\x06\x03\x55\x04\x0A\x13\x15\x54\x68\x65\x20\x55\x53\x45\x52\x54\x52\x55\x53\x54\x20\x4E\x65\x74\x77\x6F\x72\x6B\x31\x2E\x30\x2C\x06\x03\x55\x04\x03\x13\x25\x55\x53\x45\x52\x54\x72\x75\x73\x74\x20\x52\x53\x41\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x1E\x17\x0D\x31\x30\x30\x32\x30\x31\x30\x30\x30\x30\x30\x30\x5A\x17\x0D\x33\x38\x30\x31\x31\x38\x32\x33\x35\x39\x35\x39\x5A\x30\x81\x88\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x13\x30\x11\x06\x03\x55\x04\x08\x13\x0A\x4E\x65\x77\x20\x4A\x65\x72\x73\x65\x79\x31\x14\x30\x12\x06\x03\x55\x04\x07\x13\x0B\x4A\x65\x72\x73\x65\x79\x20\x43\x69\x74\x79\x31\x1E\x30\x1C\x06\x03\x55\x04\x0A\x13\x15\x54\x68\x65\x20\x55\x53\x45\x52\x54\x52\x55\x53\x54\x20\x4E\x65\x74\x77\x6F\x72\x6B\x31\x2E\x30\x2C\x06\x03\x55\x04\x03\x13\x25\x55\x53\x45\x52\x54\x72\x75\x73\x74\x20\x52\x53\x41\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\x80\x12\x65\x17\x36\x0E\xC3\xDB\x08\xB3\xD0\xAC\x57\x0D\x76\xED\xCD\x27\xD3\x4C\xAD\x50\x83\x61\xE2\xAA\x20\x4D\x09\x2D\x64\x09\xDC\xCE\x89\x9F\xCC\x3D\xA9\xEC\xF6\xCF\xC1\xDC\xF1\xD3\xB1\xD6\x7B\x37\x28\x11\x2B\x47\xDA\x39\xC6\xBC\x3A\x19\xB4\x5F\xA6\xBD\x7D\x9D\xA3\x63\x42\xB6\x76\xF2\xA9\x3B\x2B\x91\xF8\xE2\x6F\xD0\xEC\x16\x20\x9
0\x09\x3E\xE2\xE8\x74\xC9\x18\xB4\x91\xD4\x62\x64\xDB\x7F\xA3\x06\xF1\x88\x18\x6A\x90\x22\x3C\xBC\xFE\x13\xF0\x87\x14\x7B\xF6\xE4\x1F\x8E\xD4\xE4\x51\xC6\x11\x67\x46\x08\x51\xCB\x86\x14\x54\x3F\xBC\x33\xFE\x7E\x6C\x9C\xFF\x16\x9D\x18\xBD\x51\x8E\x35\xA6\xA7\x66\xC8\x72\x67\xDB\x21\x66\xB1\xD4\x9B\x78\x03\xC0\x50\x3A\xE8\xCC\xF0\xDC\xBC\x9E\x4C\xFE\xAF\x05\x96\x35\x1F\x57\x5A\xB7\xFF\xCE\xF9\x3D\xB7\x2C\xB6\xF6\x54\xDD\xC8\xE7\x12\x3A\x4D\xAE\x4C\x8A\xB7\x5C\x9A\xB4\xB7\x20\x3D\xCA\x7F\x22\x34\xAE\x7E\x3B\x68\x66\x01\x44\xE7\x01\x4E\x46\x53\x9B\x33\x60\xF7\x94\xBE\x53\x37\x90\x73\x43\xF3\x32\xC3\x53\xEF\xDB\xAA\xFE\x74\x4E\x69\xC7\x6B\x8C\x60\x93\xDE\xC4\xC7\x0C\xDF\xE1\x32\xAE\xCC\x93\x3B\x51\x78\x95\x67\x8B\xEE\x3D\x56\xFE\x0C\xD0\x69\x0F\x1B\x0F\xF3\x25\x26\x6B\x33\x6D\xF7\x6E\x47\xFA\x73\x43\xE5\x7E\x0E\xA5\x66\xB1\x29\x7C\x32\x84\x63\x55\x89\xC4\x0D\xC1\x93\x54\x30\x19\x13\xAC\xD3\x7D\x37\xA7\xEB\x5D\x3A\x6C\x35\x5C\xDB\x41\xD7\x12\xDA\xA9\x49\x0B\xDF\xD8\x80\x8A\x09\x93\x62\x8E\xB5\x66\xCF\x25\x88\xCD\x84\xB8\xB1\x3F\xA4\x39\x0F\xD9\x02\x9E\xEB\x12\x4C\x95\x7C\xF3\x6B\x05\xA9\x5E\x16\x83\xCC\xB8\x67\xE2\xE8\x13\x9D\xCC\x5B\x82\xD3\x4C\xB3\xED\x5B\xFF\xDE\xE5\x73\xAC\x23\x3B\x2D\x00\xBF\x35\x55\x74\x09\x49\xD8\x49\x58\x1A\x7F\x92\x36\xE6\x51\x92\x0E\xF3\x26\x7D\x1C\x4D\x17\xBC\xC9\xEC\x43\x26\xD0\xBF\x41\x5F\x40\xA9\x44\x44\xF4\x99\xE7\x57\x87\x9E\x50\x1F\x57\x54\xA8\x3E\xFD\x74\x63\x2F\xB1\x50\x65\x09\xE6\x58\x42\x2E\x43\x1A\x4C\xB4\xF0\x25\x47\x59\xFA\x04\x1E\x93\xD4\x26\x46\x4A\x50\x81\xB2\xDE\xBE\x78\xB7\xFC\x67\x15\xE1\xC9\x57\x84\x1E\x0F\x63\xD6\xE9\x62\xBA\xD6\x5F\x55\x2E\xEA\x5C\xC6\x28\x08\x04\x25\x39\xB8\x0E\x2B\xA9\xF2\x4C\x97\x1C\x07\x3F\x0D\x52\xF5\xED\xEF\x2F\x82\x0F\x02\x03\x01\x00\x01\xA3\x42\x30\x40\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x53\x79\xBF\x5A\xAA\x2B\x4A\xCF\x54\x80\xE1\xD8\x9B\xC0\x9D\xF2\xB2\x03\x66\xCB\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x0
1\xFF\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0C\x05\x00\x03\x82\x02\x01\x00\x5C\xD4\x7C\x0D\xCF\xF7\x01\x7D\x41\x99\x65\x0C\x73\xC5\x52\x9F\xCB\xF8\xCF\x99\x06\x7F\x1B\xDA\x43\x15\x9F\x9E\x02\x55\x57\x96\x14\xF1\x52\x3C\x27\x87\x94\x28\xED\x1F\x3A\x01\x37\xA2\x76\xFC\x53\x50\xC0\x84\x9B\xC6\x6B\x4E\xBA\x8C\x21\x4F\xA2\x8E\x55\x62\x91\xF3\x69\x15\xD8\xBC\x88\xE3\xC4\xAA\x0B\xFD\xEF\xA8\xE9\x4B\x55\x2A\x06\x20\x6D\x55\x78\x29\x19\xEE\x5F\x30\x5C\x4B\x24\x11\x55\xFF\x24\x9A\x6E\x5E\x2A\x2B\xEE\x0B\x4D\x9F\x7F\xF7\x01\x38\x94\x14\x95\x43\x07\x09\xFB\x60\xA9\xEE\x1C\xAB\x12\x8C\xA0\x9A\x5E\xA7\x98\x6A\x59\x6D\x8B\x3F\x08\xFB\xC8\xD1\x45\xAF\x18\x15\x64\x90\x12\x0F\x73\x28\x2E\xC5\xE2\x24\x4E\xFC\x58\xEC\xF0\xF4\x45\xFE\x22\xB3\xEB\x2F\x8E\xD2\xD9\x45\x61\x05\xC1\x97\x6F\xA8\x76\x72\x8F\x8B\x8C\x36\xAF\xBF\x0D\x05\xCE\x71\x8D\xE6\xA6\x6F\x1F\x6C\xA6\x71\x62\xC5\xD8\xD0\x83\x72\x0C\xF1\x67\x11\x89\x0C\x9C\x13\x4C\x72\x34\xDF\xBC\xD5\x71\xDF\xAA\x71\xDD\xE1\xB9\x6C\x8C\x3C\x12\x5D\x65\xDA\xBD\x57\x12\xB6\x43\x6B\xFF\xE5\xDE\x4D\x66\x11\x51\xCF\x99\xAE\xEC\x17\xB6\xE8\x71\x91\x8C\xDE\x49\xFE\xDD\x35\x71\xA2\x15\x27\x94\x1C\xCF\x61\xE3\x26\xBB\x6F\xA3\x67\x25\x21\x5D\xE6\xDD\x1D\x0B\x2E\x68\x1B\x3B\x82\xAF\xEC\x83\x67\x85\xD4\x98\x51\x74\xB1\xB9\x99\x80\x89\xFF\x7F\x78\x19\x5C\x79\x4A\x60\x2E\x92\x40\xAE\x4C\x37\x2A\x2C\xC9\xC7\x62\xC8\x0E\x5D\xF7\x36\x5B\xCA\xE0\x25\x25\x01\xB4\xDD\x1A\x07\x9C\x77\x00\x3F\xD0\xDC\xD5\xEC\x3D\xD4\xFA\xBB\x3F\xCC\x85\xD6\x6F\x7F\xA9\x2D\xDF\xB9\x02\xF7\xF5\x97\x9A\xB5\x35\xDA\xC3\x67\xB0\x87\x4A\xA9\x28\x9E\x23\x8E\xFF\x5C\x27\x6B\xE1\xB0\x4F\xF3\x07\xEE\x00\x2E\xD4\x59\x87\xCB\x52\x41\x95\xEA\xF4\x47\xD7\xEE\x64\x41\x55\x7C\x8D\x59\x02\x95\xDD\x62\x9D\xC2\xB9\xEE\x5A\x28\x74\x84\xA5\x9B\xB7\x90\xC7\x0C\x07\xDF\xF5\x89\x36\x74\x32\xD6\x28\xC1\xB0\xB0\x0B\xE0\x9C\x4C\xC3\x1C\xD6\xFC\xE3\x69\xB5\x47\x46\x81\x2F\xA2\x82\xAB\xD3\x63\x44\x70\xC4\x8D\xFF\x2D\x33\xBA\xAD\x8F\x7B\xB5\x70\x88\xAE\x3E\x19\xCF\x40\x28\xD8\xFC\xC8\x90\xBB\x5D\x9
9\x22\xF5\x52\xE6\x58\xC5\x1F\x88\x31\x43\xEE\x88\x1D\xD7\xC6\x8E\x3C\x43\x6A\x1D\xA7\x18\xDE\x7D\x3D\x16\xF1\x62\xF9\xCA\x90\xA8\xFD", ["CN=USERTrust ECC Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US"] = "\x30\x82\x02\x8F\x30\x82\x02\x15\xA0\x03\x02\x01\x02\x02\x10\x5C\x8B\x99\xC5\x5A\x94\xC5\xD2\x71\x56\xDE\xCD\x89\x80\xCC\x26\x30\x0A\x06\x08\x2A\x86\x48\xCE\x3D\x04\x03\x03\x30\x81\x88\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x13\x30\x11\x06\x03\x55\x04\x08\x13\x0A\x4E\x65\x77\x20\x4A\x65\x72\x73\x65\x79\x31\x14\x30\x12\x06\x03\x55\x04\x07\x13\x0B\x4A\x65\x72\x73\x65\x79\x20\x43\x69\x74\x79\x31\x1E\x30\x1C\x06\x03\x55\x04\x0A\x13\x15\x54\x68\x65\x20\x55\x53\x45\x52\x54\x52\x55\x53\x54\x20\x4E\x65\x74\x77\x6F\x72\x6B\x31\x2E\x30\x2C\x06\x03\x55\x04\x03\x13\x25\x55\x53\x45\x52\x54\x72\x75\x73\x74\x20\x45\x43\x43\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x1E\x17\x0D\x31\x30\x30\x32\x30\x31\x30\x30\x30\x30\x30\x30\x5A\x17\x0D\x33\x38\x30\x31\x31\x38\x32\x33\x35\x39\x35\x39\x5A\x30\x81\x88\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x13\x30\x11\x06\x03\x55\x04\x08\x13\x0A\x4E\x65\x77\x20\x4A\x65\x72\x73\x65\x79\x31\x14\x30\x12\x06\x03\x55\x04\x07\x13\x0B\x4A\x65\x72\x73\x65\x79\x20\x43\x69\x74\x79\x31\x1E\x30\x1C\x06\x03\x55\x04\x0A\x13\x15\x54\x68\x65\x20\x55\x53\x45\x52\x54\x52\x55\x53\x54\x20\x4E\x65\x74\x77\x6F\x72\x6B\x31\x2E\x30\x2C\x06\x03\x55\x04\x03\x13\x25\x55\x53\x45\x52\x54\x72\x75\x73\x74\x20\x45\x43\x43\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x76\x30\x10\x06\x07\x2A\x86\x48\xCE\x3D\x02\x01\x06\x05\x2B\x81\x04\x00\x22\x03\x62\x00\x04\x1A\xAC\x54\x5A\xA9\xF9\x68\x23\xE7\x7A\xD5\x24\x6F\x53\xC6\x5A\xD8\x4B\xAB\xC6\xD5\xB6\xD1\xE6\x73\x71\xAE\xDD\x9C\xD6\x0C\x61\xFD\xDB\xA0\x89\x03\xB8\x05\x14\xEC\x57\xCE\xEE\x5D\x3F\xE2\x21\xB3\xCE\xF7\xD4\x8A\x79\xE0\xA3\x83\x7E\x2D\x97\xD0\x61\xC
4\xF1\x99\xDC\x25\x91\x63\xAB\x7F\x30\xA3\xB4\x70\xE2\xC7\xA1\x33\x9C\xF3\xBF\x2E\x5C\x53\xB1\x5F\xB3\x7D\x32\x7F\x8A\x34\xE3\x79\x79\xA3\x42\x30\x40\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x3A\xE1\x09\x86\xD4\xCF\x19\xC2\x96\x76\x74\x49\x76\xDC\xE0\x35\xC6\x63\x63\x9A\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0A\x06\x08\x2A\x86\x48\xCE\x3D\x04\x03\x03\x03\x68\x00\x30\x65\x02\x30\x36\x67\xA1\x16\x08\xDC\xE4\x97\x00\x41\x1D\x4E\xBE\xE1\x63\x01\xCF\x3B\xAA\x42\x11\x64\xA0\x9D\x94\x39\x02\x11\x79\x5C\x7B\x1D\xFA\x64\xB9\xEE\x16\x42\xB3\xBF\x8A\xC2\x09\xC4\xEC\xE4\xB1\x4D\x02\x31\x00\xE9\x2A\x61\x47\x8C\x52\x4A\x4B\x4E\x18\x70\xF6\xD6\x44\xD6\x6E\xF5\x83\xBA\x6D\x58\xBD\x24\xD9\x56\x48\xEA\xEF\xC4\xA2\x46\x81\x88\x6A\x3A\x46\xD1\xA9\x9B\x4D\xC9\x61\xDA\xD1\x5D\x57\x6A\x18", 
@@ -153,11 +117,8 @@ redef root_certs += { ["CN=Entrust Root Certification Authority - EC1,OU=(c) 2012 Entrust\, Inc. - for authorized use only,OU=See www.entrust.net/legal-terms,O=Entrust\, Inc.,C=US"] = "\x30\x82\x02\xF9\x30\x82\x02\x80\xA0\x03\x02\x01\x02\x02\x0D\x00\xA6\x8B\x79\x29\x00\x00\x00\x00\x50\xD0\x91\xF9\x30\x0A\x06\x08\x2A\x86\x48\xCE\x3D\x04\x03\x03\x30\x81\xBF\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x16\x30\x14\x06\x03\x55\x04\x0A\x13\x0D\x45\x6E\x74\x72\x75\x73\x74\x2C\x20\x49\x6E\x63\x2E\x31\x28\x30\x26\x06\x03\x55\x04\x0B\x13\x1F\x53\x65\x65\x20\x77\x77\x77\x2E\x65\x6E\x74\x72\x75\x73\x74\x2E\x6E\x65\x74\x2F\x6C\x65\x67\x61\x6C\x2D\x74\x65\x72\x6D\x73\x31\x39\x30\x37\x06\x03\x55\x04\x0B\x13\x30\x28\x63\x29\x20\x32\x30\x31\x32\x20\x45\x6E\x74\x72\x75\x73\x74\x2C\x20\x49\x6E\x63\x2E\x20\x2D\x20\x66\x6F\x72\x20\x61\x75\x74\x68\x6F\x72\x69\x7A\x65\x64\x20\x75\x73\x65\x20\x6F\x6E\x6C\x79\x31\x33\x30\x31\x06\x03\x55\x04\x03\x13\x2A\x45\x6E\x74\x72\x75\x73\x74\x20\x52\x6F\x6F\x74\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x20\x2D\x20\x45\x43\x31\x30\x1E\x17\x0D\x31\x32\x31\x32\x31\x38\x31\x35\x32\x35\x33\x36\x5A\x17\x0D\x33\x37\x31\x32\x31\x38\x31\x35\x35\x35\x33\x36\x5A\x30\x81\xBF\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x16\x30\x14\x06\x03\x55\x04\x0A\x13\x0D\x45\x6E\x74\x72\x75\x73\x74\x2C\x20\x49\x6E\x63\x2E\x31\x28\x30\x26\x06\x03\x55\x04\x0B\x13\x1F\x53\x65\x65\x20\x77\x77\x77\x2E\x65\x6E\x74\x72\x75\x73\x74\x2E\x6E\x65\x74\x2F\x6C\x65\x67\x61\x6C\x2D\x74\x65\x72\x6D\x73\x31\x39\x30\x37\x06\x03\x55\x04\x0B\x13\x30\x28\x63\x29\x20\x32\x30\x31\x32\x20\x45\x6E\x74\x72\x75\x73\x74\x2C\x20\x49\x6E\x63\x2E\x20\x2D\x20\x66\x6F\x72\x20\x61\x75\x74\x68\x6F\x72\x69\x7A\x65\x64\x20\x75\x73\x65\x20\x6F\x6E\x6C\x79\x31\x33\x30\x31\x06\x03\x55\x04\x03\x13\x2A\x45\x6E\x74\x72\x75\x73\x74\x20\x52\x6F\x6F\x74\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x
68\x6F\x72\x69\x74\x79\x20\x2D\x20\x45\x43\x31\x30\x76\x30\x10\x06\x07\x2A\x86\x48\xCE\x3D\x02\x01\x06\x05\x2B\x81\x04\x00\x22\x03\x62\x00\x04\x84\x13\xC9\xD0\xBA\x6D\x41\x7B\xE2\x6C\xD0\xEB\x55\x5F\x66\x02\x1A\x24\xF4\x5B\x89\x69\x47\xE3\xB8\xC2\x7D\xF1\xF2\x02\xC5\x9F\xA0\xF6\x5B\xD5\x8B\x06\x19\x86\x4F\x53\x10\x6D\x07\x24\x27\xA1\xA0\xF8\xD5\x47\x19\x61\x4C\x7D\xCA\x93\x27\xEA\x74\x0C\xEF\x6F\x96\x09\xFE\x63\xEC\x70\x5D\x36\xAD\x67\x77\xAE\xC9\x9D\x7C\x55\x44\x3A\xA2\x63\x51\x1F\xF5\xE3\x62\xD4\xA9\x47\x07\x3E\xCC\x20\xA3\x42\x30\x40\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xB7\x63\xE7\x1A\xDD\x8D\xE9\x08\xA6\x55\x83\xA4\xE0\x6A\x50\x41\x65\x11\x42\x49\x30\x0A\x06\x08\x2A\x86\x48\xCE\x3D\x04\x03\x03\x03\x67\x00\x30\x64\x02\x30\x61\x79\xD8\xE5\x42\x47\xDF\x1C\xAE\x53\x99\x17\xB6\x6F\x1C\x7D\xE1\xBF\x11\x94\xD1\x03\x88\x75\xE4\x8D\x89\xA4\x8A\x77\x46\xDE\x6D\x61\xEF\x02\xF5\xFB\xB5\xDF\xCC\xFE\x4E\xFF\xFE\xA9\xE6\xA7\x02\x30\x5B\x99\xD7\x85\x37\x06\xB5\x7B\x08\xFD\xEB\x27\x8B\x4A\x94\xF9\xE1\xFA\xA7\x8E\x26\x08\xE8\x7C\x92\x68\x6D\x73\xD8\x6F\x26\xAC\x21\x02\xB8\x99\xB7\x26\x41\x5B\x25\x60\xAE\xD0\x48\x1A\xEE\x06", ["CN=CFCA EV ROOT,O=China Financial Certification Authority,C=CN"] = 
"\x30\x82\x05\x8D\x30\x82\x03\x75\xA0\x03\x02\x01\x02\x02\x04\x18\x4A\xCC\xD6\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x30\x56\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x43\x4E\x31\x30\x30\x2E\x06\x03\x55\x04\x0A\x0C\x27\x43\x68\x69\x6E\x61\x20\x46\x69\x6E\x61\x6E\x63\x69\x61\x6C\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x31\x15\x30\x13\x06\x03\x55\x04\x03\x0C\x0C\x43\x46\x43\x41\x20\x45\x56\x20\x52\x4F\x4F\x54\x30\x1E\x17\x0D\x31\x32\x30\x38\x30\x38\x30\x33\x30\x37\x30\x31\x5A\x17\x0D\x32\x39\x31\x32\x33\x31\x30\x33\x30\x37\x30\x31\x5A\x30\x56\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x43\x4E\x31\x30\x30\x2E\x06\x03\x55\x04\x0A\x0C\x27\x43\x68\x69\x6E\x61\x20\x46\x69\x6E\x61\x6E\x63\x69\x61\x6C\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x31\x15\x30\x13\x06\x03\x55\x04\x03\x0C\x0C\x43\x46\x43\x41\x20\x45\x56\x20\x52\x4F\x4F\x54\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\xD7\x5D\x6B\xCD\x10\x3F\x1F\x05\x59\xD5\x05\x4D\x37\xB1\x0E\xEC\x98\x2B\x8E\x15\x1D\xFA\x93\x4B\x17\x82\x21\x71\x10\x52\xD7\x51\x64\x70\x16\xC2\x55\x69\x4D\x8E\x15\x6D\x9F\xBF\x0C\x1B\xC2\xE0\xA3\x67\xD6\x0C\xAC\xCF\x22\xAE\xAF\x77\x54\x2A\x4B\x4C\x8A\x53\x52\x7A\xC3\xEE\x2E\xDE\xB3\x71\x25\xC1\xE9\x5D\x3D\xEE\xA1\x2F\xA3\xF7\x2A\x3C\xC9\x23\x1D\x6A\xAB\x1D\xA1\xA7\xF1\xF3\xEC\xA0\xD5\x44\xCF\x15\xCF\x72\x2F\x1D\x63\x97\xE8\x99\xF9\xFD\x93\xA4\x54\x80\x4C\x52\xD4\x52\xAB\x2E\x49\xDF\x90\xCD\xB8\x5F\xBE\x3F\xDE\xA1\xCA\x4D\x20\xD4\x25\xE8\x84\x29\x53\xB7\xB1\x88\x1F\xFF\xFA\xDA\x90\x9F\x0A\xA9\x2D\x41\x3F\xB1\xF1\x18\x29\xEE\x16\x59\x2C\x34\x49\x1A\xA8\x06\xD7\xA8\x88\xD2\x03\x72\x7A\x32\xE2\xEA\x68\x4D\x6E\x2C\x96\x65\x7B\xCA\x59\xFA\xF2\xE2\xDD\xEE\x30\x2C\xFB\xCC\x46\xAC\xC4\x63\xEB\x6F\x7F\x36\x2B\x34\x73\x12\x94\x7F\xDF\xCC\x26\x9E\xF1\x72\x5D\x50\x65\x59\x8F\x69\xB3\x87\x5E\x32\x6
F\xC3\x18\x8A\xB5\x95\x8F\xB0\x7A\x37\xDE\x5A\x45\x3B\xC7\x36\xE1\xEF\x67\xD1\x39\xD3\x97\x5B\x73\x62\x19\x48\x2D\x87\x1C\x06\xFB\x74\x98\x20\x49\x73\xF0\x05\xD2\x1B\xB1\xA0\xA3\xB7\x1B\x70\xD3\x88\x69\xB9\x5A\xD6\x38\xF4\x62\xDC\x25\x8B\x78\xBF\xF8\xE8\x7E\xB8\x5C\xC9\x95\x4F\x5F\xA7\x2D\xB9\x20\x6B\xCF\x6B\xDD\xF5\x0D\xF4\x82\xB7\xF4\xB2\x66\x2E\x10\x28\xF6\x97\x5A\x7B\x96\x16\x8F\x01\x19\x2D\x6C\x6E\x7F\x39\x58\x06\x64\x83\x01\x83\x83\xC3\x4D\x92\xDD\x32\xC6\x87\xA4\x37\xE9\x16\xCE\xAA\x2D\x68\xAF\x0A\x81\x65\x3A\x70\xC1\x9B\xAD\x4D\x6D\x54\xCA\x2A\x2D\x4B\x85\x1B\xB3\x80\xE6\x70\x45\x0D\x6B\x5E\x35\xF0\x7F\x3B\xB8\x9C\xE4\x04\x70\x89\x12\x25\x93\xDA\x0A\x99\x22\x60\x6A\x63\x60\x4E\x76\x06\x98\x4E\xBD\x83\xAD\x1D\x58\x8A\x25\x85\xD2\xC7\x65\x1E\x2D\x8E\xC6\xDF\xB6\xC6\xE1\x7F\x8A\x04\x21\x15\x29\x74\xF0\x3E\x9C\x90\x9D\x0C\x2E\xF1\x8A\x3E\x5A\xAA\x0C\x09\x1E\xC7\xD5\x3C\xA3\xED\x97\xC3\x1E\x34\xFA\x38\xF9\x08\x0E\xE3\xC0\x5D\x2B\x83\xD1\x56\x6A\xC9\xB6\xA8\x54\x53\x2E\x78\x32\x67\x3D\x82\x7F\x74\xD0\xFB\xE1\xB6\x05\x60\xB9\x70\xDB\x8E\x0B\xF9\x13\x58\x6F\x71\x60\x10\x52\x10\xB9\xC1\x41\x09\xEF\x72\x1F\x67\x31\x78\xFF\x96\x05\x8D\x02\x03\x01\x00\x01\xA3\x63\x30\x61\x30\x1F\x06\x03\x55\x1D\x23\x04\x18\x30\x16\x80\x14\xE3\xFE\x2D\xFD\x28\xD0\x0B\xB5\xBA\xB6\xA2\xC4\xBF\x06\xAA\x05\x8C\x93\xFB\x2F\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xE3\xFE\x2D\xFD\x28\xD0\x0B\xB5\xBA\xB6\xA2\xC4\xBF\x06\xAA\x05\x8C\x93\xFB\x2F\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x03\x82\x02\x01\x00\x25\xC6\xBA\x6B\xEB\x87\xCB\xDE\x82\x39\x96\x3D\xF0\x44\xA7\x6B\x84\x73\x03\xDE\x9D\x2B\x4F\xBA\x20\x7F\xBC\x78\xB2\xCF\x97\xB0\x1B\x9C\xF3\xD7\x79\x2E\xF5\x48\xB6\xD2\xFB\x17\x88\xE6\xD3\x7A\x3F\xED\x53\x13\xD0\xE2\x2F\x6A\x79\xCB\x00\x23\x28\xE6\x1E\x37\x57\x35\x89\x84\xC2\x76\x4F\x34\x36\xAD\x67\xC3\xCE\x41\x06\x88\xC5\xF7\xEE\xD8\x1A\xB8\xD
6\x0B\x7F\x50\xFF\x93\xAA\x17\x4B\x8C\xEC\xED\x52\x60\xB2\xA4\x06\xEA\x4E\xEB\xF4\x6B\x19\xFD\xEB\xF5\x1A\xE0\x25\x2A\x9A\xDC\xC7\x41\x36\xF7\xC8\x74\x05\x84\x39\x95\x39\xD6\x0B\x3B\xA4\x27\xFA\x08\xD8\x5C\x1E\xF8\x04\x60\x52\x11\x28\x28\x03\xFF\xEF\x53\x66\x00\xA5\x4A\x34\x16\x66\x7C\xFD\x09\xA4\xAE\x9E\x67\x1A\x6F\x41\x0B\x6B\x06\x13\x9B\x8F\x86\x71\x05\xB4\x2F\x8D\x89\x66\x33\x29\x76\x54\x9A\x11\xF8\x27\xFA\xB2\x3F\x91\xE0\xCE\x0D\x1B\xF3\x30\x1A\xAD\xBF\x22\x5D\x1B\xD3\xBF\x25\x05\x4D\xE1\x92\x1A\x7F\x99\x9F\x3C\x44\x93\xCA\xD4\x40\x49\x6C\x80\x87\xD7\x04\x3A\xC3\x32\x52\x35\x0E\x56\xF8\xA5\xDD\x7D\xC4\x8B\x0D\x11\x1F\x53\xCB\x1E\xB2\x17\xB6\x68\x77\x5A\xE0\xD4\xCB\xC8\x07\xAE\xF5\x3A\x2E\x8E\x37\xB7\xD0\x01\x4B\x43\x29\x77\x8C\x39\x97\x8F\x82\x5A\xF8\x51\xE5\x89\xA0\x18\xE7\x68\x7F\x5D\x0A\x2E\xFB\xA3\x47\x0E\x3D\xA6\x23\x7A\xC6\x01\xC7\x8F\xC8\x5E\xBF\x6D\x80\x56\xBE\x8A\x24\xBA\x33\xEA\x9F\xE1\x32\x11\x9E\xF1\xD2\x4F\x80\xF6\x1B\x40\xAF\x38\x9E\x11\x50\x79\x73\x12\x12\xCD\xE6\x6C\x9D\x2C\x88\x72\x3C\x30\x81\x06\x91\x22\xEA\x59\xAD\xDA\x19\x2E\x22\xC2\x8D\xB9\x8C\x87\xE0\x66\xBC\x73\x23\x5F\x21\x64\x63\x80\x48\xF5\xA0\x3C\x18\x3D\x94\xC8\x48\x41\x1D\x40\xBA\x5E\xFE\xFE\x56\x39\xA1\xC8\xCF\x5E\x9E\x19\x64\x46\x10\xDA\x17\x91\xB7\x05\x80\xAC\x8B\x99\x92\x7D\xE7\xA2\xD8\x07\x0B\x36\x27\xE7\x48\x79\x60\x8A\xC3\xD7\x13\x5C\xF8\x72\x40\xDF\x4A\xCB\xCF\x99\x00\x0A\x00\x0B\x11\x95\xDA\x56\x45\x03\x88\x0A\x9F\x67\xD0\xD5\x79\xB1\xA8\x8D\x40\x6D\x0D\xC2\x7A\x40\xFA\xF3\x5F\x64\x47\x92\xCB\x53\xB9\xBB\x59\xCE\x4F\xFD\xD0\x15\x53\x01\xD8\xDF\xEB\xD9\xE6\x76\xEF\xD0\x23\xBB\x3B\xA9\x79\xB3\xD5\x02\x29\xCD\x89\xA3\x96\x0F\x4A\x35\xE7\x4E\x42\xC0\x75\xCD\x07\xCF\xE6\x2C\xEB\x7B\x2E", ["CN=T\C3\9CRKTRUST Elektronik Sertifika Hizmet Sa\C4\9Flay\C4\B1c\C4\B1s\C4\B1 H5,O=T\C3\9CRKTRUST Bilgi \C4\B0leti\C5\9Fim ve Bili\C5\9Fim G\C3\BCvenli\C4\9Fi Hizmetleri A.\C5\9E.,L=Ankara,C=TR"] = 
"\x30\x82\x04\x27\x30\x82\x03\x0F\xA0\x03\x02\x01\x02\x02\x07\x00\x8E\x17\xFE\x24\x20\x81\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x30\x81\xB1\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x54\x52\x31\x0F\x30\x0D\x06\x03\x55\x04\x07\x0C\x06\x41\x6E\x6B\x61\x72\x61\x31\x4D\x30\x4B\x06\x03\x55\x04\x0A\x0C\x44\x54\xC3\x9C\x52\x4B\x54\x52\x55\x53\x54\x20\x42\x69\x6C\x67\x69\x20\xC4\xB0\x6C\x65\x74\x69\xC5\x9F\x69\x6D\x20\x76\x65\x20\x42\x69\x6C\x69\xC5\x9F\x69\x6D\x20\x47\xC3\xBC\x76\x65\x6E\x6C\x69\xC4\x9F\x69\x20\x48\x69\x7A\x6D\x65\x74\x6C\x65\x72\x69\x20\x41\x2E\xC5\x9E\x2E\x31\x42\x30\x40\x06\x03\x55\x04\x03\x0C\x39\x54\xC3\x9C\x52\x4B\x54\x52\x55\x53\x54\x20\x45\x6C\x65\x6B\x74\x72\x6F\x6E\x69\x6B\x20\x53\x65\x72\x74\x69\x66\x69\x6B\x61\x20\x48\x69\x7A\x6D\x65\x74\x20\x53\x61\xC4\x9F\x6C\x61\x79\xC4\xB1\x63\xC4\xB1\x73\xC4\xB1\x20\x48\x35\x30\x1E\x17\x0D\x31\x33\x30\x34\x33\x30\x30\x38\x30\x37\x30\x31\x5A\x17\x0D\x32\x33\x30\x34\x32\x38\x30\x38\x30\x37\x30\x31\x5A\x30\x81\xB1\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x54\x52\x31\x0F\x30\x0D\x06\x03\x55\x04\x07\x0C\x06\x41\x6E\x6B\x61\x72\x61\x31\x4D\x30\x4B\x06\x03\x55\x04\x0A\x0C\x44\x54\xC3\x9C\x52\x4B\x54\x52\x55\x53\x54\x20\x42\x69\x6C\x67\x69\x20\xC4\xB0\x6C\x65\x74\x69\xC5\x9F\x69\x6D\x20\x76\x65\x20\x42\x69\x6C\x69\xC5\x9F\x69\x6D\x20\x47\xC3\xBC\x76\x65\x6E\x6C\x69\xC4\x9F\x69\x20\x48\x69\x7A\x6D\x65\x74\x6C\x65\x72\x69\x20\x41\x2E\xC5\x9E\x2E\x31\x42\x30\x40\x06\x03\x55\x04\x03\x0C\x39\x54\xC3\x9C\x52\x4B\x54\x52\x55\x53\x54\x20\x45\x6C\x65\x6B\x74\x72\x6F\x6E\x69\x6B\x20\x53\x65\x72\x74\x69\x66\x69\x6B\x61\x20\x48\x69\x7A\x6D\x65\x74\x20\x53\x61\xC4\x9F\x6C\x61\x79\xC4\xB1\x63\xC4\xB1\x73\xC4\xB1\x20\x48\x35\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xA4\x25\x19\xE1\x65\x9E\xEB\x48\x21\x50\x4A\x08\xE5\x11\xF0\x5A\xBA\x26\xFF\x83\x59\xCE\x44\x2A\x2F\xFE\xE1\xCE\x60\x03\xFC\x8D\x03\xA5\xED\xFF\x6B\xA
8\xBA\xCC\x34\x06\x9F\x59\x35\xF6\xEC\x2C\xBB\x9D\xFB\x8D\x52\x69\xE3\x9C\x27\x10\x53\xF3\xA4\x02\xC5\xA7\xF9\x11\x1A\x69\x75\x6E\xC3\x1D\x8B\xD1\x98\x8D\x93\x87\xA7\x71\x97\x0D\x21\xC7\x99\xF9\x52\xD3\x2C\x63\x5D\x55\xBC\xE8\x1F\x01\x48\xB9\x60\xFE\x42\x4A\xF6\xC8\x80\xAE\xCD\x66\x7A\x9E\x45\x8A\x68\x77\xE2\x48\x68\x9F\xA2\xDA\xF1\xE1\xC1\x10\x9F\xEB\x3C\x29\x81\xA7\xE1\x32\x08\xD4\xA0\x05\xB1\x8C\xFB\x8D\x96\x00\x0E\x3E\x25\xDF\x53\x86\x22\x3B\xFC\xF4\xBD\xF3\x09\x7E\x77\xEC\x86\xEB\x0F\x33\xE5\x43\x4F\xF4\x54\x75\x6D\x29\x99\x2E\x66\x5A\x43\xDF\xCB\x5C\xCA\xC8\xE5\x38\xF1\x7E\x3B\x35\x9D\x0F\xF4\xC5\x5A\xA1\xCC\xF3\x20\x80\x24\xD3\x57\xEC\x15\xBA\x75\x25\x9B\xE8\x64\x4B\xB3\x34\x84\xEF\x04\xB8\xF6\xC9\x6C\xAA\x02\x3E\xB6\x55\xE2\x32\x37\x5F\xFC\x66\x97\x5F\xCD\xD6\x9E\xC7\x20\xBF\x4D\xC6\xAC\x3F\x75\x5F\x1C\xED\x32\x9C\x7C\x69\x00\x69\x91\xE3\x23\x18\x53\xE9\x02\x03\x01\x00\x01\xA3\x42\x30\x40\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x56\x99\x07\x1E\xD3\xAC\x0C\x69\x64\xB4\x0C\x50\x47\xDE\x43\x2C\xBE\x20\xC0\xFB\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x03\x82\x01\x01\x00\x9E\x45\x76\x7B\x17\x48\x32\xF2\x38\x8B\x29\xBD\xEE\x96\x4A\x4E\x81\x18\xB1\x51\x47\x20\xCD\xD0\x64\xB1\x0E\xC9\xD9\x01\xD9\x09\xCE\xC8\x99\xDC\x68\x25\x13\xD4\x5C\xF2\xA3\xE8\x04\xFE\x72\x09\xC7\x0B\xAA\x1D\x25\x55\x7E\x96\x9A\x57\xB7\xBA\xC5\x11\x7A\x19\xE6\xA7\x7E\x3D\x85\x0E\xF5\xF9\x2E\x29\x2F\xE7\xF9\x6C\x58\x16\x57\x50\x25\xF6\x3E\x2E\x3E\xAA\xED\x77\x71\xAA\xAA\x99\x96\x46\x0A\xAE\x8E\xEC\x2A\x51\x16\xB0\x5E\xCD\xEA\x67\x04\x1C\x58\x30\xF5\x60\x8A\xBD\xA6\xBD\x4D\xE5\x96\xB4\xFC\x42\x89\x01\x6B\xF6\x70\xC8\x50\x39\x0C\x2D\xD5\x66\xD9\xC8\xD2\xB3\x32\xB7\x1B\x19\x6D\xCB\x33\xF9\xDF\xA5\xE6\x15\x84\x37\xF0\xC2\xF2\x65\x96\x92\x90\x77\xF0\xAD\xF4\x90\xE9\x11\x78\xD7\x93\x89\xC0\x3D\x0B\xBA\x29\xF4\xE8\x99\x9D\x72\x8E\xED\x9D\x2F\xEE\x92\x7
D\xA1\xF1\xFF\x5D\xBA\x33\x60\x85\x62\xFE\x07\x02\xA1\x84\x56\x46\xBE\x96\x0A\x9A\x13\xD7\x21\x4C\xB7\x7C\x07\x9F\x4E\x4E\x3F\x91\x74\xFB\x27\x9D\x11\xCC\xDD\xE6\xB1\xCA\x71\x4D\x13\x17\x39\x26\xC5\x29\x21\x2B\x93\x29\x6A\x96\xFA\xAB\x41\xE1\x4B\xB6\x35\x0B\xC0\x9B\x15", - ["CN=T\C3\9CRKTRUST Elektronik Sertifika Hizmet Sa\C4\9Flay\C4\B1c\C4\B1s\C4\B1 H6,O=T\C3\9CRKTRUST Bilgi \C4\B0leti\C5\9Fim ve Bili\C5\9Fim G\C3\BCvenli\C4\9Fi Hizmetleri A.\C5\9E.,L=Ankara,C=TR"] = "\x30\x82\x04\x26\x30\x82\x03\x0E\xA0\x03\x02\x01\x02\x02\x06\x7D\xA1\xF2\x65\xEC\x8A\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x30\x81\xB1\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x54\x52\x31\x0F\x30\x0D\x06\x03\x55\x04\x07\x0C\x06\x41\x6E\x6B\x61\x72\x61\x31\x4D\x30\x4B\x06\x03\x55\x04\x0A\x0C\x44\x54\xC3\x9C\x52\x4B\x54\x52\x55\x53\x54\x20\x42\x69\x6C\x67\x69\x20\xC4\xB0\x6C\x65\x74\x69\xC5\x9F\x69\x6D\x20\x76\x65\x20\x42\x69\x6C\x69\xC5\x9F\x69\x6D\x20\x47\xC3\xBC\x76\x65\x6E\x6C\x69\xC4\x9F\x69\x20\x48\x69\x7A\x6D\x65\x74\x6C\x65\x72\x69\x20\x41\x2E\xC5\x9E\x2E\x31\x42\x30\x40\x06\x03\x55\x04\x03\x0C\x39\x54\xC3\x9C\x52\x4B\x54\x52\x55\x53\x54\x20\x45\x6C\x65\x6B\x74\x72\x6F\x6E\x69\x6B\x20\x53\x65\x72\x74\x69\x66\x69\x6B\x61\x20\x48\x69\x7A\x6D\x65\x74\x20\x53\x61\xC4\x9F\x6C\x61\x79\xC4\xB1\x63\xC4\xB1\x73\xC4\xB1\x20\x48\x36\x30\x1E\x17\x0D\x31\x33\x31\x32\x31\x38\x30\x39\x30\x34\x31\x30\x5A\x17\x0D\x32\x33\x31\x32\x31\x36\x30\x39\x30\x34\x31\x30\x5A\x30\x81\xB1\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x54\x52\x31\x0F\x30\x0D\x06\x03\x55\x04\x07\x0C\x06\x41\x6E\x6B\x61\x72\x61\x31\x4D\x30\x4B\x06\x03\x55\x04\x0A\x0C\x44\x54\xC3\x9C\x52\x4B\x54\x52\x55\x53\x54\x20\x42\x69\x6C\x67\x69\x20\xC4\xB0\x6C\x65\x74\x69\xC5\x9F\x69\x6D\x20\x76\x65\x20\x42\x69\x6C\x69\xC5\x9F\x69\x6D\x20\x47\xC3\xBC\x76\x65\x6E\x6C\x69\xC4\x9F\x69\x20\x48\x69\x7A\x6D\x65\x74\x6C\x65\x72\x69\x20\x41\x2E\xC5\x9E\x2E\x31\x42\x30\x40\x06\x03\x55\x04\x03\x0C\x39\x54\xC3\x9C\x52\x4B\x54\x52\x55\x53\x54\
x20\x45\x6C\x65\x6B\x74\x72\x6F\x6E\x69\x6B\x20\x53\x65\x72\x74\x69\x66\x69\x6B\x61\x20\x48\x69\x7A\x6D\x65\x74\x20\x53\x61\xC4\x9F\x6C\x61\x79\xC4\xB1\x63\xC4\xB1\x73\xC4\xB1\x20\x48\x36\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\x9D\xB0\x68\xD6\xE8\xBD\x14\x96\xA3\x00\x0A\x9A\xF1\xF4\xC7\xCC\x91\x4D\x71\x78\x77\xB9\xF7\x21\x26\x15\x73\x51\x16\x94\x09\x47\x05\xE2\x33\xF5\x68\x9A\x35\xFF\xDC\x4B\x2F\x32\xC7\xB0\xED\xE2\x82\xE5\x6F\xDA\xDA\xEA\xAC\xC6\x06\xCF\x25\x0D\x41\x81\xF6\xC1\x38\x22\xBD\xF9\xB1\xA5\xA6\xB3\x01\xBC\x3F\x50\x17\x2B\xF6\xE9\x66\x55\xD4\x33\xB3\x5C\xF8\x43\x20\x78\x93\x55\x16\x70\x19\x32\xE6\x89\xD7\x64\xEB\xBD\x48\x50\xFD\xF6\xD0\x41\x03\xC2\x74\xB7\xFD\xF6\x80\xCF\x5B\xC5\xAB\xA4\xD6\x95\x12\x9B\xE7\x97\x13\x32\x03\xE9\xD4\xAB\x43\x5B\x16\xED\x33\x22\x64\x29\xB6\xD2\x93\xAD\x2F\x6C\xD8\x3D\xB6\xF6\x1D\x0E\x34\xEE\xD2\x7D\xA9\x55\x0F\x20\xF4\xFD\x29\xBB\x91\x5B\x1C\x7D\xC6\x42\x38\x6D\x42\x28\x6D\xD4\x01\xFB\xCD\x88\x97\x49\x7E\xB8\xF3\x83\xF8\xB5\x98\x2F\xB3\x27\x0B\x48\x5E\x56\xE7\x4E\xA3\x33\xB3\x44\xD6\xA5\xF2\x18\x94\xED\x1C\x1E\xA9\x95\x5C\x62\x4A\xF8\x0D\x67\x51\xA9\xAF\x21\xD5\xF8\x32\x9D\x79\xBA\x1A\x5F\xE5\x04\x55\x4D\x13\x46\xFF\xF2\xCF\x74\xC7\x1A\x63\x6D\xC3\x1F\x17\x12\xC3\x1E\x10\x3E\x60\x08\xB3\x31\x02\x03\x01\x00\x01\xA3\x42\x30\x40\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xDD\x55\x17\x13\xF6\xAC\xE8\x48\x21\xCA\xEF\xB5\xAF\xD1\x00\x32\xED\x9E\x8C\xB5\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x03\x82\x01\x01\x00\x6F\x58\x0D\x97\x43\xAA\x16\x54\x3E\xBF\xA9\xDF\x92\x45\x3F\x85\x0B\xBB\x56\xD3\x0C\x52\xCC\xC8\xBF\x76\x67\x5E\xE6\xAA\xB3\xA7\xEF\xB9\xAC\xB4\x10\x14\x0D\x74\x7E\x3D\x6D\xAD\xD1\x7D\xD0\x9A\xA9\xA5\xCA\x18\x3B\x02\x40\x2E\x2A\x9C\x50\x14\x8B\xFE\x57\x7E\x57\x5C\x11\x09\x4B\x36\x45\
x52\xF7\x3D\xAC\x14\xFD\x44\xDF\x8B\x97\x23\xD4\xC3\xC1\xEE\xD4\x53\x95\xFE\x2C\x4A\xFE\x0D\x70\xAA\xBB\x8B\x2F\x2D\xCB\x32\xA3\x82\xF2\x54\xDF\xD8\xF2\xDD\xD7\x48\x72\xEE\x4A\xA3\x29\x96\xC3\x44\xCE\x6E\xB5\x92\x87\x76\xA4\xBB\xF4\x92\x6C\xCE\x2C\x14\x09\x66\x8E\x8D\xAD\x16\xB5\xC7\x1B\x09\x61\x3B\xE3\x20\xA2\x03\x80\x8E\xAD\x7E\x51\x00\x4E\xC7\x96\x86\xFB\x43\x98\x77\x7D\x28\xC7\x8F\xD8\x2A\x6E\xE7\x84\x6F\x97\x41\x29\x00\x16\x5E\x4D\xE2\x13\xEA\x59\xC0\x63\x67\x3A\x44\xFB\x98\xFC\x04\xD3\x30\x72\xA6\xF6\x87\x09\x57\xAD\x76\xA6\x1D\x63\x9A\xFD\xD7\x65\xC8\x78\x83\x2B\x75\x3B\xA5\x5B\xB8\x0D\x5D\x7F\xBE\x23\xAE\x56\x55\x94\x58\xEF\x1F\x81\x8C\x2A\xB2\xCD\xE6\x9B\x63\x9E\x18\xBC\xE5\x6B\x06\xB4\x0B\x98\x4B\x28\x5E\xAF\x88\x58\xCB", ["CN=Certinomis - Root CA,OU=0002 433998903,O=Certinomis,C=FR"] = "\x30\x82\x05\x92\x30\x82\x03\x7A\xA0\x03\x02\x01\x02\x02\x01\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x30\x5A\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x46\x52\x31\x13\x30\x11\x06\x03\x55\x04\x0A\x13\x0A\x43\x65\x72\x74\x69\x6E\x6F\x6D\x69\x73\x31\x17\x30\x15\x06\x03\x55\x04\x0B\x13\x0E\x30\x30\x30\x32\x20\x34\x33\x33\x39\x39\x38\x39\x30\x33\x31\x1D\x30\x1B\x06\x03\x55\x04\x03\x13\x14\x43\x65\x72\x74\x69\x6E\x6F\x6D\x69\x73\x20\x2D\x20\x52\x6F\x6F\x74\x20\x43\x41\x30\x1E\x17\x0D\x31\x33\x31\x30\x32\x31\x30\x39\x31\x37\x31\x38\x5A\x17\x0D\x33\x33\x31\x30\x32\x31\x30\x39\x31\x37\x31\x38\x5A\x30\x5A\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x46\x52\x31\x13\x30\x11\x06\x03\x55\x04\x0A\x13\x0A\x43\x65\x72\x74\x69\x6E\x6F\x6D\x69\x73\x31\x17\x30\x15\x06\x03\x55\x04\x0B\x13\x0E\x30\x30\x30\x32\x20\x34\x33\x33\x39\x39\x38\x39\x30\x33\x31\x1D\x30\x1B\x06\x03\x55\x04\x03\x13\x14\x43\x65\x72\x74\x69\x6E\x6F\x6D\x69\x73\x20\x2D\x20\x52\x6F\x6F\x74\x20\x43\x41\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\xD4\xCC\x09\x0A\x2C\x3F\x92\xF6\x7F\x14\x9E\x0B\x9C\x9A\x6A\x1D\x40\x3
0\x64\xFD\xAA\xDF\x0E\x1E\x06\x5B\x9F\x50\x85\xEA\xCD\x8D\xAB\x43\x67\xDE\xB0\xFA\x7E\x80\x96\x9E\x84\x78\x92\x48\xD6\xE3\x39\xEE\xCE\xE4\x59\x58\x97\xE5\x2E\x27\x98\xEA\x93\xA8\x77\x9B\x4A\xF0\xEF\x74\x80\x2D\xEB\x30\x1F\xB5\xD9\xC7\x80\x9C\x62\x27\x91\x88\xF0\x4A\x89\xDD\xDC\x88\xE6\x14\xF9\xD5\x03\x2F\xFF\x95\xDB\xBD\x9F\xEC\x2C\xFA\x14\x15\x59\x95\x0A\xC6\x47\x7C\x69\x18\xB9\xA7\x03\xF9\xCA\x76\xA9\xCF\xC7\x6F\xB4\x5E\x05\xFE\xEE\xC1\x52\xB2\x75\x32\x87\xEC\xED\x29\x66\x3B\xF3\x4A\x16\x82\xF6\xD6\x9A\xDB\x72\x98\xE9\xDE\xF0\xC5\x4C\xA5\xAB\xB5\xEA\x01\xE2\x8C\x2E\x64\x7F\x64\x6F\xFD\xA3\x25\x93\x8B\xC8\xA2\x0E\x49\x8D\x34\xF0\x1F\xEC\x58\x45\x2E\x34\xAA\x84\x50\xBD\xE7\xB2\x4A\x13\xB8\xB0\x0F\xAE\x38\x5D\xB0\xA9\x1B\xE6\x73\xC9\x5A\xA1\xD9\x66\x40\xAA\xA9\x4D\xA6\x34\x02\xAD\x84\x7E\xB2\x23\xC1\xFB\x2A\xC6\x67\xF4\x34\xB6\xB0\x95\x6A\x33\x4F\x71\x44\xB5\xAD\xC0\x79\x33\x88\xE0\xBF\xED\xA3\xA0\x14\xB4\x9C\x09\xB0\x0A\xE3\x60\xBE\xF8\xF8\x66\x88\xCD\x5B\xF1\x77\x05\xE0\xB5\x73\x6E\xC1\x7D\x46\x2E\x8E\x4B\x27\xA6\xCD\x35\x0A\xFD\xE5\x4D\x7D\xAA\x2A\xA3\x29\xC7\x5A\x68\x04\xE8\xE5\xD6\x93\xA4\x62\xC2\xC5\xE6\xF4\x4F\xC6\xF9\x9F\x1A\x8D\x82\x49\x19\x8A\xCA\x59\x43\x3A\xE8\x0D\x32\xC1\xF4\x4C\x13\x03\x6F\x6E\xA6\x3F\x91\x73\xCB\xCA\x73\x6F\x12\x20\x8B\xEE\xC0\x82\x78\xDE\x4B\x2E\xC2\x49\xC3\x1D\xED\x16\xF6\x24\xF4\x27\x1B\x5C\x57\x31\xDC\x55\xEE\xA8\x1E\x6F\x6C\xAC\xE2\x45\xCC\x57\x57\x8A\x75\x57\x19\xE0\xB5\x58\x99\x49\x36\x31\x3C\x33\x01\x6D\x16\x4A\xCD\xB8\x2A\x83\x84\x86\x9B\xF9\x60\xD2\x1F\x6D\x91\x03\xD3\x60\xA6\xD5\x3D\x9A\xDD\x77\x90\x3D\x35\xA4\x9F\x0F\x5E\xF5\x52\x44\x69\xB9\xC0\xBA\xDC\xCF\x7D\xDF\x7C\xD9\xC4\xAC\x86\x22\x32\xBC\x7B\x6B\x91\xEF\x7A\xF8\x17\x68\xB0\xE2\x53\x55\x60\x2D\xAF\x3E\xC2\x83\xD8\xD9\x09\x2B\xF0\xC0\x64\xDB\x87\x8B\x91\xCC\x91\xEB\x04\xFD\x76\xB4\x95\x9A\xE6\x14\x06\x1B\xD5\x34\x1D\xBE\xD8\xFF\x74\x1C\x53\x85\x99\xE0\x59\x52\x4A\x61\xED\x88\x9E\x6B\x49\x89\x46\x7E\x20\x5A\xD9\xE7\x4A\xE5\x6A\xEE\xD2\x65\x11\x43\x02\x03\x01\x00\x01\xA
3\x63\x30\x61\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xEF\x91\x4C\xF5\xA5\xC3\x30\xE8\x2F\x08\xEA\xD3\x71\x22\xA4\x92\x68\x78\x74\xD9\x30\x1F\x06\x03\x55\x1D\x23\x04\x18\x30\x16\x80\x14\xEF\x91\x4C\xF5\xA5\xC3\x30\xE8\x2F\x08\xEA\xD3\x71\x22\xA4\x92\x68\x78\x74\xD9\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x03\x82\x02\x01\x00\x7E\x3D\x54\xDA\x22\x5D\x1A\x58\x3E\x3B\x54\x27\xBA\xBA\xCC\xC8\xE3\x1A\x6A\xEA\x3E\xF9\x12\xEB\x56\x5F\x3D\x50\xCE\xE0\xEA\x48\x26\x26\xCF\x79\x56\x7E\x91\x1C\x99\x3F\xD0\xA1\x91\x1C\x2C\x0F\x4F\x98\x95\x59\x53\xBD\xD0\x22\xD8\x88\x5D\x9C\x37\xFC\xFB\x64\xC1\x78\x8C\x8B\x9A\x60\x09\xEA\xD5\xFA\x21\x5F\xD0\x74\x65\xE7\x50\xC5\xBF\x2E\xB9\x0B\x0B\xAD\xB5\xB0\x17\xA6\x12\x8C\xD4\x62\x78\xEA\x56\x6A\xEC\x0A\xD2\x40\xC3\x3C\x05\x30\x3E\x4D\x94\xB7\x9F\x4A\x03\xD3\x7D\x27\x4B\xB6\xFE\x44\xCE\xFA\x19\x33\x1A\x6D\xA4\x42\xD1\xDD\xCC\xC8\xC8\xD7\x16\x52\x83\x4F\x35\x94\xB3\x12\x55\x7D\xE5\xE2\x42\xEB\xE4\x9C\x93\x09\xC0\x4C\x5B\x07\xAB\xC7\x6D\x11\xA0\x50\x17\x94\x23\xA8\xB5\x0A\x92\x0F\xB2\x7A\xC1\x60\x2C\x38\xCC\x1A\xA6\x5B\xFF\xF2\x0C\xE3\xAA\x1F\x1C\xDC\xB8\xA0\x93\x27\xDE\x63\xE3\x7F\x21\x9F\x3A\xE5\x9E\xFA\xE0\x13\x6A\x75\xEB\x96\x5C\x62\x91\x94\x8E\x67\x53\xB6\x89\xF8\x12\x09\xCB\x6F\x52\x5B\x03\x72\x86\x50\x95\x08\xD4\x8D\x87\x86\x15\x1F\x95\x24\xD8\xA4\x6F\x9A\xCE\xA4\x9D\x9B\x6D\xD2\xB2\x76\x06\x86\xC6\x56\x08\xC5\xEB\x09\xDA\x36\xC2\x1B\x5B\x41\xBE\x61\x2A\xE3\x70\xE6\xB8\xA6\xF8\xB6\x5A\xC4\xBD\x21\xF7\xFF\xAA\x5F\xA1\x6C\x76\x39\x66\xD6\xEA\x4C\x55\xE1\x00\x33\x9B\x13\x98\x63\xC9\x6F\xD0\x01\x20\x09\x37\x52\xE7\x0C\x4F\x3E\xCD\xBC\xF5\x5F\x96\x27\xA7\x20\x02\x95\xE0\x2E\xE8\x07\x41\x05\x1F\x15\x6E\xD6\xB0\xE4\x19\xE0\x0F\x02\x93\x00\x27\x72\xC5\x8B\xD1\x54\x1F\x5D\x4A\xC3\x40\x97\x7E\x55\xA6\x7C\xC1\x33\x04\x14\x01\x1D\x49\x20\x69\x0B\x19\x93\x9D\x6E\x58\x22\xF7\x40\x0C\x46\x0C\x23\x63\xF
3\x39\xD2\x7F\x76\x51\xA7\xF4\xC8\xA1\xF1\x0C\x76\x22\x23\x46\x52\x29\x2D\xE2\xA3\x41\x07\x56\x69\x98\xD2\x05\x09\xBC\x69\xC7\x5A\x61\xCD\x8F\x81\x60\x15\x4D\x80\xDD\x90\xE2\x7D\xC4\x50\xF2\x8C\x3B\x6E\x4A\xC7\xC6\xE6\x80\x2B\x3C\x81\xBC\x11\x80\x16\x10\x27\xD7\xF0\xCD\x3F\x79\xCC\x73\x2A\xC3\x7E\x53\x91\xD6\x6E\xF8\xF5\xF3\xC7\xD0\x51\x4D\x8E\x4B\xA5\x5B\xE6\x19\x17\x3B\xD6\x81\x09\xDC\x22\xDC\xEE\x8E\xB9\xC4\x8F\x53\xE1\x67\xBB\x33\xB8\x88\x15\x46\xCF\xED\x69\x35\xFF\x75\x0D\x46\xF3\xCE\x71\xE1\xC5\x6B\x86\x42\x06\xB9\x41", ["CN=OISTE WISeKey Global Root GB CA,OU=OISTE Foundation Endorsed,O=WISeKey,C=CH"] = "\x30\x82\x03\xB5\x30\x82\x02\x9D\xA0\x03\x02\x01\x02\x02\x10\x76\xB1\x20\x52\x74\xF0\x85\x87\x46\xB3\xF8\x23\x1A\xF6\xC2\xC0\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x30\x6D\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x43\x48\x31\x10\x30\x0E\x06\x03\x55\x04\x0A\x13\x07\x57\x49\x53\x65\x4B\x65\x79\x31\x22\x30\x20\x06\x03\x55\x04\x0B\x13\x19\x4F\x49\x53\x54\x45\x20\x46\x6F\x75\x6E\x64\x61\x74\x69\x6F\x6E\x20\x45\x6E\x64\x6F\x72\x73\x65\x64\x31\x28\x30\x26\x06\x03\x55\x04\x03\x13\x1F\x4F\x49\x53\x54\x45\x20\x57\x49\x53\x65\x4B\x65\x79\x20\x47\x6C\x6F\x62\x61\x6C\x20\x52\x6F\x6F\x74\x20\x47\x42\x20\x43\x41\x30\x1E\x17\x0D\x31\x34\x31\x32\x30\x31\x31\x35\x30\x30\x33\x32\x5A\x17\x0D\x33\x39\x31\x32\x30\x31\x31\x35\x31\x30\x33\x31\x5A\x30\x6D\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x43\x48\x31\x10\x30\x0E\x06\x03\x55\x04\x0A\x13\x07\x57\x49\x53\x65\x4B\x65\x79\x31\x22\x30\x20\x06\x03\x55\x04\x0B\x13\x19\x4F\x49\x53\x54\x45\x20\x46\x6F\x75\x6E\x64\x61\x74\x69\x6F\x6E\x20\x45\x6E\x64\x6F\x72\x73\x65\x64\x31\x28\x30\x26\x06\x03\x55\x04\x03\x13\x1F\x4F\x49\x53\x54\x45\x20\x57\x49\x53\x65\x4B\x65\x79\x20\x47\x6C\x6F\x62\x61\x6C\x20\x52\x6F\x6F\x74\x20\x47\x42\x20\x43\x41\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xD8\x17\xB7\x1C\x4A\x24\x2A\xD6\x97\xB1\xCA\xE2\x
1E\xFB\x7D\x38\xEF\x98\xF5\xB2\x39\x98\x4E\x27\xB8\x11\x5D\x7B\xD2\x25\x94\x88\x82\x15\x26\x6A\x1B\x31\xBB\xA8\x5B\x21\x21\x2B\xD8\x0F\x4E\x9F\x5A\xF1\xB1\x5A\xE4\x79\xD6\x32\x23\x2B\xE1\x53\xCC\x99\x45\x5C\x7B\x4F\xAD\xBC\xBF\x87\x4A\x0B\x4B\x97\x5A\xA8\xF6\x48\xEC\x7D\x7B\x0D\xCD\x21\x06\xDF\x9E\x15\xFD\x41\x8A\x48\xB7\x20\xF4\xA1\x7A\x1B\x57\xD4\x5D\x50\xFF\xBA\x67\xD8\x23\x99\x1F\xC8\x3F\xE3\xDE\xFF\x6F\x5B\x77\xB1\x6B\x6E\xB8\xC9\x64\xF7\xE1\xCA\x41\x46\x0E\x29\x71\xD0\xB9\x23\xFC\xC9\x81\x5F\x4E\xF7\x6F\xDF\xBF\x84\xAD\x73\x64\xBB\xB7\x42\x8E\x69\xF6\xD4\x76\x1D\x7E\x9D\xA7\xB8\x57\x8A\x51\x67\x72\xD7\xD4\xA8\xB8\x95\x54\x40\x73\x03\xF6\xEA\xF4\xEB\xFE\x28\x42\x77\x3F\x9D\x23\x1B\xB2\xB6\x3D\x80\x14\x07\x4C\x2E\x4F\xF7\xD5\x0A\x16\x0D\xBD\x66\x43\x37\x7E\x23\x43\x79\xC3\x40\x86\xF5\x4C\x29\xDA\x8E\x9A\xAD\x0D\xA5\x04\x87\x88\x1E\x85\xE3\xE9\x53\xD5\x9B\xC8\x8B\x03\x63\x78\xEB\xE0\x19\x4A\x6E\xBB\x2F\x6B\x33\x64\x58\x93\xAD\x69\xBF\x8F\x1B\xEF\x82\x48\xC7\x02\x03\x01\x00\x01\xA3\x51\x30\x4F\x30\x0B\x06\x03\x55\x1D\x0F\x04\x04\x03\x02\x01\x86\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x35\x0F\xC8\x36\x63\x5E\xE2\xA3\xEC\xF9\x3B\x66\x15\xCE\x51\x52\xE3\x91\x9A\x3D\x30\x10\x06\x09\x2B\x06\x01\x04\x01\x82\x37\x15\x01\x04\x03\x02\x01\x00\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x03\x82\x01\x01\x00\x40\x4C\xFB\x87\xB2\x99\x81\x90\x7E\x9D\xC5\xB0\xB0\x26\xCD\x88\x7B\x2B\x32\x8D\x6E\xB8\x21\x71\x58\x97\x7D\xAE\x37\x14\xAF\x3E\xE7\xF7\x9A\xE2\x7D\xF6\x71\x98\x99\x04\xAA\x43\x74\x78\xA3\xE3\x49\x61\x3E\x73\x8C\x4D\x94\xE0\xF9\x71\xC4\xB6\x16\x0E\x53\x78\x1F\xD6\xA2\x87\x2F\x02\x39\x81\x29\x3C\xAF\x15\x98\x21\x30\xFE\x28\x90\x00\x8C\xD1\xE1\xCB\xFA\x5E\xC8\xFD\xF8\x10\x46\x3B\xA2\x78\x42\x91\x17\x74\x55\x0A\xDE\x50\x67\x4D\x66\xD1\xA7\xFF\xFD\xD9\xC0\xB5\xA8\xA3\x8A\xCE\x66\xF5\x0F\x43\xCD\xA7\x2B\x57\x7B\x63\x46\x6A\xAA\x2E\x52\xD8\xF4\xED\xE1\x6D\xAD\x29\x90\x78\x48\xBA\xE1\x23\xAA\x
A3\x89\xEC\xB5\xAB\x96\xC0\xB4\x4B\xA2\x1D\x97\x9E\x7A\xF2\x6E\x40\x71\xDF\x68\xF1\x65\x4D\xCE\x7C\x05\xDF\x53\x65\xA9\xA5\xF0\xB1\x97\x04\x70\x15\x46\x03\x98\xD4\xD2\xBF\x54\xB4\xA0\x58\x7D\x52\x6F\xDA\x56\x26\x62\xD4\xD8\xDB\x89\x31\x6F\x1C\xF0\x22\xC2\xD3\x62\x1C\x35\xCD\x4C\x69\x15\x54\x1A\x90\x98\xDE\xEB\x1E\x5F\xCA\x77\xC7\xCB\x8E\x3D\x43\x69\x9C\x9A\x58\xD0\x24\x3B\xDF\x1B\x40\x96\x7E\x35\xAD\x81\xC7\x4E\x71\xBA\x88\x13", - ["CN=Certification Authority of WoSign G2,O=WoSign CA Limited,C=CN"] = "\x30\x82\x03\x7C\x30\x82\x02\x64\xA0\x03\x02\x01\x02\x02\x10\x6B\x25\xDA\x8A\x88\x9D\x7C\xBC\x0F\x05\xB3\xB1\x7A\x61\x45\x44\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x30\x58\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x43\x4E\x31\x1A\x30\x18\x06\x03\x55\x04\x0A\x13\x11\x57\x6F\x53\x69\x67\x6E\x20\x43\x41\x20\x4C\x69\x6D\x69\x74\x65\x64\x31\x2D\x30\x2B\x06\x03\x55\x04\x03\x13\x24\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x20\x6F\x66\x20\x57\x6F\x53\x69\x67\x6E\x20\x47\x32\x30\x1E\x17\x0D\x31\x34\x31\x31\x30\x38\x30\x30\x35\x38\x35\x38\x5A\x17\x0D\x34\x34\x31\x31\x30\x38\x30\x30\x35\x38\x35\x38\x5A\x30\x58\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x43\x4E\x31\x1A\x30\x18\x06\x03\x55\x04\x0A\x13\x11\x57\x6F\x53\x69\x67\x6E\x20\x43\x41\x20\x4C\x69\x6D\x69\x74\x65\x64\x31\x2D\x30\x2B\x06\x03\x55\x04\x03\x13\x24\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x20\x6F\x66\x20\x57\x6F\x53\x69\x67\x6E\x20\x47\x32\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xBE\xC5\xC4\xA0\x22\x80\x49\x4F\xBF\xD9\x87\x11\xC6\x53\xE1\xBB\x0F\xBD\x60\x7F\xAF\xF6\x82\x0E\x1F\xDC\xB0\x8E\x3D\x97\xE0\x50\x3C\x8F\x3A\xEF\x66\x3B\x45\x07\x9B\x20\xF8\xE3\xD7\x25\x86\x35\x90\x16\xA2\x5D\x6F\x30\x19\x08\x87\x0B\x7F\x06\xB2\x9D\x62\x8F\xDE\xAF\x92\xA5\x60\xD4\x2B\x80\x9A\x52\x3F\xF5\x9A\x83\xE9\x34\x5A\xCB\
xD9\xD5\x62\x5C\xE6\x0E\xE0\xDF\x06\x98\x0E\x80\x7C\xCA\xB4\x1D\x13\x88\x6B\x0E\xA8\x24\x77\x03\xD0\xEE\x5B\xF3\xCA\x69\x91\x35\x39\x56\xC5\x6D\xE3\xF7\x3D\x4F\x5E\x93\x38\x24\xCA\x18\xE9\x24\xCB\x92\x03\xDD\xCC\x1C\x3D\x09\x70\xE4\x20\xE4\xF1\xAE\xAC\xBB\x73\x69\xA3\x63\x3A\x0F\x45\x0F\xA1\x4A\x9A\xC2\xD1\x63\xAC\xCB\x10\xF8\x3D\xE6\x4E\x28\xB7\xEB\xC4\x95\xB1\xAC\xFD\x5E\xAB\xFA\x41\xCB\x5D\x9D\x4B\xDC\xF4\x7C\x76\xEF\x67\x7F\x00\x7A\x8D\xD2\xA0\x1A\x5C\x4D\x22\xE1\xB5\xDA\xDD\x76\xB3\xD4\x76\xDF\x5E\xB8\x8B\x98\xC8\x14\x54\xCC\x6B\x17\x92\xB7\xE0\x4A\xBF\x49\x94\x61\x0B\x38\x90\x8F\x5D\x24\x6C\x25\x7B\x3B\x79\xD9\xE2\x7E\x9D\xAD\x9F\x98\xA1\x06\xFC\x78\x14\x60\x57\xF8\xEE\x80\x77\xB1\x02\x03\x01\x00\x01\xA3\x42\x30\x40\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xFA\x60\xA9\xEB\x65\xC5\xDD\x16\x14\x08\x4E\x0C\x0F\x8D\x9B\xE0\xF7\x64\xAF\x67\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x03\x82\x01\x01\x00\x57\xC3\x7A\x36\x82\x9C\x8D\x98\xE2\xAB\x40\xAA\x47\x8F\xC7\xA7\x5B\xED\x7C\xE7\x3D\x66\x5A\x3B\x31\xBB\xDF\xF3\x16\x33\x91\xFC\x7C\x7B\xA5\xC2\xA6\x66\xE3\xAA\xB0\xB7\x27\x98\x3F\x49\xD7\x60\x67\x67\x3F\x36\x4F\x4A\xCB\xF1\x14\xFA\x5A\x87\x28\x1C\xED\x8F\x41\x32\xC6\x95\xF9\x7D\xDA\xBD\x7B\x5B\xC2\xB0\x21\xE3\x8F\x46\xDC\x21\x38\x43\x74\x4C\xFB\x30\xF8\x17\x72\xC1\x32\xFC\xC8\x91\x17\xC4\xCC\x58\x37\x4E\x0B\xCC\x5A\xF7\x21\x35\x28\x83\x6C\x60\x2D\x44\xEB\x52\x8C\x50\x3D\xB5\x6C\x12\xD7\xFA\x09\xBB\x6C\xB2\x4A\xB1\xC5\x89\xE4\xFC\xD3\x52\xD8\x61\x17\xFE\x7A\x94\x84\x8F\x79\xB6\x33\x59\xBA\x0F\xC4\x0B\xE2\x70\xA0\x4B\x78\x2E\xFA\xC8\x9F\xFD\xAF\x91\x65\x0A\x78\x38\x15\xE5\x97\x17\x14\xDD\xF9\xE0\x2C\x34\xF8\x38\xD0\x84\x22\x00\xC0\x14\x51\x18\x2B\x02\xDC\x30\x5A\xF0\xE8\x01\x7C\x35\x3A\x23\xAF\x08\xE4\xAF\xAA\x8E\x28\x42\x49\x2E\xF0\xF5\x99\x34\xBE\xED\x0F\x4B\x18\xE1\xD2\x24\x3C\xBB\x5D\x47\xB7\x21\xF2\x8D\xD1\x0A\x99\
x8E\xE3\x6E\x3E\xAD\x70\xE0\x8F\xB9\xCA\xCC\x6E\x81\x31\xF6\x7B\x9C\x7A\x79\xE4\x67\x71\x18", - ["CN=CA WoSign ECC Root,O=WoSign CA Limited,C=CN"] = "\x30\x82\x02\x09\x30\x82\x01\x8F\xA0\x03\x02\x01\x02\x02\x10\x68\x4A\x58\x70\x80\x6B\xF0\x8F\x02\xFA\xF6\xDE\xE8\xB0\x90\x90\x30\x0A\x06\x08\x2A\x86\x48\xCE\x3D\x04\x03\x03\x30\x46\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x43\x4E\x31\x1A\x30\x18\x06\x03\x55\x04\x0A\x13\x11\x57\x6F\x53\x69\x67\x6E\x20\x43\x41\x20\x4C\x69\x6D\x69\x74\x65\x64\x31\x1B\x30\x19\x06\x03\x55\x04\x03\x13\x12\x43\x41\x20\x57\x6F\x53\x69\x67\x6E\x20\x45\x43\x43\x20\x52\x6F\x6F\x74\x30\x1E\x17\x0D\x31\x34\x31\x31\x30\x38\x30\x30\x35\x38\x35\x38\x5A\x17\x0D\x34\x34\x31\x31\x30\x38\x30\x30\x35\x38\x35\x38\x5A\x30\x46\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x43\x4E\x31\x1A\x30\x18\x06\x03\x55\x04\x0A\x13\x11\x57\x6F\x53\x69\x67\x6E\x20\x43\x41\x20\x4C\x69\x6D\x69\x74\x65\x64\x31\x1B\x30\x19\x06\x03\x55\x04\x03\x13\x12\x43\x41\x20\x57\x6F\x53\x69\x67\x6E\x20\x45\x43\x43\x20\x52\x6F\x6F\x74\x30\x76\x30\x10\x06\x07\x2A\x86\x48\xCE\x3D\x02\x01\x06\x05\x2B\x81\x04\x00\x22\x03\x62\x00\x04\xE1\xFD\x8E\xB8\x43\x24\xAB\x96\x7B\x85\xC2\xBA\x0B\xAD\x8D\xE0\x3A\xE3\x24\xB9\xD2\xB1\xBE\x88\x3A\xCA\xBF\x4A\xB8\xF9\xEF\x2C\x2F\xAF\x51\x50\x3C\x47\x75\x6C\xF8\x94\xB7\x9B\xFC\x28\x1E\xC5\x54\xCC\x63\x9D\x16\x4B\x53\xC1\xE7\x20\xAB\xCD\xAC\x25\xD2\x7F\x8F\xC2\xC1\x5A\x82\x5E\x30\x8B\x7A\x54\xCE\x03\xB5\x91\x7F\xAA\x94\xD0\xD1\x8A\x48\xCC\x82\x05\x26\xA1\xD5\x51\x12\xD6\x7B\x36\xA3\x42\x30\x40\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xAA\xFD\xD5\x5A\xA3\xF6\x87\x8B\x32\x85\xFD\xD1\x32\x5B\x80\x45\x93\xF3\x03\xB8\x30\x0A\x06\x08\x2A\x86\x48\xCE\x3D\x04\x03\x03\x03\x68\x00\x30\x65\x02\x31\x00\xE4\xA4\x84\xB0\x81\xD5\x3D\xB0\x74\xAC\x94\xA4\xE8\x0E\x3D\x00\x74\x4C\xA1\x97\x6B\xF9\x0D\x51\x3C\xA1\xD9\x3B\xF4\x0D\xAB\xA9\x9F\xBE\x4E\x
72\xCA\x85\xD4\xD9\xEC\xB5\x32\x45\x18\x6F\xAB\xAD\x02\x30\x7D\xC7\xF7\x69\x63\x2F\xA1\xE1\x98\xEF\x13\x10\xD1\x79\x3F\xD1\xFE\xEA\x3B\x7F\xDE\x56\xF4\x90\xB1\x15\x11\xD8\xB2\x22\x15\xD0\x2F\xC3\x26\x2E\x6B\xF1\x91\xB2\x90\x65\xF4\x9A\xE6\x90\xEE\x4A", ["CN=SZAFIR ROOT CA2,O=Krajowa Izba Rozliczeniowa S.A.,C=PL"] = "\x30\x82\x03\x72\x30\x82\x02\x5A\xA0\x03\x02\x01\x02\x02\x14\x3E\x8A\x5D\x07\xEC\x55\xD2\x32\xD5\xB7\xE3\xB6\x5F\x01\xEB\x2D\xDC\xE4\xD6\xE4\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x30\x51\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x50\x4C\x31\x28\x30\x26\x06\x03\x55\x04\x0A\x0C\x1F\x4B\x72\x61\x6A\x6F\x77\x61\x20\x49\x7A\x62\x61\x20\x52\x6F\x7A\x6C\x69\x63\x7A\x65\x6E\x69\x6F\x77\x61\x20\x53\x2E\x41\x2E\x31\x18\x30\x16\x06\x03\x55\x04\x03\x0C\x0F\x53\x5A\x41\x46\x49\x52\x20\x52\x4F\x4F\x54\x20\x43\x41\x32\x30\x1E\x17\x0D\x31\x35\x31\x30\x31\x39\x30\x37\x34\x33\x33\x30\x5A\x17\x0D\x33\x35\x31\x30\x31\x39\x30\x37\x34\x33\x33\x30\x5A\x30\x51\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x50\x4C\x31\x28\x30\x26\x06\x03\x55\x04\x0A\x0C\x1F\x4B\x72\x61\x6A\x6F\x77\x61\x20\x49\x7A\x62\x61\x20\x52\x6F\x7A\x6C\x69\x63\x7A\x65\x6E\x69\x6F\x77\x61\x20\x53\x2E\x41\x2E\x31\x18\x30\x16\x06\x03\x55\x04\x03\x0C\x0F\x53\x5A\x41\x46\x49\x52\x20\x52\x4F\x4F\x54\x20\x43\x41\x32\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xB7\xBC\x3E\x50\xA8\x4B\xCD\x40\xB5\xCE\x61\xE7\x96\xCA\xB4\xA1\xDA\x0C\x22\xB0\xFA\xB5\x7B\x76\x00\x77\x8C\x0B\xCF\x7D\xA8\x86\xCC\x26\x51\xE4\x20\x3D\x85\x0C\xD6\x58\xE3\xE7\xF4\x2A\x18\x9D\xDA\xD1\xAE\x26\xEE\xEB\x53\xDC\xF4\x90\xD6\x13\x4A\x0C\x90\x3C\xC3\xF4\xDA\xD2\x8E\x0D\x92\x3A\xDC\xB1\xB1\xFF\x38\xDE\xC3\xBA\x2D\x5F\x80\xB9\x02\xBD\x4A\x9D\x1B\x0F\xB4\xC3\xC2\xC1\x67\x03\xDD\xDC\x1B\x9C\x3D\xB3\xB0\xDE\x00\x1E\xA8\x34\x47\xBB\x9A\xEB\xFE\x0B\x14\xBD\x36\x84\xDA\x0D\x20\xBF\xFA\x5B\xCB\xA9\x16\x20\xAD\x39\x60\xEE\x2F\x75\xB6\xE7\x97\x9C\xF9\x
3E\xFD\x7E\x4D\x6F\x4D\x2F\xEF\x88\x0D\x6A\xFA\xDD\xF1\x3D\x6E\x20\xA5\xA0\x12\xB4\x4D\x70\xB9\xCE\xD7\x72\x3B\x89\x93\xA7\x80\x84\x1C\x27\x49\x72\x49\xB5\xFF\x3B\x95\x9E\xC1\xCC\xC8\x01\xEC\xE8\x0E\x8A\x0A\x96\xE7\xB3\xA6\x87\xE5\xD6\xF9\x05\x2B\x0D\x97\x40\x70\x3C\xBA\xAC\x75\x5A\x9C\xD5\x4D\x9D\x02\x0A\xD2\x4B\x9B\x66\x4B\x46\x07\x17\x65\xAD\x9F\x6C\x88\x00\xDC\x22\x89\xE0\xE1\x64\xD4\x67\xBC\x31\x79\x61\x3C\xBB\xCA\x41\xCD\x5C\x6A\x00\xC8\x3C\x38\x8E\x58\xAF\x02\x03\x01\x00\x01\xA3\x42\x30\x40\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x2E\x16\xA9\x4A\x18\xB5\xCB\xCC\xF5\x6F\x50\xF3\x23\x5F\xF8\x5D\xE7\xAC\xF0\xC8\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x03\x82\x01\x01\x00\xB5\x73\xF8\x03\xDC\x59\x5B\x1D\x76\xE9\xA3\x2A\x7B\x90\x28\xB2\x4D\xC0\x33\x4F\xAA\x9A\xB1\xD4\xB8\xE4\x27\xFF\xA9\x96\x99\xCE\x46\xE0\x6D\x7C\x4C\xA2\x38\xA4\x06\x70\xF0\xF4\x41\x11\xEC\x3F\x47\x8D\x3F\x72\x87\xF9\x3B\xFD\xA4\x6F\x2B\x53\x00\xE0\xFF\x39\xB9\x6A\x07\x0E\xEB\x1D\x1C\xF6\xA2\x72\x90\xCB\x82\x3D\x11\x82\x8B\xD2\xBB\x9F\x2A\xAF\x21\xE6\x63\x86\x9D\x79\x19\xEF\xF7\xBB\x0C\x35\x90\xC3\x8A\xED\x4F\x0F\xF5\xCC\x12\xD9\xA4\x3E\xBB\xA0\xFC\x20\x95\x5F\x4F\x26\x2F\x11\x23\x83\x4E\x75\x07\x0F\xBF\x9B\xD1\xB4\x1D\xE9\x10\x04\xFE\xCA\x60\x8F\xA2\x4C\xB8\xAD\xCF\xE1\x90\x0F\xCD\xAE\x0A\xC7\x5D\x7B\xB7\x50\xD2\xD4\x61\xFA\xD5\x15\xDB\xD7\x9F\x87\x51\x54\xEB\xA5\xE3\xEB\xC9\x85\xA0\x25\x20\x37\xFB\x8E\xCE\x0C\x34\x84\xE1\x3C\x81\xB2\x77\x4E\x43\xA5\x88\x5F\x86\x67\xA1\x3D\xE6\xB4\x5C\x61\xB6\x3E\xDB\xFE\xB7\x28\xC5\xA2\x07\xAE\xB5\xCA\xCA\x8D\x2A\x12\xEF\x97\xED\xC2\x30\xA4\xC9\x2A\x7A\xFB\xF3\x4D\x23\x1B\x99\x33\x34\xA0\x2E\xF5\xA9\x0B\x3F\xD4\x5D\xE1\xCF\x84\x9F\xE2\x19\xC2\x5F\x8A\xD6\x20\x1E\xE3\x73\xB7", ["CN=Certum Trusted Network CA 2,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL"] = 
"\x30\x82\x05\xD2\x30\x82\x03\xBA\xA0\x03\x02\x01\x02\x02\x10\x21\xD6\xD0\x4A\x4F\x25\x0F\xC9\x32\x37\xFC\xAA\x5E\x12\x8D\xE9\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0D\x05\x00\x30\x81\x80\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x50\x4C\x31\x22\x30\x20\x06\x03\x55\x04\x0A\x13\x19\x55\x6E\x69\x7A\x65\x74\x6F\x20\x54\x65\x63\x68\x6E\x6F\x6C\x6F\x67\x69\x65\x73\x20\x53\x2E\x41\x2E\x31\x27\x30\x25\x06\x03\x55\x04\x0B\x13\x1E\x43\x65\x72\x74\x75\x6D\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x31\x24\x30\x22\x06\x03\x55\x04\x03\x13\x1B\x43\x65\x72\x74\x75\x6D\x20\x54\x72\x75\x73\x74\x65\x64\x20\x4E\x65\x74\x77\x6F\x72\x6B\x20\x43\x41\x20\x32\x30\x22\x18\x0F\x32\x30\x31\x31\x31\x30\x30\x36\x30\x38\x33\x39\x35\x36\x5A\x18\x0F\x32\x30\x34\x36\x31\x30\x30\x36\x30\x38\x33\x39\x35\x36\x5A\x30\x81\x80\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x50\x4C\x31\x22\x30\x20\x06\x03\x55\x04\x0A\x13\x19\x55\x6E\x69\x7A\x65\x74\x6F\x20\x54\x65\x63\x68\x6E\x6F\x6C\x6F\x67\x69\x65\x73\x20\x53\x2E\x41\x2E\x31\x27\x30\x25\x06\x03\x55\x04\x0B\x13\x1E\x43\x65\x72\x74\x75\x6D\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x31\x24\x30\x22\x06\x03\x55\x04\x03\x13\x1B\x43\x65\x72\x74\x75\x6D\x20\x54\x72\x75\x73\x74\x65\x64\x20\x4E\x65\x74\x77\x6F\x72\x6B\x20\x43\x41\x20\x32\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\xBD\xF9\x78\xF8\xE6\xD5\x80\x0C\x64\x9D\x86\x1B\x96\x64\x67\x3F\x22\x3A\x1E\x75\x01\x7D\xEF\xFB\x5C\x67\x8C\xC9\xCC\x5C\x6B\xA9\x91\xE6\xB9\x42\xE5\x20\x4B\x9B\xDA\x9B\x7B\xB9\x99\x5D\xD9\x9B\x80\x4B\xD7\x84\x40\x2B\x27\xD3\xE8\xBA\x30\xBB\x3E\x09\x1A\xA7\x49\x95\xEF\x2B\x40\x24\xC2\x97\xC7\xA7\xEE\x9B\x25\xEF\xA8\x0A\x00\x97\x85\x5A\xAA\x9D\xDC\x29\xC9\xE2\x35\x07\xEB\x70\x4D\x4A\xD6\xC1\xB3\x56\xB8\xA1\x41\x38\x9B\xD1\xFB\x31\x7F\x8F\xE0\x5F\xE1\xB1\x3F\x0F\x8E\x16\x49\x60\xD7\x06\x8
D\x18\xF9\xAA\x26\x10\xAB\x2A\xD3\xD0\xD1\x67\x8D\x1B\x46\xBE\x47\x30\xD5\x2E\x72\xD1\xC5\x63\xDA\xE7\x63\x79\x44\x7E\x4B\x63\x24\x89\x86\x2E\x34\x3F\x29\x4C\x52\x8B\x2A\xA7\xC0\xE2\x91\x28\x89\xB9\xC0\x5B\xF9\x1D\xD9\xE7\x27\xAD\xFF\x9A\x02\x97\xC1\xC6\x50\x92\x9B\x02\x2C\xBD\xA9\xB9\x34\x59\x0A\xBF\x84\x4A\xFF\xDF\xFE\xB3\x9F\xEB\xD9\x9E\xE0\x98\x23\xEC\xA6\x6B\x77\x16\x2A\xDB\xCC\xAD\x3B\x1C\xA4\x87\xDC\x46\x73\x5E\x19\x62\x68\x45\x57\xE4\x90\x82\x42\xBB\x42\xD6\xF0\x61\xE0\xC1\xA3\x3D\x66\xA3\x5D\xF4\x18\xEE\x88\xC9\x8D\x17\x45\x29\x99\x32\x75\x02\x31\xEE\x29\x26\xC8\x6B\x02\xE6\xB5\x62\x45\x7F\x37\x15\x5A\x23\x68\x89\xD4\x3E\xDE\x4E\x27\xB0\xF0\x40\x0C\xBC\x4D\x17\xCB\x4D\xA2\xB3\x1E\xD0\x06\x5A\xDD\xF6\x93\xCF\x57\x75\x99\xF5\xFA\x86\x1A\x67\x78\xB3\xBF\x96\xFE\x34\xDC\xBD\xE7\x52\x56\xE5\xB3\xE5\x75\x7B\xD7\x41\x91\x05\xDC\x5D\x69\xE3\x95\x0D\x43\xB9\xFC\x83\x96\x39\x95\x7B\x6C\x80\x5A\x4F\x13\x72\xC6\xD7\x7D\x29\x7A\x44\xBA\x52\xA4\x2A\xD5\x41\x46\x09\x20\xFE\x22\xA0\xB6\x5B\x30\x8D\xBC\x89\x0C\xD5\xD7\x70\xF8\x87\x52\xFD\xDA\xEF\xAC\x51\x2E\x07\xB3\x4E\xFE\xD0\x09\xDA\x70\xEF\x98\xFA\x56\xE6\x6D\xDB\xB5\x57\x4B\xDC\xE5\x2C\x25\x15\xC8\x9E\x2E\x78\x4E\xF8\xDA\x9C\x9E\x86\x2C\xCA\x57\xF3\x1A\xE5\xC8\x92\x8B\x1A\x82\x96\x7A\xC3\xBC\x50\x12\x69\xD8\x0E\x5A\x46\x8B\x3A\xEB\x26\xFA\x23\xC9\xB6\xB0\x81\xBE\x42\x00\xA4\xF8\xD6\xFE\x30\x2E\xC7\xD2\x46\xF6\xE5\x8E\x75\xFD\xF2\xCC\xB9\xD0\x87\x5B\xCC\x06\x10\x60\xBB\x83\x35\xB7\x5E\x67\xDE\x47\xEC\x99\x48\xF1\xA4\xA1\x15\xFE\xAD\x8C\x62\x8E\x39\x55\x4F\x39\x16\xB9\xB1\x63\x9D\xFF\xB7\x02\x03\x01\x00\x01\xA3\x42\x30\x40\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xB6\xA1\x54\x39\x02\xC3\xA0\x3F\x8E\x8A\xBC\xFA\xD4\xF8\x1C\xA6\xD1\x3A\x0E\xFD\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0D\x05\x00\x03\x82\x02\x01\x00\x71\xA5\x0E\xCE\xE4\xE9\xBF\x3F\x38\xD5\x89\x5A\xC4\x02\x61\xFB\x4C\xC
5\x14\x17\x2D\x8B\x4F\x53\x6B\x10\x17\xFC\x65\x84\xC7\x10\x49\x90\xDE\xDB\xC7\x26\x93\x88\x26\x6F\x70\xD6\x02\x5E\x39\xA0\xF7\x8F\xAB\x96\xB5\xA5\x13\x5C\x81\x14\x6D\x0E\x81\x82\x11\x1B\x8A\x4E\xC6\x4F\xA5\xDD\x62\x1E\x44\xDF\x09\x59\xF4\x5B\x77\x0B\x37\xE9\x8B\x20\xC6\xF8\x0A\x4E\x2E\x58\x1C\xEB\x33\xD0\xCF\x86\x60\xC9\xDA\xFB\x80\x2F\x9E\x4C\x60\x84\x78\x3D\x21\x64\xD6\xFB\x41\x1F\x18\x0F\xE7\xC9\x75\x71\xBD\xBD\x5C\xDE\x34\x87\x3E\x41\xB0\x0E\xF6\xB9\xD6\x3F\x09\x13\x96\x14\x2F\xDE\x9A\x1D\x5A\xB9\x56\xCE\x35\x3A\xB0\x5F\x70\x4D\x5E\xE3\x29\xF1\x23\x28\x72\x59\xB6\xAB\xC2\x8C\x66\x26\x1C\x77\x2C\x26\x76\x35\x8B\x28\xA7\x69\xA0\xF9\x3B\xF5\x23\xDD\x85\x10\x74\xC9\x90\x03\x56\x91\xE7\xAF\xBA\x47\xD4\x12\x97\x11\x22\xE3\xA2\x49\x94\x6C\xE7\xB7\x94\x4B\xBA\x2D\xA4\xDA\x33\x8B\x4C\xA6\x44\xFF\x5A\x3C\xC6\x1D\x64\xD8\xB5\x31\xE4\xA6\x3C\x7A\xA8\x57\x0B\xDB\xED\x61\x1A\xCB\xF1\xCE\x73\x77\x63\xA4\x87\x6F\x4C\x51\x38\xD6\xE4\x5F\xC7\x9F\xB6\x81\x2A\xE4\x85\x48\x79\x58\x5E\x3B\xF8\xDB\x02\x82\x67\xC1\x39\xDB\xC3\x74\x4B\x3D\x36\x1E\xF9\x29\x93\x88\x68\x5B\xA8\x44\x19\x21\xF0\xA7\xE8\x81\x0D\x2C\xE8\x93\x36\xB4\x37\xB2\xCA\xB0\x1B\x26\x7A\x9A\x25\x1F\x9A\x9A\x80\x9E\x4B\x2A\x3F\xFB\xA3\x9A\xFE\x73\x32\x71\xC2\x9E\xC6\x72\xE1\x8A\x68\x27\xF1\xE4\x0F\xB4\xC4\x4C\xA5\x61\x93\xF8\x97\x10\x07\x2A\x30\x25\xA9\xB9\xC8\x71\xB8\xEF\x68\xCC\x2D\x7E\xF5\xE0\x7E\x0F\x82\xA8\x6F\xB6\xBA\x6C\x83\x43\x77\xCD\x8A\x92\x17\xA1\x9E\x5B\x78\x16\x3D\x45\xE2\x33\x72\xDD\xE1\x66\xCA\x99\xD3\xC9\xC5\x26\xFD\x0D\x68\x04\x46\xAE\xB6\xD9\x9B\x8C\xBE\x19\xBE\xB1\xC6\xF2\x19\xE3\x5C\x02\xCA\x2C\xD8\x6F\x4A\x07\xD9\xC9\x35\xDA\x40\x75\xF2\xC4\xA7\x19\x6F\x9E\x42\x10\x98\x75\xE6\x95\x8B\x60\xBC\xED\xC5\x12\xD7\x8A\xCE\xD5\x98\x5C\x56\x96\x03\xC5\xEE\x77\x06\x35\xFF\xCF\xE4\xEE\x3F\x13\x61\xEE\xDB\xDA\x2D\x85\xF0\xCD\xAE\x9D\xB2\x18\x09\x45\xC3\x92\xA1\x72\x17\xFC\x47\xB6\xA0\x0B\x2C\xF1\xC4\xDE\x43\x68\x08\x6A\x5F\x3B\xF0\x76\x63\xFB\xCC\x06\x2C\xA6\xC6\xE2\x0E\xB5\xB9\xBE\x24\x8F", ["CN=Hellenic 
Academic and Research Institutions RootCA 2015,O=Hellenic Academic and Research Institutions Cert. Authority,L=Athens,C=GR"] = "\x30\x82\x06\x0B\x30\x82\x03\xF3\xA0\x03\x02\x01\x02\x02\x01\x00\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x30\x81\xA6\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x47\x52\x31\x0F\x30\x0D\x06\x03\x55\x04\x07\x13\x06\x41\x74\x68\x65\x6E\x73\x31\x44\x30\x42\x06\x03\x55\x04\x0A\x13\x3B\x48\x65\x6C\x6C\x65\x6E\x69\x63\x20\x41\x63\x61\x64\x65\x6D\x69\x63\x20\x61\x6E\x64\x20\x52\x65\x73\x65\x61\x72\x63\x68\x20\x49\x6E\x73\x74\x69\x74\x75\x74\x69\x6F\x6E\x73\x20\x43\x65\x72\x74\x2E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x31\x40\x30\x3E\x06\x03\x55\x04\x03\x13\x37\x48\x65\x6C\x6C\x65\x6E\x69\x63\x20\x41\x63\x61\x64\x65\x6D\x69\x63\x20\x61\x6E\x64\x20\x52\x65\x73\x65\x61\x72\x63\x68\x20\x49\x6E\x73\x74\x69\x74\x75\x74\x69\x6F\x6E\x73\x20\x52\x6F\x6F\x74\x43\x41\x20\x32\x30\x31\x35\x30\x1E\x17\x0D\x31\x35\x30\x37\x30\x37\x31\x30\x31\x31\x32\x31\x5A\x17\x0D\x34\x30\x30\x36\x33\x30\x31\x30\x31\x31\x32\x31\x5A\x30\x81\xA6\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x47\x52\x31\x0F\x30\x0D\x06\x03\x55\x04\x07\x13\x06\x41\x74\x68\x65\x6E\x73\x31\x44\x30\x42\x06\x03\x55\x04\x0A\x13\x3B\x48\x65\x6C\x6C\x65\x6E\x69\x63\x20\x41\x63\x61\x64\x65\x6D\x69\x63\x20\x61\x6E\x64\x20\x52\x65\x73\x65\x61\x72\x63\x68\x20\x49\x6E\x73\x74\x69\x74\x75\x74\x69\x6F\x6E\x73\x20\x43\x65\x72\x74\x2E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x31\x40\x30\x3E\x06\x03\x55\x04\x03\x13\x37\x48\x65\x6C\x6C\x65\x6E\x69\x63\x20\x41\x63\x61\x64\x65\x6D\x69\x63\x20\x61\x6E\x64\x20\x52\x65\x73\x65\x61\x72\x63\x68\x20\x49\x6E\x73\x74\x69\x74\x75\x74\x69\x6F\x6E\x73\x20\x52\x6F\x6F\x74\x43\x41\x20\x32\x30\x31\x35\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\xC2\xF8\xA9\x3F\x1B\x89\xFC\x3C\x3C\x04\x5D\x3D\x90\x36\xB0\x91\x3A\x79\x3C\x66\x5A\xEF\x6D\x39\x01\x49\x1A\xB4\xB7\xCF\x7F\x4D\x23\x53
\xB7\x90\x00\xE3\x13\x2A\x28\xA6\x31\xF1\x91\x00\xE3\x28\xEC\xAE\x21\x41\xCE\x1F\xDA\xFD\x7D\x12\x5B\x01\x83\x0F\xB9\xB0\x5F\x99\xE1\xF2\x12\x83\x80\x4D\x06\x3E\xDF\xAC\xAF\xE7\xA1\x88\x6B\x31\xAF\xF0\x8B\xD0\x18\x33\xB8\xDB\x45\x6A\x34\xF4\x02\x80\x24\x28\x0A\x02\x15\x95\x5E\x76\x2A\x0D\x99\x3A\x14\x5B\xF6\xCB\xCB\x53\xBC\x13\x4D\x01\x88\x37\x94\x25\x1B\x42\xBC\x22\xD8\x8E\xA3\x96\x5E\x3A\xD9\x32\xDB\x3E\xE8\xF0\x10\x65\xED\x74\xE1\x2F\xA7\x7C\xAF\x27\x34\xBB\x29\x7D\x9B\xB6\xCF\x09\xC8\xE5\xD3\x0A\xFC\x88\x65\x65\x74\x0A\xDC\x73\x1C\x5C\xCD\x40\xB1\x1C\xD4\xB6\x84\x8C\x4C\x50\xCF\x68\x8E\xA8\x59\xAE\xC2\x27\x4E\x82\xA2\x35\xDD\x14\xF4\x1F\xFF\xB2\x77\xD5\x87\x2F\xAA\x6E\x7D\x24\x27\xE7\xC6\xCB\x26\xE6\xE5\xFE\x67\x07\x63\xD8\x45\x0D\xDD\x3A\x59\x65\x39\x58\x7A\x92\x99\x72\x3D\x9C\x84\x5E\x88\x21\xB8\xD5\xF4\x2C\xFC\xD9\x70\x52\x4F\x78\xB8\xBD\x3C\x2B\x8B\x95\x98\xF5\xB3\xD1\x68\xCF\x20\x14\x7E\x4C\x5C\x5F\xE7\x8B\xE5\xF5\x35\x81\x19\x37\xD7\x11\x08\xB7\x66\xBE\xD3\x4A\xCE\x83\x57\x00\x3A\xC3\x81\xF8\x17\xCB\x92\x36\x5D\xD1\xA3\xD8\x75\x1B\xE1\x8B\x27\xEA\x7A\x48\x41\xFD\x45\x19\x06\xAD\x27\x99\x4E\xC1\x70\x47\xDD\xB5\x9F\x81\x53\x12\xE5\xB1\x8C\x48\x5D\x31\x43\x17\xE3\x8C\xC6\x7A\x63\x96\x4B\x29\x30\x4E\x84\x4E\x62\x19\x5E\x3C\xCE\x97\x90\xA5\x7F\x01\xEB\x9D\xE0\xF8\x8B\x89\xDD\x25\x98\x3D\x92\xB6\x7E\xEF\xD9\xF1\x51\x51\x7D\x2D\x26\xC8\x69\x59\x61\xE0\xAC\x6A\xB8\x2A\x36\x11\x04\x7A\x50\xBD\x32\x84\xBE\x2F\xDC\x72\xD5\xD7\x1D\x16\x47\xE4\x47\x66\x20\x3F\xF4\x96\xC5\xAF\x8E\x01\x7A\xA5\x0F\x7A\x64\xF5\x0D\x18\x87\xD9\xAE\x88\xD5\xFA\x84\xC1\x3A\xC0\x69\x28\x2D\xF2\x0D\x68\x51\xAA\xE3\xA5\x77\xC6\xA4\x90\x0E\xA1\x37\x8B\x31\x23\x47\xC1\x09\x08\xEB\x6E\xF7\x78\x9B\xD7\x82\xFC\x84\x20\x99\x49\x19\xB6\x12\x46\xB1\xFB\x45\x55\x16\xA9\xA3\x65\xAC\x9C\x07\x0F\xEA\x6B\xDC\x1F\x2E\x06\x72\xEC\x86\x88\x12\xE4\x2D\xDB\x5F\x05\x2F\xE4\xF0\x03\xD3\x26\x33\xE7\x80\xC2\xCD\x42\xA1\x17\x34\x0B\x02\x03\x01\x00\x01\xA3\x42\x30\x40\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30
\x03\x01\x01\xFF\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x71\x15\x67\xC8\xC8\xC9\xBD\x75\x5D\x72\xD0\x38\x18\x6A\x9D\xF3\x71\x24\x54\x0B\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x03\x82\x02\x01\x00\x75\xBB\x6D\x54\x4B\xAA\x10\x58\x46\x34\xF2\x62\xD7\x16\x36\x5D\x08\x5E\xD5\x6C\xC8\x87\xBD\xB4\x2E\x46\xF2\x31\xF8\x7C\xEA\x42\xB5\x93\x16\x55\xDC\xA1\x0C\x12\xA0\xDA\x61\x7E\x0F\x58\x58\x73\x64\x72\xC7\xE8\x45\x8E\xDC\xA9\xF2\x26\x3F\xC6\x79\x8C\xB1\x53\x08\x33\x81\xB0\x56\x13\xBE\xE6\x51\x5C\xD8\x9B\x0A\x4F\x4B\x9C\x56\x53\x02\xE9\x4F\xF6\x0D\x60\xEA\x4D\x42\x55\xE8\x7C\x1B\x21\x21\xD3\x1B\x3A\xCC\x77\xF2\xB8\x90\xF1\x68\xC7\xF9\x5A\xFE\xFA\x2D\xF4\xBF\xC9\xF5\x45\x1B\xCE\x38\x10\x2A\x37\x8A\x79\xA3\xB4\xE3\x09\x6C\x85\x86\x93\xFF\x89\x96\x27\x78\x81\x8F\x67\xE3\x46\x74\x54\x8E\xD9\x0D\x69\xE2\x4A\xF4\x4D\x74\x03\xFF\xB2\x77\xED\x95\x67\x97\xE4\xB1\xC5\xAB\xBF\x6A\x23\xE8\xD4\x94\xE2\x44\x28\x62\xC4\x4B\xE2\xF0\xD8\xE2\x29\x6B\x1A\x70\x7E\x24\x61\x93\x7B\x4F\x03\x32\x25\x0D\x45\x24\x2B\x96\xB4\x46\x6A\xBF\x4A\x0B\xF7\x9A\x8F\xC1\xAC\x1A\xC5\x67\xF3\x6F\x34\xD2\xFA\x73\x63\x8C\xEF\x16\xB0\xA8\xA4\x46\x2A\xF8\xEB\x12\xEC\x72\xB4\xEF\xF8\x2B\x7E\x8C\x52\xC0\x8B\x84\x54\xF9\x2F\x3E\xE3\x55\xA8\xDC\x66\xB1\xD9\xE1\x5F\xD8\xB3\x8C\x59\x34\x59\xA4\xAB\x4F\x6C\xBB\x1F\x18\xDB\x75\xAB\xD8\xCB\x92\xCD\x94\x38\x61\x0E\x07\x06\x1F\x4B\x46\x10\xF1\x15\xBE\x8D\x85\x5C\x3B\x4A\x2B\x81\x79\x0F\xB4\x69\x9F\x49\x50\x97\x4D\xF7\x0E\x56\x5D\xC0\x95\x6A\xC2\x36\xC3\x1B\x68\xC9\xF5\x2A\xDC\x47\x9A\xBE\xB2\xCE\xC5\x25\xE8\xFA\x03\xB9\xDA\xF9\x16\x6E\x91\x84\xF5\x1C\x28\xC8\xFC\x26\xCC\xD7\x1C\x90\x56\xA7\x5F\x6F\x3A\x04\xBC\xCD\x78\x89\x0B\x8E\x0F\x2F\xA3\xAA\x4F\xA2\x1B\x12\x3D\x16\x08\x40\x0F\xF1\x46\x4C\xD7\xAA\x7B\x08\xC1\x0A\xF5\x6D\x27\xDE\x02\x8F\xCA\xC3\xB5\x2B\xCA\xE9\xEB\xC8\x21\x53\x38\xA5\xCC\x3B\xD8\x77\x37\x30\xA2\x4F\xD9\x6F\xD1\xF2\x40\xAD\x41\x7A\x17\xC5\xD6\x4A\x35\x89\xB7\x41\xD5\x7C\x86
\x7F\x55\x4D\x83\x4A\xA5\x73\x20\xC0\x3A\xAF\x90\xF1\x9A\x24\x8E\xD9\x8E\x71\xCA\x7B\xB8\x86\xDA\xB2\x8F\x99\x3E\x1D\x13\x0D\x12\x11\xEE\xD4\xAB\xF0\xE9\x15\x76\x02\xE4\xE0\xDF\xAA\x20\x1E\x5B\x61\x85\x64\x40\xA9\x90\x97\x0D\xAD\x53\xD2\x5A\x1D\x87\x6A\x00\x97\x65\x62\xB4\xBE\x6F\x6A\xA7\xF5\x2C\x42\xED\x32\xAD\xB6\x21\x9E\xBE\xBC", 
@@ -168,4 +129,19 @@ redef root_certs += { ["CN=OpenTrust Root CA G2,O=OpenTrust,C=FR"] = "\x30\x82\x05\x6F\x30\x82\x03\x57\xA0\x03\x02\x01\x02\x02\x12\x11\x20\xA1\x69\x1B\xBF\xBD\xB9\xBD\x52\x96\x8F\x23\xE8\x48\xBF\x26\x11\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0D\x05\x00\x30\x40\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x46\x52\x31\x12\x30\x10\x06\x03\x55\x04\x0A\x0C\x09\x4F\x70\x65\x6E\x54\x72\x75\x73\x74\x31\x1D\x30\x1B\x06\x03\x55\x04\x03\x0C\x14\x4F\x70\x65\x6E\x54\x72\x75\x73\x74\x20\x52\x6F\x6F\x74\x20\x43\x41\x20\x47\x32\x30\x1E\x17\x0D\x31\x34\x30\x35\x32\x36\x30\x30\x30\x30\x30\x30\x5A\x17\x0D\x33\x38\x30\x31\x31\x35\x30\x30\x30\x30\x30\x30\x5A\x30\x40\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x46\x52\x31\x12\x30\x10\x06\x03\x55\x04\x0A\x0C\x09\x4F\x70\x65\x6E\x54\x72\x75\x73\x74\x31\x1D\x30\x1B\x06\x03\x55\x04\x03\x0C\x14\x4F\x70\x65\x6E\x54\x72\x75\x73\x74\x20\x52\x6F\x6F\x74\x20\x43\x41\x20\x47\x32\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\xCC\xB6\x57\xA5\x33\x94\x10\x81\x32\x53\xDF\x61\x7E\x0F\x76\x39\xCF\x5C\xC2\x53\x75\x1D\x49\x7A\x96\x38\xDD\xA2\x73\x6A\xF1\x6F\xDE\x5E\xA2\x5A\xB9\x71\x21\xBE\x36\xD9\xA1\xFC\xBC\xEE\x6C\xA8\x7C\x34\x1A\x71\x1A\xE8\x1A\xD8\x5F\x0E\x44\x06\xED\xA7\xE0\xF3\xD2\x61\x0B\xE0\x32\xA2\x96\xD1\x38\xF0\xC2\xDA\x01\x17\xFC\xE4\xAC\x4F\xE8\xEE\x89\x1E\x74\xAB\x4F\xBF\x1E\x09\xB6\x36\x6A\x56\xF3\xE1\xEE\x96\x89\x66\x24\x06\xE4\xCD\x42\x3A\x4A\xDD\xE0\x9A\xB0\xC4\x82\x45\xB3\xFE\xC9\xAB\x5C\x7C\x3E\xC9\xEB\x17\x2F\x0C\x7D\x6E\xAE\xA5\x8F\xC8\xAC\x25\x0A\x6F\xFA\xD5\x45\x98\xD2\x35\x09\xF6\x03\x43\x94\xFE\xD9\xBF\x20\x95\x79\x80\x98\x8A\xD9\x89\x35\xBB\x51\x1B\xA4\x37\x7D\xFC\x99\x3B\xAB\xFF\xBF\xAC\x0D\x8F\x43\xB1\x99\x7B\x16\x10\x7E\x1D\x6F\x47\xC4\x15\x8F\x04\x96\x08\x06\x42\x04\xF8\x84\xD6\x1D\xBC\x91\xA6\x42\xBE\x49\xD5\x6A\x88\x3F\xBC\x2D\x51\xD1\x9E\x8D\xE0\x52\xCC\x57\xDD\x35\x35\x58\xDB\xB4\x8F\x24\x88\xE4\x8B\xDF\xDC\
x6B\x54\xD2\x81\x2B\xB2\xCE\x92\x4B\x1C\x1F\x46\xFA\x1D\xD8\x92\xCB\x76\x67\xB5\x09\x99\x09\xE5\xAC\x17\x14\x55\x70\xC6\x3C\xA0\x56\x0A\x03\xB3\xDC\x62\x19\xDF\xC8\xB5\x30\x7F\xF5\x3C\x26\x75\x11\xBD\xD7\x1B\xB3\x87\x9E\x07\xAF\x65\x71\xE5\xA0\xCF\x1A\xA7\x09\x10\x1D\x93\x89\x66\x5B\xE8\x3C\x62\x32\xB5\xB5\x3A\x6E\xE9\x85\x01\x8B\x9E\x43\x8C\x67\x73\x28\x59\x5B\xEB\xE3\xDC\x2C\xCC\xA5\x26\x72\x62\x12\xB4\xE6\x9C\x83\x44\xF6\x51\xA4\xE2\xC0\x7A\x24\x57\xCA\x0E\xA5\x3F\x3A\xB5\x3B\x8B\xE5\x76\xEE\x70\xE6\x92\xDE\x16\x5C\x28\x5B\x97\x19\x27\x92\xFE\x7A\x92\x54\xCE\x93\x39\x0A\x16\x87\xBC\x63\xB3\xF5\xB1\x93\x5C\xE0\x6E\xB7\xD0\xEA\xF9\x62\x32\x88\x44\xFB\xBF\x27\x28\xB6\x30\x95\x5D\x12\x28\xB9\x95\xBE\x8F\x53\x18\xE5\xA2\x18\x16\xE2\x56\xA4\xB2\x2C\x10\xF5\x1D\x37\xA6\xF8\xB7\xF6\xD0\x59\x5C\x89\xF7\xC2\xD5\xB5\x94\x74\xD1\xD5\xFE\x1B\xB6\xF0\xE6\xD6\x1E\x7B\xD2\x3C\xCB\xA8\xE3\xF5\x18\xF3\x21\x1F\x6E\xEF\x4D\x68\x06\x7B\x2D\x5D\x6E\x43\x89\xA6\xC0\xF9\xA0\xBF\x82\x1E\xCF\x53\x7F\xB4\xEB\x2C\xDB\x5D\xF6\x6A\x7D\x40\x24\x05\x72\x89\x38\x01\x93\xCB\x71\xC2\x39\x5D\x06\x11\xF6\x6F\x78\xF8\x37\x0D\x39\x84\x27\x02\x03\x01\x00\x01\xA3\x63\x30\x61\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x6A\x39\xFA\x42\x22\xF7\xE6\x89\x00\x4D\x5E\x7D\x33\x83\xCB\xB8\x6E\x77\x86\xAF\x30\x1F\x06\x03\x55\x1D\x23\x04\x18\x30\x16\x80\x14\x6A\x39\xFA\x42\x22\xF7\xE6\x89\x00\x4D\x5E\x7D\x33\x83\xCB\xB8\x6E\x77\x86\xAF\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0D\x05\x00\x03\x82\x02\x01\x00\x98\xCB\xAB\x40\x3C\xE5\x33\x02\x97\x7F\x2D\x87\xA6\x8F\xD4\x5E\x4A\xAF\xB8\x1E\xE7\xBB\x71\xFB\x80\x64\x25\xA9\xB3\x1A\x3E\x68\x5D\x27\x26\xA7\xBA\x2A\xE1\xF0\x57\x83\x0A\x64\x4F\x1E\x22\x74\x1B\xE9\x90\x5F\xF0\xAC\xCF\xFF\x4F\x68\x7A\x38\xA4\x10\x6C\x0D\xB1\xC7\xA4\x77\x80\x18\xB6\xA2\x28\x44\x76\xA7\x34\x9D\x71\x84\x2F\xCA\x59\xD2\x47\x88\x99\x41\x22\xC9\x30\x98\x61\x6E\
x3D\xA8\xA8\x05\x6D\xD1\x1F\xC0\x51\x44\x56\x7F\x27\x35\x02\xDD\x5E\x98\x0A\x42\xEB\x30\xBF\x8D\xA1\x9B\x51\xAA\x3B\xEA\x93\x46\x64\xC5\x00\x79\xDE\x21\x6B\xF6\x57\xA0\x86\xD7\x06\x72\xEC\x70\x46\x4B\x8B\x73\xDD\xA0\x21\x75\x3E\xDC\x1D\xC0\x8F\xD3\x4F\x73\x1C\x85\xD9\xFE\x7F\x62\xC8\x95\x6F\xB6\xD3\x7B\x8C\xBA\x53\xC2\x6F\x9B\x44\x4C\x79\xD0\x1D\x70\xB3\xD7\x9F\x02\xF4\xB2\x07\xB0\xC7\xE5\xF8\xAD\x23\x0E\xA6\x56\xC9\x29\x12\x77\x48\xD9\x2F\x46\xFD\x3B\xF0\xFC\x74\x70\x92\xA5\x8E\x38\x08\x1F\x64\x30\xB6\xB7\x4B\xFB\x36\xAC\x10\x8E\xA0\x52\x33\x63\x9D\x03\x35\x56\xC5\x69\xBD\xC6\x23\x5A\x27\x94\xF6\xA4\x12\xF8\x2D\x33\x3C\xA1\x56\xA5\x5F\xD6\x19\xE9\xED\x7C\x08\xBD\x77\xCD\x27\x64\xCC\x94\xDA\x4E\x46\x50\x87\xE0\xF9\xC1\x53\x80\x1E\xBB\xAD\xFB\x47\x52\x8B\x1B\xFD\xA2\xF9\xDE\x0E\x22\xB7\x3D\x33\x59\x6C\xD4\xDE\xF5\x95\x06\x32\x0D\x51\x19\x41\x5C\x3E\x4F\x06\xF7\xB9\x2B\x80\x27\xF6\xA3\xAA\x7A\x7C\x06\xE1\x43\xC3\x13\x39\x62\x1A\x36\xBD\xE0\x28\x2E\x94\x02\xE4\x29\x2E\x60\x55\xAE\x40\x3D\xB0\x74\x92\x5E\xF0\x20\x64\x96\x3F\x5F\x45\x5D\x88\xB5\x8A\xDA\x02\xA0\x5B\x45\x54\xDE\x38\x3D\x09\xC0\xA8\x4A\x65\x46\x16\xFC\xAA\xBF\x54\x4E\x4D\x5B\xBE\x38\x43\xB7\x28\xCA\x8B\x33\xAA\x1A\x25\xBA\x25\x5C\x29\x2F\x5B\x4A\x6E\x8C\xEA\x2D\x9C\x2A\xF6\x05\x76\xE0\x77\x97\x80\x88\xDD\x67\x13\x6F\x1D\x68\x24\x8B\x4F\xB7\x74\x81\xE5\xF4\x60\x9F\x7A\x55\xD7\x3E\x37\xDA\x16\x6B\x3E\x77\xAC\xAE\x18\x70\x95\x08\x79\x29\x03\x8A\xFE\xC1\x3B\xB3\x3F\x1A\x0F\xA4\x3B\x5E\x1F\x58\xA1\x95\xC9\xAB\x2F\x73\x4A\xD0\x2D\x6E\x9A\x59\x0F\x55\x18\x78\x2D\x3C\x51\xA6\x97\x8B\xE6\xBB\xB2\x70\xAA\x4C\x11\xDE\xFF\x7C\x2B\x37\xD4\x7A\xD1\x77\x34\x8F\xE7\xF9\x42\xF7\x3C\x81\x0C\x4B\x52\x0A", ["CN=OpenTrust Root CA G3,O=OpenTrust,C=FR"] = 
"\x30\x82\x02\x21\x30\x82\x01\xA6\xA0\x03\x02\x01\x02\x02\x12\x11\x20\xE6\xF8\x4C\xFC\x24\xB0\xBE\x05\x40\xAC\xDA\x83\x1B\x34\x60\x3F\x30\x0A\x06\x08\x2A\x86\x48\xCE\x3D\x04\x03\x03\x30\x40\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x46\x52\x31\x12\x30\x10\x06\x03\x55\x04\x0A\x0C\x09\x4F\x70\x65\x6E\x54\x72\x75\x73\x74\x31\x1D\x30\x1B\x06\x03\x55\x04\x03\x0C\x14\x4F\x70\x65\x6E\x54\x72\x75\x73\x74\x20\x52\x6F\x6F\x74\x20\x43\x41\x20\x47\x33\x30\x1E\x17\x0D\x31\x34\x30\x35\x32\x36\x30\x30\x30\x30\x30\x30\x5A\x17\x0D\x33\x38\x30\x31\x31\x35\x30\x30\x30\x30\x30\x30\x5A\x30\x40\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x46\x52\x31\x12\x30\x10\x06\x03\x55\x04\x0A\x0C\x09\x4F\x70\x65\x6E\x54\x72\x75\x73\x74\x31\x1D\x30\x1B\x06\x03\x55\x04\x03\x0C\x14\x4F\x70\x65\x6E\x54\x72\x75\x73\x74\x20\x52\x6F\x6F\x74\x20\x43\x41\x20\x47\x33\x30\x76\x30\x10\x06\x07\x2A\x86\x48\xCE\x3D\x02\x01\x06\x05\x2B\x81\x04\x00\x22\x03\x62\x00\x04\x4A\xEE\x58\xAE\x4D\xCA\x66\xDE\x06\x3A\xA3\x11\xFC\xE0\x18\xF0\x6E\x1C\xBA\x2D\x30\x0C\x89\xD9\xD6\xEE\x9B\x73\x83\xA9\x23\x15\x8C\x2F\x59\x8A\x5A\xDD\x14\xEA\x9D\x59\x2B\x43\xB7\x06\xEC\x32\xB6\xBA\xEE\x41\xB5\xAD\x5D\xA1\x85\xCC\xEA\x1D\x14\x66\xA3\x67\x7E\x46\xE2\x94\xF3\xE7\xB6\x56\xA1\x15\x59\xA1\x4F\x37\x97\xB9\x22\x1E\xBD\x11\xEB\xF4\xB2\x1F\x5E\xC3\x14\x9A\xE5\xD9\x97\x99\xA3\x63\x30\x61\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x47\x77\xC3\x14\x8B\x62\x39\x0C\xC9\x6F\xE1\x50\x4D\xD0\x10\x58\xDC\x95\x88\x6D\x30\x1F\x06\x03\x55\x1D\x23\x04\x18\x30\x16\x80\x14\x47\x77\xC3\x14\x8B\x62\x39\x0C\xC9\x6F\xE1\x50\x4D\xD0\x10\x58\xDC\x95\x88\x6D\x30\x0A\x06\x08\x2A\x86\x48\xCE\x3D\x04\x03\x03\x03\x69\x00\x30\x66\x02\x31\x00\x8F\xA8\xDC\x9D\xBA\x0C\x04\x17\xFA\x15\xE9\x3D\x2F\x29\x01\x97\xBF\x81\x16\x33\x40\x93\x6C\xFC\xF9\xED\x80\x70\x6F\xAA\x8F\xDB\x84\xC2\x8B\xF5\x35\xCA\x06\xDC\x64\x6F\x68\x16\xE1\x8F\x91\xB9\x02\x3
1\x00\xD8\x4B\xA5\xCB\xC2\xD0\x08\x6C\xE9\x18\xFB\x5A\xDD\x4D\x5F\x24\x0B\xB0\x00\x21\x25\xEF\x8F\xA7\x04\x26\x71\xE2\x7C\x69\xE5\x5D\x9A\xF8\x41\x1F\x3B\x39\x93\x93\x9D\x55\xEA\xCD\x8D\xF1\xFB\xC1", ["CN=ISRG Root X1,O=Internet Security Research Group,C=US"] = "\x30\x82\x05\x6B\x30\x82\x03\x53\xA0\x03\x02\x01\x02\x02\x11\x00\x82\x10\xCF\xB0\xD2\x40\xE3\x59\x44\x63\xE0\xBB\x63\x82\x8B\x00\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x30\x4F\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x29\x30\x27\x06\x03\x55\x04\x0A\x13\x20\x49\x6E\x74\x65\x72\x6E\x65\x74\x20\x53\x65\x63\x75\x72\x69\x74\x79\x20\x52\x65\x73\x65\x61\x72\x63\x68\x20\x47\x72\x6F\x75\x70\x31\x15\x30\x13\x06\x03\x55\x04\x03\x13\x0C\x49\x53\x52\x47\x20\x52\x6F\x6F\x74\x20\x58\x31\x30\x1E\x17\x0D\x31\x35\x30\x36\x30\x34\x31\x31\x30\x34\x33\x38\x5A\x17\x0D\x33\x35\x30\x36\x30\x34\x31\x31\x30\x34\x33\x38\x5A\x30\x4F\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x29\x30\x27\x06\x03\x55\x04\x0A\x13\x20\x49\x6E\x74\x65\x72\x6E\x65\x74\x20\x53\x65\x63\x75\x72\x69\x74\x79\x20\x52\x65\x73\x65\x61\x72\x63\x68\x20\x47\x72\x6F\x75\x70\x31\x15\x30\x13\x06\x03\x55\x04\x03\x13\x0C\x49\x53\x52\x47\x20\x52\x6F\x6F\x74\x20\x58\x31\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\xAD\xE8\x24\x73\xF4\x14\x37\xF3\x9B\x9E\x2B\x57\x28\x1C\x87\xBE\xDC\xB7\xDF\x38\x90\x8C\x6E\x3C\xE6\x57\xA0\x78\xF7\x75\xC2\xA2\xFE\xF5\x6A\x6E\xF6\x00\x4F\x28\xDB\xDE\x68\x86\x6C\x44\x93\xB6\xB1\x63\xFD\x14\x12\x6B\xBF\x1F\xD2\xEA\x31\x9B\x21\x7E\xD1\x33\x3C\xBA\x48\xF5\xDD\x79\xDF\xB3\xB8\xFF\x12\xF1\x21\x9A\x4B\xC1\x8A\x86\x71\x69\x4A\x66\x66\x6C\x8F\x7E\x3C\x70\xBF\xAD\x29\x22\x06\xF3\xE4\xC0\xE6\x80\xAE\xE2\x4B\x8F\xB7\x99\x7E\x94\x03\x9F\xD3\x47\x97\x7C\x99\x48\x23\x53\xE8\x38\xAE\x4F\x0A\x6F\x83\x2E\xD1\x49\x57\x8C\x80\x74\xB6\xDA\x2F\xD0\x38\x8D\x7B\x03\x70\x21\x1B\x75\xF2\x30\x3C\xFA\x8F\xAE\xDD\xDA\x63\xAB\xEB\x16\x4F\xC2\
x8E\x11\x4B\x7E\xCF\x0B\xE8\xFF\xB5\x77\x2E\xF4\xB2\x7B\x4A\xE0\x4C\x12\x25\x0C\x70\x8D\x03\x29\xA0\xE1\x53\x24\xEC\x13\xD9\xEE\x19\xBF\x10\xB3\x4A\x8C\x3F\x89\xA3\x61\x51\xDE\xAC\x87\x07\x94\xF4\x63\x71\xEC\x2E\xE2\x6F\x5B\x98\x81\xE1\x89\x5C\x34\x79\x6C\x76\xEF\x3B\x90\x62\x79\xE6\xDB\xA4\x9A\x2F\x26\xC5\xD0\x10\xE1\x0E\xDE\xD9\x10\x8E\x16\xFB\xB7\xF7\xA8\xF7\xC7\xE5\x02\x07\x98\x8F\x36\x08\x95\xE7\xE2\x37\x96\x0D\x36\x75\x9E\xFB\x0E\x72\xB1\x1D\x9B\xBC\x03\xF9\x49\x05\xD8\x81\xDD\x05\xB4\x2A\xD6\x41\xE9\xAC\x01\x76\x95\x0A\x0F\xD8\xDF\xD5\xBD\x12\x1F\x35\x2F\x28\x17\x6C\xD2\x98\xC1\xA8\x09\x64\x77\x6E\x47\x37\xBA\xCE\xAC\x59\x5E\x68\x9D\x7F\x72\xD6\x89\xC5\x06\x41\x29\x3E\x59\x3E\xDD\x26\xF5\x24\xC9\x11\xA7\x5A\xA3\x4C\x40\x1F\x46\xA1\x99\xB5\xA7\x3A\x51\x6E\x86\x3B\x9E\x7D\x72\xA7\x12\x05\x78\x59\xED\x3E\x51\x78\x15\x0B\x03\x8F\x8D\xD0\x2F\x05\xB2\x3E\x7B\x4A\x1C\x4B\x73\x05\x12\xFC\xC6\xEA\xE0\x50\x13\x7C\x43\x93\x74\xB3\xCA\x74\xE7\x8E\x1F\x01\x08\xD0\x30\xD4\x5B\x71\x36\xB4\x07\xBA\xC1\x30\x30\x5C\x48\xB7\x82\x3B\x98\xA6\x7D\x60\x8A\xA2\xA3\x29\x82\xCC\xBA\xBD\x83\x04\x1B\xA2\x83\x03\x41\xA1\xD6\x05\xF1\x1B\xC2\xB6\xF0\xA8\x7C\x86\x3B\x46\xA8\x48\x2A\x88\xDC\x76\x9A\x76\xBF\x1F\x6A\xA5\x3D\x19\x8F\xEB\x38\xF3\x64\xDE\xC8\x2B\x0D\x0A\x28\xFF\xF7\xDB\xE2\x15\x42\xD4\x22\xD0\x27\x5D\xE1\x79\xFE\x18\xE7\x70\x88\xAD\x4E\xE6\xD9\x8B\x3A\xC6\xDD\x27\x51\x6E\xFF\xBC\x64\xF5\x33\x43\x4F\x02\x03\x01\x00\x01\xA3\x42\x30\x40\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x79\xB4\x59\xE6\x7B\xB6\xE5\xE4\x01\x73\x80\x08\x88\xC8\x1A\x58\xF6\xE9\x9B\x6E\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x03\x82\x02\x01\x00\x55\x1F\x58\xA9\xBC\xB2\xA8\x50\xD0\x0C\xB1\xD8\x1A\x69\x20\x27\x29\x08\xAC\x61\x75\x5C\x8A\x6E\xF8\x82\xE5\x69\x2F\xD5\xF6\x56\x4B\xB9\xB8\x73\x10\x59\xD3\x21\x97\x7E\xE7\x4C\x71\xFB\xB2\xD2\x60\xAD\x39\xA8\x0B\xEA\x17\
x21\x56\x85\xF1\x50\x0E\x59\xEB\xCE\xE0\x59\xE9\xBA\xC9\x15\xEF\x86\x9D\x8F\x84\x80\xF6\xE4\xE9\x91\x90\xDC\x17\x9B\x62\x1B\x45\xF0\x66\x95\xD2\x7C\x6F\xC2\xEA\x3B\xEF\x1F\xCF\xCB\xD6\xAE\x27\xF1\xA9\xB0\xC8\xAE\xFD\x7D\x7E\x9A\xFA\x22\x04\xEB\xFF\xD9\x7F\xEA\x91\x2B\x22\xB1\x17\x0E\x8F\xF2\x8A\x34\x5B\x58\xD8\xFC\x01\xC9\x54\xB9\xB8\x26\xCC\x8A\x88\x33\x89\x4C\x2D\x84\x3C\x82\xDF\xEE\x96\x57\x05\xBA\x2C\xBB\xF7\xC4\xB7\xC7\x4E\x3B\x82\xBE\x31\xC8\x22\x73\x73\x92\xD1\xC2\x80\xA4\x39\x39\x10\x33\x23\x82\x4C\x3C\x9F\x86\xB2\x55\x98\x1D\xBE\x29\x86\x8C\x22\x9B\x9E\xE2\x6B\x3B\x57\x3A\x82\x70\x4D\xDC\x09\xC7\x89\xCB\x0A\x07\x4D\x6C\xE8\x5D\x8E\xC9\xEF\xCE\xAB\xC7\xBB\xB5\x2B\x4E\x45\xD6\x4A\xD0\x26\xCC\xE5\x72\xCA\x08\x6A\xA5\x95\xE3\x15\xA1\xF7\xA4\xED\xC9\x2C\x5F\xA5\xFB\xFF\xAC\x28\x02\x2E\xBE\xD7\x7B\xBB\xE3\x71\x7B\x90\x16\xD3\x07\x5E\x46\x53\x7C\x37\x07\x42\x8C\xD3\xC4\x96\x9C\xD5\x99\xB5\x2A\xE0\x95\x1A\x80\x48\xAE\x4C\x39\x07\xCE\xCC\x47\xA4\x52\x95\x2B\xBA\xB8\xFB\xAD\xD2\x33\x53\x7D\xE5\x1D\x4D\x6D\xD5\xA1\xB1\xC7\x42\x6F\xE6\x40\x27\x35\x5C\xA3\x28\xB7\x07\x8D\xE7\x8D\x33\x90\xE7\x23\x9F\xFB\x50\x9C\x79\x6C\x46\xD5\xB4\x15\xB3\x96\x6E\x7E\x9B\x0C\x96\x3A\xB8\x52\x2D\x3F\xD6\x5B\xE1\xFB\x08\xC2\x84\xFE\x24\xA8\xA3\x89\xDA\xAC\x6A\xE1\x18\x2A\xB1\xA8\x43\x61\x5B\xD3\x1F\xDC\x3B\x8D\x76\xF2\x2D\xE8\x8D\x75\xDF\x17\x33\x6C\x3D\x53\xFB\x7B\xCB\x41\x5F\xFF\xDC\xA2\xD0\x61\x38\xE1\x96\xB8\xAC\x5D\x8B\x37\xD7\x75\xD5\x33\xC0\x99\x11\xAE\x9D\x41\xC1\x72\x75\x84\xBE\x02\x41\x42\x5F\x67\x24\x48\x94\xD1\x9B\x27\xBE\x07\x3F\xB9\xB8\x4F\x81\x74\x51\xE1\x7A\xB7\xED\x9D\x23\xE2\xBE\xE0\xD5\x28\x04\x13\x3C\x31\x03\x9E\xDD\x7A\x6C\x8F\xC6\x07\x18\xC6\x7F\xDE\x47\x8E\x3F\x28\x9E\x04\x06\xCF\xA5\x54\x34\x77\xBD\xEC\x89\x9B\xE9\x17\x43\xDF\x5B\xDB\x5F\xFE\x8E\x1E\x57\xA2\xCD\x40\x9D\x7E\x62\x22\xDA\xDE\x18\x27", + ["OU=AC RAIZ FNMT-RCM,O=FNMT-RCM,C=ES"] = 
"\x30\x82\x05\x83\x30\x82\x03\x6B\xA0\x03\x02\x01\x02\x02\x0F\x5D\x93\x8D\x30\x67\x36\xC8\x06\x1D\x1A\xC7\x54\x84\x69\x07\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x30\x3B\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x45\x53\x31\x11\x30\x0F\x06\x03\x55\x04\x0A\x0C\x08\x46\x4E\x4D\x54\x2D\x52\x43\x4D\x31\x19\x30\x17\x06\x03\x55\x04\x0B\x0C\x10\x41\x43\x20\x52\x41\x49\x5A\x20\x46\x4E\x4D\x54\x2D\x52\x43\x4D\x30\x1E\x17\x0D\x30\x38\x31\x30\x32\x39\x31\x35\x35\x39\x35\x36\x5A\x17\x0D\x33\x30\x30\x31\x30\x31\x30\x30\x30\x30\x30\x30\x5A\x30\x3B\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x45\x53\x31\x11\x30\x0F\x06\x03\x55\x04\x0A\x0C\x08\x46\x4E\x4D\x54\x2D\x52\x43\x4D\x31\x19\x30\x17\x06\x03\x55\x04\x0B\x0C\x10\x41\x43\x20\x52\x41\x49\x5A\x20\x46\x4E\x4D\x54\x2D\x52\x43\x4D\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\xBA\x71\x80\x7A\x4C\x86\x6E\x7F\xC8\x13\x6D\xC0\xC6\x7D\x1C\x00\x97\x8F\x2C\x0C\x23\xBB\x10\x9A\x40\xA9\x1A\xB7\x87\x88\xF8\x9B\x56\x6A\xFB\xE6\x7B\x8E\x8B\x92\x8E\xA7\x25\x5D\x59\x11\xDB\x36\x2E\xB7\x51\x17\x1F\xA9\x08\x1F\x04\x17\x24\x58\xAA\x37\x4A\x18\xDF\xE5\x39\xD4\x57\xFD\xD7\xC1\x2C\x91\x01\x91\xE2\x22\xD4\x03\xC0\x58\xFC\x77\x47\xEC\x8F\x3E\x74\x43\xBA\xAC\x34\x8D\x4D\x38\x76\x67\x8E\xB0\xC8\x6F\x30\x33\x58\x71\x5C\xB4\xF5\x6B\x6E\xD4\x01\x50\xB8\x13\x7E\x6C\x4A\xA3\x49\xD1\x20\x19\xEE\xBC\xC0\x29\x18\x65\xA7\xDE\xFE\xEF\xDD\x0A\x90\x21\xE7\x1A\x67\x92\x42\x10\x98\x5F\x4F\x30\xBC\x3E\x1C\x45\xB4\x10\xD7\x68\x40\x14\xC0\x40\xFA\xE7\x77\x17\x7A\xE6\x0B\x8F\x65\x5B\x3C\xD9\x9A\x52\xDB\xB5\xBD\x9E\x46\xCF\x3D\xEB\x91\x05\x02\xC0\x96\xB2\x76\x4C\x4D\x10\x96\x3B\x92\xFA\x9C\x7F\x0F\x99\xDF\xBE\x23\x35\x45\x1E\x02\x5C\xFE\xB5\xA8\x9B\x99\x25\xDA\x5E\xF3\x22\xC3\x39\xF5\xE4\x2A\x2E\xD3\xC6\x1F\xC4\x6C\xAA\xC5\x1C\x6A\x01\x05\x4A\x2F\xD2\xC5\xC1\xA8\x34\x26\x5D\x66\xA5\xD2\x02\x21\xF9\x18\xB7\x06\xF5\x4E\x99\x6F\xA8\xAB\x4C\x51\xE8\xCF\x50\x18\xC5\x77\xC
8\x39\x09\x2C\x49\x92\x32\x99\xA8\xBB\x17\x17\x79\xB0\x5A\xC5\xE6\xA3\xC4\x59\x65\x47\x35\x83\x5E\xA9\xE8\x35\x0B\x99\xBB\xE4\xCD\x20\xC6\x9B\x4A\x06\x39\xB5\x68\xFC\x22\xBA\xEE\x55\x8C\x2B\x4E\xEA\xF3\xB1\xE3\xFC\xB6\x99\x9A\xD5\x42\xFA\x71\x4D\x08\xCF\x87\x1E\x6A\x71\x7D\xF9\xD3\xB4\xE9\xA5\x71\x81\x7B\xC2\x4E\x47\x96\xA5\xF6\x76\x85\xA3\x28\x8F\xE9\x80\x6E\x81\x53\xA5\x6D\x5F\xB8\x48\xF9\xC2\xF9\x36\xA6\x2E\x49\xFF\xB8\x96\xC2\x8C\x07\xB3\x9B\x88\x58\xFC\xEB\x1B\x1C\xDE\x2D\x70\xE2\x97\x92\x30\xA1\x89\xE3\xBC\x55\xA8\x27\xD6\x4B\xED\x90\xAD\x8B\xFA\x63\x25\x59\x2D\xA8\x35\xDD\xCA\x97\x33\xBC\xE5\xCD\xC7\x9D\xD1\xEC\xEF\x5E\x0E\x4A\x90\x06\x26\x63\xAD\xB9\xD9\x35\x2D\x07\xBA\x76\x65\x2C\xAC\x57\x8F\x7D\xF4\x07\x94\xD7\x81\x02\x96\x5D\xA3\x07\x49\xD5\x7A\xD0\x57\xF9\x1B\xE7\x53\x46\x75\xAA\xB0\x79\x42\xCB\x68\x71\x08\xE9\x60\xBD\x39\x69\xCE\xF4\xAF\xC3\x56\x40\xC7\xAD\x52\xA2\x09\xE4\x6F\x86\x47\x8A\x1F\xEB\x28\x27\x5D\x83\x20\xAF\x04\xC9\x6C\x56\x9A\x8B\x46\xF5\x02\x03\x01\x00\x01\xA3\x81\x83\x30\x81\x80\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xF7\x7D\xC5\xFD\xC4\xE8\x9A\x1B\x77\x64\xA7\xF5\x1D\xA0\xCC\xBF\x87\x60\x9A\x6D\x30\x3E\x06\x03\x55\x1D\x20\x04\x37\x30\x35\x30\x33\x06\x04\x55\x1D\x20\x00\x30\x2B\x30\x29\x06\x08\x2B\x06\x01\x05\x05\x07\x02\x01\x16\x1D\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x63\x65\x72\x74\x2E\x66\x6E\x6D\x74\x2E\x65\x73\x2F\x64\x70\x63\x73\x2F\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x03\x82\x02\x01\x00\x07\x90\x4A\xDF\xF3\x23\x4E\xF0\xC3\x9C\x51\x65\x9B\x9C\x22\xA2\x8A\x0C\x85\xF3\x73\x29\x6B\x4D\xFE\x01\xE2\xA9\x0C\x63\x01\xBF\x04\x67\xA5\x9D\x98\x5F\xFD\x01\x13\xFA\xEC\x9A\x62\xE9\x86\xFE\xB6\x62\xD2\x6E\x4C\x94\xFB\xC0\x75\x45\x7C\x65\x0C\xF8\xB2\x37\xCF\xAC\x0F\xCF\x8D\x6F\xF9\x19\xF7\x8F\xEC\x1E\xF2\x70\x9E\xF0\xCA\xB8\xEF\xB7\xFF\x76\x37\x76\x5B\xF6\x6E\x88\xF3\xAF\x62\x32\x2
2\x93\x0D\x3A\x6A\x8E\x14\x66\x0C\x2D\x53\x74\x57\x65\x1E\xD5\xB2\xDD\x23\x81\x3B\xA5\x66\x23\x27\x67\x09\x8F\xE1\x77\xAA\x43\xCD\x65\x51\x08\xED\x51\x58\xFE\xE6\x39\xF9\xCB\x47\x84\xA4\x15\xF1\x76\xBB\xA4\xEE\xA4\x3B\xC4\x5F\xEF\xB2\x33\x96\x11\x18\xB7\xC9\x65\xBE\x18\xE1\xA3\xA4\xDC\xFA\x18\xF9\xD3\xBC\x13\x9B\x39\x7A\x34\xBA\xD3\x41\xFB\xFA\x32\x8A\x2A\xB7\x2B\x86\x0B\x69\x83\x38\xBE\xCD\x8A\x2E\x0B\x70\xAD\x8D\x26\x92\xEE\x1E\xF5\x01\x2B\x0A\xD9\xD6\x97\x9B\x6E\xE0\xA8\x19\x1C\x3A\x21\x8B\x0C\x1E\x40\xAD\x03\xE7\xDD\x66\x7E\xF5\xB9\x20\x0D\x03\xE8\x96\xF9\x82\x45\xD4\x39\xE0\xA0\x00\x5D\xD7\x98\xE6\x7D\x9E\x67\x73\xC3\x9A\x2A\xF7\xAB\x8B\xA1\x3A\x14\xEF\x34\xBC\x52\x0E\x89\x98\x9A\x04\x40\x84\x1D\x7E\x45\x69\x93\x57\xCE\xEB\xCE\xF8\x50\x7C\x4F\x1C\x6E\x04\x43\x9B\xF9\xD6\x3B\x23\x18\xE9\xEA\x8E\xD1\x4D\x46\x8D\xF1\x3B\xE4\x6A\xCA\xBA\xFB\x23\xB7\x9B\xFA\x99\x01\x29\x5A\x58\x5A\x2D\xE3\xF9\xD4\x6D\x0E\x26\xAD\xC1\x6E\x34\xBC\x32\xF8\x0C\x05\xFA\x65\xA3\xDB\x3B\x37\x83\x22\xE9\xD6\xDC\x72\x33\xFD\x5D\xF2\x20\xBD\x76\x3C\x23\xDA\x28\xF7\xF9\x1B\xEB\x59\x64\xD5\xDC\x5F\x72\x7E\x20\xFC\xCD\x89\xB5\x90\x67\x4D\x62\x7A\x3F\x4E\xAD\x1D\xC3\x39\xFE\x7A\xF4\x28\x16\xDF\x41\xF6\x48\x80\x05\xD7\x0F\x51\x79\xAC\x10\xAB\xD4\xEC\x03\x66\xE6\x6A\xB0\xBA\x31\x92\x42\x40\x6A\xBE\x3A\xD3\x72\xE1\x6A\x37\x55\xBC\xAC\x1D\x95\xB7\x69\x61\xF2\x43\x91\x74\xE6\xA0\xD3\x0A\x24\x46\xA1\x08\xAF\xD6\xDA\x45\x19\x96\xD4\x53\x1D\x5B\x84\x79\xF0\xC0\xF7\x47\xEF\x8B\x8F\xC5\x06\xAE\x9D\x4C\x62\x9D\xFF\x46\x04\xF8\xD3\xC9\xB6\x10\x25\x40\x75\xFE\x16\xAA\xC9\x4A\x60\x86\x2F\xBA\xEF\x30\x77\xE4\x54\xE2\xB8\x84\x99\x58\x80\xAA\x13\x8B\x51\x3A\x4F\x48\xF6\x8B\xB6\xB3", + ["CN=Amazon Root CA 1,O=Amazon,C=US"] = 
"\x30\x82\x03\x41\x30\x82\x02\x29\xA0\x03\x02\x01\x02\x02\x13\x06\x6C\x9F\xCF\x99\xBF\x8C\x0A\x39\xE2\xF0\x78\x8A\x43\xE6\x96\x36\x5B\xCA\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x30\x39\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x0F\x30\x0D\x06\x03\x55\x04\x0A\x13\x06\x41\x6D\x61\x7A\x6F\x6E\x31\x19\x30\x17\x06\x03\x55\x04\x03\x13\x10\x41\x6D\x61\x7A\x6F\x6E\x20\x52\x6F\x6F\x74\x20\x43\x41\x20\x31\x30\x1E\x17\x0D\x31\x35\x30\x35\x32\x36\x30\x30\x30\x30\x30\x30\x5A\x17\x0D\x33\x38\x30\x31\x31\x37\x30\x30\x30\x30\x30\x30\x5A\x30\x39\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x0F\x30\x0D\x06\x03\x55\x04\x0A\x13\x06\x41\x6D\x61\x7A\x6F\x6E\x31\x19\x30\x17\x06\x03\x55\x04\x03\x13\x10\x41\x6D\x61\x7A\x6F\x6E\x20\x52\x6F\x6F\x74\x20\x43\x41\x20\x31\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xB2\x78\x80\x71\xCA\x78\xD5\xE3\x71\xAF\x47\x80\x50\x74\x7D\x6E\xD8\xD7\x88\x76\xF4\x99\x68\xF7\x58\x21\x60\xF9\x74\x84\x01\x2F\xAC\x02\x2D\x86\xD3\xA0\x43\x7A\x4E\xB2\xA4\xD0\x36\xBA\x01\xBE\x8D\xDB\x48\xC8\x07\x17\x36\x4C\xF4\xEE\x88\x23\xC7\x3E\xEB\x37\xF5\xB5\x19\xF8\x49\x68\xB0\xDE\xD7\xB9\x76\x38\x1D\x61\x9E\xA4\xFE\x82\x36\xA5\xE5\x4A\x56\xE4\x45\xE1\xF9\xFD\xB4\x16\xFA\x74\xDA\x9C\x9B\x35\x39\x2F\xFA\xB0\x20\x50\x06\x6C\x7A\xD0\x80\xB2\xA6\xF9\xAF\xEC\x47\x19\x8F\x50\x38\x07\xDC\xA2\x87\x39\x58\xF8\xBA\xD5\xA9\xF9\x48\x67\x30\x96\xEE\x94\x78\x5E\x6F\x89\xA3\x51\xC0\x30\x86\x66\xA1\x45\x66\xBA\x54\xEB\xA3\xC3\x91\xF9\x48\xDC\xFF\xD1\xE8\x30\x2D\x7D\x2D\x74\x70\x35\xD7\x88\x24\xF7\x9E\xC4\x59\x6E\xBB\x73\x87\x17\xF2\x32\x46\x28\xB8\x43\xFA\xB7\x1D\xAA\xCA\xB4\xF2\x9F\x24\x0E\x2D\x4B\xF7\x71\x5C\x5E\x69\xFF\xEA\x95\x02\xCB\x38\x8A\xAE\x50\x38\x6F\xDB\xFB\x2D\x62\x1B\xC5\xC7\x1E\x54\xE1\x77\xE0\x67\xC8\x0F\x9C\x87\x23\xD6\x3F\x40\x20\x7F\x20\x80\xC4\x80\x4C\x3E\x3B\x24\x26\x8E\x04\xAE\x6C\x9A\xC8\xAA\x0D\x02\x03\x01\x00\x01\xA3\x42\x30\x40\x30\x0F\x0
6\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x86\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x84\x18\xCC\x85\x34\xEC\xBC\x0C\x94\x94\x2E\x08\x59\x9C\xC7\xB2\x10\x4E\x0A\x08\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x03\x82\x01\x01\x00\x98\xF2\x37\x5A\x41\x90\xA1\x1A\xC5\x76\x51\x28\x20\x36\x23\x0E\xAE\xE6\x28\xBB\xAA\xF8\x94\xAE\x48\xA4\x30\x7F\x1B\xFC\x24\x8D\x4B\xB4\xC8\xA1\x97\xF6\xB6\xF1\x7A\x70\xC8\x53\x93\xCC\x08\x28\xE3\x98\x25\xCF\x23\xA4\xF9\xDE\x21\xD3\x7C\x85\x09\xAD\x4E\x9A\x75\x3A\xC2\x0B\x6A\x89\x78\x76\x44\x47\x18\x65\x6C\x8D\x41\x8E\x3B\x7F\x9A\xCB\xF4\xB5\xA7\x50\xD7\x05\x2C\x37\xE8\x03\x4B\xAD\xE9\x61\xA0\x02\x6E\xF5\xF2\xF0\xC5\xB2\xED\x5B\xB7\xDC\xFA\x94\x5C\x77\x9E\x13\xA5\x7F\x52\xAD\x95\xF2\xF8\x93\x3B\xDE\x8B\x5C\x5B\xCA\x5A\x52\x5B\x60\xAF\x14\xF7\x4B\xEF\xA3\xFB\x9F\x40\x95\x6D\x31\x54\xFC\x42\xD3\xC7\x46\x1F\x23\xAD\xD9\x0F\x48\x70\x9A\xD9\x75\x78\x71\xD1\x72\x43\x34\x75\x6E\x57\x59\xC2\x02\x5C\x26\x60\x29\xCF\x23\x19\x16\x8E\x88\x43\xA5\xD4\xE4\xCB\x08\xFB\x23\x11\x43\xE8\x43\x29\x72\x62\xA1\xA9\x5D\x5E\x08\xD4\x90\xAE\xB8\xD8\xCE\x14\xC2\xD0\x55\xF2\x86\xF6\xC4\x93\x43\x77\x66\x61\xC0\xB9\xE8\x41\xD7\x97\x78\x60\x03\x6E\x4A\x72\xAE\xA5\xD1\x7D\xBA\x10\x9E\x86\x6C\x1B\x8A\xB9\x59\x33\xF8\xEB\xC4\x90\xBE\xF1\xB9", + ["CN=Amazon Root CA 2,O=Amazon,C=US"] = 
"\x30\x82\x05\x41\x30\x82\x03\x29\xA0\x03\x02\x01\x02\x02\x13\x06\x6C\x9F\xD2\x96\x35\x86\x9F\x0A\x0F\xE5\x86\x78\xF8\x5B\x26\xBB\x8A\x37\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0C\x05\x00\x30\x39\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x0F\x30\x0D\x06\x03\x55\x04\x0A\x13\x06\x41\x6D\x61\x7A\x6F\x6E\x31\x19\x30\x17\x06\x03\x55\x04\x03\x13\x10\x41\x6D\x61\x7A\x6F\x6E\x20\x52\x6F\x6F\x74\x20\x43\x41\x20\x32\x30\x1E\x17\x0D\x31\x35\x30\x35\x32\x36\x30\x30\x30\x30\x30\x30\x5A\x17\x0D\x34\x30\x30\x35\x32\x36\x30\x30\x30\x30\x30\x30\x5A\x30\x39\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x0F\x30\x0D\x06\x03\x55\x04\x0A\x13\x06\x41\x6D\x61\x7A\x6F\x6E\x31\x19\x30\x17\x06\x03\x55\x04\x03\x13\x10\x41\x6D\x61\x7A\x6F\x6E\x20\x52\x6F\x6F\x74\x20\x43\x41\x20\x32\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\xAD\x96\x9F\x2D\x9C\x4A\x4C\x4A\x81\x79\x51\x99\xEC\x8A\xCB\x6B\x60\x51\x13\xBC\x4D\x6D\x06\xFC\xB0\x08\x8D\xDD\x19\x10\x6A\xC7\x26\x0C\x35\xD8\xC0\x6F\x20\x84\xE9\x94\xB1\x9B\x85\x03\xC3\x5B\xDB\x4A\xE8\xC8\xF8\x90\x76\xD9\x5B\x4F\xE3\x4C\xE8\x06\x36\x4D\xCC\x9A\xAC\x3D\x0C\x90\x2B\x92\xD4\x06\x19\x60\xAC\x37\x44\x79\x85\x81\x82\xAD\x5A\x37\xE0\x0D\xCC\x9D\xA6\x4C\x52\x76\xEA\x43\x9D\xB7\x04\xD1\x50\xF6\x55\xE0\xD5\xD2\xA6\x49\x85\xE9\x37\xE9\xCA\x7E\xAE\x5C\x95\x4D\x48\x9A\x3F\xAE\x20\x5A\x6D\x88\x95\xD9\x34\xB8\x52\x1A\x43\x90\xB0\xBF\x6C\x05\xB9\xB6\x78\xB7\xEA\xD0\xE4\x3A\x3C\x12\x53\x62\xFF\x4A\xF2\x7B\xBE\x35\x05\xA9\x12\x34\xE3\xF3\x64\x74\x62\x2C\x3D\x00\x49\x5A\x28\xFE\x32\x44\xBB\x87\xDD\x65\x27\x02\x71\x3B\xDA\x4A\xF7\x1F\xDA\xCD\xF7\x21\x55\x90\x4F\x0F\xEC\xAE\x82\xE1\x9F\x6B\xD9\x45\xD3\xBB\xF0\x5F\x87\xED\x3C\x2C\x39\x86\xDA\x3F\xDE\xEC\x72\x55\xEB\x79\xA3\xAD\xDB\xDD\x7C\xB0\xBA\x1C\xCE\xFC\xDE\x4F\x35\x76\xCF\x0F\xF8\x78\x1F\x6A\x36\x51\x46\x27\x61\x5B\xE9\x9E\xCF\xF0\xA2\x55\x7D\x7C\x25\x8A\x6F\x2F\xB4\xC5\xCF\x84\x2E\x2B\xFD\x0D\x51\x1
0\x6C\xFB\x5F\x1B\xBC\x1B\x7E\xC5\xAE\x3B\x98\x01\x31\x92\xFF\x0B\x57\xF4\x9A\xB2\xB9\x57\xE9\xAB\xEF\x0D\x76\xD1\xF0\xEE\xF4\xCE\x86\xA7\xE0\x6E\xE9\xB4\x69\xA1\xDF\x69\xF6\x33\xC6\x69\x2E\x97\x13\x9E\xA5\x87\xB0\x57\x10\x81\x37\xC9\x53\xB3\xBB\x7F\xF6\x92\xD1\x9C\xD0\x18\xF4\x92\x6E\xDA\x83\x4F\xA6\x63\x99\x4C\xA5\xFB\x5E\xEF\x21\x64\x7A\x20\x5F\x6C\x64\x85\x15\xCB\x37\xE9\x62\x0C\x0B\x2A\x16\xDC\x01\x2E\x32\xDA\x3E\x4B\xF5\x9E\x3A\xF6\x17\x40\x94\xEF\x9E\x91\x08\x86\xFA\xBE\x63\xA8\x5A\x33\xEC\xCB\x74\x43\x95\xF9\x6C\x69\x52\x36\xC7\x29\x6F\xFC\x55\x03\x5C\x1F\xFB\x9F\xBD\x47\xEB\xE7\x49\x47\x95\x0B\x4E\x89\x22\x09\x49\xE0\xF5\x61\x1E\xF1\xBF\x2E\x8A\x72\x6E\x80\x59\xFF\x57\x3A\xF9\x75\x32\xA3\x4E\x5F\xEC\xED\x28\x62\xD9\x4D\x73\xF2\xCC\x81\x17\x60\xED\xCD\xEB\xDC\xDB\xA7\xCA\xC5\x7E\x02\xBD\xF2\x54\x08\x54\xFD\xB4\x2D\x09\x2C\x17\x54\x4A\x98\xD1\x54\xE1\x51\x67\x08\xD2\xED\x6E\x7E\x6F\x3F\xD2\x2D\x81\x59\x29\x66\xCB\x90\x39\x95\x11\x1E\x74\x27\xFE\xDD\xEB\xAF\x02\x03\x01\x00\x01\xA3\x42\x30\x40\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x86\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xB0\x0C\xF0\x4C\x30\xF4\x05\x58\x02\x48\xFD\x33\xE5\x52\xAF\x4B\x84\xE3\x66\x52\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0C\x05\x00\x03\x82\x02\x01\x00\xAA\xA8\x80\x8F\x0E\x78\xA3\xE0\xA2\xD4\xCD\xE6\xF5\x98\x7A\x3B\xEA\x00\x03\xB0\x97\x0E\x93\xBC\x5A\xA8\xF6\x2C\x8C\x72\x87\xA9\xB1\xFC\x7F\x73\xFD\x63\x71\x78\xA5\x87\x59\xCF\x30\xE1\x0D\x10\xB2\x13\x5A\x6D\x82\xF5\x6A\xE6\x80\x9F\xA0\x05\x0B\x68\xE4\x47\x6B\xC7\x6A\xDF\xB6\xFD\x77\x32\x72\xE5\x18\xFA\x09\xF4\xA0\x93\x2C\x5D\xD2\x8C\x75\x85\x76\x65\x90\x0C\x03\x79\xB7\x31\x23\x63\xAD\x78\x83\x09\x86\x68\x84\xCA\xFF\xF9\xCF\x26\x9A\x92\x79\xE7\xCD\x4B\xC5\xE7\x61\xA7\x17\xCB\xF3\xA9\x12\x93\x93\x6B\xA7\xE8\x2F\x53\x92\xC4\x60\x58\xB0\xCC\x02\x51\x18\x5B\x85\x8D\x62\x59\x63\xB6\xAD\xB4\xDE\x9A\xFB\x26\xF7\x00\x27\xC0\x5D\x55\x37\x74\x99\xC9\x5
0\x7F\xE3\x59\x2E\x44\xE3\x2C\x25\xEE\xEC\x4C\x32\x77\xB4\x9F\x1A\xE9\x4B\x5D\x20\xC5\xDA\xFD\x1C\x87\x16\xC6\x43\xE8\xD4\xBB\x26\x9A\x45\x70\x5E\xA9\x0B\x37\x53\xE2\x46\x7B\x27\xFD\xE0\x46\xF2\x89\xB7\xCC\x42\xB6\xCB\x28\x26\x6E\xD9\xA5\xC9\x3A\xC8\x41\x13\x60\xF7\x50\x8C\x15\xAE\xB2\x6D\x1A\x15\x1A\x57\x78\xE6\x92\x2A\xD9\x65\x90\x82\x3F\x6C\x02\xAF\xAE\x12\x3A\x27\x96\x36\x04\xD7\x1D\xA2\x80\x63\xA9\x9B\xF1\xE5\xBA\xB4\x7C\x14\xB0\x4E\xC9\xB1\x1F\x74\x5F\x38\xF6\x51\xEA\x9B\xFA\x2C\xA2\x11\xD4\xA9\x2D\x27\x1A\x45\xB1\xAF\xB2\x4E\x71\x0D\xC0\x58\x46\xD6\x69\x06\xCB\x53\xCB\xB3\xFE\x6B\x41\xCD\x41\x7E\x7D\x4C\x0F\x7C\x72\x79\x7A\x59\xCD\x5E\x4A\x0E\xAC\x9B\xA9\x98\x73\x79\x7C\xB4\xF4\xCC\xB9\xB8\x07\x0C\xB2\x74\x5C\xB8\xC7\x6F\x88\xA1\x90\xA7\xF4\xAA\xF9\xBF\x67\x3A\xF4\x1A\x15\x62\x1E\xB7\x9F\xBE\x3D\xB1\x29\xAF\x67\xA1\x12\xF2\x58\x10\x19\x53\x03\x30\x1B\xB8\x1A\x89\xF6\x9C\xBD\x97\x03\x8E\xA3\x09\xF3\x1D\x8B\x21\xF1\xB4\xDF\xE4\x1C\xD1\x9F\x65\x02\x06\xEA\x5C\xD6\x13\xB3\x84\xEF\xA2\xA5\x5C\x8C\x77\x29\xA7\x68\xC0\x6B\xAE\x40\xD2\xA8\xB4\xEA\xCD\xF0\x8D\x4B\x38\x9C\x19\x9A\x1B\x28\x54\xB8\x89\x90\xEF\xCA\x75\x81\x3E\x1E\xF2\x64\x24\xC7\x18\xAF\x4E\xFF\x47\x9E\x07\xF6\x35\x65\xA4\xD3\x0A\x56\xFF\xF5\x17\x64\x6C\xEF\xA8\x22\x25\x49\x93\xB6\xDF\x00\x17\xDA\x58\x7E\x5D\xEE\xC5\x1B\xB0\xD1\xD1\x5F\x21\x10\xC7\xF9\xF3\xBA\x02\x0A\x27\x07\xC5\xF1\xD6\xC7\xD3\xE0\xFB\x09\x60\x6C", + ["CN=Amazon Root CA 3,O=Amazon,C=US"] = 
"\x30\x82\x01\xB6\x30\x82\x01\x5B\xA0\x03\x02\x01\x02\x02\x13\x06\x6C\x9F\xD5\x74\x97\x36\x66\x3F\x3B\x0B\x9A\xD9\xE8\x9E\x76\x03\xF2\x4A\x30\x0A\x06\x08\x2A\x86\x48\xCE\x3D\x04\x03\x02\x30\x39\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x0F\x30\x0D\x06\x03\x55\x04\x0A\x13\x06\x41\x6D\x61\x7A\x6F\x6E\x31\x19\x30\x17\x06\x03\x55\x04\x03\x13\x10\x41\x6D\x61\x7A\x6F\x6E\x20\x52\x6F\x6F\x74\x20\x43\x41\x20\x33\x30\x1E\x17\x0D\x31\x35\x30\x35\x32\x36\x30\x30\x30\x30\x30\x30\x5A\x17\x0D\x34\x30\x30\x35\x32\x36\x30\x30\x30\x30\x30\x30\x5A\x30\x39\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x0F\x30\x0D\x06\x03\x55\x04\x0A\x13\x06\x41\x6D\x61\x7A\x6F\x6E\x31\x19\x30\x17\x06\x03\x55\x04\x03\x13\x10\x41\x6D\x61\x7A\x6F\x6E\x20\x52\x6F\x6F\x74\x20\x43\x41\x20\x33\x30\x59\x30\x13\x06\x07\x2A\x86\x48\xCE\x3D\x02\x01\x06\x08\x2A\x86\x48\xCE\x3D\x03\x01\x07\x03\x42\x00\x04\x29\x97\xA7\xC6\x41\x7F\xC0\x0D\x9B\xE8\x01\x1B\x56\xC6\xF2\x52\xA5\xBA\x2D\xB2\x12\xE8\xD2\x2E\xD7\xFA\xC9\xC5\xD8\xAA\x6D\x1F\x73\x81\x3B\x3B\x98\x6B\x39\x7C\x33\xA5\xC5\x4E\x86\x8E\x80\x17\x68\x62\x45\x57\x7D\x44\x58\x1D\xB3\x37\xE5\x67\x08\xEB\x66\xDE\xA3\x42\x30\x40\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x86\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xAB\xB6\xDB\xD7\x06\x9E\x37\xAC\x30\x86\x07\x91\x70\xC7\x9C\xC4\x19\xB1\x78\xC0\x30\x0A\x06\x08\x2A\x86\x48\xCE\x3D\x04\x03\x02\x03\x49\x00\x30\x46\x02\x21\x00\xE0\x85\x92\xA3\x17\xB7\x8D\xF9\x2B\x06\xA5\x93\xAC\x1A\x98\x68\x61\x72\xFA\xE1\xA1\xD0\xFB\x1C\x78\x60\xA6\x43\x99\xC5\xB8\xC4\x02\x21\x00\x9C\x02\xEF\xF1\x94\x9C\xB3\x96\xF9\xEB\xC6\x2A\xF8\xB6\x2C\xFE\x3A\x90\x14\x16\xD7\x8C\x63\x24\x48\x1C\xDF\x30\x7D\xD5\x68\x3B", + ["CN=Amazon Root CA 4,O=Amazon,C=US"] = 
"\x30\x82\x01\xF2\x30\x82\x01\x78\xA0\x03\x02\x01\x02\x02\x13\x06\x6C\x9F\xD7\xC1\xBB\x10\x4C\x29\x43\xE5\x71\x7B\x7B\x2C\xC8\x1A\xC1\x0E\x30\x0A\x06\x08\x2A\x86\x48\xCE\x3D\x04\x03\x03\x30\x39\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x0F\x30\x0D\x06\x03\x55\x04\x0A\x13\x06\x41\x6D\x61\x7A\x6F\x6E\x31\x19\x30\x17\x06\x03\x55\x04\x03\x13\x10\x41\x6D\x61\x7A\x6F\x6E\x20\x52\x6F\x6F\x74\x20\x43\x41\x20\x34\x30\x1E\x17\x0D\x31\x35\x30\x35\x32\x36\x30\x30\x30\x30\x30\x30\x5A\x17\x0D\x34\x30\x30\x35\x32\x36\x30\x30\x30\x30\x30\x30\x5A\x30\x39\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x0F\x30\x0D\x06\x03\x55\x04\x0A\x13\x06\x41\x6D\x61\x7A\x6F\x6E\x31\x19\x30\x17\x06\x03\x55\x04\x03\x13\x10\x41\x6D\x61\x7A\x6F\x6E\x20\x52\x6F\x6F\x74\x20\x43\x41\x20\x34\x30\x76\x30\x10\x06\x07\x2A\x86\x48\xCE\x3D\x02\x01\x06\x05\x2B\x81\x04\x00\x22\x03\x62\x00\x04\xD2\xAB\x8A\x37\x4F\xA3\x53\x0D\xFE\xC1\x8A\x7B\x4B\xA8\x7B\x46\x4B\x63\xB0\x62\xF6\x2D\x1B\xDB\x08\x71\x21\xD2\x00\xE8\x63\xBD\x9A\x27\xFB\xF0\x39\x6E\x5D\xEA\x3D\xA5\xC9\x81\xAA\xA3\x5B\x20\x98\x45\x5D\x16\xDB\xFD\xE8\x10\x6D\xE3\x9C\xE0\xE3\xBD\x5F\x84\x62\xF3\x70\x64\x33\xA0\xCB\x24\x2F\x70\xBA\x88\xA1\x2A\xA0\x75\xF8\x81\xAE\x62\x06\xC4\x81\xDB\x39\x6E\x29\xB0\x1E\xFA\x2E\x5C\xA3\x42\x30\x40\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x86\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xD3\xEC\xC7\x3A\x65\x6E\xCC\xE1\xDA\x76\x9A\x56\xFB\x9C\xF3\x86\x6D\x57\xE5\x81\x30\x0A\x06\x08\x2A\x86\x48\xCE\x3D\x04\x03\x03\x03\x68\x00\x30\x65\x02\x30\x3A\x8B\x21\xF1\xBD\x7E\x11\xAD\xD0\xEF\x58\x96\x2F\xD6\xEB\x9D\x7E\x90\x8D\x2B\xCF\x66\x55\xC3\x2C\xE3\x28\xA9\x70\x0A\x47\x0E\xF0\x37\x59\x12\xFF\x2D\x99\x94\x28\x4E\x2A\x4F\x35\x4D\x33\x5A\x02\x31\x00\xEA\x75\x00\x4E\x3B\xC4\x3A\x94\x12\x91\xC9\x58\x46\x9D\x21\x13\x72\xA7\x88\x9C\x8A\xE4\x4C\x4A\xDB\x96\xD4\xAC\x8B\x6B\x6B\x49\x12\x53\x33\xAD\xD7\xE4\xBE\x24\xFC\xB5\x0A\x76\xD4\xA
5\xBC\x10", + ["CN=LuxTrust Global Root 2,O=LuxTrust S.A.,C=LU"] = "\x30\x82\x05\xC3\x30\x82\x03\xAB\xA0\x03\x02\x01\x02\x02\x14\x0A\x7E\xA6\xDF\x4B\x44\x9E\xDA\x6A\x24\x85\x9E\xE6\xB8\x15\xD3\x16\x7F\xBB\xB1\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x30\x46\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x4C\x55\x31\x16\x30\x14\x06\x03\x55\x04\x0A\x0C\x0D\x4C\x75\x78\x54\x72\x75\x73\x74\x20\x53\x2E\x41\x2E\x31\x1F\x30\x1D\x06\x03\x55\x04\x03\x0C\x16\x4C\x75\x78\x54\x72\x75\x73\x74\x20\x47\x6C\x6F\x62\x61\x6C\x20\x52\x6F\x6F\x74\x20\x32\x30\x1E\x17\x0D\x31\x35\x30\x33\x30\x35\x31\x33\x32\x31\x35\x37\x5A\x17\x0D\x33\x35\x30\x33\x30\x35\x31\x33\x32\x31\x35\x37\x5A\x30\x46\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x4C\x55\x31\x16\x30\x14\x06\x03\x55\x04\x0A\x0C\x0D\x4C\x75\x78\x54\x72\x75\x73\x74\x20\x53\x2E\x41\x2E\x31\x1F\x30\x1D\x06\x03\x55\x04\x03\x0C\x16\x4C\x75\x78\x54\x72\x75\x73\x74\x20\x47\x6C\x6F\x62\x61\x6C\x20\x52\x6F\x6F\x74\x20\x32\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\xD7\x85\x97\xBF\x11\x98\xE9\xF0\x62\x83\x4C\x3C\x87\xF9\x53\x6A\x37\x0B\xF2\x0F\x3C\x87\xCE\x6F\xDC\x26\x29\xBD\xC5\x89\xBA\xC9\x83\x3D\xF7\xEE\xCA\x5B\xC6\x6D\x49\x73\xB4\xC9\x46\xA3\x1B\x34\x13\x3F\xC1\x89\x45\x57\xF4\xD9\xB1\xFB\x36\x65\x4B\xFB\x08\xE2\x48\x71\x11\xC8\x6E\x3B\x9E\x9D\xDF\x89\x65\x37\xA6\x85\xF6\x3B\x44\x18\xB6\xC6\x37\x30\x62\x44\x92\x97\x69\x7D\x42\x30\x24\xE4\x0D\x0C\x89\x6B\x63\xDE\xC5\xE1\xDF\x4E\xA9\x14\x6C\x53\xE0\x61\xCE\xF6\x17\x2F\x1D\x3C\xBD\xE6\x22\x4C\x1D\x93\xF5\x10\xC4\xA1\x76\xEC\x6A\xDE\xC5\x6C\xDF\x96\xB4\x56\x40\x42\xC0\x62\x92\x30\xA1\x2D\x15\x94\xA0\xD2\x20\x06\x09\x6E\x6A\x6D\xE5\xEB\xB7\xBE\xD4\xF0\xF1\x15\x7C\x8B\xE6\x4E\xBA\x13\xCC\x4B\x27\x5E\x99\x3C\x17\x5D\x8F\x81\x7F\x33\x3D\x4F\xD3\x3F\x1B\xEC\x5C\x3F\xF0\x3C\x4C\x75\x6E\xF2\xA6\xD5\x9D\xDA\x2D\x07\x63\x02\xC6\x72\xE9\x94\xBC\x4C\x49\x95\x4F\x88\x52\xC8\xDB\xE8\x69\x82\xF8\xCC\x34\x5B
\x22\xF0\x86\xA7\x89\xBD\x48\x0A\x6D\x66\x81\x6D\xC8\xC8\x64\xFB\x01\xE1\xF4\xE1\xDE\xD9\x9E\xDD\xDB\x5B\xD4\x2A\x99\x26\x15\x1B\x1E\x4C\x92\x29\x82\x9E\xD5\x92\x81\x92\x41\x70\x19\xF7\xA4\xE5\x93\x4B\xBC\x77\x67\x31\xDD\x1C\xFD\x31\x70\x0D\x17\x99\x0C\xF9\x0C\x39\x19\x2A\x17\xB5\x30\x71\x55\xD5\x0F\xAE\x58\xE1\x3D\x2F\x34\x9B\xCF\x9F\xF6\x78\x85\xC2\x93\x7A\x72\x3E\x66\x8F\x9C\x16\x11\x60\x8F\x9E\x89\x6F\x67\xBE\xE0\x47\x5A\x3B\x0C\x9A\x67\x8B\xCF\x46\xC6\xAE\x38\xA3\xF2\xA7\xBC\xE6\xD6\x85\x6B\x33\x24\x70\x22\x4B\xCB\x08\x9B\xBB\xC8\xF8\x02\x29\x1D\xBE\x20\x0C\x46\xBF\x6B\x87\x9B\xB3\x2A\x66\x42\x35\x46\x6C\xAA\xBA\xAD\xF9\x98\x7B\xE9\x50\x55\x14\x31\xBF\xB1\xDA\x2D\xED\x80\xAD\x68\x24\xFB\x69\xAB\xD8\x71\x13\x30\xE6\x67\xB3\x87\x40\xFD\x89\x7E\xF2\x43\xD1\x11\xDF\x2F\x65\x2F\x64\xCE\x5F\x14\xB9\xB1\xBF\x31\xBD\x87\x78\x5A\x59\x65\x88\xAA\xFC\x59\x32\x48\x86\xD6\x4C\xB9\x29\x4B\x95\xD3\x76\xF3\x77\x25\x6D\x42\x1C\x38\x83\x4D\xFD\xA3\x5F\x9B\x7F\x2D\xAC\x79\x1B\x0E\x42\x31\x97\x63\xA4\xFB\x8A\x69\xD5\x22\x0D\x34\x90\x30\x2E\xA8\xB4\xE0\x6D\xB6\x94\xAC\xBC\x8B\x4E\xD7\x70\xFC\xC5\x38\x8E\x64\x25\xE1\x4D\x39\x90\xCE\xC9\x87\x84\x58\x71\x02\x03\x01\x00\x01\xA3\x81\xA8\x30\x81\xA5\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x42\x06\x03\x55\x1D\x20\x04\x3B\x30\x39\x30\x37\x06\x07\x2B\x81\x2B\x01\x01\x01\x0A\x30\x2C\x30\x2A\x06\x08\x2B\x06\x01\x05\x05\x07\x02\x01\x16\x1E\x68\x74\x74\x70\x73\x3A\x2F\x2F\x72\x65\x70\x6F\x73\x69\x74\x6F\x72\x79\x2E\x6C\x75\x78\x74\x72\x75\x73\x74\x2E\x6C\x75\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x1F\x06\x03\x55\x1D\x23\x04\x18\x30\x16\x80\x14\xFF\x18\x28\x76\xF9\x48\x05\x2C\xA1\xAE\xF1\x2B\x1B\x2B\xB2\x53\xF8\x4B\x7C\xB3\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xFF\x18\x28\x76\xF9\x48\x05\x2C\xA1\xAE\xF1\x2B\x1B\x2B\xB2\x53\xF8\x4B\x7C\xB3\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x03\x82\x02\x01\x00\x6A\x19\x14\xED\x6E\x79\xC1\x2C\x87\xD4\x0D\x70\x7E\xD7\xF6\x78
\xC9\x0B\x04\x4E\xC4\xB1\xCE\x93\x70\xFE\xB0\x54\xC0\x32\xCD\x99\x30\x64\x17\xBF\x0F\xE5\xE2\x33\xFD\x07\x36\x40\x72\x0E\x1A\xB6\x6A\x59\xD6\x00\xE5\x68\x20\xDD\x2E\x72\x0D\x1F\x6A\x64\x31\x20\x84\x7D\x49\xA6\x5A\x37\xEB\x45\xC9\x85\xF5\xD4\xC7\x17\x99\x07\xE6\x9B\x55\xE4\x0C\xE8\xA9\xB4\xCE\x8C\x5B\xB5\x11\x5C\xCF\x8A\x0E\x0D\xD6\xAC\x77\x81\xFE\x32\x9C\x24\x9E\x72\xCE\x54\xF3\xD0\x6F\xA2\x56\xD6\xEC\xC3\x37\x2C\x65\x58\xBE\x57\x00\x1A\xF2\x35\xFA\xEB\x7B\x31\x5D\xC2\xC1\x12\x3D\x96\x81\x88\x96\x89\xC1\x59\x5C\x7A\xE6\x7F\x70\x34\xE7\x83\xE2\xB1\xE1\xE1\xB8\x58\xEF\xD4\x95\xE4\x60\x9C\xF0\x96\x97\x72\x8C\xEB\x84\x02\x2E\x65\x8F\xA4\xB7\xD2\x7F\x67\xDD\xC8\xD3\x9E\x5C\xAA\xA9\xA4\xA0\x25\x14\x06\x9B\xEC\x4F\x7E\x2D\x0B\x7F\x1D\x75\xF1\x33\xD8\xED\xCE\xB8\x75\x6D\x3E\x5B\xB9\x98\x1D\x31\x0D\x56\xD8\x43\x0F\x30\x91\xB2\x04\x6B\xDD\x56\xBE\x95\x80\x55\x67\xBE\xD8\xCD\x83\xD9\x18\xEE\x2E\x0F\x86\x2D\x92\x9E\x70\x13\xEC\xDE\x51\xC9\x43\x78\x02\xA5\x4D\xC8\xF9\x5F\xC4\x91\x58\x46\x16\x77\x5A\x74\xAA\x40\xBC\x07\x9F\x30\xB9\xB1\xF7\x12\x17\xDD\xE3\xFF\x24\x40\x1D\x7A\x6A\xD1\x4F\x18\x0A\xAA\x90\x1D\xEB\x40\x1E\xDF\xA1\x1E\x44\x92\x10\x9A\xF2\x8D\xE1\xD1\x4B\x46\x9E\xE8\x45\x42\x97\xEA\x45\x99\xF3\xEC\x66\xD5\x02\xFA\xF2\xA6\x4A\x24\xAA\xDE\xCE\xB9\xCA\xF9\x3F\x93\x6F\xF9\xA3\xBA\xEA\xA5\x3E\x99\xAD\xFD\xFF\x7B\x99\xF5\x65\xEE\xF0\x59\x28\x67\xD7\x90\x95\xA4\x13\x84\xA9\x84\xC1\xE8\xCE\xCE\x75\x93\x63\x1A\xBC\x3C\xEA\xD5\x64\x1F\x2D\x2A\x12\x39\xC6\xC3\x5A\x32\xED\x47\x91\x16\x0E\xBC\x38\xC1\x50\xDE\x8F\xCA\x2A\x90\x34\x1C\xEE\x41\x94\x9C\x5E\x19\x2E\xF8\x45\x49\x99\x74\x91\xB0\x04\x6F\xE3\x04\x5A\xB1\xAB\x2A\xAB\xFE\xC7\xD0\x96\xB6\xDA\xE1\x4A\x64\x06\x6E\x60\x4D\xBD\x42\x4E\xFF\x78\xDA\x24\xCA\x1B\xB4\xD7\x96\x39\x6C\xAE\xF1\x0E\xAA\xA7\x7D\x48\x8B\x20\x4C\xCF\x64\xD6\xB8\x97\x46\xB0\x4E\xD1\x2A\x56\x3A\xA0\x93\xBD\xAF\x80\x24\xE0\x0A\x7E\xE7\xCA\xD5\xCA\xE8\x85\x55\xDC\x36\x2A\xE1\x94\x68\x93\xC7\x66\x72\x44\x0F\x80\x21\x32\x6C\x25\xC7\x23\x80\x83\x0A\xEB", + 
["CN=TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1,OU=Kamu Sertifikasyon Merkezi - Kamu SM,O=Turkiye Bilimsel ve Teknolojik Arastirma Kurumu - TUBITAK,L=Gebze - Kocaeli,C=TR"] = "\x30\x82\x04\x63\x30\x82\x03\x4B\xA0\x03\x02\x01\x02\x02\x01\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x30\x81\xD2\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x54\x52\x31\x18\x30\x16\x06\x03\x55\x04\x07\x13\x0F\x47\x65\x62\x7A\x65\x20\x2D\x20\x4B\x6F\x63\x61\x65\x6C\x69\x31\x42\x30\x40\x06\x03\x55\x04\x0A\x13\x39\x54\x75\x72\x6B\x69\x79\x65\x20\x42\x69\x6C\x69\x6D\x73\x65\x6C\x20\x76\x65\x20\x54\x65\x6B\x6E\x6F\x6C\x6F\x6A\x69\x6B\x20\x41\x72\x61\x73\x74\x69\x72\x6D\x61\x20\x4B\x75\x72\x75\x6D\x75\x20\x2D\x20\x54\x55\x42\x49\x54\x41\x4B\x31\x2D\x30\x2B\x06\x03\x55\x04\x0B\x13\x24\x4B\x61\x6D\x75\x20\x53\x65\x72\x74\x69\x66\x69\x6B\x61\x73\x79\x6F\x6E\x20\x4D\x65\x72\x6B\x65\x7A\x69\x20\x2D\x20\x4B\x61\x6D\x75\x20\x53\x4D\x31\x36\x30\x34\x06\x03\x55\x04\x03\x13\x2D\x54\x55\x42\x49\x54\x41\x4B\x20\x4B\x61\x6D\x75\x20\x53\x4D\x20\x53\x53\x4C\x20\x4B\x6F\x6B\x20\x53\x65\x72\x74\x69\x66\x69\x6B\x61\x73\x69\x20\x2D\x20\x53\x75\x72\x75\x6D\x20\x31\x30\x1E\x17\x0D\x31\x33\x31\x31\x32\x35\x30\x38\x32\x35\x35\x35\x5A\x17\x0D\x34\x33\x31\x30\x32\x35\x30\x38\x32\x35\x35\x35\x5A\x30\x81\xD2\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x54\x52\x31\x18\x30\x16\x06\x03\x55\x04\x07\x13\x0F\x47\x65\x62\x7A\x65\x20\x2D\x20\x4B\x6F\x63\x61\x65\x6C\x69\x31\x42\x30\x40\x06\x03\x55\x04\x0A\x13\x39\x54\x75\x72\x6B\x69\x79\x65\x20\x42\x69\x6C\x69\x6D\x73\x65\x6C\x20\x76\x65\x20\x54\x65\x6B\x6E\x6F\x6C\x6F\x6A\x69\x6B\x20\x41\x72\x61\x73\x74\x69\x72\x6D\x61\x20\x4B\x75\x72\x75\x6D\x75\x20\x2D\x20\x54\x55\x42\x49\x54\x41\x4B\x31\x2D\x30\x2B\x06\x03\x55\x04\x0B\x13\x24\x4B\x61\x6D\x75\x20\x53\x65\x72\x74\x69\x66\x69\x6B\x61\x73\x79\x6F\x6E\x20\x4D\x65\x72\x6B\x65\x7A\x69\x20\x2D\x20\x4B\x61\x6D\x75\x20\x53\x4D\x31\x36\x30\x34\x06\x03\x55\x04\x03\x13\x2D\x54\x55\x42\x49\x54\x41\x4B\x20\x4B\x61\x6D\
x75\x20\x53\x4D\x20\x53\x53\x4C\x20\x4B\x6F\x6B\x20\x53\x65\x72\x74\x69\x66\x69\x6B\x61\x73\x69\x20\x2D\x20\x53\x75\x72\x75\x6D\x20\x31\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xAF\x75\x30\x33\xAA\xBB\x6B\xD3\x99\x2C\x12\x37\x84\xD9\x8D\x7B\x97\x80\xD3\x6E\xE7\xFF\x9B\x50\x95\x3E\x90\x95\x56\x42\xD7\x19\x7C\x26\x84\x8D\x92\xFA\x01\x1D\x3A\x0F\xE2\x64\x38\xB7\x8C\xBC\xE8\x88\xF9\x8B\x24\xAB\x2E\xA3\xF5\x37\xE4\x40\x8E\x18\x25\x79\x83\x75\x1F\x3B\xFF\x6C\xA8\xC5\xC6\x56\xF8\xB4\xED\x8A\x44\xA3\xAB\x6C\x4C\xFC\x1D\xD0\xDC\xEF\x68\xBD\xCF\xE4\xAA\xCE\xF0\x55\xF7\xA2\x34\xD4\x83\x6B\x37\x7C\x1C\xC2\xFE\xB5\x03\xEC\x57\xCE\xBC\xB4\xB5\xC5\xED\x00\x0F\x53\x37\x2A\x4D\xF4\x4F\x0C\x83\xFB\x86\xCF\xCB\xFE\x8C\x4E\xBD\x87\xF9\xA7\x8B\x21\x57\x9C\x7A\xDF\x03\x67\x89\x2C\x9D\x97\x61\xA7\x10\xB8\x55\x90\x7F\x0E\x2D\x27\x38\x74\xDF\xE7\xFD\xDA\x4E\x12\xE3\x4D\x15\x22\x02\xC8\xE0\xE0\xFC\x0F\xAD\x8A\xD7\xC9\x54\x50\xCC\x3B\x0F\xCA\x16\x80\x84\xD0\x51\x56\xC3\x8E\x56\x7F\x89\x22\x33\x2F\xE6\x85\x0A\xBD\xA5\xA8\x1B\x36\xDE\xD3\xDC\x2C\x6D\x3B\xC7\x13\xBD\x59\x23\x2C\xE6\xE5\xA4\xF7\xD8\x0B\xED\xEA\x90\x40\x44\xA8\x95\xBB\x93\xD5\xD0\x80\x34\xB6\x46\x78\x0E\x1F\x00\x93\x46\xE1\xEE\xE9\xF9\xEC\x4F\x17\x02\x03\x01\x00\x01\xA3\x42\x30\x40\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x65\x3F\xC7\x8A\x86\xC6\x3C\xDD\x3C\x54\x5C\x35\xF8\x3A\xED\x52\x0C\x47\x57\xC8\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x03\x82\x01\x01\x00\x2A\x3F\xE1\xF1\x32\x8E\xAE\xE1\x98\x5C\x4B\x5E\xCF\x6B\x1E\x6A\x09\xD2\x22\xA9\x12\xC7\x5E\x57\x7D\x73\x56\x64\x80\x84\x7A\x93\xE4\x09\xB9\x10\xCD\x9F\x2A\x27\xE1\x00\x77\xBE\x48\xC8\x35\xA8\x81\x9F\xE4\xB8\x2C\xC9\x7F\x0E\xB0\xD2\x4B\x37\x5D\xEA\xB9\xD5\x0B\x5E\x34\xBD\xF4\x73\x29\xC3\xED\x26\x15\x9C\x7E\x08\x53\x8A\x58\x8D\xD0\x4B\
x28\xDF\xC1\xB3\xDF\x20\xF3\xF9\xE3\xE3\x3A\xDF\xCC\x9C\x94\xD8\x4E\x4F\xC3\x6B\x17\xB7\xF7\x72\xE8\xAD\x66\x33\xB5\x25\x53\xAB\xE0\xF8\x4C\xA9\x9D\xFD\xF2\x0D\xBA\xAE\xB9\xD9\xAA\xC6\x6B\xF9\x93\xBB\xAE\xAB\xB8\x97\x3C\x03\x1A\xBA\x43\xC6\x96\xB9\x45\x72\x38\xB3\xA7\xA1\x96\x3D\x91\x7B\x7E\xC0\x21\x53\x4C\x87\xED\xF2\x0B\x54\x95\x51\x93\xD5\x22\xA5\x0D\x8A\xF1\x93\x0E\x3E\x54\x0E\xB0\xD8\xC9\x4E\xDC\xF2\x31\x32\x56\xEA\x64\xF9\xEA\xB5\x9D\x16\x66\x42\x72\xF3\x7F\xD3\xB1\x31\x43\xFC\xA4\x8E\x17\xF1\x6D\x23\xAB\x94\x66\xF8\xAD\xFB\x0F\x08\x6E\x26\x2D\x7F\x17\x07\x09\xB2\x8C\xFB\x50\xC0\x9F\x96\x8D\xCF\xB6\xFD\x00\x9D\x5A\x14\x9A\xBF\x02\x44\xF5\xC1\xC2\x9F\x22\x5E\xA2\x0F\xA1\xE3", + ["CN=GDCA TrustAUTH R5 ROOT,O=GUANG DONG CERTIFICATE AUTHORITY CO.\,LTD.,C=CN"] = "\x30\x82\x05\x88\x30\x82\x03\x70\xA0\x03\x02\x01\x02\x02\x08\x7D\x09\x97\xFE\xF0\x47\xEA\x7A\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x30\x62\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x43\x4E\x31\x32\x30\x30\x06\x03\x55\x04\x0A\x0C\x29\x47\x55\x41\x4E\x47\x20\x44\x4F\x4E\x47\x20\x43\x45\x52\x54\x49\x46\x49\x43\x41\x54\x45\x20\x41\x55\x54\x48\x4F\x52\x49\x54\x59\x20\x43\x4F\x2E\x2C\x4C\x54\x44\x2E\x31\x1F\x30\x1D\x06\x03\x55\x04\x03\x0C\x16\x47\x44\x43\x41\x20\x54\x72\x75\x73\x74\x41\x55\x54\x48\x20\x52\x35\x20\x52\x4F\x4F\x54\x30\x1E\x17\x0D\x31\x34\x31\x31\x32\x36\x30\x35\x31\x33\x31\x35\x5A\x17\x0D\x34\x30\x31\x32\x33\x31\x31\x35\x35\x39\x35\x39\x5A\x30\x62\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x43\x4E\x31\x32\x30\x30\x06\x03\x55\x04\x0A\x0C\x29\x47\x55\x41\x4E\x47\x20\x44\x4F\x4E\x47\x20\x43\x45\x52\x54\x49\x46\x49\x43\x41\x54\x45\x20\x41\x55\x54\x48\x4F\x52\x49\x54\x59\x20\x43\x4F\x2E\x2C\x4C\x54\x44\x2E\x31\x1F\x30\x1D\x06\x03\x55\x04\x03\x0C\x16\x47\x44\x43\x41\x20\x54\x72\x75\x73\x74\x41\x55\x54\x48\x20\x52\x35\x20\x52\x4F\x4F\x54\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\xD9\xA3\x16\
xF0\xC8\x74\x74\x77\x9B\xEF\x33\x0D\x3B\x06\x7E\x55\xFC\xB5\x60\x8F\x76\x86\x12\x42\x7D\x56\x66\x3E\x88\x82\xED\x72\x63\x0E\x9E\x8B\xDD\x34\x2C\x02\x51\x51\xC3\x19\xFD\x59\x54\x84\xC9\xF1\x6B\xB3\x4C\xB0\xE9\xE8\x46\x5D\x38\xC6\xA2\xA7\x2E\x11\x57\xBA\x82\x15\xA2\x9C\x8F\x6D\xB0\x99\x4A\x0A\xF2\xEB\x89\x70\x63\x4E\x79\xC4\xB7\x5B\xBD\xA2\x5D\xB1\xF2\x41\x02\x2B\xAD\xA9\x3A\xA3\xEC\x79\x0A\xEC\x5F\x3A\xE3\xFD\xEF\x80\x3C\xAD\x34\x9B\x1A\xAB\x88\x26\x7B\x56\xA2\x82\x86\x1F\xEB\x35\x89\x83\x7F\x5F\xAE\x29\x4E\x3D\xB6\x6E\xEC\xAE\xC1\xF0\x27\x9B\xAE\xE3\xF4\xEC\xEF\xAE\x7F\xF7\x86\x3D\x72\x7A\xEB\xA5\xFB\x59\x4E\xA7\xEB\x95\x8C\x22\x39\x79\xE1\x2D\x08\x8F\xCC\xBC\x91\xB8\x41\xF7\x14\xC1\x23\xA9\xC3\xAD\x9A\x45\x44\xB3\xB2\xD7\x2C\xCD\xC6\x29\xE2\x50\x10\xAE\x5C\xCB\x82\x8E\x17\x18\x36\x7D\x97\xE6\x88\x9A\xB0\x4D\x34\x09\xF4\x2C\xB9\x5A\x66\x2A\xB0\x17\x9B\x9E\x1E\x76\x9D\x4A\x66\x31\x41\xDF\x3F\xFB\xC5\x06\xEF\x1B\xB6\x7E\x1A\x46\x36\xF7\x64\x63\x3B\xE3\x39\x18\x23\xE7\x67\x75\x14\xD5\x75\x57\x92\x37\xBD\xBE\x6A\x1B\x26\x50\xF2\x36\x26\x06\x90\xC5\x70\x01\x64\x6D\x76\x66\xE1\x91\xDB\x6E\x07\xC0\x61\x80\x2E\xB2\x2E\x2F\x8C\x70\xA7\xD1\x3B\x3C\xB3\x91\xE4\x6E\xB6\xC4\x3B\x70\xF2\x6C\x92\x97\x09\xCD\x47\x7D\x18\xC0\xF3\xBB\x9E\x0F\xD6\x8B\xAE\x07\xB6\x5A\x0F\xCE\x0B\x0C\x47\xA7\xE5\x3E\xB8\xBD\x7D\xC7\x9B\x35\xA0\x61\x97\x3A\x41\x75\x17\xCC\x2B\x96\x77\x2A\x92\x21\x1E\xD9\x95\x76\x20\x67\x68\xCF\x0D\xBD\xDF\xD6\x1F\x09\x6A\x9A\xE2\xCC\x73\x71\xA4\x2F\x7D\x12\x80\xB7\x53\x30\x46\x5E\x4B\x54\x99\x0F\x67\xC9\xA5\xC8\xF2\x20\xC1\x82\xEC\x9D\x11\xDF\xC2\x02\xFB\x1A\x3B\xD1\xED\x20\x9A\xEF\x65\x64\x92\x10\x0D\x2A\xE2\xDE\x70\xF1\x18\x67\x82\x8C\x61\xDE\xB8\xBC\xD1\x2F\x9C\xFB\x0F\xD0\x2B\xED\x1B\x76\xB9\xE4\x39\x55\xF8\xF8\xA1\x1D\xB8\xAA\x80\x00\x4C\x82\xE7\xB2\x7F\x09\xB8\xBC\x30\xA0\x2F\x0D\xF5\x52\x9E\x8E\xF7\x92\xB3\x0A\x00\x1D\x00\x54\x97\x06\xE0\xB1\x07\xD9\xC7\x0F\x5C\x65\x7D\x3C\x6D\x59\x57\xE4\xED\xA5\x8D\xE9\x40\x53\x9F\x15\x4B\xA0\x71\xF6\x1A\x21\xE3\xDA\x70\x06\x21\
x58\x14\x87\x85\x77\x79\xAA\x82\x79\x02\x03\x01\x00\x01\xA3\x42\x30\x40\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xE2\xC9\x40\x9F\x4D\xCE\xE8\x9A\xA1\x7C\xCF\x0E\x3F\x65\xC5\x29\x88\x6A\x19\x51\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x86\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x03\x82\x02\x01\x00\xD1\x49\x57\xE0\xA7\xCC\x68\x58\xBA\x01\x0F\x2B\x19\xCD\x8D\xB0\x61\x45\xAC\x11\xED\x63\x50\x69\xF8\x1F\x7F\xBE\x16\x8F\xFD\x9D\xEB\x0B\xAA\x32\x47\x76\xD2\x67\x24\xED\xBD\x7C\x33\x32\x97\x2A\xC7\x05\x86\x66\x0D\x17\x7D\x14\x15\x1B\xD4\xEB\xFD\x1F\x9A\xF6\x5E\x97\x69\xB7\x1A\x25\xA4\x0A\xB3\x91\x3F\x5F\x36\xAC\x8B\xEC\x57\xA8\x3E\xE7\x81\x8A\x18\x57\x39\x85\x74\x1A\x42\xC7\xE9\x5B\x13\x5F\x8F\xF9\x08\xE9\x92\x74\x8D\xF5\x47\xD2\xAB\x3B\xD6\xFB\x78\x66\x4E\x36\x7D\xF9\xE9\x92\xE9\x04\xDE\xFD\x49\x63\xFC\x6D\xFB\x14\x71\x93\x67\x2F\x47\x4A\xB7\xB9\xFF\x1E\x2A\x73\x70\x46\x30\xBF\x5A\xF2\x2F\x79\xA5\xE1\x8D\x0C\xD9\xF9\xB2\x63\x37\x8C\x37\x65\x85\x70\x6A\x5C\x5B\x09\x72\xB9\xAD\x63\x3C\xB1\xDD\xF8\xFC\x32\xBF\x37\x86\xE4\xBB\x8E\x98\x27\x7E\xBA\x1F\x16\xE1\x70\x11\xF2\x03\xDF\x25\x62\x32\x27\x26\x18\x32\x84\x9F\xFF\x00\x3A\x13\xBA\x9A\x4D\xF4\x4F\xB8\x14\x70\x22\xB1\xCA\x2B\x90\xCE\x29\xC1\x70\xF4\x2F\x9D\x7F\xF2\x90\x1E\xD6\x5A\xDF\xB7\x46\xFC\xE6\x86\xFA\xCB\xE0\x20\x76\x7A\xBA\xA6\xCB\xF5\x7C\xDE\x62\xA5\xB1\x8B\xEE\xDE\x82\x66\x8A\x4E\x3A\x30\x1F\x3F\x80\xCB\xAD\x27\xBA\x0C\x5E\xD7\xD0\xB1\x56\xCA\x77\x71\xB2\xB5\x75\xA1\x50\xA9\x40\x43\x17\xC2\x28\xD9\xCF\x52\x8B\x5B\xC8\x63\xD4\x42\x3E\xA0\x33\x7A\x46\x2E\xF7\x0A\x20\x46\x54\x7E\x6A\x4F\x31\xF1\x81\x7E\x42\x74\x38\x65\x73\x27\xEE\xC6\x7C\xB8\x8E\xD7\xA5\x3A\xD7\x98\xA1\x9C\x8C\x10\x55\xD3\xDB\x4B\xEC\x40\x90\xF2\xCD\x6E\x57\xD2\x62\x0E\x7C\x57\x93\xB1\xA7\x6D\xCD\x9D\x83\xBB\x2A\xE7\xE5\xB6\x3B\x71\x58\xAD\xFD\xD1\x45\xBC\x5A\x91\xEE\x53\x15\x6F\xD3\x45\x09\x75\x6E\xBA\x90\x5D\x1E\x04\xCF\x37\xDF\x1E\xA8\x66\xB1\
x8C\xE6\x20\x6A\xEF\xFC\x48\x4E\x74\x98\x42\xAF\x29\x6F\x2E\x6A\xC7\xFB\x7D\xD1\x66\x31\x22\xCC\x86\x00\x7E\x66\x83\x0C\x42\xF4\xBD\x34\x92\xC3\x1A\xEA\x4F\xCA\x7E\x72\x4D\x0B\x70\x8C\xA6\x48\xBB\xA6\xA1\x14\xF6\xFB\x58\x44\x99\x14\xAE\xAA\x0B\x93\x69\xA0\x29\x25\x4A\xA5\xCB\x2B\xDD\x8A\x66\x07\x16\x78\x15\x57\x71\x1B\xEC\xF5\x47\x84\xF3\x9E\x31\x37\x7A\xD5\x7F\x24\xAD\xE4\xBC\xFD\xFD\xCC\x6E\x83\xE8\x0C\xA8\xB7\x41\x6C\x07\xDD\xBD\x3C\x86\x97\x2F\xD2", + ["CN=TrustCor RootCert CA-1,OU=TrustCor Certificate Authority,O=TrustCor Systems S. de R.L.,L=Panama City,ST=Panama,C=PA"] = "\x30\x82\x04\x30\x30\x82\x03\x18\xA0\x03\x02\x01\x02\x02\x09\x00\xDA\x9B\xEC\x71\xF3\x03\xB0\x19\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x30\x81\xA4\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x50\x41\x31\x0F\x30\x0D\x06\x03\x55\x04\x08\x0C\x06\x50\x61\x6E\x61\x6D\x61\x31\x14\x30\x12\x06\x03\x55\x04\x07\x0C\x0B\x50\x61\x6E\x61\x6D\x61\x20\x43\x69\x74\x79\x31\x24\x30\x22\x06\x03\x55\x04\x0A\x0C\x1B\x54\x72\x75\x73\x74\x43\x6F\x72\x20\x53\x79\x73\x74\x65\x6D\x73\x20\x53\x2E\x20\x64\x65\x20\x52\x2E\x4C\x2E\x31\x27\x30\x25\x06\x03\x55\x04\x0B\x0C\x1E\x54\x72\x75\x73\x74\x43\x6F\x72\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x31\x1F\x30\x1D\x06\x03\x55\x04\x03\x0C\x16\x54\x72\x75\x73\x74\x43\x6F\x72\x20\x52\x6F\x6F\x74\x43\x65\x72\x74\x20\x43\x41\x2D\x31\x30\x1E\x17\x0D\x31\x36\x30\x32\x30\x34\x31\x32\x33\x32\x31\x36\x5A\x17\x0D\x32\x39\x31\x32\x33\x31\x31\x37\x32\x33\x31\x36\x5A\x30\x81\xA4\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x50\x41\x31\x0F\x30\x0D\x06\x03\x55\x04\x08\x0C\x06\x50\x61\x6E\x61\x6D\x61\x31\x14\x30\x12\x06\x03\x55\x04\x07\x0C\x0B\x50\x61\x6E\x61\x6D\x61\x20\x43\x69\x74\x79\x31\x24\x30\x22\x06\x03\x55\x04\x0A\x0C\x1B\x54\x72\x75\x73\x74\x43\x6F\x72\x20\x53\x79\x73\x74\x65\x6D\x73\x20\x53\x2E\x20\x64\x65\x20\x52\x2E\x4C\x2E\x31\x27\x30\x25\x06\x03\x55\x04\x0B\x0C\x1E\x54\x72\x75\x73\x74\x43\x6F\x72\x20\x43\x65\x
72\x74\x69\x66\x69\x63\x61\x74\x65\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x31\x1F\x30\x1D\x06\x03\x55\x04\x03\x0C\x16\x54\x72\x75\x73\x74\x43\x6F\x72\x20\x52\x6F\x6F\x74\x43\x65\x72\x74\x20\x43\x41\x2D\x31\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xBF\x8E\xB7\x95\xE2\xC2\x26\x12\x6B\x33\x19\xC7\x40\x58\x0A\xAB\x59\xAA\x8D\x00\xA3\xFC\x80\xC7\x50\x7B\x8E\xD4\x20\x26\xBA\x32\x12\xD8\x23\x54\x49\x25\x10\x22\x98\x9D\x46\xD2\xC1\xC9\x9E\x4E\x1B\x2E\x2C\x0E\x38\xF3\x1A\x25\x68\x1C\xA6\x5A\x05\xE6\x1E\x8B\x48\xBF\x98\x96\x74\x3E\x69\xCA\xE9\xB5\x78\xA5\x06\xBC\xD5\x00\x5E\x09\x0A\xF2\x27\x7A\x52\xFC\x2D\xD5\xB1\xEA\xB4\x89\x61\x24\xF3\x1A\x13\xDB\xA9\xCF\x52\xED\x0C\x24\xBA\xB9\x9E\xEC\x7E\x00\x74\xFA\x93\xAD\x6C\x29\x92\xAE\x51\xB4\xBB\xD3\x57\xBF\xB3\xF3\xA8\x8D\x9C\xF4\x24\x4B\x2A\xD6\x99\x9E\xF4\x9E\xFE\xC0\x7E\x42\x3A\xE7\x0B\x95\x53\xDA\xB7\x68\x0E\x90\x4C\xFB\x70\x3F\x8F\x4A\x2C\x94\xF3\x26\xDD\x63\x69\xA9\x94\xD8\x10\x4E\xC5\x47\x08\x90\x99\x1B\x17\x4D\xB9\x6C\x6E\xEF\x60\x95\x11\x8E\x21\x80\xB5\xBD\xA0\x73\xD8\xD0\xB2\x77\xC4\x45\xEA\x5A\x26\xFB\x66\x76\x76\xF8\x06\x1F\x61\x6D\x0F\x55\xC5\x83\xB7\x10\x56\x72\x06\x07\xA5\xF3\xB1\x1A\x03\x05\x64\x0E\x9D\x5A\x8A\xD6\x86\x70\x1B\x24\xDE\xFE\x28\x8A\x2B\xD0\x6A\xB0\xFC\x7A\xA2\xDC\xB2\x79\x0E\x8B\x65\x0F\x02\x03\x01\x00\x01\xA3\x63\x30\x61\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xEE\x6B\x49\x3C\x7A\x3F\x0D\xE3\xB1\x09\xB7\x8A\xC8\xAB\x19\x9F\x73\x33\x50\xE7\x30\x1F\x06\x03\x55\x1D\x23\x04\x18\x30\x16\x80\x14\xEE\x6B\x49\x3C\x7A\x3F\x0D\xE3\xB1\x09\xB7\x8A\xC8\xAB\x19\x9F\x73\x33\x50\xE7\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x86\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x03\x82\x01\x01\x00\x25\x18\xD4\x91\x8F\x13\xEE\x8F\x1E\x1D\x11\x53\xDA\x2D\x44\x29\x19\xA0\x1E\x6B\x31\x9E\x4D\x0E\x9E\xAD\x3D\x5C\x41\x6F\x95\x2B\x24\x
A1\x79\x98\x3A\x38\x36\xFB\xBB\x66\x9E\x48\xFF\x90\x90\xEF\x3D\xD4\xB8\x9B\xB4\x87\x75\x3F\x20\x9B\xCE\x72\xCF\xA1\x55\xC1\x4D\x64\xA2\x19\x06\xA1\x07\x33\x0C\x0B\x29\xE5\xF1\xEA\xAB\xA3\xEC\xB5\x0A\x74\x90\xC7\x7D\x72\xF2\xD7\x5C\x9F\x91\xEF\x91\x8B\xB7\xDC\xED\x66\xA2\xCF\x8E\x66\x3B\xBC\x9F\x3A\x02\xE0\x27\xDD\x16\x98\xC0\x95\xD4\x0A\xA4\xE4\x81\x9A\x75\x94\x35\x9C\x90\x5F\x88\x37\x06\xAD\x59\x95\x0A\xB0\xD1\x67\xD3\x19\xCA\x89\xE7\x32\x5A\x36\x1C\x3E\x82\xA8\x5A\x93\xBE\xC6\xD0\x64\x91\xB6\xCF\xD9\xB6\x18\xCF\xDB\x7E\xD2\x65\xA3\xA6\xC4\x8E\x17\x31\xC1\xFB\x7E\x76\xDB\xD3\x85\xE3\x58\xB2\x77\x7A\x76\x3B\x6C\x2F\x50\x1C\xE7\xDB\xF6\x67\x79\x1F\xF5\x82\x95\x9A\x07\xA7\x14\xAF\x8F\xDC\x28\x21\x67\x09\xD2\xD6\x4D\x5A\x1C\x19\x1C\x8E\x77\x5C\xC3\x94\x24\x3D\x32\x6B\x4B\x7E\xD4\x78\x94\x83\xBE\x37\x4D\xCE\x5F\xC7\x1E\x4E\x3C\xE0\x89\x33\x95\x0B\x0F\xA5\x32\xD6\x3C\x5A\x79\x2C\x19", + ["CN=TrustCor RootCert CA-2,OU=TrustCor Certificate Authority,O=TrustCor Systems S. de R.L.,L=Panama City,ST=Panama,C=PA"] = 
"\x30\x82\x06\x2F\x30\x82\x04\x17\xA0\x03\x02\x01\x02\x02\x08\x25\xA1\xDF\xCA\x33\xCB\x59\x02\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x30\x81\xA4\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x50\x41\x31\x0F\x30\x0D\x06\x03\x55\x04\x08\x0C\x06\x50\x61\x6E\x61\x6D\x61\x31\x14\x30\x12\x06\x03\x55\x04\x07\x0C\x0B\x50\x61\x6E\x61\x6D\x61\x20\x43\x69\x74\x79\x31\x24\x30\x22\x06\x03\x55\x04\x0A\x0C\x1B\x54\x72\x75\x73\x74\x43\x6F\x72\x20\x53\x79\x73\x74\x65\x6D\x73\x20\x53\x2E\x20\x64\x65\x20\x52\x2E\x4C\x2E\x31\x27\x30\x25\x06\x03\x55\x04\x0B\x0C\x1E\x54\x72\x75\x73\x74\x43\x6F\x72\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x31\x1F\x30\x1D\x06\x03\x55\x04\x03\x0C\x16\x54\x72\x75\x73\x74\x43\x6F\x72\x20\x52\x6F\x6F\x74\x43\x65\x72\x74\x20\x43\x41\x2D\x32\x30\x1E\x17\x0D\x31\x36\x30\x32\x30\x34\x31\x32\x33\x32\x32\x33\x5A\x17\x0D\x33\x34\x31\x32\x33\x31\x31\x37\x32\x36\x33\x39\x5A\x30\x81\xA4\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x50\x41\x31\x0F\x30\x0D\x06\x03\x55\x04\x08\x0C\x06\x50\x61\x6E\x61\x6D\x61\x31\x14\x30\x12\x06\x03\x55\x04\x07\x0C\x0B\x50\x61\x6E\x61\x6D\x61\x20\x43\x69\x74\x79\x31\x24\x30\x22\x06\x03\x55\x04\x0A\x0C\x1B\x54\x72\x75\x73\x74\x43\x6F\x72\x20\x53\x79\x73\x74\x65\x6D\x73\x20\x53\x2E\x20\x64\x65\x20\x52\x2E\x4C\x2E\x31\x27\x30\x25\x06\x03\x55\x04\x0B\x0C\x1E\x54\x72\x75\x73\x74\x43\x6F\x72\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x31\x1F\x30\x1D\x06\x03\x55\x04\x03\x0C\x16\x54\x72\x75\x73\x74\x43\x6F\x72\x20\x52\x6F\x6F\x74\x43\x65\x72\x74\x20\x43\x41\x2D\x32\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\xA7\x20\x6E\xC2\x2A\xA2\x62\x24\x95\x90\x76\xC8\x38\x7E\x80\xD2\xAB\xC1\x9B\x65\x05\x94\xF4\xC1\x0A\x10\xD5\x02\xAC\xED\x9F\x93\xC7\x87\xC8\xB0\x27\x2B\x42\x0C\x3D\x0A\x3E\x41\x5A\x9E\x75\xDD\x8D\xCA\xE0\x9B\xEC\x68\x32\xA4\x69\x92\x68\x8C\x0B\x81\x0
E\x56\xA0\x3E\x1A\xDD\x2C\x25\x14\x82\x2F\x97\xD3\x64\x46\xF4\x54\xA9\xDC\x3A\x54\x2D\x31\x2B\x99\x82\xF2\xD9\x2A\xD7\xEF\x71\x00\xB8\x31\xA4\xBE\x7A\x24\x07\xC3\x42\x20\xF2\x8A\xD4\x92\x04\x1B\x65\x56\x4C\x6C\xD4\xFB\xB6\x61\x5A\x47\x23\xB4\xD8\x69\xB4\xB7\x3A\xD0\x74\x3C\x0C\x75\xA1\x8C\x4E\x76\xA1\xE9\xDB\x2A\xA5\x3B\xFA\xCE\xB0\xFF\x7E\x6A\x28\xFD\x27\x1C\xC8\xB1\xE9\x29\xF1\x57\x6E\x64\xB4\xD0\xC1\x15\x6D\x0E\xBE\x2E\x0E\x46\xC8\x5E\xF4\x51\xFE\xEF\x0E\x63\x3A\x3B\x71\xBA\xCF\x6F\x59\xCA\x0C\xE3\x9B\x5D\x49\xB8\x4C\xE2\x57\xB1\x98\x8A\x42\x57\x9C\x76\xEF\xEF\xBD\xD1\x68\xA8\xD2\xF4\x09\xBB\x77\x35\xBE\x25\x82\x08\xC4\x16\x2C\x44\x20\x56\xA9\x44\x11\x77\xEF\x5D\xB4\x1D\xAA\x5E\x6B\x3E\x8B\x32\xF6\x07\x2F\x57\x04\x92\xCA\xF5\xFE\x9D\xC2\xE9\xE8\xB3\x8E\x4C\x4B\x02\x31\xD9\xE4\x3C\x48\x82\x27\xF7\x18\x82\x76\x48\x3A\x71\xB1\x13\xA1\x39\xD5\x2E\xC5\x34\xC2\x1D\x62\x85\xDF\x03\xFE\x4D\xF4\xAF\x3D\xDF\x5C\x5B\x8D\xFA\x70\xE1\xA5\x7E\x27\xC7\x86\x2E\x6A\x8F\x12\xC6\x84\x5E\x43\x51\x50\x9C\x19\x9B\x78\xE6\xFC\xF6\xED\x47\x7E\x7B\x3D\x66\xEF\x13\x13\x88\x5F\x3C\xA1\x63\xFB\xF9\xAC\x87\x35\x9F\xF3\x82\x9E\xA4\x3F\x0A\x9C\x31\x69\x8B\x99\xA4\x88\x4A\x8E\x6E\x66\x4D\xEF\x16\xC4\x0F\x79\x28\x21\x60\x0D\x85\x16\x7D\xD7\x54\x38\xF1\x92\x56\xFD\xB5\x33\x4C\x83\xDC\xD7\x10\x9F\x4B\xFD\xC6\xF8\x42\xBD\xBA\x7C\x73\x02\xE0\xFF\x7D\xCD\x5B\xE1\xD4\xAC\x61\x7B\x57\xD5\x4A\x7B\x5B\xD4\x85\x58\x27\x5D\xBF\xF8\x2B\x60\xAC\xA0\x26\xAE\x14\x21\x27\xC6\x77\x9A\x33\x80\x3C\x5E\x46\x3F\xF7\xC3\xB1\xA3\x86\x33\xC6\xE8\x5E\x0D\xB9\x35\x2C\xAA\x46\xC1\x85\x02\x75\x80\xA0\xEB\x24\xFB\x15\xAA\xE4\x67\x7F\x6E\x77\x3F\xF4\x04\x8A\x2F\x7C\x7B\xE3\x17\x61\xF0\xDD\x09\xA9\x20\xC8\xBE\x09\xA4\xD0\x7E\x44\xC3\xB2\x30\x4A\x38\xAA\xA9\xEC\x18\x9A\x07\x82\x2B\xDB\xB8\x9C\x18\xAD\xDA\xE0\x46\x17\xAC\xCF\x5D\x02\x03\x01\x00\x01\xA3\x63\x30\x61\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xD9\xFE\x21\x40\x6E\x94\x9E\xBC\x9B\x3D\x9C\x7D\x98\x20\x19\xE5\x8C\x30\x62\xB2\x30\x1F\x06\x03\x55\x1D\x23\x04\x18\x30\x1
6\x80\x14\xD9\xFE\x21\x40\x6E\x94\x9E\xBC\x9B\x3D\x9C\x7D\x98\x20\x19\xE5\x8C\x30\x62\xB2\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x86\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x03\x82\x02\x01\x00\x9E\x45\x9E\x0C\x3B\xB6\xEF\xE1\x3A\xC8\x7C\xD1\x00\x3D\xCF\xE2\xEA\x06\xB5\xB2\x3A\xBB\x06\x4B\x68\x7A\xD0\x23\x97\x74\xA7\x2C\xF0\x08\xD8\x79\x5A\xD7\x5A\x84\x8A\xD8\x12\x9A\x1B\xD9\x7D\x5C\x4D\x70\xC5\xA5\xF9\xAB\xE5\xA3\x89\x89\xDD\x01\xFA\xEC\xDD\xF9\xE9\x92\x97\xDB\xB0\x46\x42\xF3\xD3\x62\xAA\x95\xFE\x31\x67\x14\x69\x58\x90\x0A\xAA\x0B\xEE\x37\x23\xC7\x50\x51\xB4\xF5\x7E\x9E\xE3\x7B\xF7\xE4\xCC\x42\x32\x2D\x49\x0C\xCB\xFF\x49\x0C\x9B\x1E\x34\xFD\x6E\x6E\x96\x8A\x79\x03\xB6\x6F\xDB\x09\xCB\xFD\x5F\x65\x14\x37\xE1\x38\xF5\xF3\x61\x16\x58\xE4\xB5\x6D\x0D\x0B\x04\x1B\x3F\x50\x2D\x7F\xB3\xC7\x7A\x1A\x16\x80\x60\xF8\x8A\x1F\xE9\x1B\x2A\xC6\xF9\xBA\x01\x1A\x69\xBF\xD2\x58\xC7\x54\x57\x08\x8F\xE1\x39\x60\x77\x4B\xAC\x59\x84\x1A\x88\xF1\xDD\xCB\x4F\x78\xD7\xE7\xE1\x33\x2D\xFC\xEE\x41\xFA\x20\xB0\xBE\xCB\xF7\x38\x94\xC0\xE1\xD0\x85\x0F\xBB\xED\x2C\x73\xAB\xED\xFE\x92\x76\x1A\x64\x7F\x5B\x0D\x33\x09\x07\x33\x7B\x06\x3F\x11\xA4\x5C\x70\x3C\x85\xC0\xCF\xE3\x90\xA8\x83\x77\xFA\xDB\xE6\xC5\x8C\x68\x67\x10\x67\xA5\x52\x2D\xF0\xC4\x99\x8F\x7F\xBF\xD1\x6B\xE2\xB5\x47\xD6\xD9\xD0\x85\x99\x4D\x94\x9B\x0F\x4B\x8D\xEE\x00\x5A\x47\x1D\x11\x03\xAC\x41\x18\xAF\x87\xB7\x6F\x0C\x3A\x8F\xCA\xCF\xDC\x03\xC1\xA2\x09\xC8\xE5\xFD\x80\x5E\xC8\x60\x42\x01\x1B\x1A\x53\x5A\xBB\x37\xA6\xB7\xBC\xBA\x84\xE9\x1E\x6C\x1A\xD4\x64\xDA\xD4\x43\xFE\x93\x8B\x4B\xF2\x2C\x79\x16\x10\xD4\x93\x0B\x88\x8F\xA1\xD8\x86\x14\x46\x91\x47\x9B\x28\x24\xEF\x57\x52\x4E\x5C\x42\x9C\xAA\xF7\x49\xEC\x27\xE8\x40\x1E\xB3\xA6\x89\x22\x72\x9C\xF5\x0D\x33\xB4\x58\xA3\x30\x3B\xDD\xD4\x6A\x54\x93\xBE\x1A\x4D\xF3\x93\x94\xF7\xFC\x84\x0B\x3F\x84\x20\x5C\x34\x03\x44\xC5\xDA\xAD\xBC\x0A\xC1\x02\xCF\x1E\xE5\x94\xD9\xF3\x8E\x5B\xD8\x4C\xF
0\x9D\xEC\x61\x17\xBB\x14\x32\x54\x0C\x02\x29\x93\x1E\x92\x86\xF6\x7F\xEF\xE7\x92\x05\x0E\x59\xDD\x99\x08\x2E\x2E\xFA\x9C\x00\x52\xD3\xC5\x66\x29\xE4\xA7\x97\x44\xA4\x0E\x28\x81\x13\x35\xC5\xF6\x6F\x64\xE6\x41\xC4\xD5\x2F\xCC\x34\x45\x25\xCF\x41\x00\x96\x3D\x4A\x2E\xC2\x96\x98\x4F\x4E\x4A\x9C\x97\xB7\xDB\x1F\x92\x32\xC8\xFF\x0F\x51\x6E\xD6\xEC\x09", + ["CN=TrustCor ECA-1,OU=TrustCor Certificate Authority,O=TrustCor Systems S. de R.L.,L=Panama City,ST=Panama,C=PA"] = "\x30\x82\x04\x20\x30\x82\x03\x08\xA0\x03\x02\x01\x02\x02\x09\x00\x84\x82\x2C\x5F\x1C\x62\xD0\x40\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x30\x81\x9C\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x50\x41\x31\x0F\x30\x0D\x06\x03\x55\x04\x08\x0C\x06\x50\x61\x6E\x61\x6D\x61\x31\x14\x30\x12\x06\x03\x55\x04\x07\x0C\x0B\x50\x61\x6E\x61\x6D\x61\x20\x43\x69\x74\x79\x31\x24\x30\x22\x06\x03\x55\x04\x0A\x0C\x1B\x54\x72\x75\x73\x74\x43\x6F\x72\x20\x53\x79\x73\x74\x65\x6D\x73\x20\x53\x2E\x20\x64\x65\x20\x52\x2E\x4C\x2E\x31\x27\x30\x25\x06\x03\x55\x04\x0B\x0C\x1E\x54\x72\x75\x73\x74\x43\x6F\x72\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x31\x17\x30\x15\x06\x03\x55\x04\x03\x0C\x0E\x54\x72\x75\x73\x74\x43\x6F\x72\x20\x45\x43\x41\x2D\x31\x30\x1E\x17\x0D\x31\x36\x30\x32\x30\x34\x31\x32\x33\x32\x33\x33\x5A\x17\x0D\x32\x39\x31\x32\x33\x31\x31\x37\x32\x38\x30\x37\x5A\x30\x81\x9C\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x50\x41\x31\x0F\x30\x0D\x06\x03\x55\x04\x08\x0C\x06\x50\x61\x6E\x61\x6D\x61\x31\x14\x30\x12\x06\x03\x55\x04\x07\x0C\x0B\x50\x61\x6E\x61\x6D\x61\x20\x43\x69\x74\x79\x31\x24\x30\x22\x06\x03\x55\x04\x0A\x0C\x1B\x54\x72\x75\x73\x74\x43\x6F\x72\x20\x53\x79\x73\x74\x65\x6D\x73\x20\x53\x2E\x20\x64\x65\x20\x52\x2E\x4C\x2E\x31\x27\x30\x25\x06\x03\x55\x04\x0B\x0C\x1E\x54\x72\x75\x73\x74\x43\x6F\x72\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x31\x17\x30\x15\x06\x03\x55\x04\x03\x0C\x0E\x54\x72\x75\x73\x74\x43\x6F
\x72\x20\x45\x43\x41\x2D\x31\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xCF\x8F\xE0\x11\xB5\x9F\xA8\x76\x76\xDB\xDF\x0F\x54\xEF\x73\x63\x29\x82\xAD\x47\xC6\xA3\x6B\xED\xFE\x5F\x33\xF8\x43\x51\xE9\x1A\x33\x91\x31\x17\xA0\x74\xC4\xD4\xA7\x01\xE6\xB2\x92\x3E\x6A\x9D\xED\x0E\xF9\x74\x98\x40\xD3\x3F\x03\x80\x06\x82\x40\xE8\xB1\xE2\xA7\x51\xA7\x1D\x83\x26\x6B\xAB\xDE\xFA\x17\x91\x2B\xD8\xC6\xAC\x1E\xB1\x9E\x19\x01\xD5\x97\xA6\xEA\x0D\xB7\xC4\x55\x1F\x27\x7C\xD2\x08\xD5\x76\x1F\x29\x15\x87\x40\x39\xDD\x38\x45\x11\x75\xD0\x9A\xA7\x34\xE0\xBF\xCD\xC8\x52\x1D\xB9\x47\x7E\x0D\xB8\xBB\xC6\x0C\xF6\x73\x57\x16\x5A\x7E\x43\x91\x1F\x55\x3A\xC6\x6D\x44\x04\xAA\x9C\xA9\x9C\xA7\x4C\x89\x17\x83\xAE\xA3\x04\x5E\x52\x80\x8B\x1E\x12\x25\x11\x19\xD7\x0C\x7D\x7D\x31\x44\x41\xEA\xDB\xAF\xB0\x1C\xEF\x81\xD0\x2C\xC5\x9A\x21\x9B\x3D\xED\x42\x3B\x50\x26\xF2\xEC\xCE\x71\x61\x06\x62\x21\x54\x4E\x7F\xC1\x9D\x3E\x7F\x20\x8C\x80\xCB\x2A\xD8\x97\x62\xC8\x83\x33\x91\x7D\xB0\xA2\x5A\x0F\x57\xE8\x3B\xCC\xF2\x25\xB2\xD4\x7C\x2F\xEC\x4D\xC6\xA1\x3A\x15\x7A\xE7\xB6\x5D\x35\xF5\xF6\x48\x4A\x36\x45\x66\xD4\xBA\x98\x58\xC1\x02\x03\x01\x00\x01\xA3\x63\x30\x61\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x44\x9E\x48\xF5\xCC\x6D\x48\xD4\xA0\x4B\x7F\xFE\x59\x24\x2F\x83\x97\x99\x9A\x86\x30\x1F\x06\x03\x55\x1D\x23\x04\x18\x30\x16\x80\x14\x44\x9E\x48\xF5\xCC\x6D\x48\xD4\xA0\x4B\x7F\xFE\x59\x24\x2F\x83\x97\x99\x9A\x86\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x86\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x03\x82\x01\x01\x00\x05\x3E\x35\x5C\x15\x70\x9B\xC9\xC7\x73\x61\x6F\x72\x2B\xD4\xC2\x8F\xF2\x43\x5D\x02\xCE\xC4\x94\xB9\x94\x11\x83\x67\x5D\xE2\x67\x6C\x75\x76\xBF\xBB\x0C\xAA\x36\xC6\xAD\x47\x93\x63\xDC\x1E\x7E\xD6\xDE\x2E\xFE\xE9\x19\x32\x38\x03\x7F\x14\xF6\x00\x73\x2C\x59\xB1\x21\x06\xE1\xFB\xAC\x18\x95\x0C\xA3\xFF\x99\x96\xF7
\x2B\x27\x9B\xD5\x24\xCC\x1D\xDD\xC1\x3A\xE0\x98\x44\xB0\xC4\xE4\x3E\x77\xB1\x73\xA9\x64\x2C\xF6\x1C\x01\x7C\x3F\x5D\x45\x85\xC0\x85\xE7\x25\x8F\x95\xDC\x17\xF3\x3C\x9F\x1A\x6E\xB0\xCA\xE3\x1D\x2A\xE9\x4C\x63\xFA\x24\x61\x62\xD6\xDA\x7E\xB6\x1C\x6C\xF5\x02\x1D\xD4\x2A\xDD\x55\x90\xEB\x2A\x11\x47\x3C\x2E\x5E\x74\xB2\x82\x22\xA5\x7D\x53\x1F\x45\xEC\x27\x91\x7D\xE7\x22\x16\xE8\xC0\x68\x36\xD8\xC6\xF1\x4F\x80\x44\x32\xF9\xE1\xD1\xD1\x1D\xAA\xDE\xA8\xAB\x9C\x04\xAF\xAD\x20\x0E\x64\x98\x4D\xA5\x6B\xC0\x48\x58\x96\x69\x4D\xDC\x07\x8C\x51\x93\xA2\xDF\x9F\x0F\x3D\x8B\x60\xB4\x82\x8D\xAA\x08\x4E\x62\x45\xE0\xF9\x0B\xD2\xE0\xE0\x3C\x5B\xDE\x5C\x71\x27\x25\xC2\xE6\x03\x81\x8B\x10\x53\xE3\xC7\x55\xA2\xB4\x9F\xD7\xE6", + ["CN=SSL.com Root Certification Authority RSA,O=SSL Corporation,L=Houston,ST=Texas,C=US"] = "\x30\x82\x05\xDD\x30\x82\x03\xC5\xA0\x03\x02\x01\x02\x02\x08\x7B\x2C\x9B\xD3\x16\x80\x32\x99\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x30\x7C\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x0E\x30\x0C\x06\x03\x55\x04\x08\x0C\x05\x54\x65\x78\x61\x73\x31\x10\x30\x0E\x06\x03\x55\x04\x07\x0C\x07\x48\x6F\x75\x73\x74\x6F\x6E\x31\x18\x30\x16\x06\x03\x55\x04\x0A\x0C\x0F\x53\x53\x4C\x20\x43\x6F\x72\x70\x6F\x72\x61\x74\x69\x6F\x6E\x31\x31\x30\x2F\x06\x03\x55\x04\x03\x0C\x28\x53\x53\x4C\x2E\x63\x6F\x6D\x20\x52\x6F\x6F\x74\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x20\x52\x53\x41\x30\x1E\x17\x0D\x31\x36\x30\x32\x31\x32\x31\x37\x33\x39\x33\x39\x5A\x17\x0D\x34\x31\x30\x32\x31\x32\x31\x37\x33\x39\x33\x39\x5A\x30\x7C\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x0E\x30\x0C\x06\x03\x55\x04\x08\x0C\x05\x54\x65\x78\x61\x73\x31\x10\x30\x0E\x06\x03\x55\x04\x07\x0C\x07\x48\x6F\x75\x73\x74\x6F\x6E\x31\x18\x30\x16\x06\x03\x55\x04\x0A\x0C\x0F\x53\x53\x4C\x20\x43\x6F\x72\x70\x6F\x72\x61\x74\x69\x6F\x6E\x31\x31\x30\x2F\x06\x03\x55\x04\x03\x0C\x28\x53\x53\x4C\x2E\x63\x6F\x6D\x20\x52\x6F\x6F\x74\x20\x43\x65\x
72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x20\x52\x53\x41\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\xF9\x0F\xDD\xA3\x2B\x7D\xCB\xD0\x2A\xFE\xEC\x67\x85\xA6\xE7\x2E\x1B\xBA\x77\xE1\xE3\xF5\xAF\xA4\xEC\xFA\x4A\x5D\x91\xC4\x57\x47\x6B\x18\x77\x6B\x76\xF2\xFD\x93\xE4\x3D\x0F\xC2\x16\x9E\x0B\x66\xC3\x56\x94\x9E\x17\x83\x85\xCE\x56\xEF\xF2\x16\xFD\x00\x62\xF5\x22\x09\x54\xE8\x65\x17\x4E\x41\xB9\xE0\x4F\x46\x97\xAA\x1B\xC8\xB8\x6E\x62\x5E\x69\xB1\x5F\xDB\x2A\x02\x7E\xFC\x6C\xCA\xF3\x41\xD8\xED\xD0\xE8\xFC\x3F\x61\x48\xED\xB0\x03\x14\x1D\x10\x0E\x4B\x19\xE0\xBB\x4E\xEC\x86\x65\xFF\x36\xF3\x5E\x67\x02\x0B\x9D\x86\x55\x61\xFD\x7A\x38\xED\xFE\xE2\x19\x00\xB7\x6F\xA1\x50\x62\x75\x74\x3C\xA0\xFA\xC8\x25\x92\xB4\x6E\x7A\x22\xC7\xF8\x1E\xA1\xE3\xB2\xDD\x91\x31\xAB\x2B\x1D\x04\xFF\xA5\x4A\x04\x37\xE9\x85\xA4\x33\x2B\xFD\xE2\xD6\x55\x34\x7C\x19\xA4\x4A\x68\xC7\xB2\xA8\xD3\xB7\xCA\xA1\x93\x88\xEB\xC1\x97\xBC\x8C\xF9\x1D\xD9\x22\x84\x24\x74\xC7\x04\x3D\x6A\xA9\x29\x93\xCC\xEB\xB8\x5B\xE1\xFE\x5F\x25\xAA\x34\x58\xC8\xC1\x23\x54\x9D\x1B\x98\x11\xC3\x38\x9C\x7E\x3D\x86\x6C\xA5\x0F\x40\x86\x7C\x02\xF4\x5C\x02\x4F\x28\xCB\xAE\x71\x9F\x0F\x3A\xC8\x33\xFE\x11\x25\x35\xEA\xFC\xBA\xC5\x60\x3D\xD9\x7C\x18\xD5\xB2\xA9\xD3\x75\x78\x03\x72\x22\xCA\x3A\xC3\x1F\xEF\x2C\xE5\x2E\xA9\xFA\x9E\x2C\xB6\x51\x46\xFD\xAF\x03\xD6\xEA\x60\x68\xEA\x85\x16\x36\x6B\x85\xE9\x1E\xC0\xB3\xDD\xC4\x24\xDC\x80\x2A\x81\x41\x6D\x94\x3E\xC8\xE0\xC9\x81\x41\x00\x9E\x5E\xBF\x7F\xC5\x08\x98\xA2\x18\x2C\x42\x40\xB3\xF9\x6F\x38\x27\x4B\x4E\x80\xF4\x3D\x81\x47\xE0\x88\x7C\xEA\x1C\xCE\xB5\x75\x5C\x51\x2E\x1C\x2B\x7F\x1A\x72\x28\xE7\x00\xB5\xD1\x74\xC6\xD7\xE4\x9F\xAD\x07\x93\xB6\x53\x35\x35\xFC\x37\xE4\xC3\xF6\x5D\x16\xBE\x21\x73\xDE\x92\x0A\xF8\xA0\x63\x6A\xBC\x96\x92\x6A\x3E\xF8\xBC\x65\x55\x9B\xDE\xF5\x0D\x89\x26\x04\xFC\x25\x1A\xA6\x25\x69\xCB\xC2\x6D\xCA\x7C\xE2\x59\x5F\x97\xAC\xEB\xEF\x2E\xC8\x
BC\xD7\x1B\x59\x3C\x2B\xCC\xF2\x19\xC8\x93\x6B\x27\x63\x19\xCF\xFC\xE9\x26\xF8\xCA\x71\x9B\x7F\x93\xFE\x34\x67\x84\x4E\x99\xEB\xFC\xB3\x78\x09\x33\x70\xBA\x66\xA6\x76\xED\x1B\x73\xEB\x1A\xA5\x0D\xC4\x22\x13\x20\x94\x56\x0A\x4E\x2C\x6C\x4E\xB1\xFD\xCF\x9C\x09\xBA\xA2\x33\xED\x87\x02\x03\x01\x00\x01\xA3\x63\x30\x61\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xDD\x04\x09\x07\xA2\xF5\x7A\x7D\x52\x53\x12\x92\x95\xEE\x38\x80\x25\x0D\xA6\x59\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1F\x06\x03\x55\x1D\x23\x04\x18\x30\x16\x80\x14\xDD\x04\x09\x07\xA2\xF5\x7A\x7D\x52\x53\x12\x92\x95\xEE\x38\x80\x25\x0D\xA6\x59\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x86\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x03\x82\x02\x01\x00\x20\x18\x11\x94\x29\xFB\x26\x9D\x1C\x1E\x1E\x70\x61\xF1\x95\x72\x93\x71\x24\xAD\x68\x93\x58\x8E\x32\xAF\x1B\xB3\x70\x03\xFC\x25\x2B\x74\x85\x90\x3D\x78\x6A\xF4\xB9\x8B\xA5\x97\x3B\xB5\x18\x91\xBB\x1E\xA7\xF9\x40\x5B\x91\xF9\x55\x99\xAF\x1E\x11\xD0\x5C\x1D\xA7\x66\xE3\xB1\x94\x07\x0C\x32\x39\xA6\xEA\x1B\xB0\x79\xD8\x1D\x9C\x70\x44\xE3\x8A\xDD\xC4\xF9\x95\x1F\x8A\x38\x43\x3F\x01\x85\xA5\x47\xA7\x3D\x46\xB2\xBC\xE5\x22\x68\xF7\x7B\x9C\xD8\x2C\x3E\x0A\x21\xC8\x2D\x33\xAC\xBF\xC5\x81\x99\x31\x74\xC1\x75\x71\xC5\xBE\xB1\xF0\x23\x45\xF4\x9D\x6B\xFC\x19\x63\x9D\xA3\xBC\x04\xC6\x18\x0B\x25\xBB\x53\x89\x0F\xB3\x80\x50\xDE\x45\xEE\x44\x7F\xAB\x94\x78\x64\x98\xD3\xF6\x28\xDD\x87\xD8\x70\x65\x74\xFB\x0E\xB9\x13\xEB\xA7\x0F\x61\xA9\x32\x96\xCC\xDE\xBB\xED\x63\x4C\x18\xBB\xA9\x40\xF7\xA0\x54\x6E\x20\x88\x71\x75\x18\xEA\x7A\xB4\x34\x72\xE0\x23\x27\x77\x5C\xB6\x90\xEA\x86\x25\x40\xAB\xEF\x33\x0F\xCB\x9F\x82\xBE\xA2\x20\xFB\xF6\xB5\x2D\x1A\xE6\xC2\x85\xB1\x74\x0F\xFB\xC8\x65\x02\xA4\x52\x01\x47\xDD\x49\x22\xC1\xBF\xD8\xEB\x6B\xAC\x7E\xDE\xEC\x63\x33\x15\xB7\x23\x08\x8F\xC6\x0F\x8D\x41\x5A\xDD\x8E\xC5\xB9\x8F\xE5\x45\x3F\x78\xDB\xBA\xD2\x1B\x40\xB1\xFE\x71\x4D\x3F\xE0\x81\xA2\xBA\x5E\xB4\xEC\x15\xE0\x93\xDD\x08\x1F\x
7E\xE1\x55\x99\x0B\x21\xDE\x93\x9E\x0A\xFB\xE6\xA3\x49\xBD\x36\x30\xFE\xE7\x77\xB2\xA0\x75\x97\xB5\x2D\x81\x88\x17\x65\x20\xF7\xDA\x90\x00\x9F\xC9\x52\xCC\x32\xCA\x35\x7C\xF5\x3D\x0F\xD8\x2B\xD7\xF5\x26\x6C\xC9\x06\x34\x96\x16\xEA\x70\x59\x1A\x32\x79\x79\x0B\xB6\x88\x7F\x0F\x52\x48\x3D\xBF\x6C\xD8\xA2\x44\x2E\xD1\x4E\xB7\x72\x58\xD3\x89\x13\x95\xFE\x44\xAB\xF8\xD7\x8B\x1B\x6E\x9C\xBC\x2C\xA0\x5B\xD5\x6A\x00\xAF\x5F\x37\xE1\xD5\xFA\x10\x0B\x98\x9C\x86\xE7\x26\x8F\xCE\xF0\xEC\x6E\x8A\x57\x0B\x80\xE3\x4E\xB2\xC0\xA0\x63\x61\x90\xBA\x55\x68\x37\x74\x6A\xB6\x92\xDB\x9F\xA1\x86\x22\xB6\x65\x27\x0E\xEC\xB6\x9F\x42\x60\xE4\x67\xC2\xB5\xDA\x41\x0B\xC4\xD3\x8B\x61\x1B\xBC\xFA\x1F\x91\x2B\xD7\x44\x07\x5E\xBA\x29\xAC\xD9\xC5\xE9\xEF\x53\x48\x5A\xEB\x80\xF1\x28\x58\x21\xCD\xB0\x06\x55\xFB\x27\x3F\x53\x90\x70\xA9\x04\x1E\x57\x27\xB9", + ["CN=SSL.com Root Certification Authority ECC,O=SSL Corporation,L=Houston,ST=Texas,C=US"] = "\x30\x82\x02\x8D\x30\x82\x02\x14\xA0\x03\x02\x01\x02\x02\x08\x75\xE6\xDF\xCB\xC1\x68\x5B\xA8\x30\x0A\x06\x08\x2A\x86\x48\xCE\x3D\x04\x03\x02\x30\x7C\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x0E\x30\x0C\x06\x03\x55\x04\x08\x0C\x05\x54\x65\x78\x61\x73\x31\x10\x30\x0E\x06\x03\x55\x04\x07\x0C\x07\x48\x6F\x75\x73\x74\x6F\x6E\x31\x18\x30\x16\x06\x03\x55\x04\x0A\x0C\x0F\x53\x53\x4C\x20\x43\x6F\x72\x70\x6F\x72\x61\x74\x69\x6F\x6E\x31\x31\x30\x2F\x06\x03\x55\x04\x03\x0C\x28\x53\x53\x4C\x2E\x63\x6F\x6D\x20\x52\x6F\x6F\x74\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x20\x45\x43\x43\x30\x1E\x17\x0D\x31\x36\x30\x32\x31\x32\x31\x38\x31\x34\x30\x33\x5A\x17\x0D\x34\x31\x30\x32\x31\x32\x31\x38\x31\x34\x30\x33\x5A\x30\x7C\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x0E\x30\x0C\x06\x03\x55\x04\x08\x0C\x05\x54\x65\x78\x61\x73\x31\x10\x30\x0E\x06\x03\x55\x04\x07\x0C\x07\x48\x6F\x75\x73\x74\x6F\x6E\x31\x18\x30\x16\x06\x03\x55\x04\x0A\x0C\x0F\x53\x53\x4C\x20\x43\x6F\x72\x70\x6F\x72\x61\x74\x69\x6F\x6E
\x31\x31\x30\x2F\x06\x03\x55\x04\x03\x0C\x28\x53\x53\x4C\x2E\x63\x6F\x6D\x20\x52\x6F\x6F\x74\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x20\x45\x43\x43\x30\x76\x30\x10\x06\x07\x2A\x86\x48\xCE\x3D\x02\x01\x06\x05\x2B\x81\x04\x00\x22\x03\x62\x00\x04\x45\x6E\xA9\x50\xC4\xA6\x23\x36\x9E\x5F\x28\x8D\x17\xCB\x96\x22\x64\x3F\xDC\x7A\x8E\x1D\xCC\x08\xB3\xA2\x71\x24\xBA\x8E\x49\xB9\x04\x1B\x47\x96\x58\xAB\x2D\x95\xC8\xED\x9E\x08\x35\xC8\x27\xEB\x89\x8C\x53\x58\xEB\x62\x8A\xFE\xF0\x5B\x0F\x6B\x31\x52\x63\x41\x3B\x89\xCD\xEC\xEC\xB6\x8D\x19\xD3\x34\x07\xDC\xBB\xC6\x06\x7F\xC2\x45\x95\xEC\xCB\x7F\xA8\x23\xE0\x09\xE9\x81\xFA\xF3\x47\xD3\xA3\x63\x30\x61\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x82\xD1\x85\x73\x30\xE7\x35\x04\xD3\x8E\x02\x92\xFB\xE5\xA4\xD1\xC4\x21\xE8\xCD\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1F\x06\x03\x55\x1D\x23\x04\x18\x30\x16\x80\x14\x82\xD1\x85\x73\x30\xE7\x35\x04\xD3\x8E\x02\x92\xFB\xE5\xA4\xD1\xC4\x21\xE8\xCD\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x86\x30\x0A\x06\x08\x2A\x86\x48\xCE\x3D\x04\x03\x02\x03\x67\x00\x30\x64\x02\x30\x6F\xE7\xEB\x59\x11\xA4\x60\xCF\x61\xB0\x96\x7B\xED\x05\xF9\x2F\x13\x91\xDC\xED\xE5\xFC\x50\x6B\x11\x46\x46\xB3\x1C\x21\x00\x62\xBB\xBE\xC3\xE7\xE8\xCD\x07\x99\xF9\x0D\x0B\x5D\x72\x3E\xC4\xAA\x02\x30\x1F\xBC\xBA\x0B\xE2\x30\x24\xFB\x7C\x6D\x80\x55\x0A\x99\x3E\x80\x0D\x33\xE5\x66\xA3\xB3\xA3\xBB\xA5\xD5\x8B\x8F\x09\x2C\xA6\x5D\x7E\xE2\xF0\x07\x08\x68\x6D\xD2\x7C\x69\x6E\x5F\xDF\xE5\x6A\x65", + ["CN=SSL.com EV Root Certification Authority RSA R2,O=SSL Corporation,L=Houston,ST=Texas,C=US"] = 
"\x30\x82\x05\xEB\x30\x82\x03\xD3\xA0\x03\x02\x01\x02\x02\x08\x56\xB6\x29\xCD\x34\xBC\x78\xF6\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x30\x81\x82\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x0E\x30\x0C\x06\x03\x55\x04\x08\x0C\x05\x54\x65\x78\x61\x73\x31\x10\x30\x0E\x06\x03\x55\x04\x07\x0C\x07\x48\x6F\x75\x73\x74\x6F\x6E\x31\x18\x30\x16\x06\x03\x55\x04\x0A\x0C\x0F\x53\x53\x4C\x20\x43\x6F\x72\x70\x6F\x72\x61\x74\x69\x6F\x6E\x31\x37\x30\x35\x06\x03\x55\x04\x03\x0C\x2E\x53\x53\x4C\x2E\x63\x6F\x6D\x20\x45\x56\x20\x52\x6F\x6F\x74\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x20\x52\x53\x41\x20\x52\x32\x30\x1E\x17\x0D\x31\x37\x30\x35\x33\x31\x31\x38\x31\x34\x33\x37\x5A\x17\x0D\x34\x32\x30\x35\x33\x30\x31\x38\x31\x34\x33\x37\x5A\x30\x81\x82\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x0E\x30\x0C\x06\x03\x55\x04\x08\x0C\x05\x54\x65\x78\x61\x73\x31\x10\x30\x0E\x06\x03\x55\x04\x07\x0C\x07\x48\x6F\x75\x73\x74\x6F\x6E\x31\x18\x30\x16\x06\x03\x55\x04\x0A\x0C\x0F\x53\x53\x4C\x20\x43\x6F\x72\x70\x6F\x72\x61\x74\x69\x6F\x6E\x31\x37\x30\x35\x06\x03\x55\x04\x03\x0C\x2E\x53\x53\x4C\x2E\x63\x6F\x6D\x20\x45\x56\x20\x52\x6F\x6F\x74\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x20\x52\x53\x41\x20\x52\x32\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\x8F\x36\x65\x40\xE1\xD6\x4D\xC0\xD7\xB4\xE9\x46\xDA\x6B\xEA\x33\x47\xCD\x4C\xF9\x7D\x7D\xBE\xBD\x2D\x3D\xF0\xDB\x78\xE1\x86\xA5\xD9\xBA\x09\x57\x68\xED\x57\x3E\xA0\xD0\x08\x41\x83\xE7\x28\x41\x24\x1F\xE3\x72\x15\xD0\x01\x1A\xFB\x5E\x70\x23\xB2\xCB\x9F\x39\xE3\xCF\xC5\x4E\xC6\x92\x6D\x26\xC6\x7B\xBB\xB3\xDA\x27\x9D\x0A\x86\xE9\x81\x37\x05\xFE\xF0\x71\x71\xEC\xC3\x1C\xE9\x63\xA2\x17\x14\x9D\xEF\x1B\x67\xD3\x85\x55\x02\x02\xD6\x49\xC9\xCC\x5A\xE1\xB1\xF7\x6F\x32\x9F\xC9\xD4\x3B\x88\x41\xA8\x9C\xBD\xCB\xAB\xDB\x6D\x7B\x0
9\x1F\xA2\x4C\x72\x90\xDA\x2B\x08\xFC\xCF\x3C\x54\xCE\x67\x0F\xA8\xCF\x5D\x96\x19\x0B\xC4\xE3\x72\xEB\xAD\xD1\x7D\x1D\x27\xEF\x92\xEB\x10\xBF\x5B\xEB\x3B\xAF\xCF\x80\xDD\xC1\xD2\x96\x04\x5B\x7A\x7E\xA4\xA9\x3C\x38\x76\xA4\x62\x8E\xA0\x39\x5E\xEA\x77\xCF\x5D\x00\x59\x8F\x66\x2C\x3E\x07\xA2\xA3\x05\x26\x11\x69\x97\xEA\x85\xB7\x0F\x96\x0B\x4B\xC8\x40\xE1\x50\xBA\x2E\x8A\xCB\xF7\x0F\x9A\x22\xE7\x7F\x9A\x37\x13\xCD\xF2\x4D\x13\x6B\x21\xD1\xC0\xCC\x22\xF2\xA1\x46\xF6\x44\x69\x9C\xCA\x61\x35\x07\x00\x6F\xD6\x61\x08\x11\xEA\xBA\xB8\xF6\xE9\xB3\x60\xE5\x4D\xB9\xEC\x9F\x14\x66\xC9\x57\x58\xDB\xCD\x87\x69\xF8\x8A\x86\x12\x03\x47\xBF\x66\x13\x76\xAC\x77\x7D\x34\x24\x85\x83\xCD\xD7\xAA\x9C\x90\x1A\x9F\x21\x2C\x7F\x78\xB7\x64\xB8\xD8\xE8\xA6\xF4\x78\xB3\x55\xCB\x84\xD2\x32\xC4\x78\xAE\xA3\x8F\x61\xDD\xCE\x08\x53\xAD\xEC\x88\xFC\x15\xE4\x9A\x0D\xE6\x9F\x1A\x77\xCE\x4C\x8F\xB8\x14\x15\x3D\x62\x9C\x86\x38\x06\x00\x66\x12\xE4\x59\x76\x5A\x53\xC0\x02\x98\xA2\x10\x2B\x68\x44\x7B\x8E\x79\xCE\x33\x4A\x76\xAA\x5B\x81\x16\x1B\xB5\x8A\xD8\xD0\x00\x7B\x5E\x62\xB4\x09\xD6\x86\x63\x0E\xA6\x05\x95\x49\xBA\x28\x8B\x88\x93\xB2\x34\x1C\xD8\xA4\x55\x6E\xB7\x1C\xD0\xDE\x99\x55\x3B\x23\xF4\x22\xE0\xF9\x29\x66\x26\xEC\x20\x50\x77\xDB\x4A\x0B\x8F\xBE\xE5\x02\x60\x70\x41\x5E\xD4\xAE\x50\x39\x22\x14\x26\xCB\xB2\x3B\x73\x74\x55\x47\x07\x79\x81\x39\xA8\x30\x13\x44\xE5\x04\x8A\xAE\x96\x13\x25\x42\x0F\xB9\x53\xC4\x9B\xFC\xCD\xE4\x1C\xDE\x3C\xFA\xAB\xD6\x06\x4A\x1F\x67\xA6\x98\x30\x1C\xDD\x2C\xDB\xDC\x18\x95\x57\x66\xC6\xFF\x5C\x8B\x56\xF5\x77\x02\x03\x01\x00\x01\xA3\x63\x30\x61\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1F\x06\x03\x55\x1D\x23\x04\x18\x30\x16\x80\x14\xF9\x60\xBB\xD4\xE3\xD5\x34\xF6\xB8\xF5\x06\x80\x25\xA7\x73\xDB\x46\x69\xA8\x9E\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xF9\x60\xBB\xD4\xE3\xD5\x34\xF6\xB8\xF5\x06\x80\x25\xA7\x73\xDB\x46\x69\xA8\x9E\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x86\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0
B\x05\x00\x03\x82\x02\x01\x00\x56\xB3\x8E\xCB\x0A\x9D\x49\x8E\xBF\xA4\xC4\x91\xBB\x66\x17\x05\x51\x98\x75\xFB\xE5\x50\x2C\x7A\x9E\xF1\x14\xFA\xAB\xD3\x8A\x3E\xFF\x91\x29\x8F\x63\x8B\xD8\xB4\xA9\x54\x01\x0D\xBE\x93\x86\x2F\xF9\x4A\x6D\xC7\x5E\xF5\x57\xF9\xCA\x55\x1C\x12\xBE\x47\x0F\x36\xC5\xDF\x6A\xB7\xDB\x75\xC2\x47\x25\x7F\xB9\xF1\x63\xF8\x68\x2D\x55\x04\xD1\xF2\x8D\xB0\xA4\xCF\xBC\x3C\x5E\x1F\x78\xE7\xA5\xA0\x20\x70\xB0\x04\xC5\xB7\xF7\x72\xA7\xDE\x22\x0D\xBD\x33\x25\x46\x8C\x64\x92\x26\xE3\x3E\x2E\x63\x96\xDA\x9B\x8C\x3D\xF8\x18\x09\xD7\x03\xCC\x7D\x86\x82\xE0\xCA\x04\x07\x51\x50\xD7\xFF\x92\xD5\x0C\xEF\xDA\x86\x9F\x99\xD7\xEB\xB7\xAF\x68\xE2\x39\x26\x94\xBA\x68\xB7\xBF\x83\xD3\xEA\x7A\x67\x3D\x62\x67\xAE\x25\xE5\x72\xE8\xE2\xE4\xEC\xAE\x12\xF6\x4B\x2B\x3C\x9F\xE9\xB0\x40\xF3\x38\x54\xB3\xFD\xB7\x68\xC8\xDA\xC6\x8F\x51\x3C\xB2\xFB\x91\xDC\x1C\xE7\x9B\x9D\xE1\xB7\x0D\x72\x8F\xE2\xA4\xC4\xA9\x78\xF9\xEB\x14\xAC\xC6\x43\x05\xC2\x65\x39\x28\x18\x02\xC3\x82\xB2\x9D\x05\xBE\x65\xED\x96\x5F\x65\x74\x3C\xFB\x09\x35\x2E\x7B\x9C\x13\xFD\x1B\x0F\x5D\xC7\x6D\x81\x3A\x56\x0F\xCC\x3B\xE1\xAF\x02\x2F\x22\xAC\x46\xCA\x46\x3C\xA0\x1C\x4C\xD6\x44\xB4\x5E\x2E\x5C\x15\x66\x09\xE1\x26\x29\xFE\xC6\x52\x61\xBA\xB1\x73\xFF\xC3\x0C\x9C\xE5\x6C\x6A\x94\x3F\x14\xCA\x40\x16\x95\x84\xF3\x59\xA9\xAC\x5F\x4C\x61\x93\x6D\xD1\x3B\xCC\xA2\x95\x0C\x22\xA6\x67\x67\x44\x2E\xB9\xD9\xD2\x8A\x41\xB3\x66\x0B\x5A\xFB\x7D\x23\xA5\xF2\x1A\xB0\xFF\xDE\x9B\x83\x94\x2E\xD1\x3F\xDF\x92\xB7\x91\xAF\x05\x3B\x65\xC7\xA0\x6C\xB1\xCD\x62\x12\xC3\x90\x1B\xE3\x25\xCE\x34\xBC\x6F\x77\x76\xB1\x10\xC3\xF7\x05\x1A\xC0\xD6\xAF\x74\x62\x48\x17\x77\x92\x69\x90\x61\x1C\xDE\x95\x80\x74\x54\x8F\x18\x1C\xC3\xF3\x03\xD0\xBF\xA4\x43\x75\x86\x53\x18\x7A\x0A\x2E\x09\x1C\x36\x9F\x91\xFD\x82\x8A\x22\x4B\xD1\x0E\x50\x25\xDD\xCB\x03\x0C\x17\xC9\x83\x00\x08\x4E\x35\x4D\x8A\x8B\xED\xF0\x02\x94\x66\x2C\x44\x7F\xCB\x95\x27\x96\x17\xAD\x09\x30\xAC\xB6\x71\x17\x6E\x8B\x17\xF6\x1C\x09\xD4\x2D\x3B\x98\xA5\x71\xD3\x54\x13\xD9\x60\xF3\xF5\x4B\x6
6\x4F\xFA\xF1\xEE\x20\x12\x8D\xB4\xAC\x57\xB1\x45\x63\xA1\xAC\x76\xA9\xC2\xFB", + ["CN=SSL.com EV Root Certification Authority ECC,O=SSL Corporation,L=Houston,ST=Texas,C=US"] = "\x30\x82\x02\x94\x30\x82\x02\x1A\xA0\x03\x02\x01\x02\x02\x08\x2C\x29\x9C\x5B\x16\xED\x05\x95\x30\x0A\x06\x08\x2A\x86\x48\xCE\x3D\x04\x03\x02\x30\x7F\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x0E\x30\x0C\x06\x03\x55\x04\x08\x0C\x05\x54\x65\x78\x61\x73\x31\x10\x30\x0E\x06\x03\x55\x04\x07\x0C\x07\x48\x6F\x75\x73\x74\x6F\x6E\x31\x18\x30\x16\x06\x03\x55\x04\x0A\x0C\x0F\x53\x53\x4C\x20\x43\x6F\x72\x70\x6F\x72\x61\x74\x69\x6F\x6E\x31\x34\x30\x32\x06\x03\x55\x04\x03\x0C\x2B\x53\x53\x4C\x2E\x63\x6F\x6D\x20\x45\x56\x20\x52\x6F\x6F\x74\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x20\x45\x43\x43\x30\x1E\x17\x0D\x31\x36\x30\x32\x31\x32\x31\x38\x31\x35\x32\x33\x5A\x17\x0D\x34\x31\x30\x32\x31\x32\x31\x38\x31\x35\x32\x33\x5A\x30\x7F\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x0E\x30\x0C\x06\x03\x55\x04\x08\x0C\x05\x54\x65\x78\x61\x73\x31\x10\x30\x0E\x06\x03\x55\x04\x07\x0C\x07\x48\x6F\x75\x73\x74\x6F\x6E\x31\x18\x30\x16\x06\x03\x55\x04\x0A\x0C\x0F\x53\x53\x4C\x20\x43\x6F\x72\x70\x6F\x72\x61\x74\x69\x6F\x6E\x31\x34\x30\x32\x06\x03\x55\x04\x03\x0C\x2B\x53\x53\x4C\x2E\x63\x6F\x6D\x20\x45\x56\x20\x52\x6F\x6F\x74\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x20\x45\x43\x43\x30\x76\x30\x10\x06\x07\x2A\x86\x48\xCE\x3D\x02\x01\x06\x05\x2B\x81\x04\x00\x22\x03\x62\x00\x04\xAA\x12\x47\x90\x98\x1B\xFB\xEF\xC3\x40\x07\x83\x20\x4E\xF1\x30\x82\xA2\x06\xD1\xF2\x92\x86\x61\xF2\xF6\x21\x68\xCA\x00\xC4\xC7\xEA\x43\x00\x54\x86\xDC\xFD\x1F\xDF\x00\xB8\x41\x62\x5C\xDC\x70\x16\x32\xDE\x1F\x99\xD4\xCC\xC5\x07\xC8\x08\x1F\x61\x16\x07\x51\x3D\x7D\x5C\x07\x53\xE3\x35\x38\x8C\xDF\xCD\x9F\xD9\x2E\x0D\x4A\xB6\x19\x2E\x5A\x70\x5A\x06\xED\xBE\xF0\xA1\xB0\xCA\xD0\x09\x29\xA3\x63\x30\x61\x30\x1D\x06\x03\x55\x1D\x
0E\x04\x16\x04\x14\x5B\xCA\x5E\xE5\xDE\xD2\x81\xAA\xCD\xA8\x2D\x64\x51\xB6\xD9\x72\x9B\x97\xE6\x4F\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1F\x06\x03\x55\x1D\x23\x04\x18\x30\x16\x80\x14\x5B\xCA\x5E\xE5\xDE\xD2\x81\xAA\xCD\xA8\x2D\x64\x51\xB6\xD9\x72\x9B\x97\xE6\x4F\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x86\x30\x0A\x06\x08\x2A\x86\x48\xCE\x3D\x04\x03\x02\x03\x68\x00\x30\x65\x02\x31\x00\x8A\xE6\x40\x89\x37\xEB\xE9\xD5\x13\xD9\xCA\xD4\x6B\x24\xF3\xB0\x3D\x87\x46\x58\x1A\xEC\xB1\xDF\x6F\xFB\x56\xBA\x70\x6B\xC7\x38\xCC\xE8\xB1\x8C\x4F\x0F\xF7\xF1\x67\x76\x0E\x83\xD0\x1E\x51\x8F\x02\x30\x3D\xF6\x23\x28\x26\x4C\xC6\x60\x87\x93\x26\x9B\xB2\x35\x1E\xBA\xD6\xF7\x3C\xD1\x1C\xCE\xFA\x25\x3C\xA6\x1A\x81\x15\x5B\xF3\x12\x0F\x6C\xEE\x65\x8A\xC9\x87\xA8\xF9\x07\xE0\x62\x9A\x8C\x5C\x4A", }; diff --git a/scripts/base/utils/addrs.bro b/scripts/base/utils/addrs.bro index e8fd746e5e..9d165936ef 100644 --- a/scripts/base/utils/addrs.bro +++ b/scripts/base/utils/addrs.bro @@ -118,7 +118,7 @@ function extract_ip_addresses(input: string): string_vec for ( i in parts ) { if ( i % 2 == 1 && is_valid_ip(parts[i]) ) - output[|output|] = parts[i]; + output += parts[i]; } return output; } diff --git a/scripts/base/utils/email.bro b/scripts/base/utils/email.bro index 08e8db8500..4feed351b4 100644 --- a/scripts/base/utils/email.bro +++ b/scripts/base/utils/email.bro @@ -10,7 +10,7 @@ function extract_email_addrs_vec(str: string): string_vec local raw_addrs = find_all(str, /(^|[<,:[:blank:]])[^<,:[:blank:]@]+"@"[^>,;[:blank:]]+([>,;[:blank:]]|$)/); for ( raw_addr in raw_addrs ) - addrs[|addrs|] = gsub(raw_addr, /[<>,:;[:blank:]]/, ""); + addrs += gsub(raw_addr, /[<>,:;[:blank:]]/, ""); return addrs; } diff --git a/scripts/base/utils/exec.bro b/scripts/base/utils/exec.bro index a926775bda..61488a1249 100644 --- a/scripts/base/utils/exec.bro +++ b/scripts/base/utils/exec.bro 
@@ -69,14 +69,14 @@ event Exec::line(description: Input::EventDescription, tpe: Input::Event, s: str if ( ! result?$stderr ) result$stderr = vector(s); else - result$stderr[|result$stderr|] = s; + result$stderr += s; } else { if ( ! result?$stdout ) result$stdout = vector(s); else - result$stdout[|result$stdout|] = s; + result$stdout += s; } } @@ -93,7 +93,7 @@ event Exec::file_line(description: Input::EventDescription, tpe: Input::Event, s if ( track_file !in result$files ) result$files[track_file] = vector(s); else - result$files[track_file][|result$files[track_file]|] = s; + result$files[track_file] += s; } event Input::end_of_data(orig_name: string, source:string) diff --git a/scripts/base/utils/hash_hrw.bro b/scripts/base/utils/hash_hrw.bro new file mode 100644 index 0000000000..ab5491f2c3 --- /dev/null +++ b/scripts/base/utils/hash_hrw.bro 
@@ -0,0 +1,76 @@
+##! An implementation of highest random weight (HRW) hashing, also called
+##! rendezvous hashing. See
+##! ``_.
+
+module HashHRW;
+
+export {
+ ## A site/node is a unique location to which you want a subset of keys
+ ## to be distributed.
+ type Site: record {
+ ## A unique identifier for the site, should not exceed what
+ ## can be contained in a 32-bit integer.
+ id: count;
+ ## Other data to associate with the site.
+ user_data: any &optional;
+ };
+
+ ## A table of sites, indexed by their id.
+ type SiteTable: table[count] of Site;
+
+ ## A collection of sites to distribute keys across.
+ type Pool: record {
+ sites: SiteTable &default=SiteTable();
+ };
+
+ ## Add a site to a pool.
+ ##
+ ## Returns: F is the site is already in the pool, else T.
+ global add_site: function(pool: Pool, site: Site): bool;
+
+ ## Remove a site from a pool.
+ ##
+ ## Returns: F if the site is not in the pool, else T.
+ global rem_site: function(pool: Pool, site: Site): bool;
+
+ ## Returns: the site to which the key maps.
+ global get_site: function(pool: Pool, key: any): Site;
+}
+
+function add_site(pool: Pool, site: Site): bool
+ {
+ if ( site$id in pool$sites )
+ return F;
+
+ pool$sites[site$id] = site;
+ return T;
+ }
+
+function rem_site(pool: Pool, site: Site): bool
+ {
+ if ( site$id !in pool$sites )
+ return F;
+
+ delete pool$sites[site$id];
+ return T;
+ }
+
+function get_site(pool: Pool, key: any): Site
+ {
+ local best_site_id = 0;
+ local best_weight = -1;
+ local d = fnv1a32(key);
+
+ for ( site_id in pool$sites )
+ {
+ local w = hrw_weight(d, site_id);
+
+ if ( w > best_weight || (w == best_weight && site_id > best_site_id) )
+ {
+ best_weight = w;
+ best_site_id = site_id;
+ }
+ }
+
+ return pool$sites[best_site_id];
+ }
diff --git a/scripts/base/utils/json.bro b/scripts/base/utils/json.bro
index b6d0093b58..45248e3ea2 100644
--- a/scripts/base/utils/json.bro
+++ b/scripts/base/utils/json.bro
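Review bot: In hash_hrw.bro, `get_site` ends with `return pool$sites[best_site_id];` while `best_site_id` starts at 0, so a pool with no sites (for example after every node was removed with `rem_site`) indexes the table with an id that was never added, which presumably raises a runtime index error inside the caller's event handler. The declared return type leaves no way to signal "no site", so the contract should at least be stated on the export, `## Returns: the site to which the key maps. The pool must not be empty.`, with callers checking `|pool$sites| > 0` first. The same doc block has a typo in add_site's `Returns:` line: `F is the site` should read `F if the site`.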
@@ -25,6 +25,10 @@ function to_json(v: any, only_loggable: bool &default=F, field_escape_pattern: p case "port": return cat(port_to_count(to_port(cat(v)))); + case "enum": + fallthrough; + case "interval": + fallthrough; case "addr": fallthrough; case "subnet": @@ -35,14 +39,15 @@ function to_json(v: any, only_loggable: bool &default=F, field_escape_pattern: p case "count": fallthrough; case "time": - fallthrough; - case "double": - fallthrough; - case "bool": - fallthrough; - case "enum": return cat(v); + case "double": + return fmt("%.16g", v); + + case "bool": + local bval: bool = v; + return bval ? "true" : "false"; + default: break; } @@ -61,7 +66,7 @@ function to_json(v: any, only_loggable: bool &default=F, field_escape_pattern: p if ( field_desc?$value && (!only_loggable || field_desc$log) ) { local onepart = cat("\"", field, "\": ", to_json(field_desc$value, only_loggable)); - rec_parts[|rec_parts|] = onepart; + rec_parts += onepart; } } return cat("{", join_string_vec(rec_parts, ", "), "}"); @@ -74,7 +79,7 @@ function to_json(v: any, only_loggable: bool &default=F, field_escape_pattern: p local sa: set[bool] = v; for ( sv in sa ) { - set_parts[|set_parts|] = to_json(sv, only_loggable); + set_parts += to_json(sv, only_loggable); } return cat("[", join_string_vec(set_parts, ", "), "]"); } @@ -86,7 +91,7 @@ function to_json(v: any, only_loggable: bool &default=F, field_escape_pattern: p { local ts = to_json(ti); local if_quotes = (ts[0] == "\"") ? "" : "\""; - tab_parts[|tab_parts|] = cat(if_quotes, ts, if_quotes, ": ", to_json(ta[ti], only_loggable)); + tab_parts += cat(if_quotes, ts, if_quotes, ": ", to_json(ta[ti], only_loggable)); } return cat("{", join_string_vec(tab_parts, ", "), "}"); } 
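Review bot: The new `case "double": return fmt("%.16g", v);` in to_json has no handling for non-finite values; if `fmt` follows C printf here, a NaN or infinite double would be emitted as a bare `nan` or `inf` token, which is not valid JSON and can make a downstream log parser reject the whole record. Consider stating the limitation next to the case, e.g. `# NOTE: non-finite doubles are not representable in JSON; callers must filter them.`, or mapping such values to `null`. The body of to_json starts and ends outside this hunk.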
@@ -96,7 +101,7 @@ function to_json(v: any, only_loggable: bool &default=F, field_escape_pattern: p local va: vector of any = v; for ( vi in va ) { - vec_parts[|vec_parts|] = to_json(va[vi], only_loggable); + vec_parts += to_json(va[vi], only_loggable); } return cat("[", join_string_vec(vec_parts, ", "), "]"); } diff --git a/scripts/broxygen/__load__.bro b/scripts/broxygen/__load__.bro index 3b78ba8619..dbc175c2a8 100644 --- a/scripts/broxygen/__load__.bro +++ b/scripts/broxygen/__load__.bro @@ -2,7 +2,6 @@ # Scripts which are commented out in test-all-policy.bro. @load protocols/ssl/notary.bro -@load frameworks/communication/listen.bro @load frameworks/control/controllee.bro @load frameworks/control/controller.bro @load frameworks/files/extract-all-files.bro diff --git a/scripts/policy/files/x509/log-ocsp.bro b/scripts/policy/files/x509/log-ocsp.bro new file mode 100644 index 0000000000..e416535dd4 --- /dev/null +++ b/scripts/policy/files/x509/log-ocsp.bro 
@@ -0,0 +1,62 @@ +##! Enable logging of OCSP responses. +# +# This script is in policy and not loaded by default because OCSP logging +# does not provide a lot of interesting information in most environments. + +module OCSP; + +export { + redef enum Log::ID += { LOG }; + + ## The record type which contains the fields of the OCSP log. + type Info: record { + ## Time when the OCSP reply was encountered. + ts: time &log; + ## File id of the OCSP reply. + id: string &log; + ## Hash algorithm used to generate issuerNameHash and issuerKeyHash. + hashAlgorithm: string &log; + ## Hash of the issuer's distingueshed name. + issuerNameHash: string &log; + ## Hash of the issuer's public key. + issuerKeyHash: string &log; + ## Serial number of the affected certificate. + serialNumber: string &log; + ## Status of the affected certificate. + certStatus: string &log; + ## Time at which the certificate was revoked. + revoketime: time &log &optional; + ## Reason for which the certificate was revoked. + revokereason: string &log &optional; + ## The time at which the status being shows is known to have been correct. + thisUpdate: time &log; + ## The latest time at which new information about the status of the certificate will be available. + nextUpdate: time &log &optional; + }; + + ## Event that can be handled to access the OCSP record + ## as it is sent to the logging framework. 
+ global log_ocsp: event(rec: Info); +} + +event bro_init() + { + Log::create_stream(LOG, [$columns=Info, $ev=log_ocsp, $path="ocsp"]); + Files::register_for_mime_type(Files::ANALYZER_OCSP_REPLY, "application/ocsp-response"); + } + +event ocsp_response_certificate(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string, certStatus: string, revoketime: time, revokereason: string, thisUpdate: time, nextUpdate: time) + { + local wr = OCSP::Info($ts=f$info$ts, $id=f$id, $hashAlgorithm=hashAlgorithm, $issuerNameHash=issuerNameHash, + $issuerKeyHash=issuerKeyHash, $serialNumber=serialNumber, $certStatus=certStatus, + $thisUpdate=thisUpdate); + + if ( revokereason != "" ) + wr$revokereason = revokereason; + if ( time_to_double(revoketime) != 0 ) + wr$revoketime = revoketime; + if ( time_to_double(nextUpdate) != 0 ) + wr$nextUpdate = nextUpdate; + + Log::write(LOG, wr); + } diff --git a/scripts/policy/frameworks/communication/listen.bro b/scripts/policy/frameworks/communication/listen.bro deleted file mode 100644 index 111bc64a23..0000000000 --- a/scripts/policy/frameworks/communication/listen.bro +++ /dev/null @@ -1,13 +0,0 @@ -##! Loading this script will make the Bro instance listen for remote -##! Bro instances to connect. - -@load base/frameworks/communication - -module Communication; - -event bro_init() &priority=-10 - { - enable_communication(); - listen(listen_interface, listen_port, listen_ssl, listen_ipv6, - listen_ipv6_zone_id, listen_retry); - } diff --git a/scripts/policy/frameworks/control/controllee.bro b/scripts/policy/frameworks/control/controllee.bro index 9646d100ab..01937f27db 100644 --- a/scripts/policy/frameworks/control/controllee.bro +++ b/scripts/policy/frameworks/control/controllee.bro 
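Review bot: The comment on `certStatus` in `OCSP::Info` (log-ocsp.bro) should say that the value is copied from the response as parsed. Nothing in this script checks the response signature before `Log::write(LOG, wr)`, so a reader of ocsp.log could otherwise take the logged status as verified. A wording such as `## Status of the affected certificate as stated in the response; not validated by this script.` would do. Two typos in the same record are worth fixing while there: `distingueshed` should be `distinguished` and `status being shows` should be `status being shown`.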
@@ -8,12 +8,28 @@ ##! bro frameworks/control/controllee @load base/frameworks/control -# If an instance is a controllee, it implicitly needs to listen for remote -# connections. -@load frameworks/communication/listen +@load base/frameworks/broker module Control; +event bro_init() &priority=-10 + { + Broker::subscribe(Control::topic_prefix); + Broker::auto_publish(Control::topic_prefix + "/id_value_response", + Control::id_value_response); + Broker::auto_publish(Control::topic_prefix + "/peer_status_response", + Control::peer_status_response); + Broker::auto_publish(Control::topic_prefix + "/net_stats_response", + Control::net_stats_response); + Broker::auto_publish(Control::topic_prefix + "/configuration_update_response", + Control::configuration_update_response); + Broker::auto_publish(Control::topic_prefix + "/shutdown_response", + Control::shutdown_response); + + if ( Control::controllee_listen ) + Broker::listen(); + } + event Control::id_value_request(id: string) { local val = lookup_ID(id); @@ -23,14 +39,18 @@ event Control::id_value_request(id: string) event Control::peer_status_request() { local status = ""; - for ( p in Communication::nodes ) - { - local peer = Communication::nodes[p]; - if ( ! peer$connected ) - next; - status += fmt("%.6f peer=%s host=%s\n", - network_time(), peer$peer$descr, peer$host); + # @todo: need to expose broker::endpoint::peers and broker::peer_status + local peers = Broker::peers(); + + for ( i in peers ) + { + local bpeer = peers[i]; + status += fmt("%.6f peer=%s host=%s status=%s\n", + network_time(), + bpeer$peer$id, + bpeer$peer$network$address, + bpeer$status); } event Control::peer_status_response(status); @@ -61,5 +81,5 @@ event Control::shutdown_request() # Send the acknowledgement event. event Control::shutdown_response(); # Schedule the shutdown to let the current event queue flush itself first. - event terminate_event(); + schedule 1sec { terminate_event() }; } 
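Review bot: The new `bro_init` handler in controllee.bro subscribes to the whole `Control::topic_prefix` and calls `Broker::listen()` with no arguments. Any peer that is allowed to connect can therefore raise `Control::shutdown_request` or `Control::configuration_update_request`, and nothing in this hunk shows a restriction on who may peer. I would document that exposure above the listen call, for example `# Control requests from any connected peer are honoured; restrict Broker::default_listen_address or filter the port.` Whether Broker's transport settings already limit peering is not visible here and should be confirmed.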
diff --git a/scripts/policy/frameworks/control/controller.bro b/scripts/policy/frameworks/control/controller.bro index edef4149f9..4897005dfb 100644 --- a/scripts/policy/frameworks/control/controller.bro +++ b/scripts/policy/frameworks/control/controller.bro @@ -7,7 +7,7 @@ ##! bro frameworks/control/controller Control::host= Control::host_port= Control::cmd= [Control::arg=] @load base/frameworks/control -@load base/frameworks/communication +@load base/frameworks/broker module Control; @@ -19,18 +19,23 @@ event bro_init() &priority=5 # shutdown. if ( cmd !in commands ) { - # TODO: do an actual error here. Maybe through the reporter events? - print fmt("The '%s' control command is unknown.", cmd); + Reporter::error(fmt("The '%s' control command is unknown.", cmd)); terminate(); } - - # Establish the communication configuration and only request response - # messages. - Communication::nodes["control"] = [$host=host, $zone_id=zone_id, - $p=host_port, $sync=F, $connect=T, - $class="control", $events=Control::controllee_events]; - } + Broker::auto_publish(Control::topic_prefix + "/id_value_request", + Control::id_value_request); + Broker::auto_publish(Control::topic_prefix + "/peer_status_request", + Control::peer_status_request); + Broker::auto_publish(Control::topic_prefix + "/net_stats_request", + Control::net_stats_request); + Broker::auto_publish(Control::topic_prefix + "/configuration_update_request", + Control::configuration_update_request); + Broker::auto_publish(Control::topic_prefix + "/shutdown_request", + Control::shutdown_request); + Broker::subscribe(Control::topic_prefix); + Broker::peer(cat(host), host_port); + } event Control::id_value_response(id: string, val: string) &priority=-10 { 
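Review bot: In the unknown-command branch of `bro_init` in controller.bro, control falls through after `Reporter::error(...)` and `terminate();` to the `Broker::auto_publish` calls and `Broker::peer(cat(host), host_port)`. A controller started with a mistyped `Control::cmd` therefore still appears to connect to the controllee before it shuts down. Adding `return;` directly after `terminate();` keeps an invalid invocation from touching the remote instance. This assumes `terminate()` returns to the caller rather than exiting at once, which the hunk does not show.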
@@ -56,12 +61,12 @@ event Control::shutdown_response() &priority=-10 { event terminate_event(); } - -function configuration_update_func(p: event_peer) + +function configurable_ids(): id_table { - # Send all &redef'able consts to the peer. + local rval: id_table = table(); local globals = global_ids(); - local cnt = 0; + for ( id in globals ) { if ( id in ignore_ids ) 
@@ -77,39 +82,62 @@ function configuration_update_func(p: event_peer) # NOTE: functions are currently not fully supported for serialization and hence # aren't sent. if ( t$constant && t$redefinable && t$type_name != "func" ) - { - send_id(p, id); - ++cnt; - } + rval[id] = t; } - print fmt("sent %d IDs", cnt); - event terminate_event(); + return rval; } -event remote_connection_handshake_done(p: event_peer) &priority=-10 +function send_control_request() { - if ( cmd == "id_value" ) - { - if ( arg != "" ) - event Control::id_value_request(arg); - else - { - # TODO: do an actual error here. Maybe through the reporter events? - print "The id_value command requires that Control::arg have some value."; - terminate(); - } - } - else if ( cmd == "peer_status" ) + switch ( cmd ) { + case "id_value": + if ( arg == "" ) + Reporter::fatal("The Control::id_value command requires that Control::arg also has some value."); + + event Control::id_value_request(arg); + break; + + case "peer_status": event Control::peer_status_request(); - else if ( cmd == "net_stats" ) + break; + + case "net_stats": event Control::net_stats_request(); - else if ( cmd == "shutdown" ) + break; + + case "shutdown": event Control::shutdown_request(); - else if ( cmd == "configuration_update" ) - { - configuration_update_func(p); - # Signal configuration update to peer. + break; + + case "configuration_update": event Control::configuration_update_request(); - } + break; + + default: + Reporter::fatal(fmt("unhandled Control::cmd, %s", cmd)); + break; + } + } + +event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) &priority=-10 + { + if ( cmd == "configuration_update" ) + { + # Send all &redef'able consts to the peer. 
+ local ids = configurable_ids(); + local publish_count = 0; + + for ( id in ids ) + { + local topic = fmt("%s/id/%s", Control::topic_prefix, id); + + if ( Broker::publish_id(topic, id) ) + ++publish_count; + } + + Reporter::info(fmt("Control framework sent %d IDs", publish_count)); + } + + send_control_request(); } diff --git a/scripts/policy/frameworks/intel/seen/x509.bro b/scripts/policy/frameworks/intel/seen/x509.bro index c4f487947e..ba90a9610a 100644 --- a/scripts/policy/frameworks/intel/seen/x509.bro +++ b/scripts/policy/frameworks/intel/seen/x509.bro @@ -2,9 +2,16 @@ @load base/files/x509 @load ./where-locations +module Intel; + +export { + ## Enables the extraction of subject alternate names from the X509 SAN DNS field + const enable_x509_ext_subject_alternative_name = T &redef; +} + event x509_ext_subject_alternative_name(f: fa_file, ext: X509::SubjectAlternativeName) { - if ( ext?$dns ) + if ( enable_x509_ext_subject_alternative_name && ext?$dns ) { for ( i in ext$dns ) Intel::seen([$indicator=ext$dns[i], diff --git a/scripts/policy/frameworks/notice/__load__.bro b/scripts/policy/frameworks/notice/__load__.bro new file mode 100644 index 0000000000..fef1dc894e --- /dev/null +++ b/scripts/policy/frameworks/notice/__load__.bro @@ -0,0 +1,3 @@ +# There shouldn't be any default overhead from loading these since they +# *should* only do anything when notices have the ACTION_EMAIL action applied. +@load ./extend-email/hostnames diff --git a/scripts/base/frameworks/notice/extend-email/hostnames.bro b/scripts/policy/frameworks/notice/extend-email/hostnames.bro similarity index 87% rename from scripts/base/frameworks/notice/extend-email/hostnames.bro rename to scripts/policy/frameworks/notice/extend-email/hostnames.bro index 18442f453d..9ee58d3e0b 100644 --- a/scripts/base/frameworks/notice/extend-email/hostnames.bro +++ b/scripts/policy/frameworks/notice/extend-email/hostnames.bro 
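Review bot: In the `Broker::peer_added` handler of controller.bro, a failed `Broker::publish_id(topic, id)` is skipped silently and `send_control_request()` still raises `Control::configuration_update_request`. The controllee can thus be told to apply an update that was only partly delivered. Report the failure with `else Reporter::warning(fmt("Control framework failed to publish ID %s", id));` and consider not sending the request when `publish_count` is lower than `|ids|`. The handler also runs for every peer that is added, not only the one given by `Control::host`; if that is intended, a comment saying so would help.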
@@ -3,7 +3,7 @@ ##! :bro:type:`Notice::Info`'s *src* and *dst* fields as determined by a ##! DNS lookup. -@load ../main +@load base/frameworks/notice/main module Notice; @@ -35,7 +35,7 @@ hook notice(n: Notice::Info) &priority=10 when ( local src_name = lookup_addr(n$src) ) { output = string_cat("orig/src hostname: ", src_name, "\n"); - tmp_notice_storage[uid]$email_body_sections[|tmp_notice_storage[uid]$email_body_sections|] = output; + tmp_notice_storage[uid]$email_body_sections += output; delete tmp_notice_storage[uid]$email_delay_tokens["hostnames-src"]; } } @@ -45,7 +45,7 @@ hook notice(n: Notice::Info) &priority=10 when ( local dst_name = lookup_addr(n$dst) ) { output = string_cat("resp/dst hostname: ", dst_name, "\n"); - tmp_notice_storage[uid]$email_body_sections[|tmp_notice_storage[uid]$email_body_sections|] = output; + tmp_notice_storage[uid]$email_body_sections += output; delete tmp_notice_storage[uid]$email_delay_tokens["hostnames-dst"]; } } diff --git a/scripts/policy/frameworks/software/version-changes.bro b/scripts/policy/frameworks/software/version-changes.bro index 73bb72e01b..5494f14bca 100644 --- a/scripts/policy/frameworks/software/version-changes.bro +++ b/scripts/policy/frameworks/software/version-changes.bro 
@@ -22,23 +22,16 @@ export { const interesting_version_changes: set[string] = { } &redef; } -event log_software(rec: Info) +event Software::version_change(old: Software::Info, new: Software::Info) { - local ts = tracked[rec$host]; - - if ( rec$name in ts ) - { - local old = ts[rec$name]; - - # Is it a potentially interesting version change? - if ( rec$name in interesting_version_changes ) - { - local msg = fmt("%.6f %s switched from %s to %s (%s)", - network_time(), rec$software_type, - software_fmt_version(old$version), - software_fmt(rec), rec$software_type); - NOTICE([$note=Software_Version_Change, $src=rec$host, - $msg=msg, $sub=software_fmt(rec)]); - } - } + if ( old$name !in interesting_version_changes ) + return; + + local msg = fmt("%.6f %s '%s' version changed from %s to %s", + network_time(), old$software_type, old$name, + software_fmt_version(old$version), + software_fmt_version(new$version)); + + NOTICE([$note=Software_Version_Change, $src=new$host, + $msg=msg, $sub=software_fmt(new)]); } diff --git a/scripts/policy/frameworks/software/windows-version-detection.bro b/scripts/policy/frameworks/software/windows-version-detection.bro index 7ed1ab359e..50177b2e9b 100644 --- a/scripts/policy/frameworks/software/windows-version-detection.bro +++ b/scripts/policy/frameworks/software/windows-version-detection.bro @@ -48,6 +48,7 @@ export { ["Microsoft-CryptoAPI/6.2"] = [$name="Windows", $version=[$major=6, $minor=2, $addl="8 or Server 2012"]], ["Microsoft-CryptoAPI/6.3"] = [$name="Windows", $version=[$major=6, $minor=3, $addl="8.1 or Server 2012 R2"]], ["Microsoft-CryptoAPI/6.4"] = [$name="Windows", $version=[$major=6, $minor=4, $addl="10 Technical Preview"]], + ["Microsoft-CryptoAPI/10.0"] = [$name="Windows", $version=[$major=10, $minor=0]], } &redef; } diff --git a/scripts/policy/misc/known-devices.bro b/scripts/policy/misc/known-devices.bro deleted file mode 100644 index 2f1f81524f..0000000000 --- a/scripts/policy/misc/known-devices.bro +++ /dev/null 
@@ -1,42 +0,0 @@ -##! This script provides infrastructure for logging devices for which Bro has -##! been able to determine the MAC address, and it logs them once per day (by -##! default). The log that is output provides an easy way to determine a count -##! of the devices in use on a network per day. -##! -##! .. note:: -##! -##! This script will not generate any logs on its own, it needs to be -##! supplied with information from elsewhere, such as -##! :doc:`/scripts/policy/protocols/dhcp/known-devices-and-hostnames.bro`. - -module Known; - -export { - ## The known-hosts logging stream identifier. - redef enum Log::ID += { DEVICES_LOG }; - - ## The record type which contains the column fields of the known-devices - ## log. - type DevicesInfo: record { - ## The timestamp at which the host was detected. - ts: time &log; - ## The MAC address that was detected. - mac: string &log; - }; - - ## The set of all known MAC addresses. It can accessed from other - ## scripts to add, and check for, addresses seen in use. - ## - ## We maintain each entry for 24 hours by default so that the existence - ## of individual addresses is logged each day. - global known_devices: set[string] &create_expire=1day &synchronized &redef; - - ## An event that can be handled to access the :bro:type:`Known::DevicesInfo` - ## record as it is sent on to the logging framework. - global log_known_devices: event(rec: DevicesInfo); -} - -event bro_init() - { - Log::create_stream(Known::DEVICES_LOG, [$columns=DevicesInfo, $ev=log_known_devices, $path="known_devices"]); - } diff --git a/scripts/policy/misc/load-balancing.bro b/scripts/policy/misc/load-balancing.bro index ba770ae1af..40bbe238ca 100644 --- a/scripts/policy/misc/load-balancing.bro +++ b/scripts/policy/misc/load-balancing.bro 
@@ -12,22 +12,11 @@ export { ## Apply BPF filters to each worker in a way that causes them to ## automatically flow balance traffic between them. AUTO_BPF, - # Load balance traffic across the workers by making each one apply - # a restrict filter to only listen to a single MAC address. This - # is a somewhat common deployment option for sites doing network - # based load balancing with MAC address rewriting and passing the - # traffic to a single interface. Multiple MAC addresses will show - # up on the same interface and need filtered to a single address. - #MAC_ADDR_BPF, }; ## Defines the method of load balancing to use. const method = AUTO_BPF &redef; - # Configure the cluster framework to enable the load balancing filter configuration. - #global send_filter: event(for_node: string, filter: string); - #global confirm_filter_installation: event(success: bool); - redef record Cluster::Node += { ## A BPF filter for load balancing traffic sniffed on a single ## interface across a number of processes. In normal uses, this 
@@ -37,97 +26,86 @@ export { }; } -#redef Cluster::manager2worker_events += /LoadBalancing::send_filter/; -#redef Cluster::worker2manager_events += /LoadBalancing::confirm_filter_installation/; - @if ( Cluster::is_enabled() ) -@if ( Cluster::local_node_type() == Cluster::MANAGER ) - event bro_init() &priority=5 { if ( method != AUTO_BPF ) return; local worker_ip_interface: table[addr, string] of count = table(); - for ( n in Cluster::nodes ) - { - local this_node = Cluster::nodes[n]; + local sorted_node_names: vector of string = vector(); + local node: Cluster::Node; + local name: string; - # Only workers! - if ( this_node$node_type != Cluster::WORKER || - ! this_node?$interface ) + # Sort nodes list so that every node iterates over it in same order. + for ( name in Cluster::nodes ) + sorted_node_names += name; + + sort(sorted_node_names, strcmp); + + for ( idx in sorted_node_names ) + { + name = sorted_node_names[idx]; + node = Cluster::nodes[name]; + + if ( node$node_type != Cluster::WORKER ) next; - if ( [this_node$ip, this_node$interface] !in worker_ip_interface ) - worker_ip_interface[this_node$ip, this_node$interface] = 0; - ++worker_ip_interface[this_node$ip, this_node$interface]; + if ( ! node?$interface ) + next; + + if ( [node$ip, node$interface] !in worker_ip_interface ) + worker_ip_interface[node$ip, node$interface] = 0; + + ++worker_ip_interface[node$ip, node$interface]; } - # Now that we've counted up how many processes are running on an interface - # let's create the filters for each worker. + # Now that we've counted up how many processes are running per + # interface, let's create the filters for each worker. 
local lb_proc_track: table[addr, string] of count = table(); - for ( no in Cluster::nodes ) + + for ( idx in sorted_node_names ) { - local that_node = Cluster::nodes[no]; - if ( that_node$node_type == Cluster::WORKER && - that_node?$interface && [that_node$ip, that_node$interface] in worker_ip_interface ) - { - if ( [that_node$ip, that_node$interface] !in lb_proc_track ) - lb_proc_track[that_node$ip, that_node$interface] = 0; + name = sorted_node_names[idx]; + node = Cluster::nodes[name]; - local this_lb_proc = lb_proc_track[that_node$ip, that_node$interface]; - local total_lb_procs = worker_ip_interface[that_node$ip, that_node$interface]; + if ( node$node_type != Cluster::WORKER ) + next; - ++lb_proc_track[that_node$ip, that_node$interface]; - if ( total_lb_procs > 1 ) - { - that_node$lb_filter = PacketFilter::sampling_filter(total_lb_procs, this_lb_proc); - Communication::nodes[no]$capture_filter = that_node$lb_filter; - } - } + if ( ! node?$interface ) + next; + + if ( [node$ip, node$interface] !in worker_ip_interface ) + next; + + if ( [node$ip, node$interface] !in lb_proc_track ) + lb_proc_track[node$ip, node$interface] = 0; + + local this_lb_proc = lb_proc_track[node$ip, node$interface]; + local total_lb_procs = worker_ip_interface[node$ip, node$interface]; + ++lb_proc_track[node$ip, node$interface]; + + if ( total_lb_procs > 1 ) + node$lb_filter = PacketFilter::sampling_filter(total_lb_procs, + this_lb_proc); + } + + # Finally, install filter for the current node if it needs one. + for ( idx in sorted_node_names ) + { + name = sorted_node_names[idx]; + node = Cluster::nodes[name]; + + if ( name != Cluster::node ) + next; + + if ( ! node?$lb_filter ) + next; + + restrict_filters["lb_filter"] = node$lb_filter; + PacketFilter::install(); } } -#event remote_connection_established(p: event_peer) &priority=-5 -# { -# if ( is_remote_event() ) -# return; -# -# local for_node = p$descr; -# # Send the filter to the peer. 
-# if ( for_node in Cluster::nodes && -# Cluster::nodes[for_node]?$lb_filter ) -# { -# local filter = Cluster::nodes[for_node]$lb_filter; -# event LoadBalancing::send_filter(for_node, filter); -# } -# } - -#event LoadBalancing::confirm_filter_installation(success: bool) -# { -# # This doesn't really matter yet since we aren't getting back a meaningful success response. -# } - -@endif - - -@if ( Cluster::local_node_type() == Cluster::WORKER ) - -#event LoadBalancing::send_filter(for_node: string, filter: string) -event remote_capture_filter(p: event_peer, filter: string) - { - #if ( for_node !in Cluster::nodes ) - # return; - # - #if ( Cluster::node == for_node ) - # { - restrict_filters["lb_filter"] = filter; - PacketFilter::install(); - #event LoadBalancing::confirm_filter_installation(T); - # } - } - -@endif - @endif diff --git a/scripts/policy/protocols/conn/known-hosts.bro b/scripts/policy/protocols/conn/known-hosts.bro index a539885dd1..410ed9edfe 100644 --- a/scripts/policy/protocols/conn/known-hosts.bro +++ b/scripts/policy/protocols/conn/known-hosts.bro @@ -4,6 +4,7 @@ ##! use on a network per day. @load base/utils/directions-and-hosts +@load base/frameworks/cluster module Known; 
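Review bot: The last loop of `bro_init` in load-balancing.bro walks every entry of `sorted_node_names` only to find the one equal to `Cluster::node`. A direct lookup is shorter and states the intent: `if ( Cluster::node in Cluster::nodes && Cluster::nodes[Cluster::node]?$lb_filter )` followed by the two install lines. Each node now derives its own sampling share from its local copy of `Cluster::nodes`, so a comment that all nodes must load an identical node table would also help. A mismatch would presumably leave part of the traffic uncaptured without any error.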
@@ -19,23 +20,131 @@ export { ## TCP connection. host: addr &log; }; + + ## Toggles between different implementations of this script. + ## When true, use a Broker data store, else use a regular Bro set + ## with keys uniformly distributed over proxy nodes in cluster + ## operation. + const use_host_store = T &redef; ## The hosts whose existence should be logged and tracked. ## See :bro:type:`Host` for possible choices. const host_tracking = LOCAL_HOSTS &redef; + ## Holds the set of all known hosts. Keys in the store are addresses + ## and their associated value will always be the "true" boolean. + global host_store: Cluster::StoreInfo; + + ## The Broker topic name to use for :bro:see:`Known::host_store`. + const host_store_name = "bro/known/hosts" &redef; + + ## The expiry interval of new entries in :bro:see:`Known::host_store`. + ## This also changes the interval at which hosts get logged. + const host_store_expiry = 1day &redef; + + ## The timeout interval to use for operations against + ## :bro:see:`Known::host_store`. + const host_store_timeout = 15sec &redef; + ## The set of all known addresses to store for preventing duplicate ## logging of addresses. It can also be used from other scripts to ## inspect if an address has been seen in use. ## Maintain the list of known hosts for 24 hours so that the existence ## of each individual address is logged each day. - global known_hosts: set[addr] &create_expire=1day &synchronized &redef; + ## + ## In cluster operation, this set is distributed uniformly across + ## proxy nodes. + global hosts: set[addr] &create_expire=1day &redef; ## An event that can be handled to access the :bro:type:`Known::HostsInfo` ## record as it is sent on to the logging framework. global log_known_hosts: event(rec: HostsInfo); } +event bro_init() + { + if ( ! Known::use_host_store ) + return; + + Known::host_store = Cluster::create_store(Known::host_store_name); + } + +event Known::host_found(info: HostsInfo) + { + if ( ! 
Known::use_host_store ) + return; + + when ( local r = Broker::put_unique(Known::host_store$store, info$host, + T, Known::host_store_expiry) ) + { + if ( r$status == Broker::SUCCESS ) + { + if ( r$result as bool ) + Log::write(Known::HOSTS_LOG, info); + } + else + Reporter::error(fmt("%s: data store put_unique failure", + Known::host_store_name)); + } + timeout Known::host_store_timeout + { + # Can't really tell if master store ended up inserting a key. + Log::write(Known::HOSTS_LOG, info); + } + } + +event known_host_add(info: HostsInfo) + { + if ( use_host_store ) + return; + + if ( info$host in Known::hosts ) + return; + + add Known::hosts[info$host]; + + @if ( ! Cluster::is_enabled() || + Cluster::local_node_type() == Cluster::PROXY ) + Log::write(Known::HOSTS_LOG, info); + @endif + } + +event Cluster::node_up(name: string, id: string) + { + if ( use_host_store ) + return; + + if ( Cluster::local_node_type() != Cluster::WORKER ) + return; + + # Drop local suppression cache on workers to force HRW key repartitioning. + Known::hosts = set(); + } + +event Cluster::node_down(name: string, id: string) + { + if ( use_host_store ) + return; + + if ( Cluster::local_node_type() != Cluster::WORKER ) + return; + + # Drop local suppression cache on workers to force HRW key repartitioning. + Known::hosts = set(); + } + +event Known::host_found(info: HostsInfo) + { + if ( use_host_store ) + return; + + if ( info$host in Known::hosts ) + return; + + Cluster::publish_hrw(Cluster::proxy_pool, info$host, known_host_add, info); + event known_host_add(info); + } + event bro_init() { Log::create_stream(Known::HOSTS_LOG, [$columns=HostsInfo, $ev=log_known_hosts, $path="known_hosts"]); 
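Review bot: The store-backed `Known::host_found` handler in known-hosts.bro treats its two failure paths differently: on a non-success status it only calls `Reporter::error` and drops the entry, while on timeout it writes the entry unconditionally. Because `connection_established` no longer checks a local set first, a store outage means either hosts missing from known_hosts.log or one log line and one error per qualifying connection. I would pick one policy and state it in a comment above the `when` block, for example logging on both paths and suppressing repeats with the local `Known::hosts` set. The store-backed `service_info_commit` handler in known-services.bro has the same shape.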
@@ -43,17 +152,15 @@ event bro_init() event connection_established(c: connection) &priority=5 { + if ( c$orig$state != TCP_ESTABLISHED ) + return; + + if ( c$resp$state != TCP_ESTABLISHED ) + return; + local id = c$id; - + for ( host in set(id$orig_h, id$resp_h) ) - { - if ( host !in known_hosts && - c$orig$state == TCP_ESTABLISHED && - c$resp$state == TCP_ESTABLISHED && - addr_matches_host(host, host_tracking) ) - { - add known_hosts[host]; - Log::write(Known::HOSTS_LOG, [$ts=network_time(), $host=host]); - } - } + if ( addr_matches_host(host, host_tracking) ) + event Known::host_found([$ts = network_time(), $host = host]); } diff --git a/scripts/policy/protocols/conn/known-services.bro b/scripts/policy/protocols/conn/known-services.bro index 0c79db84f5..7a829214c1 100644 --- a/scripts/policy/protocols/conn/known-services.bro +++ b/scripts/policy/protocols/conn/known-services.bro @@ -4,6 +4,7 @@ ##! during the session, the protocol will also be logged. @load base/utils/directions-and-hosts +@load base/frameworks/cluster module Known; 
@@ -25,15 +26,47 @@ export { ## A set of protocols that match the service's connection payloads. service: set[string] &log; }; + + ## Toggles between different implementations of this script. + ## When true, use a Broker data store, else use a regular Bro set + ## with keys uniformly distributed over proxy nodes in cluster + ## operation. + const use_service_store = T &redef; ## The hosts whose services should be tracked and logged. ## See :bro:type:`Host` for possible choices. const service_tracking = LOCAL_HOSTS &redef; + type AddrPortPair: record { + host: addr; + p: port; + }; + + ## Holds the set of all known services. Keys in the store are + ## :bro:type:`Known::AddrPortPair` and their associated value is + ## always the boolean value of "true". + global service_store: Cluster::StoreInfo; + + ## The Broker topic name to use for :bro:see:`Known::service_store`. + const service_store_name = "bro/known/services" &redef; + + ## The expiry interval of new entries in :bro:see:`Known::service_store`. + ## This also changes the interval at which services get logged. + const service_store_expiry = 1day &redef; + + ## The timeout interval to use for operations against + ## :bro:see:`Known::service_store`. + const service_store_timeout = 15sec &redef; + ## Tracks the set of daily-detected services for preventing the logging ## of duplicates, but can also be inspected by other scripts for ## different purposes. - global known_services: set[addr, port] &create_expire=1day &synchronized; + ## + ## In cluster operation, this set is uniformly distributed across + ## proxy nodes. + ## + ## This set is automatically populated and shouldn't be directly modified. + global services: set[addr, port] &create_expire=1day; ## Event that can be handled to access the :bro:type:`Known::ServicesInfo` ## record as it is sent on to the logging framework. 
@@ -46,46 +79,124 @@ redef record connection += { known_services_done: bool &default=F; }; -event bro_init() &priority=5 + +event bro_init() { - Log::create_stream(Known::SERVICES_LOG, [$columns=ServicesInfo, - $ev=log_known_services, - $path="known_services"]); + if ( ! Known::use_service_store ) + return; + + Known::service_store = Cluster::create_store(Known::service_store_name); } - -event log_it(ts: time, a: addr, p: port, services: set[string]) + +event service_info_commit(info: ServicesInfo) + { - if ( [a, p] !in known_services ) + if ( ! Known::use_service_store ) + return; + + local key = AddrPortPair($host = info$host, $p = info$port_num); + + when ( local r = Broker::put_unique(Known::service_store$store, key, + T, Known::service_store_expiry) ) { - add known_services[a, p]; - - local i: ServicesInfo; - i$ts=ts; - i$host=a; - i$port_num=p; - i$port_proto=get_port_transport_proto(p); - i$service=services; - Log::write(Known::SERVICES_LOG, i); + if ( r$status == Broker::SUCCESS ) + { + if ( r$result as bool ) + Log::write(Known::SERVICES_LOG, info); + } + else + Reporter::error(fmt("%s: data store put_unique failure", + Known::service_store_name)); + } + timeout Known::service_store_timeout + { + Log::write(Known::SERVICES_LOG, info); } } - + +event known_service_add(info: ServicesInfo) + { + if ( Known::use_service_store ) + return; + + if ( [info$host, info$port_num] in Known::services ) + return; + + add Known::services[info$host, info$port_num]; + + @if ( ! Cluster::is_enabled() || + Cluster::local_node_type() == Cluster::PROXY ) + Log::write(Known::SERVICES_LOG, info); + @endif + } + +event Cluster::node_up(name: string, id: string) + { + if ( Known::use_service_store ) + return; + + if ( Cluster::local_node_type() != Cluster::WORKER ) + return; + + # Drop local suppression cache on workers to force HRW key repartitioning. 
+ Known::services = set(); + } + +event Cluster::node_down(name: string, id: string) + { + if ( Known::use_service_store ) + return; + + if ( Cluster::local_node_type() != Cluster::WORKER ) + return; + + # Drop local suppression cache on workers to force HRW key repartitioning. + Known::services = set(); + } + +event service_info_commit(info: ServicesInfo) + { + if ( Known::use_service_store ) + return; + + if ( [info$host, info$port_num] in Known::services ) + return; + + local key = cat(info$host, info$port_num); + Cluster::publish_hrw(Cluster::proxy_pool, key, known_service_add, info); + event known_service_add(info); + } + function known_services_done(c: connection) { local id = c$id; c$known_services_done = T; - - if ( ! addr_matches_host(id$resp_h, service_tracking) || - "ftp-data" in c$service || # don't include ftp data sessions - ("DNS" in c$service && c$resp$size == 0) ) # for dns, require that the server talks. + + if ( ! addr_matches_host(id$resp_h, service_tracking) ) return; - - # If no protocol was detected, wait a short - # time before attempting to log in case a protocol is detected - # on another connection. + + if ( |c$service| == 1 ) + { + if ( "ftp-data" in c$service ) + # Don't include ftp data sessions. + return; + + if ( "DNS" in c$service && c$resp$size == 0 ) + # For dns, require that the server talks. + return; + } + + local info = ServicesInfo($ts = network_time(), $host = id$resp_h, + $port_num = id$resp_p, + $port_proto = get_port_transport_proto(id$resp_p), + $service = c$service); + + # If no protocol was detected, wait a short time before attempting to log + # in case a protocol is detected on another connection. 
if ( |c$service| == 0 ) - schedule 5min { log_it(network_time(), id$resp_h, id$resp_p, c$service) }; + schedule 5min { service_info_commit(info) }; else - event log_it(network_time(), id$resp_h, id$resp_p, c$service); + event service_info_commit(info); } event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count) &priority=-5 @@ -96,6 +207,19 @@ event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count) &pr # Handle the connection ending in case no protocol was ever detected. event connection_state_remove(c: connection) &priority=-5 { - if ( ! c$known_services_done && c$resp$state == TCP_ESTABLISHED ) - known_services_done(c); + if ( c$known_services_done ) + return; + + if ( c$resp$state != TCP_ESTABLISHED ) + return; + + known_services_done(c); } + +event bro_init() &priority=5 + { + Log::create_stream(Known::SERVICES_LOG, [$columns=ServicesInfo, + $ev=log_known_services, + $path="known_services"]); + } + diff --git a/scripts/policy/protocols/dhcp/known-devices-and-hostnames.bro b/scripts/policy/protocols/dhcp/known-devices-and-hostnames.bro deleted file mode 100644 index 63b794cb9f..0000000000 --- a/scripts/policy/protocols/dhcp/known-devices-and-hostnames.bro +++ /dev/null 
@@ -1,37 +0,0 @@
-##! Tracks MAC address with hostnames seen in DHCP traffic. They are logged into
-##! ``devices.log``.
-
-@load policy/misc/known-devices
-
-module Known;
-
-export {
- redef record DevicesInfo += {
- ## The value of the DHCP host name option, if seen.
- dhcp_host_name: string &log &optional;
- };
-}
-
-event dhcp_request(c: connection, msg: dhcp_msg, req_addr: addr, serv_addr: addr, host_name: string)
- {
- if ( msg$h_addr == "" )
- return;
-
- if ( msg$h_addr !in known_devices )
- {
- add known_devices[msg$h_addr];
- Log::write(Known::DEVICES_LOG, [$ts=network_time(), $mac=msg$h_addr, $dhcp_host_name=host_name]);
- }
- }
-
-event dhcp_inform(c: connection, msg: dhcp_msg, host_name: string)
- {
- if ( msg$h_addr == "" )
- return;
-
- if ( msg$h_addr !in known_devices )
- {
- add known_devices[msg$h_addr];
- Log::write(Known::DEVICES_LOG, [$ts=network_time(), $mac=msg$h_addr, $dhcp_host_name=host_name]);
- }
- }
diff --git a/scripts/policy/protocols/dhcp/msg-orig.bro b/scripts/policy/protocols/dhcp/msg-orig.bro
new file mode 100644
index 0000000000..d2350192b5
--- /dev/null
+++ b/scripts/policy/protocols/dhcp/msg-orig.bro
@@ -0,0 +1,21 @@
+##! Add a field that logs the order of hosts sending messages
+##! using the same DHCP transaction ID. This information is
+##! occasionally needed on some networks to fully explain the
+##! DHCP sequence.
+
+@load base/protocols/dhcp
+
+module DHCP;
+
+export {
+ redef record DHCP::Info += {
+ ## The address that originated each message from the
+ ## `msg_types` field.
+ msg_orig: vector of addr &log &default=addr_vec();
+ };
+}
+
+event DHCP::aggregate_msgs(ts: time, id: conn_id, uid: string, is_orig: bool, msg: DHCP::Msg, options: DHCP::Options) &priority=3
+ {
+ log_info$msg_orig += is_orig ? id$orig_h : id$resp_h;
+ }
diff --git a/scripts/policy/protocols/dhcp/software.bro b/scripts/policy/protocols/dhcp/software.bro
new file mode 100644
index 0000000000..111de0bfd8
--- /dev/null
+++ b/scripts/policy/protocols/dhcp/software.bro
@@ -0,0 +1,64 @@
+##! Software identification and extraction for DHCP traffic.
+
+@load base/protocols/dhcp
+@load base/frameworks/software
+
+module DHCP;
+
+export {
+ redef enum Software::Type += {
+ ## Identifier for web servers in the software framework.
+ DHCP::SERVER,
+ ## Identifier for web browsers in the software framework.
+ DHCP::CLIENT,
+ };
+
+ redef record DHCP::Info += {
+ ## Software reported by the client in the `vendor_class` option.
+ client_software: string &log &optional;
+ ## Software reported by the server in the `vendor_class` option.
+ server_software: string &log &optional;
+ };
+}
+
+event DHCP::aggregate_msgs(ts: time, id: conn_id, uid: string, is_orig: bool, msg: DHCP::Msg, options: DHCP::Options) &priority=5
+ {
+ if ( options?$vendor_class )
+ {
+ if ( is_orig )
+ log_info$client_software = options$vendor_class;
+ else
+ {
+ log_info$server_software = options$vendor_class;
+ Software::found(id, [$unparsed_version=options$vendor_class,
+ $host=id$resp_h,
+ $software_type=DHCP::SERVER]);
+ }
+ }
+ }
+
+event DHCP::log_dhcp(rec: DHCP::Info)
+ {
+ if ( rec?$assigned_addr && rec?$server_addr &&
+ (rec?$client_software || rec?$server_software) )
+ {
+ local id: conn_id = [$orig_h=rec$assigned_addr,
+ $orig_p=rec$client_port,
+ $resp_h=rec$server_addr,
+ $resp_p=rec$server_port];
+
+ if ( rec?$client_software && rec$assigned_addr != 255.255.255.255 )
+ {
+ Software::found(id, [$unparsed_version=rec$client_software,
+ $host=rec$assigned_addr, $host_p=id$orig_p,
+ $software_type=DHCP::CLIENT]);
+ }
+
+ if ( rec?$server_software )
+ {
+ Software::found(id, [$unparsed_version=rec$server_software,
+ $host=rec$server_addr, $host_p=id$resp_p,
+ $software_type=DHCP::SERVER]);
+ }
+ }
+ }
diff --git a/scripts/policy/protocols/dhcp/sub-opts.bro b/scripts/policy/protocols/dhcp/sub-opts.bro
new file mode 100644
index 0000000000..43b6942fab
--- /dev/null
+++ b/scripts/policy/protocols/dhcp/sub-opts.bro
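Review bot: The server's `vendor_class` reaches `Software::found` twice, once in the `else` branch of `DHCP::aggregate_msgs` (without `$host_p`) and again in `DHCP::log_dhcp` (with `$host_p=id$resp_p`), so one exchange may register the same server software under two differing records; whether the software framework merges them is not visible here. If the `log_dhcp` path is the intended one, the `else` branch can be reduced to `log_info$server_software = options$vendor_class;`. The enum doc comments also describe web servers and web browsers; they should read `## Identifier for DHCP servers in the software framework.` and `## Identifier for DHCP clients in the software framework.`. Because `vendor_class` is a free-form string supplied by the remote host, a comment noting that it is recorded as received would help consumers of the software log.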
@@ -0,0 +1,45 @@
+
+@load base/protocols/dhcp
+
+module DHCP;
+
+export {
+ redef record DHCP::Info += {
+ ## Added by DHCP relay agents which terminate switched or
+ ## permanent circuits. It encodes an agent-local identifier
+ ## of the circuit from which a DHCP client-to-server packet was
+ ## received. Typically it should represent a router or switch
+ ## interface number.
+ circuit_id: string &log &optional;
+
+ ## A globally unique identifier added by relay agents to identify
+ ## the remote host end of the circuit.
+ agent_remote_id: string &log &optional;
+
+ ## The subscriber ID is a value independent of the physical
+ ## network configuration so that a customer's DHCP configuration
+ ## can be given to them correctly no matter where they are
+ ## physically connected.
+ subscriber_id: string &log &optional;
+ };
+}
+
+event DHCP::aggregate_msgs(ts: time, id: conn_id, uid: string, is_orig: bool, msg: DHCP::Msg, options: DHCP::Options)
+ {
+ if ( options?$sub_opt )
+ {
+ for ( i in options$sub_opt )
+ {
+ local sub_opt = options$sub_opt[i];
+
+ if ( sub_opt$code == 1 )
+ DHCP::log_info$circuit_id = sub_opt$value;
+
+ else if ( sub_opt$code == 2 )
+ DHCP::log_info$agent_remote_id = sub_opt$value;
+
+ else if ( sub_opt$code == 6 )
+ DHCP::log_info$subscriber_id = sub_opt$value;
+ }
+ }
+ }
diff --git a/scripts/policy/protocols/http/detect-webapps.bro b/scripts/policy/protocols/http/detect-webapps.bro
index 53d7109468..29adbc6580 100644
--- a/scripts/policy/protocols/http/detect-webapps.bro
+++ b/scripts/policy/protocols/http/detect-webapps.bro
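Review bot: The sub-option codes `1`, `2` and `6` in `DHCP::aggregate_msgs` are bare literals, so the mapping to the three log fields can only be read off the assignments. A comment above the loop such as `# Relay agent sub-option codes: 1 = circuit ID, 2 = remote ID, 6 = subscriber ID.` would make the intent reviewable. The file also opens with an empty line instead of a `##!` script summary, unlike the other scripts added in this commit. Since these values are inserted by relay agents and logged as received, the field comments could say that they are not validated.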
@@ -31,25 +31,40 @@ event signature_match(state: signature_state, msg: string, data: string) &priori local si: Software::Info; si = [$name=msg, $unparsed_version=msg, $host=c$id$resp_h, $host_p=c$id$resp_p, $software_type=WEB_APPLICATION]; si$url = build_url_http(c$http); - if ( c$id$resp_h in Software::tracked && - si$name in Software::tracked[c$id$resp_h] ) - { - # If the new url is a substring of an existing, known url then let's - # use that as the new url for the software. - # PROBLEM: different version of the same software on the same server with a shared root path - local is_substring = 0; - if ( Software::tracked[c$id$resp_h][si$name]?$url && - |si$url| <= |Software::tracked[c$id$resp_h][si$name]$url| ) - is_substring = strstr(Software::tracked[c$id$resp_h][si$name]$url, si$url); - - if ( is_substring == 1 ) - { - Software::tracked[c$id$resp_h][si$name]$url = si$url; - # Force the software to be logged because it indicates a URL - # closer to the root of the site. - si$force_log = T; - } - } - Software::found(c$id, si); } + +event Software::register(info: Software::Info) &priority=5 + { + if ( info$host !in Software::tracked ) + return; + + local ss = Software::tracked[info$host]; + + if ( info$name !in ss ) + return; + + local old_info = ss[info$name]; + + if ( ! old_info?$url ) + return; + + if ( ! info?$url ) + return; + + # If the new url is a substring of an existing, known url then let's + # use that as the new url for the software. + # PROBLEM: different version of the same software on the same server with a shared root path + local is_substring = 0; + + if ( |info$url| <= |old_info$url| ) + is_substring = strstr(old_info$url, info$url); + + if ( is_substring != 1 ) + return; + + old_info$url = info$url; + # Force the software to be logged because it indicates a URL + # closer to the root of the site. + info$force_log = T; + } 
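Review bot: In the new `Software::register` handler the variable `is_substring` holds the position returned by `strstr`, and the test `is_substring != 1` accepts only a match at the start of the known URL, so the check is a prefix test although the comment and the name say substring. A comment would prevent a later "fix" that widens it: `# strstr() returns the 1-based match position; 1 means the new URL is a prefix of the known one.` The update `old_info$url = info$url;` also appears to depend on `old_info` referring to the record stored in `Software::tracked` rather than a copy, which is worth stating next to the assignment. The URL comes from observed HTTP requests, and the existing PROBLEM comment about shared root paths still applies. The body of `signature_match` starts outside this hunk.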
diff --git a/scripts/policy/protocols/http/header-names.bro b/scripts/policy/protocols/http/header-names.bro
index ed3f9380a7..1b256226dd 100644
--- a/scripts/policy/protocols/http/header-names.bro
+++ b/scripts/policy/protocols/http/header-names.bro
@@ -35,7 +35,7 @@ event http_header(c: connection, is_orig: bool, name: string, value: string) &pr { if ( ! c$http?$client_header_names ) c$http$client_header_names = vector(); - c$http$client_header_names[|c$http$client_header_names|] = name; + c$http$client_header_names += name; } } else
@@ -44,7 +44,7 @@ event http_header(c: connection, is_orig: bool, name: string, value: string) &pr { if ( ! c$http?$server_header_names ) c$http$server_header_names = vector(); - c$http$server_header_names[|c$http$server_header_names|] = name; + c$http$server_header_names += name; } } }
diff --git a/scripts/policy/protocols/krb/ticket-logging.bro b/scripts/policy/protocols/krb/ticket-logging.bro
new file mode 100644
index 0000000000..22fd3c810b
--- /dev/null
+++ b/scripts/policy/protocols/krb/ticket-logging.bro
@@ -0,0 +1,33 @@
+##! Add Kerberos ticket hashes to the krb.log
+
+@load base/protocols/krb
+
+module KRB;
+
+redef record Info += {
+ ## Hash of ticket used to authorize request/transaction
+ auth_ticket: string &log &optional;
+ ## Hash of ticket returned by the KDC
+ new_ticket: string &log &optional;
+};
+
+event krb_ap_request(c: connection, ticket: KRB::Ticket, opts: KRB::AP_Options)
+ {
+ # Will be overwritten when request is a TGS
+ c$krb$request_type = "AP";
+
+ if ( ticket?$ciphertext )
+ c$krb$auth_ticket = md5_hash(ticket$ciphertext);
+ }
+
+event krb_as_response(c: connection, msg: KDC_Response)
+ {
+ if ( msg$ticket?$ciphertext )
+ c$krb$new_ticket = md5_hash(msg$ticket$ciphertext);
+ }
+
+event krb_tgs_response(c: connection, msg: KDC_Response)
+ {
+ if ( msg$ticket?$ciphertext )
+ c$krb$new_ticket = md5_hash(msg$ticket$ciphertext);
+ }
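Review bot: The two new log fields are documented only as a "Hash of ticket", while all three handlers compute them with `md5_hash`, so the field comments should name the algorithm and the purpose, e.g. `## MD5 hash of the ticket used to authorize the request/transaction; a correlation identifier only.` and the same for `new_ticket`. MD5 is not collision resistant, so equal values in krb.log should be read as a hint for joining requests to issued tickets, not as proof that the ciphertexts are identical. `krb_ap_request` also writes `c$krb$request_type` with no `c?$krb` check and no `&priority`; this presumably relies on a base handler having created `c$krb` first, which is not visible in this file and deserves a comment.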
diff --git a/scripts/policy/protocols/smb/README b/scripts/policy/protocols/smb/README
deleted file mode 100644
index d10322faad..0000000000
--- a/scripts/policy/protocols/smb/README
+++ /dev/null
@@ -1 +0,0 @@
-Support for SMB protocol analysis.
diff --git a/scripts/policy/protocols/smb/__load__.bro b/scripts/policy/protocols/smb/__load__.bro
deleted file mode 100644
index 31c8469c60..0000000000
--- a/scripts/policy/protocols/smb/__load__.bro
+++ /dev/null
@@ -1,8 +0,0 @@
-@load base/protocols/smb
-
-@load ./main
-@load ./smb1-main
-@load ./smb2-main
-@load ./files
-
-@load-sigs ./dpd.sig
diff --git a/scripts/policy/protocols/smb/log-cmds.bro b/scripts/policy/protocols/smb/log-cmds.bro
new file mode 100644
index 0000000000..6890535c3b
--- /dev/null
+++ b/scripts/policy/protocols/smb/log-cmds.bro
@@ -0,0 +1,82 @@
+##! Load this script to generate an SMB command log, smb_cmd.log.
+##! This is primarily useful for debugging.
+
+@load base/protocols/smb
+
+module SMB;
+
+export {
+ redef enum Log::ID += {
+ CMD_LOG,
+ };
+
+ ## The server response statuses which are *not* logged.
+ const ignored_command_statuses: set[string] = {
+ "MORE_PROCESSING_REQUIRED",
+ } &redef;
+}
+
+## Internal use only.
+## Some commands shouldn't be logged by the smb1_message event.
+const deferred_logging_cmds: set[string] = {
+ "NEGOTIATE",
+ "READ_ANDX",
+ "SESSION_SETUP_ANDX",
+ "TREE_CONNECT_ANDX",
+};
+
+event bro_init() &priority=5
+ {
+ Log::create_stream(SMB::CMD_LOG, [$columns=SMB::CmdInfo, $path="smb_cmd"]);
+ }
+
+event smb1_message(c: connection, hdr: SMB1::Header, is_orig: bool) &priority=-5
+ {
+ if ( is_orig )
+ return;
+
+ if ( c$smb_state$current_cmd$status in SMB::ignored_command_statuses )
+ return;
+
+ if ( c$smb_state$current_cmd$command in SMB::deferred_logging_cmds )
+ return;
+
+ Log::write(SMB::CMD_LOG, c$smb_state$current_cmd);
+ }
+
+event smb1_error(c: connection, hdr: SMB1::Header, is_orig: bool)
+ {
+ if ( is_orig )
+ return;
+
+ # This is for deferred commands only.
+ # The more specific messages won't fire for errors
+
+ if ( c$smb_state$current_cmd$status in SMB::ignored_command_statuses )
+ return;
+
+ if ( c$smb_state$current_cmd$command !in SMB::deferred_logging_cmds )
+ return;
+
+ Log::write(SMB::CMD_LOG, c$smb_state$current_cmd);
+ }
+
+event smb2_message(c: connection, hdr: SMB2::Header, is_orig: bool) &priority=-5
+ {
+ if ( is_orig )
+ return;
+
+ # If the command that is being looked at right now was
+ # marked as PENDING, then we'll skip all of this and wait
+ # for a reply that isn't marked pending.
+ if ( c$smb_state$current_cmd$status == "PENDING" )
+ return;
+
+ if ( c$smb_state$current_cmd$status in SMB::ignored_command_statuses )
+ return;
+
+ if ( c$smb_state$current_cmd$command in SMB::deferred_logging_cmds )
+ return;
+
+ Log::write(SMB::CMD_LOG, c$smb_state$current_cmd);
+ }
diff --git a/scripts/policy/protocols/ssl/heartbleed.bro b/scripts/policy/protocols/ssl/heartbleed.bro
index e94451d6eb..6ffbcd23a5 100644
--- a/scripts/policy/protocols/ssl/heartbleed.bro
+++ b/scripts/policy/protocols/ssl/heartbleed.bro
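Review bot: `smb1_error` is declared without a `&priority`, while `smb1_message` and `smb2_message` run at `&priority=-5`, yet all three write `c$smb_state$current_cmd` to the log. If the low priority is there so the base handlers can fill in the command's status first (those handlers are not visible here), `smb1_error` probably needs it too: `event smb1_error(c: connection, hdr: SMB1::Header, is_orig: bool) &priority=-5`. Otherwise a comment should say why the default priority is correct for the error path. None of the handlers checks `c?$smb_state` before dereferencing it, which is worth a one-line comment naming the base script that guarantees it.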
@@ -50,33 +50,33 @@ event bro_init() # Minimum length a heartbeat packet must have for different cipher suites. # Note - tls 1.1f and 1.0 have different lengths :( # This should be all cipher suites usually supported by vulnerable servers. - min_lengths_tls11[|min_lengths_tls11|] = [$cipher=/_AES_256_GCM_SHA384$/, $min_length=43]; - min_lengths_tls11[|min_lengths_tls11|] = [$cipher=/_AES_128_GCM_SHA256$/, $min_length=43]; - min_lengths_tls11[|min_lengths_tls11|] = [$cipher=/_256_CBC_SHA384$/, $min_length=96]; - min_lengths_tls11[|min_lengths_tls11|] = [$cipher=/_256_CBC_SHA256$/, $min_length=80]; - min_lengths_tls11[|min_lengths_tls11|] = [$cipher=/_256_CBC_SHA$/, $min_length=64]; - min_lengths_tls11[|min_lengths_tls11|] = [$cipher=/_128_CBC_SHA256$/, $min_length=80]; - min_lengths_tls11[|min_lengths_tls11|] = [$cipher=/_128_CBC_SHA$/, $min_length=64]; - min_lengths_tls11[|min_lengths_tls11|] = [$cipher=/_3DES_EDE_CBC_SHA$/, $min_length=48]; - min_lengths_tls11[|min_lengths_tls11|] = [$cipher=/_SEED_CBC_SHA$/, $min_length=64]; - min_lengths_tls11[|min_lengths_tls11|] = [$cipher=/_IDEA_CBC_SHA$/, $min_length=48]; - min_lengths_tls11[|min_lengths_tls11|] = [$cipher=/_DES_CBC_SHA$/, $min_length=48]; - min_lengths_tls11[|min_lengths_tls11|] = [$cipher=/_DES40_CBC_SHA$/, $min_length=48]; - min_lengths_tls11[|min_lengths_tls11|] = [$cipher=/_RC4_128_SHA$/, $min_length=39]; - min_lengths_tls11[|min_lengths_tls11|] = [$cipher=/_RC4_128_MD5$/, $min_length=35]; - min_lengths_tls11[|min_lengths_tls11|] = [$cipher=/_RC4_40_MD5$/, $min_length=35]; - min_lengths_tls11[|min_lengths_tls11|] = [$cipher=/_RC2_CBC_40_MD5$/, $min_length=48]; - min_lengths[|min_lengths|] = [$cipher=/_256_CBC_SHA$/, $min_length=48]; - min_lengths[|min_lengths|] = [$cipher=/_128_CBC_SHA$/, $min_length=48]; - min_lengths[|min_lengths|] = [$cipher=/_3DES_EDE_CBC_SHA$/, $min_length=40]; - min_lengths[|min_lengths|] = [$cipher=/_SEED_CBC_SHA$/, $min_length=48]; - min_lengths[|min_lengths|] = 
[$cipher=/_IDEA_CBC_SHA$/, $min_length=40]; - min_lengths[|min_lengths|] = [$cipher=/_DES_CBC_SHA$/, $min_length=40]; - min_lengths[|min_lengths|] = [$cipher=/_DES40_CBC_SHA$/, $min_length=40]; - min_lengths[|min_lengths|] = [$cipher=/_RC4_128_SHA$/, $min_length=39]; - min_lengths[|min_lengths|] = [$cipher=/_RC4_128_MD5$/, $min_length=35]; - min_lengths[|min_lengths|] = [$cipher=/_RC4_40_MD5$/, $min_length=35]; - min_lengths[|min_lengths|] = [$cipher=/_RC2_CBC_40_MD5$/, $min_length=40]; + min_lengths_tls11 += [$cipher=/_AES_256_GCM_SHA384$/, $min_length=43]; + min_lengths_tls11 += [$cipher=/_AES_128_GCM_SHA256$/, $min_length=43]; + min_lengths_tls11 += [$cipher=/_256_CBC_SHA384$/, $min_length=96]; + min_lengths_tls11 += [$cipher=/_256_CBC_SHA256$/, $min_length=80]; + min_lengths_tls11 += [$cipher=/_256_CBC_SHA$/, $min_length=64]; + min_lengths_tls11 += [$cipher=/_128_CBC_SHA256$/, $min_length=80]; + min_lengths_tls11 += [$cipher=/_128_CBC_SHA$/, $min_length=64]; + min_lengths_tls11 += [$cipher=/_3DES_EDE_CBC_SHA$/, $min_length=48]; + min_lengths_tls11 += [$cipher=/_SEED_CBC_SHA$/, $min_length=64]; + min_lengths_tls11 += [$cipher=/_IDEA_CBC_SHA$/, $min_length=48]; + min_lengths_tls11 += [$cipher=/_DES_CBC_SHA$/, $min_length=48]; + min_lengths_tls11 += [$cipher=/_DES40_CBC_SHA$/, $min_length=48]; + min_lengths_tls11 += [$cipher=/_RC4_128_SHA$/, $min_length=39]; + min_lengths_tls11 += [$cipher=/_RC4_128_MD5$/, $min_length=35]; + min_lengths_tls11 += [$cipher=/_RC4_40_MD5$/, $min_length=35]; + min_lengths_tls11 += [$cipher=/_RC2_CBC_40_MD5$/, $min_length=48]; + min_lengths += [$cipher=/_256_CBC_SHA$/, $min_length=48]; + min_lengths += [$cipher=/_128_CBC_SHA$/, $min_length=48]; + min_lengths += [$cipher=/_3DES_EDE_CBC_SHA$/, $min_length=40]; + min_lengths += [$cipher=/_SEED_CBC_SHA$/, $min_length=48]; + min_lengths += [$cipher=/_IDEA_CBC_SHA$/, $min_length=40]; + min_lengths += [$cipher=/_DES_CBC_SHA$/, $min_length=40]; + min_lengths += [$cipher=/_DES40_CBC_SHA$/, 
$min_length=40]; + min_lengths += [$cipher=/_RC4_128_SHA$/, $min_length=39]; + min_lengths += [$cipher=/_RC4_128_MD5$/, $min_length=35]; + min_lengths += [$cipher=/_RC4_40_MD5$/, $min_length=35]; + min_lengths += [$cipher=/_RC2_CBC_40_MD5$/, $min_length=40]; } event ssl_heartbeat(c: connection, is_orig: bool, length: count, heartbeat_type: count, payload_length: count, payload: string) diff --git a/scripts/policy/protocols/ssl/known-certs.bro b/scripts/policy/protocols/ssl/known-certs.bro index 1f27521e46..e45a243dfd 100644 --- a/scripts/policy/protocols/ssl/known-certs.bro +++ b/scripts/policy/protocols/ssl/known-certs.bro @@ -4,6 +4,7 @@ @load base/utils/directions-and-hosts @load base/protocols/ssl @load base/files/x509 +@load base/frameworks/cluster module Known; 
@@ -29,27 +30,144 @@ export { ## The certificates whose existence should be logged and tracked. ## Choices are: LOCAL_HOSTS, REMOTE_HOSTS, ALL_HOSTS, NO_HOSTS. const cert_tracking = LOCAL_HOSTS &redef; + + ## Toggles between different implementations of this script. + ## When true, use a Broker data store, else use a regular Bro set + ## with keys uniformly distributed over proxy nodes in cluster + ## operation. + const use_cert_store = T &redef; + type AddrCertHashPair: record { + host: addr; + hash: string; + }; + + ## Holds the set of all known certificates. Keys in the store are of + ## type :bro:type:`Known::AddrCertHashPair` and their associated value is + ## always the boolean value of "true". + global cert_store: Cluster::StoreInfo; + + ## The Broker topic name to use for :bro:see:`Known::cert_store`. + const cert_store_name = "bro/known/certs" &redef; + + ## The expiry interval of new entries in :bro:see:`Known::cert_store`. + ## This also changes the interval at which certs get logged. + const cert_store_expiry = 1day &redef; + + ## The timeout interval to use for operations against + ## :bro:see:`Known::cert_store`. + const cert_store_timeout = 15sec &redef; + ## The set of all known certificates to store for preventing duplicate ## logging. It can also be used from other scripts to ## inspect if a certificate has been seen in use. The string value ## in the set is for storing the DER formatted certificate' SHA1 hash. - global certs: set[addr, string] &create_expire=1day &synchronized &redef; + ## + ## In cluster operation, this set is uniformly distributed across + ## proxy nodes. + global certs: set[addr, string] &create_expire=1day &redef; ## Event that can be handled to access the loggable record as it is sent ## on to the logging framework. global log_known_certs: event(rec: CertsInfo); } -event bro_init() &priority=5 +event bro_init() { - Log::create_stream(Known::CERTS_LOG, [$columns=CertsInfo, $ev=log_known_certs, $path="known_certs"]); + if ( ! 
Known::use_cert_store ) + return; + + Known::cert_store = Cluster::create_store(Known::cert_store_name); + } + +event Known::cert_found(info: CertsInfo, hash: string) + { + if ( ! Known::use_cert_store ) + return; + + local key = AddrCertHashPair($host = info$host, $hash = hash); + + when ( local r = Broker::put_unique(Known::cert_store$store, key, + T, Known::cert_store_expiry) ) + { + if ( r$status == Broker::SUCCESS ) + { + if ( r$result as bool ) + Log::write(Known::CERTS_LOG, info); + } + else + Reporter::error(fmt("%s: data store put_unique failure", + Known::cert_store_name)); + } + timeout Known::cert_store_timeout + { + # Can't really tell if master store ended up inserting a key. + Log::write(Known::CERTS_LOG, info); + } + } + +event known_cert_add(info: CertsInfo, hash: string) + { + if ( Known::use_cert_store ) + return; + + if ( [info$host, hash] in Known::certs ) + return; + + add Known::certs[info$host, hash]; + + @if ( ! Cluster::is_enabled() || + Cluster::local_node_type() == Cluster::PROXY ) + Log::write(Known::CERTS_LOG, info); + @endif + } + +event Known::cert_found(info: CertsInfo, hash: string) + { + if ( Known::use_cert_store ) + return; + + if ( [info$host, hash] in Known::certs ) + return; + + local key = cat(info$host, hash); + Cluster::publish_hrw(Cluster::proxy_pool, key, known_cert_add, info, hash); + event known_cert_add(info, hash); + } + +event Cluster::node_up(name: string, id: string) + { + if ( Known::use_cert_store ) + return; + + if ( Cluster::local_node_type() != Cluster::WORKER ) + return; + + # Drop local suppression cache on workers to force HRW key repartitioning. + Known::certs = table(); + } + +event Cluster::node_down(name: string, id: string) + { + if ( Known::use_cert_store ) + return; + + if ( Cluster::local_node_type() != Cluster::WORKER ) + return; + + # Drop local suppression cache on workers to force HRW key repartitioning. + Known::certs = table(); } event ssl_established(c: connection) &priority=3 { - if ( ! 
c$ssl?$cert_chain || |c$ssl$cert_chain| < 1 || - ! c$ssl$cert_chain[0]?$x509 ) + if ( ! c$ssl?$cert_chain ) + return; + + if ( |c$ssl$cert_chain| < 1 ) + return; + + if ( ! c$ssl$cert_chain[0]?$x509 ) return; local fuid = c$ssl$cert_chain_fuids[0]; @@ -61,16 +179,21 @@ event ssl_established(c: connection) &priority=3 return; } + local host = c$id$resp_h; + + if ( ! addr_matches_host(host, cert_tracking) ) + return; + local hash = c$ssl$cert_chain[0]$sha1; local cert = c$ssl$cert_chain[0]$x509$certificate; - - local host = c$id$resp_h; - if ( [host, hash] !in certs && addr_matches_host(host, cert_tracking) ) - { - add certs[host, hash]; - Log::write(Known::CERTS_LOG, [$ts=network_time(), $host=host, - $port_num=c$id$resp_p, $subject=cert$subject, - $issuer_subject=cert$issuer, - $serial=cert$serial]); - } + local info = CertsInfo($ts = network_time(), $host = host, + $port_num = c$id$resp_p, $subject = cert$subject, + $issuer_subject = cert$issuer, + $serial = cert$serial); + event Known::cert_found(info, hash); + } + +event bro_init() &priority=5 + { + Log::create_stream(Known::CERTS_LOG, [$columns=CertsInfo, $ev=log_known_certs, $path="known_certs"]); } diff --git a/scripts/policy/protocols/ssl/log-hostcerts-only.bro b/scripts/policy/protocols/ssl/log-hostcerts-only.bro index f537616e7f..7f07c2b069 100644 --- a/scripts/policy/protocols/ssl/log-hostcerts-only.bro +++ b/scripts/policy/protocols/ssl/log-hostcerts-only.bro @@ -8,7 +8,7 @@ module X509; export { redef record Info += { - # Logging is suppressed if field is set to F + ## Logging of certificate is suppressed if set to F logcert: bool &default=T; }; } 
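Review bot: In the store-backed `Known::cert_found` handler, a `put_unique` status other than `Broker::SUCCESS` only calls `Reporter::error`, so the certificate never reaches known_certs.log, whereas the `timeout` branch logs it because the outcome is unknown. A failing data store therefore silently removes entries from the log; consider adding `Log::write(Known::CERTS_LOG, info);` after the `Reporter::error` call, or a comment stating that dropping the entry is intended. Separately, the `Cluster::node_up` and `Cluster::node_down` handlers reset `Known::certs` with `table()` although it is declared as `set[addr, string]`; `Known::certs = set();` would match the declaration and the known-services script in this commit. The hard-coded `&create_expire=1day` on `certs` also does not follow `cert_store_expiry`, which the option's comment could mention.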
@@ -39,14 +39,29 @@ event bro_init() &priority=2 Log::add_filter(X509::LOG, f); } -event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priority=2 +event file_sniff(f: fa_file, meta: fa_metadata) &priority=4 { - if ( ! c?$ssl ) + if ( |f$conns| != 1 ) return; + if ( ! f?$info || ! f$info?$mime_type ) + return; + + if ( ! ( f$info$mime_type == "application/x-x509-ca-cert" || f$info$mime_type == "application/x-x509-user-cert" + || f$info$mime_type == "application/pkix-cert" ) ) + return; + + for ( cid in f$conns ) + { + if ( ! f$conns[cid]?$ssl ) + return; + + local c = f$conns[cid]; + } + local chain: vector of string; - if ( is_orig ) + if ( f$is_orig ) chain = c$ssl$client_cert_chain_fuids; else chain = c$ssl$cert_chain_fuids; diff --git a/scripts/policy/protocols/ssl/notary.bro b/scripts/policy/protocols/ssl/notary.bro index 07f2cdebc4..4406dd9629 100644 --- a/scripts/policy/protocols/ssl/notary.bro +++ b/scripts/policy/protocols/ssl/notary.bro @@ -56,7 +56,7 @@ event ssl_established(c: connection) &priority=3 local waits_already = digest in waitlist; if ( ! waits_already ) waitlist[digest] = vector(); - waitlist[digest][|waitlist[digest]|] = c$ssl; + waitlist[digest] += c$ssl; if ( waits_already ) return; diff --git a/scripts/policy/protocols/ssl/validate-certs.bro b/scripts/policy/protocols/ssl/validate-certs.bro index 97072e4cab..3f0d18a1c5 100644 --- a/scripts/policy/protocols/ssl/validate-certs.bro +++ b/scripts/policy/protocols/ssl/validate-certs.bro @@ -3,6 +3,7 @@ # Also caches all intermediate certificates encountered so far and use them # for future validations. +@load base/frameworks/cluster @load base/frameworks/notice @load base/protocols/ssl 
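Review bot: The `for ( cid in f$conns )` loop in the new `file_sniff` handler exists only to pull the single connection out of `f$conns`, and `c` is declared inside the loop but used after it for `c$ssl$client_cert_chain_fuids` and `c$ssl$cert_chain_fuids`. That reads like a scoping mistake unless the reader connects it to the `|f$conns| != 1` guard above. A comment before the loop would settle it: `# f$conns holds exactly one connection here; the loop only extracts it into c.` The handler continues past the end of this hunk.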
@@ -19,12 +20,17 @@ export { redef record Info += { ## Result of certificate validation for this connection. validation_status: string &log &optional; + ## Result of certificate validation for this connection, given + ## as OpenSSL validation code. + validation_code: int &optional; + ## Ordered chain of validated certificate, if validation succeeded. + valid_chain: vector of opaque of x509 &optional; }; - ## MD5 hash values for recently validated chains along with the + ## Result values for recently validated chains along with the ## validation status are kept in this table to avoid constant ## validation every time the same certificate chain is seen. - global recently_validated_certs: table[string] of string = table() + global recently_validated_certs: table[string] of X509::Result = table() &read_expire=5mins &redef; ## Use intermediate CA certificate caching when trying to validate @@ -39,11 +45,16 @@ export { ## that you encounter. Only disable if you want to find misconfigured servers. global ssl_cache_intermediate_ca: bool = T &redef; - ## Event from a worker to the manager that it has encountered a new - ## valid intermediate. + ## Store the valid chain in c$ssl$valid_chain if validation succeeds. + ## This has a potentially high memory impact, depending on the local environment + ## and is thus disabled by default. + global ssl_store_valid_chain: bool = F &redef; + + ## Event from a manager to workers when encountering a new, valid + ## intermediate. global intermediate_add: event(key: string, value: vector of opaque of x509); - ## Event from the manager to the workers that a new intermediate chain + ## Event from workers to the manager when a new intermediate chain ## is to be added. global new_intermediate: event(key: string, value: vector of opaque of x509); } 
@@ -51,12 +62,13 @@ export { global intermediate_cache: table[string] of vector of opaque of x509; @if ( Cluster::is_enabled() ) -@load base/frameworks/cluster -redef Cluster::manager2worker_events += /SSL::intermediate_add/; -redef Cluster::worker2manager_events += /SSL::new_intermediate/; +event bro_init() + { + Broker::auto_publish(Cluster::worker_topic, SSL::intermediate_add); + Broker::auto_publish(Cluster::manager_topic, SSL::new_intermediate); + } @endif - function add_to_cache(key: string, value: vector of opaque of x509) { intermediate_cache[key] = value; @@ -83,7 +95,7 @@ event SSL::new_intermediate(key: string, value: vector of opaque of x509) } @endif -function cache_validate(chain: vector of opaque of x509): string +function cache_validate(chain: vector of opaque of x509): X509::Result { local chain_hash: vector of string = vector(); @@ -97,7 +109,10 @@ function cache_validate(chain: vector of opaque of x509): string return recently_validated_certs[chain_id]; local result = x509_verify(chain, root_certs); - recently_validated_certs[chain_id] = result$result_string; + if ( ! ssl_store_valid_chain && result?$chain_certs ) + recently_validated_certs[chain_id] = X509::Result($result=result$result, $result_string=result$result_string); + else + recently_validated_certs[chain_id] = result; # if we have a working chain where we did not store the intermediate certs # in our cache yet - do so @@ -107,8 +122,8 @@ function cache_validate(chain: vector of opaque of x509): string |result$chain_certs| > 2 ) { local result_chain = result$chain_certs; - local icert = x509_parse(result_chain[1]); - if ( icert$subject !in intermediate_cache ) + local isnh = x509_subject_name_hash(result_chain[1], 4); # SHA256 + if ( isnh !in intermediate_cache ) { local cachechain: vector of opaque of x509; for ( i in result_chain ) 
@@ -116,14 +131,14 @@ function cache_validate(chain: vector of opaque of x509): string if ( i >=1 && i<=|result_chain|-2 ) cachechain[i-1] = result_chain[i]; } - add_to_cache(icert$subject, cachechain); + add_to_cache(isnh, cachechain); } } - return result$result_string; + return result; } -event ssl_established(c: connection) &priority=3 +hook ssl_finishing(c: connection) &priority=20 { # If there aren't any certs we can't very well do certificate validation. if ( ! c$ssl?$cert_chain || |c$ssl$cert_chain| == 0 || @@ -131,23 +146,26 @@ event ssl_established(c: connection) &priority=3 return; local intermediate_chain: vector of opaque of x509 = vector(); - local issuer = c$ssl$cert_chain[0]$x509$certificate$issuer; + local issuer_name_hash = x509_issuer_name_hash(c$ssl$cert_chain[0]$x509$handle, 4); # SHA256 local hash = c$ssl$cert_chain[0]$sha1; - local result: string; + local result: X509::Result; # Look if we already have a working chain for the issuer of this cert. # If yes, try this chain first instead of using the chain supplied from # the server. - if ( ssl_cache_intermediate_ca && issuer in intermediate_cache ) + if ( ssl_cache_intermediate_ca && issuer_name_hash in intermediate_cache ) { intermediate_chain[0] = c$ssl$cert_chain[0]$x509$handle; - for ( i in intermediate_cache[issuer] ) - intermediate_chain[i+1] = intermediate_cache[issuer][i]; + for ( i in intermediate_cache[issuer_name_hash] ) + intermediate_chain[i+1] = intermediate_cache[issuer_name_hash][i]; result = cache_validate(intermediate_chain); - if ( result == "ok" ) + if ( result$result_string == "ok" ) { - c$ssl$validation_status = result; + c$ssl$validation_status = result$result_string; + c$ssl$validation_code = result$result; + if ( result?$chain_certs ) + c$ssl$valid_chain = result$chain_certs; return; } } 
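Review bot: `c$ssl$valid_chain` is assigned whenever `result?$chain_certs` is set, without consulting `ssl_store_valid_chain`. `cache_validate` strips `chain_certs` only from the copy it stores in `recently_validated_certs` and returns the full `x509_verify` result on a cache miss, so with the option at `F` the field is filled the first time a chain is seen and absent on later cache hits. That contradicts the option's description and gives scripts reading `valid_chain` inconsistent data. Guard the assignment with `if ( ssl_store_valid_chain && result?$chain_certs )`; the same line appears in the following hunk (`@@ -163,13 +181,16 @@`). `ssl_finishing` begins in the preceding hunk and continues beyond this one.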
@@ -163,13 +181,16 @@ event ssl_established(c: connection) &priority=3 } result = cache_validate(chain); - c$ssl$validation_status = result; + c$ssl$validation_status = result$result_string; + c$ssl$validation_code = result$result; + if ( result?$chain_certs ) + c$ssl$valid_chain = result$chain_certs; - if ( result != "ok" ) + if ( result$result_string != "ok" ) { local message = fmt("SSL certificate validation failed with (%s)", c$ssl$validation_status); NOTICE([$note=Invalid_Server_Cert, $msg=message, - $sub=c$ssl$subject, $conn=c, - $identifier=cat(c$id$resp_h,c$id$resp_p,hash,c$ssl$validation_status)]); + $sub=c$ssl$cert_chain[0]$x509$certificate$subject, $conn=c, + $identifier=cat(c$id$resp_h,c$id$resp_p,hash,c$ssl$validation_code)]); } } diff --git a/scripts/policy/protocols/ssl/validate-ocsp.bro b/scripts/policy/protocols/ssl/validate-ocsp.bro index 3beabbe59c..7cb8be9f0e 100644 --- a/scripts/policy/protocols/ssl/validate-ocsp.bro +++ b/scripts/policy/protocols/ssl/validate-ocsp.bro @@ -1,4 +1,9 @@ -##! Perform OCSP response validation. +##! Perform validation of stapled OCSP responses. +#! +#! Note: this _only_ performs validation of stapled OCSP responsed. It does +#! not validate OCSP responses that are retrieved via HTTP, because we do not +#! have a mapping to certificates. + @load base/frameworks/notice @load base/protocols/ssl @@ -15,7 +20,6 @@ export { redef record Info += { ## Result of ocsp validation for this connection. ocsp_status: string &log &optional; - ## ocsp response as string. ocsp_response: string &optional; }; diff --git a/scripts/policy/protocols/ssl/validate-sct.bro b/scripts/policy/protocols/ssl/validate-sct.bro new file mode 100644 index 0000000000..0ce11b63ff --- /dev/null +++ b/scripts/policy/protocols/ssl/validate-sct.bro 
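Review bot: The explanatory lines added to the header of validate-ocsp.bro start with `#!` rather than `##!`, so they are plain comments and will presumably be left out of the generated script documentation that the first line feeds. They should read `##! Note: this _only_ performs validation of stapled OCSP responses. It does` and so on, which also fixes the typo "responsed". The caveat matters to operators, since OCSP responses fetched over HTTP are not validated by this script, so it belongs in the published description.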
@@ -0,0 +1,212 @@ +##! Perform validation of Signed Certificate Timestamps, as used +##! for Certificate Transparency. See RFC6962 for more details. + +@load base/protocols/ssl +@load protocols/ssl/validate-certs + +# We need to know issuer certificates to be able to determine the IssuerKeyHash, +# which is required for validating certificate extensions. +redef SSL::ssl_store_valid_chain = T; + +module SSL; + +export { + + ## List of the different sources for Signed Certificate Timestamp + type SctSource: enum { + ## Signed Certificate Timestamp was encountered in the extension of + ## an X.509 certificate. + SCT_X509_EXT, + ## Signed Certificate Timestamp was encountered in an TLS session + ## extension. + SCT_TLS_EXT, + ## Signed Certificate Timestamp was encountered in the extension of + ## an stapled OCSP reply. + SCT_OCSP_EXT + }; + + ## This record is used to store information about the SCTs that are + ## encountered in a SSL connection. + type SctInfo: record { + ## The version of the encountered SCT (should always be 0 for v1). + version: count; + ## The ID of the log issuing this SCT. + logid: string; + ## The timestamp at which this SCT was issued measured since the + ## epoch (January 1, 1970, 00:00), ignoring leap seconds, in + ## milliseconds. Not converted to a Bro timestamp because we need + ## the exact value for validation. + timestamp: count; + ## The signature algorithm used for this sct. + sig_alg: count; + ## The hash algorithm used for this sct. + hash_alg: count; + ## The signature of this SCT. + signature: string; + ## Source of this SCT. + source: SctSource; + ## Validation result of this SCT. + valid: bool &optional; + }; + + redef record Info += { + ## Number of valid SCTs that were encountered in the connection. + valid_scts: count &optional; + ## Number of SCTs that could not be validated that were encountered in the connection. 
+ invalid_scts: count &optional; + ## Number of different Logs for which valid SCTs were encountered in the connection. + valid_ct_logs: count &log &optional; + ## Number of different Log operators of which valid SCTs were encountered in the connection. + valid_ct_operators: count &log &optional; + ## List of operators for which valid SCTs were encountered in the connection. + valid_ct_operators_list: set[string] &optional; + ## Information about all SCTs that were encountered in the connection. + ct_proofs: vector of SctInfo &default=vector(); + }; +} + +# Used to cache validations for 5 minutes to lessen computational load. +global recently_validated_scts: table[string] of bool = table() + &read_expire=5mins &redef; + +event bro_init() + { + Files::register_for_mime_type(Files::ANALYZER_OCSP_REPLY, "application/ocsp-response"); + } + +event ssl_extension_signed_certificate_timestamp(c: connection, is_orig: bool, version: count, logid: string, timestamp: count, signature_and_hashalgorithm: SSL::SignatureAndHashAlgorithm, signature: string) &priority=5 + { + c$ssl$ct_proofs += SctInfo($version=version, $logid=logid, $timestamp=timestamp, $sig_alg=signature_and_hashalgorithm$SignatureAlgorithm, $hash_alg=signature_and_hashalgorithm$HashAlgorithm, $signature=signature, $source=SCT_TLS_EXT); + } + +event x509_ocsp_ext_signed_certificate_timestamp(f: fa_file, version: count, logid: string, timestamp: count, hash_algorithm: count, signature_algorithm: count, signature: string) &priority=5 + { + local src: SctSource; + if ( ! f?$info ) + return; + + if ( f$source == "SSL" && f$info$mime_type == "application/ocsp-response" ) + src = SCT_OCSP_EXT; + else if ( f$source == "SSL" && f$info$mime_type == "application/x-x509-user-cert" ) + src = SCT_X509_EXT; + else + return; + + if ( |f$conns| != 1 ) + return; + + for ( cid in f$conns ) + { + if ( ! 
f$conns[cid]?$ssl ) + return; + + local c = f$conns[cid]; + } + + c$ssl$ct_proofs += SctInfo($version=version, $logid=logid, $timestamp=timestamp, $sig_alg=signature_algorithm, $hash_alg=hash_algorithm, $signature=signature, $source=src); + } + +# Priority = 19 will be handled after validation is done +hook ssl_finishing(c: connection) &priority=19 + { + if ( ! c$ssl?$cert_chain || |c$ssl$cert_chain| == 0 || ! c$ssl$cert_chain[0]?$x509 ) + return; + + local cert = c$ssl$cert_chain[0]$x509$handle; + local certhash = c$ssl$cert_chain[0]$sha1; + local issuer_name_hash = x509_issuer_name_hash(cert, 4); + local valid_proofs = 0; + local invalid_proofs = 0; + c$ssl$valid_ct_operators_list = string_set(); + local valid_logs = string_set(); + local issuer_key_hash = ""; + + for ( i in c$ssl$ct_proofs ) + { + local proof = c$ssl$ct_proofs[i]; + if ( proof$logid !in SSL::ct_logs ) + { + # Well, if we don't know the log, there is nothing to do here... + proof$valid = F; + next; + } + local log = SSL::ct_logs[proof$logid]; + + local valid = F; + local found_cache = F; + + local validatestring = cat(certhash,proof$logid,proof$timestamp,proof$hash_alg,proof$signature,proof$source); + if ( proof$source == SCT_X509_EXT && c$ssl?$validation_code ) + validatestring = cat(validatestring, c$ssl$validation_code); + local validate_hash = sha1_hash(validatestring); + if ( validate_hash in recently_validated_scts ) + { + valid = recently_validated_scts[validate_hash]; + found_cache = T; + } + + if ( found_cache == F && ( proof$source == SCT_TLS_EXT || proof$source == SCT_OCSP_EXT ) ) + { + valid = sct_verify(cert, proof$logid, log$key, proof$signature, proof$timestamp, proof$hash_alg); + } + else if ( found_cache == F ) + { + # X.509 proof. Here things get awkward because we need information about + # the issuer cert... and we need to try a few times, because we have to see if we got + # the right issuer cert. 
+ # + # First - Let's try if a previous round already established the correct issuer key hash. + if ( issuer_key_hash != "" ) + { + valid = sct_verify(cert, proof$logid, log$key, proof$signature, proof$timestamp, proof$hash_alg, issuer_key_hash); + } + + # Second - let's see if we might already know the issuer cert through verification. + if ( ! valid && issuer_name_hash in intermediate_cache ) + { + issuer_key_hash = x509_spki_hash(intermediate_cache[issuer_name_hash][0], 4); + valid = sct_verify(cert, proof$logid, log$key, proof$signature, proof$timestamp, proof$hash_alg, issuer_key_hash); + } + if ( ! valid && c$ssl?$valid_chain && |c$ssl$valid_chain| >= 2 ) + { + issuer_key_hash = x509_spki_hash(c$ssl$valid_chain[1], 4); + valid = sct_verify(cert, proof$logid, log$key, proof$signature, proof$timestamp, proof$hash_alg, issuer_key_hash); + } + + # ok, if it still did not work - let's just try with all the certs that were sent + # in the connection. Perhaps it will work with one of them. + if ( !valid ) + for ( i in c$ssl$cert_chain ) + { + if ( i == 0 ) # end-host-cert + next; + if ( ! c$ssl$cert_chain[i]?$x509 || ! c$ssl$cert_chain[i]$x509?$handle ) + next; + + issuer_key_hash = x509_spki_hash(c$ssl$cert_chain[i]$x509$handle, 4); + valid = sct_verify(cert, proof$logid, log$key, proof$signature, proof$timestamp, proof$hash_alg, issuer_key_hash); + if ( valid ) + break; + } + } + + if ( ! found_cache ) + recently_validated_scts[validate_hash] = valid; + + proof$valid = valid; + + if ( valid ) + { + ++valid_proofs; + add c$ssl$valid_ct_operators_list[log$operator]; + add valid_logs[proof$logid]; + } + else + ++invalid_proofs; + } + + c$ssl$valid_scts = valid_proofs; + c$ssl$invalid_scts = invalid_proofs; + c$ssl$valid_ct_operators = |c$ssl$valid_ct_operators_list|; + c$ssl$valid_ct_logs = |valid_logs|; + } diff --git a/scripts/site/local.bro b/scripts/site/local.bro index 9f8be4bc3b..605b5ab75d 100644 --- a/scripts/site/local.bro +++ b/scripts/site/local.bro 
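Review bot: The cache key built in `ssl_finishing`, `cat(certhash,proof$logid,proof$timestamp,proof$hash_alg,proof$signature,proof$source)`, joins variable-length fields with no separator, so two different SCTs for the same certificate can produce the same `validate_hash`. The second one then inherits the cached verdict without `sct_verify` being run on it; the decimal timestamp sits directly next to the decimal hash algorithm, and the raw signature bytes follow. Delimit the numeric fields and hash the byte strings before joining, e.g. `cat_sep("|", "", certhash, proof$timestamp, proof$hash_alg, proof$source, sha1_hash(proof$logid), sha1_hash(proof$signature))`. Separately, `recently_validated_scts` uses `&read_expire=5mins`, which as far as I know restarts on every lookup, so a frequently seen entry (including a negative one) can outlive the five minutes the comment promises. `&create_expire` would match the comment.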
@@ -85,6 +85,9 @@ # Detect SHA1 sums in Team Cymru's Malware Hash Registry. @load frameworks/files/detect-MHR +# Extend email alerting to include hostnames +@load policy/frameworks/notice/extend-email/hostnames + # Uncomment the following line to enable detection of the heartbleed attack. Enabling # this might impact performance a bit. # @load policy/protocols/ssl/heartbleed @@ -96,7 +99,3 @@ # Uncomment the following line to enable logging of link-layer addresses. Enabling # this adds the link-layer address for each connection endpoint to the conn.log file. # @load policy/protocols/conn/mac-logging - -# Uncomment the following line to enable the SMB analyzer. The analyzer -# is currently considered a preview and therefore not loaded by default. -# @load policy/protocols/smb diff --git a/scripts/test-all-policy.bro b/scripts/test-all-policy.bro index 8d1a9ff054..7bdd2d4997 100644 --- a/scripts/test-all-policy.bro +++ b/scripts/test-all-policy.bro @@ -9,7 +9,6 @@ # The base/ scripts are all loaded by default and not included here. -# @load frameworks/communication/listen.bro # @load frameworks/control/controllee.bro # @load frameworks/control/controller.bro @load frameworks/dpd/detect-protocols.bro @@ -34,6 +33,9 @@ @load frameworks/files/entropy-test-all-files.bro #@load frameworks/files/extract-all-files.bro @load frameworks/files/hash-all-files.bro +@load frameworks/notice/__load__.bro +@load frameworks/notice/extend-email/hostnames.bro +@load files/x509/log-ocsp.bro @load frameworks/packet-filter/shunt.bro @load frameworks/software/version-changes.bro @load frameworks/software/vulnerable.bro @@ -47,7 +49,6 @@ @load misc/detect-traceroute/__load__.bro @load misc/detect-traceroute/main.bro # @load misc/dump-events.bro -@load misc/known-devices.bro @load misc/load-balancing.bro @load misc/loaded-scripts.bro @load misc/profiling.bro 
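Review bot: The new `@load policy/frameworks/notice/extend-email/hostnames` line is enabled by default, unlike the commented-out optional loads around it, and its comment does not say what the script does at runtime. If the script obtains hostnames through DNS lookups of the notice's source and destination addresses (the script is not part of this hunk), each emailed notice makes the sensor issue queries about addresses whose DNS may be run by the party being reported. Some sites will not want that from a passive monitor. After confirming the behaviour, say so in the comment, for example `# Extend email alerting to include hostnames. This performs DNS lookups for the addresses in the notice.`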
@@ -59,7 +60,9 @@ @load protocols/conn/mac-logging.bro @load protocols/conn/vlan-logging.bro @load protocols/conn/weirds.bro -@load protocols/dhcp/known-devices-and-hostnames.bro +@load protocols/dhcp/msg-orig.bro +@load protocols/dhcp/software.bro +@load protocols/dhcp/sub-opts.bro @load protocols/dns/auth-addl.bro @load protocols/dns/detect-external-names.bro @load protocols/ftp/detect-bruteforcing.bro @@ -72,15 +75,12 @@ @load protocols/http/software.bro @load protocols/http/var-extraction-cookies.bro @load protocols/http/var-extraction-uri.bro +@load protocols/krb/ticket-logging.bro @load protocols/modbus/known-masters-slaves.bro @load protocols/modbus/track-memmap.bro @load protocols/mysql/software.bro @load protocols/rdp/indicate_ssl.bro -@load protocols/smb/__load__.bro -@load protocols/smb/files.bro -@load protocols/smb/main.bro -@load protocols/smb/smb1-main.bro -@load protocols/smb/smb2-main.bro +@load protocols/smb/log-cmds.bro @load protocols/smtp/blocklists.bro @load protocols/smtp/detect-suspicious-orig.bro @load protocols/smtp/entities-excerpt.bro @@ -97,6 +97,7 @@ #@load protocols/ssl/notary.bro @load protocols/ssl/validate-certs.bro @load protocols/ssl/validate-ocsp.bro +@load protocols/ssl/validate-sct.bro @load protocols/ssl/weak-keys.bro @load tuning/__load__.bro @load tuning/defaults/__load__.bro diff --git a/src/3rdparty b/src/3rdparty index 5d03436d9d..6cdefdd1d4 160000 --- a/src/3rdparty +++ b/src/3rdparty @@ -1 +1 @@ -Subproject commit 5d03436d9db8a6cbaee1f459d654f977ce722467 +Subproject commit 6cdefdd1d45465ca09aba9e05c7ca12e1484ccc0 diff --git a/src/Anon.cc b/src/Anon.cc index 87791501a4..a2afc489ca 100644 --- a/src/Anon.cc +++ b/src/Anon.cc @@ -82,7 +82,8 @@ int AnonymizeIPAddr::PreserveNet(ipaddr32_t input) ipaddr32_t AnonymizeIPAddr_Seq::anonymize(ipaddr32_t /* input */) { - return htonl(seq++); + ++seq; + return htonl(seq); } ipaddr32_t AnonymizeIPAddr_RandomMD5::anonymize(ipaddr32_t input) 
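Review bot: `AnonymizeIPAddr_Seq::anonymize` now increments before converting (`++seq; return htonl(seq);`), whereas the removed `htonl(seq++)` returned the value from before the increment. Every sequentially anonymized address therefore shifts by one, and the first address handed out is 2 rather than the 1 that the constructor in Anon.h sets. If the intent was only to keep a side effect out of the `htonl` argument, which some platforms implement as a macro, keep the old numbering with `ipaddr32_t r = htonl(seq); ++seq; return r;`.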
diff --git a/src/Anon.h b/src/Anon.h index ce234f4680..4270b88d45 100644 --- a/src/Anon.h +++ b/src/Anon.h @@ -66,7 +66,7 @@ protected: class AnonymizeIPAddr_Seq : public AnonymizeIPAddr { public: AnonymizeIPAddr_Seq() { seq = 1; } - ipaddr32_t anonymize(ipaddr32_t addr); + ipaddr32_t anonymize(ipaddr32_t addr) override; protected: ipaddr32_t seq; @@ -74,12 +74,12 @@ protected: class AnonymizeIPAddr_RandomMD5 : public AnonymizeIPAddr { public: - ipaddr32_t anonymize(ipaddr32_t addr); + ipaddr32_t anonymize(ipaddr32_t addr) override; }; class AnonymizeIPAddr_PrefixMD5 : public AnonymizeIPAddr { public: - ipaddr32_t anonymize(ipaddr32_t addr); + ipaddr32_t anonymize(ipaddr32_t addr) override; protected: struct anon_prefix { @@ -91,10 +91,10 @@ protected: class AnonymizeIPAddr_A50 : public AnonymizeIPAddr { public: AnonymizeIPAddr_A50() { init(); } - ~AnonymizeIPAddr_A50(); + ~AnonymizeIPAddr_A50() override; - ipaddr32_t anonymize(ipaddr32_t addr); - int PreservePrefix(ipaddr32_t input, int num_bits); + ipaddr32_t anonymize(ipaddr32_t addr) override; + int PreservePrefix(ipaddr32_t input, int num_bits) override; protected: struct Node { diff --git a/src/Attr.h b/src/Attr.h index 0960a9d5f9..bfb7c4803c 100644 --- a/src/Attr.h +++ b/src/Attr.h @@ -40,8 +40,8 @@ typedef enum { class Attr : public BroObj { public: - Attr(attr_tag t, Expr* e = 0); - ~Attr(); + explicit Attr(attr_tag t, Expr* e = 0); + ~Attr() override; attr_tag Tag() const { return tag; } Expr* AttrExpr() const { return expr; } @@ -56,7 +56,7 @@ public: int RedundantAttrOkay() const { return tag == ATTR_REDEF || tag == ATTR_OPTIONAL; } - void Describe(ODesc* d) const; + void Describe(ODesc* d) const override; void DescribeReST(ODesc* d) const; bool operator==(const Attr& other) const 
@@ -84,7 +84,7 @@ protected: class Attributes : public BroObj { public: Attributes(attr_list* a, BroType* t, bool in_record); - ~Attributes(); + ~Attributes() override; void AddAttr(Attr* a); void AddAttrs(Attributes* a); // Unref's 'a' when done diff --git a/src/Base64.h b/src/Base64.h index fb030915ef..b1f5200cd6 100644 --- a/src/Base64.h +++ b/src/Base64.h @@ -18,7 +18,7 @@ public: // encode_base64()), encoding-errors will go to Reporter instead of // Weird. Usage errors go to Reporter in any case. Empty alphabet // indicates the default base64 alphabet. - Base64Converter(Connection* conn, const string& alphabet = ""); + explicit Base64Converter(Connection* conn, const string& alphabet = ""); ~Base64Converter(); // A note on Decode(): diff --git a/src/BroString.cc b/src/BroString.cc index c86e14cf37..3dca28439c 100644 --- a/src/BroString.cc +++ b/src/BroString.cc @@ -166,17 +166,19 @@ void BroString::Set(const BroString& str) const char* BroString::CheckString() const { + void *nulTerm; if ( n == 0 ) return ""; - if ( memchr(b, '\0', n + final_NUL) != &b[n] ) + nulTerm = memchr(b, '\0', n + final_NUL); + if ( nulTerm != &b[n] ) { // Either an embedded NUL, or no final NUL. char* exp_s = Render(); - if ( b[n-1] != '\0' ) - reporter->Error("string without NUL terminator: \"%s\"", exp_s); - else + if ( nulTerm ) reporter->Error("string with embedded NUL: \"%s\"", exp_s); + else + reporter->Error("string without NUL terminator: \"%s\"", exp_s); delete [] exp_s; return ""; diff --git a/src/BroString.h b/src/BroString.h index 9afd40e5d7..cad03e83d8 100644 --- a/src/BroString.h +++ b/src/BroString.h 
@@ -36,8 +36,8 @@ public: // Constructors creating internal copies of the data passed in. BroString(const u_char* str, int arg_n, int add_NUL); - BroString(const char* str); - BroString(const string& str); + explicit BroString(const char* str); + explicit BroString(const string& str); BroString(const BroString& bs); // Constructor that takes owernship of the vector passed in. @@ -158,7 +158,7 @@ protected: // class BroStringLenCmp { public: - BroStringLenCmp(bool increasing = true) { _increasing = increasing; } + explicit BroStringLenCmp(bool increasing = true) { _increasing = increasing; } bool operator()(BroString*const& bst1, BroString*const& bst2); private: diff --git a/src/Brofiler.cc b/src/Brofiler.cc index e7d8c8fdeb..a31ec469f0 100644 --- a/src/Brofiler.cc +++ b/src/Brofiler.cc @@ -50,10 +50,18 @@ bool Brofiler::WriteStats() char* bf = getenv("BRO_PROFILER_FILE"); if ( ! bf ) return false; - FILE* f; - const char* p = strstr(bf, ".XXXXXX"); + SafeDirname dirname{bf}; - if ( p && ! p[7] ) + if ( ! ensure_intermediate_dirs(dirname.result.data()) ) + { + reporter->Error("Failed to open BRO_PROFILER_FILE destination '%s' for writing", bf); + return false; + } + + FILE* f; + const char* p = strstr(bf, "XXXXXX"); + + if ( p && ! p[6] ) { mode_t old_umask = umask(S_IXUSR | S_IRWXO | S_IRWXG); int fd = mkstemp(bf); diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt index a564f16b32..f3dfd42d85 100644 --- a/src/CMakeLists.txt +++ b/src/CMakeLists.txt @@ -52,6 +52,7 @@ bison_target(BIFParser builtin-func.y COMPILE_FLAGS "${BISON_FLAGS}") flex_target(BIFScanner builtin-func.l ${CMAKE_CURRENT_BINARY_DIR}/bif_lex.cc) add_flex_bison_dependency(BIFScanner BIFParser) +set_property(SOURCE bif_lex.cc APPEND_STRING PROPERTY COMPILE_FLAGS "-Wno-sign-compare") # Rule parser/scanner bison_target(RuleParser rule-parse.y 
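Review bot: In `Brofiler::WriteStats` the template test `strstr(bf, "XXXXXX")` followed by `! p[6]` examines the first run of six X characters, not the end of the string. A `BRO_PROFILER_FILE` value that ends in more than six X's, or has an earlier `XXXXXX` in a directory component, is not recognised as a `mkstemp` template and presumably falls through to the fixed-name branch. Test the suffix directly with `size_t len = strlen(bf);` and `if ( len >= 6 && strcmp(bf + len - 6, "XXXXXX") == 0 )`. The new error text also says the destination could not be opened for writing when what failed is `ensure_intermediate_dirs`, which will mislead whoever reads the log. The function body continues past the end of the hunk.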
@@ -67,6 +68,7 @@ replace_yy_prefix_target(${CMAKE_CURRENT_BINARY_DIR}/rup.h rules_ rules_) flex_target(RuleScanner rule-scan.l ${CMAKE_CURRENT_BINARY_DIR}/rule-scan.cc COMPILE_FLAGS "-Prules_") +set_property(SOURCE rule-scan.cc APPEND_STRING PROPERTY COMPILE_FLAGS "-Wno-sign-compare") # RE parser/scanner bison_target(REParser re-parse.y @@ -80,6 +82,7 @@ replace_yy_prefix_target(${CMAKE_CURRENT_BINARY_DIR}/rep.cc flex_target(REScanner re-scan.l ${CMAKE_CURRENT_BINARY_DIR}/re-scan.cc COMPILE_FLAGS "-Pre_") add_flex_bison_dependency(REScanner REParser) +set_property(SOURCE re-scan.cc APPEND_STRING PROPERTY COMPILE_FLAGS "-Wno-sign-compare") # Parser/Scanner bison_target(Parser parse.y @@ -92,24 +95,7 @@ replace_yy_prefix_target(${CMAKE_CURRENT_BINARY_DIR}/p.cc bro yy) flex_target(Scanner scan.l ${CMAKE_CURRENT_BINARY_DIR}/scan.cc COMPILE_FLAGS "-Pbro") - -######################################################################## -## bifcl (BIF compiler) target - -set(bifcl_SRCS - ${BISON_BIFParser_INPUT} - ${FLEX_BIFScanner_INPUT} - ${BISON_BIFParser_OUTPUTS} - ${FLEX_BIFScanner_OUTPUTS} - bif_arg.cc - module_util.cc - bif_arg.h - module_util.h -) - -add_executable(bifcl ${bifcl_SRCS}) - -target_link_libraries(bifcl) +set_property(SOURCE scan.cc APPEND_STRING PROPERTY COMPILE_FLAGS "-Wno-sign-compare") ######################################################################## ## bifcl-dependent targets @@ -124,6 +110,7 @@ set(BIF_SRCS types.bif strings.bif reporter.bif + option.bif ) foreach (bift ${BIF_SRCS}) @@ -155,6 +142,7 @@ set(bro_SUBDIR_LIBS CACHE INTERNAL "subdir libraries" FORCE) set(bro_PLUGIN_LIBS CACHE INTERNAL "plugin libraries" FORCE) add_subdirectory(analyzer) +add_subdirectory(broker) add_subdirectory(broxygen) add_subdirectory(file_analysis) add_subdirectory(input) 
@@ -162,14 +150,6 @@ add_subdirectory(iosource) add_subdirectory(logging) add_subdirectory(probabilistic) -if ( ENABLE_BROKER ) - add_subdirectory(broker) -else () - # Just to satisfy coverage unit tests until new Broker-based - # communication is enabled by default. - add_subdirectory(broker-dummy) -endif () - set(bro_SUBDIRS # Order is important here. ${bro_PLUGIN_LIBS} @@ -433,3 +413,24 @@ install(CODE " ${BRO_SCRIPT_INSTALL_PATH}/policy/tuning/logs-to-elasticsearch.bro ) ") + +install(DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}/ + DESTINATION include/bro + FILES_MATCHING + PATTERN "*.h" + PATTERN "*.pac" + PATTERN "3rdparty/*" EXCLUDE +) + +install(DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}/ + DESTINATION include/bro + FILES_MATCHING + PATTERN "*.bif.func_h" + PATTERN "*.bif.netvar_h" + PATTERN "*.bif.h" + PATTERN "CMakeFiles" EXCLUDE +) + +install(FILES ${CMAKE_CURRENT_SOURCE_DIR}/3rdparty/sqlite3.h + DESTINATION include/bro/3rdparty +) diff --git a/src/ChunkedIO.h b/src/ChunkedIO.h index de3e143b66..e9b41476df 100644 --- a/src/ChunkedIO.h +++ b/src/ChunkedIO.h 
@@ -167,21 +167,21 @@ public: // messages, and pid gives a pid to monitor (if the process dies, we // return EOF). ChunkedIOFd(int fd, const char* tag, pid_t pid = 0); - virtual ~ChunkedIOFd(); + ~ChunkedIOFd() override; - virtual bool Read(Chunk** chunk, bool may_block = false); - virtual bool Write(Chunk* chunk); - virtual bool Flush(); - virtual const char* Error(); - virtual bool CanRead(); - virtual bool CanWrite(); - virtual bool IsIdle(); - virtual bool IsFillingUp(); - virtual void Clear(); - virtual bool Eof() { return eof; } - virtual int Fd() { return fd; } - virtual iosource::FD_Set ExtraReadFDs() const; - virtual void Stats(char* buffer, int length); + bool Read(Chunk** chunk, bool may_block = false) override; + bool Write(Chunk* chunk) override; + bool Flush() override; + const char* Error() override; + bool CanRead() override; + bool CanWrite() override; + bool IsIdle() override; + bool IsFillingUp() override; + void Clear() override; + bool Eof() override { return eof; } + int Fd() override { return fd; } + iosource::FD_Set ExtraReadFDs() const override; + void Stats(char* buffer, int length) override; private: 
@@ -252,22 +252,22 @@ public: // Argument is an open socket and a flag indicating whether we are the // server side of the connection. ChunkedIOSSL(int socket, bool server); - virtual ~ChunkedIOSSL(); + ~ChunkedIOSSL() override; - virtual bool Init(); - virtual bool Read(Chunk** chunk, bool mayblock = false); - virtual bool Write(Chunk* chunk); - virtual bool Flush(); - virtual const char* Error(); - virtual bool CanRead(); - virtual bool CanWrite(); - virtual bool IsIdle(); - virtual bool IsFillingUp(); - virtual void Clear(); - virtual bool Eof() { return eof; } - virtual int Fd() { return socket; } - virtual iosource::FD_Set ExtraReadFDs() const; - virtual void Stats(char* buffer, int length); + bool Init() override; + bool Read(Chunk** chunk, bool mayblock = false) override; + bool Write(Chunk* chunk) override; + bool Flush() override; + const char* Error() override; + bool CanRead() override; + bool CanWrite() override; + bool IsIdle() override; + bool IsFillingUp() override; + void Clear() override; + bool Eof() override { return eof; } + int Fd() override { return socket; } + iosource::FD_Set ExtraReadFDs() const override; + void Stats(char* buffer, int length) override; private: 
@@ -315,27 +315,27 @@ private: // Wrapper class around a another ChunkedIO which the (un-)compresses data. class CompressedChunkedIO : public ChunkedIO { public: - CompressedChunkedIO(ChunkedIO* arg_io) // takes ownership + explicit CompressedChunkedIO(ChunkedIO* arg_io) // takes ownership : io(arg_io), zin(), zout(), error(), compress(), uncompress(), uncompressed_bytes_read(), uncompressed_bytes_written() {} - virtual ~CompressedChunkedIO() { delete io; } + ~CompressedChunkedIO() override { delete io; } - virtual bool Init(); // does *not* call arg_io->Init() - virtual bool Read(Chunk** chunk, bool may_block = false); - virtual bool Write(Chunk* chunk); - virtual bool Flush() { return io->Flush(); } - virtual const char* Error() { return error ? error : io->Error(); } - virtual bool CanRead() { return io->CanRead(); } - virtual bool CanWrite() { return io->CanWrite(); } - virtual bool IsIdle() { return io->IsIdle(); } - virtual bool IsFillingUp() { return io->IsFillingUp(); } - virtual void Clear() { return io->Clear(); } + bool Init() override; // does *not* call arg_io->Init() + bool Read(Chunk** chunk, bool may_block = false) override; + bool Write(Chunk* chunk) override; + bool Flush() override { return io->Flush(); } + const char* Error() override { return error ? 
error : io->Error(); } + bool CanRead() override { return io->CanRead(); } + bool CanWrite() override { return io->CanWrite(); } + bool IsIdle() override { return io->IsIdle(); } + bool IsFillingUp() override { return io->IsFillingUp(); } + void Clear() override { return io->Clear(); } + bool Eof() override { return io->Eof(); } - virtual bool Eof() { return io->Eof(); } - virtual int Fd() { return io->Fd(); } - virtual iosource::FD_Set ExtraReadFDs() const + int Fd() override { return io->Fd(); } + iosource::FD_Set ExtraReadFDs() const override { return io->ExtraReadFDs(); } - virtual void Stats(char* buffer, int length); + void Stats(char* buffer, int length) override; void EnableCompression(int level) { deflateInit(&zout, level); compress = true; } diff --git a/src/CompHash.cc b/src/CompHash.cc index 2e28bff78e..f120c3618b 100644 --- a/src/CompHash.cc +++ b/src/CompHash.cc @@ -703,7 +703,7 @@ const char* CompositeHash::RecoverOneVal(const HashKey* k, const char* kp0, break; case TYPE_PORT: - pval = new PortVal(*kp); + pval = port_mgr->Get(*kp); break; default: diff --git a/src/CompHash.h b/src/CompHash.h index 1a02114358..532b2781ae 100644 --- a/src/CompHash.h +++ b/src/CompHash.h @@ -10,7 +10,7 @@ class ListVal; class CompositeHash { public: - CompositeHash(TypeList* composite_type); + explicit CompositeHash(TypeList* composite_type); ~CompositeHash(); // Compute the hash corresponding to the given index val, diff --git a/src/Conn.cc b/src/Conn.cc index 2034a57786..447f730418 100644 --- a/src/Conn.cc +++ b/src/Conn.cc 
@@ -289,6 +289,50 @@ bool Connection::IsReuse(double t, const u_char* pkt) return root_analyzer && root_analyzer->IsReuse(t, pkt); } +bool Connection::ScaledHistoryEntry(char code, uint32& counter, + uint32& scaling_threshold, + uint32 scaling_base) + { + if ( ++counter == scaling_threshold ) + { + AddHistory(code); + + auto new_threshold = scaling_threshold * scaling_base; + + if ( new_threshold <= scaling_threshold ) + // This can happen due to wrap-around. In that + // case, reset the counter but leave the threshold + // unchanged. + counter = 0; + + else + scaling_threshold = new_threshold; + + return true; + } + + return false; + } + +void Connection::HistoryThresholdEvent(EventHandlerPtr e, bool is_orig, + uint32 threshold) + { + if ( ! e ) + return; + + if ( threshold == 1 ) + // This will be far and away the most common case, + // and at this stage it's not a *multiple* instance. + return; + + val_list* vl = new val_list; + vl->append(BuildConnVal()); + vl->append(new Val(is_orig, TYPE_BOOL)); + vl->append(new Val(threshold, TYPE_COUNT)); + + ConnectionEvent(e, 0, vl); + } + void Connection::DeleteTimer(double /* t */) { if ( is_active ) @@ -364,9 +408,9 @@ RecordVal* Connection::BuildConnVal() RecordVal* id_val = new RecordVal(conn_id); id_val->Assign(0, new AddrVal(orig_addr)); - id_val->Assign(1, new PortVal(ntohs(orig_port), prot_type)); + id_val->Assign(1, port_mgr->Get(ntohs(orig_port), prot_type)); id_val->Assign(2, new AddrVal(resp_addr)); - id_val->Assign(3, new PortVal(ntohs(resp_port), prot_type)); + id_val->Assign(3, port_mgr->Get(ntohs(resp_port), prot_type)); RecordVal *orig_endp = new RecordVal(endpoint); orig_endp->Assign(0, new Val(0, TYPE_COUNT)); diff --git a/src/Conn.h b/src/Conn.h index b58ed0c2b8..07765ee474 100644 --- a/src/Conn.h +++ b/src/Conn.h 
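Review bot: The wrap-around test in `Connection::ScaledHistoryEntry`, `if ( new_threshold <= scaling_threshold )`, misses overflows whose truncated product is still larger than the old threshold. With the default base of 10 declared in Conn.h, 1000000000 * 10 wraps in 32 bits to 1410065408, which passes the test and becomes the next threshold. Do the multiplication in 64 bits and check the range, `uint64 new_threshold = uint64(scaling_threshold) * scaling_base;` with `if ( new_threshold <= scaling_threshold || new_threshold > 0xffffffffULL )`, casting back to `uint32` on assignment. Without that, the history code and the threshold handed to `HistoryThresholdEvent` stop being powers of the base on very high-volume connections.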
@@ -57,7 +57,7 @@ class Connection : public BroObj { public: Connection(NetSessions* s, HashKey* k, double t, const ConnID* id, uint32 flow, const Packet* pkt, const EncapsulationStack* arg_encap); - virtual ~Connection(); + ~Connection() override; // Invoked when an encapsulation is discovered. It records the // encapsulation with the connection and raises a "tunnel_changed" @@ -240,6 +240,17 @@ public: return true; } + // Increments the passed counter and adds it as a history + // code if it has crossed the next scaling threshold. Scaling + // is done in terms of powers of the third argument. + // Returns true if the threshold was crossed, false otherwise. + bool ScaledHistoryEntry(char code, uint32& counter, + uint32& scaling_threshold, + uint32 scaling_base = 10); + + void HistoryThresholdEvent(EventHandlerPtr e, bool is_orig, + uint32 threshold); + void AddHistory(char code) { history += code; } void DeleteTimer(double t); @@ -252,7 +263,7 @@ public: // Sets the transport protocol in use. void SetTransport(TransportProto arg_proto) { proto = arg_proto; } - void SetUID(Bro::UID arg_uid) { uid = arg_uid; } + void SetUID(const Bro::UID &arg_uid) { uid = arg_uid; } Bro::UID GetUID() const { return uid; } @@ -336,7 +347,7 @@ public: double arg_t, int arg_do_expire, TimerType arg_type) : Timer(arg_t, arg_type) { Init(arg_conn, arg_timer, arg_do_expire); } - virtual ~ConnectionTimer(); + ~ConnectionTimer() override; void Dispatch(double t, int is_expire) override; diff --git a/src/DFA.h b/src/DFA.h index a63beca9ac..2f06f4e98f 100644 --- a/src/DFA.h +++ b/src/DFA.h @@ -23,7 +23,7 @@ class DFA_State : public BroObj { public: DFA_State(int state_num, const EquivClass* ec, NFA_state_list* nfa_states, AcceptingSet* accept); - ~DFA_State(); + ~DFA_State() override; int StateNum() const { return state_num; } int NFAStateNum() const { return nfa_states->length(); } 
@@ -44,7 +44,7 @@ public: // Returns the equivalence classes of ec's corresponding to this state. const EquivClass* MetaECs() const { return meta_ec; } - void Describe(ODesc* d) const; + void Describe(ODesc* d) const override; void Dump(FILE* f, DFA_Machine* m); void Stats(unsigned int* computed, unsigned int* uncomputed); unsigned int Size(); @@ -117,9 +117,7 @@ typedef PList(DFA_State) DFA_state_list; class DFA_Machine : public BroObj { public: DFA_Machine(NFA_Machine* n, EquivClass* ec); - DFA_Machine(int** xtion_ptrs, int num_states, int num_ecs, - int* acc_array); - ~DFA_Machine(); + ~DFA_Machine() override; DFA_State* StartState() const { return start_state; } @@ -129,7 +127,7 @@ public: int Rep(int sym); - void Describe(ODesc* d) const; + void Describe(ODesc* d) const override; void Dump(FILE* f); unsigned int MemoryAllocation() const; diff --git a/src/DNS_Mgr.cc b/src/DNS_Mgr.cc index 7040b9a882..7f651b5fdd 100644 --- a/src/DNS_Mgr.cc +++ b/src/DNS_Mgr.cc @@ -112,7 +112,7 @@ public: IPAddr ReqAddr() const { return req_addr; } string ReqStr() const { - return req_host ? req_host : req_addr; + return req_host ? req_host : req_addr.AsString(); } ListVal* Addrs(); diff --git a/src/DNS_Mgr.h b/src/DNS_Mgr.h index d8f420e6cc..0358ceba18 100644 --- a/src/DNS_Mgr.h +++ b/src/DNS_Mgr.h @@ -42,8 +42,8 @@ enum DNS_MgrMode { class DNS_Mgr : public iosource::IOSource { public: - DNS_Mgr(DNS_MgrMode mode); - virtual ~DNS_Mgr(); + explicit DNS_Mgr(DNS_MgrMode mode); + ~DNS_Mgr() override; void InitPostScript(); void Flush(); 
@@ -132,11 +132,11 @@ protected: void DoProcess(bool flush); // IOSource interface. - virtual void GetFds(iosource::FD_Set* read, iosource::FD_Set* write, - iosource::FD_Set* except); - virtual double NextTimestamp(double* network_time); - virtual void Process(); - virtual const char* Tag() { return "DNS_Mgr"; } + void GetFds(iosource::FD_Set* read, iosource::FD_Set* write, + iosource::FD_Set* except) override; + double NextTimestamp(double* network_time) override; + void Process() override; + const char* Tag() override { return "DNS_Mgr"; } DNS_MgrMode mode; diff --git a/src/DbgWatch.h b/src/DbgWatch.h index e3359f53ad..3722d10e69 100644 --- a/src/DbgWatch.h +++ b/src/DbgWatch.h @@ -7,8 +7,8 @@ class DbgWatch { public: - DbgWatch(BroObj* var_to_watch); - DbgWatch(Expr* expr_to_watch); + explicit DbgWatch(BroObj* var_to_watch); + explicit DbgWatch(Expr* expr_to_watch); ~DbgWatch(); protected: diff --git a/src/DebugLogger.cc b/src/DebugLogger.cc index 6a095a15db..07590590df 100644 --- a/src/DebugLogger.cc +++ b/src/DebugLogger.cc @@ -19,7 +19,8 @@ DebugLogger::Stream DebugLogger::streams[NUM_DBGS] = { { "logging", 0, false }, {"input", 0, false }, { "threading", 0, false }, { "file_analysis", 0, false }, { "plugins", 0, false }, { "broxygen", 0, false }, - { "pktio", 0, false }, { "broker", 0, false } + { "pktio", 0, false }, { "broker", 0, false }, + { "scripts", 0, false} }; DebugLogger::DebugLogger() diff --git a/src/DebugLogger.h b/src/DebugLogger.h index 3ec3979e7f..1eb8e30417 100644 --- a/src/DebugLogger.h +++ b/src/DebugLogger.h @@ -33,6 +33,7 @@ enum DebugStream { DBG_BROXYGEN, // Broxygen DBG_PKTIO, // Packet sources and dumpers. DBG_BROKER, // Broker communication + DBG_SCRIPTS, // Script initialization NUM_DBGS // Has to be last }; diff --git a/src/Desc.cc b/src/Desc.cc index 1d76c32e55..b64bcec8d8 100644 --- a/src/Desc.cc +++ b/src/Desc.cc 
@@ -145,7 +145,9 @@ void ODesc::Add(double d, bool no_exp) AddBytes(&d, sizeof(d)); else { - char tmp[256]; + // Buffer needs enough chars to store max. possible "double" value + // of 1.79e308 without using scientific notation. + char tmp[350]; if ( no_exp ) modp_dtoa3(d, tmp, sizeof(tmp), IsReadable() ? 6 : 8); diff --git a/src/Desc.h b/src/Desc.h index fb56aad9ea..8f7ae53ac4 100644 --- a/src/Desc.h +++ b/src/Desc.h @@ -27,7 +27,7 @@ class BroType; class ODesc { public: - ODesc(desc_type t=DESC_READABLE, BroFile* f=0); + explicit ODesc(desc_type t=DESC_READABLE, BroFile* f=0); ~ODesc(); diff --git a/src/Dict.h b/src/Dict.h index 2def5ea28f..a929319450 100644 --- a/src/Dict.h +++ b/src/Dict.h @@ -29,7 +29,7 @@ extern void generic_delete_func(void*); class Dictionary { public: - Dictionary(dict_order ordering = UNORDERED, + explicit Dictionary(dict_order ordering = UNORDERED, int initial_size = DEFAULT_DICT_SIZE); virtual ~Dictionary(); @@ -109,8 +109,6 @@ public: // which should be delete'd when no longer needed. IterCookie* InitForIteration() const; void* NextEntry(HashKey*& h, IterCookie*& cookie, int return_hash) const; - void* NextEntry(const void*& key, int& key_len, IterCookie*& cookie) - const; void StopIteration(IterCookie* cookie) const; void SetDeleteFunc(dict_delete_func f) { delete_func = f; } @@ -143,8 +141,8 @@ private: int NextPrime(int n) const; int IsPrime(int n) const; void StartChangeSize(int new_size); - void FinishChangeSize(void); - void MoveChains(void); + void FinishChangeSize(); + void MoveChains(); // The following get and set the "density" threshold - if the // average hash chain length exceeds this threshold, the 
@@ -197,7 +195,7 @@ private: #define PDictdeclare(type) \ class PDict(type) : public Dictionary { \ public: \ - PDict(type)(dict_order ordering = UNORDERED, \ + explicit PDict(type)(dict_order ordering = UNORDERED, \ int initial_size = DEFAULT_DICT_SIZE) : \ Dictionary(ordering, initial_size) {} \ type* Lookup(const char* key) const \ diff --git a/src/EquivClass.h b/src/EquivClass.h index e5193cde47..7ac5931326 100644 --- a/src/EquivClass.h +++ b/src/EquivClass.h @@ -9,7 +9,7 @@ class EquivClass { public: - EquivClass(int size); + explicit EquivClass(int size); ~EquivClass(); void UniqueChar(int sym); diff --git a/src/Event.cc b/src/Event.cc index 6371a69248..33256a573e 100644 --- a/src/Event.cc +++ b/src/Event.cc @@ -54,6 +54,38 @@ void Event::Describe(ODesc* d) const d->Add("("); } +void Event::Dispatch(bool no_remote) + { + if ( src == SOURCE_BROKER ) + no_remote = true; + + if ( event_serializer ) + { + SerialInfo info(event_serializer); + event_serializer->Serialize(&info, handler->Name(), args); + } + + if ( handler->ErrorHandler() ) + reporter->BeginErrorHandler(); + + try + { + handler->Call(args, no_remote); + } + + catch ( InterpreterException& e ) + { + // Already reported. + } + + if ( obj ) + // obj->EventDone(); + Unref(obj); + + if ( handler->ErrorHandler() ) + reporter->EndErrorHandler(); + } + EventMgr::EventMgr() { head = tail = 0; @@ -166,7 +198,7 @@ RecordVal* EventMgr::GetLocalPeerVal() src_val = new RecordVal(peer); src_val->Assign(0, new Val(0, TYPE_COUNT)); src_val->Assign(1, new AddrVal("127.0.0.1")); - src_val->Assign(2, new PortVal(0)); + src_val->Assign(2, port_mgr->Get(0)); src_val->Assign(3, new Val(true, TYPE_BOOL)); Ref(peer_description); diff --git a/src/Event.h b/src/Event.h index 1b76928f10..69860daf50 100644 --- a/src/Event.h +++ b/src/Event.h 
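Review bot: In the new out-of-line `Event::Dispatch` in src/Event.cc, the statement `if ( src == SOURCE_BROKER ) no_remote = true;` has no comment, although it silently overrides the argument the caller passed. It appears to stop an event that arrived from a Broker peer from being published again by `handler->Call(args, no_remote)`, which would matter for avoiding forwarding loops between peers. If that is the intent, state it at the line: `// Events received via Broker are never re-published to remote peers.`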
@@ -16,7 +16,7 @@ public: Event(EventHandlerPtr handler, val_list* args, SourceID src = SOURCE_LOCAL, analyzer::ID aid = 0, TimerMgr* mgr = 0, BroObj* obj = 0); - ~Event(); + ~Event() override; void SetNext(Event* n) { next_event = n; } Event* NextEvent() const { return next_event; } @@ -27,41 +27,14 @@ public: EventHandlerPtr Handler() const { return handler; } val_list* Args() const { return args; } - void Describe(ODesc* d) const; + void Describe(ODesc* d) const override; protected: friend class EventMgr; // This method is protected to make sure that everybody goes through // EventMgr::Dispatch(). - void Dispatch(bool no_remote = false) - { - if ( event_serializer ) - { - SerialInfo info(event_serializer); - event_serializer->Serialize(&info, handler->Name(), args); - } - - if ( handler->ErrorHandler() ) - reporter->BeginErrorHandler(); - - try - { - handler->Call(args, no_remote); - } - - catch ( InterpreterException& e ) - { - // Already reported. - } - - if ( obj ) - // obj->EventDone(); - Unref(obj); - - if ( handler->ErrorHandler() ) - reporter->EndErrorHandler(); - } + void Dispatch(bool no_remote = false); EventHandlerPtr handler; val_list* args; @@ -78,9 +51,9 @@ extern uint64 num_events_dispatched; class EventMgr : public BroObj { public: EventMgr(); - ~EventMgr(); + ~EventMgr() override; - void QueueEvent(EventHandlerPtr h, val_list* vl, + void QueueEvent(const EventHandlerPtr &h, val_list* vl, SourceID src = SOURCE_LOCAL, analyzer::ID aid = 0, TimerMgr* mgr = 0, BroObj* obj = 0) { @@ -118,7 +91,7 @@ public: // Returns a peer record describing the local Bro. RecordVal* GetLocalPeerVal(); - void Describe(ODesc* d) const; + void Describe(ODesc* d) const override; protected: void QueueEvent(Event* event); diff --git a/src/EventHandler.cc b/src/EventHandler.cc index 3f1fd71ddf..00b19f7832 100644 --- a/src/EventHandler.cc +++ b/src/EventHandler.cc 
@@ -5,10 +5,8 @@ #include "RemoteSerializer.h" #include "NetVar.h" -#ifdef ENABLE_BROKER #include "broker/Manager.h" #include "broker/Data.h" -#endif EventHandler::EventHandler(const char* arg_name) { @@ -32,19 +30,16 @@ EventHandler::operator bool() const return enabled && ((local && local->HasBodies()) || receivers.length() || generate_always -#ifdef ENABLE_BROKER - || ! auto_remote_send.empty() - // TODO: and require a subscriber interested in a topic or unsolicited flags? -#endif - ); + || ! auto_publish.empty()); } -FuncType* EventHandler::FType() +FuncType* EventHandler::FType(bool check_export) { if ( type ) return type; - ID* id = lookup_ID(name, current_module.c_str()); + ID* id = lookup_ID(name, current_module.c_str(), false, false, + check_export); if ( ! id ) return 0; @@ -84,14 +79,11 @@ void EventHandler::Call(val_list* vl, bool no_remote) remote_serializer->SendCall(&info, receivers[i], name, vl); } -#ifdef ENABLE_BROKER - - if ( ! auto_remote_send.empty() ) + if ( ! auto_publish.empty() ) { - // TODO: also short-circuit based on interested subscribers/flags? - broker::message msg; - msg.reserve(vl->length() + 1); - msg.emplace_back(Name()); + // Send event in form [name, xs...] where xs represent the arguments. + broker::vector xs; + xs.reserve(vl->length()); bool valid_args = true; for ( auto i = 0; i < vl->length(); ++i ) 
@@ -99,30 +91,33 @@ void EventHandler::Call(val_list* vl, bool no_remote) auto opt_data = bro_broker::val_to_data((*vl)[i]); if ( opt_data ) - msg.emplace_back(move(*opt_data)); + xs.emplace_back(move(*opt_data)); else { valid_args = false; - auto_remote_send.clear(); - reporter->Error("failed auto-remote event '%s', disabled", - Name()); + auto_publish.clear(); + reporter->Error("failed auto-remote event '%s', disabled", Name()); break; } } if ( valid_args ) { - for ( auto it = auto_remote_send.begin(); - it != auto_remote_send.end(); ++it ) + for ( auto it = auto_publish.begin(); ; ) { - if ( std::next(it) == auto_remote_send.end() ) - broker_mgr->Event(it->first, move(msg), it->second); + const auto& topic = *it; + ++it; + + if ( it != auto_publish.end() ) + broker_mgr->PublishEvent(topic, Name(), xs); else - broker_mgr->Event(it->first, msg, it->second); + { + broker_mgr->PublishEvent(topic, Name(), std::move(xs)); + break; + } } } } -#endif } if ( local ) diff --git a/src/EventHandler.h b/src/EventHandler.h index 2acd2569a6..bad3d278fa 100644 --- a/src/EventHandler.h +++ b/src/EventHandler.h @@ -4,7 +4,7 @@ #define EVENTHANDLER #include -#include +#include #include #include "List.h" #include "BroList.h" 
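Review bot: In the `EventHandler::Call` hunk of src/EventHandler.cc, the rewritten loop `for ( auto it = auto_publish.begin(); ; )` reads `*it` before any comparison with `end()`. That is safe only because of the enclosing `if ( ! auto_publish.empty() )`, which sits in the previous hunk, and because the failure path that calls `auto_publish.clear()` also sets `valid_args` to false. A comment at the loop, `// auto_publish is non-empty here (checked above), so *begin() is valid.`, or an `assert(! auto_publish.empty());` just before it, would keep a later refactor from turning this into a dereference of `end()`.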
@@ -17,34 +17,32 @@ class UnserialInfo; class EventHandler { public: - EventHandler(const char* name); + explicit EventHandler(const char* name); ~EventHandler(); const char* Name() { return name; } Func* LocalHandler() { return local; } - FuncType* FType(); + FuncType* FType(bool check_export = true); void SetLocalHandler(Func* f); void AddRemoteHandler(SourceID peer); void RemoveRemoteHandler(SourceID peer); -#ifdef ENABLE_BROKER - void AutoRemote(std::string topic, int flags) + void AutoPublish(std::string topic) { - auto_remote_send[std::move(topic)] = flags; + auto_publish.insert(std::move(topic)); } - void AutoRemoteStop(const std::string& topic) + void AutoUnpublish(const std::string& topic) { - auto_remote_send.erase(topic); + auto_publish.erase(topic); } -#endif void Call(val_list* vl, bool no_remote = false); // Returns true if there is at least one local or remote handler. - operator bool() const; + explicit operator bool() const; void SetUsed() { used = true; } bool Used() { return used; } @@ -81,9 +79,7 @@ private: typedef List(SourceID) receiver_list; receiver_list receivers; -#ifdef ENABLE_BROKER - std::map auto_remote_send; // topic -> flags -#endif + std::unordered_set auto_publish; }; // Encapsulates a ptr to an event handler to overload the boolean operator. @@ -102,7 +98,7 @@ public: EventHandler* Ptr() { return handler; } - operator bool() const { return handler && *handler; } + explicit operator bool() const { return handler && *handler; } EventHandler* operator->() { return handler; } const EventHandler* operator->() const { return handler; } diff --git a/src/Expr.cc b/src/Expr.cc index 9927ca52ec..07034db1a8 100644 --- a/src/Expr.cc +++ b/src/Expr.cc 
@@ -16,22 +16,24 @@ #include "Trigger.h" #include "IPAddr.h" +#include "broker/Data.h" + const char* expr_name(BroExprTag t) { - static char errbuf[512]; - static const char* expr_names[int(NUM_EXPRS)] = { "name", "const", "(*)", - "++", "--", "!", "+", "-", - "+", "-", "+=", "-=", "*", "/", "%", "&&", "||", + "++", "--", "!", "~", "+", "-", + "+", "-", "+=", "-=", "*", "/", "%", + "&", "|", "^", + "&&", "||", "<", "<=", "==", "!=", ">=", ">", "?:", "ref", "=", "~", "[]", "$", "?$", "[=]", "table()", "set()", "vector()", "$=", "in", "<<>>", "()", "event", "schedule", "coerce", "record_coerce", "table_coerce", - "sizeof", "flatten" + "sizeof", "flatten", "cast", "is" }; if ( int(t) >= NUM_EXPRS ) @@ -283,6 +285,9 @@ Expr* NameExpr::MakeLvalue() if ( id->IsConst() && ! in_const_init ) ExprError("const is not a modifiable lvalue"); + if ( id->IsOption() && ! in_const_init ) + ExprError("option is not a modifiable lvalue"); + return new RefExpr(this); } @@ -453,7 +458,13 @@ Val* UnaryExpr::Eval(Frame* f) const if ( is_vector(v) ) { VectorVal* v_op = v->AsVectorVal(); - VectorVal* result = new VectorVal(Type()->AsVectorType()); + VectorType* out_t; + if ( Type()->Tag() == TYPE_ANY ) + out_t = v->Type()->AsVectorType(); + else + out_t = Type()->AsVectorType(); + + VectorVal* result = new VectorVal(out_t); for ( unsigned int i = 0; i < v_op->Size(); ++i ) { @@ -660,6 +671,12 @@ Val* BinaryExpr::Fold(Val* v1, Val* v2) const if ( it == TYPE_INTERNAL_STRING ) return StringFold(v1, v2); + if ( v1->Type()->Tag() == TYPE_PATTERN ) + return PatternFold(v1, v2); + + if ( v1->Type()->IsSet() ) + return SetFold(v1, v2); + if ( it == TYPE_INTERNAL_ADDR ) return AddrFold(v1, v2); @@ -701,6 +718,12 @@ Val* BinaryExpr::Fold(Val* v1, Val* v2) const else \ Internal("bad type in BinaryExpr::Fold"); +#define DO_UINT_FOLD(op) \ + if ( is_unsigned ) \ + u3 = u1 op u2; \ + else \ + Internal("bad type in BinaryExpr::Fold"); + #define DO_FOLD(op) \ if ( is_integral ) \ i3 = i1 op i2; \ 
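Review bot: In the `expr_name` hunk of src/Expr.cc, `expr_names[int(NUM_EXPRS)]` is matched to the `BroExprTag` enum by position only, and this change inserts entries in the middle of both lists (`"~"`, `"&"`, `"|"`, `"^"`) as well as at the end (`"cast"`, `"is"`). Because the array has an explicit bound, a missing string still compiles and leaves a null `const char*` in the last slot, and a misplaced one silently shifts every later operator name in diagnostics. Dropping the bound and adding `static_assert(sizeof(expr_names) / sizeof(expr_names[0]) == NUM_EXPRS, "expr_names out of sync with BroExprTag");` after the initializer would catch a count mismatch at build time. The function body continues outside the hunk.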
@@ -774,8 +797,12 @@ Val* BinaryExpr::Fold(Val* v1, Val* v2) const break; - case EXPR_AND: DO_INT_FOLD(&&); break; - case EXPR_OR: DO_INT_FOLD(||); break; + case EXPR_AND: DO_UINT_FOLD(&); break; + case EXPR_OR: DO_UINT_FOLD(|); break; + case EXPR_XOR: DO_UINT_FOLD(^); break; + + case EXPR_AND_AND: DO_INT_FOLD(&&); break; + case EXPR_OR_OR: DO_INT_FOLD(||); break; case EXPR_LT: DO_INT_VAL_FOLD(<); break; case EXPR_LE: DO_INT_VAL_FOLD(<=); break; 
@@ -836,6 +863,77 @@ Val* BinaryExpr::StringFold(Val* v1, Val* v2) const return new Val(result, TYPE_BOOL); } + +Val* BinaryExpr::PatternFold(Val* v1, Val* v2) const + { + const RE_Matcher* re1 = v1->AsPattern(); + const RE_Matcher* re2 = v2->AsPattern(); + + if ( tag != EXPR_AND && tag != EXPR_OR ) + BadTag("BinaryExpr::PatternFold"); + + RE_Matcher* res = tag == EXPR_AND ? + RE_Matcher_conjunction(re1, re2) : + RE_Matcher_disjunction(re1, re2); + + return new PatternVal(res); + } + +Val* BinaryExpr::SetFold(Val* v1, Val* v2) const + { + TableVal* tv1 = v1->AsTableVal(); + TableVal* tv2 = v2->AsTableVal(); + TableVal* result; + bool res = false; + + switch ( tag ) { + case EXPR_AND: + return tv1->Intersect(tv2); + + case EXPR_OR: + result = v1->Clone()->AsTableVal(); + + if ( ! tv2->AddTo(result, false, false) ) + reporter->InternalError("set union failed to type check"); + return result; + + case EXPR_SUB: + result = v1->Clone()->AsTableVal(); + + if ( ! tv2->RemoveFrom(result) ) + reporter->InternalError("set difference failed to type check"); + return result; + + case EXPR_EQ: + res = tv1->EqualTo(tv2); + break; + + case EXPR_NE: + res = ! tv1->EqualTo(tv2); + break; + + case EXPR_LT: + res = tv1->IsSubsetOf(tv2) && tv1->Size() < tv2->Size(); + break; + + case EXPR_LE: + res = tv1->IsSubsetOf(tv2); + break; + + case EXPR_GE: + case EXPR_GT: + // These should't happen due to canonicalization. + reporter->InternalError("confusion over canonicalization in set comparison"); + break; + + default: + BadTag("BinaryExpr::SetFold", expr_name(tag)); + return 0; + } + + return new Val(res, TYPE_BOOL); + } + Val* BinaryExpr::AddrFold(Val* v1, Val* v2) const { IPAddr a1 = v1->AsAddr(); 
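Review bot: In `BinaryExpr::PatternFold` (src/Expr.cc), nothing returns after `BadTag("BinaryExpr::PatternFold");`, so if `BadTag` ever returns, a tag other than `EXPR_AND` or `EXPR_OR` falls through to `RE_Matcher_disjunction`. `SetFold` in the same hunk handles the equivalent case with `BadTag("BinaryExpr::SetFold", expr_name(tag)); return 0;`. Making the two consistent would give `{ BadTag("BinaryExpr::PatternFold", expr_name(tag)); return 0; }`. Whether `BadTag` aborts is not visible from this hunk.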
@@ -896,11 +994,17 @@ void BinaryExpr::PromoteOps(TypeTag t) TypeTag bt1 = op1->Type()->Tag(); TypeTag bt2 = op2->Type()->Tag(); - if ( IsVector(bt1) ) + bool is_vec1 = IsVector(bt1); + bool is_vec2 = IsVector(bt2); + + if ( is_vec1 ) bt1 = op1->Type()->AsVectorType()->YieldType()->Tag(); - if ( IsVector(bt2) ) + if ( is_vec2 ) bt2 = op2->Type()->AsVectorType()->YieldType()->Tag(); + if ( (is_vec1 || is_vec2) && ! (is_vec1 && is_vec2) ) + reporter->Warning("mixing vector and scalar operands is deprecated"); + if ( bt1 != t ) op1 = new ArithCoerceExpr(op1, t); if ( bt2 != t ) @@ -990,7 +1094,10 @@ IncrExpr::IncrExpr(BroExprTag arg_tag, Expr* arg_op) if ( ! IsIntegral(t->AsVectorType()->YieldType()->Tag()) ) ExprError("vector elements must be integral for increment operator"); else + { + reporter->Warning("increment/decrement operations for vectors deprecated"); SetType(t->Ref()); + } } else { @@ -1076,6 +1183,39 @@ bool IncrExpr::DoUnserialize(UnserialInfo* info) return true; } +ComplementExpr::ComplementExpr(Expr* arg_op) : UnaryExpr(EXPR_COMPLEMENT, arg_op) + { + if ( IsError() ) + return; + + BroType* t = op->Type(); + TypeTag bt = t->Tag(); + + if ( bt != TYPE_COUNT ) + ExprError("requires \"count\" operand"); + else + SetType(base_type(TYPE_COUNT)); + } + +Val* ComplementExpr::Fold(Val* v) const + { + return new Val(~ v->InternalUnsigned(), type->Tag()); + } + +IMPLEMENT_SERIAL(ComplementExpr, SER_COMPLEMENT_EXPR); + +bool ComplementExpr::DoSerialize(SerialInfo* info) const + { + DO_SERIALIZE(SER_COMPLEMENT_EXPR, UnaryExpr); + return true; + } + +bool ComplementExpr::DoUnserialize(UnserialInfo* info) + { + DO_UNSERIALIZE(UnaryExpr); + return true; + } + NotExpr::NotExpr(Expr* arg_op) : UnaryExpr(EXPR_NOT, arg_op) { if ( IsError() ) 
@@ -1311,7 +1451,8 @@ bool AddExpr::DoUnserialize(UnserialInfo* info) } AddToExpr::AddToExpr(Expr* arg_op1, Expr* arg_op2) -: BinaryExpr(EXPR_ADD_TO, arg_op1->MakeLvalue(), arg_op2) +: BinaryExpr(EXPR_ADD_TO, + is_vector(arg_op1) ? arg_op1 : arg_op1->MakeLvalue(), arg_op2) { if ( IsError() ) return; @@ -1325,6 +1466,32 @@ AddToExpr::AddToExpr(Expr* arg_op1, Expr* arg_op2) SetType(base_type(bt1)); else if ( BothInterval(bt1, bt2) ) SetType(base_type(bt1)); + + else if ( IsVector(bt1) ) + { + bt1 = op1->Type()->AsVectorType()->YieldType()->Tag(); + + if ( IsArithmetic(bt1) ) + { + if ( IsArithmetic(bt2) ) + { + if ( bt2 != bt1 ) + op2 = new ArithCoerceExpr(op2, bt1); + + SetType(op1->Type()->Ref()); + } + + else + ExprError("appending non-arithmetic to arithmetic vector"); + } + + else if ( bt1 != bt2 ) + ExprError("incompatible vector append"); + + else + SetType(op1->Type()->Ref()); + } + else ExprError("requires two arithmetic or two string operands"); } @@ -1342,6 +1509,14 @@ Val* AddToExpr::Eval(Frame* f) const return 0; } + if ( is_vector(v1) ) + { + VectorVal* vv = v1->AsVectorVal(); + if ( ! vv->Assign(vv->Size(), v2) ) + reporter->Error("type-checking failed in vector append"); + return v1; + } + Val* result = Fold(v1, v2); Unref(v1); Unref(v2); 
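Review bot: In the `AddToExpr` constructor hunk of src/Expr.cc, `is_vector(arg_op1) ? arg_op1 : arg_op1->MakeLvalue()` means a vector left operand never goes through `MakeLvalue()`. `NameExpr::MakeLvalue` is where `const is not a modifiable lvalue` is raised, along with `option is not a modifiable lvalue`, which this same commit adds. So `+=` on a `const` or `option` vector appears not to be rejected here, and the new branch in `AddToExpr::Eval` then appends to the value in place. Unless that is checked elsewhere, the vector path should keep an equivalent check before taking the append branch, for instance by raising `ExprError` when the operand names an identifier that is `IsConst()` or `IsOption()`.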
@@ -1375,24 +1550,39 @@ SubExpr::SubExpr(Expr* arg_op1, Expr* arg_op2) if ( IsError() ) return; - TypeTag bt1 = op1->Type()->Tag(); - if ( IsVector(bt1) ) - bt1 = op1->Type()->AsVectorType()->YieldType()->Tag(); + const BroType* t1 = op1->Type(); + const BroType* t2 = op2->Type(); - TypeTag bt2 = op2->Type()->Tag(); + TypeTag bt1 = t1->Tag(); + if ( IsVector(bt1) ) + bt1 = t1->AsVectorType()->YieldType()->Tag(); + + TypeTag bt2 = t2->Tag(); if ( IsVector(bt2) ) - bt2 = op2->Type()->AsVectorType()->YieldType()->Tag(); + bt2 = t2->AsVectorType()->YieldType()->Tag(); BroType* base_result_type = 0; if ( bt1 == TYPE_TIME && bt2 == TYPE_INTERVAL ) base_result_type = base_type(bt1); + else if ( bt1 == TYPE_TIME && bt2 == TYPE_TIME ) SetType(base_type(TYPE_INTERVAL)); + else if ( bt1 == TYPE_INTERVAL && bt2 == TYPE_INTERVAL ) base_result_type = base_type(bt1); + + else if ( t1->IsSet() && t2->IsSet() ) + { + if ( same_type(t1, t2) ) + SetType(op1->Type()->Ref()); + else + ExprError("incompatible \"set\" operands"); + } + else if ( BothArithmetic(bt1, bt2) ) PromoteType(max_type(bt1, bt2), is_vector(op1) || is_vector(op2)); + else ExprError("requires arithmetic operands"); @@ -1643,13 +1833,20 @@ BoolExpr::BoolExpr(BroExprTag arg_tag, Expr* arg_op1, Expr* arg_op2) if ( BothBool(bt1, bt2) ) { if ( is_vector(op1) || is_vector(op2) ) + { + if ( ! (is_vector(op1) && is_vector(op2)) ) + reporter->Warning("mixing vector and scalar operands is deprecated"); SetType(new VectorType(base_type(TYPE_BOOL))); + } else SetType(base_type(TYPE_BOOL)); } else if ( bt1 == TYPE_PATTERN && bt2 == bt1 ) + { + reporter->Warning("&& and || operators deprecated for pattern operands"); SetType(base_type(TYPE_PATTERN)); + } else ExprError("requires boolean operands"); 
@@ -1660,23 +1857,7 @@ Val* BoolExpr::DoSingleEval(Frame* f, Val* v1, Expr* op2) const if ( ! v1 ) return 0; - if ( Type()->Tag() == TYPE_PATTERN ) - { - Val* v2 = op2->Eval(f); - if ( ! v2 ) - return 0; - - RE_Matcher* re1 = v1->AsPattern(); - RE_Matcher* re2 = v2->AsPattern(); - - RE_Matcher* res = tag == EXPR_AND ? - RE_Matcher_conjunction(re1, re2) : - RE_Matcher_disjunction(re1, re2); - - return new PatternVal(res); - } - - if ( tag == EXPR_AND ) + if ( tag == EXPR_AND_AND ) { if ( v1->IsZero() ) return v1; @@ -1740,8 +1921,8 @@ Val* BoolExpr::Eval(Frame* f) const VectorVal* result = 0; - // It's either and EXPR_AND or an EXPR_OR. - bool is_and = (tag == EXPR_AND); + // It's either an EXPR_AND_AND or an EXPR_OR_OR. + bool is_and = (tag == EXPR_AND_AND); if ( scalar_v->IsZero() == is_and ) { @@ -1782,7 +1963,7 @@ Val* BoolExpr::Eval(Frame* f) const Val* op2 = vec_v2->Lookup(i); if ( op1 && op2 ) { - bool local_result = (tag == EXPR_AND) ? + bool local_result = (tag == EXPR_AND_AND) ? (! op1->IsZero() && ! op2->IsZero()) : (! op1->IsZero() || ! op2->IsZero()); 
@@ -1812,6 +1993,70 @@ bool BoolExpr::DoUnserialize(UnserialInfo* info) return true; } +BitExpr::BitExpr(BroExprTag arg_tag, Expr* arg_op1, Expr* arg_op2) +: BinaryExpr(arg_tag, arg_op1, arg_op2) + { + if ( IsError() ) + return; + + const BroType* t1 = op1->Type(); + const BroType* t2 = op2->Type(); + + TypeTag bt1 = t1->Tag(); + if ( IsVector(bt1) ) + bt1 = t1->AsVectorType()->YieldType()->Tag(); + + TypeTag bt2 = t2->Tag(); + if ( IsVector(bt2) ) + bt2 = t2->AsVectorType()->YieldType()->Tag(); + + if ( (bt1 == TYPE_COUNT || bt1 == TYPE_COUNTER) && + (bt2 == TYPE_COUNT || bt2 == TYPE_COUNTER) ) + { + if ( bt1 == TYPE_COUNTER && bt2 == TYPE_COUNTER ) + ExprError("cannot apply a bitwise operator to two \"counter\" operands"); + else if ( is_vector(op1) || is_vector(op2) ) + SetType(new VectorType(base_type(TYPE_COUNT))); + else + SetType(base_type(TYPE_COUNT)); + } + + else if ( bt1 == TYPE_PATTERN ) + { + if ( bt2 != TYPE_PATTERN ) + ExprError("cannot mix pattern and non-pattern operands"); + else if ( tag == EXPR_XOR ) + ExprError("'^' operator does not apply to patterns"); + else + SetType(base_type(TYPE_PATTERN)); + } + + else if ( t1->IsSet() && t2->IsSet() ) + { + if ( same_type(t1, t2) ) + SetType(op1->Type()->Ref()); + else + ExprError("incompatible \"set\" operands"); + } + + else + ExprError("requires \"count\" or compatible \"set\" operands"); + } + +IMPLEMENT_SERIAL(BitExpr, SER_BIT_EXPR); + +bool BitExpr::DoSerialize(SerialInfo* info) const + { + DO_SERIALIZE(SER_BIT_EXPR, BinaryExpr); + return true; + } + +bool BitExpr::DoUnserialize(UnserialInfo* info) + { + DO_UNSERIALIZE(BinaryExpr); + return true; + } + EqExpr::EqExpr(BroExprTag arg_tag, Expr* arg_op1, Expr* arg_op2) : BinaryExpr(arg_tag, arg_op1, arg_op2) { 
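Review bot: In the new `BitExpr` constructor (src/Expr.cc), `bt1` and `bt2` are unwrapped to the vector element type before the checks, but only the count branch looks at `is_vector(op1) || is_vector(op2)`. Two `vector of pattern` operands therefore reach `SetType(base_type(TYPE_PATTERN))`, and the expression is typed as a scalar pattern while its operands are vectors. If vectors of patterns are not meant to be supported, reject them inside that branch, e.g. `else if ( is_vector(op1) || is_vector(op2) ) ExprError("bitwise operators do not apply to vectors of patterns");`. How evaluation treats the mismatch is outside this hunk.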
@@ -1820,13 +2065,16 @@ EqExpr::EqExpr(BroExprTag arg_tag, Expr* arg_op1, Expr* arg_op2) Canonicize(); - TypeTag bt1 = op1->Type()->Tag(); - if ( IsVector(bt1) ) - bt1 = op1->Type()->AsVectorType()->YieldType()->Tag(); + const BroType* t1 = op1->Type(); + const BroType* t2 = op2->Type(); - TypeTag bt2 = op2->Type()->Tag(); + TypeTag bt1 = t1->Tag(); + if ( IsVector(bt1) ) + bt1 = t1->AsVectorType()->YieldType()->Tag(); + + TypeTag bt2 = t2->Tag(); if ( IsVector(bt2) ) - bt2 = op2->Type()->AsVectorType()->YieldType()->Tag(); + bt2 = t2->AsVectorType()->YieldType()->Tag(); if ( is_vector(op1) || is_vector(op2) ) SetType(new VectorType(base_type(TYPE_BOOL))); @@ -1856,10 +2104,20 @@ EqExpr::EqExpr(BroExprTag arg_tag, Expr* arg_op1, Expr* arg_op2) break; case TYPE_ENUM: - if ( ! same_type(op1->Type(), op2->Type()) ) + if ( ! same_type(t1, t2) ) ExprError("illegal enum comparison"); break; + case TYPE_TABLE: + if ( t1->IsSet() && t2->IsSet() ) + { + if ( ! same_type(t1, t2) ) + ExprError("incompatible sets in comparison"); + break; + } + + // FALL THROUGH + default: ExprError("illegal comparison"); } @@ -1922,13 +2180,16 @@ RelExpr::RelExpr(BroExprTag arg_tag, Expr* arg_op1, Expr* arg_op2) Canonicize(); - TypeTag bt1 = op1->Type()->Tag(); - if ( IsVector(bt1) ) - bt1 = op1->Type()->AsVectorType()->YieldType()->Tag(); + const BroType* t1 = op1->Type(); + const BroType* t2 = op2->Type(); - TypeTag bt2 = op2->Type()->Tag(); + TypeTag bt1 = t1->Tag(); + if ( IsVector(bt1) ) + bt1 = t1->AsVectorType()->YieldType()->Tag(); + + TypeTag bt2 = t2->Tag(); if ( IsVector(bt2) ) - bt2 = op2->Type()->AsVectorType()->YieldType()->Tag(); + bt2 = t2->AsVectorType()->YieldType()->Tag(); if ( is_vector(op1) || is_vector(op2) ) SetType(new VectorType(base_type(TYPE_BOOL))); 
@@ -1938,6 +2199,12 @@ RelExpr::RelExpr(BroExprTag arg_tag, Expr* arg_op1, Expr* arg_op2) if ( BothArithmetic(bt1, bt2) ) PromoteOps(max_type(bt1, bt2)); + else if ( t1->IsSet() && t2->IsSet() ) + { + if ( ! same_type(t1, t2) ) + ExprError("incompatible sets in comparison"); + } + else if ( bt1 != bt2 ) ExprError("operands must be of the same type"); @@ -4351,9 +4618,8 @@ Val* InExpr::Fold(Val* v1, Val* v2) const const BroString* s1 = v1->AsString(); const BroString* s2 = v2->AsString(); - // Could do better here - either roll our own, to deal with - // NULs, and/or Boyer-Moore if done repeatedly. - return new Val(strstr(s2->CheckString(), s1->CheckString()) != 0, TYPE_BOOL); + // Could do better here e.g. Boyer-Moore if done repeatedly. + return new Val(strstr_n(s2->Len(), s2->Bytes(), s1->Len(), reinterpret_cast(s1->CheckString())) != -1, TYPE_BOOL); } if ( v1->Type()->Tag() == TYPE_ADDR && @@ -4535,13 +4801,21 @@ Val* CallExpr::Eval(Frame* f) const if ( func_val && v ) { const ::Func* func = func_val->AsFunc(); - calling_expr = this; const CallExpr* current_call = f ? f->GetCall() : 0; + call_stack.emplace_back(CallInfo{this, func}); if ( f ) f->SetCall(this); - ret = func->Call(v, f); // No try/catch here; we pass exceptions upstream. + try + { + ret = func->Call(v, f); + } + catch ( ... ) + { + call_stack.pop_back(); + throw; + } if ( f ) f->SetCall(current_call); @@ -4549,7 +4823,7 @@ Val* CallExpr::Eval(Frame* f) const // Don't Unref() the arguments, as Func::Call already did that. delete v; - calling_expr = 0; + call_stack.pop_back(); } else delete_vals(v); @@ -4870,7 +5144,7 @@ Val* ListExpr::InitVal(const BroType* t, Val* aggr) const Unref(v); return 0; } - + v->Append(vi); } return v; 
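Review bot: In the `InExpr::Fold` hunk of src/Expr.cc, the haystack is passed as `s2->Len(), s2->Bytes()`, but the needle pairs `s1->Len()` with `s1->CheckString()`. The change exists to stop treating NULs as terminators, and a length from one accessor combined with a pointer from another is only correct if `CheckString()` always returns the raw buffer. If it substitutes or truncates anything for strings with embedded NULs, `strstr_n` would read `Len()` bytes from a different buffer. Passing the needle the same way as the haystack removes the cast and the doubt: `strstr_n(s2->Len(), s2->Bytes(), s1->Len(), s1->Bytes())`.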
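Review bot: In the `CallExpr::Eval` hunks of src/Expr.cc, the new `catch ( ... )` restores `call_stack` but not the rest of the state set up before the call. `f->SetCall(current_call)` and `delete v` run only on the normal path, so after an exception the frame still points at this `CallExpr` and the list object `v` is not freed. Whether its elements were already released by `Func::Call` at that point is not visible here. Repeating the two cleanup steps in the handler before `throw;`, or moving all three into one scope guard, would keep both paths identical.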
@@ -5201,6 +5475,117 @@ bool RecordAssignExpr::DoUnserialize(UnserialInfo* info) return true; } +CastExpr::CastExpr(Expr* arg_op, BroType* t) : UnaryExpr(EXPR_CAST, arg_op) + { + auto stype = Op()->Type(); + + ::Ref(t); + SetType(t); + + if ( ! can_cast_value_to_type(stype, t) ) + ExprError("cast not supported"); + } + +Val* CastExpr::Eval(Frame* f) const + { + if ( IsError() ) + return 0; + + Val* v = op->Eval(f); + + if ( ! v ) + return 0; + + Val* nv = cast_value_to_type(v, Type()); + + if ( nv ) + { + Unref(v); + return nv; + } + + ODesc d; + d.Add("invalid cast of value with type '"); + v->Type()->Describe(&d); + d.Add("' to type '"); + Type()->Describe(&d); + d.Add("'"); + + if ( same_type(v->Type(), bro_broker::DataVal::ScriptDataType()) && + ! v->AsRecordVal()->Lookup(0) ) + d.Add(" (nil $data field)"); + + Unref(v); + reporter->ExprRuntimeError(this, "%s", d.Description()); + return 0; // not reached. + } + +void CastExpr::ExprDescribe(ODesc* d) const + { + Op()->Describe(d); + d->Add(" as "); + Type()->Describe(d); + } + +IMPLEMENT_SERIAL(CastExpr, SER_CAST_EXPR); + +bool CastExpr::DoSerialize(SerialInfo* info) const + { + DO_SERIALIZE(SER_CAST_EXPR, UnaryExpr); + return true; + } + +bool CastExpr::DoUnserialize(UnserialInfo* info) + { + DO_UNSERIALIZE(UnaryExpr); + return true; + } + +IsExpr::IsExpr(Expr* arg_op, BroType* arg_t) : UnaryExpr(EXPR_IS, arg_op) + { + t = arg_t; + ::Ref(t); + + SetType(base_type(TYPE_BOOL)); + } + +IsExpr::~IsExpr() + { + Unref(t); + } + +Val* IsExpr::Fold(Val* v) const + { + if ( IsError() ) + return 0; + + if ( can_cast_value_to_type(v, t) ) + return new Val(1, TYPE_BOOL); + else + return new Val(0, TYPE_BOOL); + } + +void IsExpr::ExprDescribe(ODesc* d) const + { + Op()->Describe(d); + d->Add(" is "); + t->Describe(d); + } + +IMPLEMENT_SERIAL(IsExpr, SER_IS_EXPR_ /* sic */); + +bool IsExpr::DoSerialize(SerialInfo* info) const + { + DO_SERIALIZE(SER_IS_EXPR_, UnaryExpr); + return true; + } + +bool 
IsExpr::DoUnserialize(UnserialInfo* info) + { + DO_UNSERIALIZE(UnaryExpr); + return true; + } + Expr* get_assign_expr(Expr* op1, Expr* op2, int is_init) { if ( op1->Type()->Tag() == TYPE_RECORD && @@ -5210,7 +5595,6 @@ Expr* get_assign_expr(Expr* op1, Expr* op2, int is_init) return new AssignExpr(op1, op2, is_init); } - int check_and_promote_expr(Expr*& e, BroType* t) { BroType* et = e->Type(); diff --git a/src/Expr.h b/src/Expr.h index fb533b1469..8ac547c534 100644 --- a/src/Expr.h +++ b/src/Expr.h @@ -17,10 +17,13 @@ typedef enum { EXPR_ANY = -1, EXPR_NAME, EXPR_CONST, EXPR_CLONE, - EXPR_INCR, EXPR_DECR, EXPR_NOT, EXPR_POSITIVE, EXPR_NEGATE, + EXPR_INCR, EXPR_DECR, + EXPR_NOT, EXPR_COMPLEMENT, + EXPR_POSITIVE, EXPR_NEGATE, EXPR_ADD, EXPR_SUB, EXPR_ADD_TO, EXPR_REMOVE_FROM, EXPR_TIMES, EXPR_DIVIDE, EXPR_MOD, - EXPR_AND, EXPR_OR, + EXPR_AND, EXPR_OR, EXPR_XOR, + EXPR_AND_AND, EXPR_OR_OR, EXPR_LT, EXPR_LE, EXPR_EQ, EXPR_NE, EXPR_GE, EXPR_GT, EXPR_COND, EXPR_REF, @@ -44,7 +47,9 @@ typedef enum { EXPR_VECTOR_COERCE, EXPR_SIZE, EXPR_FLATTEN, -#define NUM_EXPRS (int(EXPR_FLATTEN) + 1) + EXPR_CAST, + EXPR_IS, +#define NUM_EXPRS (int(EXPR_IS) + 1) } BroExprTag; extern const char* expr_name(BroExprTag t); @@ -63,7 +68,7 @@ public: BroType* Type() const { return type; } BroExprTag Tag() const { return tag; } - virtual ~Expr(); + ~Expr() override; Expr* Ref() { ::Ref(this); return this; } @@ -182,7 +187,7 @@ public: return (AssignExpr*) this; } - void Describe(ODesc* d) const; + void Describe(ODesc* d) const override; bool Serialize(SerialInfo* info) const; static Expr* Unserialize(UnserialInfo* info, BroExprTag want = EXPR_ANY); @@ -191,7 +196,7 @@ public: protected: Expr() { type = 0; } - Expr(BroExprTag arg_tag); + explicit Expr(BroExprTag arg_tag); virtual void ExprDescribe(ODesc* d) const = 0; void AddTag(ODesc* d) const; 
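Review bot: `IsExpr` keeps its target type in the private member `t`, but `IsExpr::DoSerialize` and `IsExpr::DoUnserialize` in src/Expr.cc only run the `UnaryExpr` part and never write or read `t`. The default constructor `IsExpr() { }` in src/Expr.h also leaves it uninitialised. An instance created through unserialisation would then hand an indeterminate pointer to `can_cast_value_to_type(v, t)` in `Fold` and to `Unref(t)` in the destructor. The serialisation pair should carry the type, or fail explicitly if that is not supported, and the default constructor should at least set `t = 0;`. Whether `Fold` tolerates a null `t` would need checking.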
@@ -215,8 +220,8 @@ protected: class NameExpr : public Expr { public: - NameExpr(ID* id, bool const_init = false); - ~NameExpr(); + explicit NameExpr(ID* id, bool const_init = false); + ~NameExpr() override; ID* Id() const { return id; } @@ -241,8 +246,8 @@ protected: class ConstExpr : public Expr { public: - ConstExpr(Val* val); - ~ConstExpr(); + explicit ConstExpr(Val* val); + ~ConstExpr() override; Val* Value() const { return val; } @@ -278,7 +283,7 @@ protected: UnaryExpr() { op = 0; } UnaryExpr(BroExprTag arg_tag, Expr* arg_op); - virtual ~UnaryExpr(); + ~UnaryExpr() override; void ExprDescribe(ODesc* d) const override; @@ -316,7 +321,7 @@ protected: if ( op1->IsError() || op2->IsError() ) SetError(); } - virtual ~BinaryExpr(); + ~BinaryExpr() override; // Returns the expression folded using the given constants. virtual Val* Fold(Val* v1, Val* v2) const; @@ -324,6 +329,12 @@ protected: // Same for when the constants are strings. virtual Val* StringFold(Val* v1, Val* v2) const; + // Same for when the constants are patterns. + virtual Val* PatternFold(Val* v1, Val* v2) const; + + // Same for when the constants are sets. + virtual Val* SetFold(Val* v1, Val* v2) const; + // Same for when the constants are addresses or subnets. virtual Val* AddrFold(Val* v1, Val* v2) const; virtual Val* SubNetFold(Val* v1, Val* v2) const; @@ -350,7 +361,7 @@ protected: class CloneExpr : public UnaryExpr { public: - CloneExpr(Expr* op); + explicit CloneExpr(Expr* op); Val* Eval(Frame* f) const override; protected: @@ -377,9 +388,22 @@ protected: DECLARE_SERIAL(IncrExpr); }; +class ComplementExpr : public UnaryExpr { +public: + explicit ComplementExpr(Expr* op); + +protected: + friend class Expr; + ComplementExpr() { } + + Val* Fold(Val* v) const override; + + DECLARE_SERIAL(ComplementExpr); +}; + class NotExpr : public UnaryExpr { public: - NotExpr(Expr* op); + explicit NotExpr(Expr* op); protected: friend class Expr; 
@@ -392,7 +416,7 @@ protected: class PosExpr : public UnaryExpr { public: - PosExpr(Expr* op); + explicit PosExpr(Expr* op); protected: friend class Expr; @@ -405,7 +429,7 @@ protected: class NegExpr : public UnaryExpr { public: - NegExpr(Expr* op); + explicit NegExpr(Expr* op); protected: friend class Expr; @@ -418,7 +442,7 @@ protected: class SizeExpr : public UnaryExpr { public: - SizeExpr(Expr* op); + explicit SizeExpr(Expr* op); Val* Eval(Frame* f) const override; protected: @@ -530,6 +554,17 @@ protected: DECLARE_SERIAL(BoolExpr); }; +class BitExpr : public BinaryExpr { +public: + BitExpr(BroExprTag tag, Expr* op1, Expr* op2); + +protected: + friend class Expr; + BitExpr() { } + + DECLARE_SERIAL(BitExpr); +}; + class EqExpr : public BinaryExpr { public: EqExpr(BroExprTag tag, Expr* op1, Expr* op2); @@ -559,7 +594,7 @@ protected: class CondExpr : public Expr { public: CondExpr(Expr* op1, Expr* op2, Expr* op3); - ~CondExpr(); + ~CondExpr() override; const Expr* Op1() const { return op1; } const Expr* Op2() const { return op2; } @@ -585,7 +620,7 @@ protected: class RefExpr : public UnaryExpr { public: - RefExpr(Expr* op); + explicit RefExpr(Expr* op); void Assign(Frame* f, Val* v, Opcode op = OP_ASSIGN) override; Expr* MakeLvalue() override; @@ -602,7 +637,7 @@ public: // If val is given, evaluating this expression will always yield the val // yet still perform the assignment. Used for triggers. AssignExpr(Expr* op1, Expr* op2, int is_init, Val* val = 0, attr_list* attrs = 0); - virtual ~AssignExpr() { Unref(val); } + ~AssignExpr() override { Unref(val); } Val* Eval(Frame* f) const override; void EvalIntoAggregate(const BroType* t, Val* aggr, Frame* f) const override; @@ -657,7 +692,7 @@ protected: class FieldExpr : public UnaryExpr { public: FieldExpr(Expr* op, const char* field_name); - ~FieldExpr(); + ~FieldExpr() override; int Field() const { return field; } const char* FieldName() const { return field_name; } 
@@ -689,7 +724,7 @@ protected: class HasFieldExpr : public UnaryExpr { public: HasFieldExpr(Expr* op, const char* field_name); - ~HasFieldExpr(); + ~HasFieldExpr() override; const char* FieldName() const { return field_name; } @@ -709,8 +744,8 @@ protected: class RecordConstructorExpr : public UnaryExpr { public: - RecordConstructorExpr(ListExpr* constructor_list); - ~RecordConstructorExpr(); + explicit RecordConstructorExpr(ListExpr* constructor_list); + ~RecordConstructorExpr() override; protected: friend class Expr; @@ -728,7 +763,7 @@ class TableConstructorExpr : public UnaryExpr { public: TableConstructorExpr(ListExpr* constructor_list, attr_list* attrs, BroType* arg_type = 0); - ~TableConstructorExpr() { Unref(attrs); } + ~TableConstructorExpr() override { Unref(attrs); } Attributes* Attrs() { return attrs; } @@ -751,7 +786,7 @@ class SetConstructorExpr : public UnaryExpr { public: SetConstructorExpr(ListExpr* constructor_list, attr_list* attrs, BroType* arg_type = 0); - ~SetConstructorExpr() { Unref(attrs); } + ~SetConstructorExpr() override { Unref(attrs); } Attributes* Attrs() { return attrs; } @@ -772,7 +807,7 @@ protected: class VectorConstructorExpr : public UnaryExpr { public: - VectorConstructorExpr(ListExpr* constructor_list, BroType* arg_type = 0); + explicit VectorConstructorExpr(ListExpr* constructor_list, BroType* arg_type = 0); Val* Eval(Frame* f) const override; @@ -824,7 +859,7 @@ protected: class RecordCoerceExpr : public UnaryExpr { public: RecordCoerceExpr(Expr* op, RecordType* r); - ~RecordCoerceExpr(); + ~RecordCoerceExpr() override; protected: friend class Expr; @@ -844,7 +879,7 @@ protected: class TableCoerceExpr : public UnaryExpr { public: TableCoerceExpr(Expr* op, TableType* r); - ~TableCoerceExpr(); + ~TableCoerceExpr() override; protected: friend class Expr; 
@@ -858,7 +893,7 @@ protected: class VectorCoerceExpr : public UnaryExpr { public: VectorCoerceExpr(Expr* op, VectorType* v); - ~VectorCoerceExpr(); + ~VectorCoerceExpr() override; protected: friend class Expr; @@ -873,7 +908,7 @@ protected: // into a list of individual values. class FlattenExpr : public UnaryExpr { public: - FlattenExpr(Expr* op); + explicit FlattenExpr(Expr* op); protected: friend class Expr; @@ -892,9 +927,9 @@ class ScheduleTimer : public Timer { public: ScheduleTimer(EventHandlerPtr event, val_list* args, double t, TimerMgr* tmgr); - ~ScheduleTimer(); + ~ScheduleTimer() override; - void Dispatch(double t, int is_expire); + void Dispatch(double t, int is_expire) override; protected: EventHandlerPtr event; @@ -905,7 +940,7 @@ protected: class ScheduleExpr : public Expr { public: ScheduleExpr(Expr* when, EventExpr* event); - ~ScheduleExpr(); + ~ScheduleExpr() override; int IsPure() const override; @@ -945,7 +980,7 @@ protected: class CallExpr : public Expr { public: CallExpr(Expr* func, ListExpr* args, bool in_hook = false); - ~CallExpr(); + ~CallExpr() override; Expr* Func() const { return func; } ListExpr* Args() const { return args; } @@ -971,7 +1006,7 @@ protected: class EventExpr : public Expr { public: EventExpr(const char* name, ListExpr* args); - ~EventExpr(); + ~EventExpr() override; const char* Name() const { return name.c_str(); } ListExpr* Args() const { return args; } @@ -997,8 +1032,8 @@ protected: class ListExpr : public Expr { public: ListExpr(); - ListExpr(Expr* e); - ~ListExpr(); + explicit ListExpr(Expr* e); + ~ListExpr() override; void Append(Expr* e); 
@@ -1044,6 +1079,37 @@ protected: DECLARE_SERIAL(RecordAssignExpr); }; +class CastExpr : public UnaryExpr { +public: + CastExpr(Expr* op, BroType* t); + +protected: + friend class Expr; + CastExpr() { } + + Val* Eval(Frame* f) const override; + void ExprDescribe(ODesc* d) const override; + + DECLARE_SERIAL(CastExpr); +}; + +class IsExpr : public UnaryExpr { +public: + IsExpr(Expr* op, BroType* t); + virtual ~IsExpr(); + +protected: + friend class Expr; + IsExpr() { } + + Val* Fold(Val* v) const override; + void ExprDescribe(ODesc* d) const override; + DECLARE_SERIAL(IsExpr); + +private: + BroType* t; +}; + inline Val* Expr::ExprVal() const { if ( ! IsConst() ) diff --git a/src/File.cc b/src/File.cc index 7c4a21d5e8..609ea4f0ac 100644 --- a/src/File.cc +++ b/src/File.cc @@ -302,7 +302,7 @@ FILE* BroFile::BringIntoCache() if ( ! f ) { - strerror_r(errno, buf, sizeof(buf)); + bro_strerror_r(errno, buf, sizeof(buf)); reporter->Error("can't open %s: %s", name, buf); f = fopen("/dev/null", "w"); @@ -313,7 +313,7 @@ FILE* BroFile::BringIntoCache() return f; } - strerror_r(errno, buf, sizeof(buf)); + bro_strerror_r(errno, buf, sizeof(buf)); reporter->Error("can't open /dev/null: %s", buf); return 0; } @@ -323,7 +323,7 @@ FILE* BroFile::BringIntoCache() if ( fseek(f, position, SEEK_SET) < 0 ) { - strerror_r(errno, buf, sizeof(buf)); + bro_strerror_r(errno, buf, sizeof(buf)); reporter->Error("reopen seek failed: %s", buf); } @@ -413,7 +413,7 @@ void BroFile::Suspend() if ( (position = ftell(f)) < 0 ) { char buf[256]; - strerror_r(errno, buf, sizeof(buf)); + bro_strerror_r(errno, buf, sizeof(buf)); reporter->Error("ftell failed: %s", buf); position = 0; } 
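Review bot: The new `IsExpr` class has a protected default constructor `IsExpr() { }` that leaves the private `BroType* t` uninitialised, while the class also declares a destructor. The destructor body is not in this hunk; if it releases `t`, an object built through the default constructor (presumably the `DECLARE_SERIAL` unserialize path) and destroyed before `t` is assigned would release an indeterminate pointer. I would write `IsExpr() { t = 0; }`. Separately, `virtual ~IsExpr();` should be `~IsExpr() override;` to match what this commit does for every other expression class.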
@@ -692,7 +692,7 @@ void BroFile::InitEncrypt(const char* keyfile) // Depending on the OpenSSL version, EVP_*_cbc() // returns a const or a non-const. EVP_CIPHER* cipher_type = (EVP_CIPHER*) EVP_bf_cbc(); - cipher_ctx = new EVP_CIPHER_CTX; + cipher_ctx = EVP_CIPHER_CTX_new(); unsigned char secret[EVP_PKEY_size(pub_key)]; unsigned char* psecret = secret; @@ -747,7 +747,7 @@ void BroFile::FinishEncrypt() return; } - delete cipher_ctx; + EVP_CIPHER_CTX_free(cipher_ctx); cipher_ctx = 0; } } diff --git a/src/File.h b/src/File.h index 6410a67624..3660d3caa4 100644 --- a/src/File.h +++ b/src/File.h @@ -22,10 +22,10 @@ class RotateTimer; class BroFile : public BroObj { public: - BroFile(FILE* arg_f); + explicit BroFile(FILE* arg_f); BroFile(FILE* arg_f, const char* filename, const char* access); BroFile(const char* filename, const char* access, BroType* arg_t = 0); - virtual ~BroFile(); + ~BroFile() override; const char* Name() const; diff --git a/src/Flare.cc b/src/Flare.cc index 5df6d663aa..87dc946955 100644 --- a/src/Flare.cc +++ b/src/Flare.cc @@ -16,7 +16,7 @@ Flare::Flare() static void bad_pipe_op(const char* which) { char buf[256]; - strerror_r(errno, buf, sizeof(buf)); + bro_strerror_r(errno, buf, sizeof(buf)); reporter->FatalErrorWithCore("unexpected pipe %s failure: %s", which, buf); } diff --git a/src/Frag.h b/src/Frag.h index 7f3a0eec02..4d4ff1cccb 100644 --- a/src/Frag.h +++ b/src/Frag.h @@ -21,7 +21,7 @@ class FragReassembler : public Reassembler { public: FragReassembler(NetSessions* s, const IP_Hdr* ip, const u_char* pkt, HashKey* k, double t); - ~FragReassembler(); + ~FragReassembler() override; void AddFragment(double t, const IP_Hdr* ip, const u_char* pkt); 
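Review bot: `cipher_ctx = EVP_CIPHER_CTX_new();` in `BroFile::InitEncrypt` is not followed by a null check in the visible lines. The old `new EVP_CIPHER_CTX` threw on allocation failure, whereas this call returns NULL, and the rest of the function (outside the hunk) presumably hands the context straight to the EVP calls. I would add `if ( ! cipher_ctx ) { reporter->Error("can't allocate cipher context"); return; }` right after the assignment, with whatever cleanup the function's other error paths do. The context line also shows the cipher is `EVP_bf_cbc()`, a 64-bit-block cipher; that predates this commit but deserves a follow-up.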
@@ -33,8 +33,8 @@ public: HashKey* Key() const { return key; } protected: - void BlockInserted(DataBlock* start_block); - void Overlap(const u_char* b1, const u_char* b2, uint64 n); + void BlockInserted(DataBlock* start_block) override; + void Overlap(const u_char* b1, const u_char* b2, uint64 n) override; void Weird(const char* name) const; u_char* proto_hdr; @@ -53,9 +53,9 @@ public: FragTimer(FragReassembler* arg_f, double arg_t) : Timer(arg_t, TIMER_FRAG) { f = arg_f; } - ~FragTimer(); + ~FragTimer() override; - void Dispatch(double t, int is_expire); + void Dispatch(double t, int is_expire) override; // Break the association between this timer and its creator. void ClearReassembler() { f = 0; } diff --git a/src/Frame.cc b/src/Frame.cc index e97b948dbe..f30312aaec 100644 --- a/src/Frame.cc +++ b/src/Frame.cc @@ -33,6 +33,15 @@ Frame::~Frame() Release(); } +void Frame::Reset(int startIdx) + { + for ( int i = startIdx; i < size; ++i ) + { + Unref(frame[i]); + frame[i] = 0; + } + } + void Frame::Release() { for ( int i = 0; i < size; ++i ) diff --git a/src/Frame.h b/src/Frame.h index 85e1dbec2e..1469543e10 100644 --- a/src/Frame.h +++ b/src/Frame.h @@ -15,7 +15,7 @@ class CallExpr; class Frame : public BroObj { public: Frame(int size, const BroFunc* func, const val_list *fn_args); - ~Frame(); + ~Frame() override; Val* NthElement(int n) { return frame[n]; } void SetElement(int n, Val* v) @@ -24,9 +24,10 @@ public: frame[n] = v; } + void Reset(int startIdx); void Release(); - void Describe(ODesc* d) const; + void Describe(ODesc* d) const override; // For which function is this stack frame. const BroFunc* GetFunction() const { return function; } diff --git a/src/Func.cc b/src/Func.cc index ccb2570f70..703cc04d29 100644 --- a/src/Func.cc +++ b/src/Func.cc @@ -50,7 +50,7 @@ extern RETSIGTYPE sig_handler(int signo); -const Expr* calling_expr = 0; +vector call_stack; bool did_builtin_init = false; vector Func::unique_ids; 
@@ -383,11 +383,7 @@ Val* BroFunc::Call(val_list* args, Frame* parent) const FType()->FlavorString().c_str(), d.Description()); } - loop_over_list(*args, i) - f->SetElement(i, (*args)[i]); - stmt_flow_type flow = FLOW_NEXT; - Val* result = 0; for ( size_t i = 0; i < bodies.size(); ++i ) @@ -398,6 +394,21 @@ Val* BroFunc::Call(val_list* args, Frame* parent) const Unref(result); + loop_over_list(*args, j) + { + Val* arg = (*args)[j]; + + if ( f->NthElement(j) != arg ) + { + // Either not yet set, or somebody reassigned + // the frame slot. + Ref(arg); + f->SetElement(j, arg); + } + } + + f->Reset(args->length()); + try { result = bodies[i].stmts->Exec(f, flow); @@ -433,6 +444,11 @@ Val* BroFunc::Call(val_list* args, Frame* parent) const } } + // We have an extra Ref for each argument (so that they don't get + // deleted between bodies), release that. + loop_over_list(*args, k) + Unref((*args)[k]); + if ( Flavor() == FUNC_FLAVOR_HOOK ) { if ( ! result ) 
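Review bot: The reference taken in the new `Ref(arg); f->SetElement(j, arg);` block (second hunk) is balanced only by the `Unref((*args)[k])` loop added in the third hunk, and the code between the two is not fully visible here. Any `return` or uncaught exception that leaves `BroFunc::Call` after the first body has run but before that final loop would skip the release and leak every argument. The ownership rule deserves a comment at the point where the reference is taken, for example `// Frame holds its own ref per argument; the caller's ref is dropped after the body loop, so no path may leave Call() before that loop.` The function starts and ends outside these hunks, so the early-exit paths should be checked against the full body.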
@@ -621,21 +637,73 @@ bool BuiltinFunc::DoUnserialize(UnserialInfo* info) void builtin_error(const char* msg, BroObj* arg) { - if ( calling_expr ) - calling_expr->Error(msg, arg); - else + if ( call_stack.empty() ) + { reporter->Error(msg, arg); + return; + } + + auto last_call = call_stack.back(); + + if ( call_stack.size() < 2 ) + { + // Don't need to check for wrapper function like "::__" + last_call.call->Error(msg, arg); + return; + } + + auto starts_with_double_underscore = [](const std::string& name) -> bool + { return name.size() > 2 && name[0] == '_' && name[1] == '_'; }; + auto last_loc = last_call.call->GetLocationInfo(); + std::string last_func = last_call.func->Name(); + + auto pos = last_func.find_first_of("::"); + std::string wrapper_func; + + if ( pos == std::string::npos ) + { + if ( ! starts_with_double_underscore(last_func) ) + { + last_call.call->Error(msg, arg); + return; + } + + wrapper_func = last_func.substr(2); + } + else + { + auto module_name = last_func.substr(0, pos); + auto func_name = last_func.substr(pos + 2); + + if ( ! starts_with_double_underscore(func_name) ) + { + last_call.call->Error(msg, arg); + return; + } + + wrapper_func = module_name + "::" + func_name.substr(2); + } + + auto parent_call = call_stack[call_stack.size() - 2]; + auto parent_func = parent_call.func->Name(); + + if ( wrapper_func == parent_func ) + parent_call.call->Error(msg, arg); + else + last_call.call->Error(msg, arg); } #include "bro.bif.func_h" #include "stats.bif.func_h" #include "reporter.bif.func_h" #include "strings.bif.func_h" +#include "option.bif.func_h" #include "bro.bif.func_def" #include "stats.bif.func_def" #include "reporter.bif.func_def" #include "strings.bif.func_def" +#include "option.bif.func_def" #include "__all__.bif.cc" // Autogenerated for compiling in the bif_target() code. #include "__all__.bif.register.cc" // Autogenerated for compiling in the bif_target() code. 
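Review bot: In `builtin_error`, `last_func.find_first_of("::")` does not search for the substring `::`; `find_first_of` returns the position of the first character that belongs to the given set, which here is the first single `:`. The code that follows (`substr(0, pos)` and `substr(pos + 2)`) assumes a two-character separator, so a name containing a lone colon would be split in the wrong place. The call should be `auto pos = last_func.find("::");`. A short comment on the `__` wrapper convention (module `Foo::__bar` reported at the call site of `Foo::bar`) would also help, since the lambda and the two branches only make sense with that rule in mind.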
@@ -653,6 +721,7 @@ void init_builtin_funcs() TimerStats = internal_type("TimerStats")->AsRecordType(); FileAnalysisStats = internal_type("FileAnalysisStats")->AsRecordType(); ThreadStats = internal_type("ThreadStats")->AsRecordType(); + BrokerStats = internal_type("BrokerStats")->AsRecordType(); var_sizes = internal_type("var_sizes")->AsTableType(); @@ -660,6 +729,7 @@ void init_builtin_funcs() #include "stats.bif.func_init" #include "reporter.bif.func_init" #include "strings.bif.func_init" +#include "option.bif.func_init" did_builtin_init = true; } diff --git a/src/Func.h b/src/Func.h index 791f8b7135..dc54087e06 100644 --- a/src/Func.h +++ b/src/Func.h @@ -22,9 +22,9 @@ public: enum Kind { BRO_FUNC, BUILTIN_FUNC }; - Func(Kind arg_kind); + explicit Func(Kind arg_kind); - virtual ~Func(); + ~Func() override; virtual int IsPure() const = 0; function_flavor Flavor() const { return FType()->Flavor(); } @@ -56,7 +56,7 @@ public: const char* Name() const { return name.c_str(); } void SetName(const char* arg_name) { name = arg_name; } - virtual void Describe(ODesc* d) const = 0; + void Describe(ODesc* d) const override = 0; virtual void DescribeDebug(ODesc* d, const val_list* args) const; // This (un-)serializes only a single body (as given in SerialInfo). @@ -90,7 +90,7 @@ protected: class BroFunc : public Func { public: BroFunc(ID* id, Stmt* body, id_list* inits, int frame_size, int priority); - ~BroFunc(); + ~BroFunc() override; int IsPure() const override; Val* Call(val_list* args, Frame* parent) const override; @@ -116,7 +116,7 @@ typedef Val* (*built_in_func)(Frame* frame, val_list* args); class BuiltinFunc : public Func { public: BuiltinFunc(built_in_func func, const char* name, int is_pure); - ~BuiltinFunc(); + ~BuiltinFunc() override; int IsPure() const override; Val* Call(val_list* args, Frame* parent) const override; 
@@ -140,10 +140,12 @@ extern void init_builtin_funcs_subdirs(); extern bool check_built_in_call(BuiltinFunc* f, CallExpr* call); -// This global is set prior to the interpreter making a function call. -// It's there so that built-in functions can access the location information -// associated with a call when reporting error messages. -extern const Expr* calling_expr; +struct CallInfo { + const CallExpr* call; + const Func* func; +}; + +extern vector call_stack; // This is set to true after the built-in functions have been initialized. extern bool did_builtin_init; diff --git a/src/Hash.h b/src/Hash.h index b8c998f461..922acdc74f 100644 --- a/src/Hash.h +++ b/src/Hash.h @@ -20,14 +20,14 @@ typedef enum { class HashKey { public: - HashKey(bro_int_t i); - HashKey(bro_uint_t u); - HashKey(uint32 u); + explicit HashKey(bro_int_t i); + explicit HashKey(bro_uint_t u); + explicit HashKey(uint32 u); HashKey(const uint32 u[], int n); - HashKey(double d); - HashKey(const void* p); - HashKey(const char* s); - HashKey(const BroString* s); + explicit HashKey(double d); + explicit HashKey(const void* p); + explicit HashKey(const char* s); + explicit HashKey(const BroString* s); ~HashKey() { if ( is_our_dynamic ) diff --git a/src/ID.cc b/src/ID.cc index efc488449b..a68abb6264 100644 --- a/src/ID.cc +++ b/src/ID.cc @@ -21,12 +21,13 @@ ID::ID(const char* arg_name, IDScope arg_scope, bool arg_is_export) name = copy_string(arg_name); scope = arg_scope; is_export = arg_is_export; + is_option = false; type = 0; val = 0; attrs = 0; - is_const = 0; - is_enum_const = 0; - is_type = 0; + is_const = false; + is_enum_const = false; + is_type = false; offset = 0; infer_return_type = false; @@ -41,6 +42,9 @@ ID::~ID() Unref(type); Unref(attrs); + for ( auto element : option_handlers ) + Unref(element.second); + if ( ! weak_ref ) Unref(val); } 
@@ -290,6 +294,22 @@ void ID::RemoveAttr(attr_tag a) } } +void ID::SetOption() + { + if ( is_option ) + return; + + is_option = true; + + // option implied redefinable + if ( ! IsRedefinable() ) + { + attr_list* attr = new attr_list; + attr->append(new Attr(ATTR_REDEF)); + AddAttrs(new Attributes(attr, Type(), false)); + } + } + void ID::EvalFunc(Expr* ef, Expr* ev) { Expr* arg1 = new ConstExpr(val->Ref()); @@ -772,3 +792,18 @@ void ID::UpdateValID() } #endif +void ID::AddOptionHandler(Func* callback, int priority) + { + option_handlers.insert({priority, callback}); + } + +vector ID::GetOptionHandlers() const + { + // multimap is sorted + // It might be worth caching this if we expect it to be called + // a lot... + vector v; + for ( auto& element : option_handlers ) + v.push_back(element.second); + return v; + } diff --git a/src/ID.h b/src/ID.h index 2e0d5708a9..18754584df 100644 --- a/src/ID.h +++ b/src/ID.h @@ -11,6 +11,7 @@ class Val; class SerialInfo; +class Func; typedef enum { INIT_NONE, INIT_FULL, INIT_EXTRA, INIT_REMOVE, } init_class; typedef enum { SCOPE_FUNCTION, SCOPE_MODULE, SCOPE_GLOBAL } IDScope; @@ -18,7 +19,7 @@ typedef enum { SCOPE_FUNCTION, SCOPE_MODULE, SCOPE_GLOBAL } IDScope; class ID : public BroObj { public: ID(const char* name, IDScope arg_scope, bool arg_is_export); - ~ID(); + ~ID() override; const char* Name() const { return name; } @@ -34,7 +35,7 @@ public: BroType* Type() { return type; } const BroType* Type() const { return type; } - void MakeType() { is_type = 1; } + void MakeType() { is_type = true; } BroType* AsType() { return is_type ? Type() : 0; } const BroType* AsType() const { return is_type ? Type() : 0; } 
@@ -51,21 +52,24 @@ public: void SetVal(Val* v, init_class c); void SetVal(Expr* ev, init_class c); - int HasVal() const { return val != 0; } + bool HasVal() const { return val != 0; } Val* ID_Val() { return val; } const Val* ID_Val() const { return val; } void ClearVal(); - void SetConst() { is_const = 1; } - int IsConst() const { return is_const; } + void SetConst() { is_const = true; } + bool IsConst() const { return is_const; } - void SetEnumConst() { is_enum_const = 1; } - int IsEnumConst() const { return is_enum_const; } + void SetOption(); + bool IsOption() const { return is_option; } + + void SetEnumConst() { is_enum_const = true; } + bool IsEnumConst() const { return is_enum_const; } void SetOffset(int arg_offset) { offset = arg_offset; } int Offset() const { return offset; } - int IsRedefinable() const { return FindAttr(ATTR_REDEF) != 0; } + bool IsRedefinable() const { return FindAttr(ATTR_REDEF) != 0; } // Returns true if ID is one of those internal globally unique IDs // to which MutableVals are bound (there name start with a '#'). @@ -97,16 +101,23 @@ public: bool Serialize(SerialInfo* info) const; static ID* Unserialize(UnserialInfo* info); - bool DoInferReturnType() { return infer_return_type; } + bool DoInferReturnType() const + { return infer_return_type; } void SetInferReturnType(bool infer) - { infer_return_type = infer; } + { infer_return_type = infer; } virtual TraversalCode Traverse(TraversalCallback* cb) const; + bool HasOptionHandlers() const + { return !option_handlers.empty(); } + + // Takes ownership of callback. + void AddOptionHandler(Func* callback, int priority); + vector GetOptionHandlers() const; + protected: ID() { name = 0; type = 0; val = 0; attrs = 0; } - void CheckAttr(Attr* attr); void EvalFunc(Expr* ef, Expr* ev); #ifdef DEBUG 
@@ -119,10 +130,12 @@ protected: IDScope scope; bool is_export; BroType* type; - int is_const, is_enum_const, is_type; + bool is_const, is_enum_const, is_type, is_option; int offset; Val* val; Attributes* attrs; + // contains list of functions that are called when an option changes + std::multimap option_handlers; bool infer_return_type; bool weak_ref; diff --git a/src/IP.cc b/src/IP.cc index ebe778e3d7..79e1cf4fba 100644 --- a/src/IP.cc +++ b/src/IP.cc @@ -370,8 +370,8 @@ RecordVal* IP_Hdr::BuildPktHdrVal(RecordVal* pkt_hdr, int sindex) const int tcp_hdr_len = tp->th_off * 4; int data_len = PayloadLen() - tcp_hdr_len; - tcp_hdr->Assign(0, new PortVal(ntohs(tp->th_sport), TRANSPORT_TCP)); - tcp_hdr->Assign(1, new PortVal(ntohs(tp->th_dport), TRANSPORT_TCP)); + tcp_hdr->Assign(0, port_mgr->Get(ntohs(tp->th_sport), TRANSPORT_TCP)); + tcp_hdr->Assign(1, port_mgr->Get(ntohs(tp->th_dport), TRANSPORT_TCP)); tcp_hdr->Assign(2, new Val(uint32(ntohl(tp->th_seq)), TYPE_COUNT)); tcp_hdr->Assign(3, new Val(uint32(ntohl(tp->th_ack)), TYPE_COUNT)); tcp_hdr->Assign(4, new Val(tcp_hdr_len, TYPE_COUNT)); @@ -388,8 +388,8 @@ RecordVal* IP_Hdr::BuildPktHdrVal(RecordVal* pkt_hdr, int sindex) const const struct udphdr* up = (const struct udphdr*) data; RecordVal* udp_hdr = new RecordVal(udp_hdr_type); - udp_hdr->Assign(0, new PortVal(ntohs(up->uh_sport), TRANSPORT_UDP)); - udp_hdr->Assign(1, new PortVal(ntohs(up->uh_dport), TRANSPORT_UDP)); + udp_hdr->Assign(0, port_mgr->Get(ntohs(up->uh_sport), TRANSPORT_UDP)); + udp_hdr->Assign(1, port_mgr->Get(ntohs(up->uh_dport), TRANSPORT_UDP)); udp_hdr->Assign(2, new Val(ntohs(up->uh_ulen), TYPE_COUNT)); pkt_hdr->Assign(sindex + 3, udp_hdr); diff --git a/src/IPAddr.h b/src/IPAddr.h index cc7b2baa6e..8ff258a860 100644 --- a/src/IPAddr.h +++ b/src/IPAddr.h 
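Review bot: The new `is_option` member added in `bool is_const, is_enum_const, is_type, is_option;` is set to `false` only in the public constructor in ID.cc. The protected default constructor shown in the preceding ID.h hunk, `ID() { name = 0; type = 0; val = 0; attrs = 0; }`, leaves it indeterminate. If an `ID` created through that constructor (presumably the unserialize path) is later asked `IsOption()` or `SetOption()`, the result depends on uninitialised memory, unless the unserialize code assigns the flag, which is not visible here. I would extend the default constructor to `ID() { name = 0; type = 0; val = 0; attrs = 0; is_option = false; }`, or give the four flags in-class initialisers.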
@@ -88,7 +88,7 @@ public: * @param s String containing an IP address as either a dotted IPv4 * address or a hex IPv6 address. */ - IPAddr(const BroString& s) + explicit IPAddr(const BroString& s) { Init(s.CheckString()); } diff --git a/src/IntSet.h b/src/IntSet.h index ef58e8b12f..5bbdf88d9b 100644 --- a/src/IntSet.h +++ b/src/IntSet.h @@ -12,7 +12,7 @@ class IntSet { public: // n is a hint for the value of the largest integer. - IntSet(unsigned int n = 1); + explicit IntSet(unsigned int n = 1); ~IntSet(); void Insert(unsigned int i); diff --git a/src/List.h b/src/List.h index bf87ade67d..fcc0274225 100644 --- a/src/List.h +++ b/src/List.h @@ -42,7 +42,7 @@ public: { return padded_sizeof(*this) + pad_size(max_entries * sizeof(ent)); } protected: - BaseList(int = 0); + explicit BaseList(int = 0); BaseList(BaseList&); void insert(ent); // add at head of list @@ -102,9 +102,9 @@ protected: #define Listdeclare(type) \ struct List(type) : BaseList \ { \ - List(type)(type ...); \ + explicit List(type)(type ...); \ List(type)() : BaseList(0) {} \ - List(type)(int sz) : BaseList(sz) {} \ + explicit List(type)(int sz) : BaseList(sz) {} \ List(type)(List(type)& l) : BaseList((BaseList&)l) {} \ \ void operator=(List(type)& l) \ @@ -143,9 +143,9 @@ List(type)::List(type)(type e1 ...) : BaseList() \ #define PListdeclare(type) \ struct PList(type) : BaseList \ { \ - PList(type)(type* ...); \ + explicit PList(type)(type* ...); \ PList(type)() : BaseList(0) {} \ - PList(type)(int sz) : BaseList(sz) {} \ + explicit PList(type)(int sz) : BaseList(sz) {} \ PList(type)(PList(type)& l) : BaseList((BaseList&)l) {} \ \ void operator=(PList(type)& l) \ diff --git a/src/NFA.cc b/src/NFA.cc index 43ec3d2a90..c53aa4304b 100644 --- a/src/NFA.cc +++ b/src/NFA.cc @@ -12,6 +12,7 @@ NFA_State::NFA_State(int arg_sym, EquivClass* ec) sym = arg_sym; ccl = 0; accept = NO_ACCEPT; + first_trans_is_back_ref = false; mark = 0; epsclosure = 0; id = ++nfa_state_id; 
@@ -33,6 +34,7 @@ NFA_State::NFA_State(CCL* arg_ccl) sym = SYM_CCL; ccl = arg_ccl; accept = NO_ACCEPT; + first_trans_is_back_ref = false; mark = 0; id = ++nfa_state_id; epsclosure = 0; @@ -41,7 +43,8 @@ NFA_State::NFA_State(CCL* arg_ccl) NFA_State::~NFA_State() { for ( int i = 0; i < xtions.length(); ++i ) - Unref(xtions[i]); + if ( i > 0 || ! first_trans_is_back_ref ) + Unref(xtions[i]); delete epsclosure; } @@ -55,7 +58,10 @@ void NFA_State::AddXtionsTo(NFA_state_list* ns) NFA_State* NFA_State::DeepCopy() { if ( mark ) + { + Ref(mark); return mark; + } NFA_State* copy = ccl ? new NFA_State(ccl) : new NFA_State(sym, 0); SetMark(copy); @@ -244,7 +250,10 @@ void NFA_Machine::MakePositiveClosure() { AppendEpsilon(); final_state->AddXtion(first_state); - Ref(first_state); + + // Don't Ref the state the final epsilon points to, otherwise we'll + // have reference cycles that lead to leaks. + final_state->SetFirstTransIsBackRef(); } void NFA_Machine::MakeRepl(int lower, int upper) @@ -304,6 +313,13 @@ NFA_Machine* make_alternate(NFA_Machine* m1, NFA_Machine* m2) m2->AppendState(last); Ref(last); + // Keep these around. + Ref(m1->FirstState()); + Ref(m2->FirstState()); + + Unref(m1); + Unref(m2); + return new NFA_Machine(first, last); } diff --git a/src/NFA.h b/src/NFA.h index 88ce3429c9..79c3961dd5 100644 --- a/src/NFA.h +++ b/src/NFA.h @@ -27,8 +27,8 @@ typedef PList(NFA_State) NFA_state_list; class NFA_State : public BroObj { public: NFA_State(int sym, EquivClass* ec); - NFA_State(CCL* ccl); - ~NFA_State(); + explicit NFA_State(CCL* ccl); + ~NFA_State() override; void AddXtion(NFA_State* next_state) { xtions.append(next_state); } NFA_state_list* Transitions() { return &xtions; } 
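Review bot: The destructor's new guard `if ( i > 0 || ! first_trans_is_back_ref )` turns `xtions[0]` into a non-owning pointer, but nothing in the visible hunks ties the flag to the slot it describes. `MakePositiveClosure()` (later hunk in this file) calls `final_state->AddXtion(first_state)` and then `SetFirstTransIsBackRef()`, which is only right if the state produced by `AppendEpsilon()` has no transitions yet; that function is not shown, so this needs confirming. `DeepCopy()` builds the copy through the ordinary constructors, so the copy presumably does not inherit the flag while its back edge is now `Ref`'d, which would bring the reference cycle back for copied machines. I would document the invariant where the flag is set, e.g. `// final_state was just created by AppendEpsilon(), so first_state lands in xtions[0]; that slot holds no ref and must not be used after first_state is gone.`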
@@ -46,13 +46,15 @@ public: NFA_State* Mark() const { return mark; } void ClearMarks(); + void SetFirstTransIsBackRef() { first_trans_is_back_ref = true; } + int TransSym() const { return sym; } CCL* TransCCL() const { return ccl; } int ID() const { return id; } NFA_state_list* EpsilonClosure(); - void Describe(ODesc* d) const; + void Describe(ODesc* d) const override; void Dump(FILE* f); // Recursivly count all the reachable states. @@ -62,7 +64,13 @@ protected: int sym; // if SYM_CCL, then use ccl CCL* ccl; // if nil, then use sym int accept; + + // Whether the first transition points backwards. Used + // to avoid reference-counting loops. + bool first_trans_is_back_ref; + int id; // number that uniquely identifies this state + NFA_state_list xtions; NFA_state_list* epsclosure; NFA_State* mark; @@ -75,8 +83,8 @@ public: class NFA_Machine : public BroObj { public: - NFA_Machine(NFA_State* first, NFA_State* final = 0); - ~NFA_Machine(); + explicit NFA_Machine(NFA_State* first, NFA_State* final = 0); + ~NFA_Machine() override; NFA_State* FirstState() const { return first_state; } @@ -103,7 +111,7 @@ public: void AppendState(NFA_State* new_state); void AppendMachine(NFA_Machine* new_mach); - void Describe(ODesc* d) const; + void Describe(ODesc* d) const override; void Dump(FILE* f); unsigned int MemoryAllocation() const diff --git a/src/Net.cc b/src/Net.cc index 0b0491719f..4357f122ca 100644 --- a/src/Net.cc +++ b/src/Net.cc @@ -33,10 +33,7 @@ #include "iosource/PktSrc.h" #include "iosource/PktDumper.h" #include "plugin/Manager.h" - -#ifdef ENABLE_BROKER #include "broker/Manager.h" -#endif extern "C" { #include "setsignal.h" 
@@ -61,6 +58,7 @@ double bro_start_time = 0.0; // time Bro started. double bro_start_network_time; // timestamp of first packet double last_watchdog_proc_time = 0.0; // value of above during last watchdog bool terminating = false; // whether we're done reading and finishing up +bool is_parsing = false; const Packet *current_pkt = 0; int current_dispatched = 0; @@ -311,11 +309,7 @@ void net_run() } #endif current_iosrc = src; - bool communication_enabled = using_communication; - -#ifdef ENABLE_BROKER - communication_enabled |= broker_mgr->Enabled(); -#endif + auto communication_enabled = using_communication || broker_mgr->Active(); if ( src ) src->Process(); // which will call net_packet_dispatch() @@ -333,7 +327,8 @@ void net_run() } } - else if ( (have_pending_timers || communication_enabled) && + else if ( (have_pending_timers || communication_enabled || + BifConst::exit_only_after_terminate) && ! pseudo_realtime ) { // Take advantage of the lull to get up to @@ -386,6 +381,24 @@ void net_run() // Check whether we have timers scheduled for // the future on which we need to wait. have_pending_timers = timer_mgr->Size() > 0; + + if ( pseudo_realtime && communication_enabled ) + { + auto have_active_packet_source = false; + + for ( auto& ps : iosource_mgr->GetPktSrcs() ) + { + if ( ps->IsOpen() ) + { + have_active_packet_source = true; + break; + } + } + + if ( ! have_active_packet_source ) + // Can turn off pseudo realtime now + pseudo_realtime = 0; + } } // Get the final statistics now, and not when net_finish() is diff --git a/src/Net.h b/src/Net.h index 370f08a3ca..bdc84ec74f 100644 --- a/src/Net.h +++ b/src/Net.h @@ -70,6 +70,9 @@ extern bool terminating; // True if the remote serializer is to be activated. extern bool using_communication; +// True if Bro is currently parsing scripts. +extern bool is_parsing; + extern const Packet* current_pkt; extern int current_dispatched; extern double current_timestamp; 
@@ -80,6 +83,8 @@ extern iosource::PktDumper* pkt_dumper; // where to save packets extern char* writefile; +extern int old_comm_usage_count; + // Script file we have already scanned (or are in the process of scanning). // They are identified by inode number. struct ScannedFile { diff --git a/src/NetVar.cc b/src/NetVar.cc index 75613364e2..93533b9627 100644 --- a/src/NetVar.cc +++ b/src/NetVar.cc @@ -110,9 +110,6 @@ RecordType* geo_location; RecordType* entropy_test_result; -TableType* dhcp_router_list; -RecordType* dhcp_msg; - RecordType* dns_msg; RecordType* dns_answer; RecordType* dns_soa; @@ -426,9 +423,6 @@ void init_net_var() entropy_test_result = internal_type("entropy_test_result")->AsRecordType(); - dhcp_router_list = internal_type("dhcp_router_list")->AsTableType(); - dhcp_msg = internal_type("dhcp_msg")->AsRecordType(); - dns_msg = internal_type("dns_msg")->AsRecordType(); dns_answer = internal_type("dns_answer")->AsRecordType(); dns_soa = internal_type("dns_soa")->AsRecordType(); diff --git a/src/NetVar.h b/src/NetVar.h index 2b8ebd69c2..023be18867 100644 --- a/src/NetVar.h +++ b/src/NetVar.h @@ -113,9 +113,6 @@ extern RecordType* geo_location; extern RecordType* entropy_test_result; -extern TableType* dhcp_router_list; -extern RecordType* dhcp_msg; - extern RecordType* dns_msg; extern RecordType* dns_answer; extern RecordType* dns_soa; diff --git a/src/OSFinger.h b/src/OSFinger.h index 0968fb5fd3..b7c731900c 100644 --- a/src/OSFinger.h +++ b/src/OSFinger.h @@ -81,7 +81,7 @@ enum FingerprintMode { class OSFingerprint { public: - OSFingerprint(FingerprintMode mode); + explicit OSFingerprint(FingerprintMode mode); ~OSFingerprint() {} bool Error() const { return err; } 
@@ -90,13 +90,6 @@ public: uint8 TTL, uint16 WSS, uint8 ocnt, uint8* op, uint16 MSS, uint8 win_scale, uint32 tstamp, uint32 quirks, uint8 ECN) const; bool CacheMatch(const IPAddr& addr, int id); - - int Get_OS_From_SYN(struct os_type* retval, - uint16 tot, uint8 DF_flag, uint8 TTL, uint16 WSS, - uint8 ocnt, uint8* op, uint16 MSS, uint8 win_scale, - uint32 tstamp, /* uint8 TOS, */ uint32 quirks, - uint8 ecn) const; - void load_config(const char* file); protected: diff --git a/src/Obj.h b/src/Obj.h index 59a1589afa..047eec0856 100644 --- a/src/Obj.h +++ b/src/Obj.h @@ -36,7 +36,7 @@ public: text = 0; } - virtual ~Location() + ~Location() override { if ( delete_data ) delete [] filename; @@ -112,7 +112,7 @@ public: SetLocationInfo(&start_location, &end_location); } - virtual ~BroObj(); + ~BroObj() override; // Report user warnings/errors. If obj2 is given, then it's // included in the message, though if pinpoint_only is non-zero, diff --git a/src/OpaqueVal.h b/src/OpaqueVal.h index df928dff60..61549f414a 100644 --- a/src/OpaqueVal.h +++ b/src/OpaqueVal.h @@ -23,7 +23,8 @@ public: protected: HashVal() { }; - HashVal(OpaqueType* t); + explicit HashVal(OpaqueType* t); + virtual bool DoInit(); virtual bool DoFeed(const void* data, size_t size); virtual StringVal* DoGet(); @@ -48,9 +49,9 @@ public: protected: friend class Val; - virtual bool DoInit() override; - virtual bool DoFeed(const void* data, size_t size) override; - virtual StringVal* DoGet() override; + bool DoInit() override; + bool DoFeed(const void* data, size_t size) override; + StringVal* DoGet() override; DECLARE_SERIAL(MD5Val); @@ -67,9 +68,9 @@ public: protected: friend class Val; - virtual bool DoInit() override; - virtual bool DoFeed(const void* data, size_t size) override; - virtual StringVal* DoGet() override; + bool DoInit() override; + bool DoFeed(const void* data, size_t size) override; + StringVal* DoGet() override; DECLARE_SERIAL(SHA1Val); 
@@ -86,9 +87,9 @@ public: protected: friend class Val; - virtual bool DoInit() override; - virtual bool DoFeed(const void* data, size_t size) override; - virtual StringVal* DoGet() override; + bool DoInit() override; + bool DoFeed(const void* data, size_t size) override; + StringVal* DoGet() override; DECLARE_SERIAL(SHA256Val); @@ -106,7 +107,6 @@ public: protected: friend class Val; - EntropyVal(OpaqueType* t); DECLARE_SERIAL(EntropyVal); @@ -117,7 +117,7 @@ private: class BloomFilterVal : public OpaqueVal { public: explicit BloomFilterVal(probabilistic::BloomFilter* bf); - virtual ~BloomFilterVal(); + ~BloomFilterVal() override; BroType* Type() const; bool Typify(BroType* type); @@ -134,7 +134,7 @@ public: protected: friend class Val; BloomFilterVal(); - BloomFilterVal(OpaqueType* t); + explicit BloomFilterVal(OpaqueType* t); DECLARE_SERIAL(BloomFilterVal); @@ -152,7 +152,7 @@ private: class CardinalityVal: public OpaqueVal { public: explicit CardinalityVal(probabilistic::CardinalityCounter*); - virtual ~CardinalityVal(); + ~CardinalityVal() override; void Add(const Val* val); diff --git a/src/PacketDumper.h b/src/PacketDumper.h index baace47876..080d9af724 100644 --- a/src/PacketDumper.h +++ b/src/PacketDumper.h @@ -12,7 +12,7 @@ using namespace std; class PacketDumper { public: - PacketDumper(pcap_dumper_t* pkt_dump); + explicit PacketDumper(pcap_dumper_t* pkt_dump); void DumpPacket(const struct pcap_pkthdr* hdr, const u_char* pkt, int len); diff --git a/src/PacketFilter.h b/src/PacketFilter.h index 3d7a3aa3be..6369a84323 100644 --- a/src/PacketFilter.h +++ b/src/PacketFilter.h @@ -8,7 +8,7 @@ class PacketFilter { public: - PacketFilter(bool arg_default) { default_match = arg_default; } + explicit PacketFilter(bool arg_default) { default_match = arg_default; } ~PacketFilter() {} // Drops all packets from a particular source (which may be given diff --git a/src/PersistenceSerializer.cc b/src/PersistenceSerializer.cc index 9400b2d0ca..52778ed10c 100644 
--- a/src/PersistenceSerializer.cc +++ b/src/PersistenceSerializer.cc @@ -191,7 +191,7 @@ void PersistenceSerializer::RaiseFinishedSendState() { val_list* vl = new val_list; vl->append(new AddrVal(htonl(remote_host))); - vl->append(new PortVal(remote_port)); + vl->append(port_mgr->Get(remote_port)); mgr.QueueEvent(finished_send_state, vl); reporter->Log("Serialization done."); diff --git a/src/PersistenceSerializer.h b/src/PersistenceSerializer.h index 7274e60569..99d8da88c4 100644 --- a/src/PersistenceSerializer.h +++ b/src/PersistenceSerializer.h @@ -11,7 +11,8 @@ class StateAccess; class PersistenceSerializer : public FileSerializer { public: PersistenceSerializer(); - virtual ~PersistenceSerializer(); + + ~PersistenceSerializer() override; // Define the directory where to store the data. void SetDir(const char* arg_dir) { dir = copy_string(arg_dir); } @@ -59,15 +60,15 @@ protected: friend class RemoteSerializer; friend class IncrementalWriteTimer; - virtual void GotID(ID* id, Val* val); - virtual void GotEvent(const char* name, double time, - EventHandlerPtr event, val_list* args); - virtual void GotFunctionCall(const char* name, double time, - Func* func, val_list* args) ; - virtual void GotStateAccess(StateAccess* s); - virtual void GotTimer(Timer* t); - virtual void GotConnection(Connection* c); - virtual void GotPacket(Packet* packet); + void GotID(ID* id, Val* val) override; + void GotEvent(const char* name, double time, + EventHandlerPtr event, val_list* args) override; + void GotFunctionCall(const char* name, double time, + Func* func, val_list* args) override; + void GotStateAccess(StateAccess* s) override; + void GotTimer(Timer* t) override; + void GotConnection(Connection* c) override; + void GotPacket(Packet* packet) override; // If file has changed since last check, read it. bool CheckForFile(UnserialInfo* info, const char* file, diff --git a/src/Pipe.cc b/src/Pipe.cc index 3f60409fdb..3775ca705d 100644 --- a/src/Pipe.cc +++ b/src/Pipe.cc 
@@ -12,7 +12,7 @@ using namespace bro; static void pipe_fail(int eno) { char tmp[256]; - strerror_r(eno, tmp, sizeof(tmp)); + bro_strerror_r(eno, tmp, sizeof(tmp)); reporter->FatalError("Pipe failure: %s", tmp); } diff --git a/src/Pipe.h b/src/Pipe.h index 77b341117e..05153bfd4d 100644 --- a/src/Pipe.h +++ b/src/Pipe.h @@ -15,7 +15,7 @@ public: * @param status_flags0 descriptor status flags to set on read end of pipe. * @param status_flags1 descriptor status flags to set on write end of pipe. */ - Pipe(int flags0 = 0, int flags1 = 0, int status_flags0 = 0, + explicit Pipe(int flags0 = 0, int flags1 = 0, int status_flags0 = 0, int status_flags1 = 0); /** diff --git a/src/PolicyFile.cc b/src/PolicyFile.cc index bd41c15e9d..22f09e6970 100644 --- a/src/PolicyFile.cc +++ b/src/PolicyFile.cc @@ -84,7 +84,7 @@ bool LoadPolicyFileText(const char* policy_filename) if ( fstat(fileno(f), &st) != 0 ) { char buf[256]; - strerror_r(errno, buf, sizeof(buf)); + bro_strerror_r(errno, buf, sizeof(buf)); reporter->Error("fstat failed on %s: %s", policy_filename, buf); fclose(f); return false; diff --git a/src/PriorityQueue.h b/src/PriorityQueue.h index 6fe36f43fe..e1700f5b38 100644 --- a/src/PriorityQueue.h +++ b/src/PriorityQueue.h @@ -10,7 +10,7 @@ class PriorityQueue; class PQ_Element { public: - PQ_Element(double t) { time = t; offset = -1; } + explicit PQ_Element(double t) { time = t; offset = -1; } virtual ~PQ_Element() { } double Time() const { return time; } @@ -28,7 +28,7 @@ protected: class PriorityQueue { public: - PriorityQueue(int initial_size = 16); + explicit PriorityQueue(int initial_size = 16); ~PriorityQueue(); // Returns the top of queue, or nil if the queue is empty. diff --git a/src/Queue.h b/src/Queue.h index c9a69ad926..691b5b9908 100644 --- a/src/Queue.h +++ b/src/Queue.h 
@@ -39,7 +39,7 @@ public: void incr(int& index) { index < max_entries ? ++index : index = 0; } protected: - BaseQueue(int = 0); + explicit BaseQueue(int = 0); void push_front(ent); // add in front of queue void push_back(ent); // add at end of queue @@ -73,7 +73,7 @@ protected: struct Queue(type) : BaseQueue \ { \ Queue(type)() : BaseQueue(0) {} \ - Queue(type)(int sz) : BaseQueue(sz) {} \ + explicit Queue(type)(int sz) : BaseQueue(sz) {} \ \ void push_front(type a) { BaseQueue::push_front(ent(a)); } \ void push_back(type a) { BaseQueue::push_back(ent(a)); } \ @@ -88,7 +88,7 @@ struct Queue(type) : BaseQueue \ struct PQueue(type) : BaseQueue \ { \ PQueue(type)() : BaseQueue(0) {} \ - PQueue(type)(int sz) : BaseQueue(sz) {} \ + explicit PQueue(type)(int sz) : BaseQueue(sz) {} \ \ void push_front(type* a){ BaseQueue::push_front(ent(a)); } \ void push_back(type* a) { BaseQueue::push_back(ent(a)); } \ diff --git a/src/RE.cc b/src/RE.cc index 6c1e80588f..517fab4c91 100644 --- a/src/RE.cc +++ b/src/RE.cc @@ -19,6 +19,7 @@ int case_insensitive = 0; extern int RE_parse(void); extern void RE_set_input(const char* str); +extern void RE_done_with_scan(); Specific_RE_Matcher::Specific_RE_Matcher(match_type arg_mt, int arg_multiline) : equiv_class(NUM_SYM) @@ -101,6 +102,19 @@ void Specific_RE_Matcher::AddPat(const char* new_pat, pattern_text = s; } +void Specific_RE_Matcher::MakeCaseInsensitive() + { + const char fmt[] = "(?i:%s)"; + int n = strlen(pattern_text) + strlen(fmt); + + char* s = new char[n + 5 /* slop */]; + + safe_snprintf(s, n + 5, fmt, pattern_text); + + delete [] pattern_text; + pattern_text = s; + } + int Specific_RE_Matcher::Compile(int lazy) { if ( ! pattern_text ) 
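Review bot: `Specific_RE_Matcher::MakeCaseInsensitive()` passes `pattern_text` to `strlen()` without a null check, while `Compile()` directly below guards with `if ( ! pattern_text )`, which suggests an unset pattern is a reachable state. Calling the new method on a matcher that has no pattern yet would dereference a null pointer; an early `if ( ! pattern_text ) return;` at the top avoids that. The length is also stored in an `int` although `strlen()` returns `size_t`; declaring `size_t n` keeps the allocation size and the `safe_snprintf` bound in one unsigned type.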
@@ -108,9 +122,15 @@ int Specific_RE_Matcher::Compile(int lazy) rem = this; RE_set_input(pattern_text); - if ( RE_parse() ) + + int parse_status = RE_parse(); + RE_done_with_scan(); + + if ( parse_status ) { reporter->Error("error compiling pattern /%s/", pattern_text); + Unref(nfa); + nfa = 0; return 0; } @@ -139,9 +159,19 @@ int Specific_RE_Matcher::CompileSet(const string_list& set, const int_list& idx) loop_over_list(set, i) { RE_set_input(set[i]); - if ( RE_parse() ) + int parse_status = RE_parse(); + RE_done_with_scan(); + + if ( parse_status ) { reporter->Error("error compiling pattern /%s/", set[i]); + + if ( set_nfa && set_nfa != nfa ) + Unref(set_nfa); + else + Unref(nfa); + + nfa = 0; return 0; } @@ -408,6 +438,14 @@ RE_Matcher::RE_Matcher(const char* pat) AddPat(pat); } +RE_Matcher::RE_Matcher(const char* exact_pat, const char* anywhere_pat) + { + re_anywhere = new Specific_RE_Matcher(MATCH_ANYWHERE); + re_anywhere->SetPat(anywhere_pat); + re_exact = new Specific_RE_Matcher(MATCH_EXACTLY); + re_exact->SetPat(exact_pat); + } + RE_Matcher::~RE_Matcher() { delete re_anywhere; @@ -420,6 +458,12 @@ void RE_Matcher::AddPat(const char* new_pat) re_exact->AddPat(new_pat); } +void RE_Matcher::MakeCaseInsensitive() + { + re_anywhere->MakeCaseInsensitive(); + re_exact->MakeCaseInsensitive(); + } + int RE_Matcher::Compile(int lazy) { return re_anywhere->Compile(lazy) && re_exact->Compile(lazy); diff --git a/src/RE.h b/src/RE.h index 7437dbb8b8..06b0699864 100644 --- a/src/RE.h +++ b/src/RE.h @@ -49,11 +49,13 @@ typedef enum { MATCH_ANYWHERE, MATCH_EXACTLY, } match_type; class Specific_RE_Matcher { public: - Specific_RE_Matcher(match_type mt, int multiline=0); + explicit Specific_RE_Matcher(match_type mt, int multiline=0); ~Specific_RE_Matcher(); void AddPat(const char* pat); + void MakeCaseInsensitive(); + void SetPat(const char* pat) { pattern_text = copy_string(pat); } int Compile(int lazy = 0); 
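Review bot: The new public `SetPat()` in `Specific_RE_Matcher` overwrites `pattern_text` without releasing the buffer it replaces, whereas `MakeCaseInsensitive()` in RE.cc treats the same member as an owned array and frees it with `delete []`. The two call sites added in this commit run on freshly constructed matchers, but any later caller that sets a pattern twice would leak the old string. Assuming the constructor initialises `pattern_text` to 0 (it is outside the hunk), the setter can free first: `void SetPat(const char* pat) { delete [] pattern_text; pattern_text = copy_string(pat); }`.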
@@ -133,7 +135,7 @@ protected: class RE_Match_State { public: - RE_Match_State(Specific_RE_Matcher* matcher) + explicit RE_Match_State(Specific_RE_Matcher* matcher) { dfa = matcher->DFA() ? matcher->DFA() : 0; ecs = matcher->EC()->EquivClasses(); @@ -172,12 +174,15 @@ protected: class RE_Matcher : SerialObj { public: RE_Matcher(); - RE_Matcher(const char* pat); - virtual ~RE_Matcher(); + explicit RE_Matcher(const char* pat); + RE_Matcher(const char* exact_pat, const char* anywhere_pat); + virtual ~RE_Matcher() override; - void AddDef(const char* defn_name, const char* defn_val); void AddPat(const char* pat); + // Makes the matcher as specified to date case-insensitive. + void MakeCaseInsensitive(); + int Compile(int lazy = 0); // Returns true if s exactly matches the pattern, false otherwise. diff --git a/src/Reassem.cc b/src/Reassem.cc index 14d894be4f..0cdeadf80d 100644 --- a/src/Reassem.cc +++ b/src/Reassem.cc @@ -10,9 +10,9 @@ static const bool DEBUG_reassem = false; -DataBlock::DataBlock(const u_char* data, uint64 size, uint64 arg_seq, - DataBlock* arg_prev, DataBlock* arg_next, - ReassemblerType reassem_type) +DataBlock::DataBlock(Reassembler* reass, const u_char* data, + uint64 size, uint64 arg_seq, DataBlock* arg_prev, + DataBlock* arg_next, ReassemblerType reassem_type) { seq = arg_seq; upper = seq + size; @@ -28,6 +28,9 @@ DataBlock::DataBlock(const u_char* data, uint64 size, uint64 arg_seq, if ( next ) next->prev = this; + reassembler = reass; + reassembler->size_of_all_blocks += size; + rtype = reassem_type; Reassembler::sizes[rtype] += pad_size(size) + padded_sizeof(DataBlock); Reassembler::total_size += pad_size(size) + padded_sizeof(DataBlock); 
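Review bot: In the `RE_Matcher` class hunk the destructor is declared as `virtual ~RE_Matcher() override;`, keeping `virtual` alongside `override`. Every other destructor touched in this commit drops the redundant keyword, so for consistency this line should read `~RE_Matcher() override;`.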
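Review bot: The running counter introduced in the `DataBlock` constructor is only correct if a block's `seq` and `upper` never change after construction: the constructor adds `size`, while the destructor in the Reassem.h hunk subtracts `Size()`. If any trimming code outside these hunks narrows a block in place, the unsigned counter drifts and can wrap, and `TotalSize()` now returns it directly instead of walking the list. The constructor also dereferences `reass` unconditionally, so a null parent crashes here. I would state the invariant next to the member, for example `uint64 size_of_all_blocks; // sum of Size() over blocks; maintained by DataBlock ctor/dtor, blocks must not be resized in place`.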
@@ -37,12 +40,11 @@ uint64 Reassembler::total_size = 0; uint64 Reassembler::sizes[REASSEM_NUM]; Reassembler::Reassembler(uint64 init_seq, ReassemblerType reassem_type) + : blocks(), last_block(), old_blocks(), last_old_block(), + last_reassem_seq(init_seq), trim_seq(init_seq), + max_old_blocks(0), total_old_blocks(0), size_of_all_blocks(0), + rtype(reassem_type) { - blocks = last_block = 0; - old_blocks = last_old_block = 0; - total_old_blocks = max_old_blocks = 0; - trim_seq = last_reassem_seq = init_seq; - rtype = reassem_type; } Reassembler::~Reassembler() @@ -57,6 +59,10 @@ void Reassembler::CheckOverlap(DataBlock *head, DataBlock *tail, if ( ! head || ! tail ) return; + if ( seq == tail->upper ) + // Special case check for common case of appending to the end. + return; + uint64 upper = (seq + len); for ( DataBlock* b = head; b; b = b->next ) @@ -116,7 +122,7 @@ void Reassembler::NewBlock(double t, uint64 seq, uint64 len, const u_char* data) if ( ! blocks ) blocks = last_block = start_block = - new DataBlock(data, len, seq, 0, 0, rtype); + new DataBlock(this, data, len, seq, 0, 0, rtype); else start_block = AddAndCheck(blocks, seq, upper_seq, data); @@ -249,12 +255,7 @@ void Reassembler::ClearOldBlocks() uint64 Reassembler::TotalSize() const { - uint64 size = 0; - - for ( DataBlock* b = blocks; b; b = b->next ) - size += b->Size(); - - return size; + return size_of_all_blocks; } void Reassembler::Describe(ODesc* d) const @@ -280,8 +281,8 @@ DataBlock* Reassembler::AddAndCheck(DataBlock* b, uint64 seq, uint64 upper, // Special check for the common case of appending to the end. if ( last_block && seq == last_block->upper ) { - last_block = new DataBlock(data, upper - seq, seq, - last_block, 0, rtype); + last_block = new DataBlock(this, data, upper - seq, + seq, last_block, 0, rtype); return last_block; } 
@@ -294,7 +295,8 @@ DataBlock* Reassembler::AddAndCheck(DataBlock* b, uint64 seq, uint64 upper, { // b is the last block, and it comes completely before // the new block. - last_block = new DataBlock(data, upper - seq, seq, b, 0, rtype); + last_block = new DataBlock(this, data, upper - seq, + seq, b, 0, rtype); return last_block; } @@ -303,7 +305,8 @@ DataBlock* Reassembler::AddAndCheck(DataBlock* b, uint64 seq, uint64 upper, if ( upper <= b->seq ) { // The new block comes completely before b. - new_b = new DataBlock(data, upper - seq, seq, b->prev, b, rtype); + new_b = new DataBlock(this, data, upper - seq, seq, + b->prev, b, rtype); if ( b == blocks ) blocks = new_b; return new_b; @@ -314,7 +317,8 @@ DataBlock* Reassembler::AddAndCheck(DataBlock* b, uint64 seq, uint64 upper, { // The new block has a prefix that comes before b. uint64 prefix_len = b->seq - seq; - new_b = new DataBlock(data, prefix_len, seq, b->prev, b, rtype); + new_b = new DataBlock(this, data, prefix_len, seq, + b->prev, b, rtype); if ( b == blocks ) blocks = new_b; diff --git a/src/Reassem.h b/src/Reassem.h index 1672a4f9dd..501cd23a18 100644 --- a/src/Reassem.h +++ b/src/Reassem.h @@ -18,11 +18,14 @@ enum ReassemblerType { REASSEM_NUM, }; +class Reassembler; + class DataBlock { public: - DataBlock(const u_char* data, uint64 size, uint64 seq, - DataBlock* prev, DataBlock* next, - ReassemblerType reassem_type = REASSEM_UNKNOWN); + DataBlock(Reassembler* reass, const u_char* data, + uint64 size, uint64 seq, + DataBlock* prev, DataBlock* next, + ReassemblerType reassem_type = REASSEM_UNKNOWN); ~DataBlock(); 
@@ -33,12 +36,14 @@ public: uint64 seq, upper; u_char* block; ReassemblerType rtype; + + Reassembler* reassembler; // Non-owning pointer back to parent. }; class Reassembler : public BroObj { public: Reassembler(uint64 init_seq, ReassemblerType reassem_type = REASSEM_UNKNOWN); - virtual ~Reassembler(); + ~Reassembler() override; void NewBlock(double t, uint64 seq, uint64 len, const u_char* data); @@ -55,7 +60,7 @@ public: uint64 TotalSize() const; // number of bytes buffered up - void Describe(ODesc* d) const; + void Describe(ODesc* d) const override; bool Serialize(SerialInfo* info) const; static Reassembler* Unserialize(UnserialInfo* info); @@ -96,6 +101,7 @@ protected: uint64 trim_seq; // how far we've trimmed uint32 max_old_blocks; uint32 total_old_blocks; + uint64 size_of_all_blocks; ReassemblerType rtype; @@ -105,6 +111,7 @@ protected: inline DataBlock::~DataBlock() { + reassembler->size_of_all_blocks -= Size(); Reassembler::total_size -= pad_size(upper - seq) + padded_sizeof(DataBlock); Reassembler::sizes[rtype] -= pad_size(upper - seq) + padded_sizeof(DataBlock); delete [] block; diff --git a/src/RemoteSerializer.cc b/src/RemoteSerializer.cc index 4842f819b6..392bdb8f6f 100644 --- a/src/RemoteSerializer.cc +++ b/src/RemoteSerializer.cc @@ -255,7 +255,7 @@ struct ping_args { # define DEBUG_COMM(msg) #endif -#define READ_CHUNK(i, c, do_if_eof) \ +#define READ_CHUNK(i, c, do_if_eof, kill_me) \ { \ if ( ! i->Read(&c) ) \ { \ @@ -264,7 +264,7 @@ struct ping_args { do_if_eof; \ } \ else \ - Error(fmt("can't read data chunk: %s", io->Error()), i == io); \ + Error(fmt("can't read data chunk: %s", io->Error()), kill_me); \ return false; \ } \ \ 
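Review bot: The rewritten error branch of `READ_CHUNK` still formats the message from `io->Error()` even though the failed read was on the macro argument `i`. In `ProcessRemoteMessage()` the macro is invoked with `peer->io`, so the message would describe whatever `io` names in that scope (presumably the parent channel) rather than the peer connection that actually failed, which makes the log misleading during triage. Since the line is being touched anyway, it should read `Error(fmt("can't read data chunk: %s", i->Error()), kill_me); \`. The macro body continues outside the hunk.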
@@ -1809,7 +1809,7 @@ RecordVal* RemoteSerializer::MakePeerVal(Peer* peer) v->Assign(0, new Val(uint32(peer->id), TYPE_COUNT)); // Sic! Network order for AddrVal, host order for PortVal. v->Assign(1, new AddrVal(peer->ip)); - v->Assign(2, new PortVal(peer->port, TRANSPORT_TCP)); + v->Assign(2, port_mgr->Get(peer->port, TRANSPORT_TCP)); v->Assign(3, new Val(false, TYPE_BOOL)); v->Assign(4, new StringVal("")); // set when received v->Assign(5, peer->peer_class.size() ? @@ -2730,10 +2730,10 @@ bool RemoteSerializer::ProcessLogCreateWriter() id_val = new EnumVal(id, internal_type("Log::ID")->AsEnumType()); writer_val = new EnumVal(writer, internal_type("Log::Writer")->AsEnumType()); - if ( ! log_mgr->CreateWriter(id_val, writer_val, info, num_fields, fields, - true, false, true) ) + if ( ! log_mgr->CreateWriterForRemoteLog(id_val, writer_val, info, num_fields, fields) ) { - delete_fields_up_to = num_fields; + info = 0; + fields = 0; goto error; } @@ -2803,7 +2803,7 @@ bool RemoteSerializer::ProcessLogWrite() id_val = new EnumVal(id, internal_type("Log::ID")->AsEnumType()); writer_val = new EnumVal(writer, internal_type("Log::Writer")->AsEnumType()); - success = log_mgr->Write(id_val, writer_val, path, num_fields, vals); + success = log_mgr->WriteFromRemote(id_val, writer_val, path, num_fields, vals); Unref(id_val); Unref(writer_val); @@ -3586,7 +3586,7 @@ bool SocketComm::ProcessParentMessage() { // Argument chunk follows. ChunkedIO::Chunk* c = 0; - READ_CHUNK(io, c, Error("parent died", true)); + READ_CHUNK(io, c, Error("parent died", true), true); parent_args = c; parent_msgstate = TYPE; bool result = DoParentMessage(); @@ -3872,7 +3872,7 @@ bool SocketComm::ProcessRemoteMessage(SocketComm::Peer* peer) { // CMsg follows ChunkedIO::Chunk* c; READ_CHUNK(peer->io, c, - (CloseConnection(peer, true), peer)) + (CloseConnection(peer, true), peer), false) CMsg* msg = (CMsg*) c->data; 
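Review bot: The failure branch in `ProcessLogCreateWriter()` now clears `info` and `fields` before `goto error`, which is only safe if `CreateWriterForRemoteLog()` takes ownership of both arguments even when it returns false; nothing in the hunk states that. Without a comment the two assignments read like an accidental leak, and a later change to the callee's ownership rules would turn them into either a leak or a double free. A one-line comment above them would pin the contract, for example `// CreateWriterForRemoteLog() takes ownership of info and fields, also on failure.` The `error:` cleanup this relies on is outside the hunk.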
@@ -3907,7 +3907,7 @@ bool SocketComm::ProcessRemoteMessage(SocketComm::Peer* peer) // forward to our parent. ChunkedIO::Chunk* c; READ_CHUNK(peer->io, c, - (CloseConnection(peer, true), peer)) + (CloseConnection(peer, true), peer), false) // Set time3. ping_args* args = (ping_args*) c->data; @@ -3921,7 +3921,7 @@ bool SocketComm::ProcessRemoteMessage(SocketComm::Peer* peer) // forward to our parent. ChunkedIO::Chunk* c; READ_CHUNK(peer->io, c, - (CloseConnection(peer, true), peer)) + (CloseConnection(peer, true), peer), false) // Calculate time delta. ping_args* args = (ping_args*) c->data; @@ -3944,7 +3944,7 @@ bool SocketComm::ProcessRemoteMessage(SocketComm::Peer* peer) // forward to our parent. ChunkedIO::Chunk* c; READ_CHUNK(peer->io, c, - (CloseConnection(peer, true), peer)) + (CloseConnection(peer, true), peer), false) return ForwardChunkToParent(peer, c); } diff --git a/src/RemoteSerializer.h b/src/RemoteSerializer.h index 2af7610a7c..28ca495f17 100644 --- a/src/RemoteSerializer.h +++ b/src/RemoteSerializer.h @@ -25,7 +25,7 @@ namespace threading { class RemoteSerializer : public Serializer, public iosource::IOSource { public: RemoteSerializer(); - virtual ~RemoteSerializer(); + ~RemoteSerializer() override; // Initialize the remote serializer (calling this will fork). void Enable(); 
@@ -140,12 +140,12 @@ public: void Finish(); // Overidden from IOSource: - virtual void GetFds(iosource::FD_Set* read, iosource::FD_Set* write, - iosource::FD_Set* except); - virtual double NextTimestamp(double* local_network_time); - virtual void Process(); - virtual TimerMgr::Tag* GetCurrentTag(); - virtual const char* Tag() { return "RemoteSerializer"; } + void GetFds(iosource::FD_Set* read, iosource::FD_Set* write, + iosource::FD_Set* except) override; + double NextTimestamp(double* local_network_time) override; + void Process() override; + TimerMgr::Tag* GetCurrentTag() override; + const char* Tag() override { return "RemoteSerializer"; } // Gracefully finishes communication by first making sure that all // remaining data (parent & child) has been sent out. @@ -246,17 +246,17 @@ protected: static void Log(LogLevel level, const char* msg, Peer* peer, LogSrc src = LogParent); - virtual void ReportError(const char* msg); + void ReportError(const char* msg) override; - virtual void GotEvent(const char* name, double time, - EventHandlerPtr event, val_list* args); - virtual void GotFunctionCall(const char* name, double time, - Func* func, val_list* args); - virtual void GotID(ID* id, Val* val); - virtual void GotStateAccess(StateAccess* s); - virtual void GotTimer(Timer* t); - virtual void GotConnection(Connection* c); - virtual void GotPacket(Packet* packet); + void GotEvent(const char* name, double time, + EventHandlerPtr event, val_list* args) override; + void GotFunctionCall(const char* name, double time, + Func* func, val_list* args) override; + void GotID(ID* id, Val* val) override; + void GotStateAccess(StateAccess* s) override; + void GotTimer(Timer* t) override; + void GotConnection(Connection* c) override; + void GotPacket(Packet* packet) override; void Fork(); diff --git a/src/Reporter.cc b/src/Reporter.cc index 4823b33ef3..eb89a29d30 100644 --- a/src/Reporter.cc +++ b/src/Reporter.cc 
@@ -10,6 +10,8 @@ #include "NetVar.h" #include "Net.h" #include "Conn.h" +#include "plugin/Plugin.h" +#include "plugin/Manager.h" #ifdef SYSLOG_INT extern "C" { @@ -323,7 +325,24 @@ void Reporter::DoLog(const char* prefix, EventHandlerPtr event, FILE* out, // buffer size above. safe_snprintf(buffer + strlen(buffer), size - strlen(buffer), " [%s]", postfix); - if ( event && via_events && ! in_error_handler ) + bool raise_event = true; + + if ( via_events && ! in_error_handler ) + { + if ( locations.size() ) + { + auto locs = locations.back(); + raise_event = PLUGIN_HOOK_WITH_RESULT(HOOK_REPORTER, + HookReporter(prefix, event, conn, addl, location, + locs.first, locs.second, time, buffer), true); + } + else + raise_event = PLUGIN_HOOK_WITH_RESULT(HOOK_REPORTER, + HookReporter(prefix, event, conn, addl, location, + nullptr, nullptr, time, buffer), true); + } + + if ( raise_event && event && via_events && ! in_error_handler ) { val_list* vl = new val_list; diff --git a/src/Reporter.h b/src/Reporter.h index 19cdbb7e82..85b9a483a2 100644 --- a/src/Reporter.h +++ b/src/Reporter.h @@ -66,11 +66,11 @@ public: // Report a runtime error in evaluating a Bro script expression. This // function will not return but raise an InterpreterException. - void ExprRuntimeError(const Expr* expr, const char* fmt, ...); + void ExprRuntimeError(const Expr* expr, const char* fmt, ...) __attribute__((format(printf, 3, 4))); // Report a runtime error in evaluating a Bro script expression. This // function will not return but raise an InterpreterException. - void RuntimeError(const Location* location, const char* fmt, ...); + void RuntimeError(const Location* location, const char* fmt, ...) __attribute__((format(printf, 3, 4))); // Report a traffic weirdness, i.e., an unexpected protocol situation // that may lead to incorrectly processing a connnection. 
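Review bot: In `Reporter::DoLog()` the result of the new `HOOK_REPORTER` call gates only the `if ( raise_event && event && ... )` block, so a plugin returning false silently suppresses the script-level event for a warning or error, and the code carries no comment saying so. Because that lets a loaded plugin hide reporter messages from script-land handlers, the behaviour deserves an explicit note such as `// A plugin returning false from HookReporter suppresses the event raised below.` Whether the later write to `out` is also meant to be skipped cannot be seen from this hunk and should be stated as well. The two branches differ only in the location arguments, so they could share a single hook call.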
@@ -123,7 +123,7 @@ public: private: void DoLog(const char* prefix, EventHandlerPtr event, FILE* out, Connection* conn, val_list* addl, bool location, bool time, - const char* postfix, const char* fmt, va_list ap); + const char* postfix, const char* fmt, va_list ap) __attribute__((format(printf, 10, 0))); // The order if addl, name needs to be like that since fmt_name can // contain format specifiers diff --git a/src/RuleAction.h b/src/RuleAction.h index 7b5a76fad5..8499065ea0 100644 --- a/src/RuleAction.h +++ b/src/RuleAction.h @@ -24,13 +24,13 @@ public: // Implements the "event" keyword. class RuleActionEvent : public RuleAction { public: - RuleActionEvent(const char* arg_msg) { msg = copy_string(arg_msg); } - virtual ~RuleActionEvent() { delete [] msg; } + explicit RuleActionEvent(const char* arg_msg) { msg = copy_string(arg_msg); } + ~RuleActionEvent() override { delete [] msg; } - virtual void DoAction(const Rule* parent, RuleEndpointState* state, - const u_char* data, int len); + void DoAction(const Rule* parent, RuleEndpointState* state, + const u_char* data, int len) override; - virtual void PrintDebug(); + void PrintDebug() override; private: const char* msg; @@ -38,17 +38,17 @@ private: class RuleActionMIME : public RuleAction { public: - RuleActionMIME(const char* arg_mime, int arg_strength = 0) + explicit RuleActionMIME(const char* arg_mime, int arg_strength = 0) { mime = copy_string(arg_mime); strength = arg_strength; } - virtual ~RuleActionMIME() + ~RuleActionMIME() override { delete [] mime; } - virtual void DoAction(const Rule* parent, RuleEndpointState* state, - const u_char* data, int len) + void DoAction(const Rule* parent, RuleEndpointState* state, + const u_char* data, int len) override { } - virtual void PrintDebug(); + void PrintDebug() override; string GetMIME() const { return mime; } 
@@ -64,12 +64,12 @@ private: // Base class for enable/disable actions. class RuleActionAnalyzer : public RuleAction { public: - RuleActionAnalyzer(const char* analyzer); + explicit RuleActionAnalyzer(const char* analyzer); - virtual void DoAction(const Rule* parent, RuleEndpointState* state, - const u_char* data, int len) = 0; + void DoAction(const Rule* parent, RuleEndpointState* state, + const u_char* data, int len) override = 0; - virtual void PrintDebug(); + void PrintDebug() override; analyzer::Tag Analyzer() const { return analyzer; } analyzer::Tag ChildAnalyzer() const { return child_analyzer; } @@ -81,22 +81,22 @@ private: class RuleActionEnable : public RuleActionAnalyzer { public: - RuleActionEnable(const char* analyzer) : RuleActionAnalyzer(analyzer) {} + explicit RuleActionEnable(const char* analyzer) : RuleActionAnalyzer(analyzer) {} - virtual void DoAction(const Rule* parent, RuleEndpointState* state, - const u_char* data, int len); + void DoAction(const Rule* parent, RuleEndpointState* state, + const u_char* data, int len) override; - virtual void PrintDebug(); + void PrintDebug() override; }; class RuleActionDisable : public RuleActionAnalyzer { public: - RuleActionDisable(const char* analyzer) : RuleActionAnalyzer(analyzer) {} + explicit RuleActionDisable(const char* analyzer) : RuleActionAnalyzer(analyzer) {} - virtual void DoAction(const Rule* parent, RuleEndpointState* state, - const u_char* data, int len); + void DoAction(const Rule* parent, RuleEndpointState* state, + const u_char* data, int len) override; - virtual void PrintDebug(); + void PrintDebug() override; }; #endif diff --git a/src/RuleCondition.cc b/src/RuleCondition.cc index 9df70f118b..d9a8608e8c 100644 --- a/src/RuleCondition.cc +++ b/src/RuleCondition.cc 
@@ -175,8 +175,14 @@ bool RuleConditionEval::DoMatch(Rule* rule, RuleEndpointState* state, try { Val* val = id->ID_Val()->AsFunc()->Call(&args); - result = val->AsBool(); - Unref(val); + + if ( val ) + { + result = val->AsBool(); + Unref(val); + } + else + result = false; } catch ( InterpreterException& e ) diff --git a/src/RuleCondition.h b/src/RuleCondition.h index b859930581..4b1fbf6c57 100644 --- a/src/RuleCondition.h +++ b/src/RuleCondition.h @@ -31,15 +31,15 @@ public: STATE_STATELESS = 8 }; - RuleConditionTCPState(int arg_tcpstates) + explicit RuleConditionTCPState(int arg_tcpstates) { tcpstates = arg_tcpstates; } - virtual ~RuleConditionTCPState() { } + ~RuleConditionTCPState() override { } - virtual bool DoMatch(Rule* rule, RuleEndpointState* state, - const u_char* data, int len); + bool DoMatch(Rule* rule, RuleEndpointState* state, + const u_char* data, int len) override; - virtual void PrintDebug(); + void PrintDebug() override; private: int tcpstates; @@ -56,13 +56,15 @@ public: OPT_SSRR = 8, }; - RuleConditionIPOptions(int arg_options) { options = arg_options; } - virtual ~RuleConditionIPOptions() { } + explicit RuleConditionIPOptions(int arg_options) { options = arg_options; } - virtual bool DoMatch(Rule* rule, RuleEndpointState* state, - const u_char* data, int len); + ~RuleConditionIPOptions() override + { } - virtual void PrintDebug(); + bool DoMatch(Rule* rule, RuleEndpointState* state, + const u_char* data, int len) override; + + void PrintDebug() override; private: int options; @@ -72,12 +74,12 @@ private: class RuleConditionSameIP : public RuleCondition { public: RuleConditionSameIP() { } - virtual ~RuleConditionSameIP() {} + ~RuleConditionSameIP() override {} - virtual bool DoMatch(Rule* rule, RuleEndpointState* state, - const u_char* data, int len); + bool DoMatch(Rule* rule, RuleEndpointState* state, + const u_char* data, int len) override; - virtual void PrintDebug(); + void PrintDebug() override; }; // Implements "payload-size". 
@@ -88,12 +90,12 @@ public: RuleConditionPayloadSize(uint32 arg_val, Comp arg_comp) { val = arg_val; comp = arg_comp; } - virtual ~RuleConditionPayloadSize() {} + ~RuleConditionPayloadSize() override {} - virtual bool DoMatch(Rule* rule, RuleEndpointState* state, - const u_char* data, int len); + bool DoMatch(Rule* rule, RuleEndpointState* state, + const u_char* data, int len) override; - virtual void PrintDebug(); + void PrintDebug() override; private: uint32 val; @@ -103,13 +105,13 @@ private: // Implements "eval" which evaluates the given Bro identifier. class RuleConditionEval : public RuleCondition { public: - RuleConditionEval(const char* func); - virtual ~RuleConditionEval() {} + explicit RuleConditionEval(const char* func); + ~RuleConditionEval() override {} - virtual bool DoMatch(Rule* rule, RuleEndpointState* state, - const u_char* data, int len); + bool DoMatch(Rule* rule, RuleEndpointState* state, + const u_char* data, int len) override; - virtual void PrintDebug(); + void PrintDebug() override; private: ID* id; }; diff --git a/src/Scope.cc b/src/Scope.cc index 091dbabb9b..97d8e23003 100644 --- a/src/Scope.cc +++ b/src/Scope.cc @@ -113,13 +113,13 @@ TraversalCode Scope::Traverse(TraversalCallback* cb) const ID* lookup_ID(const char* name, const char* curr_module, bool no_global, - bool same_module_only) + bool same_module_only, bool check_export) { string fullname = make_full_var_name(curr_module, name); string ID_module = extract_module_name(fullname.c_str()); - bool need_export = ID_module != GLOBAL_MODULE_NAME && - ID_module != curr_module; + bool need_export = check_export && (ID_module != GLOBAL_MODULE_NAME && + ID_module != curr_module); for ( int i = scopes.length() - 1; i >= 0; --i ) { diff --git a/src/Scope.h b/src/Scope.h index 265d624a66..f2713fef80 100644 --- a/src/Scope.h +++ b/src/Scope.h 
@@ -19,8 +19,8 @@ declare(PDict,ID); class Scope : public BroObj { public: - Scope(ID* id); - ~Scope(); + explicit Scope(ID* id); + ~Scope() override; ID* Lookup(const char* name) const { return local->Lookup(name); } void Insert(const char* name, ID* id) { local->Insert(name, id); } @@ -47,7 +47,7 @@ public: // Adds a variable to the list. void AddInit(ID* id) { inits->append(id); } - void Describe(ODesc* d) const; + void Describe(ODesc* d) const override; TraversalCode Traverse(TraversalCallback* cb) const; @@ -64,7 +64,8 @@ extern bool in_debug; // If no_global is true, don't search in the default "global" namespace. // This passed ownership of a ref'ed ID to the caller. extern ID* lookup_ID(const char* name, const char* module, - bool no_global = false, bool same_module_only=false); + bool no_global = false, bool same_module_only = false, + bool check_export = true); extern ID* install_ID(const char* name, const char* module_name, bool is_global, bool is_export); diff --git a/src/SerialObj.h b/src/SerialObj.h index ca661db8af..b502414f71 100644 --- a/src/SerialObj.h +++ b/src/SerialObj.h @@ -3,7 +3,7 @@ // How to make objects of class Foo serializable: // // 1. Derive Foo (directly or indirectly) from SerialObj. -// 2. Add a SER_FOO constant to SerialTypes below. +// 2. Add a SER_FOO constant to SerialTypes in SerialTypes.h. // 3. Add DECLARE_SERIAL(Foo) into class definition. // 4. Add a (preferably protected) default ctor if it doesn't already exist. // 5. For non-abstract classes, add IMPLEMENT_SERIAL(Foo, SER_FOO) to *.cc 
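Review bot: The `lookup_ID()` declaration gains a `check_export` parameter, but the comment block above it still documents only `no_global`. In Scope.cc the flag switches off `need_export`, which presumably lets a lookup resolve another module's identifier even when it is not exported, so callers should know when passing false is appropriate. I would add a line to the header comment, for example `// If check_export is false, identifiers from other modules are returned even if they are not exported.`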
@@ -163,16 +163,16 @@ public: // Macro helpers. #define DECLARE_ABSTRACT_SERIAL(classname) \ - virtual bool DoSerialize(SerialInfo*) const; \ - virtual bool DoUnserialize(UnserialInfo*); \ + bool DoSerialize(SerialInfo*) const override; \ + bool DoUnserialize(UnserialInfo*) override; \ #define DECLARE_SERIAL(classname) \ static classname* Instantiate(); \ static SerialTypeRegistrator register_type; \ - virtual bool DoSerialize(SerialInfo*) const override; \ - virtual bool DoUnserialize(UnserialInfo*) override; \ - virtual const TransientID* GetTID() const override { return &tid; } \ - virtual SerialType GetSerialType() const override; \ + bool DoSerialize(SerialInfo*) const override; \ + bool DoUnserialize(UnserialInfo*) override; \ + const TransientID* GetTID() const override { return &tid; } \ + SerialType GetSerialType() const override; \ TransientID tid; // Only needed (and usable) for non-abstract classes. diff --git a/src/SerialTypes.h b/src/SerialTypes.h index cf2c52a08b..029048a80f 100644 --- a/src/SerialTypes.h +++ b/src/SerialTypes.h @@ -115,6 +115,7 @@ SERIAL_VAL(CARDINALITY_VAL, 22) SERIAL_VAL(X509_VAL, 23) SERIAL_VAL(COMM_STORE_HANDLE_VAL, 24) SERIAL_VAL(COMM_DATA_VAL, 25) +SERIAL_VAL(OCSP_RESP_VAL, 26) #define SERIAL_EXPR(name, val) SERIAL_CONST(name, val, EXPR) SERIAL_EXPR(EXPR, 1) @@ -161,6 +162,10 @@ SERIAL_EXPR(SET_CONSTRUCTOR_EXPR, 41) SERIAL_EXPR(VECTOR_CONSTRUCTOR_EXPR, 42) SERIAL_EXPR(TABLE_COERCE_EXPR, 43) SERIAL_EXPR(VECTOR_COERCE_EXPR, 44) +SERIAL_EXPR(CAST_EXPR, 45) +SERIAL_EXPR(IS_EXPR_, 46) // Name conflict with internal SER_IS_EXPR constant. +SERIAL_EXPR(BIT_EXPR, 47) +SERIAL_EXPR(COMPLEMENT_EXPR, 48) #define SERIAL_STMT(name, val) SERIAL_CONST(name, val, STMT) SERIAL_STMT(STMT, 1) diff --git a/src/SerializationFormat.cc b/src/SerializationFormat.cc index 1483578a9e..d5f366f7fd 100644 --- a/src/SerializationFormat.cc +++ b/src/SerializationFormat.cc 
@@ -18,7 +18,7 @@ SerializationFormat::~SerializationFormat() free(output); } -void SerializationFormat::StartRead(char* data, uint32 arg_len) +void SerializationFormat::StartRead(const char* data, uint32 arg_len) { input = data; input_len = arg_len; diff --git a/src/SerializationFormat.h b/src/SerializationFormat.h index 3a6a578653..43e6fde693 100644 --- a/src/SerializationFormat.h +++ b/src/SerializationFormat.h @@ -19,7 +19,7 @@ public: virtual ~SerializationFormat(); // Unserialization. - virtual void StartRead(char* data, uint32 len); + virtual void StartRead(const char* data, uint32 len); virtual void EndRead(); virtual bool Read(int* v, const char* tag) = 0; @@ -87,7 +87,7 @@ protected: uint32 output_size; uint32 output_pos; - char* input; + const char* input; uint32 input_len; uint32 input_pos; 
@@ -98,40 +98,40 @@ protected: class BinarySerializationFormat : public SerializationFormat { public: BinarySerializationFormat(); - virtual ~BinarySerializationFormat(); + ~BinarySerializationFormat() override; - virtual bool Read(int* v, const char* tag); - virtual bool Read(uint16* v, const char* tag); - virtual bool Read(uint32* v, const char* tag); - virtual bool Read(int64* v, const char* tag); - virtual bool Read(uint64* v, const char* tag); - virtual bool Read(char* v, const char* tag); - virtual bool Read(bool* v, const char* tag); - virtual bool Read(double* d, const char* tag); - virtual bool Read(char** str, int* len, const char* tag); - virtual bool Read(string* s, const char* tag); - virtual bool Read(IPAddr* addr, const char* tag); - virtual bool Read(IPPrefix* prefix, const char* tag); - virtual bool Read(struct in_addr* addr, const char* tag); - virtual bool Read(struct in6_addr* addr, const char* tag); - virtual bool Write(int v, const char* tag); - virtual bool Write(uint16 v, const char* tag); - virtual bool Write(uint32 v, const char* tag); - virtual bool Write(int64 v, const char* tag); - virtual bool Write(uint64 v, const char* tag); - virtual bool Write(char v, const char* tag); - virtual bool Write(bool v, const char* tag); - virtual bool Write(double d, const char* tag); - virtual bool Write(const char* s, const char* tag); - virtual bool Write(const char* buf, int len, const char* tag); - virtual bool Write(const string& s, const char* tag); - virtual bool Write(const IPAddr& addr, const char* tag); - virtual bool Write(const IPPrefix& prefix, const char* tag); - virtual bool Write(const struct in_addr& addr, const char* tag); - virtual bool Write(const struct in6_addr& addr, const char* tag); - virtual bool WriteOpenTag(const char* tag); - virtual bool WriteCloseTag(const char* tag); - virtual bool WriteSeparator(); + bool Read(int* v, const char* tag) override; + bool Read(uint16* v, const char* tag) override; + bool Read(uint32* v, 
const char* tag) override; + bool Read(int64* v, const char* tag) override; + bool Read(uint64* v, const char* tag) override; + bool Read(char* v, const char* tag) override; + bool Read(bool* v, const char* tag) override; + bool Read(double* d, const char* tag) override; + bool Read(char** str, int* len, const char* tag) override; + bool Read(string* s, const char* tag) override; + bool Read(IPAddr* addr, const char* tag) override; + bool Read(IPPrefix* prefix, const char* tag) override; + bool Read(struct in_addr* addr, const char* tag) override; + bool Read(struct in6_addr* addr, const char* tag) override; + bool Write(int v, const char* tag) override; + bool Write(uint16 v, const char* tag) override; + bool Write(uint32 v, const char* tag) override; + bool Write(int64 v, const char* tag) override; + bool Write(uint64 v, const char* tag) override; + bool Write(char v, const char* tag) override; + bool Write(bool v, const char* tag) override; + bool Write(double d, const char* tag) override; + bool Write(const char* s, const char* tag) override; + bool Write(const char* buf, int len, const char* tag) override; + bool Write(const string& s, const char* tag) override; + bool Write(const IPAddr& addr, const char* tag) override; + bool Write(const IPPrefix& prefix, const char* tag) override; + bool Write(const struct in_addr& addr, const char* tag) override; + bool Write(const struct in6_addr& addr, const char* tag) override; + bool WriteOpenTag(const char* tag) override; + bool WriteCloseTag(const char* tag) override; + bool WriteSeparator() override; }; #endif diff --git a/src/Serializer.cc b/src/Serializer.cc index b759334b4d..0366c36c81 100644 --- a/src/Serializer.cc +++ b/src/Serializer.cc @@ -1017,7 +1017,7 @@ double EventPlayer::NextTimestamp(double* local_network_time) return ne_time; if ( ! io ) - return 0; + return -1; // Read next event if we don't have one waiting. if ( ! ne_time ) 
@@ -1028,7 +1028,7 @@ double EventPlayer::NextTimestamp(double* local_network_time) } if ( ! ne_time ) - return 0; + return -1; if ( ! network_time ) { diff --git a/src/Serializer.h b/src/Serializer.h index 7f31e27d55..3b863a5b6e 100644 --- a/src/Serializer.h +++ b/src/Serializer.h @@ -96,7 +96,7 @@ public: protected: // Format defaults to binary serialization. - Serializer(SerializationFormat* format = 0); + explicit Serializer(SerializationFormat* format = 0); virtual ~Serializer(); // Reads next object. @@ -159,7 +159,7 @@ public: // If max_cache_size is greater than zero, we'll remove old entries // automatically if limit is reached (LRU expiration). - SerializationCache(unsigned int max_cache_size = 0); + explicit SerializationCache(unsigned int max_cache_size = 0); ~SerializationCache(); PermanentID Register(const SerialObj* obj, PermanentID pid, 
@@ -261,27 +261,27 @@ private: // minimal implementation of Serializer! class CloneSerializer : public Serializer { public: - CloneSerializer(SerializationFormat* format = 0) : Serializer(format) { } - virtual ~CloneSerializer() { } + explicit CloneSerializer(SerializationFormat* format = 0) : Serializer(format) { } + ~CloneSerializer() override + { } protected: - virtual void ReportError(const char* msg) { reporter->Error("%s", msg); } - virtual void GotID(ID* id, Val* val) { } - virtual void GotEvent(const char* name, double time, - EventHandlerPtr event, val_list* args) { } - virtual void GotFunctionCall(const char* name, double time, - Func* func, val_list* args) { } - virtual void GotStateAccess(StateAccess* s) { delete s; } - virtual void GotTimer(Timer* t) { } - virtual void GotConnection(Connection* c) { } - virtual void GotPacket(Packet* packet) { } + void ReportError(const char* msg) override { reporter->Error("%s", msg); } + void GotID(ID* id, Val* val) override { } + void GotEvent(const char* name, double time, EventHandlerPtr event, val_list* args) override { } + void GotFunctionCall(const char* name, double time, + Func* func, val_list* args) override { } + void GotStateAccess(StateAccess* s) override { delete s; } + void GotTimer(Timer* t) override { } + void GotConnection(Connection* c) override { } + void GotPacket(Packet* packet) override { } }; // Write values/events to file or fd. class FileSerializer : public Serializer { public: - FileSerializer(SerializationFormat* format = 0); - virtual ~FileSerializer(); + explicit FileSerializer(SerializationFormat* format = 0); + ~FileSerializer() override; // Opens the file for serialization. bool Open(const char* file, bool pure = false); 
@@ -291,16 +291,16 @@ public: bool Read(UnserialInfo* info, const char* file, bool header = true); protected: - virtual void ReportError(const char* msg); - virtual void GotID(ID* id, Val* val); - virtual void GotEvent(const char* name, double time, - EventHandlerPtr event, val_list* args); - virtual void GotFunctionCall(const char* name, double time, - Func* func, val_list* args); - virtual void GotStateAccess(StateAccess* s); - virtual void GotTimer(Timer* t); - virtual void GotConnection(Connection* c); - virtual void GotPacket(Packet* packet); + void ReportError(const char* msg) override; + void GotID(ID* id, Val* val) override; + void GotEvent(const char* name, double time, + EventHandlerPtr event, val_list* args) override; + void GotFunctionCall(const char* name, double time, + Func* func, val_list* args) override; + void GotStateAccess(StateAccess* s) override; + void GotTimer(Timer* t) override; + void GotConnection(Connection* c) override; + void GotPacket(Packet* packet) override; bool OpenFile(const char* file, bool readonly, bool should_exist = false); void CloseFile(); 
@@ -331,21 +331,21 @@ public: // Plays a file of events back. class EventPlayer : public FileSerializer, public iosource::IOSource { public: - EventPlayer(const char* file); - virtual ~EventPlayer(); + explicit EventPlayer(const char* file); + ~EventPlayer() override; - virtual void GetFds(iosource::FD_Set* read, iosource::FD_Set* write, - iosource::FD_Set* except); - virtual double NextTimestamp(double* local_network_time); - virtual void Process(); - virtual const char* Tag() { return "EventPlayer"; } + void GetFds(iosource::FD_Set* read, iosource::FD_Set* write, + iosource::FD_Set* except) override; + double NextTimestamp(double* local_network_time) override; + void Process() override; + const char* Tag() override { return "EventPlayer"; } protected: - virtual void GotID(ID* id, Val* val) {} - virtual void GotEvent(const char* name, double time, - EventHandlerPtr event, val_list* args); - virtual void GotFunctionCall(const char* name, double time, - Func* func, val_list* args); + void GotID(ID* id, Val* val) override {} + void GotEvent(const char* name, double time, + EventHandlerPtr event, val_list* args) override; + void GotFunctionCall(const char* name, double time, + Func* func, val_list* args) override; double stream_time; // time of first captured event double replay_time; // network time of replay start diff --git a/src/Sessions.cc b/src/Sessions.cc index 9361b7cde2..876988361d 100644 --- a/src/Sessions.cc +++ b/src/Sessions.cc 
@@ -337,11 +337,25 @@ void NetSessions::DoNextPacket(double t, const Packet* pkt, const IP_Hdr* ip_hdr return; } + // For both of these it is safe to pass ip_hdr because the presence + // is guaranteed for the functions that pass data to us. + uint16 ip_hdr_len = ip_hdr->HdrLen(); + if ( ip_hdr_len > len ) + { + Weird("invalid_IP_header_size", ip_hdr, encapsulation); + return; + } + + if ( ip_hdr_len > caplen ) + { + Weird("internally_truncated_header", ip_hdr, encapsulation); + return; + } + // Ignore if packet matches packet filter. if ( packet_filter && packet_filter->Match(ip_hdr, len, caplen) ) return; - int ip_hdr_len = ip_hdr->HdrLen(); if ( ! ignore_checksums && ip4 && ones_complement_checksum((void*) ip4, ip_hdr_len, 0) != 0xffff ) { @@ -381,6 +395,12 @@ void NetSessions::DoNextPacket(double t, const Packet* pkt, const IP_Hdr* ip_hdr caplen = len = ip_hdr->TotalLen(); ip_hdr_len = ip_hdr->HdrLen(); + + if ( ip_hdr_len > len ) + { + Weird("invalid_IP_header_size", ip_hdr, encapsulation); + return; + } } } @@ -431,7 +451,6 @@ void NetSessions::DoNextPacket(double t, const Packet* pkt, const IP_Hdr* ip_hdr return; } #endif - int proto = ip_hdr->NextProto(); if ( CheckHeaderTrunc(proto, len, caplen, pkt, encapsulation) ) @@ -510,6 +529,11 @@ void NetSessions::DoNextPacket(double t, const Packet* pkt, const IP_Hdr* ip_hdr uint16 proto_typ = ntohs(*((uint16*)(data + 2))); int gre_version = flags_ver & 0x0007; + // If a carried packet has ethernet, this will help skip it. + unsigned int eth_len = 0; + unsigned int gre_len = gre_header_len(flags_ver); + unsigned int ppp_len = gre_version == 1 ? 4 : 0; + if ( gre_version != 0 && gre_version != 1 ) { Weird(fmt("unknown_gre_version_%d", gre_version), ip_hdr, 
@@ -519,7 +543,18 @@ void NetSessions::DoNextPacket(double t, const Packet* pkt, const IP_Hdr* ip_hdr
 if ( gre_version == 0 )
 {
- if ( proto_typ != 0x0800 && proto_typ != 0x86dd )
+ if ( proto_typ == 0x6558 && len > gre_len + 14 )
+ {
+ // transparent ethernet bridging
+ eth_len = 14;
+ proto_typ = ntohs(*((uint16*)(data + gre_len + 12)));
+ }
+
+ if ( proto_typ == 0x0800 )
+ proto = IPPROTO_IPV4;
+ else if ( proto_typ == 0x86dd )
+ proto = IPPROTO_IPV6;
+ else
 {
 // Not IPv4/IPv6 payload.
 Weird(fmt("unknown_gre_protocol_%" PRIu16, proto_typ), ip_hdr,
@@ -527,7 +562,6 @@ void NetSessions::DoNextPacket(double t, const Packet* pkt, const IP_Hdr* ip_hdr
 return;
 }
- proto = (proto_typ == 0x0800) ? IPPROTO_IPV4 : IPPROTO_IPV6;
 }
 else // gre_version == 1
@@ -556,10 +590,7 @@ void NetSessions::DoNextPacket(double t, const Packet* pkt, const IP_Hdr* ip_hdr
 return;
 }
- unsigned int gre_len = gre_header_len(flags_ver);
- unsigned int ppp_len = gre_version == 1 ? 1 : 0;
-
- if ( len < gre_len + ppp_len || caplen < gre_len + ppp_len )
+ if ( len < gre_len + ppp_len + eth_len || caplen < gre_len + ppp_len + eth_len )
 {
 Weird("truncated_GRE", ip_hdr, encapsulation);
 return;
@@ -567,7 +598,7 @@ void NetSessions::DoNextPacket(double t, const Packet* pkt, const IP_Hdr* ip_hdr
 if ( gre_version == 1 )
 {
- int ppp_proto = *((uint8*)(data + gre_len));
+ uint16 ppp_proto = ntohs(*((uint16*)(data + gre_len + 2)));
 if ( ppp_proto != 0x0021 && ppp_proto != 0x0057 )
 {
@@ -578,9 +609,9 @@ void NetSessions::DoNextPacket(double t, const Packet* pkt, const IP_Hdr* ip_hdr
 proto = (ppp_proto == 0x0021) ? IPPROTO_IPV4 : IPPROTO_IPV6;
 }
- data += gre_len + ppp_len;
- len -= gre_len + ppp_len;
- caplen -= gre_len + ppp_len;
+ data += gre_len + ppp_len + eth_len;
+ len -= gre_len + ppp_len + eth_len;
+ caplen -= gre_len + ppp_len + eth_len;
 // Treat GRE tunnel like IP tunnels, fallthrough to logic below now
 // that GRE header is stripped and only payload packet remains.
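Review bot: The transparent-ethernet-bridging branch reads the inner EtherType at `data + gre_len + 12` after testing only `len > gre_len + 14`; `caplen` is not compared until the `truncated_GRE` check in the later hunk at -556, so on a capture truncated by the snap length this read can run past the captured bytes. Guard the branch with both lengths: `if ( proto_typ == 0x6558 && len > gre_len + 14 && caplen > gre_len + 14 )`. The cast to `uint16*` also assumes the offset is suitably aligned, as the other header reads in this function do. DoNextPacket starts and ends outside the hunk, so an earlier caplen bound that would cover this offset cannot be ruled out from here.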
@@ -607,10 +638,10 @@ void NetSessions::DoNextPacket(double t, const Packet* pkt, const IP_Hdr* ip_hdr // Check for a valid inner packet first. IP_Hdr* inner = 0; int result = ParseIPPacket(caplen, data, proto, inner); - - if ( result < 0 ) + if ( result == -2 ) + Weird("invalid_inner_IP_version", ip_hdr, encapsulation); + else if ( result < 0 ) Weird("truncated_inner_IP", ip_hdr, encapsulation); - else if ( result > 0 ) Weird("inner_IP_payload_length_mismatch", ip_hdr, encapsulation); @@ -794,6 +825,7 @@ void NetSessions::DoNextInnerPacket(double t, const Packet* pkt, // Construct fake packet for DoNextPacket Packet p; p.Init(DLT_RAW, &ts, caplen, len, data, false, ""); + DoNextPacket(t, &p, inner, outer); delete inner; @@ -808,7 +840,10 @@ int NetSessions::ParseIPPacket(int caplen, const u_char* const pkt, int proto, if ( caplen < (int)sizeof(struct ip6_hdr) ) return -1; - inner = new IP_Hdr((const struct ip6_hdr*) pkt, false, caplen); + const struct ip6_hdr* ip6 = (const struct ip6_hdr*) pkt; + inner = new IP_Hdr(ip6, false, caplen); + if ( ( ip6->ip6_ctlun.ip6_un2_vfc & 0xF0 ) != 0x60 ) + return -2; } else if ( proto == IPPROTO_IPV4 ) @@ -816,7 +851,10 @@ int NetSessions::ParseIPPacket(int caplen, const u_char* const pkt, int proto, if ( caplen < (int)sizeof(struct ip) ) return -1; - inner = new IP_Hdr((const struct ip*) pkt, false); + const struct ip* ip4 = (const struct ip*) pkt; + inner = new IP_Hdr(ip4, false); + if ( ip4->ip_v != 4 ) + return -2; } else 
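Review bot: In the IPv6 branch of ParseIPPacket (hunk at -808) the version test runs only after `new IP_Hdr(ip6, false, caplen)` has been built from the same bytes, and the IPv4 branch in the hunk at -816 has the same order, so a payload that fails the test has already been handed to the header constructor and `inner` is left allocated on the `-2` return. What the constructor parses is not visible here; if it reads beyond the fixed header, the version comparison should come before the allocation. If the order is kept because callers expect a non-null `inner`, say so at the return, for example `// inner stays allocated on -2; the caller owns and deletes it`. The function starts and ends outside both hunks.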
@@ -1212,28 +1250,11 @@ Connection* NetSessions::NewConn(HashKey* k, double t, const ConnID* id, if ( ! WantConnection(src_h, dst_h, tproto, flags, flip) ) return 0; - ConnID flip_id = *id; - - if ( flip ) - { - // Make a guess that we're seeing the tail half of - // an analyzable connection. - const IPAddr ta = flip_id.src_addr; - flip_id.src_addr = flip_id.dst_addr; - flip_id.dst_addr = ta; - - uint32 t = flip_id.src_port; - flip_id.src_port = flip_id.dst_port; - flip_id.dst_port = t; - - id = &flip_id; - } - Connection* conn = new Connection(this, k, t, id, flow_label, pkt, encapsulation); conn->SetTransport(tproto); if ( flip ) - conn->AddHistory('^'); + conn->FlipRoles(); if ( ! analyzer_mgr->BuildInitialAnalyzerTree(conn) ) { diff --git a/src/Sessions.h b/src/Sessions.h index 305c9c145f..915b2f5631 100644 --- a/src/Sessions.h +++ b/src/Sessions.h @@ -56,7 +56,7 @@ public: : Timer(t, TIMER_TIMERMGR_EXPIRE), mgr(arg_mgr) { } - virtual void Dispatch(double t, int is_expire); + void Dispatch(double t, int is_expire) override; protected: TimerMgr* mgr; @@ -151,8 +151,9 @@ public: /** * Returns a wrapper IP_Hdr object if \a pkt appears to be a valid IPv4 - * or IPv6 header based on whether it's long enough to contain such a header - * and also that the payload length field of that header matches the actual + * or IPv6 header based on whether it's long enough to contain such a header, + * if version given in the header matches the proto argument, and also checks + * that the payload length field of that header matches the actual * length of \a pkt given by \a caplen. * * @param caplen The length of \a pkt in bytes. 
@@ -163,7 +164,8 @@ public: * if \a pkt looks like a valid IP packet or at least long enough * to hold an IP header. * @return 0 If the inner IP packet appeared valid, else -1 if \a caplen - * is greater than the supposed IP packet's payload length field or + * is greater than the supposed IP packet's payload length field, -2 + * if the version of the inner header does not match proto or * 1 if \a caplen is less than the supposed packet's payload length. * In the -1 case, \a inner may still be non-null if \a caplen was * long enough to be an IP header, and \a inner is always non-null @@ -258,9 +260,9 @@ public: : Timer(t + BifConst::Tunnel::ip_tunnel_timeout, TIMER_IP_TUNNEL_INACTIVITY), tunnel_idx(p) {} - ~IPTunnelTimer() {} + ~IPTunnelTimer() override {} - void Dispatch(double t, int is_expire); + void Dispatch(double t, int is_expire) override; protected: NetSessions::IPPair tunnel_idx; diff --git a/src/SmithWaterman.h b/src/SmithWaterman.h index 190ecda597..2eb359dec0 100644 --- a/src/SmithWaterman.h +++ b/src/SmithWaterman.h @@ -41,10 +41,10 @@ public: typedef BSSAlignVec::iterator BSSAlignVecIt; typedef BSSAlignVec::const_iterator BSSAlignVecCIt; - BroSubstring(const string& string) + explicit BroSubstring(const string& string) : BroString(string), _num(), _new(false) { } - BroSubstring(const BroString& string) + explicit BroSubstring(const BroString& string) : BroString(string), _num(), _new(false) { } BroSubstring(const BroSubstring& bst); @@ -97,7 +97,7 @@ private: // class BroSubstringCmp { public: - BroSubstringCmp(unsigned int index) { _index = index; } + explicit BroSubstringCmp(unsigned int index) { _index = index; } bool operator()(const BroSubstring* bst1, const BroSubstring* bst2) const; private: 
@@ -119,7 +119,7 @@ enum SWVariant { // Parameters for Smith-Waterman are stored in this simple record. // struct SWParams { - SWParams(unsigned int min_toklen = 3, SWVariant sw_variant = SW_SINGLE) + explicit SWParams(unsigned int min_toklen = 3, SWVariant sw_variant = SW_SINGLE) { _min_toklen = min_toklen; _sw_variant = sw_variant; diff --git a/src/StateAccess.h b/src/StateAccess.h index bc5064602b..1e84430956 100644 --- a/src/StateAccess.h +++ b/src/StateAccess.h @@ -48,7 +48,7 @@ public: StateAccess(const StateAccess& sa); - virtual ~StateAccess(); + ~StateAccess() override; // Replays this access in the our environment. void Replay(); diff --git a/src/Stats.cc b/src/Stats.cc index d1f447c05c..b1d5c427a9 100644 --- a/src/Stats.cc +++ b/src/Stats.cc @@ -9,10 +9,7 @@ #include "DNS_Mgr.h" #include "Trigger.h" #include "threading/Manager.h" - -#ifdef ENABLE_BROKER #include "broker/Manager.h" -#endif uint64 killed_by_inactivity = 0; 
@@ -226,25 +223,19 @@ void ProfileLogger::Log() )); } -#ifdef ENABLE_BROKER - auto cs = broker_mgr->ConsumeStatistics(); + auto cs = broker_mgr->GetStatistics(); file->Write(fmt("%0.6f Comm: peers=%zu stores=%zu " - "store_queries=%zu store_responses=%zu " - "outgoing_conn_status=%zu incoming_conn_status=%zu " - "reports=%zu\n", - network_time, cs.outgoing_peer_count, cs.data_store_count, - cs.pending_query_count, cs.response_count, - cs.outgoing_conn_status_count, cs.incoming_conn_status_count, - cs.report_count)); - - for ( const auto& s : cs.print_count ) - file->Write(fmt(" %-25s prints dequeued=%zu\n", s.first.data(), s.second)); - for ( const auto& s : cs.event_count ) - file->Write(fmt(" %-25s events dequeued=%zu\n", s.first.data(), s.second)); - for ( const auto& s : cs.log_count ) - file->Write(fmt(" %-25s logs dequeued=%zu\n", s.first.data(), s.second)); -#endif + "pending_queries=%zu " + "events_in=%zu events_out=%zu " + "logs_in=%zu logs_out=%zu " + "ids_in=%zu ids_out=%zu ", + network_time, cs.num_peers, cs.num_stores, + cs.num_pending_queries, + cs.num_events_incoming, cs.num_events_outgoing, + cs.num_logs_incoming, cs.num_logs_outgoing, + cs.num_ids_incoming, cs.num_ids_outgoing + )); // Script-level state. unsigned int size, mem = 0; diff --git a/src/Stats.h b/src/Stats.h index 7fbec8cab6..af9a0e1f3c 100644 --- a/src/Stats.h +++ b/src/Stats.h @@ -63,14 +63,14 @@ protected: class ProfileLogger : public SegmentStatsReporter { public: ProfileLogger(BroFile* file, double interval); - ~ProfileLogger(); + ~ProfileLogger() override; void Log(); BroFile* File() { return file; } protected: void SegmentProfile(const char* name, const Location* loc, - double dtime, int dmem); + double dtime, int dmem) override; private: BroFile* file; 
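Review bot: The rewritten `Comm:` format string ends in `"ids_in=%zu ids_out=%zu "` with no `\n`, whereas the removed one ended in `"reports=%zu\n"`, so the next record written to the profile file lands on the same line. End the last literal with a newline: `"ids_in=%zu ids_out=%zu\n"`. The `%zu` conversions also assume every `cs.num_*` field is a `size_t`; the statistics struct is not visible in this hunk, so that is worth confirming. ProfileLogger::Log starts and ends outside the hunk.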
@@ -82,7 +82,7 @@ private: class SampleLogger : public SegmentStatsReporter { public: SampleLogger(); - ~SampleLogger(); + ~SampleLogger() override; // These are called to report that a given function or location // has been seen during the sampling. @@ -91,7 +91,7 @@ public: protected: void SegmentProfile(const char* name, const Location* loc, - double dtime, int dmem); + double dtime, int dmem) override; TableVal* load_samples; }; diff --git a/src/Stmt.cc b/src/Stmt.cc index d93e8ff14e..26be70c373 100644 --- a/src/Stmt.cc +++ b/src/Stmt.cc @@ -546,8 +546,8 @@ static BroStmtTag get_last_stmt_tag(const Stmt* stmt) return get_last_stmt_tag(stmts->Stmts()[len - 1]); } -Case::Case(ListExpr* c, Stmt* arg_s) - : cases(c), s(arg_s) +Case::Case(ListExpr* arg_expr_cases, id_list* arg_type_cases, Stmt* arg_s) + : expr_cases(arg_expr_cases), type_cases(arg_type_cases), s(arg_s) { BroStmtTag t = get_last_stmt_tag(Body()); @@ -557,13 +557,18 @@ Case::Case(ListExpr* c, Stmt* arg_s) Case::~Case() { - Unref(cases); + Unref(expr_cases); Unref(s); + + loop_over_list((*type_cases), i) + Unref((*type_cases)[i]); + + delete type_cases; } void Case::Describe(ODesc* d) const { - if ( ! Cases() ) + if ( ! (expr_cases || type_cases) ) { if ( ! d->IsBinary() ) d->Add("default:"); 
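Review bot: `Case::~Case()` in the hunk at -557 dereferences `type_cases` unconditionally in `loop_over_list((*type_cases), i)`, while the rest of the commit treats the pointer as optional: `Case::Describe` tests `expr_cases || type_cases`, `Case::Traverse` tests `if ( type_cases )`, and the default constructor in Stmt.h sets it to 0. If a Case can be created with a null type list, as those checks suggest, destroying it dereferences a null pointer. Wrap the loop in `if ( type_cases )`; the `delete type_cases;` that follows is already safe on null.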
@@ -578,20 +583,49 @@ void Case::Describe(ODesc* d) const return; } - const expr_list& e = Cases()->Exprs(); - if ( ! d->IsBinary() ) d->Add("case"); - d->AddCount(e.length()); - - loop_over_list(e, j) + if ( expr_cases ) { - if ( j > 0 && ! d->IsReadable() ) - d->Add(","); + const expr_list& e = expr_cases->Exprs(); - d->SP(); - e[j]->Describe(d); + d->AddCount(e.length()); + + loop_over_list(e, i) + { + if ( i > 0 && d->IsReadable() ) + d->Add(","); + + d->SP(); + e[i]->Describe(d); + } + } + + if ( type_cases ) + { + const id_list& t = *type_cases; + + d->AddCount(t.length()); + + loop_over_list(t, i) + { + if ( i > 0 && d->IsReadable() ) + d->Add(","); + + d->SP(); + d->Add("type"); + d->SP(); + t[i]->Type()->Describe(d); + + if ( t[i]->Name() ) + { + d->SP(); + d->Add("as"); + d->SP(); + d->Add(t[i]->Name()); + } + } } if ( d->IsReadable() ) @@ -607,12 +641,17 @@ TraversalCode Case::Traverse(TraversalCallback* cb) const { TraversalCode tc; - if ( cases ) + if ( expr_cases ) { - tc = cases->Traverse(cb); + tc = expr_cases->Traverse(cb); HANDLE_TC_STMT_PRE(tc); } + if ( type_cases ) + { + // No traverse support for types. + } + tc = s->Traverse(cb); HANDLE_TC_STMT_PRE(tc); 
@@ -634,17 +673,48 @@ IMPLEMENT_SERIAL(Case, SER_CASE); bool Case::DoSerialize(SerialInfo* info) const { DO_SERIALIZE(SER_CASE, BroObj); - return cases->Serialize(info) && this->s->Serialize(info); + + if ( ! expr_cases->Serialize(info) ) + return false; + + id_list empty; + id_list* types = (type_cases ? type_cases : &empty); + + if ( ! SERIALIZE(types->length()) ) + return false; + + loop_over_list((*types), i) + { + if ( ! (*types)[i]->Serialize(info) ) + return false; + } + + return this->s->Serialize(info); } bool Case::DoUnserialize(UnserialInfo* info) { DO_UNSERIALIZE(BroObj); - cases = (ListExpr*) Expr::Unserialize(info, EXPR_LIST); - if ( ! cases ) + expr_cases = (ListExpr*) Expr::Unserialize(info, EXPR_LIST); + if ( ! expr_cases ) return false; + int len; + if ( ! UNSERIALIZE(&len) ) + return false; + + type_cases = new id_list; + + while ( len-- ) + { + ID* id = ID::Unserialize(info); + if ( ! id ) + return false; + + type_cases->append(id); + } + this->s = Stmt::Unserialize(info); return this->s != 0; } @@ -661,7 +731,7 @@ void SwitchStmt::Init() comp_hash = new CompositeHash(t); Unref(t); - case_label_map.SetDeleteFunc(int_del_func); + case_label_value_map.SetDeleteFunc(int_del_func); } SwitchStmt::SwitchStmt(Expr* index, case_list* arg_cases) : @@ -669,16 +739,22 @@ SwitchStmt::SwitchStmt(Expr* index, case_list* arg_cases) : { Init(); - if ( ! is_atomic_type(e->Type()) ) - e->Error("switch expression must be of an atomic type"); + bool have_exprs = false; + bool have_types = false; loop_over_list(*cases, i) { Case* c = (*cases)[i]; - ListExpr* le = c->Cases(); + ListExpr* le = c->ExprCases(); + id_list* tl = c->TypeCases(); if ( le ) { + have_exprs = true; + + if ( ! is_atomic_type(e->Type()) ) + e->Error("switch expression must be of an atomic type when cases are expressions"); + if ( ! le->Type()->AsTypeList()->AllMatch(e->Type(), false) ) { le->Error("case expression type differs from switch type", e); 
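Review bot: `Case::DoUnserialize` takes the element count for `type_cases` from the serialized stream as a signed `int` and runs `while ( len-- )` without validating it, so a negative value keeps the loop calling `ID::Unserialize` until that call fails instead of stopping at zero. Reject it before allocating the list: `if ( len < 0 ) return false;`. In the same hunk, `DoSerialize` calls `expr_cases->Serialize(info)` with no null test although `Describe` and `Traverse` treat `expr_cases` as optional; whether a type-only or default case reaches serialization is not visible here, but a guard or a comment stating the invariant would settle it.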
@@ -736,12 +812,34 @@ SwitchStmt::SwitchStmt(Expr* index, case_list* arg_cases) : exprs[j]->Error("case label expression isn't constant"); else { - if ( ! AddCaseLabelMapping(exprs[j]->ExprVal(), i) ) + if ( ! AddCaseLabelValueMapping(exprs[j]->ExprVal(), i) ) exprs[j]->Error("duplicate case label"); } } } + else if ( tl ) + { + have_types = true; + + loop_over_list((*tl), j) + { + BroType* ct = (*tl)[j]->Type(); + + if ( ! can_cast_value_to_type(e->Type(), ct) ) + { + c->Error("cannot cast switch expression to case type"); + continue; + } + + if ( ! AddCaseLabelTypeMapping((*tl)[j], i) ) + { + c->Error("duplicate case label"); + continue; + } + } + } + else { if ( default_case_idx != -1 ) @@ -750,6 +848,10 @@ SwitchStmt::SwitchStmt(Expr* index, case_list* arg_cases) : default_case_idx = i; } } + + if ( have_exprs && have_types ) + Error("cannot mix cases with expressions and types"); + } SwitchStmt::~SwitchStmt() @@ -761,7 +863,7 @@ SwitchStmt::~SwitchStmt() delete comp_hash; } -bool SwitchStmt::AddCaseLabelMapping(const Val* v, int idx) +bool SwitchStmt::AddCaseLabelValueMapping(const Val* v, int idx) { HashKey* hk = comp_hash->ComputeHash(v, 1); @@ -772,7 +874,7 @@ bool SwitchStmt::AddCaseLabelMapping(const Val* v, int idx) type_name(v->Type()->Tag()), type_name(e->Type()->Tag())); } - int* label_idx = case_label_map.Lookup(hk); + int* label_idx = case_label_value_map.Lookup(hk); if ( label_idx ) { 
@@ -780,38 +882,76 @@ bool SwitchStmt::AddCaseLabelMapping(const Val* v, int idx) return false; } - case_label_map.Insert(hk, new int(idx)); + case_label_value_map.Insert(hk, new int(idx)); delete hk; return true; } -int SwitchStmt::FindCaseLabelMatch(const Val* v) const +bool SwitchStmt::AddCaseLabelTypeMapping(ID* t, int idx) { - HashKey* hk = comp_hash->ComputeHash(v, 1); - - if ( ! hk ) + for ( auto i : case_label_type_list ) { - reporter->PushLocation(e->GetLocationInfo()); - reporter->Error("switch expression type mismatch (%s/%s)", - type_name(v->Type()->Tag()), type_name(e->Type()->Tag())); - return -1; + if ( same_type(i.first->Type(), t->Type()) ) + return false; } - int* label_idx = case_label_map.Lookup(hk); + auto e = std::make_pair(t, idx); + case_label_type_list.push_back(e); - delete hk; + return true; + } - if ( ! label_idx ) - return default_case_idx; +std::pair SwitchStmt::FindCaseLabelMatch(const Val* v) const + { + int label_idx = -1; + ID* label_id = 0; + + // Find matching expression cases. + if ( case_label_value_map.Length() ) + { + HashKey* hk = comp_hash->ComputeHash(v, 1); + + if ( ! hk ) + { + reporter->PushLocation(e->GetLocationInfo()); + reporter->Error("switch expression type mismatch (%s/%s)", + type_name(v->Type()->Tag()), type_name(e->Type()->Tag())); + return std::make_pair(-1, nullptr); + } + + if ( auto i = case_label_value_map.Lookup(hk) ) + label_idx = *i; + + delete hk; + } + + // Find matching type cases. 
+ for ( auto i : case_label_type_list ) + { + auto id = i.first; + auto type = id->Type(); + + if ( can_cast_value_to_type(v, type) ) + { + label_idx = i.second; + label_id = id; + break; + } + } + + if ( label_idx < 0 ) + return std::make_pair(default_case_idx, nullptr); else - return *label_idx; + return std::make_pair(label_idx, label_id); } Val* SwitchStmt::DoExec(Frame* f, Val* v, stmt_flow_type& flow) const { Val* rval = 0; - int matching_label_idx = FindCaseLabelMatch(v); + auto m = FindCaseLabelMatch(v); + int matching_label_idx = m.first; + ID* matching_id = m.second; if ( matching_label_idx == -1 ) return 0; @@ -820,6 +960,12 @@ Val* SwitchStmt::DoExec(Frame* f, Val* v, stmt_flow_type& flow) const { const Case* c = (*cases)[i]; + if ( matching_id ) + { + auto cv = cast_value_to_type(v, matching_id->Type()); + f->SetElement(matching_id->Offset(), cv); + } + flow = FLOW_NEXT; rval = c->Body()->Exec(f, flow); @@ -841,7 +987,7 @@ int SwitchStmt::IsPure() const loop_over_list(*cases, i) { Case* c = (*cases)[i]; - if ( ! c->Cases()->IsPure() || ! c->Body()->IsPure() ) + if ( ! c->ExprCases()->IsPure() || ! c->Body()->IsPure() ) return 0; } @@ -928,7 +1074,7 @@ bool SwitchStmt::DoUnserialize(UnserialInfo* info) loop_over_list(*cases, i) { - const ListExpr* le = (*cases)[i]->Cases(); + const ListExpr* le = (*cases)[i]->ExprCases(); if ( ! le ) continue; @@ -937,7 +1083,7 @@ bool SwitchStmt::DoUnserialize(UnserialInfo* info) loop_over_list(exprs, j) { - if ( ! AddCaseLabelMapping(exprs[j]->ExprVal(), i) ) + if ( ! AddCaseLabelValueMapping(exprs[j]->ExprVal(), i) ) return false; } } @@ -1293,6 +1439,9 @@ Val* ForStmt::DoExec(Frame* f, Val* v, stmt_flow_type& flow) const TableVal* tv = v->AsTableVal(); const PDict(TableEntryVal)* loop_vals = tv->AsTable(); + if ( ! loop_vals->Length() ) + return 0; + HashKey* k; IterCookie* c = loop_vals->InitForIteration(); while ( loop_vals->NextEntry(k, c) ) 
@@ -1387,7 +1536,7 @@ void ForStmt::Describe(ODesc* d) const if ( i > 0 ) d->Add(","); } - + if ( loop_vars->length() ) d->Add("]"); diff --git a/src/Stmt.h b/src/Stmt.h index 1c3bef2984..a6676d678d 100644 --- a/src/Stmt.h +++ b/src/Stmt.h @@ -23,15 +23,15 @@ class Stmt : public BroObj { public: BroStmtTag Tag() const { return tag; } - virtual ~Stmt(); + ~Stmt() override; virtual Val* Exec(Frame* f, stmt_flow_type& flow) const = 0; Stmt* Ref() { ::Ref(this); return this; } - bool SetLocationInfo(const Location* loc) + bool SetLocationInfo(const Location* loc) override { return Stmt::SetLocationInfo(loc, loc); } - bool SetLocationInfo(const Location* start, const Location* end); + bool SetLocationInfo(const Location* start, const Location* end) override; // True if the statement has no side effects, false otherwise. virtual int IsPure() const; @@ -58,7 +58,7 @@ public: void AccessStats(ODesc* d) const; uint32 GetAccessCount() const { return access_count; } - virtual void Describe(ODesc* d) const; + void Describe(ODesc* d) const override; virtual void IncrBPCount() { ++breakpoint_count; } virtual void DecrBPCount() @@ -78,7 +78,7 @@ public: protected: Stmt() {} - Stmt(BroStmtTag arg_tag); + explicit Stmt(BroStmtTag arg_tag); void AddTag(ODesc* d) const; void DescribeDone(ODesc* d) const; 
@@ -97,18 +97,18 @@ class ExprListStmt : public Stmt { public: const ListExpr* ExprList() const { return l; } - TraversalCode Traverse(TraversalCallback* cb) const; + TraversalCode Traverse(TraversalCallback* cb) const override; protected: ExprListStmt() { l = 0; } ExprListStmt(BroStmtTag t, ListExpr* arg_l); - virtual ~ExprListStmt(); + ~ExprListStmt() override; - Val* Exec(Frame* f, stmt_flow_type& flow) const; + Val* Exec(Frame* f, stmt_flow_type& flow) const override; virtual Val* DoExec(val_list* vals, stmt_flow_type& flow) const = 0; - void Describe(ODesc* d) const; + void Describe(ODesc* d) const override; void PrintVals(ODesc* d, val_list* vals, int offset) const; DECLARE_ABSTRACT_SERIAL(ExprListStmt); @@ -118,7 +118,7 @@ protected: class PrintStmt : public ExprListStmt { public: - PrintStmt(ListExpr* l) : ExprListStmt(STMT_PRINT, l) { } + explicit PrintStmt(ListExpr* l) : ExprListStmt(STMT_PRINT, l) { } protected: friend class Stmt; @@ -131,8 +131,8 @@ protected: class ExprStmt : public Stmt { public: - ExprStmt(Expr* e); - virtual ~ExprStmt(); + explicit ExprStmt(Expr* e); + ~ExprStmt() override; Val* Exec(Frame* f, stmt_flow_type& flow) const override; @@ -159,7 +159,7 @@ protected: class IfStmt : public ExprStmt { public: IfStmt(Expr* test, Stmt* s1, Stmt* s2); - ~IfStmt(); + ~IfStmt() override; const Stmt* TrueBranch() const { return s1; } const Stmt* FalseBranch() const { return s2; } @@ -183,11 +183,14 @@ protected: class Case : public BroObj { public: - Case(ListExpr* c, Stmt* arg_s); - ~Case(); + Case(ListExpr* c, id_list* types, Stmt* arg_s); + ~Case() override; - const ListExpr* Cases() const { return cases; } - ListExpr* Cases() { return cases; } + const ListExpr* ExprCases() const { return expr_cases; } + ListExpr* ExprCases() { return expr_cases; } + + const id_list* TypeCases() const { return type_cases; } + id_list* TypeCases() { return type_cases; } const Stmt* Body() const { return s; } Stmt* Body() { return s; } 
@@ -201,18 +204,19 @@ public: protected: friend class Stmt; - Case() { cases = 0; s = 0; } + Case() { expr_cases = 0; type_cases = 0; s = 0; } DECLARE_SERIAL(Case); - ListExpr* cases; + ListExpr* expr_cases; + id_list* type_cases; Stmt* s; }; class SwitchStmt : public ExprStmt { public: SwitchStmt(Expr* index, case_list* cases); - ~SwitchStmt(); + ~SwitchStmt() override; const case_list* Cases() const { return cases; } 
@@ -232,25 +236,32 @@ protected: // Initialize composite hash and case label map. void Init(); - // Adds an entry in case_label_map for the given value to associate it + // Adds an entry in case_label_value_map for the given value to associate it // with the given index in the cases list. If the entry already exists, // returns false, else returns true. - bool AddCaseLabelMapping(const Val* v, int idx); + bool AddCaseLabelValueMapping(const Val* v, int idx); - // Returns index of a case label that's equal to the value, or - // default_case_idx if no case label matches (which may be -1 if there's - // no default label). - int FindCaseLabelMatch(const Val* v) const; + // Adds an entry in case_label_type_map for the given type (w/ ID) to + // associate it with the given index in the cases list. If an entry + // for the type already exists, returns false; else returns true. + bool AddCaseLabelTypeMapping(ID* t, int idx); + + // Returns index of a case label that matches the value, or + // default_case_idx if no case label matches (which may be -1 if + // there's no default label). The second tuple element is the ID of + // the matching type-based case if it defines one. + std::pair FindCaseLabelMatch(const Val* v) const; case_list* cases; int default_case_idx; CompositeHash* comp_hash; - PDict(int) case_label_map; + PDict(int) case_label_value_map; + std::vector> case_label_type_list; }; class AddStmt : public ExprStmt { public: - AddStmt(Expr* e); + explicit AddStmt(Expr* e); int IsPure() const override; Val* Exec(Frame* f, stmt_flow_type& flow) const override; @@ -266,7 +277,7 @@ protected: class DelStmt : public ExprStmt { public: - DelStmt(Expr* e); + explicit DelStmt(Expr* e); int IsPure() const override; Val* Exec(Frame* f, stmt_flow_type& flow) const override; @@ -282,7 +293,7 @@ protected: class EventStmt : public ExprStmt { public: - EventStmt(EventExpr* e); + explicit EventStmt(EventExpr* e); Val* Exec(Frame* f, stmt_flow_type& flow) const override; 
@@ -301,7 +312,7 @@ class WhileStmt : public Stmt { public: WhileStmt(Expr* loop_condition, Stmt* body); - ~WhileStmt(); + ~WhileStmt() override; int IsPure() const override; @@ -326,7 +337,7 @@ protected: class ForStmt : public ExprStmt { public: ForStmt(id_list* loop_vars, Expr* loop_expr); - ~ForStmt(); + ~ForStmt() override; void AddBody(Stmt* arg_body) { body = arg_body; } @@ -399,7 +410,7 @@ protected: class ReturnStmt : public ExprStmt { public: - ReturnStmt(Expr* e); + explicit ReturnStmt(Expr* e); Val* Exec(Frame* f, stmt_flow_type& flow) const override; @@ -415,7 +426,7 @@ protected: class StmtList : public Stmt { public: StmtList(); - ~StmtList(); + ~StmtList() override; Val* Exec(Frame* f, stmt_flow_type& flow) const override; @@ -456,14 +467,14 @@ protected: class InitStmt : public Stmt { public: - InitStmt(id_list* arg_inits) : Stmt(STMT_INIT) + explicit InitStmt(id_list* arg_inits) : Stmt(STMT_INIT) { inits = arg_inits; if ( arg_inits && arg_inits->length() ) SetLocationInfo((*arg_inits)[0]->GetLocationInfo()); } - ~InitStmt(); + ~InitStmt() override; Val* Exec(Frame* f, stmt_flow_type& flow) const override; @@ -501,7 +512,7 @@ class WhenStmt : public Stmt { public: // s2 is null if no timeout block given. WhenStmt(Expr* cond, Stmt* s1, Stmt* s2, Expr* timeout, bool is_return); - ~WhenStmt(); + ~WhenStmt() override; Val* Exec(Frame* f, stmt_flow_type& flow) const override; int IsPure() const override; diff --git a/src/Tag.h b/src/Tag.h index 224fdd40f3..efc3e359c2 100644 --- a/src/Tag.h +++ b/src/Tag.h @@ -132,7 +132,7 @@ protected: * * @param val An enum value of script type \c Analyzer::Tag. */ - Tag(EnumVal* val); + explicit Tag(EnumVal* val); private: type_t type; // Main type. diff --git a/src/Timer.cc b/src/Timer.cc index f4370ed735..4fe998606b 100644 --- a/src/Timer.cc +++ b/src/Timer.cc 
@@ -6,6 +6,7 @@ #include "Timer.h" #include "Desc.h" #include "Serializer.h" +#include "broker/Manager.h" // Names of timers in same order than in TimerType. const char* TimerNames[] = { @@ -103,6 +104,7 @@ int TimerMgr::Advance(double arg_t, int max_expire) last_timestamp = 0; num_expired = 0; last_advance = timer_mgr->Time(); + broker_mgr->AdvanceTime(arg_t); return DoAdvance(t, max_expire); } diff --git a/src/Timer.h b/src/Timer.h index e095421c30..ea410e5c7b 100644 --- a/src/Timer.h +++ b/src/Timer.h @@ -56,7 +56,7 @@ class Timer : public SerialObj, public PQ_Element { public: Timer(double t, TimerType arg_type) : PQ_Element(t) { type = (char) arg_type; } - virtual ~Timer() { } + ~Timer() override { } TimerType Type() const { return (TimerType) type; } @@ -118,7 +118,7 @@ public: static unsigned int* CurrentTimers() { return current_timers; } protected: - TimerMgr(const Tag& arg_tag) + explicit TimerMgr(const Tag& arg_tag) { t = 0.0; num_expired = 0; @@ -141,20 +141,19 @@ protected: class PQ_TimerMgr : public TimerMgr { public: - PQ_TimerMgr(const Tag& arg_tag); - ~PQ_TimerMgr(); + explicit PQ_TimerMgr(const Tag& arg_tag); + ~PQ_TimerMgr() override; - void Add(Timer* timer); - void Expire(); + void Add(Timer* timer) override; + void Expire() override; - int Size() const { return q->Size(); } - int PeakSize() const { return q->PeakSize(); } - uint64 CumulativeNum() const { return q->CumulativeNum(); } - unsigned int MemoryUsage() const; + int Size() const override { return q->Size(); } + int PeakSize() const override { return q->PeakSize(); } + uint64 CumulativeNum() const override { return q->CumulativeNum(); } protected: - int DoAdvance(double t, int max_expire); - void Remove(Timer* timer); + int DoAdvance(double t, int max_expire) override; + void Remove(Timer* timer) override; Timer* Remove() { return (Timer*) q->Remove(); } Timer* Top() { return (Timer*) q->Top(); } 
@@ -164,20 +163,20 @@ protected: class CQ_TimerMgr : public TimerMgr { public: - CQ_TimerMgr(const Tag& arg_tag); - ~CQ_TimerMgr(); + explicit CQ_TimerMgr(const Tag& arg_tag); + ~CQ_TimerMgr() override; - void Add(Timer* timer); - void Expire(); + void Add(Timer* timer) override; + void Expire() override; - int Size() const { return cq_size(cq); } - int PeakSize() const { return cq_max_size(cq); } - uint64 CumulativeNum() const { return cq_cumulative_num(cq); } + int Size() const override { return cq_size(cq); } + int PeakSize() const override { return cq_max_size(cq); } + uint64 CumulativeNum() const override { return cq_cumulative_num(cq); } unsigned int MemoryUsage() const; protected: - int DoAdvance(double t, int max_expire); - void Remove(Timer* timer); + int DoAdvance(double t, int max_expire) override; + void Remove(Timer* timer) override; struct cq_handle *cq; }; diff --git a/src/Traverse.cc b/src/Traverse.cc index 78eed27800..d19c6d3801 100644 --- a/src/Traverse.cc +++ b/src/Traverse.cc @@ -9,6 +9,10 @@ TraversalCode traverse_all(TraversalCallback* cb) if ( ! global_scope() ) return TC_CONTINUE; + if ( ! stmts ) + // May be null when parsing fails. + return TC_CONTINUE; + cb->current_scope = global_scope(); TraversalCode tc = global_scope()->Traverse(cb); diff --git a/src/Trigger.cc b/src/Trigger.cc index 772a991791..3867c607fd 100644 --- a/src/Trigger.cc +++ b/src/Trigger.cc @@ -136,12 +136,12 @@ Trigger::Trigger(Expr* arg_cond, Stmt* arg_body, Stmt* arg_timeout_stmts, if ( timeout_val ) { - Unref(timeout_val); timeout_value = timeout_val->AsInterval(); + Unref(timeout_val); } // Make sure we don't get deleted if somebody calls a method like - // Timeout() while evaluating the trigger. + // Timeout() while evaluating the trigger. Ref(this); if ( ! Eval() && timeout_value >= 0 ) diff --git a/src/Trigger.h b/src/Trigger.h index 3af9ddf1b0..0f7889d19a 100644 --- a/src/Trigger.h +++ b/src/Trigger.h 
@@ -21,7 +21,7 @@ public: // right away. Trigger(Expr* cond, Stmt* body, Stmt* timeout_stmts, Expr* timeout, Frame* f, bool is_return, const Location* loc); - ~Trigger(); + ~Trigger() override; // Evaluates the condition. If true, executes the body and deletes // the object deleted. @@ -57,16 +57,16 @@ public: bool Disabled() const { return disabled; } - virtual void Describe(ODesc* d) const { d->Add(""); } - + void Describe(ODesc* d) const override + { d->Add(""); } // Overidden from Notifier. We queue the trigger and evaluate it // later to avoid race conditions. - virtual void Access(ID* id, const StateAccess& sa) + void Access(ID* id, const StateAccess& sa) override { QueueTrigger(this); } - virtual void Access(Val* val, const StateAccess& sa) + void Access(Val* val, const StateAccess& sa) override { QueueTrigger(this); } - virtual const char* Name() const; + const char* Name() const override; static void QueueTrigger(Trigger* trigger); diff --git a/src/TunnelEncapsulation.cc b/src/TunnelEncapsulation.cc index cb4b1eaabe..556de9382a 100644 --- a/src/TunnelEncapsulation.cc +++ b/src/TunnelEncapsulation.cc @@ -22,9 +22,9 @@ RecordVal* EncapsulatingConn::GetRecordVal() const RecordVal* id_val = new RecordVal(conn_id); id_val->Assign(0, new AddrVal(src_addr)); - id_val->Assign(1, new PortVal(ntohs(src_port), proto)); + id_val->Assign(1, port_mgr->Get(ntohs(src_port), proto)); id_val->Assign(2, new AddrVal(dst_addr)); - id_val->Assign(3, new PortVal(ntohs(dst_port), proto)); + id_val->Assign(3, port_mgr->Get(ntohs(dst_port), proto)); rv->Assign(0, id_val); rv->Assign(1, new EnumVal(type, BifType::Enum::Tunnel::Type)); diff --git a/src/Type.cc b/src/Type.cc index cce328d92b..7ddca8f907 100644 --- a/src/Type.cc +++ b/src/Type.cc 
@@ -545,7 +545,7 @@ bool IndexType::DoUnserialize(UnserialInfo* info) DO_UNSERIALIZE(BroType); UNSERIALIZE_OPTIONAL(yield_type, BroType::Unserialize(info)); - indices = (TypeList*) BroType::Unserialize(info, TYPE_LIST); + indices = (TypeList*) BroType::Unserialize(info); return indices != 0; } @@ -865,11 +865,11 @@ bool FuncType::DoUnserialize(UnserialInfo* info) UNSERIALIZE_OPTIONAL(yield, BroType::Unserialize(info)); - args = (RecordType*) BroType::Unserialize(info, TYPE_RECORD); + args = (RecordType*) BroType::Unserialize(info); if ( ! args ) return false; - arg_types = (TypeList*) BroType::Unserialize(info, TYPE_LIST); + arg_types = (TypeList*) BroType::Unserialize(info); if ( ! arg_types ) return false; @@ -1185,7 +1185,14 @@ void RecordType::DescribeFieldsReST(ODesc* d, bool func_args) const if ( d->FindType(td->type) ) d->Add(""); else - td->DescribeReST(d); + { + if ( num_fields == 1 && streq(td->id, "va_args") && + td->type->Tag() == TYPE_ANY ) + // This was a BIF using variable argument list + d->Add("..."); + else + td->DescribeReST(d); + } if ( func_args ) continue; diff --git a/src/Type.h b/src/Type.h index 5c8a05b3f6..9366548902 100644 --- a/src/Type.h +++ b/src/Type.h @@ -82,8 +82,8 @@ const int MATCHES_INDEX_VECTOR = 2; class BroType : public BroObj { public: - BroType(TypeTag tag, bool base_type = false); - ~BroType() { } + explicit BroType(TypeTag tag, bool base_type = false); + ~BroType() override { } BroType* Clone() const; @@ -249,7 +249,7 @@ public: BroType* Ref() { ::Ref(this); return this; } - virtual void Describe(ODesc* d) const override; + void Describe(ODesc* d) const override; virtual void DescribeReST(ODesc* d, bool roles_only = false) const; virtual unsigned MemoryAllocation() const; 
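Review bot: In IndexType::DoUnserialize the result of `BroType::Unserialize(info)` is C-cast to `TypeList*` with only a null check, so a serialized stream carrying a different type tag would be used as the wrong class. The same applies to the `args` and `arg_types` assignments in the FuncType::DoUnserialize hunk. What the dropped second argument did is not visible here, but since this path parses externally supplied state, a tag check before the cast is worth adding, e.g. `if ( indices && indices->Tag() != TYPE_LIST ) { Unref(indices); return false; }`, with `TYPE_RECORD` for `args`. Both function bodies begin outside their hunks.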
@@ -265,7 +265,7 @@ public: static std::set GetAliases(const std::string& type_name) { return BroType::type_aliases[type_name]; } - static void AddAlias(const std::string type_name, BroType* type) + static void AddAlias(const std::string &type_name, BroType* type) { BroType::type_aliases[type_name].insert(type); } protected: @@ -287,13 +287,13 @@ private: class TypeList : public BroType { public: - TypeList(BroType* arg_pure_type = 0) : BroType(TYPE_LIST) + explicit TypeList(BroType* arg_pure_type = 0) : BroType(TYPE_LIST) { pure_type = arg_pure_type; if ( pure_type ) pure_type->Ref(); } - ~TypeList(); + ~TypeList() override; const type_list* Types() const { return &types; } type_list* Types() { return &types; } @@ -352,7 +352,7 @@ protected: indices = arg_indices; yield_type = arg_yield_type; } - ~IndexType(); + ~IndexType() override; DECLARE_SERIAL(IndexType) @@ -379,7 +379,7 @@ protected: class SetType : public TableType { public: SetType(TypeList* ind, ListExpr* arg_elements); - ~SetType(); + ~SetType() override; ListExpr* SetElements() const { return elements; } @@ -395,7 +395,7 @@ class FuncType : public BroType { public: FuncType(RecordType* args, BroType* yield, function_flavor f); - ~FuncType(); + ~FuncType() override; RecordType* Args() const { return args; } BroType* YieldType() override; @@ -428,8 +428,8 @@ protected: class TypeType : public BroType { public: - TypeType(BroType* t) : BroType(TYPE_TYPE) { type = t->Ref(); } - ~TypeType() { Unref(type); } + explicit TypeType(BroType* t) : BroType(TYPE_TYPE) { type = t->Ref(); } + ~TypeType() override { Unref(type); } BroType* Type() { return type; } @@ -460,9 +460,9 @@ public: class RecordType : public BroType { public: - RecordType(type_decl_list* types); + explicit RecordType(type_decl_list* types); - ~RecordType(); + ~RecordType() override; int HasField(const char* field) const override; BroType* FieldType(const char* field) const override; 
@@ -512,8 +512,8 @@ protected: class FileType : public BroType { public: - FileType(BroType* yield_type); - ~FileType(); + explicit FileType(BroType* yield_type); + ~FileType() override; BroType* YieldType() override; @@ -529,8 +529,8 @@ protected: class OpaqueType : public BroType { public: - OpaqueType(const string& name); - virtual ~OpaqueType() { }; + explicit OpaqueType(const string& name); + ~OpaqueType() override { }; const string& Name() const { return name; } @@ -549,9 +549,9 @@ class EnumType : public BroType { public: typedef std::list > enum_name_list; - EnumType(EnumType* e); - EnumType(const string& arg_name); - ~EnumType(); + explicit EnumType(EnumType* e); + explicit EnumType(const string& arg_name); + ~EnumType() override; // The value of this name is next internal counter value, starting // with zero. The internal counter is incremented. @@ -598,8 +598,8 @@ protected: class VectorType : public BroType { public: - VectorType(BroType* t); - virtual ~VectorType(); + explicit VectorType(BroType* t); + ~VectorType() override; BroType* YieldType() override; const BroType* YieldType() const; @@ -628,6 +628,7 @@ extern OpaqueType* cardinality_type; extern OpaqueType* topk_type; extern OpaqueType* bloomfilter_type; extern OpaqueType* x509_opaque_type; +extern OpaqueType* ocsp_resp_opaque_type; // Returns the Bro basic (non-parameterized) type with the given type. // The reference count of the type is not increased. diff --git a/src/UID.h b/src/UID.h index 2cda02811f..642ecf4b48 100644 --- a/src/UID.h +++ b/src/UID.h @@ -28,7 +28,7 @@ public: * Construct a UID of a given bit-length, optionally from given values. * @see UID::Set */ - UID(bro_uint_t bits, const uint64* v = 0, size_t n = 0) + explicit UID(bro_uint_t bits, const uint64* v = 0, size_t n = 0) { Set(bits, v, n); } /** 
@@ -59,9 +59,8 @@ public: /** * @return false if the UID instance was created via the default ctor * and not yet initialized w/ Set(). - * TODO: this would be better as an "explicit" conversion operator (C++11) */ - operator bool() const + explicit operator bool() const { return initialized; } /** diff --git a/src/Val.cc b/src/Val.cc index ca70e1f5df..7879d282b2 100644 --- a/src/Val.cc +++ b/src/Val.cc @@ -27,6 +27,8 @@ #include "Reporter.h" #include "IPAddr.h" +#include "broker/Data.h" + Val::Val(Func* f) { val.func_val = f; 
@@ -760,34 +762,92 @@ bool IntervalVal::DoUnserialize(UnserialInfo* info) return true; } -PortVal::PortVal(uint32 p, TransportProto port_type) : Val(TYPE_PORT) +PortManager::PortManager() + { + for ( auto i = 0u; i < ports.size(); ++i ) + { + auto& arr = ports[i]; + auto port_type = (TransportProto)i; + + for ( auto j = 0u; j < arr.size(); ++j ) + arr[j] = new PortVal(Mask(j, port_type), true); + } + } + +PortManager::~PortManager() + { + for ( auto& arr : ports ) + for ( auto& pv : arr ) + Unref(pv); + } + +PortVal* PortManager::Get(uint32 port_num) const + { + auto mask = port_num & PORT_SPACE_MASK; + port_num &= ~PORT_SPACE_MASK; + + if ( mask == TCP_PORT_MASK ) + return Get(port_num, TRANSPORT_TCP); + else if ( mask == UDP_PORT_MASK ) + return Get(port_num, TRANSPORT_UDP); + else if ( mask == ICMP_PORT_MASK ) + return Get(port_num, TRANSPORT_ICMP); + else + return Get(port_num, TRANSPORT_UNKNOWN); + } + +PortVal* PortManager::Get(uint32 port_num, TransportProto port_type) const + { + if ( port_num >= 65536 ) + { + reporter->Warning("bad port number %d", port_num); + port_num = 0; + } + + auto rval = ports[port_type][port_num]; + ::Ref(rval); + return rval; + } + +uint32 PortManager::Mask(uint32 port_num, TransportProto port_type) const { // Note, for ICMP one-way connections: // src_port = icmp_type, dst_port = icmp_code. 
- if ( p >= 65536 ) + if ( port_num >= 65536 ) { - InternalWarning("bad port number"); - p = 0; + reporter->Warning("bad port number %d", port_num); + port_num = 0; } switch ( port_type ) { case TRANSPORT_TCP: - p |= TCP_PORT_MASK; + port_num |= TCP_PORT_MASK; break; case TRANSPORT_UDP: - p |= UDP_PORT_MASK; + port_num |= UDP_PORT_MASK; break; case TRANSPORT_ICMP: - p |= ICMP_PORT_MASK; + port_num |= ICMP_PORT_MASK; break; default: - break; // "other" + break; // "unknown/other" } + return port_num; + } + +PortVal::PortVal(uint32 p, TransportProto port_type) : Val(TYPE_PORT) + { + auto port_num = port_mgr->Mask(p, port_type); + val.uint_val = static_cast(port_num); + } + +PortVal::PortVal(uint32 p, bool unused) : Val(TYPE_PORT) + { val.uint_val = static_cast(p); } @@ -856,6 +916,11 @@ AddrVal::AddrVal(const char* text) : Val(TYPE_ADDR) val.addr_val = new IPAddr(text); } +AddrVal::AddrVal(const std::string& text) : Val(TYPE_ADDR) + { + val.addr_val = new IPAddr(text); + } + AddrVal::AddrVal(uint32 addr) : Val(TYPE_ADDR) { // ### perhaps do gethostbyaddr here? @@ -1641,9 +1706,11 @@ int TableVal::RemoveFrom(Val* val) const HashKey* k; while ( tbl->NextEntry(k, c) ) { - Val* index = RecoverIndex(k); - - Unref(index); + // Not sure that this is 100% sound, since the HashKey + // comes from one table but is being used in another. + // OTOH, they are both the same type, so as long as + // we don't have hash keys that are keyed per dictionary, + // it should work ... Unref(t->Delete(k)); delete k; } 
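Review bot: `PortManager::Get(uint32, TransportProto)` range-checks `port_num` but indexes `ports[port_type][port_num]` without checking `port_type`, so an enum value outside `0..NUM_PORT_SPACES-1` (for instance one cast from an integer elsewhere) reads past the outer array. A guard before the lookup, such as `if ( port_type >= NUM_PORT_SPACES ) port_type = TRANSPORT_UNKNOWN;`, would close that, assuming TransportProto's enumerators are meant to map one-to-one onto the port spaces. Separately, both new `reporter->Warning("bad port number %d", port_num)` calls pass a `uint32` to `%d`; `%u` matches the argument type.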
@@ -1651,6 +1718,91 @@ int TableVal::RemoveFrom(Val* val) const return 1; } +TableVal* TableVal::Intersect(const TableVal* tv) const + { + TableVal* result = new TableVal(table_type); + + const PDict(TableEntryVal)* t0 = AsTable(); + const PDict(TableEntryVal)* t1 = tv->AsTable(); + PDict(TableEntryVal)* t2 = result->AsNonConstTable(); + + // Figure out which is smaller; assign it to t1. + if ( t1->Length() > t0->Length() ) + { // Swap. + const PDict(TableEntryVal)* tmp = t1; + t1 = t0; + t0 = tmp; + } + + IterCookie* c = t1->InitForIteration(); + HashKey* k; + while ( t1->NextEntry(k, c) ) + { + // Here we leverage the same assumption about consistent + // hashes as in TableVal::RemoveFrom above. + if ( t0->Lookup(k) ) + t2->Insert(k, new TableEntryVal(0)); + + delete k; + } + + return result; + } + +bool TableVal::EqualTo(const TableVal* tv) const + { + const PDict(TableEntryVal)* t0 = AsTable(); + const PDict(TableEntryVal)* t1 = tv->AsTable(); + + if ( t0->Length() != t1->Length() ) + return false; + + IterCookie* c = t0->InitForIteration(); + HashKey* k; + while ( t0->NextEntry(k, c) ) + { + // Here we leverage the same assumption about consistent + // hashes as in TableVal::RemoveFrom above. + if ( ! t1->Lookup(k) ) + { + delete k; + t0->StopIteration(c); + return false; + } + + delete k; + } + + return true; + } + +bool TableVal::IsSubsetOf(const TableVal* tv) const + { + const PDict(TableEntryVal)* t0 = AsTable(); + const PDict(TableEntryVal)* t1 = tv->AsTable(); + + if ( t0->Length() > t1->Length() ) + return false; + + IterCookie* c = t0->InitForIteration(); + HashKey* k; + while ( t0->NextEntry(k, c) ) + { + // Here we leverage the same assumption about consistent + // hashes as in TableVal::RemoveFrom above. + if ( ! t1->Lookup(k) ) + { + delete k; + t0->StopIteration(c); + return false; + } + + delete k; + } + + return true; + } + int TableVal::ExpandAndInit(Val* index, Val* new_val) { BroType* index_type = index->Type(); 
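Review bot: Intersect(), EqualTo() and IsSubsetOf() look up hash keys generated by one table in the other table's dictionary, and nothing in these functions checks that `tv` is non-null or that both tables share an index type. The in-code comments acknowledge the consistent-hash assumption, but it is not enforced, so a mismatched pair would silently give wrong membership results. If the script-level type checker already guarantees matching types, say so in a comment at the top of each function; otherwise add an early check such as `if ( ! same_type(Type(), tv->Type()) )` that reports the mismatch before iterating.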
@@ -2659,6 +2811,8 @@ unsigned int TableVal::MemoryAllocation() const + table_hash->MemoryAllocation(); } +vector RecordVal::parse_time_records; + RecordVal::RecordVal(RecordType* t) : MutableVal(t) { origin = 0; @@ -2704,6 +2858,12 @@ RecordVal::RecordVal(RecordType* t) : MutableVal(t) vl->append(def ? def->Ref() : 0); Unref(def); + + if ( is_parsing ) + { + parse_time_records.emplace_back(this); + Ref(); + } } } @@ -2769,6 +2929,29 @@ Val* RecordVal::LookupWithDefault(int field) const return record_type->FieldDefault(field); } +void RecordVal::ResizeParseTimeRecords() + { + for ( auto& rv : parse_time_records ) + { + auto vs = rv->val.val_list_val; + auto rt = rv->record_type; + auto current_length = vs->length(); + auto required_length = rt->NumFields(); + + if ( required_length > current_length ) + { + vs->resize(required_length); + + for ( auto i = current_length; i < required_length; ++i ) + vs->replace(i, nullptr); + } + + Unref(rv); + } + + parse_time_records.clear(); + } + Val* RecordVal::Lookup(const char* field, bool with_default) const { int idx = record_type->FieldOffset(field); @@ -3132,7 +3315,7 @@ bool VectorVal::AssignRepeat(unsigned int index, unsigned int how_many, ResizeAtLeast(index + how_many); for ( unsigned int i = index; i < index + how_many; ++i ) - if ( ! Assign(i, element ) ) + if ( ! Assign(i, element->Ref() ) ) return false; return true; 
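Review bot: The added `if ( is_parsing )` block appears to sit inside the per-field loop of the RecordVal constructor, judging by the two closing braces that follow it in the context. If so, a record with N fields is appended to `parse_time_records` and Ref'd N times, and a record type with no fields is never registered. The counts stay balanced because ResizeParseTimeRecords() calls `Unref(rv)` once per entry, but registering once after the loop would keep the list at one entry per record and cover the zero-field case. The loop header is outside the hunk, so the placement should be confirmed against the full file.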
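Review bot: In VectorVal::AssignRepeat the new `Assign(i, element->Ref())` takes one reference per slot, which leaves the reference the caller passed in unconsumed; the ownership rule for `element` is not documented in this hunk. A comment above the loop would settle it, for example `// Each slot gets its own reference; the caller keeps ownership of 'element'.` Whether Assign() releases the freshly taken reference when it returns false is not visible here and should be checked, since the early `return false` would otherwise leak it. The function body begins outside the hunk.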
@@ -3432,3 +3615,75 @@ void delete_vals(val_list* vals) delete vals; } } + +Val* cast_value_to_type(Val* v, BroType* t) + { + // Note: when changing this function, adapt all three of + // cast_value_to_type()/can_cast_value_to_type()/can_cast_value_to_type(). + + if ( ! v ) + return 0; + + // Always allow casting to same type. This also covers casting 'any' + // to the actual type. + if ( same_type(v->Type(), t) ) + return v->Ref(); + + if ( same_type(v->Type(), bro_broker::DataVal::ScriptDataType()) ) + { + auto dv = v->AsRecordVal()->Lookup(0); + + if ( ! dv ) + return 0; + + return static_cast(dv)->castTo(t); + } + + return 0; + } + +bool can_cast_value_to_type(const Val* v, BroType* t) + { + // Note: when changing this function, adapt all three of + // cast_value_to_type()/can_cast_value_to_type()/can_cast_value_to_type(). + + if ( ! v ) + return false; + + // Always allow casting to same type. This also covers casting 'any' + // to the actual type. + if ( same_type(v->Type(), t) ) + return true; + + if ( same_type(v->Type(), bro_broker::DataVal::ScriptDataType()) ) + { + auto dv = v->AsRecordVal()->Lookup(0); + + if ( ! dv ) + return false; + + return static_cast(dv)->canCastTo(t); + } + + return false; + } + +bool can_cast_value_to_type(const BroType* s, BroType* t) + { + // Note: when changing this function, adapt all three of + // cast_value_to_type()/can_cast_value_to_type()/can_cast_value_to_type(). + + // Always allow casting to same type. This also covers casting 'any' + // to the actual type. + if ( same_type(s, t) ) + return true; + + if ( same_type(s, bro_broker::DataVal::ScriptDataType()) ) + // As Broker is dynamically typed, we don't know if we will be able + // to convert the type as intended. We optimistically assume that we + // will. + return true; + + return false; + } + diff --git a/src/Val.h b/src/Val.h index 160eeafe64..bb18dceb4f 100644 --- a/src/Val.h +++ b/src/Val.h 
@@ -7,6 +7,7 @@ #include #include +#include #include "net_util.h" #include "Type.h" @@ -130,11 +131,11 @@ public: #endif } - Val(Func* f); + explicit Val(Func* f); // Note, will unref 'f' when it's done, closing it unless // class has ref'd it. - Val(BroFile* f); + explicit Val(BroFile* f); Val(BroType* t, bool type_type) // Extra arg to differentiate from protected version. { @@ -153,7 +154,7 @@ public: #endif } - virtual ~Val(); + ~Val() override; Val* Ref() { ::Ref(this); return this; } virtual Val* Clone() const; @@ -364,7 +365,7 @@ protected: virtual void ValDescribe(ODesc* d) const; virtual void ValDescribeReST(ODesc* d) const; - Val(TypeTag t) + explicit Val(TypeTag t) { type = base_type(t); #ifdef DEBUG @@ -372,7 +373,7 @@ protected: #endif } - Val(BroType* t) + explicit Val(BroType* t) { type = t->Ref(); #ifdef DEBUG @@ -443,7 +444,7 @@ public: #endif } - virtual uint64 LastModified() const override { return last_modified; } + uint64 LastModified() const override { return last_modified; } // Mark value as changed. void Modified() @@ -452,10 +453,10 @@ public: } protected: - MutableVal(BroType* t) : Val(t) + explicit MutableVal(BroType* t) : Val(t) { props = 0; id = 0; last_modified = SerialObj::ALWAYS; } MutableVal() { props = 0; id = 0; last_modified = SerialObj::ALWAYS; } - ~MutableVal(); + ~MutableVal() override; friend class ID; friend class Val; 
@@ -503,11 +504,35 @@ protected: #define UDP_PORT_MASK 0x20000 #define ICMP_PORT_MASK 0x30000 +class PortManager { +public: + PortManager(); + ~PortManager(); + + // Port number given in host order. + PortVal* Get(uint32 port_num, TransportProto port_type) const; + + // Host-order port number already masked with port space protocol mask. + PortVal* Get(uint32 port_num) const; + + // Returns a masked port number + uint32 Mask(uint32 port_num, TransportProto port_type) const; + +private: + std::array, NUM_PORT_SPACES> ports; +}; + +extern PortManager* port_mgr; + class PortVal : public Val { public: - // Constructors - both take the port number in host order. + // Port number given in host order. + BRO_DEPRECATED("use port_mgr->Get() instead") PortVal(uint32 p, TransportProto port_type); - PortVal(uint32 p); // used for already-massaged port value. + + // Host-order port number already masked with port space protocol mask. + BRO_DEPRECATED("use port_mgr->Get() instead") + explicit PortVal(uint32 p); Val* SizeVal() const override { return new Val(val.uint_val, TYPE_INT); } @@ -533,7 +558,9 @@ public: protected: friend class Val; + friend class PortManager; PortVal() {} + PortVal(uint32 p, bool unused); void ValDescribe(ODesc* d) const override; 
@@ -542,36 +569,37 @@ protected: class AddrVal : public Val { public: - AddrVal(const char* text); - ~AddrVal(); + explicit AddrVal(const char* text); + explicit AddrVal(const std::string& text); + ~AddrVal() override; Val* SizeVal() const override; // Constructor for address already in network order. - AddrVal(uint32 addr); // IPv4. - AddrVal(const uint32 addr[4]); // IPv6. - AddrVal(const IPAddr& addr); + explicit AddrVal(uint32 addr); // IPv4. + explicit AddrVal(const uint32 addr[4]); // IPv6. + explicit AddrVal(const IPAddr& addr); unsigned int MemoryAllocation() const override; protected: friend class Val; AddrVal() {} - AddrVal(TypeTag t) : Val(t) { } - AddrVal(BroType* t) : Val(t) { } + explicit AddrVal(TypeTag t) : Val(t) { } + explicit AddrVal(BroType* t) : Val(t) { } DECLARE_SERIAL(AddrVal); }; class SubNetVal : public Val { public: - SubNetVal(const char* text); + explicit SubNetVal(const char* text); SubNetVal(const char* text, int width); SubNetVal(uint32 addr, int width); // IPv4. SubNetVal(const uint32 addr[4], int width); // IPv6. SubNetVal(const IPAddr& addr, int width); - SubNetVal(const IPPrefix& prefix); - ~SubNetVal(); + explicit SubNetVal(const IPPrefix& prefix); + ~SubNetVal() override; Val* SizeVal() const override; @@ -594,9 +622,9 @@ protected: class StringVal : public Val { public: - StringVal(BroString* s); - StringVal(const char* s); - StringVal(const string& s); + explicit StringVal(BroString* s); + explicit StringVal(const char* s); + explicit StringVal(const string& s); StringVal(int length, const char* s); Val* SizeVal() const override @@ -626,8 +654,8 @@ protected: class PatternVal : public Val { public: - PatternVal(RE_Matcher* re); - ~PatternVal(); + explicit PatternVal(RE_Matcher* re); + ~PatternVal() override; int AddTo(Val* v, int is_first_init) const override; 
@@ -648,8 +676,8 @@ protected: // element in their index. class ListVal : public Val { public: - ListVal(TypeTag t); - ~ListVal(); + explicit ListVal(TypeTag t); + ~ListVal() override; TypeTag BaseTag() const { return tag; } @@ -695,7 +723,7 @@ extern double bro_start_network_time; class TableEntryVal { public: - TableEntryVal(Val* v) + explicit TableEntryVal(Val* v) { val = v; last_access_time = network_time; @@ -737,9 +765,9 @@ protected: class TableValTimer : public Timer { public: TableValTimer(TableVal* val, double t); - ~TableValTimer(); + ~TableValTimer() override; - virtual void Dispatch(double t, int is_expire); + void Dispatch(double t, int is_expire) override; TableVal* Table() { return table; } @@ -750,8 +778,8 @@ protected: class CompositeHash; class TableVal : public MutableVal { public: - TableVal(TableType* t, Attributes* attrs = 0); - ~TableVal(); + explicit TableVal(TableType* t, Attributes* attrs = 0); + ~TableVal() override; // Returns true if the assignment typechecked, false if not. The // methods take ownership of new_val, but not of the index. Second 
@@ -781,6 +809,22 @@ public: // Returns true if the addition typechecked, false if not. int RemoveFrom(Val* v) const override; + // Returns a new table that is the intersection of this + // table and the given table. Intersection is just done + // on index, not on yield value, so this really only makes + // sense for sets. + TableVal* Intersect(const TableVal* v) const; + + // Returns true if this set contains the same members as the + // given set. Note that comparisons are done using hash keys, + // so errors can arise for compound sets such as sets-of-sets. + // See https://bro-tracker.atlassian.net/browse/BIT-1949. + bool EqualTo(const TableVal* v) const; + + // Returns true if this set is a subset (not necessarily proper) + // of the given set. + bool IsSubsetOf(const TableVal* v) const; + // Expands any lists in the index into multiple initializations. // Returns true if the initializations typecheck, false if not. int ExpandAndInit(Val* index, Val* new_val); @@ -892,8 +936,8 @@ protected: class RecordVal : public MutableVal { public: - RecordVal(RecordType* t); - ~RecordVal(); + explicit RecordVal(RecordType* t); + ~RecordVal() override; Val* SizeVal() const override { return new Val(record_type->NumFields(), TYPE_COUNT); } @@ -937,6 +981,11 @@ public: unsigned int MemoryAllocation() const override; void DescribeReST(ODesc* d) const override; + // Extend the underlying arrays of record instances created during + // parsing to match the number of fields in the record type (they may + // mismatch as a result of parse-time record type redefinitions. + static void ResizeParseTimeRecords(); + protected: friend class Val; RecordVal() {} @@ -948,6 +997,8 @@ protected: RecordType* record_type; BroObj* origin; + + static vector parse_time_records; }; class EnumVal : public Val { 
@@ -972,16 +1023,14 @@ protected: class VectorVal : public MutableVal { public: - VectorVal(VectorType* t); - ~VectorVal(); + explicit VectorVal(VectorType* t); + ~VectorVal() override; Val* SizeVal() const override { return new Val(uint32(val.vector_val->size()), TYPE_COUNT); } // Returns false if the type of the argument was wrong. // The vector will automatically grow to accomodate the index. - // 'assigner" is the expression that is doing the assignment; - // it's just used for pinpointing errors. // // Note: does NOT Ref() the element! Remember to do so unless // the element was just created and thus has refcount 1. @@ -1034,8 +1083,8 @@ protected: // functions). See OpaqueVal.h for derived classes. class OpaqueVal : public Val { public: - OpaqueVal(OpaqueType* t); - virtual ~OpaqueVal(); + explicit OpaqueVal(OpaqueType* t); + ~OpaqueVal() override; protected: friend class Val; @@ -1066,4 +1115,22 @@ extern void delete_vals(val_list* vals); // True if the given Val* has a vector type. inline bool is_vector(Val* v) { return v->Type()->Tag() == TYPE_VECTOR; } +// Returns v casted to type T if the type supports that. Returns null if not. +// The returned value will be ref'ed. +// +// Note: This implements the script-level cast operator. +extern Val* cast_value_to_type(Val* v, BroType* t); + +// Returns true if v can be casted to type T. If so, check_and_cast() will +// succeed as well. +// +// Note: This implements the script-level type comparision operator. +extern bool can_cast_value_to_type(const Val* v, BroType* t); + +// Returns true if values of type s may support casting to type t. This is +// purely static check to weed out cases early on that will never succeed. +// However, even this function returns true, casting may still fail for a +// specific instance later. +extern bool can_cast_value_to_type(const BroType* s, BroType* t); + #endif diff --git a/src/Var.cc b/src/Var.cc index e923e2ec37..009c2003a7 100644 --- a/src/Var.cc +++ b/src/Var.cc 
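Review bot: The comment on `can_cast_value_to_type(const Val* v, BroType* t)` in the last Val.h hunk says `check_and_cast()` will succeed, but no function of that name is declared here; the companion declared just above it is `cast_value_to_type()`. The comments also refer to "type T" while the parameter is `t`, and "comparision" is misspelled. Suggested wording: `// Returns true if v can be cast to type t. If so, cast_value_to_type() will succeed as well.` It would also help to state on `cast_value_to_type()` that the caller must Unref the returned value and that `v` itself is not consumed, if that is the intent.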
@@ -139,7 +139,12 @@ static void make_var(ID* id, BroType* t, init_class c, Expr* init, { if ( dt == VAR_CONST ) { - id->Error("&persistant/synchronized with constant"); + id->Error("&persistent/synchronized with constant"); + return; + } + else if ( dt == VAR_OPTION ) + { + id->Error("&persistent/synchronized with option"); return; } @@ -207,6 +212,14 @@ static void make_var(ID* id, BroType* t, init_class c, Expr* init, id->SetConst(); } + if ( dt == VAR_OPTION ) + { + if ( ! init ) + id->Error("option variable must be initialized"); + + id->SetOption(); + } + id->UpdateValAttrs(); if ( t && t->Tag() == TYPE_FUNC && diff --git a/src/Var.h b/src/Var.h index bcdd45dad2..831c10e90c 100644 --- a/src/Var.h +++ b/src/Var.h @@ -10,7 +10,7 @@ class Func; class EventHandlerPtr; -typedef enum { VAR_REGULAR, VAR_CONST, VAR_REDEF, } decl_type; +typedef enum { VAR_REGULAR, VAR_CONST, VAR_REDEF, VAR_OPTION, } decl_type; extern void add_global(ID* id, BroType* t, init_class c, Expr* init, attr_list* attr, decl_type dt); diff --git a/src/analyzer/Analyzer.h b/src/analyzer/Analyzer.h index df77a990ce..a13df7e21e 100644 --- a/src/analyzer/Analyzer.h +++ b/src/analyzer/Analyzer.h @@ -102,7 +102,7 @@ public: * * @param conn The connection the analyzer is associated with. */ - Analyzer(Connection* conn); + explicit Analyzer(Connection* conn); /** * Destructor. @@ -731,7 +731,7 @@ public: /** * Destructor. */ - virtual ~SupportAnalyzer() {} + ~SupportAnalyzer() override {} /** * Returns true if this is a support analyzer for the connection's @@ -755,8 +755,8 @@ public: * * Parameters same as for Analyzer::ForwardPacket. */ - virtual void ForwardPacket(int len, const u_char* data, bool orig, - uint64 seq, const IP_Hdr* ip, int caplen); + void ForwardPacket(int len, const u_char* data, bool orig, + uint64 seq, const IP_Hdr* ip, int caplen) override; /** * Passes stream input to the next sibling SupportAnalyzer if any, or 
@@ -766,7 +766,7 @@ public: * * Parameters same as for Analyzer::ForwardStream. */ - virtual void ForwardStream(int len, const u_char* data, bool orig); + void ForwardStream(int len, const u_char* data, bool orig) override; /** * Passes gap information to the next sibling SupportAnalyzer if any, @@ -776,7 +776,7 @@ public: * * Parameters same as for Analyzer::ForwardPacket. */ - virtual void ForwardUndelivered(uint64 seq, int len, bool orig); + void ForwardUndelivered(uint64 seq, int len, bool orig) override; protected: friend class Analyzer; @@ -814,7 +814,7 @@ public: /** * Overridden from parent class. */ - virtual void Done(); + void Done() override; /** * Returns true if the analyzer determines that in fact a new diff --git a/src/analyzer/Component.h b/src/analyzer/Component.h index cff79c2774..c52bf05fc6 100644 --- a/src/analyzer/Component.h +++ b/src/analyzer/Component.h @@ -61,7 +61,7 @@ public: /** * Destructor. */ - ~Component(); + ~Component() override; /** * Initialization function. This function has to be called before any diff --git a/src/analyzer/Manager.cc b/src/analyzer/Manager.cc index 9858001c6f..4b5441f395 100644 --- a/src/analyzer/Manager.cc +++ b/src/analyzer/Manager.cc @@ -434,14 +434,16 @@ bool Manager::BuildInitialAnalyzerTree(Connection* conn) if ( tcp_contents && ! reass ) { - PortVal dport(ntohs(conn->RespPort()), TRANSPORT_TCP); + auto dport = port_mgr->Get(ntohs(conn->RespPort()), TRANSPORT_TCP); Val* result; if ( ! reass ) - reass = tcp_content_delivery_ports_orig->Lookup(&dport); + reass = tcp_content_delivery_ports_orig->Lookup(dport); if ( ! reass ) - reass = tcp_content_delivery_ports_resp->Lookup(&dport); + reass = tcp_content_delivery_ports_resp->Lookup(dport); + + Unref(dport); } if ( reass ) diff --git a/src/analyzer/Manager.h b/src/analyzer/Manager.h index 2388a36219..d341940e7d 100644 --- a/src/analyzer/Manager.h +++ b/src/analyzer/Manager.h 
@@ -114,7 +114,7 @@ public: bool DisableAnalyzer(Tag tag); /** - * Enables an analyzer type. Disabled analyzers will not be + * Disables an analyzer type. Disabled analyzers will not be * instantiated for new connections. * * @param tag The analyzer's tag as an enum of script type \c diff --git a/src/analyzer/Tag.h b/src/analyzer/Tag.h index 9ba04b2ef8..926196c747 100644 --- a/src/analyzer/Tag.h +++ b/src/analyzer/Tag.h @@ -42,11 +42,8 @@ public: /** * Returns false if the tag represents an error value rather than a * legal analyzer type. - * TODO: make this conversion operator "explicit" (C++11) or use a - * "safe bool" idiom (not necessary if "explicit" is available), - * otherwise this may allow nonsense/undesired comparison operations. */ - operator bool() const { return *this != Tag(); } + explicit operator bool() const { return *this != Tag(); } /** * Assignment operator. @@ -102,14 +99,14 @@ protected: * @param subtype The sub type, which is left to an analyzer for * interpretation. By default it's set to zero. */ - Tag(type_t type, subtype_t subtype = 0); + explicit Tag(type_t type, subtype_t subtype = 0); /** * Constructor. * * @param val An enum value of script type \c Analyzer::Tag. */ - Tag(EnumVal* val) : ::Tag(val) {} + explicit Tag(EnumVal* val) : ::Tag(val) {} }; } diff --git a/src/analyzer/protocol/arp/ARP.cc b/src/analyzer/protocol/arp/ARP.cc index b9af26ecfa..83166bd149 100644 --- a/src/analyzer/protocol/arp/ARP.cc +++ b/src/analyzer/protocol/arp/ARP.cc @@ -140,7 +140,7 @@ void ARP_Analyzer::NextPacket(double t, const Packet* pkt) // Check MAC src address = ARP sender MAC address. - if ( memcmp((const char*) (data+6), ar_sha(ah), ah->ar_hln) ) + if ( memcmp(pkt->l2_src, ar_sha(ah), ah->ar_hln) ) { BadARP(ah, "weird-arp-sha"); return; 
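Review bot: In ARP.cc the sender-MAC check now reads `memcmp(pkt->l2_src, ar_sha(ah), ah->ar_hln)`, so a `Packet` field is dereferenced with a length taken from the ARP header itself. Nothing in this hunk shows that `pkt->l2_src` is always set for every link type that can reach `NextPacket`, or that `ar_hln` has already been pinned to the Ethernet address size. Both would have to hold earlier in the function, which starts outside the hunk. If either is not guaranteed, bail out before the comparison, for example with `if ( ! pkt->l2_src || ! pkt->l2_dst ) return;`. The following ARP.cc hunk passes the same two pointers to `RREvent` and depends on the same guarantee.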
@@ -149,12 +149,12 @@ void ARP_Analyzer::NextPacket(double t, const Packet* pkt) // Check the code is supported. switch ( ntohs(ah->ar_op) ) { case ARPOP_REQUEST: - RREvent(arp_request, data+6, data, + RREvent(arp_request, pkt->l2_src, pkt->l2_dst, ar_spa(ah), ar_sha(ah), ar_tpa(ah), ar_tha(ah)); break; case ARPOP_REPLY: - RREvent(arp_reply, data+6, data, + RREvent(arp_reply, pkt->l2_src, pkt->l2_dst, ar_spa(ah), ar_sha(ah), ar_tpa(ah), ar_tha(ah)); break; diff --git a/src/analyzer/protocol/arp/ARP.h b/src/analyzer/protocol/arp/ARP.h index 1bdd382714..86ea14d694 100644 --- a/src/analyzer/protocol/arp/ARP.h +++ b/src/analyzer/protocol/arp/ARP.h @@ -36,11 +36,11 @@ namespace analyzer { namespace arp { class ARP_Analyzer : public BroObj { public: ARP_Analyzer(); - virtual ~ARP_Analyzer(); + ~ARP_Analyzer() override; void NextPacket(double t, const Packet* pkt); - void Describe(ODesc* d) const; + void Describe(ODesc* d) const override; void RREvent(EventHandlerPtr e, const u_char* src, const u_char* dst, const char* spa, const char* sha, const char* tpa, const char* tha); diff --git a/src/analyzer/protocol/ayiya/AYIYA.cc b/src/analyzer/protocol/ayiya/AYIYA.cc index a1e00e9b38..9c4ac237ab 100644 --- a/src/analyzer/protocol/ayiya/AYIYA.cc +++ b/src/analyzer/protocol/ayiya/AYIYA.cc @@ -1,7 +1,6 @@ #include "AYIYA.h" #include "Func.h" -#include "events.bif.h" using namespace analyzer::ayiya; diff --git a/src/analyzer/protocol/ayiya/AYIYA.h b/src/analyzer/protocol/ayiya/AYIYA.h index 6e8baa11f8..4deb98c560 100644 --- a/src/analyzer/protocol/ayiya/AYIYA.h +++ b/src/analyzer/protocol/ayiya/AYIYA.h @@ -7,7 +7,7 @@ namespace analyzer { namespace ayiya { class AYIYA_Analyzer : public analyzer::Analyzer { public: - AYIYA_Analyzer(Connection* conn); + explicit AYIYA_Analyzer(Connection* conn); virtual ~AYIYA_Analyzer(); virtual void Done(); 
@@ -18,8 +18,6 @@ public: { return new AYIYA_Analyzer(conn); } protected: - void ExpireTimer(double t); - binpac::AYIYA::AYIYA_Conn* interp; }; diff --git a/src/analyzer/protocol/ayiya/CMakeLists.txt b/src/analyzer/protocol/ayiya/CMakeLists.txt index ae23c25e2d..50113b72d7 100644 --- a/src/analyzer/protocol/ayiya/CMakeLists.txt +++ b/src/analyzer/protocol/ayiya/CMakeLists.txt @@ -5,6 +5,5 @@ include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DI bro_plugin_begin(Bro AYIYA) bro_plugin_cc(AYIYA.cc Plugin.cc) -bro_plugin_bif(events.bif) bro_plugin_pac(ayiya.pac ayiya-protocol.pac ayiya-analyzer.pac) bro_plugin_end() diff --git a/src/analyzer/protocol/ayiya/ayiya-analyzer.pac b/src/analyzer/protocol/ayiya/ayiya-analyzer.pac index 56fcc794bc..1d8cbe90b6 100644 --- a/src/analyzer/protocol/ayiya/ayiya-analyzer.pac +++ b/src/analyzer/protocol/ayiya/ayiya-analyzer.pac @@ -59,6 +59,11 @@ flow AYIYA_Flow if ( result == 0 ) connection()->bro_analyzer()->ProtocolConfirmation(); + else if ( result == -2 ) + connection()->bro_analyzer()->ProtocolViolation( + "AYIYA next header internal mismatch", (const char*)${pdu.packet}.data(), + ${pdu.packet}.length()); + else if ( result < 0 ) connection()->bro_analyzer()->ProtocolViolation( "Truncated AYIYA", (const char*) ${pdu.packet}.data(), diff --git a/src/analyzer/protocol/ayiya/ayiya.pac b/src/analyzer/protocol/ayiya/ayiya.pac index b1f3a6ef77..ff0af4d47c 100644 --- a/src/analyzer/protocol/ayiya/ayiya.pac +++ b/src/analyzer/protocol/ayiya/ayiya.pac @@ -2,10 +2,6 @@ %include binpac.pac %include bro.pac -%extern{ -#include "events.bif.h" -%} - analyzer AYIYA withcontext { connection: AYIYA_Conn; flow: AYIYA_Flow; diff --git a/src/analyzer/protocol/backdoor/BackDoor.h b/src/analyzer/protocol/backdoor/BackDoor.h index 151eb51670..c954d176d5 100644 --- a/src/analyzer/protocol/backdoor/BackDoor.h +++ b/src/analyzer/protocol/backdoor/BackDoor.h 
@@ -12,7 +12,7 @@ namespace analyzer { namespace backdoor { class BackDoorEndpoint { public: - BackDoorEndpoint(tcp::TCP_Endpoint* e); + explicit BackDoorEndpoint(tcp::TCP_Endpoint* e); int DataSent(double t, uint64 seq, int len, int caplen, const u_char* data, const IP_Hdr* ip, const struct tcphdr* tp); @@ -66,11 +66,11 @@ protected: class BackDoor_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: - BackDoor_Analyzer(Connection* c); - ~BackDoor_Analyzer(); + explicit BackDoor_Analyzer(Connection* c); + ~BackDoor_Analyzer() override; - virtual void Init(); - virtual void Done(); + void Init() override; + void Done() override; void StatTimer(double t, int is_expire); static analyzer::Analyzer* Instantiate(Connection* conn) @@ -79,9 +79,9 @@ public: protected: // We support both packet and stream input, and can be instantiated // even if the TCP analyzer is not yet reassembling. - virtual void DeliverPacket(int len, const u_char* data, bool is_orig, - uint64 seq, const IP_Hdr* ip, int caplen); - virtual void DeliverStream(int len, const u_char* data, bool is_orig); + void DeliverPacket(int len, const u_char* data, bool is_orig, + uint64 seq, const IP_Hdr* ip, int caplen) override; + void DeliverStream(int len, const u_char* data, bool is_orig) override; void StatEvent(); void RemoveEvent(); @@ -99,9 +99,9 @@ protected: class BackDoorTimer : public Timer { public: BackDoorTimer(double t, BackDoor_Analyzer* a); - ~BackDoorTimer(); + ~BackDoorTimer() override; - void Dispatch(double t, int is_expire); + void Dispatch(double t, int is_expire) override; protected: BackDoor_Analyzer* analyzer; diff --git a/src/analyzer/protocol/bittorrent/BitTorrent.h b/src/analyzer/protocol/bittorrent/BitTorrent.h index f1cd90c727..eb0cf6188a 100644 --- a/src/analyzer/protocol/bittorrent/BitTorrent.h +++ b/src/analyzer/protocol/bittorrent/BitTorrent.h 
@@ -11,13 +11,13 @@ namespace analyzer { namespace bittorrent { class BitTorrent_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: - BitTorrent_Analyzer(Connection* conn); - virtual ~BitTorrent_Analyzer(); + explicit BitTorrent_Analyzer(Connection* conn); + ~BitTorrent_Analyzer() override; - virtual void Done(); - virtual void DeliverStream(int len, const u_char* data, bool orig); - virtual void Undelivered(uint64 seq, int len, bool orig); - virtual void EndpointEOF(bool is_orig); + void Done() override; + void DeliverStream(int len, const u_char* data, bool orig) override; + void Undelivered(uint64 seq, int len, bool orig) override; + void EndpointEOF(bool is_orig) override; static analyzer::Analyzer* Instantiate(Connection* conn) { return new BitTorrent_Analyzer(conn); } diff --git a/src/analyzer/protocol/bittorrent/BitTorrentTracker.cc b/src/analyzer/protocol/bittorrent/BitTorrentTracker.cc index 43ee6a2b21..452fb0fe6c 100644 --- a/src/analyzer/protocol/bittorrent/BitTorrentTracker.cc +++ b/src/analyzer/protocol/bittorrent/BitTorrentTracker.cc @@ -482,7 +482,7 @@ void BitTorrentTracker_Analyzer::ResponseBenc(int name_len, char* name, RecordVal* peer = new RecordVal(bittorrent_peer); peer->Assign(0, new AddrVal(ad)); - peer->Assign(1, new PortVal(pt, TRANSPORT_TCP)); + peer->Assign(1, port_mgr->Get(pt, TRANSPORT_TCP)); res_val_peers->Assign(peer, 0); Unref(peer); diff --git a/src/analyzer/protocol/bittorrent/BitTorrentTracker.h b/src/analyzer/protocol/bittorrent/BitTorrentTracker.h index 532f7304fe..4f01d2a146 100644 --- a/src/analyzer/protocol/bittorrent/BitTorrentTracker.h +++ b/src/analyzer/protocol/bittorrent/BitTorrentTracker.h 
@@ -44,13 +44,13 @@ enum btt_benc_states { class BitTorrentTracker_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: - BitTorrentTracker_Analyzer(Connection* conn); - virtual ~BitTorrentTracker_Analyzer(); + explicit BitTorrentTracker_Analyzer(Connection* conn); + ~BitTorrentTracker_Analyzer() override; - virtual void Done(); - virtual void DeliverStream(int len, const u_char* data, bool orig); - virtual void Undelivered(uint64 seq, int len, bool orig); - virtual void EndpointEOF(bool is_orig); + void Done() override; + void DeliverStream(int len, const u_char* data, bool orig) override; + void Undelivered(uint64 seq, int len, bool orig) override; + void EndpointEOF(bool is_orig) override; static analyzer::Analyzer* Instantiate(Connection* conn) { return new BitTorrentTracker_Analyzer(conn); } @@ -59,7 +59,7 @@ protected: void ClientRequest(int len, const u_char* data); void ServerReply(int len, const u_char* data); - void InitBencParser(void); + void InitBencParser(); void DeliverWeird(const char* msg, bool orig); @@ -67,19 +67,19 @@ protected: void RequestGet(char* uri); void RequestHeader(char* name, char* value) { ParseHeader(name, value, true); } - void EmitRequest(void); + void EmitRequest(); bool ParseResponse(char* line); void ResponseStatus(char* status); void ResponseHeader(char* name, char* value) { ParseHeader(name, value, false); } - void ResponseBody(void); + void ResponseBody(); void ResponseBenc(int name_len, char* name, enum btt_benc_types type, int value_len, char* value); void ResponseBenc(int name_len, char* name, enum btt_benc_types type, bro_int_t value); - int ResponseParseBenc(void); - void EmitResponse(void); + int ResponseParseBenc(); + void EmitResponse(); void ParseHeader(char* name, char* value, bool is_request); diff --git a/src/analyzer/protocol/bittorrent/bittorrent-analyzer.pac b/src/analyzer/protocol/bittorrent/bittorrent-analyzer.pac index 3bc6d90230..6040577d39 100644 
--- a/src/analyzer/protocol/bittorrent/bittorrent-analyzer.pac +++ b/src/analyzer/protocol/bittorrent/bittorrent-analyzer.pac @@ -222,7 +222,7 @@ flow BitTorrent_Flow(is_orig: bool) { connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), is_orig(), - new PortVal(listen_port, TRANSPORT_TCP)); + port_mgr->Get(listen_port, TRANSPORT_TCP)); } return true; diff --git a/src/analyzer/protocol/conn-size/ConnSize.h b/src/analyzer/protocol/conn-size/ConnSize.h index d8dff57a1b..b272f8539c 100644 --- a/src/analyzer/protocol/conn-size/ConnSize.h +++ b/src/analyzer/protocol/conn-size/ConnSize.h @@ -11,15 +11,15 @@ namespace analyzer { namespace conn_size { class ConnSize_Analyzer : public analyzer::Analyzer { public: - ConnSize_Analyzer(Connection* c); - virtual ~ConnSize_Analyzer(); + explicit ConnSize_Analyzer(Connection* c); + ~ConnSize_Analyzer() override; - virtual void Init(); - virtual void Done(); + void Init() override; + void Done() override; // from Analyzer.h - virtual void UpdateConnVal(RecordVal *conn_val); - virtual void FlipRoles(); + void UpdateConnVal(RecordVal *conn_val) override; + void FlipRoles() override; void SetThreshold(uint64_t threshold, bool bytes, bool orig); uint64 GetThreshold(bool bytes, bool orig); @@ -28,8 +28,8 @@ public: { return new ConnSize_Analyzer(conn); } protected: - virtual void DeliverPacket(int len, const u_char* data, bool is_orig, - uint64 seq, const IP_Hdr* ip, int caplen); + void DeliverPacket(int len, const u_char* data, bool is_orig, + uint64 seq, const IP_Hdr* ip, int caplen) override; void CheckSizes(bool is_orig); void ThresholdEvent(EventHandlerPtr f, uint64 threshold, bool is_orig); diff --git a/src/analyzer/protocol/conn-size/functions.bif b/src/analyzer/protocol/conn-size/functions.bif index a05359a17b..225e9db913 100644 --- a/src/analyzer/protocol/conn-size/functions.bif +++ b/src/analyzer/protocol/conn-size/functions.bif 
@@ -5,10 +5,7 @@ static analyzer::Analyzer* GetConnsizeAnalyzer(Val* cid) { Connection* c = sessions->FindConnection(cid); if ( ! c ) - { - reporter->Error("cannot find connection"); return 0; - } analyzer::Analyzer* a = c->FindAnalyzer("CONNSIZE"); if ( ! a ) diff --git a/src/analyzer/protocol/dce-rpc/DCE_RPC.h b/src/analyzer/protocol/dce-rpc/DCE_RPC.h index 498e055e0a..c3e7aa54a3 100644 --- a/src/analyzer/protocol/dce-rpc/DCE_RPC.h +++ b/src/analyzer/protocol/dce-rpc/DCE_RPC.h @@ -14,8 +14,8 @@ namespace analyzer { namespace dce_rpc { class DCE_RPC_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: - DCE_RPC_Analyzer(Connection* conn); - ~DCE_RPC_Analyzer(); + explicit DCE_RPC_Analyzer(Connection* conn); + ~DCE_RPC_Analyzer() override; void Done() override; void DeliverStream(int len, const u_char* data, bool orig) override; diff --git a/src/analyzer/protocol/dce-rpc/dce_rpc-protocol.pac b/src/analyzer/protocol/dce-rpc/dce_rpc-protocol.pac index 921b4ba51f..e610efcadc 100644 --- a/src/analyzer/protocol/dce-rpc/dce_rpc-protocol.pac +++ b/src/analyzer/protocol/dce-rpc/dce_rpc-protocol.pac @@ -17,9 +17,11 @@ enum dce_rpc_ptype { DCE_RPC_BIND_NAK, DCE_RPC_ALTER_CONTEXT, DCE_RPC_ALTER_CONTEXT_RESP, + DCE_RPC_AUTH3, DCE_RPC_SHUTDOWN, DCE_RPC_CO_CANCEL, DCE_RPC_ORPHANED, + DCE_RPC_RTS, }; type uuid = bytestring &length = 16; @@ -49,7 +51,7 @@ type NDR_Format = record { }; type DCE_RPC_Header(is_orig: bool) = record { - rpc_vers : uint8 &check(rpc_vers == 5); + rpc_vers : uint8 &enforce(rpc_vers == 5); rpc_vers_minor : uint8; PTYPE : uint8; pfc_flags : uint8; @@ -180,9 +182,11 @@ flow DCE_RPC_Flow(is_orig: bool) { # Fragment reassembly. function reassemble_fragment(header: DCE_RPC_Header, frag: bytestring): bool %{ + auto it = fb.find(${header.call_id}); + if ( ${header.firstfrag} ) { - if ( fb.count(${header.call_id}) > 0 ) + if ( it != fb.end() ) { // We already had a first frag earlier. reporter->Weird(connection()->bro_analyzer()->Conn(), 
@@ -199,9 +203,11 @@ flow DCE_RPC_Flow(is_orig: bool) { else { // first frag, but not last so we start a flowbuffer - fb[${header.call_id}] = std::unique_ptr(new FlowBuffer()); - fb[${header.call_id}]->NewFrame(0, true); - fb[${header.call_id}]->BufferData(frag.begin(), frag.end()); + auto it = fb.emplace(${header.call_id}, + std::unique_ptr(new FlowBuffer())); + auto& flowbuf = it.first->second; + flowbuf->NewFrame(0, true); + flowbuf->BufferData(frag.begin(), frag.end()); if ( fb.size() > BifConst::DCE_RPC::max_cmd_reassembly ) { @@ -210,7 +216,7 @@ flow DCE_RPC_Flow(is_orig: bool) { connection()->bro_analyzer()->SetSkip(true); } - if ( fb[${header.call_id}]->data_length() > (int)BifConst::DCE_RPC::max_frag_data ) + if ( flowbuf->data_length() > (int)BifConst::DCE_RPC::max_frag_data ) { reporter->Weird(connection()->bro_analyzer()->Conn(), "too_much_dce_rpc_fragment_data"); @@ -220,12 +226,13 @@ flow DCE_RPC_Flow(is_orig: bool) { return false; } } - else if ( fb.count(${header.call_id}) > 0 ) + else if ( it != fb.end() ) { // not the first frag, but we have a flow buffer so add to it - fb[${header.call_id}]->BufferData(frag.begin(), frag.end()); + auto& flowbuf = it->second; + flowbuf->BufferData(frag.begin(), frag.end()); - if ( fb[${header.call_id}]->data_length() > (int)BifConst::DCE_RPC::max_frag_data ) + if ( flowbuf->data_length() > (int)BifConst::DCE_RPC::max_frag_data ) { reporter->Weird(connection()->bro_analyzer()->Conn(), "too_much_dce_rpc_fragment_data"); 
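Review bot: In the first-fragment branch the new `auto it = fb.emplace(...)` shadows the iterator declared at the top of `reassemble_fragment`, and the `.second` flag of its result is never checked. `emplace` leaves an existing entry in place, so this only matches the old `fb[call_id] = ...` assignment if the duplicate-first-fragment case has already returned. That return lies outside the hunk and should be confirmed. Giving the result its own name makes the dependency visible: `auto res = fb.emplace(...);` followed by `auto& flowbuf = res.first->second;`.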
@@ -247,12 +254,14 @@ flow DCE_RPC_Flow(is_orig: bool) { function reassembled_body(h: DCE_RPC_Header, body: bytestring): const_bytestring %{ const_bytestring bd = body; + auto it = fb.find(${h.call_id}); - if ( fb.count(${h.call_id}) > 0 ) - { - bd = const_bytestring(fb[${h.call_id}]->begin(), fb[${h.call_id}]->end()); - fb.erase(${h.call_id}); - } + if ( it == fb.end() ) + return bd; + + auto& flowbuf = it->second; + bd = const_bytestring(flowbuf->begin(), flowbuf->end()); + fb.erase(it); return bd; %} diff --git a/src/analyzer/protocol/dce-rpc/types.bif b/src/analyzer/protocol/dce-rpc/types.bif index 251b53f952..abc6b110dc 100644 --- a/src/analyzer/protocol/dce-rpc/types.bif +++ b/src/analyzer/protocol/dce-rpc/types.bif @@ -18,9 +18,11 @@ enum PType %{ BIND_NAK, ALTER_CONTEXT, ALTER_CONTEXT_RESP, + AUTH3, SHUTDOWN, CO_CANCEL, ORPHANED, + RTS, %} enum IfID %{ diff --git a/src/analyzer/protocol/dhcp/CMakeLists.txt b/src/analyzer/protocol/dhcp/CMakeLists.txt index 646a11f9ab..6077adfeb6 100644 --- a/src/analyzer/protocol/dhcp/CMakeLists.txt +++ b/src/analyzer/protocol/dhcp/CMakeLists.txt @@ -6,5 +6,6 @@ include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DI bro_plugin_begin(Bro DHCP) bro_plugin_cc(DHCP.cc Plugin.cc) bro_plugin_bif(events.bif) -bro_plugin_pac(dhcp.pac dhcp-protocol.pac dhcp-analyzer.pac) +bro_plugin_bif(types.bif) +bro_plugin_pac(dhcp.pac dhcp-protocol.pac dhcp-analyzer.pac dhcp-options.pac) bro_plugin_end() diff --git a/src/analyzer/protocol/dhcp/DHCP.cc b/src/analyzer/protocol/dhcp/DHCP.cc index 78b1c6be69..11ecb91107 100644 --- a/src/analyzer/protocol/dhcp/DHCP.cc +++ b/src/analyzer/protocol/dhcp/DHCP.cc @@ -1,6 +1,7 @@ #include "DHCP.h" #include "events.bif.h" +#include "types.bif.h" using namespace analyzer::dhcp; 
@@ -24,5 +25,14 @@ void DHCP_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint64 seq, const IP_Hdr* ip, int caplen) { Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen); - interp->NewData(orig, data, data + len); + + try + { + interp->NewData(orig, data, data + len); + } + catch ( const binpac::Exception& e ) + { + ProtocolViolation(fmt("Binpac exception: %s", e.c_msg())); + } + } diff --git a/src/analyzer/protocol/dhcp/DHCP.h b/src/analyzer/protocol/dhcp/DHCP.h index f8f0449878..462538db45 100644 --- a/src/analyzer/protocol/dhcp/DHCP.h +++ b/src/analyzer/protocol/dhcp/DHCP.h @@ -9,12 +9,12 @@ namespace analyzer { namespace dhcp { class DHCP_Analyzer : public analyzer::Analyzer { public: - DHCP_Analyzer(Connection* conn); - virtual ~DHCP_Analyzer(); + explicit DHCP_Analyzer(Connection* conn); + ~DHCP_Analyzer() override; - virtual void Done(); - virtual void DeliverPacket(int len, const u_char* data, bool orig, - uint64 seq, const IP_Hdr* ip, int caplen); + void Done() override; + void DeliverPacket(int len, const u_char* data, bool orig, + uint64 seq, const IP_Hdr* ip, int caplen) override; static analyzer::Analyzer* Instantiate(Connection* conn) { return new DHCP_Analyzer(conn); } diff --git a/src/analyzer/protocol/dhcp/dhcp-analyzer.pac b/src/analyzer/protocol/dhcp/dhcp-analyzer.pac index a11412ce96..93966fabeb 100644 --- a/src/analyzer/protocol/dhcp/dhcp-analyzer.pac +++ b/src/analyzer/protocol/dhcp/dhcp-analyzer.pac 
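Review bot: The new catch block in `DHCP_Analyzer::DeliverPacket` reports the violation with the message text only, so the datagram that made the parser throw is not attached to the report. The AYIYA change in this same commit passes the payload and its length to `ProtocolViolation`. Doing the same here, `ProtocolViolation(fmt("Binpac exception: %s", e.c_msg()), (const char*) data, len);`, keeps the offending bytes available when the violation is triaged. The blank line left before the closing brace can be dropped.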
@@ -1,227 +1,44 @@ -connection DHCP_Conn(bro_analyzer: BroAnalyzer) { - upflow = DHCP_Flow(true); - downflow = DHCP_Flow(false); -}; - -flow DHCP_Flow(is_orig: bool) { - datagram = DHCP_Message withcontext(connection, this); +refine flow DHCP_Flow += { %member{ - BroVal dhcp_msg_val_; + RecordVal* options; + VectorVal* all_options; %} %init{ - dhcp_msg_val_ = 0; + options = nullptr; + all_options = nullptr; %} %cleanup{ - Unref(dhcp_msg_val_); - dhcp_msg_val_ = 0; + Unref(options); + options = nullptr; + + Unref(all_options); + all_options = nullptr; %} - function get_dhcp_msgtype(options: DHCP_Option[]): uint8 + function init_options(): bool %{ - vector::const_iterator ptr; - uint8 type = 0; - - // Leave the for loop if the message type is found. - bool parsed = false; - - for ( ptr = options->begin(); - ptr != options->end() && ! (*ptr)->last(); ++ptr ) + if ( ! options ) { - // We use a switch for future expandability. - switch ( (*ptr)->code() ) { - case MSG_TYPE_OPTION: - type = (*ptr)->info()->msg_type(); - parsed = true; - break; - } - - if ( parsed ) - break; - } - - if ( type == 0 ) - connection()->bro_analyzer()->ProtocolViolation("no DHCP message type option"); - - return type; - %} - - function parse_request(options: DHCP_Option[], type: uint8): bool - %{ - vector::const_iterator ptr; - - // Requested IP address to the server. - ::uint32 req_addr = 0, serv_addr = 0; - StringVal* host_name = 0; - - for ( ptr = options->begin(); ptr != options->end() && ! 
(*ptr)->last(); ++ptr ) - { - switch ( (*ptr)->code() ) - { - case REQ_IP_OPTION: - req_addr = htonl((*ptr)->info()->req_addr()); - break; - - case SERV_ID_OPTION: - serv_addr = htonl((*ptr)->info()->serv_addr()); - break; - - case HOST_NAME_OPTION: - Unref(host_name); - host_name = new StringVal((*ptr)->info()->host_name().length(), - (const char*) (*ptr)->info()->host_name().begin()); - break; - } - } - - if ( host_name == 0 ) - host_name = new StringVal(""); - - switch ( type ) - { - case DHCPDISCOVER: - BifEvent::generate_dhcp_discover(connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), - dhcp_msg_val_->Ref(), new AddrVal(req_addr), host_name); - break; - - case DHCPREQUEST: - BifEvent::generate_dhcp_request(connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), - dhcp_msg_val_->Ref(), new AddrVal(req_addr), - new AddrVal(serv_addr), host_name); - break; - - case DHCPDECLINE: - BifEvent::generate_dhcp_decline(connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), - dhcp_msg_val_->Ref(), host_name); - break; - - case DHCPRELEASE: - BifEvent::generate_dhcp_release(connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), - dhcp_msg_val_->Ref(), host_name); - break; - - case DHCPINFORM: - BifEvent::generate_dhcp_inform(connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), - dhcp_msg_val_->Ref(), host_name); - break; - - default: - Unref(host_name); - break; + options = new RecordVal(BifType::Record::DHCP::Options); + all_options = new VectorVal(index_vec); + options->Assign(0, all_options->Ref()); } return true; %} - function parse_reply(options: DHCP_Option[], type: uint8): bool + function create_options(code: uint8): bool %{ - vector::const_iterator ptr; + init_options(); - // RFC 1533 allows a list of router addresses. 
- TableVal* router_list = 0; - - ::uint32 subnet_mask = 0, serv_addr = 0; - - uint32 lease = 0; - StringVal* host_name = 0; - - for ( ptr = options->begin(); - ptr != options->end() && ! (*ptr)->last(); ++ptr ) - { - switch ( (*ptr)->code() ) - { - case SUBNET_OPTION: - subnet_mask = htonl((*ptr)->info()->mask()); - break; - - case ROUTER_OPTION: - // Let's hope there aren't multiple - // such options. - Unref(router_list); - router_list = new TableVal(dhcp_router_list); - - { - int num_routers = (*ptr)->info()->router_list()->size(); - - for ( int i = 0; i < num_routers; ++i ) - { - vector* rlist = (*ptr)->info()->router_list(); - - uint32 raddr = (*rlist)[i]; - ::uint32 tmp_addr; - tmp_addr = htonl(raddr); - - // index starting from 1 - Val* index = new Val(i + 1, TYPE_COUNT); - router_list->Assign(index, new AddrVal(tmp_addr)); - Unref(index); - } - } - break; - - case LEASE_OPTION: - lease = (*ptr)->info()->lease(); - break; - - case SERV_ID_OPTION: - serv_addr = htonl((*ptr)->info()->serv_addr()); - break; - - case HOST_NAME_OPTION: - Unref(host_name); - host_name = new StringVal((*ptr)->info()->host_name().length(), - (const char*) (*ptr)->info()->host_name().begin()); - break; - } - } - - if ( host_name == 0 ) - host_name = new StringVal(""); - - switch ( type ) - { - case DHCPOFFER: - if ( ! router_list ) - router_list = new TableVal(dhcp_router_list); - - BifEvent::generate_dhcp_offer(connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), - dhcp_msg_val_->Ref(), new AddrVal(subnet_mask), - router_list, lease, new AddrVal(serv_addr), host_name); - break; - - case DHCPACK: - if ( ! 
router_list ) - router_list = new TableVal(dhcp_router_list); - - BifEvent::generate_dhcp_ack(connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), - dhcp_msg_val_->Ref(), new AddrVal(subnet_mask), - router_list, lease, new AddrVal(serv_addr), host_name); - break; - - case DHCPNAK: - Unref(router_list); - BifEvent::generate_dhcp_nak(connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), - dhcp_msg_val_->Ref(), host_name); - break; - - default: - Unref(router_list); - Unref(host_name); - break; - } + if ( code != 255 ) + all_options->Assign(all_options->Size(), + new Val(code, TYPE_COUNT)); return true; - %} function process_dhcp_message(msg: DHCP_Message): bool 
@@ -235,52 +52,67 @@ flow DHCP_Flow(is_orig: bool) { return false; } - Unref(dhcp_msg_val_); - - std::string mac_str = fmt_mac(${msg.chaddr}.data(), ${msg.chaddr}.length()); - - RecordVal* r = new RecordVal(dhcp_msg); - r->Assign(0, new Val(${msg.op}, TYPE_COUNT)); - r->Assign(1, new Val(${msg.type}, TYPE_COUNT)); - r->Assign(2, new Val(${msg.xid}, TYPE_COUNT)); - r->Assign(3, new StringVal(mac_str)); - r->Assign(4, new AddrVal(${msg.ciaddr})); - r->Assign(5, new AddrVal(${msg.yiaddr})); - - dhcp_msg_val_ = r; - - switch ( ${msg.op} ) + if ( dhcp_message ) { - case BOOTREQUEST: // presumably from client to server - if ( ${msg.type} == DHCPDISCOVER || - ${msg.type} == DHCPREQUEST || - ${msg.type} == DHCPDECLINE || - ${msg.type} == DHCPRELEASE || - ${msg.type} == DHCPINFORM ) - parse_request(${msg.options}, ${msg.type}); - else - connection()->bro_analyzer()->ProtocolViolation(fmt("unknown DHCP message type option for BOOTREQUEST (%d)", - ${msg.type})); - break; + std::string mac_str = fmt_mac(${msg.chaddr}.data(), ${msg.chaddr}.length()); + double secs = static_cast(${msg.secs}); - case BOOTREPLY: // presumably from server to client - if ( ${msg.type} == DHCPOFFER || - ${msg.type} == DHCPACK || - ${msg.type} == DHCPNAK ) - parse_reply(${msg.options}, ${msg.type}); - else - connection()->bro_analyzer()->ProtocolViolation(fmt("unknown DHCP message type option for BOOTREPLY (%d)", - ${msg.type})); + auto dhcp_msg_val = new RecordVal(BifType::Record::DHCP::Msg); + dhcp_msg_val->Assign(0, new Val(${msg.op}, TYPE_COUNT)); + dhcp_msg_val->Assign(1, new Val(${msg.type}, TYPE_COUNT)); + dhcp_msg_val->Assign(2, new Val(${msg.xid}, TYPE_COUNT)); + dhcp_msg_val->Assign(3, new Val(secs, TYPE_INTERVAL)); + dhcp_msg_val->Assign(4, new Val(${msg.flags}, TYPE_COUNT)); + dhcp_msg_val->Assign(5, new AddrVal(htonl(${msg.ciaddr}))); + dhcp_msg_val->Assign(6, new AddrVal(htonl(${msg.yiaddr}))); + dhcp_msg_val->Assign(7, new AddrVal(htonl(${msg.siaddr}))); + dhcp_msg_val->Assign(8, new 
AddrVal(htonl(${msg.giaddr}))); + dhcp_msg_val->Assign(9, new StringVal(mac_str)); - break; + int last_non_null = 0; - default: - connection()->bro_analyzer()->ProtocolViolation(fmt("unknown DHCP message op code (%d). Known codes: 1=BOOTREQUEST, 2=BOOTREPLY", - ${msg.op})); - break; + for ( int i = 0; i < ${msg.sname}.length(); ++i ) + { + if ( *(${msg.sname}.begin() + i) != 0 ) + last_non_null = i; + } + + if ( last_non_null > 0 ) + dhcp_msg_val->Assign(10, new StringVal(last_non_null + 1, + reinterpret_cast(${msg.sname}.begin()))); + + last_non_null = 0; + + for ( int i = 0; i < ${msg.file_n}.length(); ++i ) + { + if ( *(${msg.file_n}.begin() + i) != 0 ) + last_non_null = i; + } + + if ( last_non_null > 0 ) + dhcp_msg_val->Assign(11, new StringVal(last_non_null + 1, + reinterpret_cast(${msg.file_n}.begin()))); + + init_options(); + + BifEvent::generate_dhcp_message(connection()->bro_analyzer(), + connection()->bro_analyzer()->Conn(), + ${msg.is_orig}, + dhcp_msg_val, + options); + + options = nullptr; + Unref(all_options); + all_options = nullptr; } + // A single message reaching this point is enough to confirm the protocol + // because it's not uncommon to see a single DHCP message + // on a "connection". + // The binpac analyzer would have thrown an error before this point + // if there was a problem too (and subsequently called ProtocolViolation). connection()->bro_analyzer()->ProtocolConfirmation(); + return true; %} }; @@ -288,3 +120,8 @@ flow DHCP_Flow(is_orig: bool) { refine typeattr DHCP_Message += &let { proc_dhcp_message = $context.flow.process_dhcp_message(this); }; + +refine typeattr Option += &let { + proc_create_options = $context.flow.create_options(code); +}; + diff --git a/src/analyzer/protocol/dhcp/dhcp-options.pac b/src/analyzer/protocol/dhcp/dhcp-options.pac new file mode 100644 index 0000000000..c154498dbf --- /dev/null +++ b/src/analyzer/protocol/dhcp/dhcp-options.pac 
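Review bot: In `process_dhcp_message` the per-message option state is cleared only inside `if ( dhcp_message )`, while `create_options` appends to `all_options` for every parsed option whether or not a handler exists. With no handler registered, the vector keeps growing for as long as the flow lives. The same state also appears to survive a message whose parse throws before this function runs (the case the new catch in DHCP.cc handles), so options from a malformed datagram could be reported with the next one; this is inferred from the visible code and should be confirmed. Moving `options = nullptr; Unref(all_options); all_options = nullptr;` below the `if` and adding `else Unref(options);` covers the no-handler case. The throw case needs a reset before a new message's options are parsed.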
@@ -0,0 +1,711 @@ +############################## +# SUBNET OPTION +############################## +let SUBNET_OPTION = 1; + +# Parse the option +refine casetype OptionValue += { + SUBNET_OPTION -> subnet : uint32; +}; + +refine flow DHCP_Flow += { + function process_subnet_option(v: OptionValue): bool + %{ + ${context.flow}->options->Assign(1, new AddrVal(htonl(${v.subnet}))); + return true; + %} +}; + +refine typeattr Option += &let { + proc_subnet_option = $context.flow.process_subnet_option(info.value) &if(code==SUBNET_OPTION); +}; + + +############################## +# ROUTER OPTION +############################## +let ROUTER_OPTION = 3; + +# Parse the option +refine casetype OptionValue += { + ROUTER_OPTION -> router_list : uint32[length/4]; +}; + +refine flow DHCP_Flow += { + function process_router_option(v: OptionValue): bool + %{ + VectorVal* router_list = new VectorVal(BifType::Vector::DHCP::Addrs); + int num_routers = ${v.router_list}->size(); + vector* rlist = ${v.router_list}; + + for ( int i = 0; i < num_routers; ++i ) + { + uint32 raddr = (*rlist)[i]; + router_list->Assign(i, new AddrVal(htonl(raddr))); + } + + ${context.flow}->options->Assign(2, router_list); + + return true; + %} +}; + +refine typeattr Option += &let { + proc_router_option = $context.flow.process_router_option(info.value) &if(code==ROUTER_OPTION); +}; + + +############################## +# DNS SERVER OPTION +############################## +let DNS_SERVER_OPTION = 6; + +# Parse the option +refine casetype OptionValue += { + DNS_SERVER_OPTION -> dns_server_list : uint32[length/4]; +}; + +refine flow DHCP_Flow += { + function process_dns_server_option(v: OptionValue): bool + %{ + VectorVal* server_list = new VectorVal(BifType::Vector::DHCP::Addrs); + int num_servers = ${v.dns_server_list}->size(); + vector* rlist = ${v.dns_server_list}; + + for ( int i = 0; i < num_servers; ++i ) + { + uint32 raddr = (*rlist)[i]; + server_list->Assign(i, new AddrVal(htonl(raddr))); + } + + 
${context.flow}->options->Assign(3, server_list); + return true; + %} +}; + +refine typeattr Option += &let { + proc_dns_server_option = $context.flow.process_dns_server_option(info.value) &if(code==DNS_SERVER_OPTION); +}; + + +############################## +# HOST NAME OPTION +############################## +let HOST_NAME_OPTION = 12; + +# Parse the option +refine casetype OptionValue += { + HOST_NAME_OPTION -> host_name : bytestring &length=length; +}; + +refine flow DHCP_Flow += { + function process_host_name_option(v: OptionValue): bool + %{ + ${context.flow}->options->Assign(4, new StringVal(${v.host_name}.length(), + reinterpret_cast(${v.host_name}.begin()))); + + return true; + %} +}; + +refine typeattr Option += &let { + proc_host_name_option = $context.flow.process_host_name_option(info.value) &if(code==HOST_NAME_OPTION); +}; + + +############################## +# DOMAIN NAME OPTION +############################## +let DOMAIN_NAME_OPTION = 15; + +# Parse the option +refine casetype OptionValue += { + DOMAIN_NAME_OPTION -> domain_name : bytestring &length=length; +}; + +refine flow DHCP_Flow += { + function process_domain_name_option(v: OptionValue): bool + %{ + int last_non_null = 0; + + for ( int i = 0; i < ${v.domain_name}.length(); ++i ) + { + if ( *(${v.domain_name}.begin() + i ) != 0 ) + last_non_null = i; + } + + ${context.flow}->options->Assign(5, new StringVal(last_non_null == 0 ? 
0 : last_non_null + 1, + reinterpret_cast(${v.domain_name}.begin()))); + + return true; + %} +}; + +refine typeattr Option += &let { + proc_domain_name_option = $context.flow.process_domain_name_option(info.value) &if(code==DOMAIN_NAME_OPTION); +}; + + +############################## +# FORWARDING OPTION +############################## +let FORWARDING_OPTION = 19; + +# Parse the option +refine casetype OptionValue += { + FORWARDING_OPTION -> forwarding : uint8; +}; + +refine flow DHCP_Flow += { + function process_forwarding_option(v: OptionValue): bool + %{ + ${context.flow}->options->Assign(6, new Val(${v.forwarding} == 0 ? false : true, TYPE_BOOL)); + + return true; + %} +}; + +refine typeattr Option += &let { + proc_forwarding_option = $context.flow.process_forwarding_option(info.value) &if(code==FORWARDING_OPTION); +}; + + +############################## +# BROADCAST ADDRESS OPTION +############################## +let BROADCAST_ADDRESS_OPTION = 28; + +# Parse the option +refine casetype OptionValue += { + BROADCAST_ADDRESS_OPTION -> broadcast_address : uint32; +}; + +refine flow DHCP_Flow += { + function process_broadcast_address_option(v: OptionValue): bool + %{ + ${context.flow}->options->Assign(7, new AddrVal(htonl(${v.broadcast_address}))); + + return true; + %} +}; + +refine typeattr Option += &let { + proc_broadcast_address_option = $context.flow.process_broadcast_address_option(info.value) &if(code==BROADCAST_ADDRESS_OPTION); +}; + + +############################## +# VENDOR SPECIFIC OPTION +############################## +let VENDOR_SPECIFIC_OPTION = 43; + +# Parse the option +refine casetype OptionValue += { + VENDOR_SPECIFIC_OPTION -> vendor_specific : bytestring &length=length; +}; + +refine flow DHCP_Flow += { + function process_vendor_specific_option(v: OptionValue): bool + %{ + ${context.flow}->options->Assign(8, new StringVal(${v.vendor_specific}.length(), + reinterpret_cast(${v.vendor_specific}.begin()))); + + return true; + %} +}; + +refine 
typeattr Option += &let { + proc_vendor_specific_option = $context.flow.process_vendor_specific_option(info.value) &if(code==VENDOR_SPECIFIC_OPTION); +}; + + +############################## +# NETBIOS NAME SERVER OPTION +############################## +let NBNS_OPTION = 44; + +# Parse the option +refine casetype OptionValue += { + NBNS_OPTION -> nbns : uint32[length/4]; +}; + +refine flow DHCP_Flow += { + function process_nbns_option(v: OptionValue): bool + %{ + VectorVal* server_list = new VectorVal(BifType::Vector::DHCP::Addrs); + int num_servers = ${v.nbns}->size(); + vector* rlist = ${v.nbns}; + + for ( int i = 0; i < num_servers; ++i ) + { + uint32 raddr = (*rlist)[i]; + server_list->Assign(i, new AddrVal(htonl(raddr))); + } + + ${context.flow}->options->Assign(9, server_list); + return true; + %} +}; + +refine typeattr Option += &let { + proc_nbns_option = $context.flow.process_nbns_option(info.value) &if(code==NBNS_OPTION); +}; + + +############################## +# ADDR REQUEST OPTION +############################## +let ADDR_REQUEST_OPTION = 50; + +# Parse the option +refine casetype OptionValue += { + ADDR_REQUEST_OPTION -> addr_request : uint32; +}; + +refine flow DHCP_Flow += { + function process_addr_request_option(v: OptionValue): bool + %{ + ${context.flow}->options->Assign(10, new AddrVal(htonl(${v.addr_request}))); + + return true; + %} +}; + +refine typeattr Option += &let { + proc_addr_request_option = $context.flow.process_addr_request_option(info.value) &if(code==ADDR_REQUEST_OPTION); +}; + + +############################## +# LEASE_OPTION OPTION +############################## +let LEASE_OPTION = 51; + +# Parse the option +refine casetype OptionValue += { + LEASE_OPTION -> lease : uint32; +}; + +refine flow DHCP_Flow += { + function process_lease_option(v: OptionValue): bool + %{ + double lease = static_cast(${v.lease}); + ${context.flow}->options->Assign(11, new Val(lease, TYPE_INTERVAL)); + + return true; + %} +}; + +refine typeattr Option 
+= &let { + proc_lease_option = $context.flow.process_lease_option(info.value) &if(code==LEASE_OPTION); +}; + + +############################## +# SERV_ID_OPTION OPTION +############################## +let SERV_ID_OPTION = 54; + +# Parse the option +refine casetype OptionValue += { + SERV_ID_OPTION -> serv_addr : uint32; +}; + +refine flow DHCP_Flow += { + function process_serv_id_option(v: OptionValue): bool + %{ + ${context.flow}->options->Assign(12, new AddrVal(htonl(${v.serv_addr}))); + + return true; + %} +}; + +refine typeattr Option += &let { + proc_serv_id_option = $context.flow.process_serv_id_option(info.value) &if(code==SERV_ID_OPTION); +}; + + +############################## +# PAR_REQ_LIST OPTION +############################## +let PAR_REQ_LIST_OPTION = 55; + +# Parse the option +refine casetype OptionValue += { + PAR_REQ_LIST_OPTION -> par_req_list : uint8[length]; +}; + +refine flow DHCP_Flow += { + function process_par_req_list_option(v: OptionValue): bool + %{ + VectorVal* params = new VectorVal(index_vec); + int num_parms = ${v.par_req_list}->size(); + vector* plist = ${v.par_req_list}; + + for ( int i = 0; i < num_parms; ++i ) + { + uint8 param = (*plist)[i]; + params->Assign(i, new Val(param, TYPE_COUNT)); + } + + ${context.flow}->options->Assign(13, params); + + return true; + %} +}; + +refine typeattr Option += &let { + proc_par_req_list_option = $context.flow.process_par_req_list_option(info.value) &if(code==PAR_REQ_LIST_OPTION); +}; + + +############################## +# MESSAGE OPTION +############################## +let MESSAGE_OPTION = 56; + +# Parse the option +refine casetype OptionValue += { + MESSAGE_OPTION -> message : bytestring &length=length; +}; + +refine flow DHCP_Flow += { + function process_message_option(v: OptionValue): bool + %{ + ${context.flow}->options->Assign(14, new StringVal(${v.message}.length(), + reinterpret_cast(${v.message}.begin()))); + + return true; + %} +}; + +refine typeattr Option += &let { + 
proc_message_option = $context.flow.process_message_option(info.value) &if(code==MESSAGE_OPTION); +}; + + +############################## +# MAX MESSAGE SIZE OPTION +############################## +let MAX_MESSAGE_SIZE_OPTION = 57; + +# Parse the option +refine casetype OptionValue += { + MAX_MESSAGE_SIZE_OPTION -> max_msg_size : uint16; +}; + +refine flow DHCP_Flow += { + function process_max_message_size_option(v: OptionValue): bool + %{ + ${context.flow}->options->Assign(15, new Val(${v.max_msg_size}, TYPE_COUNT)); + + return true; + %} +}; + +refine typeattr Option += &let { + proc_max_message_size_option = $context.flow.process_max_message_size_option(info.value) &if(code==MAX_MESSAGE_SIZE_OPTION); +}; + + +############################## +# RENEWAL_TIME_OPTION OPTION +############################## +let RENEWAL_TIME_OPTION = 58; + +# Parse the option +refine casetype OptionValue += { + RENEWAL_TIME_OPTION -> renewal_time : uint32; +}; + +refine flow DHCP_Flow += { + function process_renewal_time_option(v: OptionValue): bool + %{ + double renewal_time = static_cast(${v.renewal_time}); + ${context.flow}->options->Assign(16, new Val(renewal_time, TYPE_INTERVAL)); + + return true; + %} +}; + +refine typeattr Option += &let { + proc_renewal_time_option = $context.flow.process_renewal_time_option(info.value) &if(code==RENEWAL_TIME_OPTION); +}; + + +############################## +# REBINDING_TIME_OPTION OPTION +############################## +let REBINDING_TIME_OPTION = 59; + +# Parse the option +refine casetype OptionValue += { + REBINDING_TIME_OPTION -> rebinding_time : uint32; +}; + +refine flow DHCP_Flow += { + function process_rebinding_time_option(v: OptionValue): bool + %{ + double rebinding_time = static_cast(${v.rebinding_time}); + ${context.flow}->options->Assign(17, new Val(rebinding_time, TYPE_INTERVAL)); + + return true; + %} +}; + +refine typeattr Option += &let { + proc_rebinding_time_option = $context.flow.process_rebinding_time_option(info.value) 
&if(code==REBINDING_TIME_OPTION); +}; + + +############################## +# VENDOR CLASS OPTION +############################## +let VENDOR_CLASS_OPTION = 60; + +# Parse the option +refine casetype OptionValue += { + VENDOR_CLASS_OPTION -> vendor_class : bytestring &length=length; +}; + +refine flow DHCP_Flow += { + function process_vendor_class_option(v: OptionValue): bool + %{ + ${context.flow}->options->Assign(18, new StringVal(${v.vendor_class}.length(), + reinterpret_cast(${v.vendor_class}.begin()))); + + return true; + %} +}; + +refine typeattr Option += &let { + proc_vendor_class_option = $context.flow.process_vendor_class_option(info.value) &if(code==VENDOR_CLASS_OPTION); +}; + + +############################## +# CLIENT_ID_OPTION OPTION +############################## +let CLIENT_ID_OPTION = 61; + +type Client_Identifier(length: uint8) = record { + hwtype : uint8; + hwaddr : bytestring &length = length - 1; +}; + +# Parse the option +refine casetype OptionValue += { + CLIENT_ID_OPTION -> client_id : Client_Identifier(length); +}; + +refine flow DHCP_Flow += { + function process_client_id_option(v: OptionValue): bool + %{ + RecordVal* client_id = new RecordVal(BifType::Record::DHCP::ClientID); + client_id->Assign(0, new Val(${v.client_id.hwtype}, TYPE_COUNT)); + client_id->Assign(1, new StringVal(fmt_mac(${v.client_id.hwaddr}.begin(), ${v.client_id.hwaddr}.length()))); + + ${context.flow}->options->Assign(19, client_id); + + return true; + %} +}; + +refine typeattr Option += &let { + proc_client_id_option = $context.flow.process_client_id_option(info.value) &if(code==CLIENT_ID_OPTION); +}; + + +############################## +# USER CLASS OPTION +############################## +let USER_CLASS_OPTION = 77; + +# Parse the option +refine casetype OptionValue += { + USER_CLASS_OPTION -> user_class : bytestring &length=length; +}; + +refine flow DHCP_Flow += { + function process_user_class_option(v: OptionValue): bool + %{ + ${context.flow}->options->Assign(20, 
new StringVal(${v.user_class}.length(), + reinterpret_cast(${v.user_class}.begin()))); + + return true; + %} +}; + +refine typeattr Option += &let { + proc_user_class_option = $context.flow.process_user_class_option(info.value) &if(code==USER_CLASS_OPTION); +}; + + +############################## +# CLIENT FQDN OPTION +############################## +let CLIENT_FQDN_OPTION = 81; + +type Client_FQDN(length: uint8) = record { + flags : uint8; + rcode1 : uint8; + rcode2 : uint8; + domain_name : bytestring &length=length-3; +}; + +# Parse the option +refine casetype OptionValue += { + CLIENT_FQDN_OPTION -> client_fqdn : Client_FQDN(length); +}; + +refine flow DHCP_Flow += { + function process_client_fqdn_option(v: OptionValue): bool + %{ + RecordVal* client_fqdn = new RecordVal(BifType::Record::DHCP::ClientFQDN); + client_fqdn->Assign(0, new Val(${v.client_fqdn.flags}, TYPE_COUNT)); + client_fqdn->Assign(1, new Val(${v.client_fqdn.rcode1}, TYPE_COUNT)); + client_fqdn->Assign(2, new Val(${v.client_fqdn.rcode2}, TYPE_COUNT)); + const char* domain_name = reinterpret_cast(${v.client_fqdn.domain_name}.begin()); + client_fqdn->Assign(3, new StringVal(${v.client_fqdn.domain_name}.length(), domain_name)); + + ${context.flow}->options->Assign(21, client_fqdn); + + return true; + %} +}; + +refine typeattr Option += &let { + proc_client_fqdn_option = $context.flow.process_client_fqdn_option(info.value) &if(code==CLIENT_FQDN_OPTION); +}; + + +############################## +# RELAY_AGENT_INF OPTION +############################## +let RELAY_AGENT_INF_OPTION = 82; + +type Relay_Agent_SubOption(tot_len: uint8) = record { + code : uint8; + length : uint8; + value : bytestring &length = length; +} &let { + sum_len: uint8 = $context.flow.get_dhcp_sumlen(length + 2); + last: bool = (sum_len == tot_len); +}; + +# Parse the option +refine casetype OptionValue += { + RELAY_AGENT_INF_OPTION -> relay_agent_inf : Relay_Agent_SubOption(length)[] &until($element.last); +}; + +refine flow 
DHCP_Flow += { + %member{ + uint8 sum_len; + %} + + %init{ + sum_len = 0; + %} + + %cleanup{ + sum_len = 0; + %} + + function get_dhcp_sumlen(len: uint8): uint8 + %{ + sum_len = len + sum_len; + return sum_len; + %} + + function process_relay_agent_inf_option(v: OptionValue): bool + %{ + VectorVal* relay_agent_sub_opt = new VectorVal(BifType::Vector::DHCP::SubOpts); + + uint16 i = 0; + + for ( auto ptrsubopt = ${v.relay_agent_inf}->begin(); + ptrsubopt != ${v.relay_agent_inf}->end(); ++ptrsubopt ) + { + auto r = new RecordVal(BifType::Record::DHCP::SubOpt); + r->Assign(0, new Val((*ptrsubopt)->code(), TYPE_COUNT)); + r->Assign(1, bytestring_to_val((*ptrsubopt)->value())); + + relay_agent_sub_opt->Assign(i, r); + ++i; + } + + ${context.flow}->options->Assign(22, relay_agent_sub_opt); + return true; + %} +}; + +refine typeattr Option += &let { + proc_relay_agent_info_option = $context.flow.process_relay_agent_inf_option(info.value) &if(code==RELAY_AGENT_INF_OPTION); +}; + + +############################## +# AUTO_CONFIG OPTION +############################## +let AUTO_CONFIG_OPTION = 116; + +# Parse the option +refine casetype OptionValue += { + AUTO_CONFIG_OPTION -> auto_config : uint8; +}; + +refine flow DHCP_Flow += { + function process_auto_config_option(v: OptionValue): bool + %{ + ${context.flow}->options->Assign(23, new Val(${v.auto_config} == 0 ? 
false : true, TYPE_BOOL)); + + return true; + %} +}; + +refine typeattr Option += &let { + proc_auto_config_option = $context.flow.process_auto_config_option(info.value) &if(code==AUTO_CONFIG_OPTION); +}; + + +############################## +# AUTO PROXY CONFIG OPTION +############################## +let AUTO_PROXY_CONFIG_OPTION = 252; + +# Parse the option +refine casetype OptionValue += { + AUTO_PROXY_CONFIG_OPTION -> auto_proxy_config : bytestring &length=length; +}; + +refine flow DHCP_Flow += { + function process_auto_proxy_config_option(v: OptionValue): bool + %{ + int string_len = ${v.auto_proxy_config}.length(); + + if ( string_len == 0 ) + { + ${context.flow}->options->Assign(24, new StringVal(0, "")); + return true; + } + + + const char* last_char = reinterpret_cast(${v.auto_proxy_config}.begin() + string_len - 1); + + bool has_newline = *last_char == '\x0a'; + + if ( has_newline ) + --string_len; + + ${context.flow}->options->Assign(24, new StringVal(string_len, + reinterpret_cast(${v.auto_proxy_config}.begin()))); + + return true; + %} +}; + +refine typeattr Option += &let { + proc_auto_proxy_config_option = $context.flow.process_auto_proxy_config_option(info.value) &if(code==AUTO_PROXY_CONFIG_OPTION); +}; + + diff --git a/src/analyzer/protocol/dhcp/dhcp-protocol.pac b/src/analyzer/protocol/dhcp/dhcp-protocol.pac index cf8cf69b26..af48a416c4 100644 --- a/src/analyzer/protocol/dhcp/dhcp-protocol.pac +++ b/src/analyzer/protocol/dhcp/dhcp-protocol.pac 
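Review bot: Relay-agent sub-option parsing (option 82 in dhcp-options.pac) stops only when the flow-level `sum_len` counter equals `tot_len`, and that counter is reset only in `%init` and `%cleanup`; nothing in the hunk resets it when an option 82 has been consumed. The sub-option lengths come from the packet, so a list whose lengths overshoot the option length never satisfies `sum_len == tot_len`, and the `&until($element.last)` array keeps consuming bytes that belong to later options until input runs out; the `uint8` sum can also wrap, and a later option 82 on the same flow would start from a stale total unless `%cleanup` runs per datagram. Bounding the array by the enclosing option, `relay_agent_inf : Relay_Agent_SubOption(length)[] &length=length;`, would remove the shared counter altogether. The same kind of packet-controlled arithmetic appears in `hwaddr : bytestring &length = length - 1` (Client_Identifier) and `&length=length-3` (Client_FQDN), where a short option makes the expression negative; whether binpac rejects that is not visible here, so an explicit minimum-length guard is worth adding.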
@@ -3,116 +3,73 @@ # Refer to RFC 2131 for op types. enum OP_type { BOOTREQUEST = 1, - BOOTREPLY = 2, + BOOTREPLY = 2 }; -# Refer to RFC 1533 for option types. -# The option types are by no means complete. -# Anyone can add a new option type in RFC 1533 to be parsed here. -enum OPTION_type { - SUBNET_OPTION = 1, - ROUTER_OPTION = 3, - HOST_NAME_OPTION = 12, - REQ_IP_OPTION = 50, - LEASE_OPTION = 51, - MSG_TYPE_OPTION = 53, - SERV_ID_OPTION = 54, # Server address, actually :) - END_OPTION = 255, +let MSG_TYPE_OPTION = 53; + +type OptionValue(code: uint8, length: uint8) = case code of { + # This is extended in dhcp-options.pac + MSG_TYPE_OPTION -> msg_type : uint8; + default -> other : bytestring &length = length; }; -# Refer to RFC 1533 for message types (with option = 53). -enum DHCP_message_type { - DHCPDISCOVER = 1, - DHCPOFFER = 2, - DHCPREQUEST = 3, - DHCPDECLINE = 4, - DHCPACK = 5, - DHCPNAK = 6, - DHCPRELEASE = 7, - DHCPINFORM = 8, +type OptionValueWrapper(code: uint8) = record { + length : uint8; + value : OptionValue(code, length); }; -type Option_Info(code: uint8) = record { - length : uint8; - value : case code of { - SUBNET_OPTION -> mask : uint32; - ROUTER_OPTION -> router_list : uint32[length/4]; - REQ_IP_OPTION -> req_addr : uint32; - LEASE_OPTION -> lease : uint32; - MSG_TYPE_OPTION -> msg_type : uint8; - SERV_ID_OPTION -> serv_addr : uint32; - HOST_NAME_OPTION-> host_name : bytestring &length = length; - default -> other : bytestring &length = length; - }; -}; - -type DHCP_Option = record { - code : uint8; - data : case code of { - 0, 255 -> none : empty; - default -> info : Option_Info(code); +type Option = record { + code : uint8; + data : case code of { + 0, 255 -> none : empty; + default -> info : OptionValueWrapper(code); }; } &let { - last: bool = (code == 255); # Mark the end of a list of options + last = (code == 255); # Mark the end of a list of options }; -# Message format according to RFC 2131 -# -# 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 
3 3 -# 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 -# +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ -# | op (1) | htype (1) | hlen (1) | hops (1) | -# +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ -# | xid (4) | -# +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ -# | secs (2) | flags (2) | -# +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ -# | ciaddr (4) | -# +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ -# | yiaddr (4) | -# +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ -# | siaddr (4) | -# +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ -# | giaddr (4) | -# +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ -# | | -# | chaddr (16) | -# / / -# +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ -# | | -# | sname (64) | -# / / -# +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ -# | | -# | file (128) | -# / / -# +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ -# | | -# | options (variable) | -# / / -# +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - -type DHCP_Message = record { - op : uint8; - htype : uint8; - hlen : uint8; - hops : uint8; - xid : uint32; - secs : uint16; - flags : uint16; - ciaddr : uint32; - yiaddr : uint32; - siaddr : uint32; - giaddr : uint32; +type DHCP_Message(is_orig: bool) = record { + op : uint8; + htype : uint8; + hlen : uint8; + hops : uint8; + xid : uint32; + secs : uint16; + flags : uint16; + ciaddr : uint32; + yiaddr : uint32; + siaddr : uint32; + giaddr : uint32; chaddr : bytestring &length = 16; - sname : bytestring &length = 64; - file : bytestring &length = 128; - + sname : bytestring &length = 64; + file_n : bytestring &length = 128; # Cookie belongs to options in RFC 2131, but we separate # them here for easy parsing. 
cookie : uint32; - - options : DHCP_Option[] &until($element.last); + options : Option[] &until($element.last); } &let { - type : uint8 = $context.flow.get_dhcp_msgtype(options); + type = $context.flow.get_dhcp_msgtype(options); } &byteorder = bigendian; + +refine flow DHCP_Flow += { + function get_dhcp_msgtype(options: Option[]): uint8 + %{ + uint8 type = 0; + for ( auto ptr = options->begin(); + ptr != options->end() && ! (*ptr)->last(); ++ptr ) + { + if ( (*ptr)->code() == MSG_TYPE_OPTION ) + { + type = (*ptr)->info()->value()->msg_type(); + break; + } + } + + if ( type == 0 ) + connection()->bro_analyzer()->ProtocolViolation("no DHCP message type option"); + + return type; + %} +}; + diff --git a/src/analyzer/protocol/dhcp/dhcp.pac b/src/analyzer/protocol/dhcp/dhcp.pac index 706be31e10..ac88726b3c 100644 --- a/src/analyzer/protocol/dhcp/dhcp.pac +++ b/src/analyzer/protocol/dhcp/dhcp.pac @@ -2,6 +2,7 @@ %include bro.pac %extern{ +#include "types.bif.h" #include "events.bif.h" %} @@ -10,5 +11,15 @@ analyzer DHCP withcontext { flow: DHCP_Flow; }; +connection DHCP_Conn(bro_analyzer: BroAnalyzer) { + upflow = DHCP_Flow(true); + downflow = DHCP_Flow(false); +}; + +flow DHCP_Flow(is_orig: bool) { + datagram = DHCP_Message(is_orig) withcontext(connection, this); +}; + %include dhcp-protocol.pac %include dhcp-analyzer.pac +%include dhcp-options.pac diff --git a/src/analyzer/protocol/dhcp/events.bif b/src/analyzer/protocol/dhcp/events.bif index bbd27c71f7..1d2065d75e 100644 --- a/src/analyzer/protocol/dhcp/events.bif +++ b/src/analyzer/protocol/dhcp/events.bif 
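Review bot: In `OptionValueWrapper` (dhcp-protocol.pac) the number of bytes consumed for `value` is decided by the case arm, not by the `length` byte read just before it. `MSG_TYPE_OPTION -> msg_type : uint8` and the fixed-width arms added in dhcp-options.pac (`uint32`, `uint16`, `uint8`) take their own width whatever `length` declares. A packet that declares a different length for such an option leaves this parser at a different offset than an endpoint that skips by length, so later options can be misread or missing from the resulting record. Constraining the field to the declared size, `value : OptionValue(code, length) &length = length;`, would keep option boundaries aligned with the wire format, provided binpac accepts `&length` on a case-typed field.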
@@ -1,164 +1,12 @@ -## Generated for DHCP messages of type *DHCPDISCOVER* (client broadcast to locate -## available servers). +## Generated for all DHCP messages. ## ## c: The connection record describing the underlying UDP flow. ## -## msg: The parsed type-independent part of the DHCP message. +## is_orig: Indicate if the message came in a packet from the +## originator/client of the udp flow or the responder/server. ## -## req_addr: The specific address requested by the client. +## msg: The parsed type-independent part of the DHCP message. The message +## type is indicated in this record. ## -## host_name: The value of the host name option, if specified by the client. -## -## .. bro:see:: dhcp_discover dhcp_offer dhcp_request dhcp_decline dhcp_ack dhcp_nak -## dhcp_release dhcp_inform -## -## .. note:: Bro does not support broadcast packets (as used by the DHCP -## protocol). It treats broadcast addresses just like any other and -## associates packets into transport-level flows in the same way as usual. -## -event dhcp_discover%(c: connection, msg: dhcp_msg, req_addr: addr, host_name: string%); - -## Generated for DHCP messages of type *DHCPOFFER* (server to client in response -## to DHCPDISCOVER with offer of configuration parameters). -## -## c: The connection record describing the underlying UDP flow. -## -## msg: The parsed type-independent part of the DHCP message. -## -## mask: The subnet mask specified by the message. -## -## router: The list of routers specified by the message. -## -## lease: The least interval specified by the message. -## -## serv_addr: The server address specified by the message. -## -## host_name: Optional host name value. May differ from the host name requested -## from the client. -## -## .. bro:see:: dhcp_discover dhcp_request dhcp_decline dhcp_ack dhcp_nak -## dhcp_release dhcp_inform -## -## .. note:: Bro does not support broadcast packets (as used by the DHCP -## protocol). 
It treats broadcast addresses just like any other and -## associates packets into transport-level flows in the same way as usual. -## -event dhcp_offer%(c: connection, msg: dhcp_msg, mask: addr, router: dhcp_router_list, lease: interval, serv_addr: addr, host_name: string%); - -## Generated for DHCP messages of type *DHCPREQUEST* (Client message to servers either -## (a) requesting offered parameters from one server and implicitly declining offers -## from all others, (b) confirming correctness of previously allocated address after, -## e.g., system reboot, or (c) extending the lease on a particular network address.) -## -## c: The connection record describing the underlying UDP flow. -## -## msg: The parsed type-independent part of the DHCP message. -## -## req_addr: The client address specified by the message. -## -## serv_addr: The server address specified by the message. -## -## host_name: The value of the host name option, if specified by the client. -## -## .. bro:see:: dhcp_discover dhcp_offer dhcp_decline dhcp_ack dhcp_nak -## dhcp_release dhcp_inform -## -## .. note:: Bro does not support broadcast packets (as used by the DHCP -## protocol). It treats broadcast addresses just like any other and -## associates packets into transport-level flows in the same way as usual. -## -event dhcp_request%(c: connection, msg: dhcp_msg, req_addr: addr, serv_addr: addr, host_name: string%); - -## Generated for DHCP messages of type *DHCPDECLINE* (Client to server indicating -## network address is already in use). -## -## c: The connection record describing the underlying UDP flow. -## -## msg: The parsed type-independent part of the DHCP message. -## -## host_name: Optional host name value. -## -## .. bro:see:: dhcp_discover dhcp_offer dhcp_request dhcp_ack dhcp_nak -## dhcp_release dhcp_inform -## -## .. note:: Bro does not support broadcast packets (as used by the DHCP -## protocol). 
It treats broadcast addresses just like any other and -## associates packets into transport-level flows in the same way as usual. -## -event dhcp_decline%(c: connection, msg: dhcp_msg, host_name: string%); - -## Generated for DHCP messages of type *DHCPACK* (Server to client with configuration -## parameters, including committed network address). -## -## c: The connection record describing the underlying UDP flow. -## -## msg: The parsed type-independent part of the DHCP message. -## -## mask: The subnet mask specified by the message. -## -## router: The list of routers specified by the message. -## -## lease: The least interval specified by the message. -## -## serv_addr: The server address specified by the message. -## -## host_name: Optional host name value. May differ from the host name requested -## from the client. -## -## .. bro:see:: dhcp_discover dhcp_offer dhcp_request dhcp_decline dhcp_nak -## dhcp_release dhcp_inform -## -event dhcp_ack%(c: connection, msg: dhcp_msg, mask: addr, router: dhcp_router_list, lease: interval, serv_addr: addr, host_name: string%); - -## Generated for DHCP messages of type *DHCPNAK* (Server to client indicating client's -## notion of network address is incorrect (e.g., client has moved to new subnet) or -## client's lease has expired). -## -## c: The connection record describing the underlying UDP flow. -## -## msg: The parsed type-independent part of the DHCP message. -## -## host_name: Optional host name value. -## -## .. bro:see:: dhcp_discover dhcp_offer dhcp_request dhcp_decline dhcp_ack dhcp_release -## dhcp_inform -## -## .. note:: Bro does not support broadcast packets (as used by the DHCP -## protocol). It treats broadcast addresses just like any other and -## associates packets into transport-level flows in the same way as usual. 
-## -event dhcp_nak%(c: connection, msg: dhcp_msg, host_name: string%); - -## Generated for DHCP messages of type *DHCPRELEASE* (Client to server relinquishing -## network address and cancelling remaining lease). -## -## c: The connection record describing the underlying UDP flow. -## -## msg: The parsed type-independent part of the DHCP message. -## -## host_name: The value of the host name option, if specified by the client. -## -## .. bro:see:: dhcp_discover dhcp_offer dhcp_request dhcp_decline dhcp_ack dhcp_nak -## dhcp_inform -## -event dhcp_release%(c: connection, msg: dhcp_msg, host_name: string%); - -## Generated for DHCP messages of type *DHCPINFORM* (Client to server, asking only for -## local configuration parameters; client already has externally configured network -## address). -## -## c: The connection record describing the underlying UDP flow. -## -## msg: The parsed type-independent part of the DHCP message. -## -## host_name: The value of the host name option, if specified by the client. -## -## .. bro:see:: dhcp_discover dhcp_offer dhcp_request dhcp_decline dhcp_ack dhcp_nak -## dhcp_release -## -## .. note:: Bro does not support broadcast packets (as used by the DHCP -## protocol). It treats broadcast addresses just like any other and -## associates packets into transport-level flows in the same way as usual. -## -event dhcp_inform%(c: connection, msg: dhcp_msg, host_name: string%); - +## options: The full set of supported and parsed DHCP options. +event dhcp_message%(c: connection, is_orig: bool, msg: DHCP::Msg, options: DHCP::Options%); diff --git a/src/analyzer/protocol/dhcp/types.bif b/src/analyzer/protocol/dhcp/types.bif new file mode 100644 index 0000000000..d0062e312c --- /dev/null +++ b/src/analyzer/protocol/dhcp/types.bif @@ -0,0 +1,9 @@ +module DHCP; + +type Msg: record; +type Addrs: vector; +type SubOpt: record; +type SubOpts: vector; +type ClientFQDN: record; +type ClientID: record; +type Options: record; 
diff --git a/src/analyzer/protocol/dnp3/DNP3.h b/src/analyzer/protocol/dnp3/DNP3.h index aa4ef78479..4eaec3a214 100644 --- a/src/analyzer/protocol/dnp3/DNP3.h +++ b/src/analyzer/protocol/dnp3/DNP3.h @@ -11,7 +11,7 @@ namespace analyzer { namespace dnp3 { class DNP3_Base { public: - DNP3_Base(analyzer::Analyzer* analyzer); + explicit DNP3_Base(analyzer::Analyzer* analyzer); virtual ~DNP3_Base(); binpac::DNP3::DNP3_Conn* Interpreter() { return interp; } @@ -64,13 +64,13 @@ protected: class DNP3_TCP_Analyzer : public DNP3_Base, public tcp::TCP_ApplicationAnalyzer { public: - DNP3_TCP_Analyzer(Connection* conn); - virtual ~DNP3_TCP_Analyzer(); + explicit DNP3_TCP_Analyzer(Connection* conn); + ~DNP3_TCP_Analyzer() override; - virtual void Done(); - virtual void DeliverStream(int len, const u_char* data, bool orig); - virtual void Undelivered(uint64 seq, int len, bool orig); - virtual void EndpointEOF(bool is_orig); + void Done() override; + void DeliverStream(int len, const u_char* data, bool orig) override; + void Undelivered(uint64 seq, int len, bool orig) override; + void EndpointEOF(bool is_orig) override; static Analyzer* Instantiate(Connection* conn) { return new DNP3_TCP_Analyzer(conn); } @@ -78,11 +78,11 @@ public: class DNP3_UDP_Analyzer : public DNP3_Base, public analyzer::Analyzer { public: - DNP3_UDP_Analyzer(Connection* conn); - virtual ~DNP3_UDP_Analyzer(); + explicit DNP3_UDP_Analyzer(Connection* conn); + ~DNP3_UDP_Analyzer() override; - virtual void DeliverPacket(int len, const u_char* data, bool orig, - uint64 seq, const IP_Hdr* ip, int caplen); + void DeliverPacket(int len, const u_char* data, bool orig, + uint64 seq, const IP_Hdr* ip, int caplen) override; static analyzer::Analyzer* Instantiate(Connection* conn) { return new DNP3_UDP_Analyzer(conn); } diff --git a/src/analyzer/protocol/dnp3/dnp3-analyzer.pac b/src/analyzer/protocol/dnp3/dnp3-analyzer.pac index 393ab82079..3edd839733 100644 --- a/src/analyzer/protocol/dnp3/dnp3-analyzer.pac 
+++ b/src/analyzer/protocol/dnp3/dnp3-analyzer.pac @@ -25,14 +25,14 @@ connection DNP3_Conn(bro_analyzer: BroAnalyzer) { flow DNP3_Flow(is_orig: bool) { flowunit = DNP3_PDU(is_orig) withcontext (connection, this); - function get_dnp3_header_block(start: uint16, len: uint16, ctrl: uint8, dest_addr: uint16, src_addr: uint16): bool + function get_dnp3_header_block(len: uint16, ctrl: uint8, dest_addr: uint16, src_addr: uint16): bool %{ if ( ::dnp3_header_block ) { BifEvent::generate_dnp3_header_block( connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), - is_orig(), start, len, ctrl, dest_addr, src_addr); + is_orig(), len, ctrl, dest_addr, src_addr); } return true; @@ -741,7 +741,7 @@ flow DNP3_Flow(is_orig: bool) { }; refine typeattr Header_Block += &let { - get_header: bool = $context.flow.get_dnp3_header_block(start, len, ctrl, dest_addr, src_addr); + get_header: bool = $context.flow.get_dnp3_header_block(len, ctrl, dest_addr, src_addr); }; refine typeattr DNP3_Application_Request_Header += &let { diff --git a/src/analyzer/protocol/dnp3/dnp3-objects.pac b/src/analyzer/protocol/dnp3/dnp3-objects.pac index 0d2b75df0d..3061500307 100644 --- a/src/analyzer/protocol/dnp3/dnp3-objects.pac +++ b/src/analyzer/protocol/dnp3/dnp3-objects.pac 
@@ -2,27 +2,13 @@ type Prefix_Type(qualifier_field: uint8) = record { prefix: case ( qualifier_field & 0xf0 ) of { - 0x00 -> none: empty &check(qualifier_field == 0x01 || - qualifier_field == 0x02 || - qualifier_field == 0x03 || - qualifier_field == 0x04 || - qualifier_field == 0x05 || - qualifier_field == 0x06 || - qualifier_field == 0x07 || - qualifier_field == 0x08 || - qualifier_field == 0x09 ); - 0x10 -> prefix8: uint8 &check(qualifier_field == 0x17 || - qualifier_field == 0x18 || - qualifier_field == 0x19 ); - 0x20 -> prefix16: uint16 &check(qualifier_field == 0x27 || - qualifier_field == 0x28 || - qualifier_field == 0x29 ); - 0x30 -> prefix32: uint32 &check(qualifier_field == 0x37 || - qualifier_field == 0x38 || - qualifier_field == 0x39 ); - 0x40 -> object_size8: uint8 &check(qualifier_field == 0x4B); - 0x50 -> object_size16: uint16 &check(qualifier_field == 0x5B); - 0x60 -> object_size32: uint32 &check(qualifier_field == 0x6B); + 0x00 -> none: empty; + 0x10 -> prefix8: uint8; # &check(qualifier_field == 0x17 || qualifier_field == 0x18 || qualifier_field == 0x19 ); + 0x20 -> prefix16: uint16; # &check(qualifier_field == 0x27 || qualifier_field == 0x28 || qualifier_field == 0x29 ); + 0x30 -> prefix32: uint32; # &check(qualifier_field == 0x37 || qualifier_field == 0x38 || qualifier_field == 0x39 ); + 0x40 -> object_size8: uint8; # &check(qualifier_field == 0x4B); + 0x50 -> object_size16: uint16; # &check(qualifier_field == 0x5B); + 0x60 -> object_size32: uint32; # &check(qualifier_field == 0x6B); default -> unknownprefix: empty; }; } &let{ 
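Review bot: The `&check` expressions in Prefix_Type are kept as trailing comments instead of being removed or converted, so the grammar carries validation rules that read as if they were active, with no explanation of why they are off. The same pattern repeats in the later hunks of this file: the CROB and PCB `control_code` masks, the `permission` masks in File_Control_ID, File_Control_Cmd and File_Desc, and the g60 class-data qualifiers. In dnp3-protocol.pac only the Header_Block start bytes become `&enforce`. If disabling them is intended, say so once at the top of the file, for example `# &check expressions kept as comments document the expected values; they are intentionally not enforced.`, and otherwise list which ones should become `&enforce`. Unexpected qualifier and control codes parse silently either way, so it is worth confirming that a script-level event or weird lets analysts see them.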
@@ -117,10 +103,8 @@ type Request_Data_Object(function_code: uint8, qualifier_field: uint8, object_ty 0x0b02 -> boewatime: empty; # binary output command g12 - 0x0c01 -> bocmd_CROB: CROB &check (function_code == SELECT || function_code == OPERATE || - function_code == DIRECT_OPERATE || function_code == DIRECT_OPERATE_NR ); - 0x0c02 -> bocmd_PCB: PCB &check (function_code == SELECT || function_code == OPERATE || - function_code == DIRECT_OPERATE || function_code == DIRECT_OPERATE_NR || function_code == WRITE ); + 0x0c01 -> bocmd_CROB: CROB; # &check (function_code == RESPONSE || function_code == SELECT || function_code == OPERATE || function_code == DIRECT_OPERATE || function_code == DIRECT_OPERATE_NR ); + 0x0c02 -> bocmd_PCB: PCB; # &check (function_code == RESPONSE || function_code == SELECT || function_code == OPERATE || function_code == DIRECT_OPERATE || function_code == DIRECT_OPERATE_NR || function_code == WRITE ); 0x0c03 -> bocmd_PM: uint8; # binary output command event g13 
@@ -132,48 +116,48 @@ type Request_Data_Object(function_code: uint8, qualifier_field: uint8, object_ty 0x1400 -> counter_default: empty; 0x1401 -> counter_32_wflag: empty; 0x1402 -> counter_16_wflag: empty; - 0x1403 -> counter_32_wflag_delta: empty &check (0); # obsolete situation; generate warning - 0x1404 -> counter_16_wflag_delta: empty &check (0); # obsolete situations; generate warning + 0x1403 -> counter_32_wflag_delta: empty; # obsolete situation; generate warning + 0x1404 -> counter_16_wflag_delta: empty; # obsolete situations; generate warning 0x1405 -> counter_32_woflag: empty; 0x1406 -> counter_16_woflag: empty; - 0x1407 -> counter_32_woflag_delta: empty &check (0); # obsolete - 0x1408 -> counter_16_woflag_delta: empty &check (0); # obsolete + 0x1407 -> counter_32_woflag_delta: empty; # obsolete + 0x1408 -> counter_16_woflag_delta: empty; # obsolete # frozen counter ; g21 0x1500 -> f_counter_default: empty; 0x1501 -> f_counter_32_wflag: empty; 0x1502 -> f_counter_16_wflag: empty; - 0x1503 -> f_counter_32_wflag_delta: empty &check (0); # obsolete situation; generate warning - 0x1504 -> f_counter_16_wflag_delta: empty &check (0); # obsolete situations; generate warning + 0x1503 -> f_counter_32_wflag_delta: empty; # obsolete situation; generate warning + 0x1504 -> f_counter_16_wflag_delta: empty; # obsolete situations; generate warning 0x1505 -> f_counter_32_wflag_time: empty; 0x1506 -> f_counter_16_wflag_time: empty; - 0x1507 -> f_counter_32_wflag_time_delta: empty &check (0); # obsolete - 0x1508 -> f_counter_16_wflag_time_delta: empty &check (0); # obsolete + 0x1507 -> f_counter_32_wflag_time_delta: empty; # obsolete + 0x1508 -> f_counter_16_wflag_time_delta: empty; # obsolete 0x1509 -> f_counter_32_woflag: empty; 0x150a -> f_counter_16_woflag: empty; - 0x150b -> f_counter_32_woflag_delta: empty &check (0); # obsolete - 0x150c -> f_counter_16_woflag_delta: empty &check (0); # obsolete + 0x150b -> f_counter_32_woflag_delta: empty; # obsolete + 0x150c -> 
f_counter_16_woflag_delta: empty; # obsolete # counter event g22 0x1600 -> counter_event_default: empty; 0x1601 -> counter_event_32_wflag: empty; 0x1602 -> counter_event_16_wflag: empty; - 0x1603 -> counter_event_32_wflag_delta: empty &check(0); - 0x1604 -> counter_event_16_wflag_delta: empty &check(0); + 0x1603 -> counter_event_32_wflag_delta: empty; + 0x1604 -> counter_event_16_wflag_delta: empty; 0x1605 -> counter_event_32_wflag_time: empty; 0x1606 -> counter_event_16_wflag_time: empty; - 0x1607 -> counter_event_32_wflag_time_delta: empty &check(0); - 0x1608 -> counter_event_16_wflag_time_delat: empty &check(0); + 0x1607 -> counter_event_32_wflag_time_delta: empty; + 0x1608 -> counter_event_16_wflag_time_delat: empty; # counter event g23 0x1700 -> f_counter_event_default: empty; 0x1701 -> f_counter_event_32_wflag: empty; 0x1702 -> f_counter_event_16_wflag: empty; - 0x1703 -> f_counter_event_32_wflag_delta: empty &check(0); - 0x1704 -> f_counter_event_16_wflag_delta: empty &check(0); + 0x1703 -> f_counter_event_32_wflag_delta: empty; + 0x1704 -> f_counter_event_16_wflag_delta: empty; 0x1705 -> f_counter_event_32_wflag_time: empty; 0x1706 -> f_counter_event_16_wflag_time: empty; - 0x1707 -> f_counter_event_32_wflag_time_delta: empty &check(0); - 0x1708 -> f_counter_event_16_wflag_time_delat: empty &check(0); + 0x1707 -> f_counter_event_32_wflag_time_delta: empty; + 0x1708 -> f_counter_event_16_wflag_time_delat: empty; #analog input g30 0x1e00 -> ai_default: empty; 
@@ -273,19 +257,15 @@ type Request_Data_Object(function_code: uint8, qualifier_field: uint8, object_ty 0x3402 -> time_fine: uint16; # class objects g60 - 0x3C01 -> class0data: empty &check(object_header.qualifier_field == 0x06); - #0x3C02 -> class1data: uint8 &check(object_header.qualifier_field == 0x06); - 0x3C02 -> class1data: empty &check(object_header.qualifier_field == 0x06 || - object_header.qualifier_field == 0x07 || object_header.qualifier_field == 0x08); - 0x3C03 -> class2data: empty &check(object_header.qualifier_field == 0x06 || - object_header.qualifier_field == 0x07 || object_header.qualifier_field == 0x08); - 0x3C04 -> class3data: empty &check(object_header.qualifier_field == 0x06 || - object_header.qualifier_field == 0x07 || object_header.qualifier_field == 0x08); + 0x3C01 -> class0data: empty; # &check(qualifier_field == 0x06); + #0x3C02 -> class1data: uint8; # &check(qualifier_field == 0x06); + 0x3C02 -> class1data: empty; # &check(qualifier_field == 0x06 || qualifier_field == 0x07 || qualifier_field == 0x08); + 0x3C03 -> class2data: empty; # &check(qualifier_field == 0x06 || qualifier_field == 0x07 || qualifier_field == 0x08); + 0x3C04 -> class3data: empty; # &check(qualifier_field == 0x06 || qualifier_field == 0x07 || qualifier_field == 0x08); # file control g70 - 0x4601 -> file_control_id: File_Control_ID &check(0); + 0x4601 -> file_control_id: File_Control_ID; 0x4602 -> file_control_auth: File_Control_Auth_Wrap(function_code); - 0x4603 -> file_control_cmd: File_Control_Cmd &check( file_control_cmd.op_mode == 0 || file_control_cmd.op_mode == 1 || - file_control_cmd.op_mode == 2 || file_control_cmd.op_mode == 3 ); + 0x4603 -> file_control_cmd: File_Control_Cmd; # &check( file_control_cmd.op_mode == 0 || file_control_cmd.op_mode == 1 || file_control_cmd.op_mode == 2 || file_control_cmd.op_mode == 3 ); #0x4604 -> file_control_cmd_status: File_Control_Cmd_Status_Wrap(function_code, prefix.prefix_value); # example shown in P66 0x4604 -> 
file_control_cmd_status: File_Control_Cmd_Status(prefix.prefix_value); # example shown in P66 0x4605 -> file_trans: File_Transport(prefix.prefix_value); @@ -423,10 +403,8 @@ type Response_Data_Object(function_code: uint8, qualifier_field: uint8, object_t 0x0b02 -> boewatime: BinOutEveAtime; # binary output command g12 - 0x0c01 -> bocmd_CROB: CROB &check (function_code == SELECT || function_code == OPERATE || - function_code == DIRECT_OPERATE || function_code == DIRECT_OPERATE_NR ); - 0x0c02 -> bocmd_PCB: PCB &check (function_code == SELECT || function_code == OPERATE || - function_code == DIRECT_OPERATE || function_code == DIRECT_OPERATE_NR || function_code == WRITE ); + 0x0c01 -> bocmd_CROB: CROB; # &check (function_code == RESPONSE || function_code == SELECT || function_code == OPERATE || function_code == DIRECT_OPERATE || function_code == DIRECT_OPERATE_NR ); + 0x0c02 -> bocmd_PCB: PCB; # &check (function_code == RESPONSE || function_code == SELECT || function_code == OPERATE || function_code == DIRECT_OPERATE || function_code == DIRECT_OPERATE_NR || function_code == WRITE ); 0x0c03 -> bocmd_PM: uint8; # binary output command event g13 
@@ -436,46 +414,46 @@ type Response_Data_Object(function_code: uint8, qualifier_field: uint8, object_t # counter ; g20 0x1401 -> counter_32_wflag: Counter32wFlag; 0x1402 -> counter_16_wflag: Counter16wFlag; - 0x1403 -> counter_32_wflag_delta: Debug_Byte &check (0); # obsolete situation; generate warning - 0x1404 -> counter_16_wflag_delta: Debug_Byte &check (0); # obsolete situations; generate warning + 0x1403 -> counter_32_wflag_delta: Debug_Byte; # obsolete situation; generate warning + 0x1404 -> counter_16_wflag_delta: Debug_Byte; # obsolete situations; generate warning 0x1405 -> counter_32_woflag: Counter32woFlag; 0x1406 -> counter_16_woflag: Counter16woFlag; - 0x1407 -> counter_32_woflag_delta: Debug_Byte &check (0); # obsolete - 0x1408 -> counter_16_woflag_delta: Debug_Byte &check (0); # obsolete + 0x1407 -> counter_32_woflag_delta: Debug_Byte; # obsolete + 0x1408 -> counter_16_woflag_delta: Debug_Byte; # obsolete # frozen counter ; g21 #0x1500 -> f_counter_default: empty; 0x1501 -> f_counter_32_wflag: FrozenCounter32wFlag; 0x1502 -> f_counter_16_wflag: FrozenCounter16wFlag; - 0x1503 -> f_counter_32_wflag_delta: Debug_Byte &check (0); # obsolete situation; generate warning - 0x1504 -> f_counter_16_wflag_delta: Debug_Byte &check (0); # obsolete situations; generate warning + 0x1503 -> f_counter_32_wflag_delta: Debug_Byte; # obsolete situation; generate warning + 0x1504 -> f_counter_16_wflag_delta: Debug_Byte; # obsolete situations; generate warning 0x1505 -> f_counter_32_wflag_time: FrozenCounter32wFlagTime; 0x1506 -> f_counter_16_wflag_time: FrozenCounter16wFlagTime; - 0x1507 -> f_counter_32_wflag_time_delta: Debug_Byte &check (0); # obsolete - 0x1508 -> f_counter_16_wflag_time_delta: Debug_Byte &check (0); # obsolete - 0x1509 -> f_counter_32_woflag: FrozenCounter32woFlag &check (f_counter_32_woflag.count_value == 23); + 0x1507 -> f_counter_32_wflag_time_delta: Debug_Byte; # obsolete + 0x1508 -> f_counter_16_wflag_time_delta: Debug_Byte; # obsolete + 0x1509 -> 
f_counter_32_woflag: FrozenCounter32woFlag; 0x150a -> f_counter_16_woflag: FrozenCounter16woFlag; - 0x150b -> f_counter_32_woflag_delta: Debug_Byte &check (0); # obsolete - 0x150c -> f_counter_16_woflag_delta: Debug_Byte &check (0); # obsolete + 0x150b -> f_counter_32_woflag_delta: Debug_Byte; # obsolete + 0x150c -> f_counter_16_woflag_delta: Debug_Byte; # obsolete # counter event g22 0x1601 -> counter_event_32_wflag: CounterEve32wFlag; 0x1602 -> counter_event_16_wflag: CounterEve16wFlag; - 0x1603 -> counter_event_32_wflag_delta: Debug_Byte &check(0); - 0x1604 -> counter_event_16_wflag_delta: Debug_Byte &check(0); + 0x1603 -> counter_event_32_wflag_delta: Debug_Byte; + 0x1604 -> counter_event_16_wflag_delta: Debug_Byte; 0x1605 -> counter_event_32_wflag_time: CounterEve32wFlagTime; 0x1606 -> counter_event_16_wflag_time: CounterEve16wFlagTime; - 0x1607 -> counter_event_32_wflag_time_delta: Debug_Byte &check(0); - 0x1608 -> counter_event_16_wflag_time_delat: Debug_Byte &check(0); + 0x1607 -> counter_event_32_wflag_time_delta: Debug_Byte; + 0x1608 -> counter_event_16_wflag_time_delat: Debug_Byte; # counter event g23 0x1701 -> f_counter_event_32_wflag: CounterEve32wFlag; 0x1702 -> f_counter_event_16_wflag: CounterEve16wFlag; - 0x1703 -> f_counter_event_32_wflag_delta: Debug_Byte &check(0); - 0x1704 -> f_counter_event_16_wflag_delta: Debug_Byte &check(0); + 0x1703 -> f_counter_event_32_wflag_delta: Debug_Byte; + 0x1704 -> f_counter_event_16_wflag_delta: Debug_Byte; 0x1705 -> f_counter_event_32_wflag_time: CounterEve32wFlagTime; 0x1706 -> f_counter_event_16_wflag_time: CounterEve16wFlagTime; - 0x1707 -> f_counter_event_32_wflag_time_delta: Debug_Byte &check(0); - 0x1708 -> f_counter_event_16_wflag_time_delat: Debug_Byte &check(0); + 0x1707 -> f_counter_event_32_wflag_time_delta: Debug_Byte; + 0x1708 -> f_counter_event_16_wflag_time_delat: Debug_Byte; # analog input g30 0x1e01 -> ai_32_wflag: AnalogInput32wFlag; 
@@ -566,11 +544,9 @@ type Response_Data_Object(function_code: uint8, qualifier_field: uint8, object_t 0x3402 -> time_fine: uint16; # file control g70 - 0x4601 -> file_control_id: File_Control_ID &check(0); - 0x4602 -> file_control_auth: File_Control_Auth &check(file_control_auth.usr_name_size == 0 && file_control_auth.pwd_size == 0); - 0x4603 -> file_control_cmd: File_Control_Cmd &check(file_control_cmd.name_size == 0 && - ( file_control_cmd.op_mode == 0 || file_control_cmd.op_mode == 1 || - file_control_cmd.op_mode == 2 || file_control_cmd.op_mode == 3) ); + 0x4601 -> file_control_id: File_Control_ID; + 0x4602 -> file_control_auth: File_Control_Auth; # &check(file_control_auth.usr_name_size == 0 && file_control_auth.pwd_size == 0); + 0x4603 -> file_control_cmd: File_Control_Cmd; # &check(file_control_cmd.name_size == 0 && ( file_control_cmd.op_mode == 0 || file_control_cmd.op_mode == 1 || file_control_cmd.op_mode == 2 || file_control_cmd.op_mode == 3) ); 0x4604 -> file_control_cmd_status: File_Control_Cmd_Status(prefix.prefix_value); 0x4605 -> file_trans: File_Transport(prefix.prefix_value); 0x4606 -> file_trans_status: File_Transport_Status(prefix.prefix_value); @@ -623,7 +599,7 @@ type Response_Data_Object(function_code: uint8, qualifier_field: uint8, object_t 0x7806 -> keyChange: AuthSessionKeyChange(prefix.prefix_value); 0x7807 -> error: AuthError(prefix.prefix_value); - #default -> unkonwndata: Debug_Byte &check( T ); + #default -> unkonwndata: Debug_Byte; # &check( T ); default -> unmatched: Default_Wrap(object_type_field); }; } 
@@ -697,8 +673,7 @@ type BinOutEveAtime = record { # g12v1 group: 12; variation: 1 type CROB = record { - control_code: uint8 &check ( (control_code & 0xCF) == 0x00 || (control_code & 0xCF) == 0x01 || (control_code & 0xCF) == 0x03 || (control_code & 0xCF) == 0x04 || - (control_code & 0xCF) == 0x41 || (control_code & 0xCF) == 0x81 ); + control_code: uint8; # &check ( (control_code & 0xCF) == 0x00 || (control_code & 0xCF) == 0x01 || (control_code & 0xCF) == 0x03 || (control_code & 0xCF) == 0x04 || (control_code & 0xCF) == 0x41 || (control_code & 0xCF) == 0x81 ); count: uint8; on_time: uint32; off_time: uint32; @@ -707,8 +682,7 @@ type CROB = record { # g12v2; same as g12v1 type PCB = record { - control_code: uint8 &check ( (control_code & 0xCF) == 0x00 || (control_code & 0xCF) == 0x01 || (control_code & 0xCF) == 0x03 || (control_code & 0xCF) == 0x04 || - (control_code & 0xCF) == 0x41 || (control_code & 0xCF) == 0x81 ); + control_code: uint8; # &check ( (control_code & 0xCF) == 0x00 || (control_code & 0xCF) == 0x01 || (control_code & 0xCF) == 0x03 || (control_code & 0xCF) == 0x04 || (control_code & 0xCF) == 0x41 || (control_code & 0xCF) == 0x81 ); count: uint8; on_time: uint32; off_time: uint32; @@ -1192,7 +1166,7 @@ type File_Control_ID = record { end_rec: uint16; file_size: uint32; time_create: bytestring &length = 6; - permission: uint16 &check ( (permission & 0xFE00 ) == 0x0000); + permission: uint16; # &check ( (permission & 0xFE00 ) == 0x0000); file_id: uint32; owner_id: uint32; group_id: uint32; @@ -1205,7 +1179,7 @@ type File_Control_ID = record { # g70v2 type File_Control_Auth_Wrap(fc: uint8) = record { data: case(fc) of { - AUTHENTICATE_FILE -> auth_file: File_Control_Auth &check(auth_file.auth_key == 0) ; + AUTHENTICATE_FILE -> auth_file: File_Control_Auth; # &check(auth_file.auth_key == 0) ; default -> null: empty; }; }; 
@@ -1224,7 +1198,7 @@ type File_Control_Auth = record { type File_Control_Cmd_Wrap(function_code: uint8) = record { data_obj: case (function_code) of { OPEN_FILE -> fc_cmd_open: File_Control_Cmd; - DELETE_FILE -> fc_cmd_del: File_Control_Cmd &check( fc_cmd_del.op_mode == 0 && fc_cmd_del.name_size == 0 && fc_cmd_del.time_create == 0x0); + DELETE_FILE -> fc_cmd_del: File_Control_Cmd; # &check( fc_cmd_del.op_mode == 0 && fc_cmd_del.name_size == 0 && fc_cmd_del.time_create == 0x0); default -> null: empty; }; @@ -1234,7 +1208,7 @@ type File_Control_Cmd = record { name_offset: uint16; name_size: uint16; time_create: bytestring &length = 6; - permission: uint16 &check ( (permission & 0xFE00 ) == 0x0000); + permission: uint16; # &check ( (permission & 0xFE00 ) == 0x0000); auth_key: uint32; file_size: uint32; op_mode: uint16; @@ -1246,7 +1220,7 @@ type File_Control_Cmd = record { # g70v4 type File_Control_Cmd_Status_Wrap(function_code: uint8, obj_size: uint32) = record { data_obj: case (function_code) of { - ABORT_FILE -> abort: File_Control_Cmd_Status(obj_size) &check(abort.file_size == 0 && abort.max_block_size ==0 && abort.status_code ==0 ); + ABORT_FILE -> abort: File_Control_Cmd_Status(obj_size); # &check(abort.file_size == 0 && abort.max_block_size ==0 && abort.status_code ==0 ); RESPONSE -> fc_cmd_status: File_Control_Cmd_Status(obj_size); default -> null: empty; }; 
@@ -1282,11 +1256,7 @@ type File_Transport_Status(obj_size: uint32) = record { # g70v7 type File_Desc_Wrap(function_code: uint8) = record { data: case(function_code) of { - GET_FILE_INFO -> get_file_info: File_Desc &check(get_file_info.type ==0 && - get_file_info.f_size == 0 && - get_file_info.time_create_low == 0 && - get_file_info.time_create_high == 0 && - get_file_info.permission == 0); + GET_FILE_INFO -> get_file_info: File_Desc; # &check(get_file_info.type ==0 && get_file_info.f_size == 0 && get_file_info.time_create_low == 0 && get_file_info.time_create_high == 0 && get_file_info.permission == 0); default -> null: empty; }; } &byteorder = littleendian; @@ -1298,7 +1268,7 @@ type File_Desc = record { f_size: uint32; time_create_low: uint32; time_create_high: uint16; - permission: uint16 &check ( (permission & 0xFE00 ) == 0x0000); + permission: uint16; # &check ( (permission & 0xFE00 ) == 0x0000); req_id: uint16; f_name: bytestring &length = name_size; } &byteorder = littleendian; diff --git a/src/analyzer/protocol/dnp3/dnp3-protocol.pac b/src/analyzer/protocol/dnp3/dnp3-protocol.pac index 3cf2290c2c..7e1e7ad1af 100644 --- a/src/analyzer/protocol/dnp3/dnp3-protocol.pac +++ b/src/analyzer/protocol/dnp3/dnp3-protocol.pac @@ -8,7 +8,8 @@ type DNP3_PDU(is_orig: bool) = case is_orig of { } &byteorder = bigendian; type Header_Block = record { - start: uint16 &check(start == 0x0564); + start_1: uint8 &enforce(start_1 == 0x05); + start_2: uint8 &enforce(start_2 == 0x64); len: uint8; ctrl: uint8; dest_addr: uint16; 
@@ -34,11 +35,11 @@ type DNP3_Request = record { FREEZE_AT_TIME_NR -> freeze_time_nr_requests: Request_Objects(app_header.function_code)[]; COLD_RESTART -> cold_restart: empty; WARM_RESTART -> warm_restart: empty; - INITIALIZE_DATA -> initilize_data: empty &check(0); # obsolete + INITIALIZE_DATA -> initilize_data: empty; # obsolete INITIALIZE_APPL -> initilize_appl: Request_Objects(app_header.function_code)[]; START_APPL -> start_appl: Request_Objects(app_header.function_code)[]; STOP_APPL -> stop_appl: Request_Objects(app_header.function_code)[]; - SAVE_CONFIG -> save_config: empty &check(0); # depracated + SAVE_CONFIG -> save_config: empty; # depracated ENABLE_UNSOLICITED -> enable_unsolicited: Request_Objects(app_header.function_code)[]; DISABLE_UNSOLICITED -> disable_unsolicited: Request_Objects(app_header.function_code)[]; ASSIGN_CLASS -> assign_class: Request_Objects(app_header.function_code)[]; 
@@ -91,20 +92,20 @@ type Request_Objects(function_code: uint8) = record { object_header: Object_Header(function_code); data: case (object_header.object_type_field) of { 0x0c03 -> bocmd_PM: Request_Data_Object(function_code, object_header.qualifier_field, object_header.object_type_field )[ ( object_header.number_of_item / 8 ) + 1*( object_header.number_of_item > ( (object_header.number_of_item / 8)*8 ) ) ]; - 0x3202 -> time_interval_ojbects: Request_Data_Object(function_code, object_header.qualifier_field, object_header.object_type_field )[ object_header.number_of_item] - &check( object_header.qualifer_field == 0x0f && object_header.number_of_item == 0x01); + 0x3202 -> time_interval_ojbects: Request_Data_Object(function_code, object_header.qualifier_field, object_header.object_type_field )[ object_header.number_of_item]; + # &check( object_header.qualifier_field == 0x0f && object_header.number_of_item == 0x01); default -> ojbects: Request_Data_Object(function_code, object_header.qualifier_field, object_header.object_type_field )[ object_header.number_of_item]; }; # dump_data is always empty; I intend to use it for checking some conditions; # However, in the current binpac implementation, &check is not implemented dump_data: case (function_code) of { - OPEN_FILE -> open_file_dump: empty &check(object_header.object_type_field == 0x4603); - CLOSE_FILE -> close_file_dump: empty &check(object_header.object_type_field == 0x4604); - DELETE_FILE -> delete_file_dump: empty &check(object_header.object_type_field == 0x4603); - ABORT_FILE -> abort_file_dump: empty &check(object_header.object_type_field == 0x4604); - GET_FILE_INFO -> get_file_info: empty &check(object_header.object_type_field == 0x4607); - AUTHENTICATE_FILE -> auth_file: empty &check(object_header.object_type_field == 0x4602); - ACTIVATE_CONFIG -> active_config: empty &check(object_header.object_type_field == 0x4608 || (object_header.object_type_field & 0xFF00) == 0x6E00); + OPEN_FILE -> open_file_dump: empty; # 
&check(object_header.object_type_field == 0x4603); + CLOSE_FILE -> close_file_dump: empty; # &check(object_header.object_type_field == 0x4604); + DELETE_FILE -> delete_file_dump: empty; # &check(object_header.object_type_field == 0x4603); + ABORT_FILE -> abort_file_dump: empty; # &check(object_header.object_type_field == 0x4604); + GET_FILE_INFO -> get_file_info: empty; # &check(object_header.object_type_field == 0x4607); + AUTHENTICATE_FILE -> auth_file: empty; # &check(object_header.object_type_field == 0x4602); + ACTIVATE_CONFIG -> active_config: empty; # &check(object_header.object_type_field == 0x4608 || (object_header.object_type_field & 0xFF00) == 0x6E00); default -> default_dump: empty; }; }; @@ -124,9 +125,9 @@ type Object_Header(function_code: uint8) = record { object_type_field: uint16 ; qualifier_field: uint8 ; range_field: case ( qualifier_field & 0x0f ) of { - 0 -> range_field_0: Range_Field_0 &check(range_field_0.stop_index >= range_field_0.start_index); - 1 -> range_field_1: Range_Field_1 &check(range_field_1.stop_index >= range_field_1.start_index); - 2 -> range_field_2: Range_Field_2 &check(range_field_2.stop_index >= range_field_2.start_index); + 0 -> range_field_0: Range_Field_0; # &check(range_field_0.stop_index >= range_field_0.start_index); + 1 -> range_field_1: Range_Field_1; # &check(range_field_1.stop_index >= range_field_1.start_index); + 2 -> range_field_2: Range_Field_2; # &check(range_field_2.stop_index >= range_field_2.start_index); 3 -> range_field_3: Range_Field_3; 4 -> range_field_4: Range_Field_4; 5 -> range_field_5: Range_Field_5; 
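Review bot: The context comment above `dump_data` still reads `in the current binpac implementation, &check is not implemented`, which no longer describes this hunk: every `&check` on the `dump_data` cases is now a trailing comment, and the one on `time_interval_ojbects` moved to a comment line of its own. Update it to what is true after the change, e.g. `# dump_data is always empty; the function-code/object-type consistency checks below are disabled.` As written, a request whose function code is OPEN_FILE but whose object type is not 0x4603 parses exactly like a consistent one, so flagging that mismatch is left to script-level logic. The record opens just before the hunk.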
@@ -135,11 +136,11 @@ type Object_Header(function_code: uint8) = record { 8 -> range_field_8: uint16; 9 -> range_field_9: uint32; 0x0b -> range_field_b: uint8; - default -> unknown: bytestring &restofdata &check(0); + default -> unknown: bytestring &restofdata; }; # dump_data is always empty; used to check dependency bw object_type_field and qualifier_field dump_data: case ( object_type_field & 0xff00 ) of { - 0x3C00 -> dump_3c: empty &check( (object_type_field == 0x3C01 || object_type_field == 0x3C02 || object_type_field == 0x3C03 || object_type_field == 0x3C04) && ( qualifier_field == 0x06 ) ); + 0x3C00 -> dump_3c: empty; # &check( (object_type_field == 0x3C01 || object_type_field == 0x3C02 || object_type_field == 0x3C03 || object_type_field == 0x3C04) && ( qualifier_field == 0x06 ) ); default -> dump_def: empty; }; } diff --git a/src/analyzer/protocol/dnp3/events.bif b/src/analyzer/protocol/dnp3/events.bif index abb735488e..34ea79ae1a 100644 --- a/src/analyzer/protocol/dnp3/events.bif +++ b/src/analyzer/protocol/dnp3/events.bif @@ -64,9 +64,6 @@ event dnp3_object_prefix%(c: connection, is_orig: bool, prefix_value: count%); ## ## is_orig: True if this reflects originator-side activity. ## -## start: the first two bytes of the DNP3 Pseudo Link Layer; its value is fixed -## as 0x0564. -## ## len: the "length" field in the DNP3 Pseudo Link Layer. ## ## ctrl: the "control" field in the DNP3 Pseudo Link Layer. @@ -75,7 +72,7 @@ event dnp3_object_prefix%(c: connection, is_orig: bool, prefix_value: count%); ## ## src_addr: the "source" field in the DNP3 Pseudo Link Layer. ## -event dnp3_header_block%(c: connection, is_orig: bool, start: count, len: count, ctrl: count, dest_addr: count, src_addr: count%); +event dnp3_header_block%(c: connection, is_orig: bool, len: count, ctrl: count, dest_addr: count, src_addr: count%); ## Generated for a DNP3 "Response_Data_Object". ## The "Response_Data_Object" contains two parts: object prefix and object 
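Review bot: The `stop_index >= start_index` conditions on `range_field_0`, `range_field_1` and `range_field_2` are left unenforced, now only as comments, so an inverted range is accepted without any signal. `number_of_item`, which Request_Objects uses as an array length, is presumably derived from these indices (its definition is outside the hunk), which makes this the one disabled check I would keep live: `0 -> range_field_0: Range_Field_0 &enforce(range_field_0.stop_index >= range_field_0.start_index);` and likewise for cases 1 and 2, assuming `&enforce` is accepted on a case field as it is on the Header_Block fields. The `default -> unknown: bytestring &restofdata;` case also lost its `&check(0)`, so an unrecognised range specifier now takes the rest of the data quietly. A comment there should say whether that is intended.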
diff --git a/src/analyzer/protocol/dns/DNS.cc b/src/analyzer/protocol/dns/DNS.cc index 1fc94a80ba..145d19950f 100644 --- a/src/analyzer/protocol/dns/DNS.cc +++ b/src/analyzer/protocol/dns/DNS.cc @@ -182,7 +182,7 @@ int DNS_Interpreter::ParseQuestion(DNS_MsgInfo* msg, return 0; } - EventHandlerPtr dns_event = 0; + EventHandlerPtr dns_event = nullptr; if ( msg->QR == 0 ) dns_event = dns_request; diff --git a/src/analyzer/protocol/dns/DNS.h b/src/analyzer/protocol/dns/DNS.h index 87618cd18e..58a263637e 100644 --- a/src/analyzer/protocol/dns/DNS.h +++ b/src/analyzer/protocol/dns/DNS.h @@ -151,7 +151,7 @@ public: class DNS_Interpreter { public: - DNS_Interpreter(analyzer::Analyzer* analyzer); + explicit DNS_Interpreter(analyzer::Analyzer* analyzer); int ParseMessage(const u_char* data, int len, int is_query); @@ -239,14 +239,14 @@ typedef enum { class Contents_DNS : public tcp::TCP_SupportAnalyzer { public: Contents_DNS(Connection* c, bool orig, DNS_Interpreter* interp); - ~Contents_DNS(); + ~Contents_DNS() override; void Flush(); ///< process any partially-received data TCP_DNS_state State() const { return state; } protected: - virtual void DeliverStream(int len, const u_char* data, bool orig); + void DeliverStream(int len, const u_char* data, bool orig) override; DNS_Interpreter* interp; 
@@ -260,16 +260,16 @@ protected: // Works for both TCP and UDP. class DNS_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: - DNS_Analyzer(Connection* conn); - ~DNS_Analyzer(); + explicit DNS_Analyzer(Connection* conn); + ~DNS_Analyzer() override; - virtual void DeliverPacket(int len, const u_char* data, bool orig, - uint64 seq, const IP_Hdr* ip, int caplen); + void DeliverPacket(int len, const u_char* data, bool orig, + uint64 seq, const IP_Hdr* ip, int caplen) override; - virtual void Init(); - virtual void Done(); - virtual void ConnectionClosed(tcp::TCP_Endpoint* endpoint, - tcp::TCP_Endpoint* peer, int gen_event); + void Init() override; + void Done() override; + void ConnectionClosed(tcp::TCP_Endpoint* endpoint, + tcp::TCP_Endpoint* peer, int gen_event) override; void ExpireTimer(double t); diff --git a/src/analyzer/protocol/file/File.h b/src/analyzer/protocol/file/File.h index 8e611fe0c3..58073afa6e 100644 --- a/src/analyzer/protocol/file/File.h +++ b/src/analyzer/protocol/file/File.h @@ -13,11 +13,11 @@ class File_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: File_Analyzer(const char* name, Connection* conn); - virtual void Done(); + void Done() override; - virtual void DeliverStream(int len, const u_char* data, bool orig); + void DeliverStream(int len, const u_char* data, bool orig) override; - void Undelivered(uint64 seq, int len, bool orig); + void Undelivered(uint64 seq, int len, bool orig) override; // static analyzer::Analyzer* Instantiate(Connection* conn) // { return new File_Analyzer(conn); } @@ -34,7 +34,7 @@ protected: class IRC_Data : public File_Analyzer { public: - IRC_Data(Connection* conn) + explicit IRC_Data(Connection* conn) : File_Analyzer("IRC_Data", conn) { } @@ -44,7 +44,7 @@ public: class FTP_Data : public File_Analyzer { public: - FTP_Data(Connection* conn) + explicit FTP_Data(Connection* conn) : File_Analyzer("FTP_Data", conn) { } 
diff --git a/src/analyzer/protocol/finger/Finger.cc b/src/analyzer/protocol/finger/Finger.cc index a9818ff7af..e1be27e795 100644 --- a/src/analyzer/protocol/finger/Finger.cc +++ b/src/analyzer/protocol/finger/Finger.cc @@ -17,9 +17,9 @@ Finger_Analyzer::Finger_Analyzer(Connection* conn) : tcp::TCP_ApplicationAnalyzer("FINGER", conn) { did_deliver = 0; - content_line_orig = new tcp::ContentLine_Analyzer(conn, true); + content_line_orig = new tcp::ContentLine_Analyzer(conn, true, 1000); content_line_orig->SetIsNULSensitive(true); - content_line_resp = new tcp::ContentLine_Analyzer(conn, false); + content_line_resp = new tcp::ContentLine_Analyzer(conn, false, 1000); AddSupportAnalyzer(content_line_orig); AddSupportAnalyzer(content_line_resp); } diff --git a/src/analyzer/protocol/finger/Finger.h b/src/analyzer/protocol/finger/Finger.h index c677f4c599..d7ea81f430 100644 --- a/src/analyzer/protocol/finger/Finger.h +++ b/src/analyzer/protocol/finger/Finger.h @@ -10,12 +10,12 @@ namespace analyzer { namespace finger { class Finger_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: - Finger_Analyzer(Connection* conn); - virtual ~Finger_Analyzer() {} + explicit Finger_Analyzer(Connection* conn); + ~Finger_Analyzer() override {} - virtual void Done(); + void Done() override; // Line-based input. - virtual void DeliverStream(int len, const u_char* data, bool orig); + void DeliverStream(int len, const u_char* data, bool orig) override; static analyzer::Analyzer* Instantiate(Connection* conn) { return new Finger_Analyzer(conn); } diff --git a/src/analyzer/protocol/ftp/FTP.h b/src/analyzer/protocol/ftp/FTP.h index f829547f36..668e2da83e 100644 --- a/src/analyzer/protocol/ftp/FTP.h +++ b/src/analyzer/protocol/ftp/FTP.h 
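Review bot: The literal `1000` is passed twice to `tcp::ContentLine_Analyzer` in the Finger_Analyzer constructor with no name or comment, so a reader cannot tell what it bounds or why that value was chosen. It looks like a per-line length cap (the constructor's signature is not in this hunk, so confirm), which is a sensible limit for a line-based analyzer fed by untrusted peers. Give it a name, e.g. `static const int FINGER_MAX_LINE_LEN = 1000;`, and use it in both calls. A one-line comment on what happens to longer lines (truncated, split or reported) would tell analysts what to expect in the logs.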
@@ -10,10 +10,10 @@ namespace analyzer { namespace ftp { class FTP_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: - FTP_Analyzer(Connection* conn); + explicit FTP_Analyzer(Connection* conn); - virtual void Done(); - virtual void DeliverStream(int len, const u_char* data, bool orig); + void Done() override; + void DeliverStream(int len, const u_char* data, bool orig) override; static analyzer::Analyzer* Instantiate(Connection* conn) { @@ -40,7 +40,7 @@ public: : SupportAnalyzer("FTP_ADAT", conn, arg_orig), first_token(true) { } - void DeliverStream(int len, const u_char* data, bool orig); + void DeliverStream(int len, const u_char* data, bool orig) override; protected: // Used by the client-side analyzer to tell if it needs to peek at the diff --git a/src/analyzer/protocol/ftp/functions.bif b/src/analyzer/protocol/ftp/functions.bif index b57b24df20..9508061102 100644 --- a/src/analyzer/protocol/ftp/functions.bif +++ b/src/analyzer/protocol/ftp/functions.bif @@ -33,13 +33,13 @@ static Val* parse_port(const char* line) } r->Assign(0, new AddrVal(htonl(addr))); - r->Assign(1, new PortVal(port, TRANSPORT_TCP)); + r->Assign(1, port_mgr->Get(port, TRANSPORT_TCP)); r->Assign(2, new Val(good, TYPE_BOOL)); } else { r->Assign(0, new AddrVal(uint32(0))); - r->Assign(1, new PortVal(0, TRANSPORT_TCP)); + r->Assign(1, port_mgr->Get(0, TRANSPORT_TCP)); r->Assign(2, new Val(0, TYPE_BOOL)); } @@ -109,7 +109,7 @@ static Val* parse_eftp(const char* line) } r->Assign(0, new AddrVal(addr)); - r->Assign(1, new PortVal(port, TRANSPORT_TCP)); + r->Assign(1, port_mgr->Get(port, TRANSPORT_TCP)); r->Assign(2, new Val(good, TYPE_BOOL)); return r; diff --git a/src/analyzer/protocol/gnutella/Gnutella.h b/src/analyzer/protocol/gnutella/Gnutella.h index c2b161ec04..895116cfbb 100644 --- a/src/analyzer/protocol/gnutella/Gnutella.h +++ b/src/analyzer/protocol/gnutella/Gnutella.h 
@@ -36,11 +36,11 @@ public: class Gnutella_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: - Gnutella_Analyzer(Connection* conn); - ~Gnutella_Analyzer(); + explicit Gnutella_Analyzer(Connection* conn); + ~Gnutella_Analyzer() override; - virtual void Done (); - virtual void DeliverStream(int len, const u_char* data, bool orig); + void Done () override; + void DeliverStream(int len, const u_char* data, bool orig) override; static analyzer::Analyzer* Instantiate(Connection* conn) { return new Gnutella_Analyzer(conn); } diff --git a/src/analyzer/protocol/gssapi/CMakeLists.txt b/src/analyzer/protocol/gssapi/CMakeLists.txt index 222c3cdf4e..d826d36bf7 100644 --- a/src/analyzer/protocol/gssapi/CMakeLists.txt +++ b/src/analyzer/protocol/gssapi/CMakeLists.txt @@ -5,7 +5,7 @@ include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DI bro_plugin_begin(Bro GSSAPI) bro_plugin_cc(GSSAPI.cc Plugin.cc) -bro_plugin_bif(types.bif events.bif) +bro_plugin_bif(events.bif) bro_plugin_pac( gssapi.pac gssapi-protocol.pac diff --git a/src/analyzer/protocol/gssapi/GSSAPI.h b/src/analyzer/protocol/gssapi/GSSAPI.h index 2fd01a3ab5..e99eab2abd 100644 --- a/src/analyzer/protocol/gssapi/GSSAPI.h +++ b/src/analyzer/protocol/gssapi/GSSAPI.h @@ -15,8 +15,8 @@ class GSSAPI_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: - GSSAPI_Analyzer(Connection* conn); - virtual ~GSSAPI_Analyzer(); + explicit GSSAPI_Analyzer(Connection* conn); + ~GSSAPI_Analyzer() override; // Overriden from Analyzer. void Done() override; diff --git a/src/analyzer/protocol/gssapi/gssapi-analyzer.pac b/src/analyzer/protocol/gssapi/gssapi-analyzer.pac index 64e8dd5e50..3478e66c93 100644 --- a/src/analyzer/protocol/gssapi/gssapi-analyzer.pac +++ b/src/analyzer/protocol/gssapi/gssapi-analyzer.pac 
@@ -28,28 +28,29 @@ refine connection GSSAPI_Conn += { function forward_blob(val: GSSAPI_NEG_TOKEN_MECH_TOKEN, is_orig: bool): bool %{ - if ( ${val.mech_token}.length() >= 7 && - memcmp("NTLMSSP", ${val.mech_token}.begin(), 7) == 0 ) + if ( ${val.has_ntlm} && + ${val.ntlm}.length() >= 7 && + memcmp("NTLMSSP", ${val.ntlm}.begin(), 7) == 0 ) { // ntlmssp if ( ! ntlm ) ntlm = analyzer_mgr->InstantiateAnalyzer("NTLM", bro_analyzer()->Conn()); if ( ntlm ) - ntlm->DeliverStream(${val.mech_token}.length(), ${val.mech_token}.begin(), is_orig); + ntlm->DeliverStream(${val.ntlm}.length(), + ${val.ntlm}.begin(), is_orig); } - else if ( ${val.mech_token}.length() == 9 && - (memcmp("\x2a\x86\x48\x86\xf7\x12\x01\x02\x02", ${val.mech_token}.begin(), ${val.mech_token}.length()) == 0 || - memcmp("\x2a\x86\x48\x82\xf7\x12\x01\x02\x02", ${val.mech_token}.begin(), ${val.mech_token}.length()) == 0 ) ) + + else if ( ${val.has_krb} ) { - // krb5 && ms-krb5 if ( ! krb5 ) krb5 = analyzer_mgr->InstantiateAnalyzer("KRB", bro_analyzer()->Conn()); - // 0x0100 is a special marker - if ( krb5 && memcmp("\x01\x00", ${val.mech_token}.begin(), 2) == 0 ) + if ( krb5 ) // accepting all KRB types (REQ, REP, etc) { - krb5->DeliverPacket(${val.mech_token}.length()-2, ${val.mech_token}.begin()+2, is_orig, 0, 0, 0); + krb5->DeliverPacket(${val.krb.blob}.length(), + ${val.krb.blob}.begin(), + is_orig, 0, 0, 0); } } diff --git a/src/analyzer/protocol/gssapi/gssapi-protocol.pac b/src/analyzer/protocol/gssapi/gssapi-protocol.pac index abd58d7a4d..a2df047ffd 100644 --- a/src/analyzer/protocol/gssapi/gssapi-protocol.pac +++ b/src/analyzer/protocol/gssapi/gssapi-protocol.pac 
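Review bot: The Kerberos branch of `forward_blob` now forwards `${val.krb.blob}` whenever `${val.has_krb}` is set, and the mechanism OID comparison and `0x0100` marker check from the removed lines have no replacement in this hunk. If `has_krb` depends only on the first token byte, as the companion gssapi-protocol.pac change suggests, any token starting with that byte reaches the KRB analyzer while `oid` and `token_id` are parsed but apparently unused. If that is intended, say so next to the branch, e.g. `// NOTE: mech OID and token_id are intentionally not validated here`; otherwise compare the parsed `oid` against the two Kerberos OIDs the old code accepted. `forward_blob` continues past the end of the hunk.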
@@ -50,7 +50,23 @@ type GSSAPI_NEG_TOKEN_RESP_Arg = record { }; type GSSAPI_NEG_TOKEN_MECH_TOKEN(is_orig: bool) = record { - meta : ASN1EncodingMeta; - mech_token : bytestring &length=meta.length; + meta : ASN1EncodingMeta; + token : bytestring &length=meta.length; +} &let { + ntlm : bytestring withinput token &if($context.connection.is_first_byte(token, 0x4E)) &restofdata; + krb : KRB_BLOB withinput token &if($context.connection.is_first_byte(token, 0x60)) &restofdata; }; +type KRB_BLOB = record { + meta : ASN1EncodingMeta; + oid : ASN1OctetString; + token_id : uint16 &byteorder=littleendian; + blob : bytestring &restofdata; +}; + +refine connection GSSAPI_Conn += { + function is_first_byte(token: bytestring, byte: uint8): bool + %{ + return token[0] == byte; + %} +}; diff --git a/src/analyzer/protocol/gssapi/gssapi.pac b/src/analyzer/protocol/gssapi/gssapi.pac index 07759e8daa..55b7fe4255 100644 --- a/src/analyzer/protocol/gssapi/gssapi.pac +++ b/src/analyzer/protocol/gssapi/gssapi.pac @@ -5,7 +5,6 @@ #include "analyzer/Manager.h" #include "analyzer/Analyzer.h" -#include "types.bif.h" #include "events.bif.h" %} diff --git a/src/analyzer/protocol/gssapi/types.bif b/src/analyzer/protocol/gssapi/types.bif deleted file mode 100644 index 996cee9ad8..0000000000 --- a/src/analyzer/protocol/gssapi/types.bif +++ /dev/null @@ -1 +0,0 @@ -# Empty. diff --git a/src/analyzer/protocol/gtpv1/GTPv1.h b/src/analyzer/protocol/gtpv1/GTPv1.h index d8a04bc0b0..d7487a2881 100644 --- a/src/analyzer/protocol/gtpv1/GTPv1.h +++ b/src/analyzer/protocol/gtpv1/GTPv1.h @@ -7,7 +7,7 @@ namespace analyzer { namespace gtpv1 { class GTPv1_Analyzer : public analyzer::Analyzer { public: - GTPv1_Analyzer(Connection* conn); + explicit GTPv1_Analyzer(Connection* conn); virtual ~GTPv1_Analyzer(); virtual void Done(); @@ -18,8 +18,6 @@ public: { return new GTPv1_Analyzer(conn); } protected: - void ExpireTimer(double t); - binpac::GTPv1::GTPv1_Conn* interp; }; 
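Review bot: `is_first_byte` indexes `token[0]` without checking that the token is non-empty, and `token` is declared with `&length=meta.length`, a length taken from the wire. For a zero-length mech token, both `&if` conditions on `ntlm` and `krb` would index an empty bytestring, which is an out-of-bounds read unless the bytestring `operator[]` bounds-checks (not visible here). Guarding the access is cheap: `return token.length() > 0 && token[0] == byte;`.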
diff --git a/src/analyzer/protocol/gtpv1/gtpv1-analyzer.pac b/src/analyzer/protocol/gtpv1/gtpv1-analyzer.pac index 23281c1bb8..c0d9b6e32f 100644 --- a/src/analyzer/protocol/gtpv1/gtpv1-analyzer.pac +++ b/src/analyzer/protocol/gtpv1/gtpv1-analyzer.pac @@ -740,6 +740,9 @@ flow GTPv1_Flow(is_orig: bool) a->ProtocolConfirmation(); } + else if ( result == -2 ) + violate("Invalid IP version in wrapped packet", pdu); + else if ( result < 0 ) violate("Truncated GTPv1", pdu); diff --git a/src/analyzer/protocol/http/HTTP.cc b/src/analyzer/protocol/http/HTTP.cc index c1f4320c04..4e1e5a2218 100644 --- a/src/analyzer/protocol/http/HTTP.cc +++ b/src/analyzer/protocol/http/HTTP.cc @@ -42,7 +42,7 @@ HTTP_Entity::HTTP_Entity(HTTP_Message *arg_message, MIME_Entity* parent_entity, http_message = arg_message; expect_body = arg_expect_body; chunked_transfer_state = NON_CHUNKED_TRANSFER; - content_length = -1; // unspecified + content_length = range_length = -1; // unspecified expect_data_length = 0; body_length = 0; header_length = 0; 
@@ -357,21 +357,33 @@ void HTTP_Entity::SetPlainDelivery(int64_t length) void HTTP_Entity::SubmitHeader(mime::MIME_Header* h) { - if ( mime::strcasecmp_n(h->get_name(), "content-length") == 0 ) + if ( mime::istrequal(h->get_name(), "content-length") ) { data_chunk_t vt = h->get_value_token(); if ( ! mime::is_null_data_chunk(vt) ) { int64_t n; if ( atoi_n(vt.length, vt.data, 0, 10, n) ) + { content_length = n; + + if ( is_partial_content && range_length != content_length ) + { + // Possible evasion attempt. + http_message->Weird("HTTP_range_not_matching_len"); + + // Take the maximum of both lengths to avoid evasions. + if ( range_length > content_length ) + content_length = range_length; + } + } else content_length = 0; } } // Figure out content-length for HTTP 206 Partial Content response - else if ( mime::strcasecmp_n(h->get_name(), "content-range") == 0 && + else if ( mime::istrequal(h->get_name(), "content-range") && http_message->MyHTTP_Analyzer()->HTTP_ReplyCode() == 206 ) { data_chunk_t vt = h->get_value_token(); @@ -432,7 +444,22 @@ void HTTP_Entity::SubmitHeader(mime::MIME_Header* h) is_partial_content = true; offset = f; - content_length = len; + range_length = len; + + if ( content_length > 0 ) + { + if ( content_length != range_length ) + { + // Possible evasion attempt. + http_message->Weird("HTTP_range_not_matching_len"); + + // Take the maximum of both lengths to avoid evasions. + if ( range_length > content_length ) + content_length = range_length; + } + } + else + content_length = range_length; } else { 
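Review bot: In the Content-Range branch of `HTTP_Entity::SubmitHeader`, the mismatch check is gated on `content_length > 0`, so a Content-Length of 0 seen before the range is handled like a missing Content-Length and `HTTP_range_not_matching_len` is not raised. `content_length` starts at -1 for "unspecified" (see the constructor hunk), so if the aim is to flag every disagreement between the two headers the gate would be `if ( content_length >= 0 )`; whether other code depends on the current treatment of 0 is not visible here. The compare, raise-weird and take-the-maximum sequence is also duplicated verbatim in the content-length branch and could move into one small private helper. The function body extends beyond both hunks.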
@@ -441,19 +468,25 @@ void HTTP_Entity::SubmitHeader(mime::MIME_Header* h) } } - else if ( mime::strcasecmp_n(h->get_name(), "transfer-encoding") == 0 ) + else if ( mime::istrequal(h->get_name(), "transfer-encoding") ) { + double http_version = 0; + if (http_message->analyzer->GetRequestOngoing()) + http_version = http_message->analyzer->GetRequestVersion(); + else // reply_ongoing + http_version = http_message->analyzer->GetReplyVersion(); + data_chunk_t vt = h->get_value_token(); - if ( mime::strcasecmp_n(vt, "chunked") == 0 ) + if ( mime::istrequal(vt, "chunked") && http_version == 1.1 ) chunked_transfer_state = BEFORE_CHUNK; } - else if ( mime::strcasecmp_n(h->get_name(), "content-encoding") == 0 ) + else if ( mime::istrequal(h->get_name(), "content-encoding") ) { data_chunk_t vt = h->get_value_token(); - if ( mime::strcasecmp_n(vt, "gzip") == 0 ) + if ( mime::istrequal(vt, "gzip") || mime::istrequal(vt, "x-gzip") ) encoding = GZIP; - if ( mime::strcasecmp_n(vt, "deflate") == 0 ) + if ( mime::istrequal(vt, "deflate") ) encoding = DEFLATE; } @@ -822,6 +855,9 @@ HTTP_Analyzer::HTTP_Analyzer(Connection* conn) connect_request = false; pia = 0; + upgraded = false; + upgrade_connection = false; + upgrade_protocol.clear(); content_line_orig = new tcp::ContentLine_Analyzer(conn, true); AddSupportAnalyzer(content_line_orig); @@ -879,6 +915,9 @@ void HTTP_Analyzer::DeliverStream(int len, const u_char* data, bool is_orig) if ( TCP() && TCP()->IsPartial() ) return; + if ( upgraded ) + return; + if ( pia ) { // There will be a PIA instance if this connection has been identified 
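Review bot: In the transfer-encoding branch, `http_version == 1.1` compares a `double` for exact equality and silently ignores `chunked` for every other version, with no weird raised. Whether `GetRequestVersion()` and `GetReplyVersion()` always yield a value bit-identical to the literal `1.1` depends on parsing code outside this hunk. When a message announces another version but still carries `Transfer-Encoding: chunked`, the analyzer and the endpoint may disagree about body framing, so the case should at least be recorded, e.g. `else if ( mime::istrequal(vt, "chunked") ) http_message->Weird("HTTP_chunked_for_non_1_1");` (weird name is a suggestion). The `else` arm also assumes a reply is ongoing whenever a request is not; the `// reply_ongoing` comment states that but nothing checks it.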
@@ -1468,15 +1507,35 @@ void HTTP_Analyzer::ReplyMade(const int interrupted, const char* msg) unanswered_requests.pop(); } - reply_code = 0; - if ( reply_reason_phrase ) { Unref(reply_reason_phrase); reply_reason_phrase = 0; } - if ( interrupted ) + // unanswered requests = 1 because there is no pop after 101. + if ( reply_code == 101 && unanswered_requests.size() == 1 && upgrade_connection && + upgrade_protocol.size() ) + { + // Upgraded connection that switches immediately - e.g. websocket. + upgraded = true; + RemoveSupportAnalyzer(content_line_orig); + RemoveSupportAnalyzer(content_line_resp); + + if ( http_connection_upgrade ) + { + val_list* vl = new val_list(); + vl->append(BuildConnVal()); + vl->append(new StringVal(upgrade_protocol)); + ConnectionEvent(http_connection_upgrade, vl); + } + } + + reply_code = 0; + upgrade_connection = false; + upgrade_protocol.clear(); + + if ( interrupted || upgraded ) reply_state = EXPECT_REPLY_NOTHING; else reply_state = EXPECT_REPLY_LINE; @@ -1590,11 +1649,11 @@ void HTTP_Analyzer::HTTP_Header(int is_orig, mime::MIME_Header* h) { #if 0 // ### Only call ParseVersion if we're tracking versions: - if ( strcasecmp_n(h->get_name(), "server") == 0 ) + if ( istrequal(h->get_name(), "server") ) ParseVersion(h->get_value(), (is_orig ? Conn()->OrigAddr() : Conn()->RespAddr()), false); - else if ( strcasecmp_n(h->get_name(), "user-agent") == 0 ) + else if ( istrequal(h->get_name(), "user-agent") ) ParseVersion(h->get_value(), (is_orig ? Conn()->OrigAddr() : Conn()->RespAddr()), true); #endif 
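Review bot: In `HTTP_Analyzer::ReplyMade`, the switch to `upgraded = true` is decided from reply-side state only (`reply_code == 101`, `upgrade_connection`, `upgrade_protocol`), and once it is set `DeliverStream` returns early and both content-line analyzers are removed. Nothing in the visible hunks checks that the request asked for an upgrade, so HTTP analysis ends for the rest of the connection based on the responder's headers alone. A weird for a 101 reply without a request-side Upgrade header would keep that case visible to detection scripts. The `unanswered_requests.size() == 1` condition also deserves a comment on what is expected when requests were pipelined. The function starts and ends outside the hunk.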
@@ -1603,19 +1662,25 @@ void HTTP_Analyzer::HTTP_Header(int is_orig, mime::MIME_Header* h) // side, and if seen assume the connection to be persistent. // This seems fairly safe - at worst, the client does indeed // send additional requests, and the server ignores them. - if ( is_orig && mime::strcasecmp_n(h->get_name(), "connection") == 0 ) + if ( is_orig && mime::istrequal(h->get_name(), "connection") ) { - if ( mime::strcasecmp_n(h->get_value_token(), "keep-alive") == 0 ) + if ( mime::istrequal(h->get_value_token(), "keep-alive") ) keep_alive = 1; } if ( ! is_orig && - mime::strcasecmp_n(h->get_name(), "connection") == 0 ) - { - if ( mime::strcasecmp_n(h->get_value_token(), "close") == 0 ) - connection_close = 1; + mime::istrequal(h->get_name(), "connection") ) + { + if ( mime::istrequal(h->get_value_token(), "close") ) + connection_close = 1; + else if ( mime::istrequal(h->get_value_token(), "upgrade") ) + upgrade_connection = true; } + if ( ! is_orig && + mime::istrequal(h->get_name(), "upgrade") ) + upgrade_protocol.assign(h->get_value_token().data, h->get_value_token().length); + if ( http_header ) { Rule::PatternType rule = @@ -1843,13 +1908,23 @@ BroString* analyzer::http::unescape_URI(const u_char* line, const u_char* line_e if ( line == line_end ) { - // How to deal with % at end of line? - // *URI_p++ = '%'; + *URI_p++ = '%'; if ( analyzer ) analyzer->Weird("illegal_%_at_end_of_URI"); break; } + else if ( line + 1 == line_end ) + { + // % + one character at end of line. Log weird + // and just add to unescpaped URI. + *URI_p++ = '%'; + *URI_p++ = *line; + if ( analyzer ) + analyzer->Weird("partial_escape_at_end_of_URI"); + break; + } + else if ( *line == '%' ) { // Double '%' might be either due to diff --git a/src/analyzer/protocol/http/HTTP.h b/src/analyzer/protocol/http/HTTP.h index d55c10c4c1..743f9965e7 100644 --- a/src/analyzer/protocol/http/HTTP.h +++ b/src/analyzer/protocol/http/HTTP.h 
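Review bot: The reply-side check `mime::istrequal(h->get_value_token(), "upgrade")` in `HTTP_Analyzer::HTTP_Header` compares a single token, while a Connection header may carry a comma-separated list. If `get_value_token()` returns only the first token (its definition is not in this hunk), a reply with `Connection: keep-alive, Upgrade` would not set `upgrade_connection`, and the analyzer would go on parsing the upgraded stream as HTTP. Either walk all tokens of the header value or document the limitation next to the check, e.g. `// only the first token of the Connection header is examined`. Separately, the comment added in the `unescape_URI` hunk has a typo: `unescpaped` should read `unescaped`.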
@@ -12,8 +12,6 @@ #include "IPAddr.h" #include "analyzer/protocol/http/events.bif.h" -#include "HTTP.h" - namespace analyzer { namespace http { enum CHUNKED_TRANSFER_STATE { @@ -34,14 +32,14 @@ class HTTP_Entity : public mime::MIME_Entity { public: HTTP_Entity(HTTP_Message* msg, MIME_Entity* parent_entity, int expect_body); - ~HTTP_Entity() + ~HTTP_Entity() override { if ( zip ) { zip->Done(); delete zip; } } - void EndOfData(); - void Deliver(int len, const char* data, int trailing_CRLF); + void EndOfData() override; + void Deliver(int len, const char* data, int trailing_CRLF) override; int Undelivered(int64_t len); int64_t BodyLength() const { return body_length; } int64_t HeaderLength() const { return header_length; } @@ -55,6 +53,7 @@ protected: HTTP_Message* http_message; int chunked_transfer_state; int64_t content_length; + int64_t range_length; int64_t expect_data_length; int expect_body; int64_t body_length; @@ -68,17 +67,17 @@ protected: bool send_size; // whether to send size indication to FAF std::string precomputed_file_id; - MIME_Entity* NewChildEntity() { return new HTTP_Entity(http_message, this, 1); } + MIME_Entity* NewChildEntity() override { return new HTTP_Entity(http_message, this, 1); } void DeliverBody(int len, const char* data, int trailing_CRLF); void DeliverBodyClear(int len, const char* data, int trailing_CRLF); - void SubmitData(int len, const char* buf); + void SubmitData(int len, const char* buf) override; void SetPlainDelivery(int64_t length); - void SubmitHeader(mime::MIME_Header* h); - void SubmitAllHeaders(); + void SubmitHeader(mime::MIME_Header* h) override; + void SubmitAllHeaders() override; }; enum { 
@@ -104,20 +103,20 @@ friend class HTTP_Entity; public: HTTP_Message(HTTP_Analyzer* analyzer, tcp::ContentLine_Analyzer* cl, bool is_orig, int expect_body, int64_t init_header_length); - ~HTTP_Message(); + ~HTTP_Message() override; void Done(const int interrupted, const char* msg); - void Done() { Done(0, "message ends normally"); } + void Done() override { Done(0, "message ends normally"); } int Undelivered(int64_t len); - void BeginEntity(mime::MIME_Entity* /* entity */); - void EndEntity(mime::MIME_Entity* entity); - void SubmitHeader(mime::MIME_Header* h); - void SubmitAllHeaders(mime::MIME_HeaderList& /* hlist */); - void SubmitData(int len, const char* buf); - int RequestBuffer(int* plen, char** pbuf); + void BeginEntity(mime::MIME_Entity* /* entity */) override; + void EndEntity(mime::MIME_Entity* entity) override; + void SubmitHeader(mime::MIME_Header* h) override; + void SubmitAllHeaders(mime::MIME_HeaderList& /* hlist */) override; + void SubmitData(int len, const char* buf) override; + int RequestBuffer(int* plen, char** pbuf) override; void SubmitAllData(); - void SubmitEvent(int event_type, const char* detail); + void SubmitEvent(int event_type, const char* detail) override; void SubmitTrailingHeaders(mime::MIME_HeaderList& /* hlist */); void SetPlainDelivery(int64_t length); @@ -153,9 +152,7 @@ protected: class HTTP_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: HTTP_Analyzer(Connection* conn); - ~HTTP_Analyzer(); - - void Undelivered(tcp::TCP_Endpoint* sender, uint64 seq, int len); + ~HTTP_Analyzer() override; void HTTP_Header(int is_orig, mime::MIME_Header* h); void HTTP_EntityData(int is_orig, BroString* entity_data); 
@@ -169,15 +166,20 @@ public: int HTTP_ReplyCode() const { return reply_code; }; // Overriden from Analyzer. - virtual void Done(); - virtual void DeliverStream(int len, const u_char* data, bool orig); - virtual void Undelivered(uint64 seq, int len, bool orig); + void Done() override; + void DeliverStream(int len, const u_char* data, bool orig) override; + void Undelivered(uint64 seq, int len, bool orig) override; // Overriden from tcp::TCP_ApplicationAnalyzer - virtual void EndpointEOF(bool is_orig); - virtual void ConnectionFinished(int half_finished); - virtual void ConnectionReset(); - virtual void PacketWithRST(); + void EndpointEOF(bool is_orig) override; + void ConnectionFinished(int half_finished) override; + void ConnectionReset() override; + void PacketWithRST() override; + + double GetRequestVersion() { return request_version; }; + double GetReplyVersion() { return reply_version; }; + int GetRequestOngoing() { return request_ongoing; }; + int GetReplyOngoing() { return reply_ongoing; }; static analyzer::Analyzer* Instantiate(Connection* conn) { return new HTTP_Analyzer(conn); } @@ -234,6 +236,13 @@ protected: bool connect_request; pia::PIA_TCP *pia; + // set to true after a connection was upgraded + bool upgraded; + // set to true when encountering an "connection" header in a reply. + bool upgrade_connection; + // set to the protocol string when encountering an "upgrade" header + // in a reply. + std::string upgrade_protocol; Val* request_method; diff --git a/src/analyzer/protocol/http/events.bif b/src/analyzer/protocol/http/events.bif index 7a509c6d54..ab005ba8d6 100644 --- a/src/analyzer/protocol/http/events.bif +++ b/src/analyzer/protocol/http/events.bif 
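Review bot: The comment added above `upgrade_connection` says it is set "when encountering an "connection" header in a reply", but the HTTP.cc change in this commit sets it only when that header's value token is `upgrade`. Suggested wording: `// set to true when a reply carries "Connection: upgrade"`. The four new accessors do not modify state and could be declared `const`, e.g. `double GetRequestVersion() const { return request_version; }`, which also drops the stray `;` after each body.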
@@ -19,7 +19,7 @@ ## ## .. bro:see:: http_all_headers http_begin_entity http_content_type http_end_entity ## http_entity_data http_event http_header http_message_done http_reply http_stats -## truncate_http_URI +## truncate_http_URI http_connection_upgrade event http_request%(c: connection, method: string, original_URI: string, unescaped_URI: string, version: string%); ## Generated for HTTP replies. Bro supports persistent and pipelined HTTP @@ -40,7 +40,7 @@ event http_request%(c: connection, method: string, original_URI: string, unescap ## ## .. bro:see:: http_all_headers http_begin_entity http_content_type http_end_entity ## http_entity_data http_event http_header http_message_done http_request -## http_stats +## http_stats http_connection_upgrade event http_reply%(c: connection, version: string, code: count, reason: string%); ## Generated for HTTP headers. Bro supports persistent and pipelined HTTP @@ -60,7 +60,7 @@ event http_reply%(c: connection, version: string, code: count, reason: string%); ## ## .. bro:see:: http_all_headers http_begin_entity http_content_type http_end_entity ## http_entity_data http_event http_message_done http_reply http_request -## http_stats +## http_stats http_connection_upgrade ## ## .. note:: This event is also raised for headers found in nested body ## entities. @@ -83,6 +83,7 @@ event http_header%(c: connection, is_orig: bool, name: string, value: string%); ## ## .. bro:see:: http_begin_entity http_content_type http_end_entity http_entity_data ## http_event http_header http_message_done http_reply http_request http_stats +## http_connection_upgrade ## ## .. note:: This event is also raised for headers found in nested body ## entities. 
@@ -104,7 +105,7 @@ event http_all_headers%(c: connection, is_orig: bool, hlist: mime_header_list%); ## ## .. bro:see:: http_all_headers http_content_type http_end_entity http_entity_data ## http_event http_header http_message_done http_reply http_request http_stats -## mime_begin_entity +## mime_begin_entity http_connection_upgrade event http_begin_entity%(c: connection, is_orig: bool%); ## Generated when finishing parsing an HTTP body entity. This event is generated @@ -123,7 +124,7 @@ event http_begin_entity%(c: connection, is_orig: bool%); ## ## .. bro:see:: http_all_headers http_begin_entity http_content_type http_entity_data ## http_event http_header http_message_done http_reply http_request -## http_stats mime_end_entity +## http_stats mime_end_entity http_connection_upgrade event http_end_entity%(c: connection, is_orig: bool%); ## Generated when parsing an HTTP body entity, passing on the data. This event @@ -152,6 +153,7 @@ event http_end_entity%(c: connection, is_orig: bool%); ## .. bro:see:: http_all_headers http_begin_entity http_content_type http_end_entity ## http_event http_header http_message_done http_reply http_request http_stats ## mime_entity_data http_entity_data_delivery_size skip_http_data +## http_connection_upgrade event http_entity_data%(c: connection, is_orig: bool, length: count, data: string%); ## Generated for reporting an HTTP body's content type. This event is @@ -173,6 +175,7 @@ event http_entity_data%(c: connection, is_orig: bool, length: count, data: strin ## ## .. bro:see:: http_all_headers http_begin_entity http_end_entity http_entity_data ## http_event http_header http_message_done http_reply http_request http_stats +## http_connection_upgrade ## ## .. note:: This event is also raised for headers found in nested body ## entities. 
@@ -198,6 +201,7 @@ event http_content_type%(c: connection, is_orig: bool, ty: string, subty: string ## ## .. bro:see:: http_all_headers http_begin_entity http_content_type http_end_entity ## http_entity_data http_event http_header http_reply http_request http_stats +## http_connection_upgrade event http_message_done%(c: connection, is_orig: bool, stat: http_message_stat%); ## Generated for errors found when decoding HTTP requests or replies. @@ -214,7 +218,7 @@ event http_message_done%(c: connection, is_orig: bool, stat: http_message_stat%) ## ## .. bro:see:: http_all_headers http_begin_entity http_content_type http_end_entity ## http_entity_data http_header http_message_done http_reply http_request -## http_stats mime_event +## http_stats mime_event http_connection_upgrade event http_event%(c: connection, event_type: string, detail: string%); ## Generated at the end of an HTTP session to report statistics about it. This @@ -228,5 +232,18 @@ event http_event%(c: connection, event_type: string, detail: string%); ## ## .. bro:see:: http_all_headers http_begin_entity http_content_type http_end_entity ## http_entity_data http_event http_header http_message_done http_reply -## http_request +## http_request http_connection_upgrade event http_stats%(c: connection, stats: http_stats_rec%); + +## Generated when a HTTP session is upgraded to a different protocol (e.g. websocket). +## This event is raised when a server replies with a HTTP 101 reply. No more HTTP events +## will be raised after this event. +## +## c: The connection. +## +## protocol: The protocol to which the connection is switching. +## +## .. bro:see:: http_all_headers http_begin_entity http_content_type http_end_entity +## http_entity_data http_event http_header http_message_done http_reply +## http_request +event http_connection_upgrade%(c: connection, protocol: string%); diff --git a/src/analyzer/protocol/icmp/ICMP.cc b/src/analyzer/protocol/icmp/ICMP.cc index 6a42e064d7..2dedca5ae1 100644 
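Review bot: The documentation of the new `http_connection_upgrade` event says it is raised "when a server replies with a HTTP 101 reply", which is broader than the condition in the HTTP.cc change of this commit: that code also requires `Connection: upgrade` in the reply, a non-empty `Upgrade` header, and exactly one unanswered request. Script writers who use this event to learn when HTTP analysis stops need the exact condition. I would add a line such as `## The event is only raised if the reply also carries "Connection: upgrade" and a non-empty Upgrade header.`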
--- a/src/analyzer/protocol/icmp/ICMP.cc +++ b/src/analyzer/protocol/icmp/ICMP.cc @@ -352,9 +352,9 @@ RecordVal* ICMP_Analyzer::ExtractICMP4Context(int len, const u_char*& data) RecordVal* id_val = new RecordVal(conn_id); id_val->Assign(0, new AddrVal(src_addr)); - id_val->Assign(1, new PortVal(src_port, proto)); + id_val->Assign(1, port_mgr->Get(src_port, proto)); id_val->Assign(2, new AddrVal(dst_addr)); - id_val->Assign(3, new PortVal(dst_port, proto)); + id_val->Assign(3, port_mgr->Get(dst_port, proto)); iprec->Assign(0, id_val); iprec->Assign(1, new Val(ip_len, TYPE_COUNT)); @@ -411,9 +411,9 @@ RecordVal* ICMP_Analyzer::ExtractICMP6Context(int len, const u_char*& data) RecordVal* id_val = new RecordVal(conn_id); id_val->Assign(0, new AddrVal(src_addr)); - id_val->Assign(1, new PortVal(src_port, proto)); + id_val->Assign(1, port_mgr->Get(src_port, proto)); id_val->Assign(2, new AddrVal(dst_addr)); - id_val->Assign(3, new PortVal(dst_port, proto)); + id_val->Assign(3, port_mgr->Get(dst_port, proto)); iprec->Assign(0, id_val); iprec->Assign(1, new Val(ip_len, TYPE_COUNT)); diff --git a/src/analyzer/protocol/icmp/ICMP.h b/src/analyzer/protocol/icmp/ICMP.h index 1de6a4afea..4fee289d5b 100644 --- a/src/analyzer/protocol/icmp/ICMP.h +++ b/src/analyzer/protocol/icmp/ICMP.h 
@@ -17,29 +17,25 @@ typedef enum { // RuleMatcherState to perform our own matching. class ICMP_Analyzer : public analyzer::TransportLayerAnalyzer { public: - ICMP_Analyzer(Connection* conn); + explicit ICMP_Analyzer(Connection* conn); - virtual void UpdateConnVal(RecordVal *conn_val); + void UpdateConnVal(RecordVal *conn_val) override; static analyzer::Analyzer* Instantiate(Connection* conn) { return new ICMP_Analyzer(conn); } protected: - ICMP_Analyzer(analyzer::Tag tag, Connection* conn); - - virtual void Done(); - virtual void DeliverPacket(int len, const u_char* data, bool orig, - uint64 seq, const IP_Hdr* ip, int caplen); - virtual bool IsReuse(double t, const u_char* pkt); - virtual unsigned int MemoryAllocation() const; + void Done() override; + void DeliverPacket(int len, const u_char* data, bool orig, + uint64 seq, const IP_Hdr* ip, int caplen) override; + bool IsReuse(double t, const u_char* pkt) override; + unsigned int MemoryAllocation() const override; void ICMP_Sent(const struct icmp* icmpp, int len, int caplen, int icmpv6, const u_char* data, const IP_Hdr* ip_hdr); void Echo(double t, const struct icmp* icmpp, int len, int caplen, const u_char*& data, const IP_Hdr* ip_hdr); - void Context(double t, const struct icmp* icmpp, int len, - int caplen, const u_char*& data, const IP_Hdr* ip_hdr); void Redirect(double t, const struct icmp* icmpp, int len, int caplen, const u_char*& data, const IP_Hdr* ip_hdr); void RouterAdvert(double t, const struct icmp* icmpp, int len, diff --git a/src/analyzer/protocol/ident/Ident.cc b/src/analyzer/protocol/ident/Ident.cc index f668be921c..27eafb5426 100644 --- a/src/analyzer/protocol/ident/Ident.cc +++ b/src/analyzer/protocol/ident/Ident.cc 
@@ -17,8 +17,8 @@ Ident_Analyzer::Ident_Analyzer(Connection* conn) { did_bad_reply = did_deliver = 0; - orig_ident = new tcp::ContentLine_Analyzer(conn, true); - resp_ident = new tcp::ContentLine_Analyzer(conn, false); + orig_ident = new tcp::ContentLine_Analyzer(conn, true, 1000); + resp_ident = new tcp::ContentLine_Analyzer(conn, false, 1000); orig_ident->SetIsNULSensitive(true); resp_ident->SetIsNULSensitive(true); @@ -82,8 +82,8 @@ void Ident_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig) val_list* vl = new val_list; vl->append(BuildConnVal()); - vl->append(new PortVal(local_port, TRANSPORT_TCP)); - vl->append(new PortVal(remote_port, TRANSPORT_TCP)); + vl->append(port_mgr->Get(local_port, TRANSPORT_TCP)); + vl->append(port_mgr->Get(remote_port, TRANSPORT_TCP)); ConnectionEvent(ident_request, vl); @@ -143,8 +143,8 @@ void Ident_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig) { val_list* vl = new val_list; vl->append(BuildConnVal()); - vl->append(new PortVal(local_port, TRANSPORT_TCP)); - vl->append(new PortVal(remote_port, TRANSPORT_TCP)); + vl->append(port_mgr->Get(local_port, TRANSPORT_TCP)); + vl->append(port_mgr->Get(remote_port, TRANSPORT_TCP)); vl->append(new StringVal(end_of_line - line, line)); ConnectionEvent(ident_error, vl); @@ -177,8 +177,8 @@ void Ident_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig) val_list* vl = new val_list; vl->append(BuildConnVal()); - vl->append(new PortVal(local_port, TRANSPORT_TCP)); - vl->append(new PortVal(remote_port, TRANSPORT_TCP)); + vl->append(port_mgr->Get(local_port, TRANSPORT_TCP)); + vl->append(port_mgr->Get(remote_port, TRANSPORT_TCP)); vl->append(new StringVal(end_of_line - line, line)); vl->append(new StringVal(sys_type_s)); diff --git a/src/analyzer/protocol/ident/Ident.h b/src/analyzer/protocol/ident/Ident.h index 07fe8c116f..daaef3fb38 100644 --- a/src/analyzer/protocol/ident/Ident.h +++ b/src/analyzer/protocol/ident/Ident.h 
@@ -10,10 +10,10 @@ namespace analyzer { namespace ident { class Ident_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: - Ident_Analyzer(Connection* conn); - virtual void Done(); + explicit Ident_Analyzer(Connection* conn); + void Done() override; - virtual void DeliverStream(int length, const u_char* data, bool is_orig); + void DeliverStream(int length, const u_char* data, bool is_orig) override; static analyzer::Analyzer* Instantiate(Connection* conn) { return new Ident_Analyzer(conn); } diff --git a/src/analyzer/protocol/imap/IMAP.h b/src/analyzer/protocol/imap/IMAP.h index e71770d360..631660d452 100644 --- a/src/analyzer/protocol/imap/IMAP.h +++ b/src/analyzer/protocol/imap/IMAP.h @@ -13,15 +13,15 @@ namespace analyzer { namespace imap { class IMAP_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: - IMAP_Analyzer(Connection* conn); - virtual ~IMAP_Analyzer(); + explicit IMAP_Analyzer(Connection* conn); + ~IMAP_Analyzer() override; - virtual void Done(); - virtual void DeliverStream(int len, const u_char* data, bool orig); - virtual void Undelivered(uint64 seq, int len, bool orig); + void Done() override; + void DeliverStream(int len, const u_char* data, bool orig) override; + void Undelivered(uint64 seq, int len, bool orig) override; // Overriden from tcp::TCP_ApplicationAnalyzer. - virtual void EndpointEOF(bool is_orig); + void EndpointEOF(bool is_orig) override; void StartTLS(); diff --git a/src/analyzer/protocol/interconn/InterConn.h b/src/analyzer/protocol/interconn/InterConn.h index 6ab7f138b2..04d5a2b5c6 100644 --- a/src/analyzer/protocol/interconn/InterConn.h +++ b/src/analyzer/protocol/interconn/InterConn.h @@ -11,7 +11,7 @@ namespace analyzer { namespace interconn { class InterConnEndpoint : public BroObj { public: - InterConnEndpoint(tcp::TCP_Endpoint* e); + explicit InterConnEndpoint(tcp::TCP_Endpoint* e); int DataSent(double t, uint64 seq, int len, int caplen, const u_char* data, const IP_Hdr* ip, const struct tcphdr* tp); 
@@ -42,11 +42,11 @@ protected: class InterConn_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: - InterConn_Analyzer(Connection* c); - ~InterConn_Analyzer(); + explicit InterConn_Analyzer(Connection* c); + ~InterConn_Analyzer() override; - virtual void Init(); - virtual void Done(); + void Init() override; + void Done() override; void StatTimer(double t, int is_expire); static analyzer::Analyzer* Instantiate(Connection* conn) @@ -55,9 +55,9 @@ public: protected: // We support both packet and stream input and can be put in place even // if the TCP analyzer is not yet reassembling. - virtual void DeliverPacket(int len, const u_char* data, bool is_orig, - uint64 seq, const IP_Hdr* ip, int caplen); - virtual void DeliverStream(int len, const u_char* data, bool is_orig); + void DeliverPacket(int len, const u_char* data, bool is_orig, + uint64 seq, const IP_Hdr* ip, int caplen) override; + void DeliverStream(int len, const u_char* data, bool is_orig) override; void StatEvent(); void RemoveEvent(); @@ -75,9 +75,9 @@ protected: class InterConnTimer : public Timer { public: InterConnTimer(double t, InterConn_Analyzer* a); - ~InterConnTimer(); + ~InterConnTimer() override; - void Dispatch(double t, int is_expire); + void Dispatch(double t, int is_expire) override; protected: InterConn_Analyzer* analyzer; diff --git a/src/analyzer/protocol/irc/IRC.cc b/src/analyzer/protocol/irc/IRC.cc index a26045f250..a69674eb50 100644 --- a/src/analyzer/protocol/irc/IRC.cc +++ b/src/analyzer/protocol/irc/IRC.cc @@ -21,9 +21,9 @@ IRC_Analyzer::IRC_Analyzer(Connection* conn) orig_zip_status = NO_ZIP; resp_zip_status = NO_ZIP; starttls = false; - cl_orig = new tcp::ContentLine_Analyzer(conn, true); + cl_orig = new tcp::ContentLine_Analyzer(conn, true, 1000); AddSupportAnalyzer(cl_orig); - cl_resp = new tcp::ContentLine_Analyzer(conn, false); + cl_resp = new tcp::ContentLine_Analyzer(conn, false, 1000); AddSupportAnalyzer(cl_resp); } 
diff --git a/src/analyzer/protocol/irc/IRC.h b/src/analyzer/protocol/irc/IRC.h index 497225846d..8981d2ee65 100644 --- a/src/analyzer/protocol/irc/IRC.h +++ b/src/analyzer/protocol/irc/IRC.h @@ -17,7 +17,7 @@ public: /** * \brief Constructor, builds a new analyzer object. */ - IRC_Analyzer(Connection* conn); + explicit IRC_Analyzer(Connection* conn); /** * \brief Called when connection is closed. diff --git a/src/analyzer/protocol/krb/KRB.cc b/src/analyzer/protocol/krb/KRB.cc index 0a123c3beb..4ee663dcf1 100644 --- a/src/analyzer/protocol/krb/KRB.cc +++ b/src/analyzer/protocol/krb/KRB.cc @@ -6,12 +6,52 @@ using namespace analyzer::krb; +bool KRB_Analyzer::krb_available = false; +#ifdef USE_KRB5 +krb5_context KRB_Analyzer::krb_context = nullptr; +krb5_keytab KRB_Analyzer::krb_keytab = nullptr; +std::once_flag KRB_Analyzer::krb_initialized; +#endif + KRB_Analyzer::KRB_Analyzer(Connection* conn) : Analyzer("KRB", conn) { interp = new binpac::KRB::KRB_Conn(this); +#ifdef USE_KRB5 + std::call_once(krb_initialized, Initialize_Krb); +#endif } +#ifdef USE_KRB5 +void KRB_Analyzer::Initialize_Krb() + { + if ( BifConst::KRB::keytab->Len() == 0 ) + return; // no keytab set + + const char* keytab_filename = BifConst::KRB::keytab->CheckString(); + if ( access(keytab_filename, R_OK) != 0 ) + { + reporter->Warning("KRB: Can't access keytab (%s)", keytab_filename); + return; + } + + krb5_error_code retval = krb5_init_context(&krb_context); + if ( retval ) + { + reporter->Warning("KRB: Couldn't initialize the context (%s)", krb5_get_error_message(krb_context, retval)); + return; + } + + retval = krb5_kt_resolve(krb_context, keytab_filename, &krb_keytab); + if ( retval ) + { + reporter->Warning("KRB: Couldn't resolve keytab (%s)", krb5_get_error_message(krb_context, retval)); + return; + } + krb_available = true; + } +#endif + KRB_Analyzer::~KRB_Analyzer() { delete interp; 
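Review bot: Both libkrb5 warning paths in `Initialize_Krb` pass the result of `krb5_get_error_message` straight to `reporter->Warning`, so the returned string is never handed back through `krb5_free_error_message`. The same pattern recurs in the warning paths of `GetAuthenticationInfo` in the next KRB.cc hunk, which runs for each AP-REQ the analyzer parses (see the krb-analyzer.pac change), so traffic whose tickets fail to decrypt leaks one message and emits one warning per ticket. Hold the message in a local and release it: `const char* msg = krb5_get_error_message(krb_context, retval);`, `reporter->Warning("KRB: Couldn't resolve keytab (%s)", msg);`, `krb5_free_error_message(krb_context, msg);`. On the `krb5_kt_resolve` failure path the context created just above also stays allocated; `krb5_free_context(krb_context)` there would release it.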
@@ -33,7 +73,64 @@ void KRB_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, } catch ( const binpac::Exception& e ) { - ProtocolViolation(e.c_msg()); + ProtocolViolation(fmt("Binpac exception: %s", e.c_msg())); } } +StringVal* KRB_Analyzer::GetAuthenticationInfo(const BroString* principal, const BroString* ciphertext, const bro_uint_t enctype) + { +#ifdef USE_KRB5 + if ( !krb_available ) + return nullptr; + + BroString delim("/"); + int pos = principal->FindSubstring(&delim); + if ( pos == -1 ) + { + reporter->Warning("KRB: Couldn't parse principal (%s)", principal->CheckString()); + return nullptr; + } + std::unique_ptr service = unique_ptr(principal->GetSubstring(0, pos)); + std::unique_ptr hostname = unique_ptr(principal->GetSubstring(pos + 1, -1)); + if ( !service || !hostname ) + { + reporter->Warning("KRB: Couldn't parse principal (%s)", principal->CheckString()); + return nullptr; + } + krb5_principal sprinc; + krb5_error_code retval = krb5_sname_to_principal(krb_context, hostname->CheckString(), service->CheckString(), KRB5_NT_SRV_HST, &sprinc); + if ( retval ) + { + reporter->Warning("KRB: Couldn't generate principal name (%s)", krb5_get_error_message(krb_context, retval)); + return nullptr; + } + + krb5_ticket tkt; + tkt.server = sprinc; + tkt.enc_part.enctype = enctype; + tkt.enc_part.ciphertext.data = reinterpret_cast(ciphertext->Bytes()); + tkt.enc_part.ciphertext.length = ciphertext->Len(); + + retval = krb5_server_decrypt_ticket_keytab(krb_context, krb_keytab, &tkt); + if ( retval ) + { + reporter->Warning("KRB: Couldn't decrypt ticket (%s)", krb5_get_error_message(krb_context, retval)); + return nullptr; + } + + char* cp; + retval = krb5_unparse_name(krb_context, tkt.enc_part2->client, &cp); + if ( retval ) + { + reporter->Warning("KRB: Couldn't unparse name (%s)", krb5_get_error_message(krb_context, retval)); + return nullptr; + } + StringVal* ret = new StringVal(cp); + + krb5_free_unparsed_name(krb_context, cp); + + return ret; 
+#else + return nullptr; +#endif + } diff --git a/src/analyzer/protocol/krb/KRB.h b/src/analyzer/protocol/krb/KRB.h index 392df5c13d..7eee46d838 100644 --- a/src/analyzer/protocol/krb/KRB.h +++ b/src/analyzer/protocol/krb/KRB.h @@ -5,12 +5,16 @@ #include "krb_pac.h" +#ifdef USE_KRB5 +#include +#endif + namespace analyzer { namespace krb { class KRB_Analyzer : public analyzer::Analyzer { public: - KRB_Analyzer(Connection* conn); + explicit KRB_Analyzer(Connection* conn); virtual ~KRB_Analyzer(); virtual void Done(); @@ -20,9 +24,20 @@ public: static analyzer::Analyzer* Instantiate(Connection* conn) { return new KRB_Analyzer(conn); } + StringVal* GetAuthenticationInfo(const BroString* principal, const BroString* ciphertext, const bro_uint_t enctype); + protected: binpac::KRB::KRB_Conn* interp; + +private: + static bool krb_available; +#ifdef USE_KRB5 + static std::once_flag krb_initialized; + static void Initialize_Krb(); + static krb5_context krb_context; + static krb5_keytab krb_keytab; +#endif }; } } // namespace analyzer::* diff --git a/src/analyzer/protocol/krb/KRB_TCP.cc b/src/analyzer/protocol/krb/KRB_TCP.cc index 865b3de1e4..27e964f2d7 100644 --- a/src/analyzer/protocol/krb/KRB_TCP.cc +++ b/src/analyzer/protocol/krb/KRB_TCP.cc @@ -53,7 +53,7 @@ void KRB_Analyzer::DeliverStream(int len, const u_char* data, bool orig) } catch ( const binpac::Exception& e ) { - ProtocolViolation(e.c_msg()); + ProtocolViolation(fmt("Binpac exception: %s", e.c_msg())); } } diff --git a/src/analyzer/protocol/krb/KRB_TCP.h b/src/analyzer/protocol/krb/KRB_TCP.h index 0dcf99ca97..f6c679be63 100644 --- a/src/analyzer/protocol/krb/KRB_TCP.h +++ b/src/analyzer/protocol/krb/KRB_TCP.h 
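Review bot: `GetAuthenticationInfo` never releases what it obtains from libkrb5: `sprinc` from `krb5_sname_to_principal` is not freed on any return path, and after a successful `krb5_server_decrypt_ticket_keytab` the decrypted `tkt.enc_part2` stays allocated. The function runs on data taken from the wire, so each AP-REQ adds to the heap and leaves decrypted ticket contents in memory. Add `krb5_free_principal(krb_context, sprinc);` before every return that follows the principal's creation, and `krb5_free_enc_tkt_part(krb_context, tkt.enc_part2);` once `krb5_unparse_name` has been called. `krb5_ticket tkt;` is also uninitialised apart from the four fields assigned, so members such as `enc_part.kvno` hold stack garbage that the library may consult when selecting a key (worth confirming against the libkrb5 in use); `krb5_ticket tkt = {};` avoids that.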
@@ -12,15 +12,17 @@ namespace analyzer { namespace krb_tcp { class KRB_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: - KRB_Analyzer(Connection* conn); - virtual ~KRB_Analyzer(); + explicit KRB_Analyzer(Connection* conn); + ~KRB_Analyzer() override; - virtual void Done(); - virtual void DeliverStream(int len, const u_char* data, bool orig); - virtual void Undelivered(uint64 seq, int len, bool orig); + void Done() override; + void DeliverStream(int len, const u_char* data, bool orig) override; + void Undelivered(uint64 seq, int len, bool orig) override; // Overriden from tcp::TCP_ApplicationAnalyzer. - virtual void EndpointEOF(bool is_orig); + void EndpointEOF(bool is_orig) override; + + StringVal* GetAuthenticationInfo(const BroString* principal, const BroString* ciphertext, const bro_uint_t enctype) { return new StringVal(""); } static analyzer::Analyzer* Instantiate(Connection* conn) { return new KRB_Analyzer(conn); } diff --git a/src/analyzer/protocol/krb/krb-analyzer.pac b/src/analyzer/protocol/krb/krb-analyzer.pac index 6390fb8fd0..7c59a6a99e 100644 --- a/src/analyzer/protocol/krb/krb-analyzer.pac +++ b/src/analyzer/protocol/krb/krb-analyzer.pac @@ -245,8 +245,12 @@ refine connection KRB_Conn += { rv->Assign(0, new Val(${msg.ap_options.use_session_key}, TYPE_BOOL)); rv->Assign(1, new Val(${msg.ap_options.mutual_required}, TYPE_BOOL)); + RecordVal* rvticket = proc_ticket(${msg.ticket}); + StringVal* authenticationinfo = bro_analyzer()->GetAuthenticationInfo(rvticket->Lookup(2)->AsString(), rvticket->Lookup(4)->AsString(), rvticket->Lookup(3)->AsCount()); + if ( authenticationinfo ) + rvticket->Assign(5, authenticationinfo); BifEvent::generate_krb_ap_request(bro_analyzer(), bro_analyzer()->Conn(), - proc_ticket(${msg.ticket}), rv); + rvticket, rv); } return true; %} diff --git a/src/analyzer/protocol/krb/krb-padata.pac b/src/analyzer/protocol/krb/krb-padata.pac index b178239f4d..271958fcb4 100644 --- a/src/analyzer/protocol/krb/krb-padata.pac 
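Review bot: The inline `GetAuthenticationInfo` added to the TCP analyzer returns `new StringVal("")`, while the UDP analyzer in KRB.cc returns `nullptr` whenever no client name is available. The caller shown in krb-analyzer.pac only tests the pointer (`if ( authenticationinfo )`), so, assuming the TCP parser shares that code, every ticket seen over TCP gets field 5 set to an empty string and scripts cannot tell "not decrypted" from an empty result. Returning `nullptr` here (`{ return nullptr; }`) keeps the two transports consistent. A comment stating that tickets carried over TCP are not decrypted would make the gap explicit.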
+++ b/src/analyzer/protocol/krb/krb-padata.pac @@ -75,8 +75,8 @@ VectorVal* proc_padata(const KRB_PA_Data_Sequence* data, const BroAnalyzer bro_a string file_id = file_mgr->HashHandle(file_handle.Description()); file_mgr->DataIn(reinterpret_cast(cert.data()), - cert.length(), bro_analyzer->GetAnalyzerTag(), - bro_analyzer->Conn(), true, file_id); + cert.length(), bro_analyzer->GetAnalyzerTag(), + bro_analyzer->Conn(), true, file_id, "application/x-x509-user-cert"); file_mgr->EndOfFile(file_id); break; @@ -99,8 +99,8 @@ VectorVal* proc_padata(const KRB_PA_Data_Sequence* data, const BroAnalyzer bro_a string file_id = file_mgr->HashHandle(file_handle.Description()); file_mgr->DataIn(reinterpret_cast(cert.data()), - cert.length(), bro_analyzer->GetAnalyzerTag(), - bro_analyzer->Conn(), false, file_id); + cert.length(), bro_analyzer->GetAnalyzerTag(), + bro_analyzer->Conn(), false, file_id, "application/x-x509-user-cert"); file_mgr->EndOfFile(file_id); break; diff --git a/src/analyzer/protocol/krb/krb-protocol.pac b/src/analyzer/protocol/krb/krb-protocol.pac index a237f6b0fa..8f68bebe0d 100644 --- a/src/analyzer/protocol/krb/krb-protocol.pac +++ b/src/analyzer/protocol/krb/krb-protocol.pac @@ -136,8 +136,8 @@ type KRB_AP_REQ(is_orig: bool) = record { type KRB_AP_Options = record { meta : SequenceElement(false); - flags : uint32; : padding[1]; + flags : uint32; } &let { reserved : bool = (flags & 0x80000000) > 0; use_session_key : bool = (flags & 0x40000000) > 0; diff --git a/src/analyzer/protocol/krb/krb-types.pac b/src/analyzer/protocol/krb/krb-types.pac index a5b2eb1041..3b3b9d1f09 100644 --- a/src/analyzer/protocol/krb/krb-types.pac +++ b/src/analyzer/protocol/krb/krb-types.pac 
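Review bot: Nothing in `KRB_AP_Options` says why the one-byte `padding[1]` has to come before `flags`, and that ordering is the whole fix in this hunk. AP-Options is a KerberosFlags BIT STRING, whose encoding starts with an unused-bits octet ahead of the flag bytes, so a short comment keeps the fields from being swapped back: `: padding[1]; # BIT STRING unused-bits octet precedes the flag bytes`. The record's `&let` block continues past the end of the hunk.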
@@ -95,6 +95,7 @@ RecordVal* proc_ticket(const KRB_Ticket* ticket) rv->Assign(1, bytestring_to_val(ticket->realm()->data()->content())); rv->Assign(2, GetStringFromPrincipalName(ticket->sname())); rv->Assign(3, asn1_integer_to_val(ticket->enc_part()->data()->etype()->data(), TYPE_COUNT)); + rv->Assign(4, bytestring_to_val(ticket->enc_part()->data()->ciphertext()->encoding()->content())); return rv; } @@ -161,7 +162,7 @@ type KRB_Encrypted_Data = record { true -> next_meta: ASN1EncodingMeta; false -> none_meta: empty; }; - ciphertext : bytestring &length=have_kvno ? next_meta.length : kvno_meta.length; + ciphertext : ASN1OctetString &length=have_kvno ? next_meta.length : kvno_meta.length; } &let { have_kvno : bool = kvno_meta.index == 1; }; diff --git a/src/analyzer/protocol/krb/krb.pac b/src/analyzer/protocol/krb/krb.pac index 508fb78a7a..9a3b290ad1 100644 --- a/src/analyzer/protocol/krb/krb.pac +++ b/src/analyzer/protocol/krb/krb.pac @@ -4,14 +4,22 @@ %extern{ #include "types.bif.h" #include "events.bif.h" + +namespace analyzer { namespace krb { class KRB_Analyzer; } } +namespace binpac { namespace KRB { class KRB_Conn; } } +typedef analyzer::krb::KRB_Analyzer* KRBAnalyzer; + +#include "KRB.h" %} +extern type KRBAnalyzer; + analyzer KRB withcontext { connection: KRB_Conn; flow: KRB_Flow; }; -connection KRB_Conn(bro_analyzer: BroAnalyzer) { +connection KRB_Conn(bro_analyzer: KRBAnalyzer) { upflow = KRB_Flow(true); downflow = KRB_Flow(false); }; diff --git a/src/analyzer/protocol/krb/krb_TCP.pac b/src/analyzer/protocol/krb/krb_TCP.pac index 6748c5fcbb..6611a549e4 100644 --- a/src/analyzer/protocol/krb/krb_TCP.pac +++ b/src/analyzer/protocol/krb/krb_TCP.pac 
@@ -4,14 +4,22 @@ %extern{ #include "types.bif.h" #include "events.bif.h" + +namespace analyzer { namespace krb_tcp { class KRB_Analyzer; } } +namespace binpac { namespace KRB_TCP { class KRB_Conn; } } +typedef analyzer::krb_tcp::KRB_Analyzer* KRBTCPAnalyzer; + +#include "KRB_TCP.h" %} +extern type KRBTCPAnalyzer; + analyzer KRB_TCP withcontext { connection: KRB_Conn; flow: KRB_Flow; }; -connection KRB_Conn(bro_analyzer: BroAnalyzer) { +connection KRB_Conn(bro_analyzer: KRBTCPAnalyzer) { upflow = KRB_Flow(true); downflow = KRB_Flow(false); }; diff --git a/src/analyzer/protocol/krb/types.bif b/src/analyzer/protocol/krb/types.bif index 8393adbf3c..11a80781f8 100644 --- a/src/analyzer/protocol/krb/types.bif +++ b/src/analyzer/protocol/krb/types.bif @@ -1,5 +1,7 @@ module KRB; +const keytab: string; + type Error_Msg: record; type SAFE_Msg: record; diff --git a/src/analyzer/protocol/login/Login.h b/src/analyzer/protocol/login/Login.h index 25d1b24005..a17b636685 100644 --- a/src/analyzer/protocol/login/Login.h +++ b/src/analyzer/protocol/login/Login.h @@ -24,16 +24,16 @@ typedef enum { class Login_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: Login_Analyzer(const char* name, Connection* conn); - ~Login_Analyzer(); + ~Login_Analyzer() override; - virtual void DeliverStream(int len, const u_char* data, bool orig); + void DeliverStream(int len, const u_char* data, bool orig) override; - virtual void SetEnv(bool orig, char* name, char* val); + void SetEnv(bool orig, char* name, char* val) override; login_state LoginState() const { return state; } void SetLoginState(login_state s) { state = s; } - virtual void EndpointEOF(bool is_orig); + void EndpointEOF(bool is_orig) override; protected: void NewLine(bool orig, char* line); diff --git a/src/analyzer/protocol/login/NVT.h b/src/analyzer/protocol/login/NVT.h index 3bcadcdc8e..c967962953 100644 --- a/src/analyzer/protocol/login/NVT.h +++ b/src/analyzer/protocol/login/NVT.h 
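Review bot: `const keytab: string;` in types.bif is declared without any comment, although it names a file of long-term service keys that `Initialize_Krb` in KRB.cc loads in order to decrypt tickets. A `##` comment here, or on the script-level definition if that is where this project documents such constants, should state the contract that KRB.cc implements, e.g. `## Path to a keytab used to decrypt service tickets; an empty string disables decryption.` followed by `## The file holds long-term keys and should be readable only by the account running Bro.` The empty-string behaviour comes from the `keytab->Len() == 0` early return in `Initialize_Krb`.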
@@ -61,19 +61,19 @@ protected: class TelnetTerminalOption : public TelnetOption { public: - TelnetTerminalOption(NVT_Analyzer* arg_endp) + explicit TelnetTerminalOption(NVT_Analyzer* arg_endp) : TelnetOption(arg_endp, TELNET_OPTION_TERMINAL) { } - void RecvSubOption(u_char* data, int len); + void RecvSubOption(u_char* data, int len) override; }; class TelnetEncryptOption : public TelnetOption { public: - TelnetEncryptOption(NVT_Analyzer* arg_endp) + explicit TelnetEncryptOption(NVT_Analyzer* arg_endp) : TelnetOption(arg_endp, TELNET_OPTION_ENCRYPT) { did_encrypt_request = doing_encryption = 0; } - void RecvSubOption(u_char* data, int len); + void RecvSubOption(u_char* data, int len) override; int DidRequest() const { return did_encrypt_request; } int DoingEncryption() const { return doing_encryption; } @@ -85,11 +85,11 @@ protected: class TelnetAuthenticateOption : public TelnetOption { public: - TelnetAuthenticateOption(NVT_Analyzer* arg_endp) + explicit TelnetAuthenticateOption(NVT_Analyzer* arg_endp) : TelnetOption(arg_endp, TELNET_OPTION_AUTHENTICATE) { authentication_requested = 0; } - void RecvSubOption(u_char* data, int len); + void RecvSubOption(u_char* data, int len) override; int DidRequestAuthentication() const { return authentication_requested; } @@ -101,11 +101,11 @@ protected: class TelnetEnvironmentOption : public TelnetOption { public: - TelnetEnvironmentOption(NVT_Analyzer* arg_endp) + explicit TelnetEnvironmentOption(NVT_Analyzer* arg_endp) : TelnetOption(arg_endp, TELNET_OPTION_ENVIRON) { } - void RecvSubOption(u_char* data, int len); + void RecvSubOption(u_char* data, int len) override; protected: char* ExtractEnv(u_char*& data, int& len, int& code); 
@@ -113,20 +113,20 @@ protected: class TelnetBinaryOption : public TelnetOption { public: - TelnetBinaryOption(NVT_Analyzer* arg_endp) + explicit TelnetBinaryOption(NVT_Analyzer* arg_endp) : TelnetOption(arg_endp, TELNET_OPTION_BINARY) { } - void SetActive(int is_active); + void SetActive(int is_active) override; protected: - void InconsistentOption(unsigned int type); + void InconsistentOption(unsigned int type) override; }; class NVT_Analyzer : public tcp::ContentLine_Analyzer { public: NVT_Analyzer(Connection* conn, bool orig); - ~NVT_Analyzer(); + ~NVT_Analyzer() override; TelnetOption* FindOption(unsigned int code); TelnetOption* FindPeerOption(unsigned int code); @@ -146,7 +146,7 @@ public: { return authentication_has_been_accepted; } protected: - void DoDeliver(int len, const u_char* data); + void DoDeliver(int len, const u_char* data) override; void ScanOption(int seq, int len, const u_char* data); virtual void SawOption(unsigned int code); diff --git a/src/analyzer/protocol/login/RSH.h b/src/analyzer/protocol/login/RSH.h index 3f6e9851f1..44a9609a53 100644 --- a/src/analyzer/protocol/login/RSH.h +++ b/src/analyzer/protocol/login/RSH.h @@ -26,12 +26,12 @@ class Rsh_Analyzer; class Contents_Rsh_Analyzer : public tcp::ContentLine_Analyzer { public: Contents_Rsh_Analyzer(Connection* conn, bool orig, Rsh_Analyzer* analyzer); - ~Contents_Rsh_Analyzer(); + ~Contents_Rsh_Analyzer() override; rsh_state RshSaveState() const { return save_state; } protected: - virtual void DoDeliver(int len, const u_char* data); + void DoDeliver(int len, const u_char* data) override; void BadProlog(); rsh_state state, save_state; 
@@ -42,9 +42,9 @@ protected: class Rsh_Analyzer : public Login_Analyzer { public: - Rsh_Analyzer(Connection* conn); + explicit Rsh_Analyzer(Connection* conn); - virtual void DeliverStream(int len, const u_char* data, bool orig); + void DeliverStream(int len, const u_char* data, bool orig) override; void ClientUserName(const char* s); void ServerUserName(const char* s); diff --git a/src/analyzer/protocol/login/Rlogin.h b/src/analyzer/protocol/login/Rlogin.h index 0e8a7eb93b..ffce6214ea 100644 --- a/src/analyzer/protocol/login/Rlogin.h +++ b/src/analyzer/protocol/login/Rlogin.h @@ -35,7 +35,7 @@ class Contents_Rlogin_Analyzer : public tcp::ContentLine_Analyzer { public: Contents_Rlogin_Analyzer(Connection* conn, bool orig, Rlogin_Analyzer* analyzer); - ~Contents_Rlogin_Analyzer(); + ~Contents_Rlogin_Analyzer() override; void SetPeer(Contents_Rlogin_Analyzer* arg_peer) { peer = arg_peer; } @@ -44,7 +44,7 @@ public: { return state; } protected: - void DoDeliver(int len, const u_char* data); + void DoDeliver(int len, const u_char* data) override; void BadProlog(); rlogin_state state, save_state; @@ -56,7 +56,7 @@ protected: class Rlogin_Analyzer : public Login_Analyzer { public: - Rlogin_Analyzer(Connection* conn); + explicit Rlogin_Analyzer(Connection* conn); void ClientUserName(const char* s); void ServerUserName(const char* s); diff --git a/src/analyzer/protocol/login/Telnet.h b/src/analyzer/protocol/login/Telnet.h index 936d7a8427..3bafff8e78 100644 --- a/src/analyzer/protocol/login/Telnet.h +++ b/src/analyzer/protocol/login/Telnet.h @@ -9,8 +9,8 @@ namespace analyzer { namespace login { class Telnet_Analyzer : public Login_Analyzer { public: - Telnet_Analyzer(Connection* conn); - virtual ~Telnet_Analyzer() {} + explicit Telnet_Analyzer(Connection* conn); + ~Telnet_Analyzer() override {} static analyzer::Analyzer* Instantiate(Connection* conn) { return new Telnet_Analyzer(conn); } 
diff --git a/src/analyzer/protocol/mime/MIME.cc b/src/analyzer/protocol/mime/MIME.cc index bcdfe03248..19d3dbe5d3 100644 --- a/src/analyzer/protocol/mime/MIME.cc +++ b/src/analyzer/protocol/mime/MIME.cc @@ -146,9 +146,14 @@ void MIME_Mail::Undelivered(int len) is_orig, cur_entity_id); } -int strcasecmp_n(data_chunk_t s, const char* t) +bool istrequal(data_chunk_t s, const char* t) { - return strncasecmp(s.data, t, s.length); + int len = strlen(t); + + if ( s.length != len ) + return false; + + return strncasecmp(s.data, t, len) == 0; } int MIME_count_leading_lws(int len, const char* data) @@ -751,7 +756,7 @@ int MIME_Entity::LookupMIMEHeaderName(data_chunk_t name) // header names are case-insensitive (RFC 822, 2822, 2045). for ( int i = 0; MIMEHeaderName[i] != 0; ++i ) - if ( strcasecmp_n(name, MIMEHeaderName[i]) == 0 ) + if ( istrequal(name, MIMEHeaderName[i]) ) return i; return -1; } @@ -876,7 +881,7 @@ int MIME_Entity::ParseFieldParameters(int len, const char* data) if ( current_field_type == MIME_CONTENT_TYPE && content_type == CONTENT_TYPE_MULTIPART && - strcasecmp_n(attr, "boundary") == 0 ) + istrequal(attr, "boundary") ) { // token or quoted-string (and some lenience for characters // not explicitly allowed by the RFC, but encountered in the wild) @@ -915,13 +920,13 @@ void MIME_Entity::ParseContentType(data_chunk_t type, data_chunk_t sub_type) { int i; for ( i = 0; MIMEContentTypeName[i]; ++i ) - if ( strcasecmp_n(type, MIMEContentTypeName[i]) == 0 ) + if ( istrequal(type, MIMEContentTypeName[i]) ) break; content_type = i; for ( i = 0; MIMEContentSubtypeName[i]; ++i ) - if ( strcasecmp_n(sub_type, MIMEContentSubtypeName[i]) == 0 ) + if ( istrequal(sub_type, MIMEContentSubtypeName[i]) ) break; content_subtype = i; 
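Review bot: `istrequal` has no comment stating its contract, and the contract is exactly what changed in the first MIME.cc hunk. The old `strcasecmp_n` compared only `s.length` bytes, so a chunk that was merely a prefix of `t` compared equal, whereas the new function also requires the lengths to match; this affects header-name, content-type, encoding and `boundary` matching at the call sites updated in the later hunks. Record it above the definition, e.g. `// True iff chunk s and NUL-terminated t have equal length and match case-insensitively; a prefix of t no longer matches.`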
@@ -942,8 +947,7 @@ void MIME_Entity::ParseContentEncoding(data_chunk_t encoding_mechanism) { int i; for ( i = 0; MIMEContentEncodingName[i]; ++i ) - if ( strcasecmp_n(encoding_mechanism, - MIMEContentEncodingName[i]) == 0 ) + if ( istrequal(encoding_mechanism, MIMEContentEncodingName[i]) ) break; content_encoding = i; diff --git a/src/analyzer/protocol/mime/MIME.h b/src/analyzer/protocol/mime/MIME.h index 8c7fdd4326..a9ef89b932 100644 --- a/src/analyzer/protocol/mime/MIME.h +++ b/src/analyzer/protocol/mime/MIME.h @@ -65,7 +65,7 @@ protected: class MIME_Header { public: - MIME_Header(MIME_Multiline* hl); + explicit MIME_Header(MIME_Multiline* hl); ~MIME_Header(); data_chunk_t get_name() const { return name; } @@ -181,7 +181,7 @@ protected: class MIME_Message { public: - MIME_Message(analyzer::Analyzer* arg_analyzer) + explicit MIME_Message(analyzer::Analyzer* arg_analyzer) { // Cannot initialize top_level entity because we do // not know its type yet (MIME_Entity / MIME_Mail / @@ -231,17 +231,17 @@ protected: class MIME_Mail : public MIME_Message { public: MIME_Mail(analyzer::Analyzer* mail_conn, bool is_orig, int buf_size = 0); - ~MIME_Mail(); - void Done(); + ~MIME_Mail() override; + void Done() override; - void BeginEntity(MIME_Entity* entity); - void EndEntity(MIME_Entity* entity); - void SubmitHeader(MIME_Header* h); - void SubmitAllHeaders(MIME_HeaderList& hlist); - void SubmitData(int len, const char* buf); - int RequestBuffer(int* plen, char** pbuf); + void BeginEntity(MIME_Entity* entity) override; + void EndEntity(MIME_Entity* entity) override; + void SubmitHeader(MIME_Header* h) override; + void SubmitAllHeaders(MIME_HeaderList& hlist) override; + void SubmitData(int len, const char* buf) override; + int RequestBuffer(int* plen, char** pbuf) override; void SubmitAllData(); - void SubmitEvent(int event_type, const char* detail); + void SubmitEvent(int event_type, const char* detail) override; void Undelivered(int len); protected: 
@@ -268,7 +268,7 @@ extern StringVal* new_string_val(int length, const char* data); extern StringVal* new_string_val(const char* data, const char* end_of_data); extern StringVal* new_string_val(const data_chunk_t buf); extern int fputs(data_chunk_t b, FILE* fp); -extern int strcasecmp_n(data_chunk_t s, const char* t); +extern bool istrequal(data_chunk_t s, const char* t); extern int is_lws(char ch); extern int MIME_is_field_name_char(char ch); extern int MIME_count_leading_lws(int len, const char* data); @@ -283,6 +283,6 @@ extern int MIME_get_value(int len, const char* data, BroString*& buf, extern int MIME_get_field_name(int len, const char* data, data_chunk_t* name); extern BroString* MIME_decode_quoted_pairs(data_chunk_t buf); -} } // namespace analyzer::* +} } // namespace analyzer::* #endif diff --git a/src/analyzer/protocol/modbus/Modbus.h b/src/analyzer/protocol/modbus/Modbus.h index b60331fea9..c871e37610 100644 --- a/src/analyzer/protocol/modbus/Modbus.h +++ b/src/analyzer/protocol/modbus/Modbus.h @@ -8,14 +8,14 @@ namespace analyzer { namespace modbus { class ModbusTCP_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: - ModbusTCP_Analyzer(Connection* conn); - virtual ~ModbusTCP_Analyzer(); + explicit ModbusTCP_Analyzer(Connection* conn); + ~ModbusTCP_Analyzer() override; - virtual void Done(); - virtual void DeliverStream(int len, const u_char* data, bool orig); + void Done() override; + void DeliverStream(int len, const u_char* data, bool orig) override; - virtual void Undelivered(uint64 seq, int len, bool orig); - virtual void EndpointEOF(bool is_orig); + void Undelivered(uint64 seq, int len, bool orig) override; + void EndpointEOF(bool is_orig) override; static analyzer::Analyzer* Instantiate(Connection* conn) { return new ModbusTCP_Analyzer(conn); } diff --git a/src/analyzer/protocol/modbus/modbus-protocol.pac b/src/analyzer/protocol/modbus/modbus-protocol.pac index e5b92169b4..e49b1c62e6 100644 
--- a/src/analyzer/protocol/modbus/modbus-protocol.pac +++ b/src/analyzer/protocol/modbus/modbus-protocol.pac @@ -154,7 +154,7 @@ type Exception(header: ModbusTCP_TransportHeader) = record { # REQUEST FC=1 type ReadCoilsRequest(header: ModbusTCP_TransportHeader) = record { start_address: uint16; - quantity: uint16 &check(quantity <= 2000); + quantity: uint16; # &check(quantity <= 2000); } &let { deliver: bool = $context.flow.deliver_ReadCoilsRequest(header, this); } &byteorder=bigendian; @@ -170,7 +170,7 @@ type ReadCoilsResponse(header: ModbusTCP_TransportHeader) = record { # REQUEST FC=2 type ReadDiscreteInputsRequest(header: ModbusTCP_TransportHeader) = record { start_address: uint16; - quantity: uint16 &check(quantity <= 2000); + quantity: uint16; # &check(quantity <= 2000); } &let { deliver: bool = $context.flow.deliver_ReadDiscreteInputsRequest(header, this); } &byteorder=bigendian; @@ -186,7 +186,7 @@ type ReadDiscreteInputsResponse(header: ModbusTCP_TransportHeader) = record { # REQUEST FC=3 type ReadHoldingRegistersRequest(header: ModbusTCP_TransportHeader) = record { start_address: uint16; - quantity: uint16 &check(1 <= quantity && quantity <= 125); + quantity: uint16; # &check(quantity <= 125); } &let { deliver: bool = $context.flow.deliver_ReadHoldingRegistersRequest(header, this); } &byteorder=bigendian; @@ -202,7 +202,7 @@ type ReadHoldingRegistersResponse(header: ModbusTCP_TransportHeader) = record { # REQUEST FC=4 type ReadInputRegistersRequest(header: ModbusTCP_TransportHeader) = record { start_address: uint16; - quantity: uint16 &check(1 <= quantity && quantity <= 125); + quantity: uint16; # &check(quantity <= 125); } &let { deliver: bool = $context.flow.deliver_ReadInputRegistersRequest(header, this); } &byteorder=bigendian; 
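Review bot: The `&check(...)` attributes are commented out across the request and response records of this file (these hunks and the ones that follow, through `ReadFIFOQueueResponse`) with no comment saying why, and some of the leftover comments no longer match the constraint that was removed. `ReadHoldingRegistersRequest` and `ReadInputRegistersRequest` had `1 <= quantity && quantity <= 125` but now carry `# &check(quantity <= 125)`, and `ReadFileRecordRequest.byte_count` lost its `>= 0x07` lower bound in the comment. With the checks gone, out-of-range quantities, coil values and byte counts reach the `deliver_*` handlers unflagged, so range validation has to live in the script layer if malformed Modbus is to be noticed. Keep the original expressions verbatim in the comments and add one header comment giving the reason, e.g. `# &check disabled: <reason>; spec ranges kept in comments for reference`.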
@@ -218,7 +218,7 @@ type ReadInputRegistersResponse(header: ModbusTCP_TransportHeader) = record { # REQUEST FC=5 type WriteSingleCoilRequest(header: ModbusTCP_TransportHeader) = record { address: uint16; - value: uint16 &check(value == 0x0000 || value == 0xFF00); + value: uint16; # &check(value == 0x0000 || value == 0xFF00); } &let { deliver: bool = $context.flow.deliver_WriteSingleCoilRequest(header, this); } &byteorder=bigendian; @@ -226,7 +226,7 @@ type WriteSingleCoilRequest(header: ModbusTCP_TransportHeader) = record { # RESPONSE FC=5 type WriteSingleCoilResponse(header: ModbusTCP_TransportHeader) = record { address: uint16; - value: uint16 &check(value == 0x0000 || value == 0xFF00); + value: uint16; # &check(value == 0x0000 || value == 0xFF00); } &let { deliver: bool = $context.flow.deliver_WriteSingleCoilResponse(header, this); } &byteorder=bigendian; @@ -250,8 +250,8 @@ type WriteSingleRegisterResponse(header: ModbusTCP_TransportHeader) = record { # REQUEST FC=15 type WriteMultipleCoilsRequest(header: ModbusTCP_TransportHeader) = record { start_address: uint16; - quantity: uint16 &check(quantity <= 0x07B0); - byte_count: uint8 &check(byte_count == (quantity + 7)/8); + quantity: uint16; # &check(quantity <= 0x07B0); + byte_count: uint8; # &check(byte_count == (quantity + 7)/8); coils: bytestring &length=byte_count; } &let { deliver: bool = $context.flow.deliver_WriteMultipleCoilsRequest(header, this); @@ -260,7 +260,7 @@ type WriteMultipleCoilsRequest(header: ModbusTCP_TransportHeader) = record { # RESPONSE FC=15 type WriteMultipleCoilsResponse(header: ModbusTCP_TransportHeader) = record { start_address: uint16; - quantity: uint16 &check(quantity <= 0x07B0); + quantity: uint16; # &check(quantity <= 0x07B0); } &let { deliver: bool = $context.flow.deliver_WriteMultipleCoilsResponse(header, this); } &byteorder=bigendian; 
@@ -287,15 +287,15 @@ type WriteMultipleRegistersResponse(header: ModbusTCP_TransportHeader) = record # Support data structure for following message type. type FileRecordRequest = record { - ref_type: uint8 &check(ref_type == 6); - file_num: uint16 &check(file_num > 0); - record_num: uint16 &check(record_num <= 0x270F); + ref_type: uint8; # &check(ref_type == 6); + file_num: uint16; # &check(file_num > 0); + record_num: uint16; # &check(record_num <= 0x270F); record_len: uint16; } &byteorder=bigendian; # REQUEST FC=20 type ReadFileRecordRequest(header: ModbusTCP_TransportHeader) = record { - byte_count: uint8 &check(byte_count >= 0x07 && byte_count <= 0xF5); + byte_count: uint8; # &check(byte_count <= 0xF5); references: FileRecordRequest[] &length=byte_count; } &let { deliver: bool = $context.flow.deliver_ReadFileRecordRequest(header, this); @@ -303,14 +303,14 @@ type ReadFileRecordRequest(header: ModbusTCP_TransportHeader) = record { # Support data structure for the following message type. type FileRecordResponse = record { - file_len: uint8 &check(file_len >= 0x07 && file_len <= 0xF5); - ref_type: uint8 &check(ref_type == 6); + file_len: uint8; # &check(file_len >= 0x07 && file_len <= 0xF5); + ref_type: uint8; # &check(ref_type == 6); record_data: uint16[file_len/2] &length=file_len; } &byteorder=bigendian; # RESPONSE FC=20 type ReadFileRecordResponse(header: ModbusTCP_TransportHeader) = record { - byte_count: uint8 &check(byte_count >= 0x07 && byte_count <= 0xF5); + byte_count: uint8; # &check(byte_count >= 0x07 && byte_count <= 0xF5); references: FileRecordResponse[] &length=byte_count; } &let { deliver: bool = $context.flow.deliver_ReadFileRecordResponse(header, this); 
@@ -362,9 +362,9 @@ type MaskWriteRegisterResponse(header: ModbusTCP_TransportHeader) = record { # REQUEST FC=23 type ReadWriteMultipleRegistersRequest(header: ModbusTCP_TransportHeader) = record { read_start_address: uint16; - read_quantity: uint16 &check(read_quantity <= 125); + read_quantity: uint16; # &check(read_quantity <= 125); write_start_address: uint16; - write_quantity: uint16 &check(write_quantity <= 100); + write_quantity: uint16; # &check(write_quantity <= 100); write_byte_count: uint8; write_register_values: uint16[write_quantity] &length=write_byte_count; } &let { @@ -388,8 +388,8 @@ type ReadFIFOQueueRequest(header: ModbusTCP_TransportHeader) = record { # RESPONSE FC=24 type ReadFIFOQueueResponse(header: ModbusTCP_TransportHeader) = record { - byte_count: uint16 &check(byte_count <= 62); - fifo_count: uint16 &check(fifo_count <= 31); + byte_count: uint16; # &check(byte_count <= 62); + fifo_count: uint16; # &check(fifo_count <= 31); register_data: uint16[fifo_count] &length=fifo_count*2; } &let { deliver: bool = $context.flow.deliver_ReadFIFOQueueResponse(header, this); diff --git a/src/analyzer/protocol/mysql/MySQL.cc b/src/analyzer/protocol/mysql/MySQL.cc index bfa2eb518b..af874ff5c2 100644 --- a/src/analyzer/protocol/mysql/MySQL.cc +++ b/src/analyzer/protocol/mysql/MySQL.cc @@ -53,7 +53,7 @@ void MySQL_Analyzer::DeliverStream(int len, const u_char* data, bool orig) } catch ( const binpac::Exception& e ) { - reporter->Weird(e.msg().c_str()); + ProtocolViolation(fmt("Binpac exception: %s", e.c_msg())); } } diff --git a/src/analyzer/protocol/mysql/MySQL.h b/src/analyzer/protocol/mysql/MySQL.h index 5512a80941..a82acdb6d1 100644 --- a/src/analyzer/protocol/mysql/MySQL.h +++ b/src/analyzer/protocol/mysql/MySQL.h 
@@ -15,17 +15,17 @@ class MySQL_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: - MySQL_Analyzer(Connection* conn); - virtual ~MySQL_Analyzer(); + explicit MySQL_Analyzer(Connection* conn); + ~MySQL_Analyzer() override; // Overriden from Analyzer. - virtual void Done(); + void Done() override; - virtual void DeliverStream(int len, const u_char* data, bool orig); - virtual void Undelivered(uint64 seq, int len, bool orig); + void DeliverStream(int len, const u_char* data, bool orig) override; + void Undelivered(uint64 seq, int len, bool orig) override; // Overriden from tcp::TCP_ApplicationAnalyzer. - virtual void EndpointEOF(bool is_orig); + void EndpointEOF(bool is_orig) override; static analyzer::Analyzer* Instantiate(Connection* conn) { return new MySQL_Analyzer(conn); } diff --git a/src/analyzer/protocol/mysql/events.bif b/src/analyzer/protocol/mysql/events.bif index bd81e8b8a4..34cbc54b4b 100644 --- a/src/analyzer/protocol/mysql/events.bif +++ b/src/analyzer/protocol/mysql/events.bif @@ -38,6 +38,18 @@ event mysql_error%(c: connection, code: count, msg: string%); ## .. bro:see:: mysql_command_request mysql_error mysql_server_version mysql_handshake event mysql_ok%(c: connection, affected_rows: count%); +## Generated for each MySQL ResultsetRow response packet. +## +## See the MySQL `documentation `__ +## for more information about the MySQL protocol. +## +## c: The connection. +## +## row: The result row data. +## +## .. bro:see:: mysql_command_request mysql_error mysql_server_version mysql_handshake mysql_ok +event mysql_result_row%(c: connection, row: string_vec%); + ## Generated for the initial server handshake packet, which includes the MySQL server version. ## ## See the MySQL `documentation `__ diff --git a/src/analyzer/protocol/mysql/mysql-analyzer.pac b/src/analyzer/protocol/mysql/mysql-analyzer.pac index 66710fb2bb..24401c110e 100644 --- a/src/analyzer/protocol/mysql/mysql-analyzer.pac +++ b/src/analyzer/protocol/mysql/mysql-analyzer.pac 
@@ -67,10 +67,41 @@ refine flow MySQL_Flow += { function proc_resultset(msg: Resultset): bool %{ - if ( mysql_ok ) - BifEvent::generate_mysql_ok(connection()->bro_analyzer(), - connection()->bro_analyzer()->Conn(), - ${msg.rows}->size()); + if ( connection()->get_results_seen() == 1 ) + { + // This is a bit fake... + if ( mysql_ok ) + BifEvent::generate_mysql_ok(connection()->bro_analyzer(), + connection()->bro_analyzer()->Conn(), + 0); + } + + if ( ${msg.is_eof} ) + return true; + + if ( ! mysql_result_row ) + return true; + + auto vt = internal_type("string_vec")->AsVectorType(); + auto vv = new VectorVal(vt); + + auto& bstring = ${msg.row.first_field.val}; + auto ptr = reinterpret_cast(bstring.data()); + vv->Assign(vv->Size(), new StringVal(bstring.length(), ptr)); + + auto& fields = *${msg.row.fields}; + + for ( auto& f : fields ) + { + auto& bstring = f->val(); + auto ptr = reinterpret_cast(bstring.data()); + vv->Assign(vv->Size(), new StringVal(bstring.length(), ptr)); + } + + BifEvent::generate_mysql_result_row(connection()->bro_analyzer(), + connection()->bro_analyzer()->Conn(), + vv); + return true; %} diff --git a/src/analyzer/protocol/mysql/mysql-protocol.pac b/src/analyzer/protocol/mysql/mysql-protocol.pac index ec9efd4d40..e352de0d37 100644 --- a/src/analyzer/protocol/mysql/mysql-protocol.pac +++ b/src/analyzer/protocol/mysql/mysql-protocol.pac @@ -17,6 +17,10 @@ type LengthEncodedInteger = record { integer : LengthEncodedIntegerLookahead(length); }; +type LengthEncodedIntegerArg(length: uint8) = record { + integer : LengthEncodedIntegerLookahead(length); +}; + type LengthEncodedIntegerLookahead(length: uint8) = record { val: case length of { 0xfb -> i0 : empty; @@ -33,6 +37,11 @@ type LengthEncodedString = record { val: bytestring &length=to_int()(len); }; +type LengthEncodedStringArg(first_byte: uint8) = record { + len: LengthEncodedIntegerArg(first_byte); + val: bytestring &length=to_int()(len); +}; + %header{ class to_int { 
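Review bot: The comment `// This is a bit fake...` in `proc_resultset` does not say what is fake. `mysql_ok` is now raised with a hard-coded `0` for `affected_rows` when `get_results_seen() == 1`, where the removed code passed `${msg.rows}->size()`, so script-level consumers see 0 for every result set. If that is the intent, the comment should say so, e.g. `// Row count is not known here; report 0 and deliver the rows through mysql_result_row.` The `bstring` and `ptr` declared inside the `for` loop also shadow the pair declared for `first_field`; distinct names would read more clearly.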
@@ -56,6 +65,20 @@ type LengthEncodedString = record { return 0; } + int operator()(LengthEncodedIntegerArg* lei) const + { + if ( lei->length() < 0xfb ) + return lei->length(); + else if ( lei->length() == 0xfc ) + return lei->integer()->i2(); + else if ( lei->length() == 0xfd ) + return to_int()(lei->integer()->i3()); + else if ( lei->length() == 0xfe ) + return lei->integer()->i4(); + else + return 0; + } + int operator()(LengthEncodedIntegerLookahead* lei) const { if ( lei->length() < 0xfb ) @@ -107,7 +130,8 @@ enum command_consts { COM_SET_OPTION = 0x1b, COM_STMT_FETCH = 0x1c, COM_DAEMON = 0x1d, - COM_BINLOG_DUMP_GTID = 0x1e + COM_BINLOG_DUMP_GTID = 0x1e, + COM_RESET_CONNECTION = 0x1f, }; enum state { @@ -119,11 +143,12 @@ enum Expected { NO_EXPECTATION, EXPECT_STATUS, EXPECT_COLUMN_DEFINITION, + EXPECT_COLUMN_DEFINITION_OR_EOF, EXPECT_COLUMN_COUNT, - EXPECT_EOF1, - EXPECT_EOF2, + EXPECT_EOF, EXPECT_RESULTSET, - EXPECT_QUERY_RESPONSE, + EXPECT_REST_OF_PACKET, + EXPECT_AUTH_SWITCH, }; type NUL_String = RE/[^\0]*/; @@ -133,7 +158,7 @@ type NUL_String = RE/[^\0]*/; type MySQL_PDU(is_orig: bool) = record { hdr : Header; msg : case is_orig of { - false -> server_msg: Server_Message(hdr.seq_id); + false -> server_msg: Server_Message(hdr.seq_id, hdr.len); true -> client_msg: Client_Message(state); } &requires(state); } &let { @@ -147,9 +172,9 @@ type Header = record { len : uint32 = to_int()(le_len) + 4; } &length=4; -type Server_Message(seq_id: uint8) = case seq_id of { +type Server_Message(seq_id: uint8, pkt_len: uint32) = case seq_id of { 0 -> initial_handshake: Initial_Handshake_Packet; - default -> command_response : Command_Response; + default -> command_response : Command_Response(pkt_len); }; type Client_Message(state: int) = case state of { 
@@ -225,18 +250,20 @@ type Command_Request_Packet = record { command : uint8; arg : bytestring &restofdata; } &let { - update_expectation : bool = $context.connection.set_next_expected(EXPECT_COLUMN_COUNT); + update_expectation : bool = $context.connection.set_next_expected_from_command(command); }; # Command Response -type Command_Response = case $context.connection.get_expectation() of { +type Command_Response(pkt_len: uint32) = case $context.connection.get_expectation() of { EXPECT_COLUMN_COUNT -> col_count_meta : ColumnCountMeta; - EXPECT_COLUMN_DEFINITION -> col_defs : ColumnDefinitions; - EXPECT_RESULTSET -> resultset : Resultset; + EXPECT_COLUMN_DEFINITION -> col_def : ColumnDefinition; + EXPECT_COLUMN_DEFINITION_OR_EOF -> def_or_eof : ColumnDefinitionOrEOF(pkt_len); + EXPECT_RESULTSET -> resultset : Resultset(pkt_len); + EXPECT_REST_OF_PACKET -> rest : bytestring &restofdata; EXPECT_STATUS -> status : Command_Response_Status; - EXPECT_EOF1 -> eof1 : EOF1; - EXPECT_EOF2 -> eof2 : EOF2; + EXPECT_AUTH_SWITCH -> auth_switch : AuthSwitchRequest; + EXPECT_EOF -> eof : EOF1; default -> unknow : empty; }; 
@@ -265,39 +292,55 @@ type ColumnCount(byte: uint8) = record { } &let { col_num : uint32 = to_int()(le_column_count); update_col_num : bool = $context.connection.set_col_count(col_num); + update_remain : bool = $context.connection.set_remaining_cols(col_num); update_expectation : bool = $context.connection.set_next_expected(EXPECT_COLUMN_DEFINITION); }; -type ColumnDefinitions = record { - defs : ColumnDefinition41[1]; +type ColumnDefinition = record { + dummy: uint8; + def : ColumnDefinition41(dummy); } &let { - update_expectation : bool = $context.connection.set_next_expected(EXPECT_EOF1); + update_remain : bool = $context.connection.dec_remaining_cols(); + update_expectation : bool = $context.connection.set_next_expected($context.connection.get_remaining_cols() > 0 ? EXPECT_COLUMN_DEFINITION : EXPECT_EOF); }; +type ColumnDefinitionOrEOF(pkt_len: uint32) = record { + marker: uint8; + def_or_eof: case is_eof of { + true -> eof: EOF_Packet; + false -> def: ColumnDefinition41(marker); + } &requires(is_eof); +} &let { + is_eof: bool = (marker == 0xfe && pkt_len <= 9); +}; + + type EOF1 = record { eof : EOF_Packet; } &let { + update_result_seen : bool = $context.connection.set_results_seen(0); update_expectation : bool = $context.connection.set_next_expected(EXPECT_RESULTSET); }; -type EOF2 = record { - eof : EOF_Packet; +type Resultset(pkt_len: uint32) = record { + marker: uint8; + row_or_eof: case is_eof of { + true -> eof: EOF_Packet; + false -> row: ResultsetRow(marker); + } &requires(is_eof); } &let { - update_expectation : bool = $context.connection.set_next_expected(NO_EXPECTATION); + is_eof: bool = (marker == 0xfe && pkt_len <= 9); + update_result_seen : bool = $context.connection.inc_results_seen(); + update_expectation : bool = $context.connection.set_next_expected(is_eof ? 
NO_EXPECTATION : EXPECT_RESULTSET); }; -type Resultset = record { - rows : ResultsetRow[] &until($input.length()==0); -} &let { - update_expectation : bool = $context.connection.set_next_expected(EXPECT_EOF2); +type ResultsetRow(first_byte: uint8) = record { + first_field: LengthEncodedStringArg(first_byte); + fields: LengthEncodedString[$context.connection.get_col_count() - 1]; }; -type ResultsetRow = record { - fields: LengthEncodedString[$context.connection.get_col_count()]; -}; - -type ColumnDefinition41 = record { - catalog : LengthEncodedString; +type ColumnDefinition41(first_byte: uint8) = record { + catalog : LengthEncodedStringArg(first_byte); schema : LengthEncodedString; table : LengthEncodedString; org_table: LengthEncodedString; @@ -312,6 +355,12 @@ type ColumnDefinition41 = record { filler : padding[2]; }; +type AuthSwitchRequest = record { + status: uint8; + name: NUL_String; + data: bytestring &restofdata; +}; + type ColumnDefinition320 = record { table : LengthEncodedString; name : LengthEncodedString; @@ -352,6 +401,8 @@ refine connection MySQL_Conn += { int state_; Expected expected_; uint32 col_count_; + uint32 remaining_cols_; + uint32 results_seen_; %} %init{ @@ -359,6 +410,8 @@ refine connection MySQL_Conn += { state_ = CONNECTION_PHASE; expected_ = EXPECT_STATUS; col_count_ = 0; + remaining_cols_ = 0; + results_seen_ = 0; %} function get_version(): uint8 
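Review bot: `ResultsetRow` sizes its array with `$context.connection.get_col_count() - 1`, and `get_col_count()` returns `uint32`, so a column count of 0 wraps to 0xFFFFFFFF instead of giving an empty array. The count comes from the wire in `ColumnCount` (`col_num : uint32 = to_int()(le_column_count)`), and nothing visible in this hunk rejects 0 before `set_col_count` and `set_remaining_cols` store it. The same wrap exists in `dec_remaining_cols()` in the last hunk of this file (`--remaining_cols_`), after which `get_remaining_cols() > 0` stays true and the flow keeps expecting column definitions. I would clamp both: `fields: LengthEncodedString[$context.connection.get_col_count() > 0 ? $context.connection.get_col_count() - 1 : 0];` and `if ( remaining_cols_ > 0 ) --remaining_cols_;`. How binpac treats the oversized array length is not visible here, so the impact is unconfirmed.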
@@ -394,6 +447,112 @@ refine connection MySQL_Conn += { return true; %} + function set_next_expected_from_command(cmd: uint8): bool + %{ + switch ( cmd ) { + case COM_SLEEP: + expected_ = EXPECT_STATUS; + break; + case COM_QUIT: + expected_ = EXPECT_STATUS; + break; + case COM_INIT_DB: + expected_ = EXPECT_STATUS; + break; + case COM_QUERY: + expected_ = EXPECT_COLUMN_COUNT; + break; + case COM_FIELD_LIST: + expected_ = EXPECT_COLUMN_DEFINITION_OR_EOF; + break; + case COM_CREATE_DB: + expected_ = EXPECT_STATUS; + break; + case COM_DROP_DB: + expected_ = EXPECT_STATUS; + break; + case COM_REFRESH: + expected_ = EXPECT_STATUS; + break; + case COM_SHUTDOWN: + expected_ = EXPECT_STATUS; + break; + case COM_STATISTICS: + expected_ = EXPECT_REST_OF_PACKET; + break; + case COM_PROCESS_INFO: + expected_ = EXPECT_COLUMN_COUNT; + break; + case COM_CONNECT: + expected_ = EXPECT_STATUS; + break; + case COM_PROCESS_KILL: + expected_ = EXPECT_STATUS; + break; + case COM_DEBUG: + expected_ = EXPECT_STATUS; + break; + case COM_PING: + expected_ = EXPECT_STATUS; + break; + case COM_TIME: + expected_ = EXPECT_STATUS; + break; + case COM_DELAYED_INSERT: + expected_ = EXPECT_STATUS; + break; + case COM_CHANGE_USER: + expected_ = EXPECT_AUTH_SWITCH; + break; + case COM_BINLOG_DUMP: + expected_ = NO_EXPECTATION; + break; + case COM_TABLE_DUMP: + expected_ = NO_EXPECTATION; + break; + case COM_CONNECT_OUT: + expected_ = NO_EXPECTATION; + break; + case COM_REGISTER_SLAVE: + expected_ = NO_EXPECTATION; + break; + case COM_STMT_PREPARE: + expected_ = NO_EXPECTATION; + break; + case COM_STMT_EXECUTE: + expected_ = NO_EXPECTATION; + break; + case COM_STMT_SEND_LONG_DATA: + expected_ = NO_EXPECTATION; + break; + case COM_STMT_CLOSE: + expected_ = NO_EXPECTATION; + break; + case COM_STMT_RESET: + expected_ = NO_EXPECTATION; + break; + case COM_SET_OPTION: + expected_ = NO_EXPECTATION; + break; + case COM_STMT_FETCH: + expected_ = NO_EXPECTATION; + break; + case COM_DAEMON: + expected_ = 
EXPECT_STATUS; + break; + case COM_BINLOG_DUMP_GTID: + expected_ = NO_EXPECTATION; + break; + case COM_RESET_CONNECTION: + expected_ = EXPECT_STATUS; + break; + default: + expected_ = NO_EXPECTATION; + break; + } + return true; + %} + function get_col_count(): uint32 %{ return col_count_; @@ -404,4 +563,38 @@ refine connection MySQL_Conn += { col_count_ = i; return true; %} + + function get_remaining_cols(): uint32 + %{ + return remaining_cols_; + %} + + function set_remaining_cols(i: uint32): bool + %{ + remaining_cols_ = i; + return true; + %} + + function dec_remaining_cols(): bool + %{ + --remaining_cols_; + return true; + %} + + function get_results_seen(): uint32 + %{ + return results_seen_; + %} + + function set_results_seen(i: uint32): bool + %{ + results_seen_ = i; + return true; + %} + + function inc_results_seen(): bool + %{ + ++results_seen_; + return true; + %} }; diff --git a/src/analyzer/protocol/ncp/CMakeLists.txt b/src/analyzer/protocol/ncp/CMakeLists.txt index bd06d4e426..1ec5cf2e67 100644 --- a/src/analyzer/protocol/ncp/CMakeLists.txt +++ b/src/analyzer/protocol/ncp/CMakeLists.txt @@ -5,6 +5,6 @@ include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DI bro_plugin_begin(Bro NCP) bro_plugin_cc(NCP.cc Plugin.cc) -bro_plugin_bif(events.bif) +bro_plugin_bif(events.bif consts.bif) bro_plugin_pac(ncp.pac) bro_plugin_end() diff --git a/src/analyzer/protocol/ncp/NCP.cc b/src/analyzer/protocol/ncp/NCP.cc index 4605ad2bca..e8672e7ebe 100644 --- a/src/analyzer/protocol/ncp/NCP.cc +++ b/src/analyzer/protocol/ncp/NCP.cc @@ -9,6 +9,7 @@ #include "NCP.h" #include "events.bif.h" +#include "consts.bif.h" using namespace std; using namespace analyzer::ncp; @@ -40,7 +41,7 @@ void NCP_Session::Deliver(int is_orig, int len, const u_char* data) } catch ( const binpac::Exception& e ) { - analyzer->Weird(e.msg().c_str()); + analyzer->ProtocolViolation(fmt("Binpac exception: %s", e.c_msg())); } } 
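Review bot: The `switch` in `set_next_expected_from_command` repeats `expected_ = …; break;` for every command, which makes it hard to see which commands share a response type. Stacking the labels per expectation would reduce it to a handful of groups, e.g. `case COM_QUERY: case COM_PROCESS_INFO: expected_ = EXPECT_COLUMN_COUNT; break;`. The cases that set `NO_EXPECTATION` duplicate the `default` arm; if they are listed to record that the response is deliberately left unparsed, a one-line comment saying so would help, since `Command_Response` maps that state to `unknow : empty`. The enclosing `refine connection MySQL_Conn` block starts outside this hunk.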
@@ -79,7 +80,7 @@ void NCP_Session::DeliverFrame(const binpac::NCP::ncp_frame* frame) } } -FrameBuffer::FrameBuffer(int header_length) +FrameBuffer::FrameBuffer(size_t header_length) { hdr_len = header_length; msg_buf = 0; @@ -105,13 +106,12 @@ void FrameBuffer::Reset() msg_len = 0; } -// Returns true if we have a complete frame -bool FrameBuffer::Deliver(int &len, const u_char* &data) +int FrameBuffer::Deliver(int &len, const u_char* &data) { ASSERT(buf_len >= hdr_len); if ( len == 0 ) - return false; + return -1; if ( buf_n < hdr_len ) { @@ -123,13 +123,16 @@ bool FrameBuffer::Deliver(int &len, const u_char* &data) } if ( buf_n < hdr_len ) - return false; + return -1; compute_msg_length(); if ( msg_len > buf_len ) { - buf_len = msg_len * 2; + if ( msg_len > BifConst::NCP::max_frame_size ) + return 1; + + buf_len = msg_len; u_char* new_buf = new u_char[buf_len]; memcpy(new_buf, msg_buf, buf_n); delete [] msg_buf; @@ -143,7 +146,13 @@ bool FrameBuffer::Deliver(int &len, const u_char* &data) ++buf_n; ++data; --len; } - return buf_n >= msg_len; + if ( buf_n < msg_len ) + return -1; + + if ( buf_n == msg_len ) + return 0; + + return 1; } void NCP_FrameBuffer::compute_msg_length() @@ -159,11 +168,7 @@ Contents_NCP_Analyzer::Contents_NCP_Analyzer(Connection* conn, bool orig, NCP_Se { session = arg_session; resync = true; - - tcp::TCP_Analyzer* tcp = static_cast(Parent())->TCP(); - if ( tcp ) - resync = (orig ? tcp->OrigState() : tcp->RespState()) != - tcp::TCP_ENDPOINT_ESTABLISHED; + resync_set = false; } Contents_NCP_Analyzer::~Contents_NCP_Analyzer() 
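Review bot: `FrameBuffer::Deliver` returns 1 both when `msg_len > BifConst::NCP::max_frame_size` and, at the end, whenever `buf_n` is greater than `msg_len`, and the caller in `DeliverStream` reports either case as `Weird("ncp_large_frame")`. The second case appears reachable when the length computed from the header is smaller than the bytes already buffered, for instance a declared length below the header size. That is a malformed frame rather than a large one, so the weird name would mislead whoever reads the log. I would give it its own return value and weird, e.g. `return 2;` mapped to `Weird("ncp_invalid_frame_length")`, and describe it in the comment in NCP.h. The body of `Deliver` is spread over three hunks here, so the header-fill loop is only partly visible.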
@@ -174,20 +179,23 @@ void Contents_NCP_Analyzer::DeliverStream(int len, const u_char* data, bool orig { tcp::TCP_SupportAnalyzer::DeliverStream(len, data, orig); - tcp::TCP_Analyzer* tcp = static_cast(Parent())->TCP(); + auto tcp = static_cast(Parent())->TCP(); + + if ( ! resync_set ) + { + resync_set = true; + resync = (IsOrig() ? tcp->OrigState() : tcp->RespState()) != + tcp::TCP_ENDPOINT_ESTABLISHED; + } if ( tcp && tcp->HadGap(orig) ) return; - DEBUG_MSG("NCP deliver: len = %d resync = %d buffer.empty = %d\n", - len, resync, buffer.empty()); - if ( buffer.empty() && resync ) { // Assume NCP frames align with packet boundary. if ( (IsOrig() && len < 22) || (! IsOrig() && len < 16) ) { // ignore small fragmeents - DEBUG_MSG("NCP discard small pieces: %d\n", len); return; } @@ -204,10 +212,27 @@ void Contents_NCP_Analyzer::DeliverStream(int len, const u_char* data, bool orig resync = false; } - while ( buffer.Deliver(len, data) ) + for ( ; ; ) { - session->Deliver(IsOrig(), buffer.Len(), buffer.Data()); - buffer.Reset(); + auto result = buffer.Deliver(len, data); + + if ( result < 0 ) + break; + + if ( result == 0 ) + { + session->Deliver(IsOrig(), buffer.Len(), buffer.Data()); + buffer.Reset(); + } + else + { + // The rest of the data available in this delivery will + // be discarded and will need to resync to a new frame header. + Weird("ncp_large_frame"); + buffer.Reset(); + resync = true; + break; + } } } @@ -224,13 +249,13 @@ NCP_Analyzer::NCP_Analyzer(Connection* conn) { session = new NCP_Session(this); o_ncp = new Contents_NCP_Analyzer(conn, true, session); + AddSupportAnalyzer(o_ncp); r_ncp = new Contents_NCP_Analyzer(conn, false, session); + AddSupportAnalyzer(r_ncp); } NCP_Analyzer::~NCP_Analyzer() { delete session; - delete o_ncp; - delete r_ncp; } diff --git a/src/analyzer/protocol/ncp/NCP.h b/src/analyzer/protocol/ncp/NCP.h index 11a7d6c6e2..ff64db9077 100644 --- a/src/analyzer/protocol/ncp/NCP.h +++ b/src/analyzer/protocol/ncp/NCP.h 
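Review bot: In `Contents_NCP_Analyzer::DeliverStream` the new `if ( ! resync_set )` block calls `tcp->OrigState()` / `tcp->RespState()` before the existing null test in `if ( tcp && tcp->HadGap(orig) )`, so a null `TCP()` result would be dereferenced on the first delivery. The constructor code this replaces, removed in the preceding hunk, guarded the same expression with `if ( tcp )`. I would keep that guard with `if ( tcp && ! resync_set )`, which leaves `resync` at its initial `true` when no TCP analyzer is available.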
@@ -31,7 +31,7 @@ namespace analyzer { namespace ncp { class NCP_Session { public: - NCP_Session(analyzer::Analyzer* analyzer); + explicit NCP_Session(analyzer::Analyzer* analyzer); virtual ~NCP_Session() {} virtual void Deliver(int is_orig, int len, const u_char* data); @@ -51,11 +51,12 @@ protected: class FrameBuffer { public: - FrameBuffer(int header_length); + explicit FrameBuffer(size_t header_length); virtual ~FrameBuffer(); - // Returns true if a frame is ready - bool Deliver(int& len, const u_char* &data); + // Returns -1 if frame is not ready, 0 if it else, and 1 if + // the frame would require too large of a buffer allocation. + int Deliver(int& len, const u_char* &data); void Reset(); @@ -66,11 +67,11 @@ public: protected: virtual void compute_msg_length() = 0; - int hdr_len; + size_t hdr_len; u_char* msg_buf; - int msg_len; - int buf_n; // number of bytes in msg_buf - int buf_len; // size off msg_buf + uint64 msg_len; + size_t buf_n; // number of bytes in msg_buf + size_t buf_len; // size off msg_buf }; #define NCP_TCPIP_HEADER_LENGTH 8 
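Review bot: The new comment on `FrameBuffer::Deliver` reads "0 if it else", which does not say what a return of 0 means. In NCP.cc, 0 is returned when `buf_n == msg_len`, i.e. a complete frame is buffered, and 1 is also returned when `buf_n` exceeds `msg_len`. I would write `// Returns -1 if the frame is not complete yet, 0 if a complete frame is ready,` followed by `// and 1 if the frame needs too large a buffer or its length is inconsistent.`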
@@ -80,29 +81,30 @@ public: NCP_FrameBuffer() : FrameBuffer(NCP_TCPIP_HEADER_LENGTH) {} protected: - void compute_msg_length(); + void compute_msg_length() override; }; class Contents_NCP_Analyzer : public tcp::TCP_SupportAnalyzer { public: Contents_NCP_Analyzer(Connection* conn, bool orig, NCP_Session* session); - ~Contents_NCP_Analyzer(); + ~Contents_NCP_Analyzer() override; protected: - virtual void DeliverStream(int len, const u_char* data, bool orig); - virtual void Undelivered(uint64 seq, int len, bool orig); + void DeliverStream(int len, const u_char* data, bool orig) override; + void Undelivered(uint64 seq, int len, bool orig) override; NCP_FrameBuffer buffer; NCP_Session* session; // Re-sync for partial connections (or after a content gap). bool resync; + bool resync_set; }; class NCP_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: - NCP_Analyzer(Connection* conn); - virtual ~NCP_Analyzer(); + explicit NCP_Analyzer(Connection* conn); + ~NCP_Analyzer() override; static analyzer::Analyzer* Instantiate(Connection* conn) { return new NCP_Analyzer(conn); } diff --git a/src/analyzer/protocol/ncp/consts.bif b/src/analyzer/protocol/ncp/consts.bif new file mode 100644 index 0000000000..452dd9a2b6 --- /dev/null +++ b/src/analyzer/protocol/ncp/consts.bif @@ -0,0 +1 @@ +const NCP::max_frame_size: count; diff --git a/src/analyzer/protocol/ncp/ncp.pac b/src/analyzer/protocol/ncp/ncp.pac index d4d5734a54..205c8ee7bc 100644 --- a/src/analyzer/protocol/ncp/ncp.pac +++ b/src/analyzer/protocol/ncp/ncp.pac 
@@ -51,10 +51,10 @@ type ncp_over_tcpip_frame(is_orig: bool) = record { }; ncp : ncp_frame(is_orig, length - offsetof(ncp)); } &byteorder = bigendian, - &length = length, - &check( ncp.frame_type == 0x1111 || - ncp.frame_type == 0x2222 || - ncp.frame_type == 0x3333 || - ncp.frame_type == 0x5555 || - ncp.frame_type == 0x7777 || - ncp.frame_type == 0x9999 ); + &length = length; + #&check( ncp.frame_type == 0x1111 || + # ncp.frame_type == 0x2222 || + # ncp.frame_type == 0x3333 || + # ncp.frame_type == 0x5555 || + # ncp.frame_type == 0x7777 || + # ncp.frame_type == 0x9999 ); diff --git a/src/analyzer/protocol/netbios/NetbiosSSN.cc b/src/analyzer/protocol/netbios/NetbiosSSN.cc index 5e6231de37..2153b9cad7 100644 --- a/src/analyzer/protocol/netbios/NetbiosSSN.cc +++ b/src/analyzer/protocol/netbios/NetbiosSSN.cc @@ -455,7 +455,7 @@ void Contents_NetbiosSSN::DeliverStream(int len, const u_char* data, bool orig) } NetbiosSSN_Analyzer::NetbiosSSN_Analyzer(Connection* conn) -: tcp::TCP_ApplicationAnalyzer("NETBIOS", conn) +: tcp::TCP_ApplicationAnalyzer("NETBIOSSSN", conn) { //smb_session = new SMB_Session(this); interp = new NetbiosSSN_Interpreter(this); diff --git a/src/analyzer/protocol/netbios/NetbiosSSN.h b/src/analyzer/protocol/netbios/NetbiosSSN.h index 1d7ad284e0..cfc15fceb1 100644 --- a/src/analyzer/protocol/netbios/NetbiosSSN.h +++ b/src/analyzer/protocol/netbios/NetbiosSSN.h @@ -64,7 +64,7 @@ struct NetbiosDGM_RawMsgHdr { class NetbiosSSN_Interpreter { public: - NetbiosSSN_Interpreter(Analyzer* analyzer); + explicit NetbiosSSN_Interpreter(Analyzer* analyzer); int ParseMessage(unsigned int type, unsigned int flags, const u_char* data, int len, int is_query); @@ -117,7 +117,7 @@ class Contents_NetbiosSSN : public tcp::TCP_SupportAnalyzer { public: Contents_NetbiosSSN(Connection* conn, bool orig, NetbiosSSN_Interpreter* interp); - ~Contents_NetbiosSSN(); + ~Contents_NetbiosSSN() override; void Flush(); // process any partially-received data 
@@ -141,8 +141,8 @@ protected: class NetbiosSSN_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: - NetbiosSSN_Analyzer(Connection* conn); - ~NetbiosSSN_Analyzer(); + explicit NetbiosSSN_Analyzer(Connection* conn); + ~NetbiosSSN_Analyzer() override; void Done() override; void DeliverPacket(int len, const u_char* data, bool orig, diff --git a/src/analyzer/protocol/ntlm/NTLM.h b/src/analyzer/protocol/ntlm/NTLM.h index 41117ac176..e8be2c809a 100644 --- a/src/analyzer/protocol/ntlm/NTLM.h +++ b/src/analyzer/protocol/ntlm/NTLM.h @@ -15,8 +15,8 @@ class NTLM_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: - NTLM_Analyzer(Connection* conn); - virtual ~NTLM_Analyzer(); + explicit NTLM_Analyzer(Connection* conn); + ~NTLM_Analyzer() override; // Overriden from Analyzer. void Done() override; diff --git a/src/analyzer/protocol/ntlm/ntlm-protocol.pac b/src/analyzer/protocol/ntlm/ntlm-protocol.pac index 8862be1f22..f8784c74c7 100644 --- a/src/analyzer/protocol/ntlm/ntlm-protocol.pac +++ b/src/analyzer/protocol/ntlm/ntlm-protocol.pac @@ -171,7 +171,7 @@ type NTLM_Negotiate_Flags = record { request_non_nt_session_key : bool = (flags & 0x00400000) > 0; negotiate_identify : bool = (flags & 0x00100000) > 0; - negotiate_extended_sessionsecurity : bool = (flags & 0x00040000) > 0; + negotiate_extended_sessionsecurity : bool = (flags & 0x00080000) > 0; target_type_server : bool = (flags & 0x00020000) > 0; target_type_domain : bool = (flags & 0x00010000) > 0; 
@@ -179,14 +179,14 @@ type NTLM_Negotiate_Flags = record { negotiate_oem_workstation_supplied : bool = (flags & 0x00002000) > 0; negotiate_oem_domain_supplied : bool = (flags & 0x00001000) > 0; - negotiate_anonymous_connection : bool = (flags & 0x00000400) > 0; - negotiate_ntlm : bool = (flags & 0x00000100) > 0; + negotiate_anonymous_connection : bool = (flags & 0x00000800) > 0; + negotiate_ntlm : bool = (flags & 0x00000200) > 0; negotiate_lm_key : bool = (flags & 0x00000080) > 0; negotiate_datagram : bool = (flags & 0x00000040) > 0; negotiate_seal : bool = (flags & 0x00000020) > 0; + negotiate_sign : bool = (flags & 0x00000010) > 0; - negotiate_sign : bool = (flags & 0x00000008) > 0; request_target : bool = (flags & 0x00000004) > 0; negotiate_oem : bool = (flags & 0x00000002) > 0; negotiate_unicode : bool = (flags & 0x00000001) > 0; diff --git a/src/analyzer/protocol/ntp/NTP.h b/src/analyzer/protocol/ntp/NTP.h index 7987f3086d..5b5d3d7baa 100644 --- a/src/analyzer/protocol/ntp/NTP.h +++ b/src/analyzer/protocol/ntp/NTP.h @@ -38,15 +38,15 @@ struct ntpdata { class NTP_Analyzer : public analyzer::Analyzer { public: - NTP_Analyzer(Connection* conn); + explicit NTP_Analyzer(Connection* conn); static analyzer::Analyzer* Instantiate(Connection* conn) { return new NTP_Analyzer(conn); } protected: - virtual void Done(); - virtual void DeliverPacket(int len, const u_char* data, bool orig, - uint64 seq, const IP_Hdr* ip, int caplen); + void Done() override; + void DeliverPacket(int len, const u_char* data, bool orig, + uint64 seq, const IP_Hdr* ip, int caplen) override; int Request(const u_char* data, int len); int Reply(const u_char* data, int len); diff --git a/src/analyzer/protocol/pia/CMakeLists.txt b/src/analyzer/protocol/pia/CMakeLists.txt index ff55bcf0aa..02397f7aff 100644 --- a/src/analyzer/protocol/pia/CMakeLists.txt +++ b/src/analyzer/protocol/pia/CMakeLists.txt 
@@ -5,5 +5,4 @@ include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DI bro_plugin_begin(Bro PIA) bro_plugin_cc(PIA.cc Plugin.cc) -bro_plugin_bif(events.bif) bro_plugin_end() diff --git a/src/analyzer/protocol/pia/PIA.cc b/src/analyzer/protocol/pia/PIA.cc index 7d73624dd0..8f5e23a1ce 100644 --- a/src/analyzer/protocol/pia/PIA.cc +++ b/src/analyzer/protocol/pia/PIA.cc @@ -3,8 +3,6 @@ #include "analyzer/protocol/tcp/TCP_Flags.h" #include "analyzer/protocol/tcp/TCP_Reassembler.h" -#include "events.bif.h" - using namespace analyzer::pia; PIA::PIA(analyzer::Analyzer* arg_as_analyzer) diff --git a/src/analyzer/protocol/pia/PIA.h b/src/analyzer/protocol/pia/PIA.h index 85683289a9..924b405987 100644 --- a/src/analyzer/protocol/pia/PIA.h +++ b/src/analyzer/protocol/pia/PIA.h @@ -19,7 +19,7 @@ namespace analyzer { namespace pia { // PIAs and then each needs its own matching-state. class PIA : public RuleMatcherState { public: - PIA(analyzer::Analyzer* as_analyzer); + explicit PIA(analyzer::Analyzer* as_analyzer); virtual ~PIA(); // Called when PIA wants to put an Analyzer in charge. rule is the 
@@ -90,43 +90,43 @@ private: // PIA for UDP. class PIA_UDP : public PIA, public analyzer::Analyzer { public: - PIA_UDP(Connection* conn) + explicit PIA_UDP(Connection* conn) : PIA(this), Analyzer("PIA_UDP", conn) { SetConn(conn); } - virtual ~PIA_UDP() { } + ~PIA_UDP() override { } static analyzer::Analyzer* Instantiate(Connection* conn) { return new PIA_UDP(conn); } protected: - virtual void Done() + void Done() override { Analyzer::Done(); PIA_Done(); } - virtual void DeliverPacket(int len, const u_char* data, bool is_orig, - uint64 seq, const IP_Hdr* ip, int caplen) + void DeliverPacket(int len, const u_char* data, bool is_orig, + uint64 seq, const IP_Hdr* ip, int caplen) override { Analyzer::DeliverPacket(len, data, is_orig, seq, ip, caplen); PIA_DeliverPacket(len, data, is_orig, seq, ip, caplen, true); } - virtual void ActivateAnalyzer(analyzer::Tag tag, const Rule* rule); - virtual void DeactivateAnalyzer(analyzer::Tag tag); + void ActivateAnalyzer(analyzer::Tag tag, const Rule* rule) override; + void DeactivateAnalyzer(analyzer::Tag tag) override; }; // PIA for TCP. Accepts both packet and stream input (and reassembles // packets before passing payload on to children). class PIA_TCP : public PIA, public tcp::TCP_ApplicationAnalyzer { public: - PIA_TCP(Connection* conn) + explicit PIA_TCP(Connection* conn) : PIA(this), tcp::TCP_ApplicationAnalyzer("PIA_TCP", conn) { stream_mode = false; SetConn(conn); } - virtual ~PIA_TCP(); + ~PIA_TCP() override; - virtual void Init(); + void Init() override; // The first packet for each direction of a connection is passed // in here. 
@@ -144,25 +144,25 @@ public: { return new PIA_TCP(conn); } protected: - virtual void Done() + void Done() override { Analyzer::Done(); PIA_Done(); } - virtual void DeliverPacket(int len, const u_char* data, bool is_orig, - uint64 seq, const IP_Hdr* ip, int caplen) + void DeliverPacket(int len, const u_char* data, bool is_orig, + uint64 seq, const IP_Hdr* ip, int caplen) override { Analyzer::DeliverPacket(len, data, is_orig, seq, ip, caplen); PIA_DeliverPacket(len, data, is_orig, seq, ip, caplen, false); } - virtual void DeliverStream(int len, const u_char* data, bool is_orig); - virtual void Undelivered(uint64 seq, int len, bool is_orig); + void DeliverStream(int len, const u_char* data, bool is_orig) override; + void Undelivered(uint64 seq, int len, bool is_orig) override; - virtual void ActivateAnalyzer(analyzer::Tag tag, - const Rule* rule = 0); - virtual void DeactivateAnalyzer(analyzer::Tag tag); + void ActivateAnalyzer(analyzer::Tag tag, + const Rule* rule = 0) override; + void DeactivateAnalyzer(analyzer::Tag tag) override; private: // FIXME: Not sure yet whether we need both pkt_buffer and stream_buffer. diff --git a/src/analyzer/protocol/pop3/POP3.h b/src/analyzer/protocol/pop3/POP3.h index 7b4b592810..9bc48a08f3 100644 --- a/src/analyzer/protocol/pop3/POP3.h +++ b/src/analyzer/protocol/pop3/POP3.h @@ -64,11 +64,11 @@ typedef enum { class POP3_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: - POP3_Analyzer(Connection* conn); - ~POP3_Analyzer(); + explicit POP3_Analyzer(Connection* conn); + ~POP3_Analyzer() override; - virtual void Done(); - virtual void DeliverStream(int len, const u_char* data, bool orig); + void Done() override; + void DeliverStream(int len, const u_char* data, bool orig) override; static analyzer::Analyzer* Instantiate(Connection* conn) { diff --git a/src/analyzer/protocol/radius/RADIUS.h b/src/analyzer/protocol/radius/RADIUS.h index e91b13bbcb..b7dae6fbdd 100644 --- a/src/analyzer/protocol/radius/RADIUS.h 
+++ b/src/analyzer/protocol/radius/RADIUS.h @@ -14,13 +14,13 @@ namespace analyzer { namespace RADIUS { class RADIUS_Analyzer : public analyzer::Analyzer { public: - RADIUS_Analyzer(Connection* conn); - virtual ~RADIUS_Analyzer(); + explicit RADIUS_Analyzer(Connection* conn); + ~RADIUS_Analyzer() override; // Overriden from Analyzer. - virtual void Done(); - virtual void DeliverPacket(int len, const u_char* data, bool orig, - uint64 seq, const IP_Hdr* ip, int caplen); + void Done() override; + void DeliverPacket(int len, const u_char* data, bool orig, + uint64 seq, const IP_Hdr* ip, int caplen) override; static analyzer::Analyzer* Instantiate(Connection* conn) { return new RADIUS_Analyzer(conn); } diff --git a/src/analyzer/protocol/rdp/RDP.h b/src/analyzer/protocol/rdp/RDP.h index 9d4eda1db8..bc97e5999d 100644 --- a/src/analyzer/protocol/rdp/RDP.h +++ b/src/analyzer/protocol/rdp/RDP.h @@ -14,15 +14,14 @@ namespace analyzer { namespace rdp { class RDP_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: - RDP_Analyzer(Connection* conn); - virtual ~RDP_Analyzer(); + explicit RDP_Analyzer(Connection* conn); + ~RDP_Analyzer() override; // Overriden from Analyzer. - virtual void Done(); - - virtual void DeliverStream(int len, const u_char* data, bool orig); - virtual void Undelivered(uint64 seq, int len, bool orig); - virtual void EndpointEOF(bool is_orig); + void Done() override; + void DeliverStream(int len, const u_char* data, bool orig) override; + void Undelivered(uint64 seq, int len, bool orig) override; + void EndpointEOF(bool is_orig) override; static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) { return new RDP_Analyzer(conn); } diff --git a/src/analyzer/protocol/rdp/rdp-analyzer.pac b/src/analyzer/protocol/rdp/rdp-analyzer.pac index 01b47e9478..1ba2c465d8 100644 --- a/src/analyzer/protocol/rdp/rdp-analyzer.pac +++ b/src/analyzer/protocol/rdp/rdp-analyzer.pac 
@@ -142,7 +142,7 @@ refine flow RDP_Flow += { connection()->bro_analyzer()->GetAnalyzerTag(), connection()->bro_analyzer()->Conn(), false, // It seems there are only server certs? - file_id); + file_id, "application/x-x509-user-cert"); file_mgr->EndOfFile(file_id); return true; diff --git a/src/analyzer/protocol/rfb/RFB.h b/src/analyzer/protocol/rfb/RFB.h index 88a17eea5a..3b440e7740 100644 --- a/src/analyzer/protocol/rfb/RFB.h +++ b/src/analyzer/protocol/rfb/RFB.h @@ -15,17 +15,17 @@ class RFB_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: - RFB_Analyzer(Connection* conn); - virtual ~RFB_Analyzer(); + explicit RFB_Analyzer(Connection* conn); + ~RFB_Analyzer() override; // Overriden from Analyzer. - virtual void Done(); + void Done() override; - virtual void DeliverStream(int len, const u_char* data, bool orig); - virtual void Undelivered(uint64 seq, int len, bool orig); + void DeliverStream(int len, const u_char* data, bool orig) override; + void Undelivered(uint64 seq, int len, bool orig) override; // Overriden from tcp::TCP_ApplicationAnalyzer. - virtual void EndpointEOF(bool is_orig); + void EndpointEOF(bool is_orig) override; static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn) diff --git a/src/analyzer/protocol/rpc/CMakeLists.txt b/src/analyzer/protocol/rpc/CMakeLists.txt index 5696a74cd6..c71c6ddd9a 100644 --- a/src/analyzer/protocol/rpc/CMakeLists.txt +++ b/src/analyzer/protocol/rpc/CMakeLists.txt @@ -4,6 +4,6 @@ include(BroPlugin) include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) bro_plugin_begin(Bro RPC) -bro_plugin_cc(RPC.cc NFS.cc Portmap.cc XDR.cc Plugin.cc) +bro_plugin_cc(RPC.cc NFS.cc MOUNT.cc Portmap.cc XDR.cc Plugin.cc) bro_plugin_bif(events.bif) bro_plugin_end() diff --git a/src/analyzer/protocol/rpc/MOUNT.cc b/src/analyzer/protocol/rpc/MOUNT.cc new file mode 100644 index 0000000000..dd2fcdc959 --- /dev/null +++ b/src/analyzer/protocol/rpc/MOUNT.cc 
@@ -0,0 +1,313 @@ +// See the file "COPYING" in the main distribution directory for copyright. + +#include +#include + +#include "bro-config.h" + +#include "NetVar.h" +#include "XDR.h" +#include "MOUNT.h" +#include "Event.h" + +#include "events.bif.h" + +using namespace analyzer::rpc; + +int MOUNT_Interp::RPC_BuildCall(RPC_CallInfo* c, const u_char*& buf, int& n) + { + if ( c->Program() != 100005 ) + Weird(fmt("bad_RPC_program (%d)", c->Program())); + + uint32 proc = c->Proc(); + // The call arguments, depends on the call type obviously ... + Val *callarg = 0; + + switch ( proc ) { + case BifEnum::MOUNT3::PROC_NULL: + break; + + case BifEnum::MOUNT3::PROC_MNT: + callarg = mount3_dirmntargs(buf, n); + break; + + case BifEnum::MOUNT3::PROC_UMNT: + callarg = mount3_dirmntargs(buf, n); + break; + + case BifEnum::MOUNT3::PROC_UMNT_ALL: + callarg = mount3_dirmntargs(buf, n); + break; + + default: + callarg = 0; + if ( proc < BifEnum::MOUNT3::PROC_END_OF_PROCS ) + { + // We know the procedure but haven't implemented it. + // Otherwise DeliverRPC would complain about + // excess_RPC. + n = 0; + } + else + Weird(fmt("unknown_MOUNT_request(%u)", proc)); + + // Return 1 so that replies to unprocessed calls will still + // be processed, and the return status extracted. + return 1; + } + + if ( ! buf ) + { + // There was a parse error while trying to extract the call + // arguments. However, we don't know where exactly it + // happened and whether Vals where already allocated (e.g., a + // RecordVal was allocated but we failed to fill it). So we + // Unref() the call arguments, and we are fine. + Unref(callarg); + callarg = 0; + return 0; + } + + c->AddVal(callarg); // It's save to AddVal(0). 
+ + return 1; + } + +int MOUNT_Interp::RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status rpc_status, + const u_char*& buf, int& n, double start_time, + double last_time, int reply_len) + { + EventHandlerPtr event = 0; + Val* reply = 0; + BifEnum::MOUNT3::status_t mount_status = BifEnum::MOUNT3::MNT3_OK; + bool rpc_success = ( rpc_status == BifEnum::RPC_SUCCESS ); + + // Reply always starts with the MOUNT status. + if ( rpc_success ) + { + if ( n >= 4 ) + mount_status = (BifEnum::MOUNT3::status_t)extract_XDR_uint32(buf, n); + else + mount_status = BifEnum::MOUNT3::MOUNT3ERR_UNKNOWN; + } + + if ( mount_reply_status ) + { + val_list* vl = event_common_vl(c, rpc_status, mount_status, + start_time, last_time, reply_len); + analyzer->ConnectionEvent(mount_reply_status, vl); + } + + if ( ! rpc_success ) + { + // We set the buffer to NULL, the function that extract the + // reply from the data stream will then return empty records. + // + buf = NULL; + n = 0; + } + + switch ( c->Proc() ) { + case BifEnum::MOUNT3::PROC_NULL: + event = mount_proc_null; + break; + + case BifEnum::MOUNT3::PROC_MNT: + reply = mount3_mnt_reply(buf, n, mount_status); + event = mount_proc_mnt; + break; + + case BifEnum::MOUNT3::PROC_UMNT: + reply = 0; + n = 0; + mount_status = BifEnum::MOUNT3::MNT3_OK; + event = mount_proc_umnt; + break; + + case BifEnum::MOUNT3::PROC_UMNT_ALL: + reply = 0; + n = 0; + mount_status = BifEnum::MOUNT3::MNT3_OK; + event = mount_proc_umnt; + break; + + default: + if ( c->Proc() < BifEnum::MOUNT3::PROC_END_OF_PROCS ) + { + // We know the procedure but haven't implemented it. + // Otherwise DeliverRPC would complain about + // excess_RPC. + n = 0; + reply = new EnumVal(c->Proc(), BifType::Enum::MOUNT3::proc_t); + event = mount_proc_not_implemented; + } + else + return 0; + } + + if ( rpc_success && ! buf ) + { + // There was a parse error. We have to unref the reply. (see + // also comments in RPC_BuildCall. 
+ Unref(reply); + reply = 0; + return 0; + } + + // Note: if reply == 0, it won't be added to the val_list for the + // event. While we can check for that on the policy layer it's kinda + // ugly, because it's contrary to the event prototype. But having + // this optional argument to the event is really helpful. Otherwise I + // have to let reply point to a RecordVal where all fields are + // optional and all are set to 0 ... + if ( event ) + { + val_list* vl = event_common_vl(c, rpc_status, mount_status, + start_time, last_time, reply_len); + + Val *request = c->TakeRequestVal(); + + if ( request ) + vl->append(request); + + if ( reply ) + vl->append(reply); + + analyzer->ConnectionEvent(event, vl); + } + else + Unref(reply); + return 1; + } + +val_list* MOUNT_Interp::event_common_vl(RPC_CallInfo *c, + BifEnum::rpc_status rpc_status, + BifEnum::MOUNT3::status_t mount_status, + double rep_start_time, + double rep_last_time, int reply_len) + { + // Returns a new val_list that already has a conn_val, and mount3_info. + // These are the first parameters for each mount_* event ... 
+ val_list *vl = new val_list; + vl->append(analyzer->BuildConnVal()); + VectorVal* auxgids = new VectorVal(internal_type("index_vec")->AsVectorType()); + + for (size_t i = 0; i < c->AuxGIDs().size(); ++i) + { + auxgids->Assign(i, new Val(c->AuxGIDs()[i], TYPE_COUNT)); + } + + RecordVal* info = new RecordVal(BifType::Record::MOUNT3::info_t); + info->Assign(0, new EnumVal(rpc_status, BifType::Enum::rpc_status)); + info->Assign(1, new EnumVal(mount_status, BifType::Enum::MOUNT3::status_t)); + info->Assign(2, new Val(c->StartTime(), TYPE_TIME)); + info->Assign(3, new Val(c->LastTime() - c->StartTime(), TYPE_INTERVAL)); + info->Assign(4, new Val(c->RPCLen(), TYPE_COUNT)); + info->Assign(5, new Val(rep_start_time, TYPE_TIME)); + info->Assign(6, new Val(rep_last_time - rep_start_time, TYPE_INTERVAL)); + info->Assign(7, new Val(reply_len, TYPE_COUNT)); + info->Assign(8, new Val(c->Uid(), TYPE_COUNT)); + info->Assign(9, new Val(c->Gid(), TYPE_COUNT)); + info->Assign(10, new Val(c->Stamp(), TYPE_COUNT)); + info->Assign(11, new StringVal(c->MachineName())); + info->Assign(12, auxgids); + + vl->append(info); + return vl; + } + +EnumVal* MOUNT_Interp::mount3_auth_flavor(const u_char*& buf, int& n) + { + BifEnum::MOUNT3::auth_flavor_t t = (BifEnum::MOUNT3::auth_flavor_t)extract_XDR_uint32(buf, n); + return new EnumVal(t, BifType::Enum::MOUNT3::auth_flavor_t); + } + +StringVal* MOUNT_Interp::mount3_fh(const u_char*& buf, int& n) + { + int fh_n; + const u_char* fh = extract_XDR_opaque(buf, n, fh_n, 64); + + if ( ! fh ) + return 0; + + return new StringVal(new BroString(fh, fh_n, 0)); + } + +StringVal* MOUNT_Interp::mount3_filename(const u_char*& buf, int& n) + { + int name_len; + const u_char* name = extract_XDR_opaque(buf, n, name_len); + + if ( ! 
name ) + return 0; + + return new StringVal(new BroString(name, name_len, 0)); + } + +RecordVal* MOUNT_Interp::mount3_dirmntargs(const u_char*& buf, int& n) + { + RecordVal* dirmntargs = new RecordVal(BifType::Record::MOUNT3::dirmntargs_t); + dirmntargs->Assign(0, mount3_filename(buf, n)); + return dirmntargs; + } + +RecordVal* MOUNT_Interp::mount3_mnt_reply(const u_char*& buf, int& n, + BifEnum::MOUNT3::status_t status) + { + RecordVal* rep = new RecordVal(BifType::Record::MOUNT3::mnt_reply_t); + + if ( status == BifEnum::MOUNT3::MNT3_OK ) + { + rep->Assign(0, mount3_fh(buf,n)); + + auto auth_flavors_count_in_reply = extract_XDR_uint32(buf, n); + auto auth_flavors_count = auth_flavors_count_in_reply; + const auto max_auth_flavors = 32u; + + if ( auth_flavors_count_in_reply > max_auth_flavors ) + { + Weird("excessive_MNT_auth_flavors"); + auth_flavors_count = max_auth_flavors; + } + + VectorType* enum_vector = new VectorType(base_type(TYPE_ENUM)); + VectorVal* auth_flavors = new VectorVal(enum_vector); + Unref(enum_vector); + + for ( auto i = 0u; i < auth_flavors_count; ++i ) + auth_flavors->Assign(auth_flavors->Size(), + mount3_auth_flavor(buf, n)); + + if ( auth_flavors_count_in_reply > max_auth_flavors ) + // Prevent further "excess RPC" weirds + n = 0; + + rep->Assign(1, auth_flavors); + } + else + { + rep->Assign(0, 0); + rep->Assign(1, 0); + } + + return rep; + } + +MOUNT_Analyzer::MOUNT_Analyzer(Connection* conn) + : RPC_Analyzer("MOUNT", conn, new MOUNT_Interp(this)) + { + orig_rpc = resp_rpc = 0; + } + +void MOUNT_Analyzer::Init() + { + RPC_Analyzer::Init(); + + if ( Conn()->ConnTransport() == TRANSPORT_TCP ) + { + orig_rpc = new Contents_RPC(Conn(), true, interp); + resp_rpc = new Contents_RPC(Conn(), false, interp); + AddSupportAnalyzer(orig_rpc); + AddSupportAnalyzer(resp_rpc); + } + } diff --git a/src/analyzer/protocol/rpc/MOUNT.h b/src/analyzer/protocol/rpc/MOUNT.h new file mode 100644 index 0000000000..42da4f61ed --- /dev/null 
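Review bot: `RPC_BuildCall` parses `PROC_UMNT_ALL` with `mount3_dirmntargs`, but RFC 1813 (the reference MOUNT.h names) defines UMNTALL with no arguments, so a well-formed call should exhaust the buffer, leave `buf` at 0 and be rejected by the `if ( ! buf )` branch. That case should simply `break;` as `PROC_NULL` does. In `RPC_BuildReply` the same procedure is reported through `mount_proc_umnt`, so scripts cannot tell an unmount-all from a single unmount; a dedicated event would fix that if events.bif can provide one. Separately, `Weird(fmt("unknown_MOUNT_request(%u)", proc))` puts a number taken from the packet into the weird name, so a peer can generate an unbounded set of distinct names; a fixed name is safer for anything that keys state on it.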
+++ b/src/analyzer/protocol/rpc/MOUNT.h @@ -0,0 +1,55 @@ +// See the file "COPYING" in the main distribution directory for copyright. + +#ifndef ANALYZER_PROTOCOL_RPC_MOUNT_H +#define ANALYZER_PROTOCOL_RPC_MOUNT_H + +#include "RPC.h" +#include "XDR.h" +#include "Event.h" + +namespace analyzer { namespace rpc { + +class MOUNT_Interp : public RPC_Interpreter { +public: + explicit MOUNT_Interp(analyzer::Analyzer* arg_analyzer) : RPC_Interpreter(arg_analyzer) { } + +protected: + int RPC_BuildCall(RPC_CallInfo* c, const u_char*& buf, int& n) override; + int RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status rpc_status, + const u_char*& buf, int& n, double start_time, + double last_time, int reply_len) override; + + // Returns a new val_list that already has a conn_val, rpc_status and + // mount_status. These are the first parameters for each mount_* event + // ... + val_list* event_common_vl(RPC_CallInfo *c, BifEnum::rpc_status rpc_status, + BifEnum::MOUNT3::status_t mount_status, + double rep_start_time, double rep_last_time, + int reply_len); + + // These methods parse the appropriate MOUNTv3 "type" out of buf. If + // there are any errors (i.e., buffer to short, etc), buf will be set + // to 0. However, the methods might still return an allocated Val * ! + // So, you might want to Unref() the Val if buf is 0. Method names + // are based on the type names of RFC 1813. + EnumVal* mount3_auth_flavor(const u_char*& buf, int& n); + StringVal* mount3_fh(const u_char*& buf, int& n); + RecordVal* mount3_dirmntargs(const u_char*&buf, int &n); + StringVal* mount3_filename(const u_char*& buf, int& n); + + RecordVal* mount3_mnt_reply(const u_char*& buf, int& n, BifEnum::MOUNT3::status_t status); +}; + +class MOUNT_Analyzer : public RPC_Analyzer { +public: + explicit MOUNT_Analyzer(Connection* conn); + void Init() override; + + static analyzer::Analyzer* Instantiate(Connection* conn) + { return new MOUNT_Analyzer(conn); } +}; + + +} } // namespace analyzer::* + +#endif 
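Review bot: The comment above `event_common_vl` says the returned list already holds a conn_val, rpc_status and mount_status, but the implementation in MOUNT.cc appends a conn_val and a single `MOUNT3::info_t` record. I would reword it to `// Returns a new val_list holding the conn_val and a MOUNT3::info_t record; these are the first parameters of each mount_* event.` The parser comment could also note that `mount3_fh` limits the handle to 64 bytes while `mount3_filename` passes no explicit limit to `extract_XDR_opaque`.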
diff --git a/src/analyzer/protocol/rpc/NFS.cc b/src/analyzer/protocol/rpc/NFS.cc index 8a2620e2e5..710282df96 100644 --- a/src/analyzer/protocol/rpc/NFS.cc +++ b/src/analyzer/protocol/rpc/NFS.cc @@ -1,6 +1,7 @@ // See the file "COPYING" in the main distribution directory for copyright. #include +#include #include "bro-config.h" @@ -30,6 +31,10 @@ int NFS_Interp::RPC_BuildCall(RPC_CallInfo* c, const u_char*& buf, int& n) callarg = nfs3_fh(buf, n); break; + case BifEnum::NFS3::PROC_SETATTR: + callarg = nfs3_sattrargs(buf, n); + break; + case BifEnum::NFS3::PROC_LOOKUP: callarg = nfs3_diropargs(buf, n); break; @@ -42,6 +47,14 @@ int NFS_Interp::RPC_BuildCall(RPC_CallInfo* c, const u_char*& buf, int& n) callarg = nfs3_fh(buf, n); break; + case BifEnum::NFS3::PROC_SYMLINK: + callarg = nfs3_symlinkargs(buf, n); + break; + + case BifEnum::NFS3::PROC_LINK: + callarg = nfs3_linkargs(buf, n); + break; + case BifEnum::NFS3::PROC_WRITE: callarg = nfs3_writeargs(buf, n); break; @@ -68,6 +81,10 @@ int NFS_Interp::RPC_BuildCall(RPC_CallInfo* c, const u_char*& buf, int& n) callarg = nfs3_diropargs(buf, n); break; + case BifEnum::NFS3::PROC_RENAME: + callarg = nfs3_renameopargs(buf, n); + break; + case BifEnum::NFS3::PROC_READDIR: callarg = nfs3_readdirargs(false, buf, n); break; @@ -154,6 +171,11 @@ int NFS_Interp::RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status rpc_status, event = nfs_proc_getattr; break; + case BifEnum::NFS3::PROC_SETATTR: + reply = nfs3_sattr_reply(buf, n, nfs_status); + event = nfs_proc_sattr; + break; + case BifEnum::NFS3::PROC_LOOKUP: reply = nfs3_lookup_reply(buf, n, nfs_status); event = nfs_proc_lookup; 
@@ -171,6 +193,16 @@ int NFS_Interp::RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status rpc_status, event = nfs_proc_readlink; break; + case BifEnum::NFS3::PROC_SYMLINK: + reply = nfs3_newobj_reply(buf, n, nfs_status); + event = nfs_proc_symlink; + break; + + case BifEnum::NFS3::PROC_LINK: + reply = nfs3_link_reply(buf, n, nfs_status); + event = nfs_proc_link; + break; + case BifEnum::NFS3::PROC_WRITE: reply = nfs3_write_reply(buf, n, nfs_status); event = nfs_proc_write; @@ -196,6 +228,11 @@ int NFS_Interp::RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status rpc_status, event = nfs_proc_rmdir; break; + case BifEnum::NFS3::PROC_RENAME: + reply = nfs3_renameobj_reply(buf, n); + event = nfs_proc_rename; + break; + case BifEnum::NFS3::PROC_READDIR: reply = nfs3_readdir_reply(false, buf, n, nfs_status); event = nfs_proc_readdir; @@ -250,8 +287,9 @@ int NFS_Interp::RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status rpc_status, analyzer->ConnectionEvent(event, vl); } + else + Unref(reply); - Unref(reply); return 1; } @@ -288,6 +326,10 @@ val_list* NFS_Interp::event_common_vl(RPC_CallInfo *c, BifEnum::rpc_status rpc_s // These are the first parameters for each nfs_* event ... val_list *vl = new val_list; vl->append(analyzer->BuildConnVal()); + VectorVal* auxgids = new VectorVal(internal_type("index_vec")->AsVectorType()); + + for ( size_t i = 0; i < c->AuxGIDs().size(); ++i ) + auxgids->Assign(i, new Val(c->AuxGIDs()[i], TYPE_COUNT)); RecordVal *info = new RecordVal(BifType::Record::NFS3::info_t); info->Assign(0, new EnumVal(rpc_status, BifType::Enum::rpc_status)); 
@@ -298,6 +340,11 @@ val_list* NFS_Interp::event_common_vl(RPC_CallInfo *c, BifEnum::rpc_status rpc_s info->Assign(5, new Val(rep_start_time, TYPE_TIME)); info->Assign(6, new Val(rep_last_time-rep_start_time, TYPE_INTERVAL)); info->Assign(7, new Val(reply_len, TYPE_COUNT)); + info->Assign(8, new Val(c->Uid(), TYPE_COUNT)); + info->Assign(9, new Val(c->Gid(), TYPE_COUNT)); + info->Assign(10, new Val(c->Stamp(), TYPE_COUNT)); + info->Assign(11, new StringVal(c->MachineName())); + info->Assign(12, auxgids); vl->append(info); return vl; 
@@ -314,6 +361,56 @@ StringVal* NFS_Interp::nfs3_fh(const u_char*& buf, int& n) return new StringVal(new BroString(fh, fh_n, 0)); } + +RecordVal* NFS_Interp::nfs3_sattr(const u_char*& buf, int& n) + { + RecordVal* attrs = new RecordVal(BifType::Record::NFS3::sattr_t); + + attrs->Assign(0, 0); // mode + int mode_set_it = extract_XDR_uint32(buf, n); + if ( mode_set_it ) + attrs->Assign(0, ExtractUint32(buf, n)); // mode + + attrs->Assign(1, 0); // uid + int uid_set_it = extract_XDR_uint32(buf, n); + if ( uid_set_it ) + attrs->Assign(1, ExtractUint32(buf, n)); // uid + + attrs->Assign(2, 0); // gid + int gid_set_it = extract_XDR_uint32(buf, n); + if ( gid_set_it ) + attrs->Assign(2, ExtractUint32(buf, n)); // gid + + attrs->Assign(3, 0); // size + int size_set_it = extract_XDR_uint32(buf, n); + if ( size_set_it ) + attrs->Assign(3, ExtractTime(buf, n)); // size + + attrs->Assign(4, nfs3_time_how(buf, n)); // time_how + + attrs->Assign(5, nfs3_time_how(buf, n)); // time_how + + return attrs; + } + +RecordVal* NFS_Interp::nfs3_sattr_reply(const u_char*& buf, int& n, BifEnum::NFS3::status_t status) + { + RecordVal* rep = new RecordVal(BifType::Record::NFS3::sattr_reply_t); + + if ( status == BifEnum::NFS3::NFS3ERR_OK ) + { + rep->Assign(0, nfs3_pre_op_attr(buf, n)); + rep->Assign(1, nfs3_post_op_attr(buf, n)); + } + else + { + rep->Assign(1, 0); + rep->Assign(2, 0); + } + + return rep; + } + RecordVal* NFS_Interp::nfs3_fattr(const u_char*& buf, int& n) { RecordVal* attrs = new RecordVal(BifType::Record::NFS3::fattr_t); 
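Review bot: `nfs3_sattr_reply` assigns fields 0 and 1 on success but fields 1 and 2 in the error branch, so the failure path leaves field 0 untouched and writes an index the success path never uses. If `sattr_reply_t` has only two fields (its definition is not visible here), that write is out of range and the branch should read `rep->Assign(0, 0); rep->Assign(1, 0);`. In `nfs3_sattr` the size member is read with `ExtractTime` although the comment says size; `attrs->Assign(3, ExtractUint64(buf, n));` looks like what was meant, assuming the record field is a count. The two `nfs3_time_how` calls consume only the discriminant, but RFC 1813's SET_TO_CLIENT_TIME case is followed by an nfstime3. When a client supplies explicit times those bytes stay in the buffer and everything parsed afterwards is shifted, including the symlink path read by `nfs3_symlinkdata` later in this commit.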
@@ -336,6 +433,12 @@ RecordVal* NFS_Interp::nfs3_fattr(const u_char*& buf, int& n) return attrs; } +EnumVal* NFS_Interp::nfs3_time_how(const u_char*& buf, int& n) + { + BifEnum::NFS3::time_how_t t = (BifEnum::NFS3::time_how_t)extract_XDR_uint32(buf, n); + return new EnumVal(t, BifType::Enum::NFS3::time_how_t); + } + EnumVal* NFS_Interp::nfs3_ftype(const u_char*& buf, int& n) { BifEnum::NFS3::file_type_t t = (BifEnum::NFS3::file_type_t)extract_XDR_uint32(buf, n); @@ -374,6 +477,27 @@ RecordVal *NFS_Interp::nfs3_diropargs(const u_char*& buf, int& n) return diropargs; } +RecordVal* NFS_Interp::nfs3_symlinkdata(const u_char*& buf, int& n) + { + RecordVal* symlinkdata = new RecordVal(BifType::Record::NFS3::symlinkdata_t); + + symlinkdata->Assign(0, nfs3_sattr(buf, n)); + symlinkdata->Assign(1, nfs3_nfspath(buf, n)); + + return symlinkdata; + } + +RecordVal *NFS_Interp::nfs3_renameopargs(const u_char*& buf, int& n) + { + RecordVal *renameopargs = new RecordVal(BifType::Record::NFS3::renameopargs_t); + + renameopargs->Assign(0, nfs3_fh(buf, n)); + renameopargs->Assign(1, nfs3_filename(buf, n)); + renameopargs->Assign(2, nfs3_fh(buf, n)); + renameopargs->Assign(3, nfs3_filename(buf, n)); + + return renameopargs; + } RecordVal* NFS_Interp::nfs3_post_op_attr(const u_char*& buf, int& n) { 
@@ -480,18 +604,64 @@ RecordVal* NFS_Interp::nfs3_readlink_reply(const u_char*& buf, int& n, BifEnum:: return rep; } +RecordVal* NFS_Interp::nfs3_link_reply(const u_char*& buf, int& n, BifEnum::NFS3::status_t status) + { + RecordVal* rep = new RecordVal(BifType::Record::NFS3::link_reply_t); + + if ( status == BifEnum::NFS3::NFS3ERR_OK ) + { + rep->Assign(0, nfs3_post_op_attr(buf, n)); + + // wcc_data + rep->Assign(1, nfs3_pre_op_attr(buf, n)); + rep->Assign(2, nfs3_post_op_attr(buf, n)); + } + + return rep; + } + +RecordVal* NFS_Interp::nfs3_symlinkargs(const u_char*& buf, int& n) + { + RecordVal* symlinkargs = new RecordVal(BifType::Record::NFS3::symlinkargs_t); + + symlinkargs->Assign(0, nfs3_diropargs(buf, n)); + symlinkargs->Assign(1, nfs3_symlinkdata(buf, n)); + + return symlinkargs; + } + +RecordVal* NFS_Interp::nfs3_sattrargs(const u_char*& buf, int& n) + { + RecordVal* sattrargs = new RecordVal(BifType::Record::NFS3::sattrargs_t); + + sattrargs->Assign(0, nfs3_fh(buf, n)); + sattrargs->Assign(1, nfs3_sattr(buf, n)); + + return sattrargs; + } + +RecordVal* NFS_Interp::nfs3_linkargs(const u_char*& buf, int& n) + { + RecordVal* linkargs = new RecordVal(BifType::Record::NFS3::linkargs_t); + + linkargs->Assign(0, nfs3_fh(buf, n)); + linkargs->Assign(1, nfs3_diropargs(buf, n)); + + return linkargs; + } + RecordVal *NFS_Interp::nfs3_writeargs(const u_char*& buf, int& n) { uint32_t bytes; uint64_t offset; RecordVal *writeargs = new RecordVal(BifType::Record::NFS3::writeargs_t); - offset = extract_XDR_uint64(buf, n); - bytes = extract_XDR_uint32(buf, n); - writeargs->Assign(0, nfs3_fh(buf, n)); - writeargs->Assign(1, new Val(offset, TYPE_COUNT)); - writeargs->Assign(2, new Val(bytes, TYPE_COUNT)); + offset = extract_XDR_uint64(buf, n); + writeargs->Assign(1, new Val(offset, TYPE_COUNT)); // offset + bytes = extract_XDR_uint32(buf, n); + writeargs->Assign(2, new Val(bytes, TYPE_COUNT)); // size + writeargs->Assign(3, nfs3_stable_how(buf, n)); writeargs->Assign(4, 
nfs3_file_data(buf, n, offset, bytes)); @@ -558,6 +728,19 @@ RecordVal* NFS_Interp::nfs3_delobj_reply(const u_char*& buf, int& n) return rep; } +RecordVal* NFS_Interp::nfs3_renameobj_reply(const u_char*& buf, int& n) + { + RecordVal *rep = new RecordVal(BifType::Record::NFS3::renameobj_reply_t); + + // wcc_data + rep->Assign(0, nfs3_pre_op_attr(buf, n)); + rep->Assign(1, nfs3_post_op_attr(buf, n)); + rep->Assign(2, nfs3_pre_op_attr(buf, n)); + rep->Assign(3, nfs3_post_op_attr(buf, n)); + + return rep; + } + RecordVal* NFS_Interp::nfs3_readdirargs(bool isplus, const u_char*& buf, int&n) { RecordVal *args = new RecordVal(BifType::Record::NFS3::readdirargs_t); @@ -646,7 +829,7 @@ Val* NFS_Interp::ExtractBool(const u_char*& buf, int& n) NFS_Analyzer::NFS_Analyzer(Connection* conn) - : RPC_Analyzer("RPC", conn, new NFS_Interp(this)) + : RPC_Analyzer("NFS", conn, new NFS_Interp(this)) { orig_rpc = resp_rpc = 0; } diff --git a/src/analyzer/protocol/rpc/NFS.h b/src/analyzer/protocol/rpc/NFS.h index ba6cab38e2..2ec4047946 100644 --- a/src/analyzer/protocol/rpc/NFS.h +++ b/src/analyzer/protocol/rpc/NFS.h @@ -11,13 +11,13 @@ namespace analyzer { namespace rpc { class NFS_Interp : public RPC_Interpreter { public: - NFS_Interp(analyzer::Analyzer* arg_analyzer) : RPC_Interpreter(arg_analyzer) { } + explicit NFS_Interp(analyzer::Analyzer* arg_analyzer) : RPC_Interpreter(arg_analyzer) { } protected: - int RPC_BuildCall(RPC_CallInfo* c, const u_char*& buf, int& n); + int RPC_BuildCall(RPC_CallInfo* c, const u_char*& buf, int& n) override; int RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status rpc_status, const u_char*& buf, int& n, double start_time, - double last_time, int reply_len); + double last_time, int reply_len) override; // Returns a new val_list that already has a conn_val, rpc_status and // nfs_status. These are the first parameters for each nfs_* event 
@@ -34,10 +34,17 @@ protected: // are based on the type names of RFC 1813. StringVal* nfs3_fh(const u_char*& buf, int& n); RecordVal* nfs3_fattr(const u_char*& buf, int& n); + RecordVal* nfs3_sattr(const u_char*& buf, int& n); EnumVal* nfs3_ftype(const u_char*& buf, int& n); + EnumVal* nfs3_time_how(const u_char*& buf, int& n); RecordVal* nfs3_wcc_attr(const u_char*& buf, int& n); RecordVal* nfs3_diropargs(const u_char*&buf, int &n); + RecordVal* nfs3_symlinkdata(const u_char*& buf, int& n); + RecordVal* nfs3_renameopargs(const u_char*&buf, int &n); StringVal* nfs3_filename(const u_char*& buf, int& n); + RecordVal* nfs3_linkargs(const u_char*& buf, int& n); + RecordVal* nfs3_symlinkargs(const u_char*& buf, int& n); + RecordVal* nfs3_sattrargs(const u_char*& buf, int& n); StringVal* nfs3_nfspath(const u_char*& buf, int& n) { return nfs3_filename(buf,n); 
@@ -45,15 +52,18 @@ protected: RecordVal* nfs3_post_op_attr(const u_char*&buf, int &n); // Return 0 or an fattr RecordVal* nfs3_pre_op_attr(const u_char*&buf, int &n); // Return 0 or an wcc_attr + RecordVal* nfs3_sattr_reply(const u_char*& buf, int& n, BifEnum::NFS3::status_t status); RecordVal* nfs3_lookup_reply(const u_char*& buf, int& n, BifEnum::NFS3::status_t status); RecordVal* nfs3_readargs(const u_char*& buf, int& n); RecordVal* nfs3_read_reply(const u_char*& buf, int& n, BifEnum::NFS3::status_t status, bro_uint_t offset); RecordVal* nfs3_readlink_reply(const u_char*& buf, int& n, BifEnum::NFS3::status_t status); + RecordVal* nfs3_link_reply(const u_char*& buf, int& n, BifEnum::NFS3::status_t status); RecordVal* nfs3_writeargs(const u_char*& buf, int& n); EnumVal* nfs3_stable_how(const u_char*& buf, int& n); RecordVal* nfs3_write_reply(const u_char*& buf, int& n, BifEnum::NFS3::status_t status); RecordVal* nfs3_newobj_reply(const u_char*& buf, int&n, BifEnum::NFS3::status_t status); RecordVal* nfs3_delobj_reply(const u_char*& buf, int& n); + RecordVal* nfs3_renameobj_reply(const u_char*& buf, int& n); StringVal* nfs3_post_op_fh(const u_char*& buf, int& n); RecordVal* nfs3_readdirargs(bool isplus, const u_char*& buf, int&n); RecordVal* nfs3_readdir_reply(bool isplus, const u_char*& buf, int&n, BifEnum::NFS3::status_t status); @@ -64,7 +74,6 @@ protected: // * size is the amount of bytes read (or requested to be written), StringVal* nfs3_file_data(const u_char*& buf, int& n, uint64_t offset, int size); - RecordVal* ExtractOptAttrs(const u_char*& buf, int& n); Val* ExtractUint32(const u_char*& buf, int& n); Val* ExtractUint64(const u_char*& buf, int& n); Val* ExtractTime(const u_char*& buf, int& n); 
@@ -74,8 +83,8 @@ protected: class NFS_Analyzer : public RPC_Analyzer { public: - NFS_Analyzer(Connection* conn); - virtual void Init(); + explicit NFS_Analyzer(Connection* conn); + void Init() override; static analyzer::Analyzer* Instantiate(Connection* conn) { return new NFS_Analyzer(conn); } diff --git a/src/analyzer/protocol/rpc/Plugin.cc b/src/analyzer/protocol/rpc/Plugin.cc index 15337f2d6e..abc2f679f2 100644 --- a/src/analyzer/protocol/rpc/Plugin.cc +++ b/src/analyzer/protocol/rpc/Plugin.cc @@ -5,6 +5,7 @@ #include "RPC.h" #include "NFS.h" +#include "MOUNT.h" #include "Portmap.h" namespace plugin { @@ -15,6 +16,7 @@ public: plugin::Configuration Configure() { AddComponent(new ::analyzer::Component("NFS", ::analyzer::rpc::NFS_Analyzer::Instantiate)); + AddComponent(new ::analyzer::Component("MOUNT", ::analyzer::rpc::MOUNT_Analyzer::Instantiate)); AddComponent(new ::analyzer::Component("Portmapper", ::analyzer::rpc::Portmapper_Analyzer::Instantiate)); AddComponent(new ::analyzer::Component("Contents_RPC", 0)); AddComponent(new ::analyzer::Component("Contents_NFS", 0)); diff --git a/src/analyzer/protocol/rpc/Portmap.cc b/src/analyzer/protocol/rpc/Portmap.cc index 5d7c980879..9f52394ac4 100644 --- a/src/analyzer/protocol/rpc/Portmap.cc +++ b/src/analyzer/protocol/rpc/Portmap.cc @@ -126,7 +126,7 @@ int PortmapperInterp::RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status status RecordVal* rv = c->RequestVal()->AsRecordVal(); Val* is_tcp = rv->Lookup(2); - reply = new PortVal(CheckPort(port), + reply = port_mgr->Get(CheckPort(port), is_tcp->IsOne() ? TRANSPORT_TCP : TRANSPORT_UDP); event = pm_request_getport; @@ -178,7 +178,7 @@ int PortmapperInterp::RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status status if ( ! opaque_reply ) return 0; - reply = new PortVal(CheckPort(port), TRANSPORT_UDP); + reply = port_mgr->Get(CheckPort(port), TRANSPORT_UDP); event = pm_request_callit; } else 
@@ -202,7 +202,7 @@ Val* PortmapperInterp::ExtractMapping(const u_char*& buf, int& len) int is_tcp = extract_XDR_uint32(buf, len) == IPPROTO_TCP; uint32 port = extract_XDR_uint32(buf, len); - mapping->Assign(2, new PortVal(CheckPort(port), + mapping->Assign(2, port_mgr->Get(CheckPort(port), is_tcp ? TRANSPORT_TCP : TRANSPORT_UDP)); if ( ! buf ) diff --git a/src/analyzer/protocol/rpc/Portmap.h b/src/analyzer/protocol/rpc/Portmap.h index 3704bd8383..06eed3157d 100644 --- a/src/analyzer/protocol/rpc/Portmap.h +++ b/src/analyzer/protocol/rpc/Portmap.h @@ -9,13 +9,13 @@ namespace analyzer { namespace rpc { class PortmapperInterp : public RPC_Interpreter { public: - PortmapperInterp(analyzer::Analyzer* arg_analyzer) : RPC_Interpreter(arg_analyzer) { } + explicit PortmapperInterp(analyzer::Analyzer* arg_analyzer) : RPC_Interpreter(arg_analyzer) { } protected: - int RPC_BuildCall(RPC_CallInfo* c, const u_char*& buf, int& n); + int RPC_BuildCall(RPC_CallInfo* c, const u_char*& buf, int& n) override; int RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status success, const u_char*& buf, int& n, double start_time, - double last_time, int reply_len); + double last_time, int reply_len) override; uint32 CheckPort(uint32 port); void Event(EventHandlerPtr f, Val* request, BifEnum::rpc_status status, Val* reply); @@ -27,9 +27,9 @@ protected: class Portmapper_Analyzer : public RPC_Analyzer { public: - Portmapper_Analyzer(Connection* conn); - virtual ~Portmapper_Analyzer(); - virtual void Init(); + explicit Portmapper_Analyzer(Connection* conn); + ~Portmapper_Analyzer() override; + void Init() override; static analyzer::Analyzer* Instantiate(Connection* conn) { return new Portmapper_Analyzer(conn); } diff --git a/src/analyzer/protocol/rpc/RPC.cc b/src/analyzer/protocol/rpc/RPC.cc index aff6bfefc0..6ccd8008b8 100644 --- a/src/analyzer/protocol/rpc/RPC.cc +++ b/src/analyzer/protocol/rpc/RPC.cc 
@@ -40,7 +40,19 @@ RPC_CallInfo::RPC_CallInfo(uint32 arg_xid, const u_char*& buf, int& n, double ar prog = extract_XDR_uint32(buf, n); vers = extract_XDR_uint32(buf, n); proc = extract_XDR_uint32(buf, n); - cred_flavor = skip_XDR_opaque_auth(buf, n); + cred_flavor = extract_XDR_uint32(buf, n); + int cred_opaque_n, machinename_n; + const u_char* cred_opaque = extract_XDR_opaque(buf, n, cred_opaque_n); + stamp = extract_XDR_uint32(cred_opaque, cred_opaque_n); + const u_char* tmp = extract_XDR_opaque(cred_opaque, cred_opaque_n, machinename_n); + machinename = std::string(reinterpret_cast(tmp), machinename_n); + uid = extract_XDR_uint32(cred_opaque, cred_opaque_n); + gid = extract_XDR_uint32(cred_opaque, cred_opaque_n); + size_t number_of_gids = extract_XDR_uint32(cred_opaque, cred_opaque_n); + + for ( auto i = 0u; i < number_of_gids; ++i ) + auxgids.push_back(extract_XDR_uint32(cred_opaque, cred_opaque_n)); + verf_flavor = skip_XDR_opaque_auth(buf, n); header_len = call_n - n; diff --git a/src/analyzer/protocol/rpc/RPC.h b/src/analyzer/protocol/rpc/RPC.h index e87f8afa95..8fa19b8d53 100644 --- a/src/analyzer/protocol/rpc/RPC.h +++ b/src/analyzer/protocol/rpc/RPC.h @@ -62,6 +62,11 @@ public: uint32 Program() const { return prog; } uint32 Version() const { return vers; } uint32 Proc() const { return proc; } + uint32 Uid() const { return uid; } + uint32 Gid() const { return gid; } + uint32 Stamp() const { return stamp; } + const std::string& MachineName() const { return machinename; } + const std::vector& AuxGIDs() const { return auxgids; } double StartTime() const { return start_time; } void SetStartTime(double t) { start_time = t; } 
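Review bot: The auxiliary-GID loop in the `RPC_CallInfo` constructor is bounded only by `number_of_gids`, a 32-bit count read from the packet. A single call header can therefore drive billions of `push_back` calls no matter how few bytes the credential holds, whereas `mount3_mnt_reply` in this same commit caps its wire-supplied count at 32. The credential body is also parsed as AUTH_UNIX without consulting `cred_flavor`, so other flavors are misread as stamp, machine name, uid and gid. In addition, `tmp` goes to the `std::string` constructor without a null check, which matters if `extract_XDR_opaque` returns 0 on a short buffer (MOUNT.cc tests its result for exactly that). I would gate the parsing on the flavor, cap the count and stop once the credential buffer is exhausted, as sketched below. The constructor starts and ends outside this hunk.

```cpp
	const u_char* tmp = extract_XDR_opaque(cred_opaque, cred_opaque_n, machinename_n);

	if ( tmp )
		machinename = std::string(reinterpret_cast<const char*>(tmp), machinename_n);

	// … unchanged: uid and gid extraction …
	size_t number_of_gids = extract_XDR_uint32(cred_opaque, cred_opaque_n);
	const size_t max_gids = 64; // constructed limit; pick one that fits the protocol

	if ( number_of_gids > max_gids )
		number_of_gids = max_gids;

	// Assumes the XDR helpers null out the buffer pointer on short input; confirm in XDR.cc.
	for ( size_t i = 0; i < number_of_gids && cred_opaque; ++i )
		{
		uint32 g = extract_XDR_uint32(cred_opaque, cred_opaque_n);

		if ( cred_opaque )
			auxgids.push_back(g);
		}
```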
@@ -78,8 +83,12 @@ public: protected: uint32 xid, rpc_version, prog, vers, proc; - uint32 cred_flavor, verf_flavor; + uint32 cred_flavor, stamp; + uint32 uid, gid; + std::vector auxgids; + uint32 verf_flavor; u_char* call_buf; // copy of original call buffer + std::string machinename; double start_time; double last_time; int rpc_len; // size of the full RPC call, incl. xid and msg_type @@ -94,7 +103,7 @@ declare(PDict,RPC_CallInfo); class RPC_Interpreter { public: - RPC_Interpreter(analyzer::Analyzer* analyzer); + explicit RPC_Interpreter(analyzer::Analyzer* analyzer); virtual ~RPC_Interpreter(); // Delivers the given RPC. Returns true if "len" bytes were @@ -181,7 +190,7 @@ protected: class Contents_RPC : public tcp::TCP_SupportAnalyzer { public: Contents_RPC(Connection* conn, bool orig, RPC_Interpreter* interp); - virtual ~Contents_RPC(); + ~Contents_RPC() override; protected: typedef enum { @@ -200,10 +209,10 @@ protected: RESYNC_INIT, } resync_state_t; - virtual void Init(); + void Init() override; virtual bool CheckResync(int& len, const u_char*& data, bool orig); - virtual void DeliverStream(int len, const u_char* data, bool orig); - virtual void Undelivered(uint64 seq, int len, bool orig); + void DeliverStream(int len, const u_char* data, bool orig) override; + void Undelivered(uint64 seq, int len, bool orig) override; virtual void NeedResync() { resync_state = NEED_RESYNC; @@ -228,13 +237,13 @@ class RPC_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: RPC_Analyzer(const char* name, Connection* conn, RPC_Interpreter* arg_interp); - virtual ~RPC_Analyzer(); + ~RPC_Analyzer() override; - virtual void Done(); + void Done() override; protected: - virtual void DeliverPacket(int len, const u_char* data, bool orig, - uint64 seq, const IP_Hdr* ip, int caplen); + void DeliverPacket(int len, const u_char* data, bool orig, + uint64 seq, const IP_Hdr* ip, int caplen) override; void ExpireTimer(double t); 
diff --git a/src/analyzer/protocol/rpc/events.bif b/src/analyzer/protocol/rpc/events.bif index fc42aac6a6..b811a60cda 100644 --- a/src/analyzer/protocol/rpc/events.bif +++ b/src/analyzer/protocol/rpc/events.bif @@ -49,6 +49,34 @@ event nfs_proc_null%(c: connection, info: NFS3::info_t%); ## register a port for it or add a DPD payload signature. event nfs_proc_getattr%(c: connection, info: NFS3::info_t, fh: string, attrs: NFS3::fattr_t%); +## Generated for NFSv3 request/reply dialogues of type *sattr*. The event is +## generated once we have either seen both the request and its corresponding +## reply, or an unanswered request has timed out. +## +## NFS is a service running on top of RPC. See `Wikipedia +## `__ for more +## information about the service. +## +## c: The RPC connection. +## +## info: Reports the status of the dialogue, along with some meta information. +## +## req: The arguments passed in the request. +## +## rep: The attributes returned in the reply. The values may not be +## valid if the request was unsuccessful. +## +## .. bro:see:: nfs_proc_create nfs_proc_lookup nfs_proc_mkdir +## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir +## nfs_proc_readlink nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status +## rpc_call rpc_dialogue rpc_reply file_mode +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event nfs_proc_sattr%(c: connection, info: NFS3::info_t, req: NFS3::sattrargs_t, rep: NFS3::sattr_reply_t%); + ## Generated for NFSv3 request/reply dialogues of type *lookup*. The event is ## generated once we have either seen both the request and its corresponding ## reply, or an unanswered request has timed out. 
@@ -124,8 +152,8 @@ event nfs_proc_read%(c: connection, info: NFS3::info_t, req: NFS3::readargs_t, r ## ## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir ## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir -## nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status rpc_call -## rpc_dialogue rpc_reply +## nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status +## nfs_proc_symlink rpc_call rpc_dialogue rpc_reply ## ## .. todo:: Bro's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet 
@@ -133,6 +161,62 @@ event nfs_proc_read%(c: connection, info: NFS3::info_t, req: NFS3::readargs_t, r ## register a port for it or add a DPD payload signature. event nfs_proc_readlink%(c: connection, info: NFS3::info_t, fh: string, rep: NFS3::readlink_reply_t%); +## Generated for NFSv3 request/reply dialogues of type *symlink*. The event is +## generated once we have either seen both the request and its corresponding +## reply, or an unanswered request has timed out. +## +## NFS is a service running on top of RPC. See `Wikipedia +## `__ for more +## information about the service. +## +## c: The RPC connection. +## +## info: Reports the status of the dialogue, along with some meta information. +## +## req: The arguments passed in the request. +## +## rep: The attributes returned in the reply. The values may not be +## valid if the request was unsuccessful. +## +## .. bro:see:: nfs_proc_create nfs_proc_lookup nfs_proc_mkdir +## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir +## nfs_proc_readlink nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status +## nfs_proc_link rpc_call rpc_dialogue rpc_reply file_mode +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event nfs_proc_symlink%(c: connection, info: NFS3::info_t, req: NFS3::symlinkargs_t, rep: NFS3::newobj_reply_t%); + +## Generated for NFSv3 request/reply dialogues of type *link*. The event is +## generated once we have either seen both the request and its corresponding +## reply, or an unanswered request has timed out. +## +## NFS is a service running on top of RPC. See `Wikipedia +## `__ for more +## information about the service. +## +## c: The RPC connection. +## +## info: Reports the status of the dialogue, along with some meta information. 
+## +## req: The arguments passed in the request. +## +## rep: The response returned in the reply. The values may not be valid if the +## request was unsuccessful. +## +## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir +## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir +## nfs_proc_remove nfs_proc_rmdir nfs_proc_write nfs_reply_status rpc_call +## nfs_proc_symlink rpc_dialogue rpc_reply +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event nfs_proc_link%(c: connection, info: NFS3::info_t, req: NFS3::linkargs_t, rep: NFS3::link_reply_t%); + ## Generated for NFSv3 request/reply dialogues of type *write*. The event is ## generated once we have either seen both the request and its corresponding ## reply, or an unanswered request has timed out. 
@@ -274,6 +358,34 @@ event nfs_proc_remove%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t ## register a port for it or add a DPD payload signature. event nfs_proc_rmdir%(c: connection, info: NFS3::info_t, req: NFS3::diropargs_t, rep: NFS3::delobj_reply_t%); +## Generated for NFSv3 request/reply dialogues of type *rename*. The event is +## generated once we have either seen both the request and its corresponding +## reply, or an unanswered request has timed out. +## +## NFS is a service running on top of RPC. See `Wikipedia +## `__ for more +## information about the service. +## +## c: The RPC connection. +## +## info: Reports the status of the dialogue, along with some meta information. +## +## req: TODO. +## +## rep: The response returned in the reply. The values may not be valid if the +## request was unsuccessful. +## +## .. bro:see:: nfs_proc_create nfs_proc_getattr nfs_proc_lookup nfs_proc_mkdir +## nfs_proc_not_implemented nfs_proc_null nfs_proc_read nfs_proc_readdir +## nfs_proc_readlink nfs_proc_remove nfs_proc_rename nfs_proc_write +## nfs_reply_status rpc_call rpc_dialogue rpc_reply +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event nfs_proc_rename%(c: connection, info: NFS3::info_t, req: NFS3::renameopargs_t, rep: NFS3::renameobj_reply_t%); + ## Generated for NFSv3 request/reply dialogues of type *readdir*. The event is ## generated once we have either seen both the request and its corresponding ## reply, or an unanswered request has timed out. 
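Review bot: The `req` parameter of the new `nfs_proc_rename` event is documented only as `TODO.`; the sibling events added in this commit use `## req: The arguments passed in the request.`, and the same line fits here. The `bro:see` list also names `nfs_proc_rename` itself and leaves out `nfs_proc_rmdir`, which looks like a copy-paste slip from the `nfs_proc_rmdir` block directly above.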
@@ -737,3 +849,118 @@ event rpc_call%(c: connection, xid: count, prog: count, ver: count, proc: count, ## call to :bro:see:`Analyzer::register_for_ports` or a DPD payload ## signature. event rpc_reply%(c: connection, xid: count, status: rpc_status, reply_len: count%); + +## Generated for MOUNT3 request/reply dialogues of type *null*. The event is +## generated once we have either seen both the request and its corresponding +## reply, or an unanswered request has timed out. +## MOUNT is a service running on top of RPC. +## +## c: The RPC connection. +## +## info: Reports the status of the dialogue, along with some meta information. +## +## .. bro:see:: mount_proc_mnt mount_proc_umnt +## mount_proc_umnt_all mount_proc_not_implemented +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event mount_proc_null%(c: connection, info: MOUNT3::info_t%); + +## Generated for MOUNT3 request/reply dialogues of type *mnt*. The event is +## generated once we have either seen both the request and its corresponding +## reply, or an unanswered request has timed out. +## MOUNT is a service running on top of RPC. +## +## c: The RPC connection. +## +## info: Reports the status of the dialogue, along with some meta information. +## +## req: The arguments passed in the request. +## +## rep: The response returned in the reply. The values may not be valid if the +## request was unsuccessful. +## +## .. bro:see:: mount_proc_mnt mount_proc_umnt +## mount_proc_umnt_all mount_proc_not_implemented +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. 
To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event mount_proc_mnt%(c: connection, info: MOUNT3::info_t, req: MOUNT3::dirmntargs_t, rep: MOUNT3::mnt_reply_t%); + +## Generated for MOUNT3 request/reply dialogues of type *umnt*. The event is +## generated once we have either seen both the request and its corresponding +## reply, or an unanswered request has timed out. +## MOUNT is a service running on top of RPC. +## +## c: The RPC connection. +## +## info: Reports the status of the dialogue, along with some meta information. +## +## req: The arguments passed in the request. +## +## .. bro:see:: mount_proc_mnt mount_proc_umnt +## mount_proc_umnt_all mount_proc_not_implemented +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event mount_proc_umnt%(c: connection, info: MOUNT3::info_t, req: MOUNT3::dirmntargs_t%); + +## Generated for MOUNT3 request/reply dialogues of type *umnt_all*. The event is +## generated once we have either seen both the request and its corresponding +## reply, or an unanswered request has timed out. +## MOUNT is a service running on top of RPC. +## +## c: The RPC connection. +## +## info: Reports the status of the dialogue, along with some meta information. +## +## req: The arguments passed in the request. +## +## .. bro:see:: mount_proc_mnt mount_proc_umnt +## mount_proc_umnt_all mount_proc_not_implemented +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. 
+event mount_proc_umnt_all%(c: connection, info: MOUNT3::info_t, req: MOUNT3::dirmntargs_t%); + +## Generated for MOUNT3 request/reply dialogues of a type that Bro's MOUNTv3 +## analyzer does not implement. +## +## c: The RPC connection. +## +## info: Reports the status of the dialogue, along with some meta information. +## +## proc: The procedure called that Bro does not implement. +## +## .. bro:see:: mount_proc_mnt mount_proc_umnt +## mount_proc_umnt_all mount_proc_not_implemented +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event mount_proc_not_implemented%(c: connection, info: MOUNT3::info_t, proc: MOUNT3::proc_t%); + +## Generated for each MOUNT3 reply message received, reporting just the +## status included. +## +## n: The connection. +## +## info: Reports the status included in the reply. +## +## .. bro:see:: mount_proc_mnt mount_proc_umnt +## mount_proc_umnt_all mount_proc_not_implemented +## +## .. todo:: Bro's current default configuration does not activate the protocol +## analyzer that generates this event; the corresponding script has not yet +## been ported to Bro 2.x. To still enable this event, one needs to +## register a port for it or add a DPD payload signature. +event mount_reply_status%(n: connection, info: MOUNT3::info_t%); diff --git a/src/analyzer/protocol/sip/SIP.h b/src/analyzer/protocol/sip/SIP.h index 130e70f46a..4e4496f2cb 100644 --- a/src/analyzer/protocol/sip/SIP.h +++ b/src/analyzer/protocol/sip/SIP.h 
@@ -10,14 +10,14 @@ namespace analyzer { namespace SIP { class SIP_Analyzer : public analyzer::Analyzer { public: - SIP_Analyzer(Connection* conn); - virtual ~SIP_Analyzer(); + explicit SIP_Analyzer(Connection* conn); + ~SIP_Analyzer() override; // Overridden from Analyzer - virtual void Done(); - virtual void DeliverPacket(int len, const u_char* data, bool orig, - uint64 seq, const IP_Hdr* ip, int caplen); + void Done() override; + void DeliverPacket(int len, const u_char* data, bool orig, + uint64 seq, const IP_Hdr* ip, int caplen) override; static analyzer::Analyzer* Instantiate(Connection* conn) { return new SIP_Analyzer(conn); } diff --git a/src/analyzer/protocol/sip/SIP_TCP.cc b/src/analyzer/protocol/sip/SIP_TCP.cc index 464c650bd9..23cc654fdb 100644 --- a/src/analyzer/protocol/sip/SIP_TCP.cc +++ b/src/analyzer/protocol/sip/SIP_TCP.cc @@ -55,8 +55,7 @@ void SIP_Analyzer::DeliverStream(int len, const u_char* data, bool orig) } catch ( const binpac::Exception& e ) { - printf("BinPAC Exception: %s\n", e.c_msg()); - ProtocolViolation(e.c_msg()); + ProtocolViolation(fmt("Binpac exception: %s", e.c_msg())); } } diff --git a/src/analyzer/protocol/sip/SIP_TCP.h b/src/analyzer/protocol/sip/SIP_TCP.h index f2a4dad479..b96e1db069 100644 --- a/src/analyzer/protocol/sip/SIP_TCP.h +++ b/src/analyzer/protocol/sip/SIP_TCP.h 
@@ -14,15 +14,15 @@ namespace analyzer { namespace sip_tcp { class SIP_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: - SIP_Analyzer(Connection* conn); - virtual ~SIP_Analyzer(); + explicit SIP_Analyzer(Connection* conn); + ~SIP_Analyzer() override; - virtual void Done(); - virtual void DeliverStream(int len, const u_char* data, bool orig); - virtual void Undelivered(uint64 seq, int len, bool orig); + void Done() override; + void DeliverStream(int len, const u_char* data, bool orig) override; + void Undelivered(uint64 seq, int len, bool orig) override; // Overriden from tcp::TCP_ApplicationAnalyzer. - virtual void EndpointEOF(bool is_orig); + void EndpointEOF(bool is_orig) override; static analyzer::Analyzer* Instantiate(Connection* conn) { return new SIP_Analyzer(conn); } diff --git a/src/analyzer/protocol/sip/sip-analyzer.pac b/src/analyzer/protocol/sip/sip-analyzer.pac index 829904aa3a..3174e6a977 100644 --- a/src/analyzer/protocol/sip/sip-analyzer.pac +++ b/src/analyzer/protocol/sip/sip-analyzer.pac @@ -8,7 +8,7 @@ refine flow SIP_Flow += { %init{ content_length = 0; - build_headers = (sip_all_headers != 0); + build_headers = bool(sip_all_headers); %} function get_content_length(): int diff --git a/src/analyzer/protocol/smb/CMakeLists.txt b/src/analyzer/protocol/smb/CMakeLists.txt index bf44501b96..cc5d690dfd 100644 --- a/src/analyzer/protocol/smb/CMakeLists.txt +++ b/src/analyzer/protocol/smb/CMakeLists.txt @@ -18,7 +18,9 @@ bro_plugin_bif( smb1_com_read_andx.bif smb1_com_session_setup_andx.bif smb1_com_transaction.bif + smb1_com_transaction_secondary.bif smb1_com_transaction2.bif + smb1_com_transaction2_secondary.bif smb1_com_tree_connect_andx.bif smb1_com_tree_disconnect.bif smb1_com_write_andx.bif @@ -65,6 +67,7 @@ bro_plugin_pac( smb1-com-transaction-secondary.pac smb1-com-transaction.pac smb1-com-transaction2.pac + smb1-com-transaction2-secondary.pac smb1-com-tree-connect-andx.pac smb1-com-tree-disconnect.pac smb1-com-write-andx.pac 
diff --git a/src/analyzer/protocol/smb/SMB.h b/src/analyzer/protocol/smb/SMB.h index ea9ec2e6a5..37aaa071a5 100644 --- a/src/analyzer/protocol/smb/SMB.h +++ b/src/analyzer/protocol/smb/SMB.h @@ -8,8 +8,8 @@ namespace analyzer { namespace smb { class SMB_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: - SMB_Analyzer(Connection* conn); - virtual ~SMB_Analyzer(); + explicit SMB_Analyzer(Connection* conn); + ~SMB_Analyzer() override; void Done() override; void DeliverStream(int len, const u_char* data, bool orig) override; diff --git a/src/analyzer/protocol/smb/smb-pipe.pac b/src/analyzer/protocol/smb/smb-pipe.pac index 2407c63dd3..4dd4c7e754 100644 --- a/src/analyzer/protocol/smb/smb-pipe.pac +++ b/src/analyzer/protocol/smb/smb-pipe.pac @@ -4,7 +4,7 @@ refine connection SMB_Conn += { %member{ - map tree_is_pipe_map; + map tree_is_pipe_map; map fid_to_analyzer_map; %} @@ -20,18 +20,23 @@ refine connection SMB_Conn += { } %} - function get_tree_is_pipe(tree_id: uint16): bool + function get_tree_is_pipe(tree_id: uint32): bool %{ - return ( tree_is_pipe_map.count(tree_id) > 0 ); + auto it = tree_is_pipe_map.find(tree_id); + + if ( it == tree_is_pipe_map.end() ) + return false; + + return it->second; %} - function unset_tree_is_pipe(tree_id: uint16): bool + function unset_tree_is_pipe(tree_id: uint32): bool %{ tree_is_pipe_map.erase(tree_id); return true; %} - function set_tree_is_pipe(tree_id: uint16): bool + function set_tree_is_pipe(tree_id: uint32): bool %{ tree_is_pipe_map[tree_id] = true; return true; 
@@ -39,10 +44,14 @@ refine connection SMB_Conn += { function forward_dce_rpc(pipe_data: bytestring, fid: uint64, is_orig: bool): bool %{ - analyzer::dce_rpc::DCE_RPC_Analyzer *pipe_dcerpc; - if ( fid_to_analyzer_map.count(fid) == 0 ) + analyzer::dce_rpc::DCE_RPC_Analyzer *pipe_dcerpc = nullptr; + auto it = fid_to_analyzer_map.find(fid); + + if ( it == fid_to_analyzer_map.end() ) { - pipe_dcerpc = (analyzer::dce_rpc::DCE_RPC_Analyzer *)analyzer_mgr->InstantiateAnalyzer("DCE_RPC", bro_analyzer()->Conn()); + auto tmp_analyzer = analyzer_mgr->InstantiateAnalyzer("DCE_RPC", bro_analyzer()->Conn()); + pipe_dcerpc = static_cast(tmp_analyzer); + if ( pipe_dcerpc ) { pipe_dcerpc->SetFileID(fid); @@ -51,7 +60,7 @@ refine connection SMB_Conn += { } else { - pipe_dcerpc = fid_to_analyzer_map.at(fid); + pipe_dcerpc = it->second; } if ( pipe_dcerpc ) diff --git a/src/analyzer/protocol/smb/smb-time.pac b/src/analyzer/protocol/smb/smb-time.pac index 0ad97d20a3..52654c7a2b 100644 --- a/src/analyzer/protocol/smb/smb-time.pac +++ b/src/analyzer/protocol/smb/smb-time.pac @@ -30,6 +30,7 @@ function time_from_lanman(t: SMB_time, d: SMB_date, tz: uint16): Val lTime.tm_mday = ${d.day}; lTime.tm_mon = ${d.month}; lTime.tm_year = 1980 + ${d.year}; + lTime.tm_isdst = -1; double lResult = mktime(&lTime); return new Val(lResult + tz, TYPE_TIME); %} diff --git a/src/analyzer/protocol/smb/smb.pac b/src/analyzer/protocol/smb/smb.pac index 156037f614..a21101faaa 100644 --- a/src/analyzer/protocol/smb/smb.pac +++ b/src/analyzer/protocol/smb/smb.pac @@ -24,7 +24,9 @@ #include "smb1_com_read_andx.bif.h" #include "smb1_com_session_setup_andx.bif.h" #include "smb1_com_transaction.bif.h" +#include "smb1_com_transaction_secondary.bif.h" #include "smb1_com_transaction2.bif.h" +#include "smb1_com_transaction2_secondary.bif.h" #include "smb1_com_tree_connect_andx.bif.h" #include "smb1_com_tree_disconnect.bif.h" #include "smb1_com_write_andx.bif.h" 
@@ -74,6 +76,7 @@ connection SMB_Conn(bro_analyzer: BroAnalyzer) { %include smb1-com-transaction-secondary.pac %include smb1-com-transaction.pac %include smb1-com-transaction2.pac +%include smb1-com-transaction2-secondary.pac %include smb1-com-tree-connect-andx.pac %include smb1-com-tree-disconnect.pac %include smb1-com-write-andx.pac diff --git a/src/analyzer/protocol/smb/smb1-com-query-information.pac b/src/analyzer/protocol/smb/smb1-com-query-information.pac index f2215fadc2..4566d1ff74 100644 --- a/src/analyzer/protocol/smb/smb1-com-query-information.pac +++ b/src/analyzer/protocol/smb/smb1-com-query-information.pac @@ -34,7 +34,7 @@ type SMB1_query_information_response(header: SMB_Header) = record { last_write_time : SMB_time; file_size : uint32; reserved : uint16[5]; - byte_count : uint16 &check($element == 0); + byte_count : uint16; } &let { proc : bool = $context.connection.proc_smb1_query_information_response(header, this); }; diff --git a/src/analyzer/protocol/smb/smb1-com-session-setup-andx.pac b/src/analyzer/protocol/smb/smb1-com-session-setup-andx.pac index ee96c08d86..854290d0d0 100644 --- a/src/analyzer/protocol/smb/smb1-com-session-setup-andx.pac +++ b/src/analyzer/protocol/smb/smb1-com-session-setup-andx.pac @@ -99,7 +99,7 @@ refine connection SMB_Conn += { response->Assign(1, new Val(${val.ntlm.is_guest}, TYPE_BOOL)); response->Assign(2, smb_string2stringval(${val.ntlm.native_os})); response->Assign(3, smb_string2stringval(${val.ntlm.native_lanman})); - response->Assign(4, smb_string2stringval(${val.ntlm.primary_domain})); + //response->Assign(4, smb_string2stringval(${val.ntlm.primary_domain})); //response->Assign(5, bytestring_to_val(${val.ntlm.security_blob})); break; default: // Error! 
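Review bot: The `response->Assign(4, smb_string2stringval(${val.ntlm.primary_domain}));` line in smb1-com-session-setup-andx.pac is commented out rather than deleted, and the following hunk removes the `primary_domain` field it reads, so the comment can never be re-enabled as written. Delete the line, or replace it with a short comment saying why field 4 of the response record is now left unset, for example `// primary_domain is no longer parsed; field 4 stays unset`. Script-level consumers of that field (not visible here) would then need to treat it as optional.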
@@ -242,7 +242,6 @@ type SMB1_session_setup_andx_response_ntlm(header: SMB_Header, offset: uint16) = # offset + 1 due to word_count in the parent type native_os : SMB_string(header.unicode, offsetof(native_os) + 1); native_lanman : SMB_string(header.unicode, offsetof(native_lanman) + 1); - primary_domain : SMB_string(header.unicode, offsetof(primary_domain) + 1); extra_byte_parameters : bytestring &transient &length=(andx.offset == 0 || andx.offset >= (offset+offsetof(extra_byte_parameters))+2) ? 0 : (andx.offset-(offset+offsetof(extra_byte_parameters))); diff --git a/src/analyzer/protocol/smb/smb1-com-transaction-secondary.pac b/src/analyzer/protocol/smb/smb1-com-transaction-secondary.pac index bcd9ba91bb..e5314d798b 100644 --- a/src/analyzer/protocol/smb/smb1-com-transaction-secondary.pac +++ b/src/analyzer/protocol/smb/smb1-com-transaction-secondary.pac 
@@ -1,3 +1,61 @@ +refine connection SMB_Conn += { + + function proc_smb1_transaction_secondary_request(header: SMB_Header, val: SMB1_transaction_secondary_request): bool + %{ + if ( ! smb1_transaction_secondary_request ) + return false; + + RecordVal* args = new RecordVal(BifType::Record::SMB1::Trans_Sec_Args); + args->Assign(0, new Val(${val.total_param_count}, TYPE_COUNT)); + args->Assign(1, new Val(${val.total_data_count}, TYPE_COUNT)); + args->Assign(2, new Val(${val.param_count}, TYPE_COUNT)); + args->Assign(3, new Val(${val.param_offset}, TYPE_COUNT)); + args->Assign(4, new Val(${val.param_displacement}, TYPE_COUNT)); + args->Assign(5, new Val(${val.data_count}, TYPE_COUNT)); + args->Assign(6, new Val(${val.data_offset}, TYPE_COUNT)); + args->Assign(7, new Val(${val.data_displacement}, TYPE_COUNT)); + + StringVal* parameters = new StringVal(${val.parameters}.length(), + (const char*)${val.parameters}.data()); + StringVal* payload_str = nullptr; + SMB1_transaction_data* payload = nullptr; + + if ( ${val.data_count} > 0 ) + { + payload = ${val.data}; + } + + if ( payload ) + { + switch ( payload->trans_type() ) { + case SMB_PIPE: + payload_str = new StringVal(${val.data_count}, (const char*)${val.data.pipe_data}.data()); + break; + case SMB_UNKNOWN: + payload_str = new StringVal(${val.data_count}, (const char*)${val.data.unknown}.data()); + break; + default: + payload_str = new StringVal(${val.data_count}, (const char*)${val.data.data}.data()); + break; + } + } + + if ( ! payload_str ) + { + payload_str = new StringVal(""); + } + + BifEvent::generate_smb1_transaction_secondary_request(bro_analyzer(), + bro_analyzer()->Conn(), + BuildHeaderVal(header), + args, + parameters, + payload_str); + + return true; + %} +}; + type SMB1_transaction_secondary_request(header: SMB_Header) = record { word_count : uint8; total_param_count : uint16; 
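Review bot: The three `payload_str = new StringVal(${val.data_count}, …)` lines in `proc_smb1_transaction_secondary_request` take the copy length from the `data_count` header field, while the bytes come from members that `SMB1_transaction_data` declares as `bytestring &restofdata`, whose real length is whatever the message still held. If a message declares a `data_count` larger than the data actually present and nothing earlier rejects it, the copy reads past the end of that bytestring. Use the bytestring's own length, as the `parameters` line just above already does: `payload_str = new StringVal(${val.data.pipe_data}.length(), (const char*)${val.data.pipe_data}.data());`, and likewise for `unknown` and `data`. The same pattern is added to `proc_smb1_transaction_request` and `proc_smb1_transaction_response` in smb1-com-transaction.pac.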
@@ -14,4 +72,6 @@ type SMB1_transaction_secondary_request(header: SMB_Header) = record { parameters : bytestring &length = param_count; pad2 : padding to data_offset - SMB_Header_length; data : SMB1_transaction_data(header, true, data_count, 0, SMB_UNKNOWN, false); +} &let { + proc : bool = $context.connection.proc_smb1_transaction_secondary_request(header, this); }; diff --git a/src/analyzer/protocol/smb/smb1-com-transaction.pac b/src/analyzer/protocol/smb/smb1-com-transaction.pac index d199b9062c..c06a7c8cb0 100644 --- a/src/analyzer/protocol/smb/smb1-com-transaction.pac +++ b/src/analyzer/protocol/smb/smb1-com-transaction.pac 
@@ -31,18 +31,90 @@ refine connection SMB_Conn += { function proc_smb1_transaction_request(header: SMB_Header, val: SMB1_transaction_request): bool %{ - if ( smb1_transaction_request ) - BifEvent::generate_smb1_transaction_request(bro_analyzer(), - bro_analyzer()->Conn(), - BuildHeaderVal(header), - smb_string2stringval(${val.name}), - ${val.sub_cmd}); + if ( ! smb1_transaction_request ) + return false; + + StringVal* parameters = new StringVal(${val.parameters}.length(), + (const char*)${val.parameters}.data()); + StringVal* payload_str = nullptr; + SMB1_transaction_data* payload = nullptr; + + if ( ${val.data_count} > 0 ) + { + payload = ${val.data}; + } + + if ( payload ) + { + switch ( payload->trans_type() ) { + case SMB_PIPE: + payload_str = new StringVal(${val.data_count}, (const char*)${val.data.pipe_data}.data()); + break; + case SMB_UNKNOWN: + payload_str = new StringVal(${val.data_count}, (const char*)${val.data.unknown}.data()); + break; + default: + payload_str = new StringVal(${val.data_count}, (const char*)${val.data.data}.data()); + break; + } + } + + if ( ! payload_str ) + { + payload_str = new StringVal(""); + } + + BifEvent::generate_smb1_transaction_request(bro_analyzer(), + bro_analyzer()->Conn(), + BuildHeaderVal(header), + smb_string2stringval(${val.name}), + ${val.sub_cmd}, + parameters, + payload_str); return true; %} function proc_smb1_transaction_response(header: SMB_Header, val: SMB1_transaction_response): bool %{ + if ( ! 
smb1_transaction_response ) + return false; + + StringVal* parameters = new StringVal(${val.parameters}.length(), + (const char*)${val.parameters}.data()); + StringVal* payload_str = nullptr; + SMB1_transaction_data* payload = nullptr; + + if ( ${val.data_count} > 0 ) + { + payload = ${val.data[0]}; + } + + if ( payload ) + { + switch ( payload->trans_type() ) { + case SMB_PIPE: + payload_str = new StringVal(${val.data_count}, (const char*)${val.data[0].pipe_data}.data()); + break; + case SMB_UNKNOWN: + payload_str = new StringVal(${val.data_count}, (const char*)${val.data[0].unknown}.data()); + break; + default: + payload_str = new StringVal(${val.data_count}, (const char*)${val.data[0].data}.data()); + break; + } + } + + if ( ! payload_str ) + { + payload_str = new StringVal(""); + } + + BifEvent::generate_smb1_transaction_response(bro_analyzer(), + bro_analyzer()->Conn(), + BuildHeaderVal(header), + parameters, + payload_str); return true; %} }; @@ -54,17 +126,12 @@ type SMB1_transaction_data(header: SMB_Header, is_orig: bool, count: uint16, sub # SMB_MAILSLOT_LANMAN -> lanman : SMB_MailSlot_message(header.unicode, count); # SMB_RAP -> rap : SMB_Pipe_message(header.unicode, count); SMB_PIPE -> pipe_data : bytestring &restofdata; - SMB_UNKNOWN -> unknown : bytestring &restofdata &transient; - default -> data : bytestring &restofdata &transient; + SMB_UNKNOWN -> unknown : bytestring &restofdata; + default -> data : bytestring &restofdata; } &let { pipe_proc : bool = $context.connection.forward_dce_rpc(pipe_data, 0, is_orig) &if(trans_type == SMB_PIPE); }; -type SMB1_transaction_setup = record { - op_code : uint16; - file_id : uint16; -} - type SMB1_transaction_request(header: SMB_Header) = record { word_count : uint8; total_param_count : uint16; 
@@ -83,7 +150,7 @@ type SMB1_transaction_request(header: SMB_Header) = record { setup_count : uint8; reserved3 : uint8; # word_count 16 is a different dialect that behaves a bit differently. - setup : SMB1_transaction_setup[word_count == 16 ? 1 : setup_count]; + setup : uint16[setup_count]; byte_count : uint16; name : SMB_string(header.unicode, offsetof(name)); @@ -92,7 +159,7 @@ type SMB1_transaction_request(header: SMB_Header) = record { pad2 : padding to data_offset - SMB_Header_length; data : SMB1_transaction_data(header, true, data_count, sub_cmd, transtype, is_pipe); } &let { - sub_cmd : uint16 = (sizeof(setup) && word_count != 16) > 0 ? setup[0].op_code : 0; + sub_cmd : uint16 = (sizeof(setup) && word_count != 16) > 0 ? setup[0] : 0; transtype : int = determine_transaction_type(header, name); is_pipe : bool = (transtype == SMB_PIPE || (transtype == SMB_UNKNOWN && $context.connection.get_tree_is_pipe(header.tid))); diff --git a/src/analyzer/protocol/smb/smb1-com-transaction2-secondary.pac b/src/analyzer/protocol/smb/smb1-com-transaction2-secondary.pac new file mode 100644 index 0000000000..0383687651 --- /dev/null +++ b/src/analyzer/protocol/smb/smb1-com-transaction2-secondary.pac 
@@ -0,0 +1,52 @@ +refine connection SMB_Conn += { + + function proc_smb1_transaction2_secondary_request(header: SMB_Header, val: SMB1_transaction2_secondary_request): bool + %{ + if ( ! smb1_transaction2_secondary_request ) + return false; + + RecordVal* args = new RecordVal(BifType::Record::SMB1::Trans2_Sec_Args); + args->Assign(0, new Val(${val.total_param_count}, TYPE_COUNT)); + args->Assign(1, new Val(${val.total_data_count}, TYPE_COUNT)); + args->Assign(2, new Val(${val.param_count}, TYPE_COUNT)); + args->Assign(3, new Val(${val.param_offset}, TYPE_COUNT)); + args->Assign(4, new Val(${val.param_displacement}, TYPE_COUNT)); + args->Assign(5, new Val(${val.data_count}, TYPE_COUNT)); + args->Assign(6, new Val(${val.data_offset}, TYPE_COUNT)); + args->Assign(7, new Val(${val.data_displacement}, TYPE_COUNT)); + args->Assign(8, new Val(${val.FID}, TYPE_COUNT)); + + StringVal* parameters = new StringVal(${val.parameters}.length(), (const char*)${val.parameters}.data()); + StringVal* payload = new StringVal(${val.data}.length(), (const char*)${val.data}.data()); + + BifEvent::generate_smb1_transaction2_secondary_request(bro_analyzer(), + bro_analyzer()->Conn(), + BuildHeaderVal(header), + args, + parameters, + payload); + + return true; + %} +}; + +type SMB1_transaction2_secondary_request(header: SMB_Header) = record { + word_count : uint8; + total_param_count : uint16; + total_data_count : uint16; + param_count : uint16; + param_offset : uint16; + param_displacement : uint16; + data_count : uint16; + data_offset : uint16; + data_displacement : uint16; + FID : uint16; + + byte_count : uint16; + pad1 : padding to (param_offset - SMB_Header_length); + parameters : bytestring &length = param_count; + pad2 : padding to (data_offset - SMB_Header_length); + data : bytestring &length=data_count; +} &let { + proc : bool = $context.connection.proc_smb1_transaction2_secondary_request(header, this); +}; 
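Review bot: The `*_count`, `*_offset` and `*_displacement` values copied into `Trans2_Sec_Args` come straight off the wire, and nothing in `SMB1_transaction2_secondary_request` ties them to each other or to the totals announced by the primary request. `padding to (param_offset - SMB_Header_length)` also goes negative when a message carries an offset smaller than the header length; how binpac treats that is not visible in this diff and is worth confirming with a test trace. I would add a comment above the record such as `# Offsets and counts are unvalidated wire values; consumers reassembling a transaction must bound displacement + count by the advertised totals.`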
diff --git a/src/analyzer/protocol/smb/smb1-com-transaction2.pac b/src/analyzer/protocol/smb/smb1-com-transaction2.pac index 1025e89dc2..5e77489d10 100644 --- a/src/analyzer/protocol/smb/smb1-com-transaction2.pac +++ b/src/analyzer/protocol/smb/smb1-com-transaction2.pac @@ -23,7 +23,23 @@ refine connection SMB_Conn += { function proc_smb1_transaction2_request(header: SMB_Header, val: SMB1_transaction2_request): bool %{ if ( smb1_transaction2_request ) - BifEvent::generate_smb1_transaction2_request(bro_analyzer(), bro_analyzer()->Conn(), BuildHeaderVal(header), ${val.sub_cmd}); + { + RecordVal* args = new RecordVal(BifType::Record::SMB1::Trans2_Args); + args->Assign(0, new Val(${val.total_param_count}, TYPE_COUNT)); + args->Assign(1, new Val(${val.total_data_count}, TYPE_COUNT)); + args->Assign(2, new Val(${val.max_param_count}, TYPE_COUNT)); + args->Assign(3, new Val(${val.max_data_count}, TYPE_COUNT)); + args->Assign(4, new Val(${val.max_setup_count}, TYPE_COUNT)); + args->Assign(5, new Val(${val.flags}, TYPE_COUNT)); + args->Assign(6, new Val(${val.timeout}, TYPE_COUNT)); + args->Assign(7, new Val(${val.param_count}, TYPE_COUNT)); + args->Assign(8, new Val(${val.param_offset}, TYPE_COUNT)); + args->Assign(9, new Val(${val.data_count}, TYPE_COUNT)); + args->Assign(10, new Val(${val.data_offset}, TYPE_COUNT)); + args->Assign(11, new Val(${val.setup_count}, TYPE_COUNT)); + + BifEvent::generate_smb1_transaction2_request(bro_analyzer(), bro_analyzer()->Conn(), BuildHeaderVal(header), args, ${val.sub_cmd}); + } return true; %} diff --git a/src/analyzer/protocol/smb/smb1-com-tree-connect-andx.pac b/src/analyzer/protocol/smb/smb1-com-tree-connect-andx.pac index 526febce39..1f29b878fa 100644 --- a/src/analyzer/protocol/smb/smb1-com-tree-connect-andx.pac +++ b/src/analyzer/protocol/smb/smb1-com-tree-connect-andx.pac 
@@ -13,20 +13,19 @@ refine connection SMB_Conn += { function proc_smb1_tree_connect_andx_response(header: SMB_Header, val: SMB1_tree_connect_andx_response): bool %{ - if ( strncmp((const char*) smb_string2stringval(${val.service})->Bytes(), - "IPC", 3) == 0 ) - { + auto service_string = smb_string2stringval(${val.service}); + auto s = reinterpret_cast(service_string->Bytes()); + if ( strncmp(s, "IPC", 3) == 0 ) set_tree_is_pipe(${header.tid}); - } - + if ( smb1_tree_connect_andx_response ) - { BifEvent::generate_smb1_tree_connect_andx_response(bro_analyzer(), bro_analyzer()->Conn(), BuildHeaderVal(header), - smb_string2stringval(${val.service}), + service_string, ${val.byte_count} > ${val.service.a}->size() ? smb_string2stringval(${val.native_file_system[0]}) : new StringVal("")); - } + else + Unref(service_string); return true; %} diff --git a/src/analyzer/protocol/smb/smb1-protocol.pac b/src/analyzer/protocol/smb/smb1-protocol.pac index 4b38feefcb..75db898f73 100644 --- a/src/analyzer/protocol/smb/smb1-protocol.pac +++ b/src/analyzer/protocol/smb/smb1-protocol.pac @@ -170,7 +170,7 @@ type SMB_Message_Request(header: SMB_Header, offset: uint16, command: uint8, is_ # #SMB_COM_QUERY_INFORMATION2 -> query_information2 : SMB_query_information2_request(header); SMB_COM_LOCKING_ANDX -> locking_andx : SMB1_locking_andx_request(header, offset); SMB_COM_TRANSACTION -> transaction : SMB1_transaction_request(header); -# SMB_COM_TRANSACTION_SECONDARY -> transaction_secondary : SMB1_transaction_secondary_request(header); + SMB_COM_TRANSACTION_SECONDARY -> transaction_secondary : SMB1_transaction_secondary_request(header); # #SMB_COM_IOCTL -> ioctl : SMB_ioctl_request(header); # #SMB_COM_IOCTL_SECONDARY -> ioctl_secondary : SMB_ioctl_secondary_request(header); # #SMB_COM_COPY -> copy : SMB_copy_request(header); 
@@ -179,7 +179,7 @@ type SMB_Message_Request(header: SMB_Header, offset: uint16, command: uint8, is_ # #SMB_COM_WRITE_AND_CLOSE -> write_and_close : SMB_write_and_close_request(header); # #SMB_COM_NEW_FILE_SIZE -> new_file_size : SMB_new_file_size_request(header); # #SMB_COM_CLOSE_AND_TREE_DISC -> close_and_tree_disc : SMB_close_and_tree_disc_request(header); -# #SMB_COM_TRANSACTION2_SECONDARY -> transaction2_secondary : SMB1_transaction2_secondary_request(header); + SMB_COM_TRANSACTION2_SECONDARY -> transaction2_secondary : SMB1_transaction2_secondary_request(header); # #SMB_COM_FIND_CLOSE2 -> find_close2 : SMB_find_close2_request(header); # #SMB_COM_FIND_NOTIFY_CLOSE -> find_notify_close : SMB_find_notify_close_request(header); # #SMB_COM_TREE_CONNECT -> tree_connect : SMB_tree_connect_request(header); diff --git a/src/analyzer/protocol/smb/smb1_com_transaction.bif b/src/analyzer/protocol/smb/smb1_com_transaction.bif index 8811cc3e92..0c411b55c3 100644 --- a/src/analyzer/protocol/smb/smb1_com_transaction.bif +++ b/src/analyzer/protocol/smb/smb1_com_transaction.bif @@ -3,7 +3,7 @@ ## Transaction Subprotocol Commands. These commands operate on mailslots and named pipes, ## which are interprocess communication endpoints within the CIFS file system. ## -## For more information, see MS-CIFS:2.2.4.33 +## For more information, see MS-CIFS:2.2.4.33.1 ## ## c: The connection. ## 
@@ -14,5 +14,25 @@ ## ## sub_cmd: The sub command, some may be parsed and have their own events. ## +## parameters: content of the SMB_Data.Trans_Parameters field +## +## data: content of the SMB_Data.Trans_Data field +## ## .. bro:see:: smb1_message smb1_transaction2_request -event smb1_transaction_request%(c: connection, hdr: SMB1::Header, name: string, sub_cmd: count%); +event smb1_transaction_request%(c: connection, hdr: SMB1::Header, name: string, sub_cmd: count, parameters: string, data: string%); + +## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` +## version 1 requests of type *transaction*. This command serves as the transport for the +## Transaction Subprotocol Commands. These commands operate on mailslots and named pipes, +## which are interprocess communication endpoints within the CIFS file system. +## +## For more information, see MS-CIFS:2.2.4.33.2 +## +## c: The connection. +## +## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message. +## +## parameters: content of the SMB_Data.Trans_Parameters field +## +## data: content of the SMB_Data.Trans_Data field +event smb1_transaction_response%(c: connection, hdr: SMB1::Header, parameters: string, data: string%); diff --git a/src/analyzer/protocol/smb/smb1_com_transaction2.bif b/src/analyzer/protocol/smb/smb1_com_transaction2.bif index 0daf5fcdd9..aa30aeebe1 100644 --- a/src/analyzer/protocol/smb/smb1_com_transaction2.bif +++ b/src/analyzer/protocol/smb/smb1_com_transaction2.bif 
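Review bot: The doc block added for `smb1_transaction_response` was copied from the request event and still says "version 1 requests of type *transaction*"; it should read `## version 1 responses of type *transaction*.` It also lacks the `.. bro:see::` line that the request event has, so something like `## .. bro:see:: smb1_message smb1_transaction_request` would keep the cross-references symmetric. Since `parameters` and `data` are raw peer-supplied bytes, it is worth saying so in both blocks for script authors who log or parse them.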
@@ -17,7 +17,7 @@ ## ## .. bro:see:: smb1_message smb1_trans2_find_first2_request smb1_trans2_query_path_info_request ## smb1_trans2_get_dfs_referral_request smb1_transaction_request -event smb1_transaction2_request%(c: connection, hdr: SMB1::Header, sub_cmd: count%); +event smb1_transaction2_request%(c: connection, hdr: SMB1::Header, args: SMB1::Trans2_Args, sub_cmd: count%); ## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` ## version 1 *transaction2* requests of subtype *find first2*. This transaction is used to begin @@ -92,6 +92,6 @@ event smb1_trans2_get_dfs_referral_request%(c: connection, hdr: SMB1::Header, fi ### Types - type SMB1::Find_First2_Request_Args: record; -type SMB1::Find_First2_Response_Args: record; \ No newline at end of file +type SMB1::Find_First2_Response_Args: record; +type SMB1::Trans2_Args: record; diff --git a/src/analyzer/protocol/smb/smb1_com_transaction2_secondary.bif b/src/analyzer/protocol/smb/smb1_com_transaction2_secondary.bif new file mode 100644 index 0000000000..7d02628de9 --- /dev/null +++ b/src/analyzer/protocol/smb/smb1_com_transaction2_secondary.bif @@ -0,0 +1,19 @@ +## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` +## version 1 requests of type *transaction2 secondary*. +## +## For more information, see MS-CIFS:2.2.4.47.1 +## +## c: The connection. +## +## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` +## version 1 message. +## +## args: arguments of the message (SMB_Parameters.Words) +## +## parameters: content of the SMB_Data.Trans_Parameters field +## +## data: content of the SMB_Data.Trans_Data field +event smb1_transaction2_secondary_request%(c: connection, hdr: SMB1::Header, args: SMB1::Trans2_Sec_Args, parameters: string, data: string%); + +### Types +type SMB1::Trans2_Sec_Args: record; 
diff --git a/src/analyzer/protocol/smb/smb1_com_transaction_secondary.bif b/src/analyzer/protocol/smb/smb1_com_transaction_secondary.bif new file mode 100644 index 0000000000..bd3644ffb3 --- /dev/null +++ b/src/analyzer/protocol/smb/smb1_com_transaction_secondary.bif @@ -0,0 +1,19 @@ +## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` +## version 1 requests of type *transaction_secondary*. This command +## serves as an additional request data container for the +## Transaction Subprotocol Commands (carried by *transaction* requests). +## +## For more information, see MS-CIFS:2.2.4.34 +## +## c: The connection. +## +## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 1 message. +## +## parameters: the SMB_Data.Trans_Parameters field content +## +## data: the SMB_Data.Trans_Data field content +## +event smb1_transaction_secondary_request%(c: connection, hdr: SMB1::Header, args: SMB1::Trans_Sec_Args, parameters: string, data: string%); + +### Types +type SMB1::Trans_Sec_Args: record; diff --git a/src/analyzer/protocol/smb/smb2-com-create.pac b/src/analyzer/protocol/smb/smb2-com-create.pac index 4d7c70bbe7..1cc97fb0bd 100644 --- a/src/analyzer/protocol/smb/smb2-com-create.pac +++ b/src/analyzer/protocol/smb/smb2-com-create.pac @@ -13,10 +13,14 @@ refine connection SMB_Conn += { if ( smb2_create_request ) { + RecordVal* requestinfo = new RecordVal(BifType::Record::SMB2::CreateRequest); + requestinfo->Assign(0, filename); + requestinfo->Assign(1, new Val(${val.disposition}, TYPE_COUNT)); + requestinfo->Assign(2, new Val(${val.create_options}, TYPE_COUNT)); BifEvent::generate_smb2_create_request(bro_analyzer(), bro_analyzer()->Conn(), BuildSMB2HeaderVal(h), - filename); + requestinfo); } else { 
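Review bot: The new `smb1_transaction_secondary_request` event takes `args: SMB1::Trans_Sec_Args`, but the doc block above it documents only `c`, `hdr`, `parameters` and `data`. Add `## args: arguments of the message (SMB_Parameters.Words)` before the `parameters:` entry, matching the wording used for `smb1_transaction2_secondary_request`. The trailing empty `##` line before the event can be dropped at the same time.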
@@ -30,16 +34,19 @@ refine connection SMB_Conn += { %{ if ( smb2_create_response ) { + RecordVal* responseinfo = new RecordVal(BifType::Record::SMB2::CreateResponse); + responseinfo->Assign(0, BuildSMB2GUID(${val.file_id})); + responseinfo->Assign(1, new Val(${val.eof}, TYPE_COUNT)); + responseinfo->Assign(2, SMB_BuildMACTimes(${val.last_write_time}, + ${val.last_access_time}, + ${val.creation_time}, + ${val.change_time})); + responseinfo->Assign(3, smb2_file_attrs_to_bro(${val.file_attrs})); + responseinfo->Assign(4, new Val(${val.create_action}, TYPE_COUNT)); BifEvent::generate_smb2_create_response(bro_analyzer(), bro_analyzer()->Conn(), BuildSMB2HeaderVal(h), - BuildSMB2GUID(${val.file_id}), - ${val.eof}, - SMB_BuildMACTimes(${val.last_write_time}, - ${val.last_access_time}, - ${val.creation_time}, - ${val.change_time}), - smb2_file_attrs_to_bro(${val.file_attrs})); + responseinfo); } return true; diff --git a/src/analyzer/protocol/smb/smb2-com-ioctl.pac b/src/analyzer/protocol/smb/smb2-com-ioctl.pac index e5abeefc82..8d65312f9d 100644 --- a/src/analyzer/protocol/smb/smb2-com-ioctl.pac +++ b/src/analyzer/protocol/smb/smb2-com-ioctl.pac @@ -5,14 +5,14 @@ refine connection SMB_Conn += { function get_ioctl_fid(message_id: uint64): uint64 %{ - if ( smb2_ioctl_fids.count(message_id) == 0 ) + auto it = smb2_ioctl_fids.find(message_id); + + if ( it == smb2_ioctl_fids.end() ) return 0; - else - { - uint64 fid = smb2_ioctl_fids[message_id]; - smb2_ioctl_fids.erase(message_id); - return fid; - } + + uint64 fid = it->second; + smb2_ioctl_fids.erase(it); + return fid; %} function proc_smb2_ioctl_request(val: SMB2_ioctl_request) : bool diff --git a/src/analyzer/protocol/smb/smb2-com-read.pac b/src/analyzer/protocol/smb/smb2-com-read.pac index cf5d2ae065..bce9ba2ca9 100644 --- a/src/analyzer/protocol/smb/smb2-com-read.pac +++ b/src/analyzer/protocol/smb/smb2-com-read.pac 
@@ -3,20 +3,23 @@ refine connection SMB_Conn += { %member{ // Track read offsets to provide correct // offsets for file manager. - std::map smb2_read_offsets; + std::map smb2_read_offsets; std::map smb2_read_fids; %} - function get_file_id(message_id: uint64): uint64 + function get_file_id(message_id: uint64, forget: bool): uint64 %{ - if ( smb2_read_fids.count(message_id) == 0 ) + auto it = smb2_read_fids.find(message_id); + + if ( it == smb2_read_fids.end() ) return 0; - else - { - uint64 fid = smb2_read_fids[message_id]; - smb2_read_fids.erase(message_id); - return fid; - } + + uint64 fid = it->second; + + if ( forget ) + smb2_read_fids.erase(it); + + return fid; %} function proc_smb2_read_request(h: SMB2_Header, val: SMB2_read_request) : bool @@ -40,7 +43,10 @@ refine connection SMB_Conn += { function proc_smb2_read_response(h: SMB2_Header, val: SMB2_read_response) : bool %{ uint64 offset = smb2_read_offsets[${h.message_id}]; - smb2_read_offsets.erase(${h.message_id}); + + // If a PENDING status was received, keep this around. + if ( ${h.status} != 0x00000103 ) + smb2_read_offsets.erase(${h.message_id}); if ( ! ${h.is_pipe} && ${val.data_len} > 0 ) { @@ -83,7 +89,8 @@ type SMB2_read_response(header: SMB2_Header) = record { pad : padding to data_offset - header.head_length; data : bytestring &length=data_len; } &let { - fid : uint64 = $context.connection.get_file_id(header.message_id); + # If a reply is has a pending status, let it remain. + fid : uint64 = $context.connection.get_file_id(header.message_id, header.status != 0x00000103); pipe_proc : bool = $context.connection.forward_dce_rpc(data, fid, false) &if(header.is_pipe); proc: bool = $context.connection.proc_smb2_read_response(header, this); diff --git a/src/analyzer/protocol/smb/smb2-com-set-info.pac b/src/analyzer/protocol/smb/smb2-com-set-info.pac index 379c919d7d..6874808da9 100644 --- a/src/analyzer/protocol/smb/smb2-com-set-info.pac +++ b/src/analyzer/protocol/smb/smb2-com-set-info.pac 
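Review bot: In `proc_smb2_read_response`, `smb2_read_offsets[${h.message_id}]` inserts a zero entry for a message id that was never requested, and with the new pending-status exemption that entry (and the matching one in `smb2_read_fids`) is kept until a final response arrives. A peer that sends pending replies and never completes them can therefore grow these maps, presumably for the life of the connection; the `smb2_request_tree_id` map added in smb2-protocol.pac has the same shape for requests that are never answered. Use a lookup that does not insert, `auto it = smb2_read_offsets.find(${h.message_id});` followed by `uint64 offset = it == smb2_read_offsets.end() ? 0 : it->second;`, and consider a cap or expiry on all three maps. The literal `0x00000103` now appears in several places and would read better as one named constant. The function body continues outside the hunk.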
@@ -6,12 +6,29 @@ enum smb2_set_info_type { }; enum smb_file_info_type { + SMB2_FILE_BASIC_INFO = 0x04, SMB2_FILE_RENAME_INFO = 0x0a, SMB2_FILE_DISPOSITION_INFO = 0x0d, } refine connection SMB_Conn += { + function proc_smb2_set_info_request_file(val: SMB2_file_basic_info): bool + %{ + if ( smb2_file_sattr ) + BifEvent::generate_smb2_file_sattr(bro_analyzer(), + bro_analyzer()->Conn(), + BuildSMB2HeaderVal(${val.sir.header}), + BuildSMB2GUID(${val.sir.file_id}), + SMB_BuildMACTimes(${val.last_write_time}, + ${val.last_access_time}, + ${val.creation_time}, + ${val.change_time}), + smb2_file_attrs_to_bro(${val.file_attrs})); + + return true; + %} + function proc_smb2_set_info_request_file_rename(val: SMB2_file_rename_info): bool %{ if ( smb2_file_rename ) @@ -38,6 +55,16 @@ refine connection SMB_Conn += { }; +type SMB2_file_basic_info(sir: SMB2_set_info_request) = record { + creation_time : SMB_timestamp; + last_access_time : SMB_timestamp; + last_write_time : SMB_timestamp; + change_time : SMB_timestamp; + file_attrs : SMB2_file_attributes; +} &let { + proc: bool = $context.connection.proc_smb2_set_info_request_file(this); +}; + type SMB2_file_rename_info(sir: SMB2_set_info_request) = record { replace_if_exists : uint8; reserved : uint8[7]; @@ -55,6 +82,7 @@ type SMB2_file_disposition_info(sir: SMB2_set_info_request) = record { }; type SMB2_set_info_file_class(sir: SMB2_set_info_request) = case sir.info_level of { + SMB2_FILE_BASIC_INFO -> file_basic : SMB2_file_basic_info(sir); SMB2_FILE_RENAME_INFO -> file_rename : SMB2_file_rename_info(sir); SMB2_FILE_DISPOSITION_INFO -> file_disposition : SMB2_file_disposition_info(sir); default -> info_file_unhandled : empty; diff --git a/src/analyzer/protocol/smb/smb2-protocol.pac b/src/analyzer/protocol/smb/smb2-protocol.pac index 1cad6e130e..20414c5a9a 100644 --- a/src/analyzer/protocol/smb/smb2-protocol.pac +++ b/src/analyzer/protocol/smb/smb2-protocol.pac 
@@ -94,6 +94,12 @@ type SMB2_Message_Response(header: SMB2_Header) = case header.command of { refine connection SMB_Conn += { + %member{ + // Track tree_ids given in requests. Sometimes the server doesn't + // reply with the tree_id. Index is message_id, yield is tree_id + std::map smb2_request_tree_id; + %} + function BuildSMB2HeaderVal(hdr: SMB2_Header): BroVal %{ RecordVal* r = new RecordVal(BifType::Record::SMB2::Header); @@ -124,8 +130,20 @@ refine connection SMB_Conn += { function proc_smb2_message(h: SMB2_Header, is_orig: bool): bool %{ - //if ( ${h.command} == SMB2_READ ) - // printf("got a read %s command\n", is_orig ? "request" : "response"); + if ( is_orig ) + { + // Store the tree_id + smb2_request_tree_id[${h.message_id}] = ${h.tree_id}; + } + else + { + // Remove the stored tree_id unless the reply is pending. It will + // have already been used by the time this code is reached. + if ( ${h.status} != 0x00000103 ) + { + smb2_request_tree_id.erase(${h.message_id}); + } + } if ( smb2_message ) { @@ -135,6 +153,17 @@ refine connection SMB_Conn += { } return true; %} + + function get_request_tree_id(message_id: uint64): uint64 + %{ + // This is stored at the request and used at the reply. + auto it = smb2_request_tree_id.find(message_id); + + if ( it == smb2_request_tree_id.end() ) + return 0; + + return it->second; + %} }; function smb2_file_attrs_to_bro(val: SMB2_file_attributes): BroVal @@ -199,7 +228,8 @@ type SMB2_Header(is_orig: bool) = record { related = (flags >> 26) & 1; msigned = (flags >> 27) & 1; dfs = (flags) & 1; - is_pipe: bool = $context.connection.get_tree_is_pipe(tree_id); + request_tree_id = $context.connection.get_request_tree_id(message_id); + is_pipe: bool = $context.connection.get_tree_is_pipe(is_orig ? tree_id : request_tree_id); proc : bool = $context.connection.proc_smb2_message(this, is_orig); } &byteorder=littleendian; 
diff --git a/src/analyzer/protocol/smb/smb2_com_create.bif b/src/analyzer/protocol/smb/smb2_com_create.bif index dea5b118ca..9a77878e9f 100644 --- a/src/analyzer/protocol/smb/smb2_com_create.bif +++ b/src/analyzer/protocol/smb/smb2_com_create.bif @@ -8,10 +8,10 @@ ## ## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message. ## -## file_name: The name of the file being requested. +## request: A record with more information related to the request. ## ## .. bro:see:: smb2_message smb2_create_response -event smb2_create_request%(c: connection, hdr: SMB2::Header, file_name: string%); +event smb2_create_request%(c: connection, hdr: SMB2::Header, request: SMB2::CreateRequest%); ## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` ## version 2 responses of type *create*. This is sent by the server to notify the client of @@ -23,13 +23,12 @@ event smb2_create_request%(c: connection, hdr: SMB2::Header, file_name: string%) ## ## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message. ## -## file_id: The SMB2 GUID for the file. -## -## size: Size of the file. -## -## times: Timestamps associated with the file in question. -## -## attrs: File attributes. +## response: A record with more information related to the response. ## ## .. bro:see:: smb2_message smb2_create_request -event smb2_create_response%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, size: count, times: SMB::MACTimes, attrs: SMB2::FileAttrs%); +event smb2_create_response%(c: connection, hdr: SMB2::Header, response: SMB2::CreateResponse%); + +#### Types + +type SMB2::CreateRequest: record; +type SMB2::CreateResponse: record; diff --git a/src/analyzer/protocol/smb/smb2_com_set_info.bif b/src/analyzer/protocol/smb/smb2_com_set_info.bif index 3aeeb579fe..1f6d9386f8 100644 --- a/src/analyzer/protocol/smb/smb2_com_set_info.bif +++ b/src/analyzer/protocol/smb/smb2_com_set_info.bif 
@@ -11,7 +11,7 @@ ## ## dst_filename: The filename to rename the file into. ## -## .. bro:see:: smb2_message smb2_file_delete +## .. bro:see:: smb2_message smb2_file_delete smb2_file_sattr event smb2_file_rename%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, dst_filename: string%); ## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` @@ -23,12 +23,32 @@ event smb2_file_rename%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, d ## ## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message. ## +## file_id: The SMB2 GUID for the file. +## ## delete_pending: A boolean value to indicate that a file should be deleted ## when it's closed if set to T. ## -## .. bro:see:: smb2_message smb2_file_rename +## .. bro:see:: smb2_message smb2_file_rename smb2_file_sattr event smb2_file_delete%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, delete_pending: bool%); +## Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` +## version 2 requests of type *set_info* of the *file* subtype +## +## For more infomation, see MS-SMB2:2.2.39 +## +## c: The connection. +## +## hdr: The parsed header of the :abbr:`SMB (Server Message Block)` version 2 message. +## +## file_id: The SMB2 GUID for the file. +## +## times: Timestamps associated with the file in question. +## +## attrs: File attributes. +## +## .. bro:see:: smb2_message smb2_file_rename smb2_file_delete +event smb2_file_sattr%(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, times: SMB::MACTimes, attrs: SMB2::FileAttrs%); + # TODO - Not implemented # Generated for :abbr:`SMB (Server Message Block)`/:abbr:`CIFS (Common Internet File System)` diff --git a/src/analyzer/protocol/smtp/SMTP.h b/src/analyzer/protocol/smtp/SMTP.h index b4396f28f7..846e21e57e 100644 --- a/src/analyzer/protocol/smtp/SMTP.h +++ b/src/analyzer/protocol/smtp/SMTP.h 
@@ -39,13 +39,13 @@ typedef enum { class SMTP_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: - SMTP_Analyzer(Connection* conn); - ~SMTP_Analyzer(); + explicit SMTP_Analyzer(Connection* conn); + ~SMTP_Analyzer() override; - virtual void Done(); - virtual void DeliverStream(int len, const u_char* data, bool orig); - virtual void ConnectionFinished(int half_finished); - virtual void Undelivered(uint64 seq, int len, bool orig); + void Done() override; + void DeliverStream(int len, const u_char* data, bool orig) override; + void ConnectionFinished(int half_finished) override; + void Undelivered(uint64 seq, int len, bool orig) override; void SkipData() { skip_data = 1; } // skip delivery of data lines diff --git a/src/analyzer/protocol/snmp/SNMP.cc b/src/analyzer/protocol/snmp/SNMP.cc index 36282087fa..c34c4d596e 100644 --- a/src/analyzer/protocol/snmp/SNMP.cc +++ b/src/analyzer/protocol/snmp/SNMP.cc @@ -35,6 +35,6 @@ void SNMP_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, } catch ( const binpac::Exception& e ) { - ProtocolViolation(e.c_msg()); + ProtocolViolation(fmt("Binpac exception: %s", e.c_msg())); } } diff --git a/src/analyzer/protocol/snmp/SNMP.h b/src/analyzer/protocol/snmp/SNMP.h index d01704d2ae..3d709d362a 100644 --- a/src/analyzer/protocol/snmp/SNMP.h +++ b/src/analyzer/protocol/snmp/SNMP.h @@ -11,7 +11,7 @@ class SNMP_Analyzer : public analyzer::Analyzer { public: - SNMP_Analyzer(Connection* conn); + explicit SNMP_Analyzer(Connection* conn); virtual ~SNMP_Analyzer(); virtual void Done(); diff --git a/src/analyzer/protocol/socks/SOCKS.h b/src/analyzer/protocol/socks/SOCKS.h index 841f2ee2ab..eaec5c7ee2 100644 --- a/src/analyzer/protocol/socks/SOCKS.h +++ b/src/analyzer/protocol/socks/SOCKS.h 
@@ -16,15 +16,15 @@ namespace analyzer { namespace socks { class SOCKS_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: - SOCKS_Analyzer(Connection* conn); - ~SOCKS_Analyzer(); + explicit SOCKS_Analyzer(Connection* conn); + ~SOCKS_Analyzer() override; void EndpointDone(bool orig); - virtual void Done(); - virtual void DeliverStream(int len, const u_char* data, bool orig); - virtual void Undelivered(uint64 seq, int len, bool orig); - virtual void EndpointEOF(bool is_orig); + void Done() override; + void DeliverStream(int len, const u_char* data, bool orig) override; + void Undelivered(uint64 seq, int len, bool orig) override; + void EndpointEOF(bool is_orig) override; static analyzer::Analyzer* Instantiate(Connection* conn) { return new SOCKS_Analyzer(conn); } diff --git a/src/analyzer/protocol/socks/socks-analyzer.pac b/src/analyzer/protocol/socks/socks-analyzer.pac index b8c4165a54..0f13335785 100644 --- a/src/analyzer/protocol/socks/socks-analyzer.pac +++ b/src/analyzer/protocol/socks/socks-analyzer.pac @@ -32,7 +32,7 @@ refine connection SOCKS_Conn += { 4, ${request.command}, sa, - new PortVal(${request.port} | TCP_PORT_MASK), + port_mgr->Get(${request.port} | TCP_PORT_MASK), array_to_string(${request.user})); static_cast(bro_analyzer())->EndpointDone(true); @@ -50,7 +50,7 @@ refine connection SOCKS_Conn += { 4, ${reply.status}, sa, - new PortVal(${reply.port} | TCP_PORT_MASK)); + port_mgr->Get(${reply.port} | TCP_PORT_MASK)); bro_analyzer()->ProtocolConfirmation(); static_cast(bro_analyzer())->EndpointDone(false); @@ -102,7 +102,7 @@ refine connection SOCKS_Conn += { 5, ${request.command}, sa, - new PortVal(${request.port} | TCP_PORT_MASK), + port_mgr->Get(${request.port} | TCP_PORT_MASK), new StringVal("")); static_cast(bro_analyzer())->EndpointDone(true); 
@@ -141,7 +141,7 @@ refine connection SOCKS_Conn += { 5, ${reply.reply}, sa, - new PortVal(${reply.port} | TCP_PORT_MASK)); + port_mgr->Get(${reply.port} | TCP_PORT_MASK)); bro_analyzer()->ProtocolConfirmation(); static_cast(bro_analyzer())->EndpointDone(false); diff --git a/src/analyzer/protocol/ssh/SSH.h b/src/analyzer/protocol/ssh/SSH.h index dc3a7c5e39..36a8919722 100644 --- a/src/analyzer/protocol/ssh/SSH.h +++ b/src/analyzer/protocol/ssh/SSH.h @@ -13,16 +13,16 @@ namespace analyzer { class SSH_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: - SSH_Analyzer(Connection* conn); - virtual ~SSH_Analyzer(); + explicit SSH_Analyzer(Connection* conn); + ~SSH_Analyzer() override; // Overriden from Analyzer. - virtual void Done(); - virtual void DeliverStream(int len, const u_char* data, bool orig); - virtual void Undelivered(uint64 seq, int len, bool orig); + void Done() override; + void DeliverStream(int len, const u_char* data, bool orig) override; + void Undelivered(uint64 seq, int len, bool orig) override; // Overriden from tcp::TCP_ApplicationAnalyzer. - virtual void EndpointEOF(bool is_orig); + void EndpointEOF(bool is_orig) override; static analyzer::Analyzer* Instantiate(Connection* conn) { return new SSH_Analyzer(conn); } diff --git a/src/analyzer/protocol/ssh/ssh-analyzer.pac b/src/analyzer/protocol/ssh/ssh-analyzer.pac index 598dc869ab..0ee0b92569 100644 --- a/src/analyzer/protocol/ssh/ssh-analyzer.pac +++ b/src/analyzer/protocol/ssh/ssh-analyzer.pac @@ -173,6 +173,18 @@ refine flow SSH_Flow += { connection()->bro_analyzer()->ProtocolConfirmation(); return true; %} + + function get_kex_length(v: int, packet_length: uint32): int + %{ + switch (v) { + case SSH1: + return packet_length + 4 + 8 - (packet_length % 8); + case SSH2: + return packet_length + 4; + default: + return 1; //currently causes the rest of the packet to dump + } + %} }; refine typeattr SSH_Version += &let { 
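Review bot: `get_kex_length` does its arithmetic on a `uint32` read from the wire and returns `int`, so a packet_length near 2^32 wraps in `packet_length + 4` and any result above INT_MAX comes back negative before it is used as `&length`. How binpac reacts to a wrapped or negative `&length` is not visible in this diff, so the function should reject out-of-range values itself, e.g. `if ( packet_length > max_len ) return 1;` at the top, where `max_len` is a placeholder for whatever upper bound the project chooses. The SSH1 record in ssh-protocol.pac also passes `packet_length - 5` on to `SSH1_Message`, which underflows for values below 5 and wants the same guard. The `default` arm's `return 1` deserves a comment stating that the length is deliberately too short so that parsing of the record fails.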
diff --git a/src/analyzer/protocol/ssh/ssh-protocol.pac b/src/analyzer/protocol/ssh/ssh-protocol.pac index 28b0379999..bf09f6e168 100644 --- a/src/analyzer/protocol/ssh/ssh-protocol.pac +++ b/src/analyzer/protocol/ssh/ssh-protocol.pac @@ -22,21 +22,23 @@ type SSH_Version(is_orig: bool) = record { update_version : bool = $context.connection.update_version(version, is_orig); }; -type SSH_Key_Exchange(is_orig: bool) = case $context.connection.get_version() of { - SSH1 -> ssh1_msg : SSH1_Key_Exchange(is_orig); - SSH2 -> ssh2_msg : SSH2_Key_Exchange(is_orig); -}; +type SSH_Key_Exchange(is_orig: bool) = record { + packet_length: uint32; + key_ex: case $context.connection.get_version() of { + SSH1 -> ssh1_msg : SSH1_Key_Exchange(is_orig, packet_length); + SSH2 -> ssh2_msg : SSH2_Key_Exchange(is_orig, packet_length); + }; +} &length = $context.flow.get_kex_length($context.connection.get_version(), packet_length); # SSH1 constructs ################# -type SSH1_Key_Exchange(is_orig: bool) = record { - packet_length : uint32; +type SSH1_Key_Exchange(is_orig: bool, packet_length: uint32) = record { pad_fill : bytestring &length = 8 - (packet_length % 8); msg_type : uint8; message : SSH1_Message(is_orig, msg_type, packet_length - 5); crc : uint32; -} &length = packet_length + 4 + 8 - (packet_length % 8); +} &length = $context.flow.get_kex_length($context.connection.get_version(), packet_length) - 4; type SSH1_Message(is_orig: bool, msg_type: uint8, length: uint32) = case msg_type of { SSH_SMSG_PUBLIC_KEY -> public_key : SSH1_PUBLIC_KEY(length); @@ -73,8 +75,7 @@ type ssh1_mp_int = record { ## SSH2 -type SSH2_Header(is_orig: bool) = record { - packet_length : uint32; +type SSH2_Header(is_orig: bool, packet_length: uint32) = record { padding_length : uint8; msg_type : uint8; } &let { 
@@ -82,11 +83,11 @@ type SSH2_Header(is_orig: bool) = record { detach : bool = $context.connection.update_state(ENCRYPTED, is_orig) &if(msg_type == MSG_NEWKEYS); }; -type SSH2_Key_Exchange(is_orig: bool) = record { - header : SSH2_Header(is_orig); +type SSH2_Key_Exchange(is_orig: bool, packet_length: uint32) = record { + header : SSH2_Header(is_orig, packet_length); payload : SSH2_Message(is_orig, header.msg_type, header.payload_length); pad : bytestring &length=header.padding_length; -} &length=header.packet_length + 4; +} &length=packet_length; type SSH2_Message(is_orig: bool, msg_type: uint8, length: uint32) = case $context.connection.get_state(is_orig) of { KEX_INIT -> kex : SSH2_KEXINIT(length, is_orig); @@ -410,7 +411,7 @@ refine connection SSH_Conn += { return true; if ( update_kex_state_if_equal("ecmqv-sha2", KEX_ECC) ) return true; - if ( update_kex_state_if_equal("curve25519-sha256@libssh.org", KEX_ECC) ) + if ( update_kex_state_if_startswith("curve25519-sha256", KEX_ECC) ) return true; diff --git a/src/analyzer/protocol/ssl/CMakeLists.txt b/src/analyzer/protocol/ssl/CMakeLists.txt index 0f45aa1f32..14e41892c8 100644 --- a/src/analyzer/protocol/ssl/CMakeLists.txt +++ b/src/analyzer/protocol/ssl/CMakeLists.txt @@ -12,6 +12,7 @@ bro_plugin_pac(tls-handshake.pac tls-handshake-protocol.pac tls-handshake-analyz proc-client-hello.pac proc-server-hello.pac proc-certificate.pac + tls-handshake-signed_certificate_timestamp.pac ) bro_plugin_pac(ssl.pac ssl-dtls-analyzer.pac ssl-analyzer.pac ssl-dtls-protocol.pac ssl-protocol.pac ssl-defs.pac proc-client-hello.pac diff --git a/src/analyzer/protocol/ssl/DTLS.h b/src/analyzer/protocol/ssl/DTLS.h index 6611a6974e..fc862707fd 100644 --- a/src/analyzer/protocol/ssl/DTLS.h +++ b/src/analyzer/protocol/ssl/DTLS.h 
@@ -13,14 +13,14 @@ namespace analyzer { namespace dtls { class DTLS_Analyzer : public analyzer::Analyzer { public: - DTLS_Analyzer(Connection* conn); - virtual ~DTLS_Analyzer(); + explicit DTLS_Analyzer(Connection* conn); + ~DTLS_Analyzer() override; // Overriden from Analyzer. - virtual void Done(); - virtual void DeliverPacket(int len, const u_char* data, bool orig, - uint64 seq, const IP_Hdr* ip, int caplen); - virtual void EndOfData(bool is_orig); + void Done() override; + void DeliverPacket(int len, const u_char* data, bool orig, + uint64 seq, const IP_Hdr* ip, int caplen) override; + void EndOfData(bool is_orig) override; void SendHandshake(uint8 msg_type, uint32 length, const u_char* begin, const u_char* end, bool orig); diff --git a/src/analyzer/protocol/ssl/SSL.h b/src/analyzer/protocol/ssl/SSL.h index 4d3bceaec1..4119d72a91 100644 --- a/src/analyzer/protocol/ssl/SSL.h +++ b/src/analyzer/protocol/ssl/SSL.h @@ -13,13 +13,13 @@ namespace analyzer { namespace ssl { class SSL_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: - SSL_Analyzer(Connection* conn); - virtual ~SSL_Analyzer(); + explicit SSL_Analyzer(Connection* conn); + ~SSL_Analyzer() override; // Overriden from Analyzer. - virtual void Done(); - virtual void DeliverStream(int len, const u_char* data, bool orig); - virtual void Undelivered(uint64 seq, int len, bool orig); + void Done() override; + void DeliverStream(int len, const u_char* data, bool orig) override; + void Undelivered(uint64 seq, int len, bool orig) override; void SendHandshake(const u_char* begin, const u_char* end, bool orig); @@ -27,7 +27,7 @@ public: void StartEncryption(); // Overriden from tcp::TCP_ApplicationAnalyzer. - virtual void EndpointEOF(bool is_orig); + void EndpointEOF(bool is_orig) override; static analyzer::Analyzer* Instantiate(Connection* conn) { return new SSL_Analyzer(conn); } diff --git a/src/analyzer/protocol/ssl/events.bif b/src/analyzer/protocol/ssl/events.bif index 9bf2706ef0..41b5693fa6 100644 
--- a/src/analyzer/protocol/ssl/events.bif +++ b/src/analyzer/protocol/ssl/events.bif @@ -30,6 +30,8 @@ ## .. bro:see:: ssl_alert ssl_established ssl_extension ssl_server_hello ## ssl_session_ticket_handshake x509_certificate ssl_handshake_message ## ssl_change_cipher_spec +## ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params +## ssl_rsa_client_pms event ssl_client_hello%(c: connection, version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec, comp_methods: index_vec%); ## Generated for an SSL/TLS server's initial *hello* message. SSL/TLS sessions @@ -67,6 +69,8 @@ event ssl_client_hello%(c: connection, version: count, possible_ts: time, client ## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_extension ## ssl_session_ticket_handshake x509_certificate ssl_server_curve ## ssl_dh_server_params ssl_handshake_message ssl_change_cipher_spec +## ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params +## ssl_rsa_client_pms event ssl_server_hello%(c: connection, version: count, possible_ts: time, server_random: string, session_id: string, cipher: count, comp_method: count%); ## Generated for SSL/TLS extensions seen in an initial handshake. SSL/TLS @@ -90,6 +94,7 @@ event ssl_server_hello%(c: connection, version: count, possible_ts: time, server ## ssl_session_ticket_handshake ssl_extension_ec_point_formats ## ssl_extension_elliptic_curves ssl_extension_application_layer_protocol_negotiation ## ssl_extension_server_name ssl_extension_signature_algorithm ssl_extension_key_share +## ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions event ssl_extension%(c: connection, is_orig: bool, code: count, val: string%); ## Generated for an SSL/TLS Elliptic Curves extension. This TLS extension is 
@@ -106,7 +111,9 @@ event ssl_extension%(c: connection, is_orig: bool, code: count, val: string%); ## ssl_session_ticket_handshake ssl_extension ## ssl_extension_ec_point_formats ssl_extension_application_layer_protocol_negotiation ## ssl_extension_server_name ssl_server_curve ssl_extension_signature_algorithm -## ssl_extension_key_share +## ssl_extension_key_share ssl_rsa_client_pms ssl_server_signature +## ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions +## ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params event ssl_extension_elliptic_curves%(c: connection, is_orig: bool, curves: index_vec%); ## Generated for an SSL/TLS Supported Point Formats extension. This TLS extension @@ -125,6 +132,9 @@ event ssl_extension_elliptic_curves%(c: connection, is_orig: bool, curves: index ## ssl_extension_elliptic_curves ssl_extension_application_layer_protocol_negotiation ## ssl_extension_server_name ssl_server_curve ssl_extension_signature_algorithm ## ssl_extension_key_share +## ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions +## ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params +## ssl_rsa_client_pms ssl_server_signature event ssl_extension_ec_point_formats%(c: connection, is_orig: bool, point_formats: index_vec%); ## Generated for an Signature Algorithms extension. This TLS extension 
@@ -142,6 +152,9 @@ event ssl_extension_ec_point_formats%(c: connection, is_orig: bool, point_format ## ssl_session_ticket_handshake ssl_extension ## ssl_extension_elliptic_curves ssl_extension_application_layer_protocol_negotiation ## ssl_extension_server_name ssl_server_curve ssl_extension_key_share +## ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions +## ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params +## ssl_rsa_client_pms ssl_server_signature event ssl_extension_signature_algorithm%(c: connection, is_orig: bool, signature_algorithms: signature_and_hashalgorithm_vec%); ## Generated for a Key Share extension. This TLS extension is defined in TLS1.3-draft16 @@ -158,6 +171,9 @@ event ssl_extension_signature_algorithm%(c: connection, is_orig: bool, signature ## ssl_session_ticket_handshake ssl_extension ## ssl_extension_elliptic_curves ssl_extension_application_layer_protocol_negotiation ## ssl_extension_server_name ssl_server_curve +## ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions +## ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params +## ssl_rsa_client_pms ssl_server_signature event ssl_extension_key_share%(c: connection, is_orig: bool, curves: index_vec%); ## Generated if a named curve is chosen by the server for an SSL/TLS connection. 
@@ -168,14 +184,35 @@ event ssl_extension_key_share%(c: connection, is_orig: bool, curves: index_vec%) ## ## curve: The curve. ## +## .. note:: This event is deprecated and superseded by the ssl_ecdh_server_params +## event. This event will be removed in a future version of Bro. +## ## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello ## ssl_session_ticket_handshake ssl_extension ## ssl_extension_elliptic_curves ssl_extension_application_layer_protocol_negotiation ## ssl_extension_server_name ssl_extension_key_share -event ssl_server_curve%(c: connection, curve: count%); +## ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions +## ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params +## ssl_rsa_client_pms ssl_server_signature +event ssl_server_curve%(c: connection, curve: count%) &deprecated; + +## Generated if a server uses an ECDH-anon or ECDHE cipher suite using a named curve +## This event contains the named curve name and the server ECDH parameters contained +## in the ServerKeyExchange message as defined in :rfc:`4492`. +## +## c: The connection. +## +## curve: The curve parameters. +## +## point: The server's ECDH public key. +## +## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello +## ssl_session_ticket_handshake ssl_server_curve ssl_server_signature +## ssl_dh_client_params ssl_ecdh_client_params ssl_rsa_client_pms +event ssl_ecdh_server_params%(c: connection, curve: count, point: string%); ## Generated if a server uses a DH-anon or DHE cipher suite. This event contains -## the server DH parameters, which are sent in the ServerKeyExchange message as +## the server DH parameters, contained in the ServerKeyExchange message as ## defined in :rfc:`5246`. ## ## c: The connection. 
@@ -187,15 +224,78 @@ event ssl_server_curve%(c: connection, curve: count%); ## Ys: The server's DH public key. ## ## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello -## ssl_session_ticket_handshake ssl_server_curve +## ssl_session_ticket_handshake ssl_server_curve ssl_server_signature +## ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params +## ssl_rsa_client_pms event ssl_dh_server_params%(c: connection, p: string, q: string, Ys: string%); +## Generated if a server uses a non-anonymous DHE or ECDHE cipher suite. This event +## contains the server signature over the key exchange parameters contained in +## the ServerKeyExchange message as defined in :rfc:`4492` and :rfc:`5246`. +## +## c: The connection. +## +## signature_and_hashalgorithm: signature and hash algorithm used for the +## digitally_signed struct. This field is only present +## starting with TLSv1.2 and DTLSv1.2. Earlier versions +## used a hardcoded hash algorithm. For protocol versions +## below D(TLS)v1.2 this field is filled with an dummy +## value of 256. +## +## signature: Signature part of the digitally_signed struct. The private key +## corresponding to the certified public key in the server's certificate +## message is used for signing. +## +## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello +## ssl_session_ticket_handshake ssl_server_curve ssl_rsa_client_pms +## ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params +event ssl_server_signature%(c: connection, signature_and_hashalgorithm: SSL::SignatureAndHashAlgorithm, signature: string%); + +## Generated if a client uses an ECDH-anon or ECDHE cipher suite. This event +## contains the client ECDH public value contained in the ClientKeyExchange +## message as defined in :rfc:`4492`. +## +## c: The connection. +## +## point: The client's ECDH public key. +## +## .. 
bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello +## ssl_session_ticket_handshake ssl_server_curve ssl_server_signature +## ssl_dh_client_params ssl_ecdh_server_params ssl_rsa_client_pms +event ssl_ecdh_client_params%(c: connection, point: string%); + +## Generated if a client uses a DH-anon or DHE cipher suite. This event contains +## the client DH parameters contained in the ClientKeyExchange message as +## defined in :rfc:`5246`. +## +## c: The connection. +## +## Yc: The client's DH public key. +## +## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello +## ssl_session_ticket_handshake ssl_server_curve ssl_server_signature +## ssl_ecdh_server_params ssl_ecdh_client_params ssl_rsa_client_pms +event ssl_dh_client_params%(c: connection, Yc: string%); + +## Generated if a client uses RSA key exchange. This event contains the client +## encrypted pre-master secret which is encrypted using the public key of the +## server's certificate as defined in :rfc:`5246`. +## +## c: The connection. +## +## pms: The encrypted pre-master secret. +## +## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello +## ssl_session_ticket_handshake ssl_server_curve ssl_server_signature +## ssl_dh_client_params ssl_ecdh_server_params ssl_ecdh_client_params +event ssl_rsa_client_pms%(c: connection, pms: string%); + ## Generated for an SSL/TLS Application-Layer Protocol Negotiation extension. ## This TLS extension is defined in draft-ietf-tls-applayerprotoneg and sent in ## the initial handshake. It contains the list of client supported application ## protocols by the client or the server, respectively. ## -## At the moment it is mostly used to negotiate the use of SPDY / HTTP2-drafts. +## At the moment it is mostly used to negotiate the use of SPDY / HTTP2. ## ## c: The connection. ## 
@@ -207,6 +307,8 @@ event ssl_dh_server_params%(c: connection, p: string, q: string, Ys: string%); ## ssl_session_ticket_handshake ssl_extension ## ssl_extension_elliptic_curves ssl_extension_ec_point_formats ## ssl_extension_server_name ssl_extension_key_share +## ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions +## ssl_extension_signed_certificate_timestamp event ssl_extension_application_layer_protocol_negotiation%(c: connection, is_orig: bool, protocols: string_vec%); ## Generated for an SSL/TLS Server Name extension. This SSL/TLS extension is 
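Review bot: The `ssl_server_signature` documentation added in the `@@ -187,15 +224,78 @@` hunk describes the pre-TLS 1.2 placeholder only as "filled with an dummy value of 256", which does not tell a script author that both members of the record carry it. The analyzer change later in this diff assigns 256 to both `HashAlgorithm` and `SignatureAlgorithm` and calls it an impossible value, so I would word the last sentence as `## below (D)TLSv1.2 both HashAlgorithm and SignatureAlgorithm are set to the` / `## placeholder value 256, which is not a valid algorithm code.` That also fixes "an dummy" and the `D(TLS)v1.2` spelling.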
@@ -226,8 +328,76 @@ event ssl_extension_application_layer_protocol_negotiation%(c: connection, is_or ## ssl_extension_elliptic_curves ssl_extension_ec_point_formats ## ssl_extension_application_layer_protocol_negotiation ## ssl_extension_key_share +## ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions +## ssl_extension_signed_certificate_timestamp event ssl_extension_server_name%(c: connection, is_orig: bool, names: string_vec%); +## Generated for the signed_certificate_timestamp TLS extension as defined in +## :rfc:`6962`. The extension is used to transmit signed proofs that are +## used for Certificate Transparency. +## +## c: The connection. +## +## is_orig: True if event is raised for originator side of the connection. +## +## version: the version of the protocol to which the SCT conforms. Always +## should be 0 (representing version 1) +## +## logid: 32 bit key id +## +## timestamp: the NTP Time when the entry was logged measured since +## the epoch, ignoring leap seconds, in milliseconds. +## +## signature_and_hashalgorithm: signature and hash algorithm used for the +## digitally_signed struct +## +## signature: signature part of the digitally_signed struct +## +## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello +## ssl_session_ticket_handshake ssl_extension +## ssl_extension_elliptic_curves ssl_extension_ec_point_formats +## ssl_extension_server_name ssl_extension_key_share +## ssl_extension_psk_key_exchange_modes ssl_extension_supported_versions +## ssl_extension_application_layer_protocol_negotiation +## x509_ocsp_ext_signed_certificate_timestamp sct_verify +event ssl_extension_signed_certificate_timestamp%(c: connection, is_orig: bool, version: count, logid: string, timestamp: count, signature_and_hashalgorithm: SSL::SignatureAndHashAlgorithm, signature: string%); + +## Generated for an TLS Supported Versions extension. 
This TLS extension +## is defined in the TLS 1.3 rfc and sent by the client in the initial handshake. +## It contains the TLS versions that it supports. This informaion can be used by +## the server to choose the best TLS version o use. +## +## c: The connection. +## +## is_orig: True if event is raised for originator side of the connection. +## +## versions: List of supported TLS versions. +## +## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello +## ssl_session_ticket_handshake ssl_extension +## ssl_extension_elliptic_curves ssl_extension_ec_point_formats +## ssl_extension_application_layer_protocol_negotiation +## ssl_extension_key_share ssl_extension_server_name +## ssl_extension_psk_key_exchange_modes ssl_extension_signed_certificate_timestamp +event ssl_extension_supported_versions%(c: connection, is_orig: bool, versions: index_vec%); + +## Generated for an TLS Pre-Shared Key Exchange Modes extension. This TLS extension is defined +## in the TLS 1.3 rfc and sent by the client in the initial handshake. It contains the +## list of Pre-Shared Key Exchange Modes that it supports. +## c: The connection. +## +## is_orig: True if event is raised for originator side of the connection. +## +## versions: List of supported Pre-Shared Key Exchange Modes. +## +## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello +## ssl_session_ticket_handshake ssl_extension +## ssl_extension_elliptic_curves ssl_extension_ec_point_formats +## ssl_extension_application_layer_protocol_negotiation +## ssl_extension_key_share ssl_extension_server_name +## ssl_extension_supported_versions ssl_extension_signed_certificate_timestamp +event ssl_extension_psk_key_exchange_modes%(c: connection, is_orig: bool, modes: index_vec%); + ## Generated at the end of an SSL/TLS handshake. SSL/TLS sessions start with ## an unencrypted handshake, and Bro extracts as much information out of that ## as it can. 
This event signals the time when an SSL/TLS has finished the diff --git a/src/analyzer/protocol/ssl/functions.bif b/src/analyzer/protocol/ssl/functions.bif index f7fa76ca36..17720bcbb1 100644 --- a/src/analyzer/protocol/ssl/functions.bif +++ b/src/analyzer/protocol/ssl/functions.bif @@ -1,6 +1,7 @@ %%{ #include "analyzer/protocol/ssl/SSL.h" +#include %%} ## Sets if the SSL analyzer should consider the connection established (handshake diff --git a/src/analyzer/protocol/ssl/proc-certificate.pac b/src/analyzer/protocol/ssl/proc-certificate.pac index c2353e3a88..7c57f31744 100644 --- a/src/analyzer/protocol/ssl/proc-certificate.pac +++ b/src/analyzer/protocol/ssl/proc-certificate.pac @@ -9,6 +9,9 @@ common.AddRaw(is_orig ? "T" : "F", 1); bro_analyzer()->Conn()->IDString(&common); + static const string user_mime = "application/x-x509-user-cert"; + static const string ca_mime = "application/x-x509-ca-cert"; + for ( unsigned int i = 0; i < certificates->size(); ++i ) { const bytestring& cert = (*certificates)[i]; @@ -21,7 +24,7 @@ file_mgr->DataIn(reinterpret_cast(cert.data()), cert.length(), bro_analyzer()->GetAnalyzerTag(), - bro_analyzer()->Conn(), is_orig, file_id); + bro_analyzer()->Conn(), is_orig, file_id, i == 0 ? user_mime : ca_mime); file_mgr->EndOfFile(file_id); } return true; diff --git a/src/analyzer/protocol/ssl/ssl-defs.pac b/src/analyzer/protocol/ssl/ssl-defs.pac index 405ec34fbf..26eb29bfc5 100644 --- a/src/analyzer/protocol/ssl/ssl-defs.pac +++ b/src/analyzer/protocol/ssl/ssl-defs.pac @@ -150,6 +150,10 @@ enum SSLExtensions { EXT_EARLY_DATA = 42, EXT_SUPPORTED_VERSIONS = 43, EXT_COOKIE = 44, + EXT_PSK_KEY_EXCHANGE_MODES = 45, + EXT_TICKET_EARLY_DATA_INFO = 46, + EXT_CERTIFICATE_AUTHORITIES = 47, + EXT_OID_FILTERS = 48, EXT_NEXT_PROTOCOL_NEGOTIATION = 13172, EXT_ORIGIN_BOUND_CERTIFICATES = 13175, EXT_ENCRYPTED_CLIENT_CERTIFICATES = 13180, 
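Review bot: Two parameter descriptions added in the `@@ -226,8 +328,76 @@` hunk of events.bif do not match the events they document. `logid` is described as a "32 bit key id", but RFC 6962 defines the log ID as a 32-byte key id and the event carries it as a `string`; use `## logid: 32 byte key id identifying the log.` The block for `ssl_extension_psk_key_exchange_modes` documents `versions:` although the parameter is `modes`, and it lacks the `##` separator line before `## c: The connection.`; use `## modes: List of supported Pre-Shared Key Exchange Modes.` The `ssl_extension_supported_versions` text also contains the typos "informaion" and "version o use".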
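Review bot: In the `@@ -21,7 +24,7 @@` hunk of proc-certificate.pac the MIME type is chosen purely by position (`i == 0 ? user_mime : ca_mime`), so it is a label derived from chain order and not from anything in the certificate. A peer that sends its chain out of order, or sends only a CA certificate, gets files tagged with the wrong type, and any script that filters on `application/x-x509-user-cert` to find end-entity certificates inherits that assumption. I would record this where the two constants are declared, e.g. `// MIME type is assigned by position in the chain, not by inspecting the certificate; do not treat it as validated.` The enclosing function starts and ends outside both hunks of this file.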
diff --git a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac index ed0900d6b3..982a8791ce 100644 --- a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac +++ b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac @@ -189,6 +189,49 @@ refine connection Handshake_Conn += { return true; %} + function proc_supported_versions(rec: HandshakeRecord, versions_list: uint16[]) : bool + %{ + VectorVal* versions = new VectorVal(internal_type("index_vec")->AsVectorType()); + + if ( versions_list ) + { + for ( unsigned int i = 0; i < versions_list->size(); ++i ) + versions->Assign(i, new Val((*versions_list)[i], TYPE_COUNT)); + } + + BifEvent::generate_ssl_extension_supported_versions(bro_analyzer(), bro_analyzer()->Conn(), + ${rec.is_orig}, versions); + + return true; + %} + + function proc_one_supported_version(rec: HandshakeRecord, version: uint16) : bool + %{ + VectorVal* versions = new VectorVal(internal_type("index_vec")->AsVectorType()); + versions->Assign(0u, new Val(version, TYPE_COUNT)); + + BifEvent::generate_ssl_extension_supported_versions(bro_analyzer(), bro_analyzer()->Conn(), + ${rec.is_orig}, versions); + + return true; + %} + + function proc_psk_key_exchange_modes(rec: HandshakeRecord, mode_list: uint8[]) : bool + %{ + VectorVal* modes = new VectorVal(internal_type("index_vec")->AsVectorType()); + + if ( mode_list ) + { + for ( unsigned int i = 0; i < mode_list->size(); ++i ) + modes->Assign(i, new Val((*mode_list)[i], TYPE_COUNT)); + } + + BifEvent::generate_ssl_extension_psk_key_exchange_modes(bro_analyzer(), bro_analyzer()->Conn(), + ${rec.is_orig}, modes); + + return true; + %} + function proc_v3_certificate(is_orig: bool, cl : X509Certificate[]) : bool %{ vector* certs = cl; 
@@ -211,27 +254,144 @@ refine connection Handshake_Conn += { function proc_certificate_status(rec : HandshakeRecord, status_type: uint8, response: bytestring) : bool %{ - if ( status_type == 1 ) // ocsp + ODesc common; + common.AddRaw("Analyzer::ANALYZER_SSL"); + common.Add(bro_analyzer()->Conn()->StartTime()); + common.AddRaw("F"); + bro_analyzer()->Conn()->IDString(&common); + + if ( status_type == 1 ) // ocsp { + ODesc file_handle; + file_handle.Add(common.Description()); + file_handle.Add("ocsp"); + + string file_id = file_mgr->HashHandle(file_handle.Description()); + + file_mgr->DataIn(reinterpret_cast(response.data()), + response.length(), bro_analyzer()->GetAnalyzerTag(), + bro_analyzer()->Conn(), false, file_id, "application/ocsp-response"); + BifEvent::generate_ssl_stapled_ocsp(bro_analyzer(), bro_analyzer()->Conn(), ${rec.is_orig}, new StringVal(response.length(), (const char*) response.data())); + + file_mgr->EndOfFile(file_id); } return true; %} - function proc_ec_server_key_exchange(rec: HandshakeRecord, curve_type: uint8, curve: uint16) : bool + function proc_ecdhe_server_key_exchange(kex: EcdheServerKeyExchange) : bool %{ - if ( curve_type == NAMED_CURVE ) - BifEvent::generate_ssl_server_curve(bro_analyzer(), - bro_analyzer()->Conn(), curve); + if ( ${kex.curve_type} != NAMED_CURVE ) + return true; + + BifEvent::generate_ssl_server_curve(bro_analyzer(), + bro_analyzer()->Conn(), ${kex.params.curve}); + BifEvent::generate_ssl_ecdh_server_params(bro_analyzer(), + bro_analyzer()->Conn(), ${kex.params.curve}, new StringVal(${kex.params.point}.length(), (const char*)${kex.params.point}.data())); + + RecordVal* ha = new RecordVal(BifType::Record::SSL::SignatureAndHashAlgorithm); + if ( ${kex.signed_params.uses_signature_and_hashalgorithm} ) + { + ha->Assign(0, new Val(${kex.signed_params.algorithm.HashAlgorithm}, TYPE_COUNT)); + ha->Assign(1, new Val(${kex.signed_params.algorithm.SignatureAlgorithm}, TYPE_COUNT)); + } + else + { + // set to impossible 
value + ha->Assign(0, new Val(256, TYPE_COUNT)); + ha->Assign(1, new Val(256, TYPE_COUNT)); + } + + BifEvent::generate_ssl_server_signature(bro_analyzer(), + bro_analyzer()->Conn(), ha, new StringVal(${kex.signed_params.signature}.length(), (const char*)(${kex.signed_params.signature}).data())); return true; %} - function proc_dh_server_key_exchange(rec: HandshakeRecord, p: bytestring, g: bytestring, Ys: bytestring) : bool + function proc_ecdh_anon_server_key_exchange(kex: EcdhAnonServerKeyExchange) : bool + %{ + if ( ${kex.curve_type} != NAMED_CURVE ) + return true; + + BifEvent::generate_ssl_server_curve(bro_analyzer(), + bro_analyzer()->Conn(), ${kex.params.curve}); + BifEvent::generate_ssl_ecdh_server_params(bro_analyzer(), + bro_analyzer()->Conn(), ${kex.params.curve}, new StringVal(${kex.params.point}.length(), (const char*)${kex.params.point}.data())); + + return true; + %} + + function proc_rsa_client_key_exchange(rec: HandshakeRecord, rsa_pms: bytestring) : bool + %{ + BifEvent::generate_ssl_rsa_client_pms(bro_analyzer(), bro_analyzer()->Conn(), new StringVal(rsa_pms.length(), (const char*)rsa_pms.data())); + return true; + %} + + function proc_dh_client_key_exchange(rec: HandshakeRecord, Yc: bytestring) : bool + %{ + BifEvent::generate_ssl_dh_client_params(bro_analyzer(), bro_analyzer()->Conn(), new StringVal(Yc.length(), (const char*)Yc.data())); + return true; + %} + + function proc_ecdh_client_key_exchange(rec: HandshakeRecord, point: bytestring) : bool + %{ + BifEvent::generate_ssl_ecdh_client_params(bro_analyzer(), bro_analyzer()->Conn(), new StringVal(point.length(), (const char*)point.data())); + return true; + %} + + function proc_signedcertificatetimestamp(rec: HandshakeRecord, version: uint8, logid: const_bytestring, timestamp: uint64, digitally_signed_algorithms: SignatureAndHashAlgorithm, digitally_signed_signature: const_bytestring) : bool + %{ + RecordVal* ha = new RecordVal(BifType::Record::SSL::SignatureAndHashAlgorithm); + ha->Assign(0, 
new Val(digitally_signed_algorithms->HashAlgorithm(), TYPE_COUNT)); + ha->Assign(1, new Val(digitally_signed_algorithms->SignatureAlgorithm(), TYPE_COUNT)); + + BifEvent::generate_ssl_extension_signed_certificate_timestamp(bro_analyzer(), + bro_analyzer()->Conn(), ${rec.is_orig}, + version, + new StringVal(logid.length(), reinterpret_cast(logid.begin())), + timestamp, + ha, + new StringVal(digitally_signed_signature.length(), reinterpret_cast(digitally_signed_signature.begin())) + ); + + return true; + %} + + function proc_dhe_server_key_exchange(rec: HandshakeRecord, p: bytestring, g: bytestring, Ys: bytestring, signed_params: ServerKeyExchangeSignature) : bool + %{ + BifEvent::generate_ssl_dh_server_params(bro_analyzer(), + bro_analyzer()->Conn(), + new StringVal(p.length(), (const char*) p.data()), + new StringVal(g.length(), (const char*) g.data()), + new StringVal(Ys.length(), (const char*) Ys.data()) + ); + + RecordVal* ha = new RecordVal(BifType::Record::SSL::SignatureAndHashAlgorithm); + if ( ${signed_params.uses_signature_and_hashalgorithm} ) + { + ha->Assign(0, new Val(${signed_params.algorithm.HashAlgorithm}, TYPE_COUNT)); + ha->Assign(1, new Val(${signed_params.algorithm.SignatureAlgorithm}, TYPE_COUNT)); + } + else + { + // set to impossible value + ha->Assign(0, new Val(256, TYPE_COUNT)); + ha->Assign(1, new Val(256, TYPE_COUNT)); + } + + BifEvent::generate_ssl_server_signature(bro_analyzer(), + bro_analyzer()->Conn(), ha, + new StringVal(${signed_params.signature}.length(), (const char*)(${signed_params.signature}).data()) + ); + + return true; + %} + + function proc_dh_anon_server_key_exchange(rec: HandshakeRecord, p: bytestring, g: bytestring, Ys: bytestring) : bool %{ BifEvent::generate_ssl_dh_server_params(bro_analyzer(), bro_analyzer()->Conn(), @@ -251,7 +411,6 @@ refine connection Handshake_Conn += { return true; %} - }; refine typeattr ClientHello += &let { 
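Review bot: `proc_certificate_status` in the `@@ -211,27 +254,144 @@` hunk hard-codes the direction of the OCSP file (`common.AddRaw("F")` and `false` passed to `file_mgr->DataIn`) while the `ssl_stapled_ocsp` event raised in the same function reports `${rec.is_orig}`. proc-certificate.pac, shown earlier in this diff, derives both from `is_orig`, so a CertificateStatus parsed on the originator side would yield a file record and an event that disagree about the sender. Using the record's direction keeps them consistent: `common.AddRaw(${rec.is_orig} ? "T" : "F", 1);` and `bro_analyzer()->Conn(), ${rec.is_orig}, file_id, "application/ocsp-response");`; if responder-only attribution is intended, a comment saying so would be enough. The handle is also built before the `status_type == 1` test, so that work is done for status types that are then ignored, and it can move inside the branch.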
@@ -321,15 +480,50 @@ refine typeattr CertificateStatus += &let { proc : bool = $context.connection.proc_certificate_status(rec, status_type, response); }; -refine typeattr EcServerKeyExchange += &let { - proc : bool = $context.connection.proc_ec_server_key_exchange(rec, curve_type, curve); +refine typeattr EcdheServerKeyExchange += &let { + proc : bool = $context.connection.proc_ecdhe_server_key_exchange(this); }; -refine typeattr DhServerKeyExchange += &let { - proc : bool = $context.connection.proc_dh_server_key_exchange(rec, dh_p, dh_g, dh_Ys); +refine typeattr EcdhAnonServerKeyExchange += &let { + proc : bool = $context.connection.proc_ecdh_anon_server_key_exchange(this); +}; + +refine typeattr DheServerKeyExchange += &let { + proc : bool = $context.connection.proc_dhe_server_key_exchange(rec, dh_p, dh_g, dh_Ys, signed_params); +}; + +refine typeattr DhAnonServerKeyExchange += &let { + proc : bool = $context.connection.proc_dh_anon_server_key_exchange(rec, dh_p, dh_g, dh_Ys); +}; + +refine typeattr RsaClientKeyExchange += &let { + proc : bool = $context.connection.proc_rsa_client_key_exchange(rec, rsa_pms); +}; + +refine typeattr DhClientKeyExchange += &let { + proc : bool = $context.connection.proc_dh_client_key_exchange(rec, dh_Yc); +}; + +refine typeattr EcdhClientKeyExchange += &let { + proc : bool = $context.connection.proc_ecdh_client_key_exchange(rec, point); +}; + +refine typeattr SupportedVersions += &let { + proc : bool = $context.connection.proc_supported_versions(rec, versions); +}; + +refine typeattr OneSupportedVersion += &let { + proc : bool = $context.connection.proc_one_supported_version(rec, version); +}; + +refine typeattr PSKKeyExchangeModes += &let { + proc : bool = $context.connection.proc_psk_key_exchange_modes(rec, modes); }; refine typeattr Handshake += &let { proc : bool = $context.connection.proc_handshake(rec.is_orig, rec.msg_type, rec.msg_length); }; +refine typeattr SignedCertificateTimestamp += &let { + proc : bool = 
$context.connection.proc_signedcertificatetimestamp(rec, version, logid, timestamp, digitally_signed_algorithms, digitally_signed_signature); +}; diff --git a/src/analyzer/protocol/ssl/tls-handshake-protocol.pac b/src/analyzer/protocol/ssl/tls-handshake-protocol.pac index da01a27f1d..762f271ffa 100644 --- a/src/analyzer/protocol/ssl/tls-handshake-protocol.pac +++ b/src/analyzer/protocol/ssl/tls-handshake-protocol.pac @@ -78,9 +78,9 @@ type ClientHello(rec: HandshakeRecord) = record { DTLSv10, DTLSv12 -> cookie: ClientHelloCookie(rec); default -> nothing: bytestring &length=0; }; - csuit_len : uint16 &check(csuit_len > 1 && csuit_len % 2 == 0); + csuit_len : uint16; # &check(csuit_len > 1 && csuit_len % 2 == 0); csuits : uint16[csuit_len/2]; - cmeth_len : uint8 &check(cmeth_len > 0); + cmeth_len : uint8; # &check(cmeth_len > 0); cmeths : uint8[cmeth_len]; # This weirdness is to deal with the possible existence or absence # of the following fields. @@ -112,6 +112,7 @@ type ServerHelloChoice(rec: HandshakeRecord) = record { 0x7F -> 0x7F00; # map any draft version to 00 default -> server_version; }; + version_set : bool = $context.connection.set_version(server_version); }; type ServerHello(rec: HandshakeRecord, server_version: uint16) = record { 
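Review bot: The `&check` constraints on `csuit_len` and `cmeth_len` are commented out in the `@@ -78,9 +78,9 @@` hunk with no reason given, so the ClientHello grammar no longer states that the cipher-suite length must be even and non-empty or that at least one compression method must be present. With an odd `csuit_len`, `csuits : uint16[csuit_len/2]` covers one byte less than the declared length and `cmeth_len` would be read from the leftover byte. If the checks were dropped because they rejected traffic that should still be parsed, say so in place, e.g. `# &check disabled: REASON; odd or zero lengths are tolerated here`, and consider reporting malformed lengths instead of accepting them silently. `ClientHello` continues outside the hunk.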
@@ -176,13 +177,349 @@ type CertificateStatus(rec: HandshakeRecord) = record { # V3 Server Key Exchange Message (7.4.3.) ###################################################################### -# Usually, the server key exchange does not contain any information -# that we are interested in. -# -# The exception is when we are using an ECDHE, DHE or DH-Anon suite. -# In this case, we can extract information about the chosen cipher from -# here. +# The server key exchange contains the server public key exchange values, and a +# signature over those values for non-anonymous exchanges. The server key +# exchange messages is only sent for ECDHE, ECDH-anon, DHE, and DH-anon cipher +# suites. type ServerKeyExchange(rec: HandshakeRecord) = case $context.connection.chosen_cipher() of { + # ECDHE suites + TLS_ECDHE_ECDSA_WITH_NULL_SHA, + TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, + TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, + TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, + TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, + TLS_ECDHE_RSA_WITH_NULL_SHA, + TLS_ECDHE_RSA_WITH_RC4_128_SHA, + TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, + TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, + TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, + TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, + TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, + TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, + TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, + TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, + TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, + TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, + TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, + TLS_ECDHE_PSK_WITH_RC4_128_SHA, + TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA, + TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA, + TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA, + TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256, + TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384, + TLS_ECDHE_PSK_WITH_NULL_SHA, + TLS_ECDHE_PSK_WITH_NULL_SHA256, + TLS_ECDHE_PSK_WITH_NULL_SHA384, + TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256, + TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384, + TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256, + 
TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384, + TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256, + TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384, + TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256, + TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384, + TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256, + TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384, + TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256, + TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384, + TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256, + TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384, + TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256, + TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384, + TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256, + TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384, + TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256, + TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384, + TLS_ECDHE_ECDSA_WITH_AES_128_CCM, + TLS_ECDHE_ECDSA_WITH_AES_256_CCM, + TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8, + TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8, + TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, + TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 + -> ecdhe_server_key_exchange : EcdheServerKeyExchange(rec); + + # ECDH-anon suites + TLS_ECDH_ANON_WITH_NULL_SHA, + TLS_ECDH_ANON_WITH_RC4_128_SHA, + TLS_ECDH_ANON_WITH_3DES_EDE_CBC_SHA, + TLS_ECDH_ANON_WITH_AES_128_CBC_SHA, + TLS_ECDH_ANON_WITH_AES_256_CBC_SHA + # ECDH non-anon suites do not send a ServerKeyExchange + -> ecdh_anon_server_key_exchange : EcdhAnonServerKeyExchange(rec); + + # DHE suites + TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, + TLS_DHE_DSS_WITH_DES_CBC_SHA, + TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA, + TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, + TLS_DHE_RSA_WITH_DES_CBC_SHA, + TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, + TLS_DHE_DSS_WITH_AES_128_CBC_SHA, + TLS_DHE_RSA_WITH_AES_128_CBC_SHA, + TLS_DHE_DSS_WITH_AES_256_CBC_SHA, + TLS_DHE_RSA_WITH_AES_256_CBC_SHA, + TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, + TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, + TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, + TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA, + TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA, + 
TLS_DHE_DSS_WITH_RC4_128_SHA, + TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, + TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, + TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, + TLS_DHE_DSS_WITH_3DES_EDE_CBC_RMD, + TLS_DHE_DSS_WITH_AES_128_CBC_RMD, + TLS_DHE_DSS_WITH_AES_256_CBC_RMD, + TLS_DHE_RSA_WITH_3DES_EDE_CBC_RMD, + TLS_DHE_RSA_WITH_AES_128_CBC_RMD, + TLS_DHE_RSA_WITH_AES_256_CBC_RMD, + TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, + TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, + TLS_DHE_PSK_WITH_RC4_128_SHA, + TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA, + TLS_DHE_PSK_WITH_AES_128_CBC_SHA, + TLS_DHE_PSK_WITH_AES_256_CBC_SHA, + TLS_DHE_DSS_WITH_SEED_CBC_SHA, + TLS_DHE_RSA_WITH_SEED_CBC_SHA, + TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, + TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, + TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, + TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, + TLS_DHE_PSK_WITH_AES_128_GCM_SHA256, + TLS_DHE_PSK_WITH_AES_256_GCM_SHA384, + TLS_DHE_PSK_WITH_AES_128_CBC_SHA256, + TLS_DHE_PSK_WITH_AES_256_CBC_SHA384, + TLS_DHE_PSK_WITH_NULL_SHA256, + TLS_DHE_PSK_WITH_NULL_SHA384, + TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256, + TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256, + TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256, + TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256, + TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256, + TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384, + TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256, + TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384, + TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256, + TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384, + TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256, + TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384, + TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256, + TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384, + TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256, + TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384, + TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256, + TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384, + TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256, + TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384, + TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256, + TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384, + TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256, + 
TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384, + TLS_DHE_RSA_WITH_AES_128_CCM, + TLS_DHE_RSA_WITH_AES_256_CCM, + TLS_DHE_RSA_WITH_AES_128_CCM_8, + TLS_DHE_RSA_WITH_AES_256_CCM_8, + TLS_DHE_PSK_WITH_AES_128_CCM, + TLS_DHE_PSK_WITH_AES_256_CCM, + TLS_PSK_DHE_WITH_AES_128_CCM_8, + TLS_PSK_DHE_WITH_AES_256_CCM_8, + TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 + -> dhe_server_key_exchange : DheServerKeyExchange(rec); + + # DH-anon suites + TLS_DH_ANON_EXPORT_WITH_RC4_40_MD5, + TLS_DH_ANON_WITH_RC4_128_MD5, + TLS_DH_ANON_EXPORT_WITH_DES40_CBC_SHA, + TLS_DH_ANON_WITH_DES_CBC_SHA, + TLS_DH_ANON_WITH_3DES_EDE_CBC_SHA, + TLS_DH_ANON_WITH_AES_128_CBC_SHA, + TLS_DH_ANON_WITH_AES_256_CBC_SHA, + TLS_DH_ANON_WITH_CAMELLIA_128_CBC_SHA, + TLS_DH_ANON_WITH_AES_128_CBC_SHA256, + TLS_DH_ANON_WITH_AES_256_CBC_SHA256, + TLS_DH_ANON_WITH_CAMELLIA_256_CBC_SHA, + TLS_DH_ANON_WITH_SEED_CBC_SHA, + TLS_DH_ANON_WITH_AES_128_GCM_SHA256, + TLS_DH_ANON_WITH_AES_256_GCM_SHA384, + TLS_DH_ANON_WITH_CAMELLIA_128_CBC_SHA256, + TLS_DH_ANON_WITH_CAMELLIA_256_CBC_SHA256, + TLS_DH_ANON_WITH_ARIA_128_CBC_SHA256, + TLS_DH_ANON_WITH_ARIA_256_CBC_SHA384, + TLS_DH_ANON_WITH_ARIA_128_GCM_SHA256, + TLS_DH_ANON_WITH_ARIA_256_GCM_SHA384, + TLS_DH_ANON_WITH_CAMELLIA_128_GCM_SHA256, + TLS_DH_ANON_WITH_CAMELLIA_256_GCM_SHA384 + # DH non-anon suites do not send a ServerKeyExchange + -> dh_anon_server_key_exchange : DhAnonServerKeyExchange(rec); + + default + -> key : bytestring &restofdata &transient; +}; + +# Parse an ECDHE ServerKeyExchange message, which contains a signature over the +# parameters. Parsing explicit curve parameters from the server is not +# currently supported. 
+type EcdheServerKeyExchange(rec: HandshakeRecord) = record { + curve_type: uint8; + named_curve: case curve_type of { + NAMED_CURVE -> params: ServerECDHParamsAndSignature; + default -> data: bytestring &restofdata &transient; + }; + signature: case curve_type of { + NAMED_CURVE -> signed_params: ServerKeyExchangeSignature; + default -> nothing: bytestring &length=0; + }; +}; + +type ServerKeyExchangeSignature = record { + alg: case uses_signature_and_hashalgorithm of { + true -> algorithm: SignatureAndHashAlgorithm; + false -> nothing: bytestring &length=0; + } &requires(uses_signature_and_hashalgorithm); + signature_length: uint16; + signature: bytestring &length=signature_length; +} &let { + uses_signature_and_hashalgorithm : bool = + ($context.connection.chosen_version() > TLSv11) && + ($context.connection.chosen_version() != DTLSv10); +}; + +# Parse an ECDH-anon ServerKeyExchange message, which does not contain a +# signature over the parameters. Parsing explicit curve parameters from the +# server is not currently supported. +type EcdhAnonServerKeyExchange(rec: HandshakeRecord) = record { + curve_type: uint8; + named_curve: case curve_type of { + NAMED_CURVE -> params: ServerECDHParamsAndSignature; + default -> data: bytestring &restofdata &transient; + }; +}; + +type ServerECDHParamsAndSignature() = record { + curve: uint16; + point_length: uint8; + point: bytestring &length=point_length; +}; + +# Parse a DHE ServerKeyExchange message, which contains a signature over the +# parameters. +type DheServerKeyExchange(rec: HandshakeRecord) = record { + dh_p_length: uint16; + dh_p: bytestring &length=dh_p_length; + dh_g_length: uint16; + dh_g: bytestring &length=dh_g_length; + dh_Ys_length: uint16; + dh_Ys: bytestring &length=dh_Ys_length; + signed_params: ServerKeyExchangeSignature; +}; + +# Parse a DH-anon ServerKeyExchange message, which does not contain a +# signature over the parameters. 
+type DhAnonServerKeyExchange(rec: HandshakeRecord) = record { + dh_p_length: uint16; + dh_p: bytestring &length=dh_p_length; + dh_g_length: uint16; + dh_g: bytestring &length=dh_g_length; + dh_Ys_length: uint16; + dh_Ys: bytestring &length=dh_Ys_length; + data: bytestring &restofdata &transient; +}; + +###################################################################### +# V3 Certificate Request (7.4.4.) +###################################################################### + +# For now, ignore Certificate Request Details; just eat up message. +type CertificateRequest(rec: HandshakeRecord) = record { + cont : bytestring &restofdata &transient; +}; + + +###################################################################### +# V3 Server Hello Done (7.4.5.) +###################################################################### + +# Server Hello Done is empty +type ServerHelloDone(rec: HandshakeRecord) = empty; + + +###################################################################### +# V3 Client Certificate (7.4.6.) +###################################################################### + +# Client Certificate is identical to Server Certificate; +# no further definition here + + +###################################################################### +# V3 Client Key Exchange Message (7.4.7.) +###################################################################### + +# Parse a ClientKeyExchange message. For RSA cipher suites, this consists of an +# encrypted pre-master secret. For DH, DH-anon, and DHE cipher suites, this +# consists of the client public finite-field Diffie-Hellman value. For ECDH, +# ECDH-anon, and ECDHE cipher suites, this consists of the client public +# elliptic curve point. 
+type ClientKeyExchange(rec: HandshakeRecord) = case $context.connection.chosen_cipher() of { + # RSA suites + TLS_RSA_WITH_NULL_MD5, + TLS_RSA_WITH_NULL_SHA, + TLS_RSA_EXPORT_WITH_RC4_40_MD5, + TLS_RSA_WITH_RC4_128_MD5, + TLS_RSA_WITH_RC4_128_SHA, + TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5, + TLS_RSA_WITH_IDEA_CBC_SHA, + TLS_RSA_EXPORT_WITH_DES40_CBC_SHA, + TLS_RSA_WITH_DES_CBC_SHA, + TLS_RSA_WITH_3DES_EDE_CBC_SHA, + TLS_RSA_WITH_AES_128_CBC_SHA, + TLS_RSA_WITH_AES_256_CBC_SHA, + TLS_RSA_WITH_NULL_SHA256, + TLS_RSA_WITH_AES_128_CBC_SHA256, + TLS_RSA_WITH_AES_256_CBC_SHA256, + TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, + TLS_RSA_EXPORT1024_WITH_RC4_56_MD5, + TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5, + TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, + TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, + TLS_RSA_WITH_3DES_EDE_CBC_RMD, + TLS_RSA_WITH_AES_128_CBC_RMD, + TLS_RSA_WITH_AES_256_CBC_RMD, + TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, + TLS_RSA_PSK_WITH_RC4_128_SHA, + TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA, + TLS_RSA_PSK_WITH_AES_128_CBC_SHA, + TLS_RSA_PSK_WITH_AES_256_CBC_SHA, + TLS_RSA_WITH_SEED_CBC_SHA, + TLS_RSA_WITH_AES_128_GCM_SHA256, + TLS_RSA_WITH_AES_256_GCM_SHA384, + TLS_RSA_PSK_WITH_AES_128_CBC_SHA256, + TLS_RSA_PSK_WITH_AES_256_CBC_SHA384, + TLS_RSA_PSK_WITH_NULL_SHA256, + TLS_RSA_PSK_WITH_NULL_SHA384, + TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256, + TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256, + TLS_RSA_WITH_ARIA_128_CBC_SHA256, + TLS_RSA_WITH_ARIA_256_CBC_SHA384, + TLS_RSA_WITH_ARIA_128_GCM_SHA256, + TLS_RSA_WITH_ARIA_256_GCM_SHA384, + TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256, + TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384, + TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256, + TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384, + TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256, + TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384, + TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256, + TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384, + TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256, + TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384, + TLS_RSA_WITH_AES_128_CCM, + TLS_RSA_WITH_AES_256_CCM, + 
TLS_RSA_WITH_AES_128_CCM_8, + TLS_RSA_WITH_AES_256_CCM_8 + -> rsa_client_key_exchange: RsaClientKeyExchange(rec); + + #ECHDE TLS_ECDH_ECDSA_WITH_NULL_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, @@ -275,7 +612,7 @@ type ServerKeyExchange(rec: HandshakeRecord) = case $context.connection.chosen_c TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 - -> ec_server_key_exchange : EcServerKeyExchange(rec); + -> ecdh_client_key_exchange : EcdhClientKeyExchange(rec); # DHE suites TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, 
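Review bot: The ECDHE and DHE arms of the new `ServerKeyExchange` case also list the `TLS_ECDHE_PSK_*`, `TLS_DHE_PSK_*` and `TLS_PSK_DHE_*` suites, but `EcdheServerKeyExchange` and `DheServerKeyExchange` read the key-exchange parameters from the first byte and then require a `ServerKeyExchangeSignature`. As far as I know (RFC 4279, RFC 5489) the PSK variants begin with a length-prefixed identity hint and carry no signature, so these messages would be misread and most likely end in a parse error, where the old `&restofdata` tail tolerated them. Until a PSK-aware record exists, I would take those names out of both arms so they reach `default -> key : bytestring &restofdata &transient;`. Separately, `ServerECDHParamsAndSignature` holds only the curve and the point, so a name without `AndSignature` would match what it parses.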
@@ -377,72 +714,24 @@ type ServerKeyExchange(rec: HandshakeRecord) = case $context.connection.chosen_c TLS_DH_ANON_WITH_ARIA_256_GCM_SHA384, TLS_DH_ANON_WITH_CAMELLIA_128_GCM_SHA256, TLS_DH_ANON_WITH_CAMELLIA_256_GCM_SHA384 - # DH non-anon suites do not send a ServerKeyExchange - -> dh_server_key_exchange : DhServerKeyExchange(rec); + -> dh_server_key_exchange : DhClientKeyExchange(rec); default -> key : bytestring &restofdata &transient; }; -# For the moment, we really only are interested in the curve name. If it -# is not set (if the server sends explicit parameters), we do not bother. -# We also do not parse the actual signature data following the named curve. -type EcServerKeyExchange(rec: HandshakeRecord) = record { - curve_type: uint8; - curve: uint16; # only if curve_type = 3 (NAMED_CURVE) - data: bytestring &restofdata &transient; +type RsaClientKeyExchange(rec: HandshakeRecord) = record { + rsa_pms : bytestring &restofdata; }; -# For both, dh_anon and dhe the ServerKeyExchange starts with a ServerDHParams -# structure. After that, they start to differ, but we do not care about that. -type DhServerKeyExchange(rec: HandshakeRecord) = record { - dh_p_length: uint16; - dh_p: bytestring &length=dh_p_length; - dh_g_length: uint16; - dh_g: bytestring &length=dh_g_length; - dh_Ys_length: uint16; - dh_Ys: bytestring &length=dh_Ys_length; - data: bytestring &restofdata &transient; +type DhClientKeyExchange(rec: HandshakeRecord) = record { + dh_Yc : bytestring &restofdata; }; - -###################################################################### -# V3 Certificate Request (7.4.4.) -###################################################################### - -# For now, ignore Certificate Request Details; just eat up message. 
-type CertificateRequest(rec: HandshakeRecord) = record { - cont : bytestring &restofdata &transient; +type EcdhClientKeyExchange(rec: HandshakeRecord) = record { + point : bytestring &restofdata; }; - -###################################################################### -# V3 Server Hello Done (7.4.5.) -###################################################################### - -# Server Hello Done is empty -type ServerHelloDone(rec: HandshakeRecord) = empty; - - -###################################################################### -# V3 Client Certificate (7.4.6.) -###################################################################### - -# Client Certificate is identical to Server Certificate; -# no further definition here - - -###################################################################### -# V3 Client Key Exchange Message (7.4.7.) -###################################################################### - -# For now ignore details of ClientKeyExchange (most of it is -# encrypted anyway); just eat up message. -type ClientKeyExchange(rec: HandshakeRecord) = record { - key : bytestring &restofdata &transient; -}; - - ###################################################################### # V3 Certificate Verify (7.4.8.) ###################################################################### 
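Review bot: The three new client records (`RsaClientKeyExchange`, `DhClientKeyExchange`, `EcdhClientKeyExchange`) take the whole message with `&restofdata` and carry no comment, so a reader cannot tell that `rsa_pms`, `dh_Yc` and `point` are the raw message body rather than the decoded value. If I read the TLS encoding correctly, that body still includes the leading length field. A one-line comment on each, such as `# raw ClientKeyExchange body, length prefix included`, would keep script writers from comparing these bytes directly with values from other sources. In the same hunk the `ClientKeyExchange` arm that ends at the DH-anon suites is named `dh_server_key_exchange`, which looks carried over from the server side; `dh_client_key_exchange` would match the sibling arms. The `ClientKeyExchange` case starts outside this hunk.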
@@ -485,11 +774,35 @@ type SSLExtension(rec: HandshakeRecord) = record { # EXT_STATUS_REQUEST -> status_request: StatusRequest(rec)[] &until($element == 0 || $element != 0); EXT_SERVER_NAME -> server_name: ServerNameExt(rec)[] &until($element == 0 || $element != 0); EXT_SIGNATURE_ALGORITHMS -> signature_algorithm: SignatureAlgorithm(rec)[] &until($element == 0 || $element != 0); + EXT_SIGNED_CERTIFICATE_TIMESTAMP -> certificate_timestamp: SignedCertificateTimestampList(rec)[] &until($element == 0 || $element != 0); EXT_KEY_SHARE -> key_share: KeyShare(rec)[] &until($element == 0 || $element != 0); + EXT_SUPPORTED_VERSIONS -> supported_versions_selector: SupportedVersionsSelector(rec, data_len)[] &until($element == 0 || $element != 0); + EXT_PSK_KEY_EXCHANGE_MODES -> psk_key_exchange_modes: PSKKeyExchangeModes(rec)[] &until($element == 0 || $element != 0); default -> data: bytestring &restofdata; }; } &length=data_len+4 &exportsourcedata; +%include tls-handshake-signed_certificate_timestamp.pac + +type SupportedVersionsSelector(rec: HandshakeRecord, data_len: uint16) = case rec.is_orig of { + true -> a: SupportedVersions(rec); + false -> b: OneSupportedVersion(rec); +} + +type SupportedVersions(rec: HandshakeRecord) = record { + length: uint8; + versions: uint16[] &until($input.length() == 0); +} &length=length+1; + +type OneSupportedVersion(rec: HandshakeRecord) = record { + version: uint16; +}; + +type PSKKeyExchangeModes(rec: HandshakeRecord) = record { + length: uint8; + modes: uint8[] &until($input.length() == 0); +} &length=length+1; + type ServerNameHostName() = record { length: uint16; host_name: bytestring &length=length; 
@@ -551,11 +864,6 @@ type KeyShare(rec: HandshakeRecord) = case rec.msg_type of { default -> other : bytestring &restofdata &transient; }; -type SignatureAndHashAlgorithm() = record { - HashAlgorithm: uint8; - SignatureAlgorithm: uint8; -} - type SignatureAlgorithm(rec: HandshakeRecord) = record { length: uint16; supported_signature_algorithms: SignatureAndHashAlgorithm[] &until($input.length() == 0); @@ -580,10 +888,12 @@ refine connection Handshake_Conn += { %member{ uint32 chosen_cipher_; + uint16 chosen_version_; %} %init{ chosen_cipher_ = NO_CHOSEN_CIPHER; + chosen_version_ = UNKNOWN_VERSION; %} function chosen_cipher() : int %{ return chosen_cipher_; %} @@ -593,6 +903,14 @@ refine connection Handshake_Conn += { chosen_cipher_ = cipher; return true; %} + + function chosen_version() : int %{ return chosen_version_; %} + + function set_version(version: uint16) : bool + %{ + chosen_version_ = version; + return true; + %} }; diff --git a/src/analyzer/protocol/ssl/tls-handshake-signed_certificate_timestamp.pac b/src/analyzer/protocol/ssl/tls-handshake-signed_certificate_timestamp.pac new file mode 100644 index 0000000000..f921db0790 --- /dev/null +++ b/src/analyzer/protocol/ssl/tls-handshake-signed_certificate_timestamp.pac 
@@ -0,0 +1,28 @@ +# We keep this extension separate, because it also can be included in X.509 certificates. +# If included there, it uses the exact same syntax and we just symlink it from the X.509 +# file analyzer tree. + +type SignatureAndHashAlgorithm() = record { + HashAlgorithm: uint8; + SignatureAlgorithm: uint8; +} + +type SignedCertificateTimestampList(rec: HandshakeRecord) = record { + length: uint16; + SCTs: SignedCertificateTimestamp(rec)[] &until($input.length() == 0); +} &length=length+2; + +type SignedCertificateTimestamp(rec: HandshakeRecord) = record { + # before - framing + length: uint16; + # from here: SignedCertificateTimestamp + version: uint8; + logid: bytestring &length=32; + timestamp: uint64; + extensions_length: uint16; # extensions are not actually defined yet, so we cannot parse them + extensions: bytestring &length=extensions_length; + digitally_signed_algorithms: SignatureAndHashAlgorithm; + digitally_signed_signature_length: uint16; + digitally_signed_signature: bytestring &length=digitally_signed_signature_length; +} &length=length+2; + diff --git a/src/analyzer/protocol/stepping-stone/SteppingStone.h b/src/analyzer/protocol/stepping-stone/SteppingStone.h index c0b06d79e7..b9ebd1ff8b 100644 --- a/src/analyzer/protocol/stepping-stone/SteppingStone.h +++ b/src/analyzer/protocol/stepping-stone/SteppingStone.h @@ -19,7 +19,7 @@ declare(PDict,SteppingStoneEndpoint); class SteppingStoneEndpoint : public BroObj { public: SteppingStoneEndpoint(tcp::TCP_Endpoint* e, SteppingStoneManager* m); - ~SteppingStoneEndpoint(); + ~SteppingStoneEndpoint() override; void Done(); int DataSent(double t, uint64 seq, int len, int caplen, const u_char* data, 
@@ -47,11 +47,11 @@ protected: class SteppingStone_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: - SteppingStone_Analyzer(Connection* c); - virtual ~SteppingStone_Analyzer() {}; + explicit SteppingStone_Analyzer(Connection* c); + ~SteppingStone_Analyzer() override {}; - virtual void Init(); - virtual void Done(); + void Init() override; + void Done() override; static analyzer::Analyzer* Instantiate(Connection* conn) { return new SteppingStone_Analyzer(conn); } @@ -59,9 +59,9 @@ public: protected: // We support both packet and stream input and can be put in place even // if the TCP analyzer is not yet reassebmling. - virtual void DeliverPacket(int len, const u_char* data, bool is_orig, - uint64 seq, const IP_Hdr* ip, int caplen); - virtual void DeliverStream(int len, const u_char* data, bool is_orig); + void DeliverPacket(int len, const u_char* data, bool is_orig, + uint64 seq, const IP_Hdr* ip, int caplen) override; + void DeliverStream(int len, const u_char* data, bool is_orig) override; int orig_stream_pos; int resp_stream_pos; diff --git a/src/analyzer/protocol/syslog/Syslog.h b/src/analyzer/protocol/syslog/Syslog.h index f1568e0b6f..8701277497 100644 --- a/src/analyzer/protocol/syslog/Syslog.h +++ b/src/analyzer/protocol/syslog/Syslog.h 
@@ -11,19 +11,17 @@ namespace analyzer { namespace syslog { class Syslog_Analyzer : public analyzer::Analyzer { public: - Syslog_Analyzer(Connection* conn); - virtual ~Syslog_Analyzer(); + explicit Syslog_Analyzer(Connection* conn); + ~Syslog_Analyzer() override; - virtual void Done(); - virtual void DeliverPacket(int len, const u_char* data, bool orig, - uint64 seq, const IP_Hdr* ip, int caplen); + void Done() override; + void DeliverPacket(int len, const u_char* data, bool orig, + uint64 seq, const IP_Hdr* ip, int caplen) override; static analyzer::Analyzer* Instantiate(Connection* conn) { return new Syslog_Analyzer(conn); } protected: - void ExpireTimer(double t); - int did_session_done; binpac::Syslog::Syslog_Conn* interp; diff --git a/src/analyzer/protocol/syslog/syslog-protocol.pac b/src/analyzer/protocol/syslog/syslog-protocol.pac index a2bf8a31da..c1502fc534 100644 --- a/src/analyzer/protocol/syslog/syslog-protocol.pac +++ b/src/analyzer/protocol/syslog/syslog-protocol.pac @@ -4,9 +4,9 @@ type Syslog_Message = record { } &byteorder = littleendian; type Syslog_Priority = record { - lt : uint8 &check(lt == "<"); + lt : uint8; # &check(lt == 60); # '<' val : RE/[[:digit:]]+/; - gt : uint8 &check(gt == ">"); + gt : uint8; # &check(gt == 62); # '>' } &let { val_length: int = sizeof(val) - 1; int_val: int = bytestring_to_int(val, 10); diff --git a/src/analyzer/protocol/tcp/ContentLine.cc b/src/analyzer/protocol/tcp/ContentLine.cc index f5dd7aaf07..7fc8085246 100644 --- a/src/analyzer/protocol/tcp/ContentLine.cc +++ b/src/analyzer/protocol/tcp/ContentLine.cc 
@@ -7,14 +7,14 @@ using namespace analyzer::tcp; -ContentLine_Analyzer::ContentLine_Analyzer(Connection* conn, bool orig) -: TCP_SupportAnalyzer("CONTENTLINE", conn, orig) +ContentLine_Analyzer::ContentLine_Analyzer(Connection* conn, bool orig, int max_line_length) +: TCP_SupportAnalyzer("CONTENTLINE", conn, orig), max_line_length(max_line_length) { InitState(); } -ContentLine_Analyzer::ContentLine_Analyzer(const char* name, Connection* conn, bool orig) -: TCP_SupportAnalyzer(name, conn, orig) +ContentLine_Analyzer::ContentLine_Analyzer(const char* name, Connection* conn, bool orig, int max_line_length) +: TCP_SupportAnalyzer(name, conn, orig), max_line_length(max_line_length) { InitState(); } @@ -229,6 +229,12 @@ int ContentLine_Analyzer::DoDeliverOnce(int len, const u_char* data) return seq_len; \ } + if ( offset >= max_line_length ) + { + Weird("contentline_size_exceeded"); + EMIT_LINE + } + switch ( c ) { case '\r': // Look ahead for '\n'. @@ -250,6 +256,16 @@ int ContentLine_Analyzer::DoDeliverOnce(int len, const u_char* data) case '\n': if ( last_char == '\r' ) { + // Weird corner-case: + // this can happen if we see a \r at the end of a packet where crlf is + // set to CR_as_EOL | LF_as_EOL, with the packet causing crlf to be set to + // 0 and the next packet beginning with a \n. In this case we just swallow + // the character and re-set last_char. + if ( offset == 0 ) + { + last_char = c; + break; + } --offset; // remove '\r' EMIT_LINE } diff --git a/src/analyzer/protocol/tcp/ContentLine.h b/src/analyzer/protocol/tcp/ContentLine.h index 7a5a6b996e..f225db8029 100644 --- a/src/analyzer/protocol/tcp/ContentLine.h +++ b/src/analyzer/protocol/tcp/ContentLine.h 
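Review bot: The new guard `if ( offset >= max_line_length )` in `DoDeliverOnce` relies on a constructor argument that is never range-checked, so a caller passing zero or a negative `max_line_length` would make every byte emit a line and raise `contentline_size_exceeded`. Falling back to the default in both constructors' initializer lists would avoid that: `max_line_length(max_line_length > 0 ? max_line_length : DEFAULT_MAX_LINE_LENGTH)`. A comment at the guard should also say that the remainder of an over-long line is delivered as a separate line, since line-based analyzers above will parse it as a fresh line; whether this `Weird` call should honour `suppress_weirds` is not visible from here. `DoDeliverOnce` begins and ends outside the hunk.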
@@ -10,10 +10,13 @@ namespace analyzer { namespace tcp { #define CR_as_EOL 1 #define LF_as_EOL 2 +// Slightly smaller than 16MB so that the buffer is not unnecessarily resized to 32M. +#define DEFAULT_MAX_LINE_LENGTH 16 * 1024 * 1024 - 100 + class ContentLine_Analyzer : public TCP_SupportAnalyzer { public: - ContentLine_Analyzer(Connection* conn, bool orig); - ~ContentLine_Analyzer(); + ContentLine_Analyzer(Connection* conn, bool orig, int max_line_length=DEFAULT_MAX_LINE_LENGTH); + ~ContentLine_Analyzer() override; void SupressWeirds(bool enable) { suppress_weirds = enable; } @@ -60,11 +63,11 @@ public: { return seq + length <= seq_to_skip; } protected: - ContentLine_Analyzer(const char* name, Connection* conn, bool orig); + ContentLine_Analyzer(const char* name, Connection* conn, bool orig, int max_line_length=DEFAULT_MAX_LINE_LENGTH); - virtual void DeliverStream(int len, const u_char* data, bool is_orig); - virtual void Undelivered(uint64 seq, int len, bool orig); - virtual void EndpointEOF(bool is_orig); + void DeliverStream(int len, const u_char* data, bool is_orig) override; + void Undelivered(uint64 seq, int len, bool orig) override; + void EndpointEOF(bool is_orig) override; class State; void InitState(); @@ -80,6 +83,7 @@ protected: int offset; // where we are in buf int buf_len; // how big buf is, total unsigned int last_char; // last (non-option) character scanned + int max_line_length; // how large of a line to accumulate before emitting and raising a weird uint64_t seq; // last seq number uint64_t seq_to_skip; diff --git a/src/analyzer/protocol/tcp/TCP.cc b/src/analyzer/protocol/tcp/TCP.cc index 791cf9f779..08dd56190c 100644 --- a/src/analyzer/protocol/tcp/TCP.cc +++ b/src/analyzer/protocol/tcp/TCP.cc @@ -459,7 +459,7 @@ bool TCP_Analyzer::ValidateChecksum(const struct tcphdr* tp, ! endpoint->ValidChecksum(tp, len) ) { Weird("bad_TCP_checksum"); - endpoint->CheckHistory(HIST_CORRUPT_PKT, 'C'); + endpoint->ChecksumError(); return false; } else 
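Review bot: `DEFAULT_MAX_LINE_LENGTH` is defined as the bare expression `16 * 1024 * 1024 - 100`, so any use next to another operator (dividing or multiplying it, for example) expands with the wrong precedence. It is harmless as a default argument, which is the only use visible here, but wrapping it is cheap: `#define DEFAULT_MAX_LINE_LENGTH (16 * 1024 * 1024 - 100)`. The comment above it could also state that the unit is bytes.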
@@ -579,16 +579,38 @@ static void init_window(TCP_Endpoint* endpoint, TCP_Endpoint* peer, static void update_window(TCP_Endpoint* endpoint, unsigned int window, uint32 base_seq, uint32 ack_seq, TCP_Flags flags) { - // Note, the offered window on an initial SYN is unscaled, even - // if the SYN includes scaling, so we need to do the following - // test *before* updating the scaling information below. (Hmmm, - // how does this work for windows on SYN/ACKs? ###) + // Note, applying scaling here would be incorrect for an initial SYN, + // whose window value is always unscaled. However, we don't + // check the window's value for recision in that case anyway, so + // no-harm-no-foul. int scale = endpoint->window_scale; window = window << scale; + // Zero windows are boring if either (1) they come with a RST packet + // or after a RST packet, or (2) they come after the peer has sent + // a FIN (because there's no relevant window at that point anyway). + // (They're also boring if they come after the peer has sent a RST, + // but *nothing* should be sent in response to a RST, so we ignore + // that case.) + // + // However, they *are* potentially interesting if sent by an + // endpoint that's already sent a FIN, since that FIN meant "I'm + // not going to send any more", but doesn't mean "I won't receive + // any more". + if ( window == 0 && ! flags.RST() && + endpoint->peer->state != TCP_ENDPOINT_CLOSED && + endpoint->state != TCP_ENDPOINT_RESET ) + endpoint->ZeroWindow(); + // Don't analyze window values off of SYNs, they're sometimes - // immediately rescinded. - if ( ! flags.SYN() ) + // immediately rescinded. Also don't do so for FINs or RSTs, + // or if the connection has already been partially closed, since + // such recisions occur frequently in practice, probably as the + // receiver loses buffer memory due to its process going away. + + if ( ! flags.SYN() && ! flags.FIN() && ! 
flags.RST() && + endpoint->state != TCP_ENDPOINT_CLOSED && + endpoint->state != TCP_ENDPOINT_RESET ) { // ### Decide whether to accept new window based on Active // Mapping policy. @@ -601,21 +623,12 @@ static void update_window(TCP_Endpoint* endpoint, unsigned int window, if ( advance < 0 ) { - // A window recision. We don't report these - // for FINs or RSTs, or if the connection - // has already been partially closed, since - // such recisions occur frequently in practice, - // probably as the receiver loses buffer memory - // due to its process going away. - // - // We also, for window scaling, allow a bit - // of slop ###. This is because sometimes - // there will be an apparent recision due - // to the granularity of the scaling. - if ( ! flags.FIN() && ! flags.RST() && - endpoint->state != TCP_ENDPOINT_CLOSED && - endpoint->state != TCP_ENDPOINT_RESET && - (-advance) >= (1 << scale) ) + // An apparent window recision. Allow a + // bit of slop for window scaling. This is + // because sometimes there will be an + // apparent recision due to the granularity + // of the scaling. + if ( (-advance) >= (1 << scale) ) endpoint->Conn()->Weird("window_recision"); } @@ -1206,7 +1219,7 @@ static int32 update_last_seq(TCP_Endpoint* endpoint, uint32 last_seq, endpoint->UpdateLastSeq(last_seq); else if ( delta_last < 0 && len > 0 ) - endpoint->CheckHistory(HIST_RXMIT, 'T'); + endpoint->DidRxmit(); return delta_last; } diff --git a/src/analyzer/protocol/tcp/TCP.h b/src/analyzer/protocol/tcp/TCP.h index e5589b01a3..69f3482ae0 100644 --- a/src/analyzer/protocol/tcp/TCP.h +++ b/src/analyzer/protocol/tcp/TCP.h @@ -4,7 +4,6 @@ #define ANALYZER_PROTOCOL_TCP_TCP_H #include "analyzer/Analyzer.h" -#include "analyzer/protocol/tcp/TCP.h" #include "PacketDumper.h" #include "IPAddr.h" #include "TCP_Endpoint.h" 
@@ -26,8 +25,8 @@ class TCP_Reassembler; class TCP_Analyzer : public analyzer::TransportLayerAnalyzer { public: - TCP_Analyzer(Connection* conn); - virtual ~TCP_Analyzer(); + explicit TCP_Analyzer(Connection* conn); + ~TCP_Analyzer() override; void EnableReassembly(); @@ -35,8 +34,8 @@ public: // independently of whether we do any reassembly. void AddChildPacketAnalyzer(analyzer::Analyzer* a); - virtual Analyzer* FindChild(ID id); - virtual Analyzer* FindChild(Tag tag); + Analyzer* FindChild(ID id) override; + Analyzer* FindChild(Tag tag) override; // True if the connection has closed in some sense, false otherwise. int IsClosed() const { return orig->did_close || resp->did_close; } @@ -62,8 +61,8 @@ public: // the test is whether it has any outstanding, un-acked data. int DataPending(TCP_Endpoint* closing_endp); - virtual void SetContentsFile(unsigned int direction, BroFile* f); - virtual BroFile* GetContentsFile(unsigned int direction) const; + void SetContentsFile(unsigned int direction, BroFile* f) override; + BroFile* GetContentsFile(unsigned int direction) const override; // Callback to process a TCP option. typedef int (*proc_tcp_option_t)(unsigned int opt, unsigned int optlen, @@ -71,7 +70,7 @@ public: bool is_orig, void* cookie); // From Analyzer.h - virtual void UpdateConnVal(RecordVal *conn_val); + void UpdateConnVal(RecordVal *conn_val) override; // Needs to be static because it's passed as a pointer-to-function // rather than pointer-to-member-function. 
@@ -88,13 +87,13 @@ protected: friend class analyzer::pia::PIA_TCP; // Analyzer interface. - virtual void Init(); - virtual void Done(); - virtual void DeliverPacket(int len, const u_char* data, bool orig, uint64 seq, const IP_Hdr* ip, int caplen); - virtual void DeliverStream(int len, const u_char* data, bool orig); - virtual void Undelivered(uint64 seq, int len, bool orig); - virtual void FlipRoles(); - virtual bool IsReuse(double t, const u_char* pkt); + void Init() override; + void Done() override; + void DeliverPacket(int len, const u_char* data, bool orig, uint64 seq, const IP_Hdr* ip, int caplen) override; + void DeliverStream(int len, const u_char* data, bool orig) override; + void Undelivered(uint64 seq, int len, bool orig) override; + void FlipRoles() override; + bool IsReuse(double t, const u_char* pkt) override; // Returns the TCP header pointed to by data (which we assume is // aligned), updating data, len & caplen. Returns nil if the header @@ -205,11 +204,11 @@ public: : Analyzer(name, conn) { tcp = 0; } - TCP_ApplicationAnalyzer(Connection* conn) + explicit TCP_ApplicationAnalyzer(Connection* conn) : Analyzer(conn) { tcp = 0; } - virtual ~TCP_ApplicationAnalyzer() { } + ~TCP_ApplicationAnalyzer() override { } // This may be nil if we are not directly associated with a TCP // analyzer (e.g., we're part of a tunnel decapsulation pipeline). 
@@ -238,14 +237,14 @@ public: // of ConnectionReset is delayed. virtual void PacketWithRST(); - virtual void DeliverPacket(int len, const u_char* data, bool orig, - uint64 seq, const IP_Hdr* ip, int caplen); - virtual void Init(); + void DeliverPacket(int len, const u_char* data, bool orig, + uint64 seq, const IP_Hdr* ip, int caplen) override; + void Init() override; // This suppresses violations if the TCP connection wasn't // fully established. - virtual void ProtocolViolation(const char* reason, - const char* data = 0, int len = 0); + void ProtocolViolation(const char* reason, + const char* data = 0, int len = 0) override; // "name" and "val" both now belong to this object, which needs to // delete them when done with them. @@ -260,7 +259,7 @@ public: TCP_SupportAnalyzer(const char* name, Connection* conn, bool arg_orig) : analyzer::SupportAnalyzer(name, conn, arg_orig) { } - virtual ~TCP_SupportAnalyzer() {} + ~TCP_SupportAnalyzer() override {} // These are passed on from TCP_Analyzer. virtual void EndpointEOF(bool is_orig) { } @@ -274,7 +273,7 @@ public: class TCPStats_Endpoint { public: - TCPStats_Endpoint(TCP_Endpoint* endp); + explicit TCPStats_Endpoint(TCP_Endpoint* endp); int DataSent(double t, uint64 seq, int len, int caplen, const u_char* data, const IP_Hdr* ip, const struct tcphdr* tp); 
@@ -296,18 +295,18 @@ protected: class TCPStats_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: - TCPStats_Analyzer(Connection* c); - ~TCPStats_Analyzer(); + explicit TCPStats_Analyzer(Connection* c); + ~TCPStats_Analyzer() override; - virtual void Init(); - virtual void Done(); + void Init() override; + void Done() override; static analyzer::Analyzer* Instantiate(Connection* conn) { return new TCPStats_Analyzer(conn); } protected: - virtual void DeliverPacket(int len, const u_char* data, bool is_orig, - uint64 seq, const IP_Hdr* ip, int caplen); + void DeliverPacket(int len, const u_char* data, bool is_orig, + uint64 seq, const IP_Hdr* ip, int caplen) override; TCPStats_Endpoint* orig_stats; TCPStats_Endpoint* resp_stats; diff --git a/src/analyzer/protocol/tcp/TCP_Endpoint.cc b/src/analyzer/protocol/tcp/TCP_Endpoint.cc index 7c359623f3..fb736d80f1 100644 --- a/src/analyzer/protocol/tcp/TCP_Endpoint.cc +++ b/src/analyzer/protocol/tcp/TCP_Endpoint.cc @@ -32,6 +32,9 @@ TCP_Endpoint::TCP_Endpoint(TCP_Analyzer* arg_analyzer, int arg_is_orig) tcp_analyzer = arg_analyzer; is_orig = arg_is_orig; + chk_cnt = rxmt_cnt = win0_cnt = 0; + chk_thresh = rxmt_thresh = win0_thresh = 1; + hist_last_SYN = hist_last_FIN = hist_last_RST = 0; src_addr = is_orig ? Conn()->RespAddr() : Conn()->OrigAddr(); @@ -229,7 +232,7 @@ int TCP_Endpoint::DataSent(double t, uint64 seq, int len, int caplen, if ( fwrite(data, 1, len, f) < unsigned(len) ) { char buf[256]; - strerror_r(errno, buf, sizeof(buf)); + bro_strerror_r(errno, buf, sizeof(buf)); reporter->Error("TCP contents write failed: %s", buf); if ( contents_file_write_failure ) 
@@ -284,3 +287,29 @@ void TCP_Endpoint::AddHistory(char code) Conn()->AddHistory(code); } +void TCP_Endpoint::ChecksumError() + { + uint32 t = chk_thresh; + if ( Conn()->ScaledHistoryEntry(IsOrig() ? 'C' : 'c', + chk_cnt, chk_thresh) ) + Conn()->HistoryThresholdEvent(tcp_multiple_checksum_errors, + IsOrig(), t); + } + +void TCP_Endpoint::DidRxmit() + { + uint32 t = rxmt_thresh; + if ( Conn()->ScaledHistoryEntry(IsOrig() ? 'T' : 't', + rxmt_cnt, rxmt_thresh) ) + Conn()->HistoryThresholdEvent(tcp_multiple_retransmissions, + IsOrig(), t); + } + +void TCP_Endpoint::ZeroWindow() + { + uint32 t = win0_thresh; + if ( Conn()->ScaledHistoryEntry(IsOrig() ? 'W' : 'w', + win0_cnt, win0_thresh) ) + Conn()->HistoryThresholdEvent(tcp_multiple_zero_windows, + IsOrig(), t); + } diff --git a/src/analyzer/protocol/tcp/TCP_Endpoint.h b/src/analyzer/protocol/tcp/TCP_Endpoint.h index 2e8a8a041e..4c38aadd93 100644 --- a/src/analyzer/protocol/tcp/TCP_Endpoint.h +++ b/src/analyzer/protocol/tcp/TCP_Endpoint.h @@ -166,6 +166,15 @@ public: int ValidChecksum(const struct tcphdr* tp, int len) const; + // Called to inform endpoint that it has generated a checksum error. + void ChecksumError(); + + // Called to inform endpoint that it has generated a retransmission. + void DidRxmit(); + + // Called to inform endpoint that it has offered a zero window. + void ZeroWindow(); + // Returns true if the data was used (and hence should be recorded // in the save file), false otherwise. int DataSent(double t, uint64 seq, int len, int caplen, const u_char* data, @@ -188,6 +197,7 @@ public: #define HIST_MULTI_FLAG_PKT 0x40 #define HIST_CORRUPT_PKT 0x80 #define HIST_RXMIT 0x100 +#define HIST_WIN0 0x200 int CheckHistory(uint32 mask, char code); void AddHistory(char code); 
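Review bot: `ChecksumError()`, `DidRxmit()` and `ZeroWindow()` each copy the threshold into `t` before calling `ScaledHistoryEntry()` and then report `t`, not the member, but nothing says why. Presumably `ScaledHistoryEntry()` takes the count and threshold by reference and advances the threshold when it is crossed; if so, a one-line comment such as `// save the threshold: ScaledHistoryEntry() raises it when crossed` belongs on the first of them. The three bodies differ only in the history letter, the counter pair and the event, so a small private helper taking those as arguments would remove the triplication. The same copy-then-call pattern appears in the `UDP_Analyzer::DeliverPacket` hunk of UDP.cc.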
@@ -202,7 +212,7 @@ public: double start_time, last_time; IPAddr src_addr; // the other endpoint IPAddr dst_addr; // this endpoint - uint32 window; // current congestion window (*scaled*, not pre-scaling) + uint32 window; // current advertised window (*scaled*, not pre-scaling) int window_scale; // from the TCP option uint32 window_ack_seq; // at which ack_seq number did we record 'window' uint32 window_seq; // at which sending sequence number did we record 'window' @@ -225,6 +235,11 @@ protected: uint32 last_seq, ack_seq; // in host order uint32 seq_wraps, ack_wraps; // Number of times 32-bit TCP sequence space // has wrapped around (overflowed). + + // Performance history accounting. + uint32 chk_cnt, chk_thresh; + uint32 rxmt_cnt, rxmt_thresh; + uint32 win0_cnt, win0_thresh; }; #define ENDIAN_UNKNOWN 0 diff --git a/src/analyzer/protocol/tcp/TCP_Reassembler.cc b/src/analyzer/protocol/tcp/TCP_Reassembler.cc index b1d7dca012..787ffc989c 100644 --- a/src/analyzer/protocol/tcp/TCP_Reassembler.cc +++ b/src/analyzer/protocol/tcp/TCP_Reassembler.cc @@ -38,18 +38,19 @@ TCP_Reassembler::TCP_Reassembler(analyzer::Analyzer* arg_dst_analyzer, if ( ::tcp_contents ) { - // Val dst_port_val(ntohs(Conn()->RespPort()), TYPE_PORT); - PortVal dst_port_val(ntohs(tcp_analyzer->Conn()->RespPort()), + auto dst_port_val = port_mgr->Get(ntohs(tcp_analyzer->Conn()->RespPort()), TRANSPORT_TCP); TableVal* ports = IsOrig() ? tcp_content_delivery_ports_orig : tcp_content_delivery_ports_resp; - Val* result = ports->Lookup(&dst_port_val); + Val* result = ports->Lookup(dst_port_val); if ( (IsOrig() && tcp_content_deliver_all_orig) || (! IsOrig() && tcp_content_deliver_all_resp) || (result && result->AsBool()) ) deliver_tcp_contents = 1; + + Unref(dst_port_val); } } 
@@ -500,7 +501,7 @@ int TCP_Reassembler::DataSent(double t, uint64 seq, int len, } if ( tcp_excessive_data_without_further_acks && - NumUndeliveredBytes() > static_cast(tcp_excessive_data_without_further_acks) ) + size_of_all_blocks > static_cast(tcp_excessive_data_without_further_acks) ) { tcp_analyzer->Weird("excessive_data_without_further_acks"); ClearBlocks(); diff --git a/src/analyzer/protocol/tcp/TCP_Reassembler.h b/src/analyzer/protocol/tcp/TCP_Reassembler.h index 2e85e48e2f..bacfa663e0 100644 --- a/src/analyzer/protocol/tcp/TCP_Reassembler.h +++ b/src/analyzer/protocol/tcp/TCP_Reassembler.h @@ -22,7 +22,7 @@ public: TCP_Reassembler(Analyzer* arg_dst_analyzer, TCP_Analyzer* arg_tcp_analyzer, Type arg_type, TCP_Endpoint* arg_endp); - virtual ~TCP_Reassembler(); + ~TCP_Reassembler() override; void Done(); diff --git a/src/analyzer/protocol/tcp/events.bif b/src/analyzer/protocol/tcp/events.bif index 5cf2710804..d93ebe4819 100644 --- a/src/analyzer/protocol/tcp/events.bif +++ b/src/analyzer/protocol/tcp/events.bif 
@@ -290,6 +290,43 @@ event tcp_contents%(c: connection, is_orig: bool, seq: count, contents: string%) ## TODO. event tcp_rexmit%(c: connection, is_orig: bool, seq: count, len: count, data_in_flight: count, window: count%); +## Generated if a TCP flow crosses a checksum-error threshold, per +## 'C'/'c' history reporting. +## +## c: The connection record for the TCP connection. +## +## is_orig: True if the event is raised for the originator side. +## +## threshold: the threshold that was crossed +## +## .. bro:see:: udp_multiple_checksum_errors +## tcp_multiple_zero_windows tcp_multiple_retransmissions +event tcp_multiple_checksum_errors%(c: connection, is_orig: bool, threshold: count%); + +## Generated if a TCP flow crosses a zero-window threshold, per +## 'W'/'w' history reporting. +## +## c: The connection record for the TCP connection. +## +## is_orig: True if the event is raised for the originator side. +## +## threshold: the threshold that was crossed +## +## .. bro:see:: tcp_multiple_checksum_errors tcp_multiple_retransmissions +event tcp_multiple_zero_windows%(c: connection, is_orig: bool, threshold: count%); + +## Generated if a TCP flow crosses a retransmission threshold, per +## 'T'/'t' history reporting. +## +## c: The connection record for the TCP connection. +## +## is_orig: True if the event is raised for the originator side. +## +## threshold: the threshold that was crossed +## +## .. bro:see:: tcp_multiple_checksum_errors tcp_multiple_zero_windows +event tcp_multiple_retransmissions%(c: connection, is_orig: bool, threshold: count%); + ## Generated when failing to write contents of a TCP stream to a file. ## ## c: The connection whose contents are being recorded. diff --git a/src/analyzer/protocol/teredo/Teredo.cc b/src/analyzer/protocol/teredo/Teredo.cc index 6ad00a82dc..3d7fb397fb 100644 --- a/src/analyzer/protocol/teredo/Teredo.cc +++ b/src/analyzer/protocol/teredo/Teredo.cc 
@@ -130,7 +130,7 @@ RecordVal* TeredoEncapsulation::BuildVal(const IP_Hdr* inner) const RecordVal* teredo_origin = new RecordVal(teredo_origin_type); uint16 port = ntohs(*((uint16*)(origin_indication + 2))) ^ 0xFFFF; uint32 addr = ntohl(*((uint32*)(origin_indication + 4))) ^ 0xFFFFFFFF; - teredo_origin->Assign(0, new PortVal(port, TRANSPORT_UDP)); + teredo_origin->Assign(0, port_mgr->Get(port, TRANSPORT_UDP)); teredo_origin->Assign(1, new AddrVal(htonl(addr))); teredo_hdr->Assign(1, teredo_origin); } @@ -195,7 +195,7 @@ void Teredo_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, else { delete inner; - ProtocolViolation("Truncated Teredo", (const char*) data, len); + ProtocolViolation("Truncated Teredo or invalid inner IP version", (const char*) data, len); return; } diff --git a/src/analyzer/protocol/teredo/Teredo.h b/src/analyzer/protocol/teredo/Teredo.h index 4882dd97ca..29eeadc968 100644 --- a/src/analyzer/protocol/teredo/Teredo.h +++ b/src/analyzer/protocol/teredo/Teredo.h @@ -9,17 +9,17 @@ namespace analyzer { namespace teredo { class Teredo_Analyzer : public analyzer::Analyzer { public: - Teredo_Analyzer(Connection* conn) : Analyzer("TEREDO", conn), + explicit Teredo_Analyzer(Connection* conn) : Analyzer("TEREDO", conn), valid_orig(false), valid_resp(false) {} - virtual ~Teredo_Analyzer() + ~Teredo_Analyzer() override {} - virtual void Done(); + void Done() override; - virtual void DeliverPacket(int len, const u_char* data, bool orig, - uint64 seq, const IP_Hdr* ip, int caplen); + void DeliverPacket(int len, const u_char* data, bool orig, + uint64 seq, const IP_Hdr* ip, int caplen) override; static analyzer::Analyzer* Instantiate(Connection* conn) { return new Teredo_Analyzer(conn); } 
@@ -49,15 +49,13 @@ public: } protected: - void ExpireTimer(double t); - bool valid_orig; bool valid_resp; }; class TeredoEncapsulation { public: - TeredoEncapsulation(const Teredo_Analyzer* ta) + explicit TeredoEncapsulation(const Teredo_Analyzer* ta) : inner_ip(0), origin_indication(0), auth(0), analyzer(ta) {} diff --git a/src/analyzer/protocol/udp/UDP.cc b/src/analyzer/protocol/udp/UDP.cc index 3bd3736b2a..b3a334b76b 100644 --- a/src/analyzer/protocol/udp/UDP.cc +++ b/src/analyzer/protocol/udp/UDP.cc @@ -20,6 +20,9 @@ UDP_Analyzer::UDP_Analyzer(Connection* conn) conn->EnableStatusUpdateTimer(); conn->SetInactivityTimeout(udp_inactivity_timeout); request_len = reply_len = -1; // -1 means "haven't seen any activity" + + req_chk_cnt = rep_chk_cnt = 0; + req_chk_thresh = rep_chk_thresh = 1; } UDP_Analyzer::~UDP_Analyzer() @@ -77,9 +80,19 @@ void UDP_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig, Weird("bad_UDP_checksum"); if ( is_orig ) - Conn()->CheckHistory(HIST_ORIG_CORRUPT_PKT, 'C'); + { + uint32 t = req_chk_thresh; + if ( Conn()->ScaledHistoryEntry('C', req_chk_cnt, + req_chk_thresh) ) + ChecksumEvent(is_orig, t); + } else - Conn()->CheckHistory(HIST_RESP_CORRUPT_PKT, 'c'); + { + uint32 t = rep_chk_thresh; + if ( Conn()->ScaledHistoryEntry('c', rep_chk_cnt, + rep_chk_thresh) ) + ChecksumEvent(is_orig, t); + } return; } @@ -97,14 +110,14 @@ void UDP_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig, if ( udp_contents ) { - PortVal port_val(ntohs(up->uh_dport), TRANSPORT_UDP); + auto port_val = port_mgr->Get(ntohs(up->uh_dport), TRANSPORT_UDP); Val* result = 0; bool do_udp_contents = false; if ( is_orig ) { result = udp_content_delivery_ports_orig->Lookup( - &port_val); + port_val); if ( udp_content_deliver_all_orig || (result && result->AsBool()) ) do_udp_contents = true; 
@@ -112,7 +125,7 @@ void UDP_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig, else { result = udp_content_delivery_ports_resp->Lookup( - &port_val); + port_val); if ( udp_content_deliver_all_resp || (result && result->AsBool()) ) do_udp_contents = true; @@ -126,6 +139,8 @@ void UDP_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig, vl->append(new StringVal(len, (const char*) data)); ConnectionEvent(udp_contents, vl); } + + Unref(port_val); } if ( is_orig ) @@ -207,6 +222,12 @@ unsigned int UDP_Analyzer::MemoryAllocation() const return Analyzer::MemoryAllocation() + padded_sizeof(*this) - 24; } +void UDP_Analyzer::ChecksumEvent(bool is_orig, uint32 threshold) + { + Conn()->HistoryThresholdEvent(udp_multiple_checksum_errors, + is_orig, threshold); + } + bool UDP_Analyzer::ValidateChecksum(const IP_Hdr* ip, const udphdr* up, int len) { uint32 sum; diff --git a/src/analyzer/protocol/udp/UDP.h b/src/analyzer/protocol/udp/UDP.h index ae00a4c61e..7e07902a7e 100644 --- a/src/analyzer/protocol/udp/UDP.h +++ b/src/analyzer/protocol/udp/UDP.h 
@@ -15,22 +15,23 @@ typedef enum { class UDP_Analyzer : public analyzer::TransportLayerAnalyzer { public: - UDP_Analyzer(Connection* conn); - virtual ~UDP_Analyzer(); + explicit UDP_Analyzer(Connection* conn); + ~UDP_Analyzer() override; - virtual void Init(); - - virtual void UpdateConnVal(RecordVal *conn_val); + void Init() override; + void UpdateConnVal(RecordVal *conn_val) override; static analyzer::Analyzer* Instantiate(Connection* conn) { return new UDP_Analyzer(conn); } protected: - virtual void Done(); - virtual void DeliverPacket(int len, const u_char* data, bool orig, - uint64 seq, const IP_Hdr* ip, int caplen); - virtual bool IsReuse(double t, const u_char* pkt); - virtual unsigned int MemoryAllocation() const; + void Done() override; + void DeliverPacket(int len, const u_char* data, bool orig, + uint64 seq, const IP_Hdr* ip, int caplen) override; + bool IsReuse(double t, const u_char* pkt) override; + unsigned int MemoryAllocation() const override; + + void ChecksumEvent(bool is_orig, uint32 threshold); // Returns true if the checksum is valid, false if not static bool ValidateChecksum(const IP_Hdr* ip, const struct udphdr* up, @@ -45,6 +46,10 @@ private: #define HIST_RESP_DATA_PKT 0x2 #define HIST_ORIG_CORRUPT_PKT 0x4 #define HIST_RESP_CORRUPT_PKT 0x8 + + // For tracking checksum history. + uint32 req_chk_cnt, req_chk_thresh; + uint32 rep_chk_cnt, rep_chk_thresh; }; } } // namespace analyzer::* diff --git a/src/analyzer/protocol/udp/events.bif b/src/analyzer/protocol/udp/events.bif index 394181cf5d..afcace330b 100644 --- a/src/analyzer/protocol/udp/events.bif +++ b/src/analyzer/protocol/udp/events.bif 
@@ -36,3 +36,16 @@ event udp_reply%(u: connection%); ## udp_content_deliver_all_orig udp_content_deliver_all_resp ## udp_content_delivery_ports_orig udp_content_delivery_ports_resp event udp_contents%(u: connection, is_orig: bool, contents: string%); + +## Generated if a UDP flow crosses a checksum-error threshold, per +## 'C'/'c' history reporting. +## +## u: The connection record for the corresponding UDP flow. +## +## is_orig: True if the event is raised for the originator side. +## +## threshold: the threshold that was crossed +## +## .. bro:see:: udp_reply udp_request udp_session_done +## tcp_multiple_checksum_errors +event udp_multiple_checksum_errors%(u: connection, is_orig: bool, threshold: count%); diff --git a/src/analyzer/protocol/xmpp/XMPP.h b/src/analyzer/protocol/xmpp/XMPP.h index 202403748a..595a86d56b 100644 --- a/src/analyzer/protocol/xmpp/XMPP.h +++ b/src/analyzer/protocol/xmpp/XMPP.h @@ -11,8 +11,8 @@ namespace analyzer { namespace xmpp { class XMPP_Analyzer : public tcp::TCP_ApplicationAnalyzer { public: - XMPP_Analyzer(Connection* conn); - virtual ~XMPP_Analyzer(); + explicit XMPP_Analyzer(Connection* conn); + ~XMPP_Analyzer() override; void Done() override; void DeliverStream(int len, const u_char* data, bool orig) override; diff --git a/src/analyzer/protocol/zip/CMakeLists.txt b/src/analyzer/protocol/zip/CMakeLists.txt index 814119f9f7..40c64afd6e 100644 --- a/src/analyzer/protocol/zip/CMakeLists.txt +++ b/src/analyzer/protocol/zip/CMakeLists.txt @@ -5,5 +5,4 @@ include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DI bro_plugin_begin(Bro ZIP) bro_plugin_cc(ZIP.cc Plugin.cc) -bro_plugin_bif(events.bif) bro_plugin_end() diff --git a/src/analyzer/protocol/zip/ZIP.cc b/src/analyzer/protocol/zip/ZIP.cc index d14df95673..d44c6353cd 100644 --- a/src/analyzer/protocol/zip/ZIP.cc +++ b/src/analyzer/protocol/zip/ZIP.cc 
@@ -2,8 +2,6 @@ #include "ZIP.h" -#include "events.bif.h" - using namespace analyzer::zip; ZIP_Analyzer::ZIP_Analyzer(Connection* conn, bool orig, Method arg_method) diff --git a/src/analyzer/protocol/zip/ZIP.h b/src/analyzer/protocol/zip/ZIP.h index 580235ec63..de22803b26 100644 --- a/src/analyzer/protocol/zip/ZIP.h +++ b/src/analyzer/protocol/zip/ZIP.h @@ -15,11 +15,11 @@ public: enum Method { GZIP, DEFLATE }; ZIP_Analyzer(Connection* conn, bool orig, Method method = GZIP); - ~ZIP_Analyzer(); + ~ZIP_Analyzer() override; - virtual void Done(); + void Done() override; - virtual void DeliverStream(int len, const u_char* data, bool orig); + void DeliverStream(int len, const u_char* data, bool orig) override; protected: enum { NONE, ZIP_OK, ZIP_FAIL }; diff --git a/src/bif_arg.cc b/src/bif_arg.cc deleted file mode 100644 index f5e25f3746..0000000000 --- a/src/bif_arg.cc +++ /dev/null 
@@ -1,83 +0,0 @@ -#include "bro-config.h" - -#include -#include -using namespace std; - -#include - -#include "bif_arg.h" - -static struct { - const char* bif_type; - const char* bro_type; - const char* c_type; - const char* accessor; - const char* constructor; -} builtin_func_arg_type[] = { -#define DEFINE_BIF_TYPE(id, bif_type, bro_type, c_type, accessor, constructor) \ - {bif_type, bro_type, c_type, accessor, constructor}, -#include "bif_type.def" -#undef DEFINE_BIF_TYPE -}; - -extern const char* arg_list_name; - -BuiltinFuncArg::BuiltinFuncArg(const char* arg_name, int arg_type) - { - name = arg_name; - type = arg_type; - type_str = ""; - attr_str = ""; - } - -BuiltinFuncArg::BuiltinFuncArg(const char* arg_name, const char* arg_type_str, - const char* arg_attr_str) - { - name = arg_name; - type = TYPE_OTHER; - type_str = arg_type_str; - attr_str = arg_attr_str; - - for ( int i = 0; builtin_func_arg_type[i].bif_type[0] != '\0'; ++i ) - if ( ! strcmp(builtin_func_arg_type[i].bif_type, arg_type_str) ) - { - type = i; - type_str = ""; - } - } - -void BuiltinFuncArg::PrintBro(FILE* fp) - { - fprintf(fp, "%s: %s%s %s", name, builtin_func_arg_type[type].bro_type, - type_str, attr_str); - } - -void BuiltinFuncArg::PrintCDef(FILE* fp, int n) - { - fprintf(fp, - "\t%s %s = (%s) (", - builtin_func_arg_type[type].c_type, - name, - builtin_func_arg_type[type].c_type); - - char buf[1024]; - snprintf(buf, sizeof(buf), "(*%s)[%d]", arg_list_name, n); - // Print the accessor expression. - fprintf(fp, builtin_func_arg_type[type].accessor, buf); - - fprintf(fp, ");\n"); - } - -void BuiltinFuncArg::PrintCArg(FILE* fp, int n) - { - const char* ctype = builtin_func_arg_type[type].c_type; - char buf[1024]; - - fprintf(fp, "%s %s", ctype, name); - } - -void BuiltinFuncArg::PrintBroValConstructor(FILE* fp) - { - fprintf(fp, builtin_func_arg_type[type].constructor, name); - } diff --git a/src/bif_arg.h b/src/bif_arg.h deleted file mode 100644 index 906cfd9c6a..0000000000 
--- a/src/bif_arg.h +++ /dev/null @@ -1,51 +0,0 @@ -#ifndef bif_arg_h -#define bif_arg_h - -#include - -enum builtin_func_arg_type { -#define DEFINE_BIF_TYPE(id, bif_type, bro_type, c_type, accessor, constructor) \ - id, -#include "bif_type.def" -#undef DEFINE_BIF_TYPE -/* - TYPE_ANY, - TYPE_BOOL, - TYPE_COUNT, - TYPE_INT, - TYPE_STRING, - TYPE_PATTERN, - TYPE_PORT, - TYPE_OTHER, -*/ -}; - -extern const char* builtin_func_arg_type_bro_name[]; - -class BuiltinFuncArg { -public: - BuiltinFuncArg(const char* arg_name, int arg_type); - BuiltinFuncArg(const char* arg_name, const char* arg_type_str, - const char* arg_attr_str = ""); - - void SetAttrStr(const char* arg_attr_str) - { - attr_str = arg_attr_str; - }; - - const char* Name() const { return name; } - int Type() const { return type; } - - void PrintBro(FILE* fp); - void PrintCDef(FILE* fp, int n); - void PrintCArg(FILE* fp, int n); - void PrintBroValConstructor(FILE* fp); - -protected: - const char* name; - int type; - const char* type_str; - const char* attr_str; -}; - -#endif diff --git a/src/bif_type.def b/src/bif_type.def deleted file mode 100644 index c30ffeb49b..0000000000 --- a/src/bif_type.def +++ /dev/null 
@@ -1,22 +0,0 @@ -// DEFINE_BIF_TYPE(id, bif_type, bro_type, c_type, accessor, constructor) - -DEFINE_BIF_TYPE(TYPE_ADDR, "addr", "addr", "AddrVal*", "%s->AsAddrVal()", "%s") -DEFINE_BIF_TYPE(TYPE_ANY, "any", "any", "Val*", "%s", "%s") -DEFINE_BIF_TYPE(TYPE_BOOL, "bool", "bool", "int", "%s->AsBool()", "new Val(%s, TYPE_BOOL)") -DEFINE_BIF_TYPE(TYPE_CONN_ID, "conn_id", "conn_id", "Val*", "%s", "%s") -DEFINE_BIF_TYPE(TYPE_CONNECTION, "connection", "connection", "Connection*", "%s->AsRecordVal()->GetOrigin()", "%s->BuildConnVal()") -DEFINE_BIF_TYPE(TYPE_COUNT, "count", "count", "bro_uint_t", "%s->AsCount()", "new Val(%s, TYPE_COUNT)") -DEFINE_BIF_TYPE(TYPE_DOUBLE, "double", "double", "double", "%s->AsDouble()", "new Val(%s, TYPE_DOUBLE)") -DEFINE_BIF_TYPE(TYPE_FILE, "file", "file", "BroFile*", "%s->AsFile()", "new Val(%s)") -DEFINE_BIF_TYPE(TYPE_INT, "int", "int", "bro_int_t", "%s->AsInt()", "new Val(%s, TYPE_INT)") -DEFINE_BIF_TYPE(TYPE_INTERVAL, "interval", "interval", "double", "%s->AsInterval()", "new IntervalVal(%s, Seconds)") -DEFINE_BIF_TYPE(TYPE_PACKET, "packet", "packet", "TCP_TracePacket*", "%s->AsRecordVal()->GetOrigin()", "%s->PacketVal()") -DEFINE_BIF_TYPE(TYPE_PATTERN, "pattern", "pattern", "RE_Matcher*", "%s->AsPattern()", "new PatternVal(%s)") -// DEFINE_BIF_TYPE(TYPE_PORT, "port", "port", "uint32", "%s->AsPortVal()->Port()", "incomplete data") -DEFINE_BIF_TYPE(TYPE_PORT, "port", "port", "PortVal*", "%s->AsPortVal()", "%s") -DEFINE_BIF_TYPE(TYPE_PORTVAL, "portval", "port", "PortVal*", "%s->AsPortVal()", "%s") -DEFINE_BIF_TYPE(TYPE_STRING, "string", "string", "StringVal*", "%s->AsStringVal()", "%s") -// DEFINE_BIF_TYPE(TYPE_STRING, "string", "string", "BroString*", "%s->AsString()", "new StringVal(%s)") -DEFINE_BIF_TYPE(TYPE_SUBNET, "subnet", "subnet", "SubNetVal*", "%s->AsSubNetVal()", "%s") -DEFINE_BIF_TYPE(TYPE_TIME, "time", "time", "double", "%s->AsTime()", "new Val(%s, TYPE_TIME)") -DEFINE_BIF_TYPE(TYPE_OTHER, "", "", "Val*", "%s", "%s") 
diff --git a/src/bro.bif b/src/bro.bif index e168016f5e..d6cacec96d 100644 --- a/src/bro.bif +++ b/src/bro.bif @@ -782,6 +782,63 @@ function sha256_hash_finish%(handle: opaque of sha256%): string return static_cast(handle)->Get(); %} +## Returns 32-bit digest of arbitrary input values using FNV-1a hash algorithm. +## See ``_. +## +## input: The desired input value to hash. +## +## Returns: The hashed value. +## +## .. bro:see:: hrw_weight +function fnv1a32%(input: any%): count + %{ + ODesc desc(DESC_BINARY); + input->Describe(&desc); + auto bytes = desc.Bytes(); + + uint32 offset32 = 2166136261; + uint32 prime32 = 16777619; + uint32 rval = offset32; + + for ( auto i = 0; i < desc.Len(); ++i ) + { + rval ^= (uint32) bytes[i]; + rval *= prime32; + } + + return new Val(rval, TYPE_COUNT); + %} + +## Calculates a weight value for use in a Rendezvous Hashing algorithm. +## See ``_. +## The weight function used is the one recommended in the original +## paper: ``_. +## +## key_digest: A 32-bit digest of a key. E.g. use :bro:see:`fnv1a32` to +## produce this. +## +## site_id: A 32-bit site/node identifier. +## +## Returns: The weight value for the key/site pair. +## +## .. bro:see:: fnv1a32 +function hrw_weight%(key_digest: count, site_id: count%): count + %{ + uint32 d = key_digest; + d &= 0x7fffffff; // 31-bit digest + int32 si = site_id; + auto a = 1103515245; + auto b = 12345; + auto m = 2147483648; // 2**31 + + int32 rval = (a * ((a * si + b) ^ d) + b) % m; + + if ( rval < 0 ) + rval += m; // [0, 2**31 - 1] + + return new Val((uint64) rval, TYPE_COUNT); + %} + ## Generates a random number. ## ## max: The maximum value of the random number. 
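Review bot: In `hrw_weight`, `a * si` multiplies two signed 32-bit values (`auto a = 1103515245` is an `int`, `si` is `int32`), which overflows for most `site_id` values and is undefined behaviour in C++. The result currently depends on the compiler wrapping, and the final `% m` runs in a wider signed type only because `2147483648` does not fit in `int`. Doing the arithmetic in unsigned 32-bit gives the same value mod 2**31 with defined wraparound: `uint32 si = site_id;`, `uint32 a = 1103515245, b = 12345;`, `uint32 rval = (a * ((a * si + b) ^ d) + b) & 0x7fffffff;`. The `rval < 0` fix-up then becomes unnecessary. `site_id` is a 64-bit `count` that is silently truncated to 32 bits, which the doc comment should mention.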
@@ -796,8 +853,7 @@ function sha256_hash_finish%(handle: opaque of sha256%): string ## provided by the OS. function rand%(max: count%): count %{ - int result; - result = bro_uint_t(double(max) * double(bro_random()) / (RAND_MAX + 1.0)); + auto result = bro_uint_t(double(max) * double(bro_random()) / (RAND_MAX + 1.0)); return new Val(result, TYPE_COUNT); %} @@ -1211,33 +1267,48 @@ bool sort_function(Val* a, Val* b) int int_result = result->CoerceToInt(); Unref(result); - sort_func_args.remove_nth(1); - sort_func_args.remove_nth(0); - return int_result < 0; } -bool indirect_sort_function(int a, int b) +bool indirect_sort_function(size_t a, size_t b) { return sort_function(index_map[a], index_map[b]); } -bool int_sort_function (Val* a, Val* b) +bool signed_sort_function (Val* a, Val* b) { if ( ! a ) return 0; if ( ! b ) return 1; - int ia = a->CoerceToInt(); - int ib = b->CoerceToInt(); + auto ia = a->CoerceToInt(); + auto ib = b->CoerceToInt(); return ia < ib; } -bool indirect_int_sort_function(int a, int b) +bool unsigned_sort_function (Val* a, Val* b) { - return int_sort_function(index_map[a], index_map[b]); + if ( ! a ) + return 0; + if ( ! b ) + return 1; + + auto ia = a->CoerceToUnsigned(); + auto ib = b->CoerceToUnsigned(); + + return ia < ib; + } + +bool indirect_signed_sort_function(size_t a, size_t b) + { + return signed_sort_function(index_map[a], index_map[b]); + } + +bool indirect_unsigned_sort_function(size_t a, size_t b) + { + return unsigned_sort_function(index_map[a], index_map[b]); } %%} @@ -1302,7 +1373,12 @@ function sort%(v: any, ...%) : any sort(vv.begin(), vv.end(), sort_function); } else - sort(vv.begin(), vv.end(), int_sort_function); + { + if ( elt_type->InternalType() == TYPE_INTERNAL_UNSIGNED ) + sort(vv.begin(), vv.end(), unsigned_sort_function); + else + sort(vv.begin(), vv.end(), signed_sort_function); + } return v; %} 
@@ -1351,13 +1427,13 @@ function order%(v: any, ...%) : index_vec builtin_error("comparison function required for order() with non-integral types"); vector& vv = *v->AsVector(); - int n = vv.size(); + auto n = vv.size(); // Set up initial mapping of indices directly to corresponding // elements. - vector ind_vv(n); + vector ind_vv(n); index_map = new Val*[n]; - int i; + size_t i; for ( i = 0; i < n; ++i ) { ind_vv[i] = i; @@ -1379,7 +1455,12 @@ function order%(v: any, ...%) : index_vec sort(ind_vv.begin(), ind_vv.end(), indirect_sort_function); } else - sort(ind_vv.begin(), ind_vv.end(), indirect_int_sort_function); + { + if ( elt_type->InternalType() == TYPE_INTERNAL_UNSIGNED ) + sort(ind_vv.begin(), ind_vv.end(), indirect_unsigned_sort_function); + else + sort(ind_vv.begin(), ind_vv.end(), indirect_signed_sort_function); + } delete [] index_map; index_map = 0; @@ -1775,13 +1856,14 @@ function global_ids%(%): id_table rec->Assign(1, new Val(id->IsExport(), TYPE_BOOL)); rec->Assign(2, new Val(id->IsConst(), TYPE_BOOL)); rec->Assign(3, new Val(id->IsEnumConst(), TYPE_BOOL)); - rec->Assign(4, new Val(id->IsRedefinable(), TYPE_BOOL)); + rec->Assign(4, new Val(id->IsOption(), TYPE_BOOL)); + rec->Assign(5, new Val(id->IsRedefinable(), TYPE_BOOL)); if ( id->HasVal() ) { Val* val = id->ID_Val(); Ref(val); - rec->Assign(5, val); + rec->Assign(6, val); } Val* id_name = new StringVal(id->Name()); @@ -2131,8 +2213,7 @@ function to_int%(str: string%): int const char* s = str->CheckString(); char* end_s; - long l = strtol(s, &end_s, 10); - int i = int(l); + bro_int_t i = strtoll(s, &end_s, 10); #if 0 // Not clear we should complain. For example, is " 205 " 
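Review bot: In the `to_int` hunk, `bro_int_t i = strtoll(s, &end_s, 10);` removes the old truncation to `int`, but an out-of-range string still passes unnoticed: `strtoll` returns `LLONG_MAX` or `LLONG_MIN` and sets `errno` to `ERANGE`, and nothing visible checks it. Script code often feeds this function strings taken from traffic, so a saturated value that looks like a legitimate number is worth reporting; set `errno = 0;` before the call and add `if ( errno == ERANGE ) builtin_error("integer out of range", str);` after it, assuming `builtin_error` accepts the value argument here. The function continues past the end of the hunk, so a later check may exist that is not shown.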
@@ -2270,7 +2351,7 @@ function port_to_count%(p: port%): count ## .. bro:see:: port_to_count function count_to_port%(num: count, proto: transport_proto%): port %{ - return new PortVal(num, (TransportProto)proto->AsEnum()); + return port_mgr->Get(num, (TransportProto)proto->AsEnum()); %} ## Converts a :bro:type:`string` to an :bro:type:`addr`. @@ -2430,16 +2511,16 @@ function to_port%(s: string%): port { ++slash; if ( streq(slash, "tcp") ) - return new PortVal(port, TRANSPORT_TCP); + return port_mgr->Get(port, TRANSPORT_TCP); else if ( streq(slash, "udp") ) - return new PortVal(port, TRANSPORT_UDP); + return port_mgr->Get(port, TRANSPORT_UDP); else if ( streq(slash, "icmp") ) - return new PortVal(port, TRANSPORT_ICMP); + return port_mgr->Get(port, TRANSPORT_ICMP); } } builtin_error("wrong port format, must be /[0-9]{1,5}\\/(tcp|udp|icmp)/"); - return new PortVal(port, TRANSPORT_UNKNOWN); + return port_mgr->Get(port, TRANSPORT_UNKNOWN); %} ## Converts a string of bytes (in network byte order) to a :bro:type:`double`. @@ -2715,7 +2796,7 @@ function encode_base64%(s: string, a: string &default=""%): string return new StringVal(t); else { - reporter->Error("error in encoding string %s", s->CheckString()); + reporter->Error("Broker query has an invalid data store"); return new StringVal(""); } %} @@ -2877,14 +2958,8 @@ function uuid_to_string%(uuid: string%): string ## ## This function must be called at Bro startup time, e.g., in the event ## :bro:id:`bro_init`. -function merge_pattern%(p1: pattern, p2: pattern%): pattern +function merge_pattern%(p1: pattern, p2: pattern%): pattern &deprecated %{ - if ( bro_start_network_time != 0.0 ) - { - builtin_error("merge_pattern can only be called at init time"); - return 0; - } - RE_Matcher* re = new RE_Matcher(); re->AddPat(p1->PatternText()); re->AddPat(p2->PatternText()); 
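Review bot: The new message in the `encode_base64` hunk, `reporter->Error("Broker query has an invalid data store");`, has nothing to do with this function and looks like a paste from Broker code. Anyone triaging a reporter log would be sent to the wrong subsystem when base64 encoding fails. Something like `reporter->Error("error in base64-encoding string");` keeps the message accurate without echoing the possibly binary input into the log.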
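Review bot: The `merge_pattern` hunk removes the `bro_start_network_time != 0.0` guard, but the doc comment kept as context still says "This function must be called at Bro startup time". The `string_to_pattern` hunk drops the same guard, and its comment appears to end with the same `bro_init` reference. Both comments should be updated to say that run-time use is now permitted. Since patterns can now be built while traffic is being processed, the `string_to_pattern` comment should also warn that compiling a pattern from a string derived from network input costs CPU and memory at run time.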
@@ -2952,12 +3027,6 @@ function convert_for_pattern%(s: string%): string ## :bro:id:`bro_init`. function string_to_pattern%(s: string, convert: bool%): pattern %{ - if ( bro_start_network_time != 0.0 ) - { - builtin_error("string_to_pattern can only be called at init time"); - return 0; - } - const char* ss = (const char*) (s->Bytes()); int sn = s->Len(); char* pat; @@ -3208,9 +3277,9 @@ function lookup_connection%(cid: conn_id%): connection RecordVal* id_val = new RecordVal(conn_id); id_val->Assign(0, new AddrVal((unsigned int) 0)); - id_val->Assign(1, new PortVal(ntohs(0), TRANSPORT_UDP)); + id_val->Assign(1, port_mgr->Get(ntohs(0), TRANSPORT_UDP)); id_val->Assign(2, new AddrVal((unsigned int) 0)); - id_val->Assign(3, new PortVal(ntohs(0), TRANSPORT_UDP)); + id_val->Assign(3, port_mgr->Get(ntohs(0), TRANSPORT_UDP)); c->Assign(0, id_val); RecordVal* orig_endp = new RecordVal(endpoint); @@ -3263,6 +3332,12 @@ function dump_current_packet%(file_name: string%) : bool ! current_pktsrc->GetCurrentPacket(&pkt) ) return new Val(0, TYPE_BOOL); + if ( addl_pkt_dumper && addl_pkt_dumper->Path() != file_name->CheckString()) + { + addl_pkt_dumper->Close(); + addl_pkt_dumper = nullptr; + } + if ( ! addl_pkt_dumper ) addl_pkt_dumper = iosource_mgr->OpenPktDumper(file_name->CheckString(), true); @@ -3338,10 +3413,16 @@ function get_current_packet_header%(%) : raw_pkt_hdr ## .. bro:see:: get_current_packet dump_current_packet send_current_packet function dump_packet%(pkt: pcap_packet, file_name: string%) : bool %{ + if ( addl_pkt_dumper && addl_pkt_dumper->Path() != file_name->CheckString()) + { + addl_pkt_dumper->Close(); + addl_pkt_dumper = nullptr; + } + if ( ! addl_pkt_dumper ) addl_pkt_dumper = iosource_mgr->OpenPktDumper(file_name->CheckString(), true); - if ( addl_pkt_dumper ) + if ( ! addl_pkt_dumper->IsError() ) { pkt_timeval ts; uint32 caplen, len, link_type; 
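Review bot: In `dump_packet` the guard changed from `if ( addl_pkt_dumper )` to `if ( ! addl_pkt_dumper->IsError() )`, so the pointer is now dereferenced without a null check right after `OpenPktDumper` is called. Whether `OpenPktDumper` can return null is not visible in this hunk; unless it is guaranteed not to, `if ( addl_pkt_dumper && ! addl_pkt_dumper->IsError() )` keeps the old safety and adds the new check. The reopen path added here and in `dump_current_packet` calls `Close()` and then drops the pointer, so it is worth confirming that the dumper object is released elsewhere. The body of `dump_packet` continues beyond the hunk.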
@@ -3518,77 +3599,269 @@ function lookup_hostname%(host: string%) : addr_set %%{ #ifdef USE_GEOIP extern "C" { -#include +#include +#include +#include +#include +#include } -static GeoIP* open_geoip_db(GeoIPDBTypes type) +class MMDB { +public: + MMDB(const char* filename); + + ~MMDB(); + + MMDB_lookup_result_s Lookup(const struct sockaddr* const sa); + +private: + MMDB_s mmdb; +}; + +MMDB::MMDB(const char *filename) { - GeoIP* geoip = 0; + int status = MMDB_open(filename, MMDB_MODE_MMAP, &mmdb); - if ( GeoIP_db_avail(type) ) - geoip = GeoIP_open_type(type, GEOIP_MEMORY_CACHE); - - return geoip; + if ( MMDB_SUCCESS != status ) + { + throw std::runtime_error(MMDB_strerror(status)); + } } -static GeoIP* open_geoip_city_db() +MMDB::~MMDB() { - GeoIP* geoip = open_geoip_db(GEOIP_CITY_EDITION_REV0); - - if ( ! geoip ) - geoip = open_geoip_db(GEOIP_CITY_EDITION_REV1); - - if ( ! geoip ) - { - string rev0_path = GeoIPDBFileName[GEOIP_CITY_EDITION_REV0]; - string rev1_path = GeoIPDBFileName[GEOIP_CITY_EDITION_REV1]; - string db_path = rev0_path; - - // Maybe in the future the revisions won't share a common default path. - if ( rev0_path != rev1_path ) - db_path = rev0_path + " or " + rev1_path; - - reporter->Info("Failed to open GeoIP City database: %s", - db_path.c_str()); - } - - return geoip; + MMDB_close(&mmdb); } -static GeoIP* open_geoip_city_db_v6() +MMDB_lookup_result_s MMDB::Lookup(const struct sockaddr* const sa) { - GeoIP* geoip = 0; + int mmdb_error; + MMDB_lookup_result_s result = MMDB_lookup_sockaddr(&mmdb, sa, &mmdb_error); - // Both city edition revisions for IPv6 show up in libGeoIP 1.4.7. -#ifdef HAVE_GEOIP_CITY_EDITION_REV0_V6 - geoip = open_geoip_db(GEOIP_CITY_EDITION_REV0_V6); - - if ( ! geoip ) - geoip = open_geoip_db(GEOIP_CITY_EDITION_REV1_V6); - - if ( ! 
geoip ) + if ( MMDB_SUCCESS != mmdb_error ) { - string rev0_path = GeoIPDBFileName[GEOIP_CITY_EDITION_REV0_V6]; - string rev1_path = GeoIPDBFileName[GEOIP_CITY_EDITION_REV1_V6]; - string db_path = rev0_path; - - // Maybe in the future the revisions won't share a common default path. - if ( rev0_path != rev1_path ) - db_path = rev0_path + " or " + rev1_path; - - reporter->Info("Failed to open GeoIP Cityv6 database: %s", - db_path.c_str()); + throw std::runtime_error(MMDB_strerror(mmdb_error)); } -#endif - return geoip; + return result; + } + +std::unique_ptr mmdb_loc; +std::unique_ptr mmdb_asn; + +static bool mmdb_open(const char* filename, bool asn) + { + struct stat buf; + + if ( 0 != stat(filename, &buf) ) + { + return false; + } + + try + { + if ( asn ) + { + mmdb_asn.reset(new MMDB(filename)); + } + else + { + mmdb_loc.reset(new MMDB(filename)); + } + } + + catch ( const std::exception& e ) + { + reporter->Info("Failed to open MaxMind DB: %s [%s]", filename, + e.what()); + return false; + } + + return true; + } + +static bool mmdb_open_loc(const char* filename) + { + return mmdb_open(filename, false); + } + +static bool mmdb_open_asn(const char* filename) + { + return mmdb_open(filename, true); + } + +static bool mmdb_lookup(const IPAddr& addr, MMDB_lookup_result_s& result, + bool asn) + { + struct sockaddr_storage ss = {0}; + + if ( IPv4 == addr.GetFamily() ) + { + struct sockaddr_in* sa = (struct sockaddr_in*)&ss; + sa->sin_family = AF_INET; + addr.CopyIPv4(&sa->sin_addr); + } + + else + { + struct sockaddr_in6* sa = (struct sockaddr_in6*)&ss; + sa->sin6_family = AF_INET6; + addr.CopyIPv6(&sa->sin6_addr); + } + + try + { + result = asn ? 
mmdb_asn->Lookup((struct sockaddr*)&ss) + : mmdb_loc->Lookup((struct sockaddr*)&ss); + } + + catch ( const std::exception& e ) + { + reporter->Info("MaxMind DB lookup location error [%s]", + e.what()); + return false; + } + + return result.found_entry; + } + +static bool mmdb_lookup_loc(const IPAddr& addr, MMDB_lookup_result_s& result) + { + return mmdb_lookup(addr, result, false); + } + +static bool mmdb_lookup_asn(const IPAddr& addr, MMDB_lookup_result_s& result) + { + return mmdb_lookup(addr, result, true); + } + +static Val* mmdb_getvalue(MMDB_entry_data_s* entry_data, int status, + int data_type ) + { + switch (status) + { + case MMDB_SUCCESS: + if ( entry_data->has_data ) + { + switch (data_type) + { + case MMDB_DATA_TYPE_UTF8_STRING: + return new StringVal(entry_data->data_size, + entry_data->utf8_string); + break; + + case MMDB_DATA_TYPE_DOUBLE: + return new Val(entry_data->double_value, TYPE_DOUBLE); + break; + + case MMDB_DATA_TYPE_UINT32: + return new Val(entry_data->uint32, TYPE_COUNT); + + default: + break; + } + } + break; + + case MMDB_LOOKUP_PATH_DOES_NOT_MATCH_DATA_ERROR: + // key doesn't exist, nothing to do + break; + + default: + reporter->Info("MaxMind DB error [%s]", MMDB_strerror(status)); + break; + } + + return nullptr; + } + +static bool mmdb_try_open_loc () + { + // City database is always preferred over Country database. + auto mmdb_dir_val = global_scope()->Lookup("mmdb_dir")->ID_Val(); + std::string mmdb_dir = mmdb_dir_val->AsString()->CheckString(); + + if ( ! 
mmdb_dir.empty() ) + { + auto d = mmdb_dir + "/GeoLite2-City.mmdb"; + + if ( mmdb_open_loc(d.data()) ) + return true; + + d = mmdb_dir + "/GeoLite2-Country.mmdb"; + + if ( mmdb_open_loc(d.data()) ) + return true;; + } + + return mmdb_open_loc("/usr/share/GeoIP/GeoLite2-City.mmdb") + || mmdb_open_loc("/var/lib/GeoIP/GeoLite2-City.mmdb") + || mmdb_open_loc("/usr/local/share/GeoIP/GeoLite2-City.mmdb") + || mmdb_open_loc("/usr/local/var/GeoIP/GeoLite2-City.mmdb") + || mmdb_open_loc("/usr/share/GeoIP/GeoLite2-Country.mmdb") + || mmdb_open_loc("/var/lib/GeoIP/GeoLite2-Country.mmdb") + || mmdb_open_loc("/usr/local/share/GeoIP/GeoLite2-Country.mmdb") + || mmdb_open_loc("/usr/local/var/GeoIP/GeoLite2-Country.mmdb"); + } + +static bool mmdb_try_open_asn () + { + auto mmdb_dir_val = global_scope()->Lookup("mmdb_dir")->ID_Val(); + std::string mmdb_dir = mmdb_dir_val->AsString()->CheckString(); + + if ( ! mmdb_dir.empty() ) + { + auto d = mmdb_dir + "/GeoLite2-ASN.mmdb"; + + if ( mmdb_open_asn(d.data()) ) + return true; + } + + return mmdb_open_asn("/usr/share/GeoIP/GeoLite2-ASN.mmdb") + || mmdb_open_asn("/var/lib/GeoIP/GeoLite2-ASN.mmdb") + || mmdb_open_asn("/usr/local/share/GeoIP/GeoLite2-ASN.mmdb") + || mmdb_open_asn("/usr/local/var/GeoIP/GeoLite2-ASN.mmdb"); } #endif %%} +## Initializes MMDB for later use of lookup_location. +## Requires Bro to be built with ``libmaxminddb``. +## +## f: The filename of the MaxMind City or Country DB. +## +## Returns: A boolean indicating whether the db was successfully opened. +## +## .. bro:see:: lookup_asn +function mmdb_open_location_db%(f: string%) : bool + %{ +#ifdef USE_GEOIP + return new Val(mmdb_open_loc(f->CheckString()), TYPE_BOOL); +#else + return new Val(0, TYPE_BOOL); +#endif + %} + +## Initializes MMDB for later use of lookup_asn. +## Requires Bro to be built with ``libmaxminddb``. +## +## f: The filename of the MaxMind ASN DB. +## +## Returns: A boolean indicating whether the db was successfully opened. +## +## .. 
bro:see:: lookup_asn +function mmdb_open_asn_db%(f: string%) : bool + %{ +#ifdef USE_GEOIP + return new Val(mmdb_open_asn(f->CheckString()), TYPE_BOOL); +#else + return new Val(0, TYPE_BOOL); +#endif + %} + ## Performs a geo-lookup of an IP address. -## Requires Bro to be built with ``libgeoip``. +## Requires Bro to be built with ``libmaxminddb``. ## ## a: The IP address to lookup. ## 
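Review bot: `mmdb_getvalue` picks the union member to read from the caller's `data_type` argument and never compares it with the type recorded in the entry itself. A database in which, for example, `country.iso_code` is not a UTF-8 string would have `utf8_string` and `data_size` read from an entry of another type. Since `mmdb_open_location_db` and `mmdb_open_asn_db` accept a file name from script land, the file cannot be assumed well-formed. The guard should be `if ( entry_data->has_data && entry_data->type == (uint32_t) data_type )`, with a mismatch falling through to the `nullptr` return.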
@@ -3600,104 +3873,52 @@ function lookup_location%(a: addr%) : geo_location RecordVal* location = new RecordVal(geo_location); #ifdef USE_GEOIP - static bool geoip_initialized = false; - static GeoIP* geoip = 0; - static GeoIP* geoip_v6 = 0; - static bool have_city_db = false; - static bool have_cityv6_db = false; - GeoIPRecord* gir = 0; - const char* cc = 0; - - if ( ! geoip_initialized ) + if ( ! mmdb_loc ) { - geoip_initialized = true; - geoip = open_geoip_city_db(); - - if ( ! geoip ) + if ( ! mmdb_try_open_loc() ) { - geoip = open_geoip_db(GEOIP_COUNTRY_EDITION); - string db_path = GeoIPDBFileName[GEOIP_COUNTRY_EDITION]; - - if ( ! geoip ) - builtin_error(fmt("Failed fall back to GeoIP Country " - "database: %s", - GeoIPDBFileName[GEOIP_COUNTRY_EDITION])); - else - reporter->Info("Fell back to GeoIP Country database"); + builtin_error("Failed to open GeoIP location database"); + return location; } - else - have_city_db = true; - - geoip_v6 = open_geoip_city_db_v6(); - - if ( geoip_v6 ) - have_cityv6_db = true; - -#ifdef HAVE_GEOIP_COUNTRY_EDITION_V6 - if ( ! geoip_v6 ) - { - geoip_v6 = open_geoip_db(GEOIP_COUNTRY_EDITION_V6); - - if ( ! geoip_v6 ) - reporter->Info("Failed to open GeoIPv6 Country database: %s", - GeoIPDBFileName[GEOIP_COUNTRY_EDITION_V6]); - } -#endif - - if ( ! 
geoip_v6 ) - builtin_error("Can't open GeoIPv6 City/Country database"); } -#ifdef HAVE_GEOIP_COUNTRY_EDITION_V6 - if ( geoip_v6 && a->AsAddr().GetFamily() == IPv6 ) + MMDB_lookup_result_s result; + + if ( mmdb_lookup_loc(a->AsAddr(), result) ) { - geoipv6_t ga; - a->AsAddr().CopyIPv6(&ga); - if ( have_cityv6_db ) - gir = GeoIP_record_by_ipnum_v6(geoip_v6, ga); - else - cc = GeoIP_country_code_by_ipnum_v6(geoip_v6, ga); - } - else -#endif + MMDB_entry_data_s entry_data; + int status; - if ( geoip && a->AsAddr().GetFamily() == IPv4 ) - { - const uint32* bytes; - a->AsAddr().GetBytes(&bytes); - if ( have_city_db ) - gir = GeoIP_record_by_ipnum(geoip, ntohl(*bytes)); - else - cc = GeoIP_country_code_by_ipnum(geoip, ntohl(*bytes)); - } + // Get Country ISO Code + status = MMDB_get_value(&result.entry, &entry_data, + "country", "iso_code", nullptr); + location->Assign(0, mmdb_getvalue(&entry_data, status, + MMDB_DATA_TYPE_UTF8_STRING)); - if ( gir ) - { - if ( gir->country_code ) - location->Assign(0, new StringVal(gir->country_code)); + // Get Major Subdivision ISO Code + status = MMDB_get_value(&result.entry, &entry_data, + "subdivisions", "0", "iso_code", nullptr); + location->Assign(1, mmdb_getvalue(&entry_data, status, + MMDB_DATA_TYPE_UTF8_STRING)); - if ( gir->region ) - location->Assign(1, new StringVal(gir->region)); + // Get City English Name + status = MMDB_get_value(&result.entry, &entry_data, + "city", "names", "en", nullptr); + location->Assign(2, mmdb_getvalue(&entry_data, status, + MMDB_DATA_TYPE_UTF8_STRING)); - if ( gir->city ) - location->Assign(2, new StringVal(gir->city)); + // Get Location Latitude + status = MMDB_get_value(&result.entry, &entry_data, + "location", "latitude", nullptr); + location->Assign(3, mmdb_getvalue(&entry_data, status, + MMDB_DATA_TYPE_DOUBLE)); - if ( gir->latitude ) - location->Assign(3, new Val(gir->latitude, - TYPE_DOUBLE)); + // Get Location Longitude + status = MMDB_get_value(&result.entry, &entry_data, + "location", 
"longitude", nullptr); + location->Assign(4, mmdb_getvalue(&entry_data, status, + MMDB_DATA_TYPE_DOUBLE)); - if ( gir->longitude ) - location->Assign(4, new Val(gir->longitude, - TYPE_DOUBLE)); - - GeoIPRecord_delete(gir); - - return location; - } - - else if ( cc ) - { - location->Assign(0, new StringVal(cc)); return location; } 
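Review bot: When no database can be opened, `lookup_location` now calls `mmdb_try_open_loc()` and `builtin_error` on every invocation, where the removed code tried once behind `geoip_initialized`. On a sensor that calls this per connection, that means repeated `stat` calls over all candidate paths and one error line per lookup, which can flood the reporter log. A function-local `static bool` set on the first failure and checked before retrying would restore the once-only behaviour. The `lookup_asn` hunk that follows uses the same pattern with `mmdb_try_open_asn()` and would need the same change.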
@@ -3711,64 +3932,45 @@ function lookup_location%(a: addr%) : geo_location } #endif - // We can get here even if we have GeoIP support if we weren't + // We can get here even if we have MMDB support if we weren't // able to initialize it or it didn't return any information for // the address. return location; %} -## Performs an AS lookup of an IP address. -## Requires Bro to be built with ``libgeoip``. +## Performs an ASN lookup of an IP address. +## Requires Bro to be built with ``libmaxminddb``. ## ## a: The IP address to lookup. ## -## Returns: The number of the AS that contains *a*. +## Returns: The number of the ASN that contains *a*. ## ## .. bro:see:: lookup_location function lookup_asn%(a: addr%) : count %{ #ifdef USE_GEOIP - static GeoIP* geoip_asn = 0; - static bool geoip_asn_initialized = false; - char* gir = 0; - - if ( ! geoip_asn_initialized ) + if ( ! mmdb_asn ) { - geoip_asn_initialized = true; - geoip_asn = open_geoip_db(GEOIP_ASNUM_EDITION); - - if ( ! geoip_asn ) - builtin_error(fmt("Can't open GeoIP ASNUM database: %s", - GeoIPDBFileName[GEOIP_ASNUM_EDITION])); - } - - if ( geoip_asn ) - { -// IPv6 support showed up in 1.4.5. -#ifdef HAVE_GEOIP_COUNTRY_EDITION_V6 - if ( a->AsAddr().GetFamily() == IPv6 ) + if ( ! mmdb_try_open_asn() ) { - geoipv6_t ga; - a->AsAddr().CopyIPv6(&ga); - gir = GeoIP_name_by_ipnum_v6(geoip_asn, ga); - } - else -#endif - - if ( a->AsAddr().GetFamily() == IPv4 ) - { - const uint32* bytes; - a->AsAddr().GetBytes(&bytes); - gir = GeoIP_name_by_ipnum(geoip_asn, ntohl(*bytes)); + builtin_error("No open GeoIP ASN database"); + return new Val(0, TYPE_COUNT); } } - if ( gir ) + MMDB_lookup_result_s result; + + if ( mmdb_lookup_asn(a->AsAddr(), result) ) { - // Move the pointer +2 so we don't return - // the first two characters: "AS". 
- return new Val(atoi(gir+2), TYPE_COUNT); + MMDB_entry_data_s entry_data; + int status; + + // Get Autonomous System Number + status = MMDB_get_value(&result.entry, &entry_data, + "autonomous_system_number", nullptr); + Val* asn = mmdb_getvalue(&entry_data, status, MMDB_DATA_TYPE_UINT32); + return asn == nullptr ? new Val(0, TYPE_COUNT) : asn; } #else // not USE_GEOIP @@ -4039,6 +4241,7 @@ function set_inactivity_timeout%(cid: conn_id, t: interval%): interval ## ## .. bro:see:: active_file open_for_append close write_file ## get_file_name set_buf flush_all mkdir enable_raw_output +## rmdir unlink rename function open%(f: string%): file %{ const char* file = f->CheckString(); @@ -4058,6 +4261,7 @@ function open%(f: string%): file ## ## .. bro:see:: active_file open close write_file ## get_file_name set_buf flush_all mkdir enable_raw_output +## rmdir unlink rename function open_for_append%(f: string%): file %{ return new Val(new BroFile(f->CheckString(), "a")); @@ -4071,6 +4275,7 @@ function open_for_append%(f: string%): file ## ## .. bro:see:: active_file open open_for_append write_file ## get_file_name set_buf flush_all mkdir enable_raw_output +## rmdir unlink rename function close%(f: file%): bool %{ return new Val(f->Close(), TYPE_BOOL); @@ -4086,6 +4291,7 @@ function close%(f: file%): bool ## ## .. bro:see:: active_file open open_for_append close ## get_file_name set_buf flush_all mkdir enable_raw_output +## rmdir unlink rename function write_file%(f: file, data: string%): bool %{ if ( ! f ) @@ -4106,6 +4312,7 @@ function write_file%(f: file, data: string%): bool ## ## .. bro:see:: active_file open open_for_append close ## get_file_name write_file flush_all mkdir enable_raw_output +## rmdir unlink rename function set_buf%(f: file, buffered: bool%): any %{ f->SetBuf(buffered); 
@@ -4118,6 +4325,7 @@ function set_buf%(f: file, buffered: bool%): any ## ## .. bro:see:: active_file open open_for_append close ## get_file_name write_file set_buf mkdir enable_raw_output +## rmdir unlink rename function flush_all%(%): bool %{ return new Val(fflush(0) == 0, TYPE_BOOL); 
@@ -4127,17 +4335,102 @@ function flush_all%(%): bool ## ## f: The directory name. ## -## Returns: Returns true if the operation succeeds or if *f* already exists, +## Returns: True if the operation succeeds or if *f* already exists, ## and false if the file creation fails. ## ## .. bro:see:: active_file open_for_append close write_file ## get_file_name set_buf flush_all enable_raw_output +## rmdir unlink rename function mkdir%(f: string%): bool %{ const char* filename = f->CheckString(); - if ( mkdir(filename, 0777) < 0 && errno != EEXIST ) + + if ( mkdir(filename, 0777) < 0 ) { - builtin_error("cannot create directory", @ARG@[0]); + int error = errno; + struct stat filestat; + // check if already exists and is directory. + if ( errno == EEXIST && stat(filename, &filestat) == 0 + && S_ISDIR(filestat.st_mode) ) + return new Val(1, TYPE_BOOL); + + builtin_error(fmt("cannot create directory '%s': %s", filename, + strerror(error))); + return new Val(0, TYPE_BOOL); + } + else + return new Val(1, TYPE_BOOL); + %} + + +## Removes a directory. +## +## d: The directory name. +## +## Returns: True if the operation succeeds, and false if the +## directory delete operation fails. +## +## .. bro:see:: active_file open_for_append close write_file +## get_file_name set_buf flush_all enable_raw_output +## mkdir unlink rename +function rmdir%(d: string%): bool + %{ + const char* dirname = d->CheckString(); + + if ( rmdir(dirname) < 0 ) + { + builtin_error(fmt("cannot remove directory '%s': %s", dirname, + strerror(errno))); + return new Val(0, TYPE_BOOL); + } + else + return new Val(1, TYPE_BOOL); + %} + +## Removes a file from a directory. +## +## f: the file to delete. +## +## Returns: True if the operation succeeds and the file was deleted, +## and false if the deletion fails. +## +## .. 
bro:see:: active_file open_for_append close write_file +## get_file_name set_buf flush_all enable_raw_output +## mkdir rmdir rename +function unlink%(f: string%): bool + %{ + const char* filename = f->CheckString(); + + if ( unlink(filename) < 0 ) + { + builtin_error(fmt("cannot unlink file '%s': %s", filename, + strerror(errno))); + return new Val(0, TYPE_BOOL); + } + else + return new Val(1, TYPE_BOOL); + %} + +## Renames a file from src_f to dst_f. +## +## src_f: the name of the file to rename. +## +## dest_f: the name of the file after the rename operation. +## +## Returns: True if the rename succeeds and false otherwise. +## +## .. bro:see:: active_file open_for_append close write_file +## get_file_name set_buf flush_all enable_raw_output +## mkdir rmdir unlink +function rename%(src_f: string, dst_f: string%): bool + %{ + const char* src_filename = src_f->CheckString(); + const char* dst_filename = dst_f->CheckString(); + + if ( rename(src_filename, dst_filename) < 0 ) + { + builtin_error(fmt("cannot rename file '%s' to '%s': %s", src_filename, + dst_filename, strerror(errno))); return new Val(0, TYPE_BOOL); } else @@ -4533,7 +4826,7 @@ function uninstall_dst_net_filter%(snet: subnet%) : bool ## Enables the communication system. By default, the communication is off until ## explicitly enabled, and all other calls to communication-related functions ## will be ignored until done so. -function enable_communication%(%): any +function enable_communication%(%): any &deprecated %{ if ( bro_start_network_time != 0.0 ) { 
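Review bot: The doc comments for the new `rmdir`, `unlink` and `rename` built-ins do not say that the argument is passed to the operating system unchanged and acted on with the privileges of the Bro process. Each one would benefit from a line such as `## Note: the path is used as given; never build it from traffic-derived data.` so that script authors treat these as privileged operations. In `mkdir`, the saved `error` variable should also be used in the `EEXIST` comparison instead of re-reading `errno`, to match the later `strerror(error)` call.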
@@ -4643,7 +4936,7 @@ function capture_state_updates%(filename: string%) : bool ## set_compression_level ## send_state ## send_id -function connect%(ip: addr, zone_id: string, p: port, our_class: string, retry: interval, ssl: bool%) : count +function connect%(ip: addr, zone_id: string, p: port, our_class: string, retry: interval, ssl: bool%) : count &deprecated %{ return new Val(uint32(remote_serializer->Connect(ip->AsAddr(), zone_id->CheckString(), p->Port(), our_class->CheckString(), @@ -4658,7 +4951,7 @@ function connect%(ip: addr, zone_id: string, p: port, our_class: string, retry: ## Returns: True on success. ## ## .. bro:see:: connect listen -function disconnect%(p: event_peer%) : bool +function disconnect%(p: event_peer%) : bool &deprecated %{ RemoteSerializer::PeerID id = p->AsRecordVal()->Lookup(0)->AsCount(); return new Val(remote_serializer->CloseConnection(id), TYPE_BOOL); @@ -4676,7 +4969,7 @@ function disconnect%(p: event_peer%) : bool ## .. bro:see:: request_remote_sync ## request_remote_logs ## set_accept_state -function request_remote_events%(p: event_peer, handlers: pattern%) : bool +function request_remote_events%(p: event_peer, handlers: pattern%) : bool &deprecated %{ RemoteSerializer::PeerID id = p->AsRecordVal()->Lookup(0)->AsCount(); return new Val(remote_serializer->RequestEvents(id, handlers), @@ -4695,7 +4988,7 @@ function request_remote_events%(p: event_peer, handlers: pattern%) : bool ## .. bro:see:: request_remote_events ## request_remote_logs ## set_accept_state -function request_remote_sync%(p: event_peer, auth: bool%) : bool +function request_remote_sync%(p: event_peer, auth: bool%) : bool &deprecated %{ RemoteSerializer::PeerID id = p->AsRecordVal()->Lookup(0)->AsCount(); return new Val(remote_serializer->RequestSync(id, auth), TYPE_BOOL); 
@@ -4709,7 +5002,7 @@ function request_remote_sync%(p: event_peer, auth: bool%) : bool ## ## .. bro:see:: request_remote_events ## request_remote_sync -function request_remote_logs%(p: event_peer%) : bool +function request_remote_logs%(p: event_peer%) : bool &deprecated %{ RemoteSerializer::PeerID id = p->AsRecordVal()->Lookup(0)->AsCount(); return new Val(remote_serializer->RequestLogs(id), TYPE_BOOL); @@ -4726,7 +5019,7 @@ function request_remote_logs%(p: event_peer%) : bool ## .. bro:see:: request_remote_events ## request_remote_sync ## set_compression_level -function set_accept_state%(p: event_peer, accept: bool%) : bool +function set_accept_state%(p: event_peer, accept: bool%) : bool &deprecated %{ RemoteSerializer::PeerID id = p->AsRecordVal()->Lookup(0)->AsCount(); return new Val(remote_serializer->SetAcceptState(id, accept), @@ -4743,7 +5036,7 @@ function set_accept_state%(p: event_peer, accept: bool%) : bool ## Returns: True on success. ## ## .. bro:see:: set_accept_state -function set_compression_level%(p: event_peer, level: count%) : bool +function set_compression_level%(p: event_peer, level: count%) : bool &deprecated %{ RemoteSerializer::PeerID id = p->AsRecordVal()->Lookup(0)->AsCount(); return new Val(remote_serializer->SetCompressionLevel(id, level), @@ -4770,7 +5063,7 @@ function set_compression_level%(p: event_peer, level: count%) : bool ## Returns: True on success. ## ## .. bro:see:: connect disconnect -function listen%(ip: addr, p: port, ssl: bool, ipv6: bool, zone_id: string, retry_interval: interval%) : bool +function listen%(ip: addr, p: port, ssl: bool, ipv6: bool, zone_id: string, retry_interval: interval%) : bool &deprecated %{ return new Val(remote_serializer->Listen(ip->AsAddr(), p->Port(), ssl, ipv6, zone_id->CheckString(), retry_interval), TYPE_BOOL); %} 
@@ -4806,7 +5099,7 @@ function send_state%(p: event_peer%) : bool ## Returns: True on success. ## ## .. bro:see:: send_state send_ping send_current_packet send_capture_filter -function send_id%(p: event_peer, id: string%) : bool +function send_id%(p: event_peer, id: string%) : bool &deprecated %{ RemoteSerializer::PeerID pid = p->AsRecordVal()->Lookup(0)->AsCount(); @@ -4825,7 +5118,7 @@ function send_id%(p: event_peer, id: string%) : bool ## data from parent and child has been sent out. ## ## Returns: True if the termination process has been started successfully. -function terminate_communication%(%) : bool +function terminate_communication%(%) : bool &deprecated %{ return new Val(remote_serializer->Terminate(), TYPE_BOOL); %} @@ -4836,7 +5129,7 @@ function terminate_communication%(%) : bool ## p: The peer ID returned from :bro:id:`connect`. ## ## Returns: True on success. -function complete_handshake%(p: event_peer%) : bool +function complete_handshake%(p: event_peer%) : bool &deprecated %{ RemoteSerializer::PeerID id = p->AsRecordVal()->Lookup(0)->AsCount(); return new Val(remote_serializer->CompleteHandshake(id), TYPE_BOOL); @@ -4853,7 +5146,7 @@ function complete_handshake%(p: event_peer%) : bool ## Returns: True if sending the ping succeeds. ## ## .. bro:see:: send_state send_id send_current_packet send_capture_filter -function send_ping%(p: event_peer, seq: count%) : bool +function send_ping%(p: event_peer, seq: count%) : bool &deprecated %{ RemoteSerializer::PeerID id = p->AsRecordVal()->Lookup(0)->AsCount(); return new Val(remote_serializer->SendPing(id, seq), TYPE_BOOL); @@ -4867,7 +5160,7 @@ function send_ping%(p: event_peer, seq: count%) : bool ## ## .. bro:see:: send_id send_state send_ping send_capture_filter ## dump_packet dump_current_packet get_current_packet -function send_current_packet%(p: event_peer%) : bool +function send_current_packet%(p: event_peer%) : bool &deprecated %{ const Packet* pkt; 
@@ -4883,10 +5176,14 @@ function send_current_packet%(p: event_peer%) : bool ## Returns the peer who generated the last event. ## +## Note, this function is deprecated. It works correctly only for local events and +## events received through the legacy communication system. It does *not* work for +## events received through Broker and will report an error in that case. +## ## Returns: The ID of the peer who generated the last event. ## ## .. bro:see:: get_local_event_peer -function get_event_peer%(%) : event_peer +function get_event_peer%(%) : event_peer &deprecated %{ SourceID src = mgr.CurrentSource(); @@ -4897,6 +5194,14 @@ function get_event_peer%(%) : event_peer return p; } + if ( src == SOURCE_BROKER ) + { + reporter->Error("get_event_peer() does not support Broker events"); + RecordVal* p = mgr.GetLocalPeerVal(); + Ref(p); + return p; + } + if ( ! remote_serializer ) reporter->InternalError("remote_serializer not initialized"); @@ -4917,7 +5222,7 @@ function get_event_peer%(%) : event_peer ## Returns: The peer ID of the local Bro instance. ## ## .. bro:see:: get_event_peer -function get_local_event_peer%(%) : event_peer +function get_local_event_peer%(%) : event_peer &deprecated %{ RecordVal* p = mgr.GetLocalPeerVal(); Ref(p); @@ -4933,7 +5238,7 @@ function get_local_event_peer%(%) : event_peer ## Returns: True if sending the packet succeeds. ## ## .. bro:see:: send_id send_state send_ping send_current_packet -function send_capture_filter%(p: event_peer, s: string%) : bool +function send_capture_filter%(p: event_peer, s: string%) : bool &deprecated %{ RemoteSerializer::PeerID id = p->AsRecordVal()->Lookup(0)->AsCount(); return new Val(remote_serializer->SendCaptureFilter(id, s->CheckString()), TYPE_BOOL); 
@@ -4962,7 +5267,7 @@ function continue_processing%(%) : any ## Stops propagating :bro:attr:`&synchronized` accesses. ## ## .. bro:see:: suspend_processing continue_processing resume_state_updates -function suspend_state_updates%(%) : any +function suspend_state_updates%(%) : any &deprecated %{ if ( remote_serializer ) remote_serializer->SuspendStateUpdates(); @@ -4972,7 +5277,7 @@ function suspend_state_updates%(%) : any ## Resumes propagating :bro:attr:`&synchronized` accesses. ## ## .. bro:see:: suspend_processing continue_processing suspend_state_updates -function resume_state_updates%(%) : any +function resume_state_updates%(%) : any &deprecated %{ if ( remote_serializer ) remote_serializer->ResumeStateUpdates(); diff --git a/src/broker-dummy/CMakeLists.txt b/src/broker-dummy/CMakeLists.txt deleted file mode 100644 index 08c5f3214c..0000000000 --- a/src/broker-dummy/CMakeLists.txt +++ /dev/null @@ -1,13 +0,0 @@ -# Placeholder for Broker-based communication functionality, not enabled -# by default. This helps satisfy coverage unit tests pass regardless of -# whether Broker is enabled or not. - -include(BroSubdir) - -bif_target(comm.bif) -bif_target(data.bif) -bif_target(messaging.bif) -bif_target(store.bif) - -bro_add_subdir_library(broker_dummy ${BIF_OUTPUT_CC}) -add_dependencies(bro_broker_dummy generate_outputs) diff --git a/src/broker-dummy/comm.bif b/src/broker-dummy/comm.bif deleted file mode 100644 index b030a4cc73..0000000000 --- a/src/broker-dummy/comm.bif +++ /dev/null @@ -1,3 +0,0 @@ - -##! Placeholder for Broker-based communication functionality, not enabled -##! by default. diff --git a/src/broker-dummy/data.bif b/src/broker-dummy/data.bif deleted file mode 100644 index e9b9950474..0000000000 --- a/src/broker-dummy/data.bif +++ /dev/null @@ -1,3 +0,0 @@ - -##! Placeholder for Broker-based communication functionality, not enabled -##! by default 
diff --git a/src/broker-dummy/messaging.bif b/src/broker-dummy/messaging.bif deleted file mode 100644 index e9b9950474..0000000000 --- a/src/broker-dummy/messaging.bif +++ /dev/null @@ -1,3 +0,0 @@ - -##! Placeholder for Broker-based communication functionality, not enabled -##! by default diff --git a/src/broker-dummy/store.bif b/src/broker-dummy/store.bif deleted file mode 100644 index e9b9950474..0000000000 --- a/src/broker-dummy/store.bif +++ /dev/null @@ -1,3 +0,0 @@ - -##! Placeholder for Broker-based communication functionality, not enabled -##! by default diff --git a/src/broker/CMakeLists.txt b/src/broker/CMakeLists.txt index 988855cafb..e3a3a73661 100644 --- a/src/broker/CMakeLists.txt +++ b/src/broker/CMakeLists.txt @@ -10,9 +10,6 @@ if ( ROCKSDB_INCLUDE_DIR ) include_directories(BEFORE ${ROCKSDB_INCLUDE_DIR}) endif () -include_directories(BEFORE ${CAF_INCLUDE_DIR_CORE}) -include_directories(BEFORE ${CAF_INCLUDE_DIR_IO}) - set(comm_SRCS Data.cc Manager.cc diff --git a/src/broker/Data.cc b/src/broker/Data.cc index bc4197a974..b836b66002 100644 --- a/src/broker/Data.cc +++ b/src/broker/Data.cc @@ -1,7 +1,8 @@ #include "Data.h" #include "broker/data.bif.h" -#include -#include +#include +#include +#include using namespace std; @@ -11,6 +12,8 @@ OpaqueType* bro_broker::opaque_of_table_iterator; OpaqueType* bro_broker::opaque_of_vector_iterator; OpaqueType* bro_broker::opaque_of_record_iterator; +BroType* bro_broker::DataVal::script_data_type = nullptr; + static broker::port::protocol to_broker_port_proto(TransportProto tp) { switch ( tp ) { @@ -45,7 +48,11 @@ struct val_converter { using result_type = Val*; BroType* type; - bool require_log_attr; + + result_type operator()(broker::none) + { + return nullptr; + } result_type operator()(bool a) { 
@@ -96,14 +103,34 @@ struct val_converter { } case TYPE_FUNC: { - auto id = lookup_ID(a.data(), GLOBAL_MODULE_NAME); - auto rval = id ? id->ID_Val() : nullptr; - Unref(id); + auto id = global_scope()->Lookup(a.data()); - if ( rval && rval->Type()->Tag() == TYPE_FUNC ) - return rval; + if ( ! id ) + return nullptr; - return nullptr; + auto rval = id->ID_Val(); + + if ( ! rval ) + return nullptr; + + auto t = rval->Type(); + + if ( ! t ) + return nullptr; + + if ( t->Tag() != TYPE_FUNC ) + return nullptr; + + return rval->Ref(); + } + case TYPE_OPAQUE: + { + SerializationFormat* form = new BinarySerializationFormat(); + form->StartRead(a.data(), a.size()); + CloneSerializer ss(form); + UnserialInfo uinfo(&ss); + uinfo.cache = false; + return Val::Unserialize(&uinfo, type->Tag()); } default: return nullptr; @@ -135,25 +162,29 @@ struct val_converter { result_type operator()(broker::port& a) { if ( type->Tag() == TYPE_PORT ) - return new PortVal(a.number(), bro_broker::to_bro_port_proto(a.type())); + return port_mgr->Get(a.number(), bro_broker::to_bro_port_proto(a.type())); return nullptr; } - result_type operator()(broker::time_point& a) + result_type operator()(broker::timestamp& a) { - if ( type->Tag() == TYPE_TIME ) - return new Val(a.value, TYPE_TIME); + if ( type->Tag() != TYPE_TIME ) + return nullptr; - return nullptr; + using namespace std::chrono; + auto s = duration_cast(a.time_since_epoch()); + return new Val(s.count(), TYPE_TIME); } - result_type operator()(broker::time_duration& a) + result_type operator()(broker::timespan& a) { - if ( type->Tag() == TYPE_INTERVAL ) - return new Val(a.value, TYPE_INTERVAL); + if ( type->Tag() != TYPE_INTERVAL ) + return nullptr; - return nullptr; + using namespace std::chrono; + auto s = duration_cast(a); + return new Val(s.count(), TYPE_INTERVAL); } result_type operator()(broker::enum_value& a) 
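Review bot: The new `TYPE_OPAQUE` case in `val_converter` passes the bytes of a Broker string straight to `Val::Unserialize`, and Broker data can originate from a remote peer. The call only pins the result to `type->Tag()`, so nothing visible here checks that the decoded value is the specific opaque type the receiver expects, or that the buffer is well-formed before parsing begins. I would add a comment stating the trust assumption, and compare the returned value's type with `type` before returning it, calling `Unref` and returning `nullptr` on mismatch. The `TYPE_FUNC` case above likewise resolves any global identifier named by the peer, which deserves a similar comment.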
@@ -182,17 +213,32 @@ struct val_converter { for ( auto& item : a ) { + auto expected_index_types = tt->Indices()->Types(); broker::vector composite_key; - auto indices = broker::get(item); + auto indices = caf::get_if(&item); - if ( ! indices ) + if ( indices ) + { + if ( expected_index_types->length() == 1 ) + { + auto index_is_vector_or_record = + (*expected_index_types)[0]->Tag() == TYPE_RECORD || + (*expected_index_types)[0]->Tag() == TYPE_VECTOR; + + if ( index_is_vector_or_record ) + { + // Disambiguate from composite key w/ multiple vals. + composite_key.emplace_back(move(item)); + indices = &composite_key; + } + } + } + else { composite_key.emplace_back(move(item)); indices = &composite_key; } - auto expected_index_types = tt->Indices()->Types(); - if ( static_cast(expected_index_types->length()) != indices->size() ) { @@ -235,17 +281,32 @@ struct val_converter { for ( auto& item : a ) { + auto expected_index_types = tt->Indices()->Types(); broker::vector composite_key; - auto indices = broker::get(item.first); + auto indices = caf::get_if(&item.first); - if ( ! indices ) + if ( indices ) + { + if ( expected_index_types->length() == 1 ) + { + auto index_is_vector_or_record = + (*expected_index_types)[0]->Tag() == TYPE_RECORD || + (*expected_index_types)[0]->Tag() == TYPE_VECTOR; + + if ( index_is_vector_or_record ) + { + // Disambiguate from composite key w/ multiple vals. + composite_key.emplace_back(move(item.first)); + indices = &composite_key; + } + } + } + else { composite_key.emplace_back(move(item.first)); indices = &composite_key; } - auto expected_index_types = tt->Indices()->Types(); - if ( static_cast(expected_index_types->length()) != indices->size() ) { 
@@ -289,78 +350,435 @@ struct val_converter { result_type operator()(broker::vector& a) { - if ( type->Tag() != TYPE_VECTOR ) - return nullptr; - - auto vt = type->AsVectorType(); - auto rval = new VectorVal(vt); - - for ( auto& item : a ) + if ( type->Tag() == TYPE_VECTOR ) { - auto item_val = bro_broker::data_to_val(move(item), vt->YieldType()); + auto vt = type->AsVectorType(); + auto rval = new VectorVal(vt); - if ( ! item_val ) + for ( auto& item : a ) { - Unref(rval); - return nullptr; + auto item_val = bro_broker::data_to_val(move(item), vt->YieldType()); + + if ( ! item_val ) + { + Unref(rval); + return nullptr; + } + + rval->Assign(rval->Size(), item_val); } - rval->Assign(rval->Size(), item_val); + return rval; } - - return rval; - } - - result_type operator()(broker::record& a) - { - if ( type->Tag() != TYPE_RECORD ) - return nullptr; - - auto rt = type->AsRecordType(); - auto rval = new RecordVal(rt); - auto idx = 0u; - - for ( auto i = 0u; i < static_cast(rt->NumFields()); ++i ) + else if ( type->Tag() == TYPE_RECORD ) { - if ( require_log_attr && ! rt->FieldDecl(i)->FindAttr(ATTR_LOG) ) - continue; + auto rt = type->AsRecordType(); + auto rval = new RecordVal(rt); + auto idx = 0u; - if ( idx >= a.fields.size() ) + for ( auto i = 0u; i < static_cast(rt->NumFields()); ++i ) { - Unref(rval); - return nullptr; - } + if ( idx >= a.size() ) + { + Unref(rval); + return nullptr; + } - if ( ! a.fields[idx] ) - { - rval->Assign(i, nullptr); + if ( caf::get_if(&a[idx]) != nullptr ) + { + rval->Assign(i, nullptr); + ++idx; + continue; + } + + auto item_val = bro_broker::data_to_val(move(a[idx]), + rt->FieldType(i)); + + if ( ! item_val ) + { + Unref(rval); + return nullptr; + } + + rval->Assign(i, item_val); ++idx; - continue; } - auto item_val = bro_broker::data_to_val(move(*a.fields[idx]), - rt->FieldType(i)); + return rval; + } + else if ( type->Tag() == TYPE_PATTERN ) + { + if ( a.size() != 2 ) + return nullptr; - if ( ! 
item_val ) + auto exact_text = caf::get_if(&a[0]); + auto anywhere_text = caf::get_if(&a[1]); + + if ( ! exact_text || ! anywhere_text ) + return nullptr; + + RE_Matcher* re = new RE_Matcher(exact_text->c_str(), + anywhere_text->c_str()); + + if ( ! re->Compile() ) { - Unref(rval); + reporter->Error("failed compiling unserialized pattern: %s, %s", + exact_text->c_str(), anywhere_text->c_str()); + delete re; return nullptr; } - rval->Assign(i, item_val); - ++idx; + auto rval = new PatternVal(re); + return rval; } - return rval; + return nullptr; } }; -Val* bro_broker::data_to_val(broker::data d, BroType* type, bool require_log_attr) +struct type_checker { + using result_type = bool; + + BroType* type; + + result_type operator()(broker::none) + { + return false; + } + + result_type operator()(bool a) + { + if ( type->Tag() == TYPE_BOOL ) + return true; + return false; + } + + result_type operator()(uint64_t a) + { + if ( type->Tag() == TYPE_COUNT ) + return true; + if ( type->Tag() == TYPE_COUNTER ) + return true; + return false; + } + + result_type operator()(int64_t a) + { + if ( type->Tag() == TYPE_INT ) + return true; + return false; + } + + result_type operator()(double a) + { + if ( type->Tag() == TYPE_DOUBLE ) + return true; + return false; + } + + result_type operator()(const std::string& a) + { + switch ( type->Tag() ) { + case TYPE_STRING: + return true; + case TYPE_FILE: + return true; + case TYPE_FUNC: + { + auto id = global_scope()->Lookup(a.data()); + + if ( ! id ) + return false; + + auto rval = id->ID_Val(); + + if ( ! rval ) + return false; + + auto t = rval->Type(); + + if ( ! 
t ) + return false; + + if ( t->Tag() != TYPE_FUNC ) + return false; + + return true; + } + case TYPE_OPAQUE: + { + // TODO + SerializationFormat* form = new BinarySerializationFormat(); + form->StartRead(a.data(), a.size()); + CloneSerializer ss(form); + UnserialInfo uinfo(&ss); + uinfo.cache = false; + return Val::Unserialize(&uinfo, type->Tag()); + } + default: + return false; + } + } + + result_type operator()(const broker::address& a) + { + if ( type->Tag() == TYPE_ADDR ) + return true; + + return false; + } + + result_type operator()(const broker::subnet& a) + { + if ( type->Tag() == TYPE_SUBNET ) + return true; + + return false; + } + + result_type operator()(const broker::port& a) + { + if ( type->Tag() == TYPE_PORT ) + return true; + + return false; + } + + result_type operator()(const broker::timestamp& a) + { + if ( type->Tag() == TYPE_TIME ) + return true; + + return false; + } + + result_type operator()(const broker::timespan& a) + { + if ( type->Tag() == TYPE_INTERVAL ) + return true; + + return false; + } + + result_type operator()(const broker::enum_value& a) + { + if ( type->Tag() == TYPE_ENUM ) + { + auto etype = type->AsEnumType(); + auto i = etype->Lookup(GLOBAL_MODULE_NAME, a.name.data()); + return i != -1; + } + + return false; + } + + result_type operator()(const broker::set& a) + { + if ( ! type->IsSet() ) + return false; + + auto tt = type->AsTableType(); + + for ( const auto& item : a ) + { + auto expected_index_types = tt->Indices()->Types(); + auto indices = caf::get_if(&item); + vector indices_to_check; + + if ( indices ) + { + if ( expected_index_types->length() == 1 ) + { + auto index_is_vector_or_record = + (*expected_index_types)[0]->Tag() == TYPE_RECORD || + (*expected_index_types)[0]->Tag() == TYPE_VECTOR; + + if ( index_is_vector_or_record ) + // Disambiguate from composite key w/ multiple vals. 
+ indices_to_check.emplace_back(&item); + else + { + indices_to_check.reserve(indices->size()); + + for ( auto i = 0u; i < indices->size(); ++i ) + indices_to_check.emplace_back(&(*indices)[i]); + } + } + else + { + indices_to_check.reserve(indices->size()); + + for ( auto i = 0u; i < indices->size(); ++i ) + indices_to_check.emplace_back(&(*indices)[i]); + } + } + else + indices_to_check.emplace_back(&item); + + if ( static_cast(expected_index_types->length()) != + indices_to_check.size() ) + return false; + + for ( auto i = 0u; i < indices_to_check.size(); ++i ) + { + auto expect = (*expected_index_types)[i]; + auto& index_to_check = *(indices_to_check)[i]; + + if ( ! caf::visit(type_checker{expect}, index_to_check) ) + return false; + } + } + + return true; + } + + result_type operator()(const broker::table& a) + { + if ( ! type->IsTable() ) + return false; + + auto tt = type->AsTableType(); + + for ( auto& item : a ) + { + auto expected_index_types = tt->Indices()->Types(); + auto indices = caf::get_if(&item.first); + vector indices_to_check; + + if ( indices ) + { + if ( expected_index_types->length() == 1 ) + { + auto index_is_vector_or_record = + (*expected_index_types)[0]->Tag() == TYPE_RECORD || + (*expected_index_types)[0]->Tag() == TYPE_VECTOR; + + if ( index_is_vector_or_record ) + // Disambiguate from composite key w/ multiple vals. 
+ indices_to_check.emplace_back(&item.first); + else + { + indices_to_check.reserve(indices->size()); + + for ( auto i = 0u; i < indices->size(); ++i ) + indices_to_check.emplace_back(&(*indices)[i]); + } + } + else + { + indices_to_check.reserve(indices->size()); + + for ( auto i = 0u; i < indices->size(); ++i ) + indices_to_check.emplace_back(&(*indices)[i]); + } + } + else + indices_to_check.emplace_back(&item.first); + + + if ( static_cast(expected_index_types->length()) != + indices_to_check.size() ) + { + return false; + } + + auto list_val = new ListVal(TYPE_ANY); + + for ( auto i = 0u; i < indices_to_check.size(); ++i ) + { + auto expect = (*expected_index_types)[i]; + auto& index_to_check = *(indices_to_check)[i]; + + if ( ! caf::visit(type_checker{expect}, index_to_check) ) + return false; + } + + if ( ! caf::visit(type_checker{tt->YieldType()}, + item.second) ) + return false; + } + + return true; + } + + result_type operator()(const broker::vector& a) + { + if ( type->Tag() == TYPE_VECTOR ) + { + auto vt = type->AsVectorType(); + + for ( auto& item : a ) + { + if ( ! caf::visit(type_checker{vt->YieldType()}, item) ) + return false; + } + + return true; + } + else if ( type->Tag() == TYPE_RECORD ) + { + auto rt = type->AsRecordType(); + auto idx = 0u; + + for ( auto i = 0u; i < static_cast(rt->NumFields()); ++i ) + { + if ( idx >= a.size() ) + return false; + + if ( caf::get_if(&a[idx]) != nullptr ) + { + ++idx; + continue; + } + + if ( ! caf::visit(type_checker{rt->FieldType(i)}, + a[idx]) ) + return false; + + ++idx; + } + + return true; + } + else if ( type->Tag() == TYPE_PATTERN ) + { + if ( a.size() != 2 ) + return false; + + auto exact_text = caf::get_if(&a[0]); + auto anywhere_text = caf::get_if(&a[1]); + + if ( ! exact_text || ! anywhere_text ) + return false; + + RE_Matcher* re = new RE_Matcher(exact_text->c_str(), + anywhere_text->c_str()); + auto compiled = re->Compile(); + delete re; + + if ( ! 
compiled ) + { + reporter->Error("failed compiling pattern: %s, %s", + exact_text->c_str(), anywhere_text->c_str()); + return false; + } + + return true; + } + + return false; + } +}; + +Val* bro_broker::data_to_val(broker::data d, BroType* type) { - return broker::visit(val_converter{type, require_log_attr}, d); + if ( type->Tag() == TYPE_ANY ) + return bro_broker::make_data_val(move(d)); + + return caf::visit(val_converter{type}, std::move(d)); } -broker::util::optional bro_broker::val_to_data(Val* v) +broker::expected bro_broker::val_to_data(Val* v) { switch ( v->Type()->Tag() ) { case TYPE_BOOL: @@ -394,15 +812,22 @@ broker::util::optional bro_broker::val_to_data(Val* v) auto a = broker::address(reinterpret_cast(&tmp), broker::address::family::ipv6, broker::address::byte_order::network); - return {broker::subnet(a, s.Length())}; + return {broker::subnet(std::move(a), s.Length())}; } break; case TYPE_DOUBLE: return {v->AsDouble()}; case TYPE_TIME: - return {broker::time_point(v->AsTime())}; + { + auto secs = broker::fractional_seconds{v->AsTime()}; + auto since_epoch = std::chrono::duration_cast(secs); + return {broker::timestamp{since_epoch}}; + } case TYPE_INTERVAL: - return {broker::time_duration(v->AsInterval())}; + { + auto secs = broker::fractional_seconds{v->AsInterval()}; + return {std::chrono::duration_cast(secs)}; + } case TYPE_ENUM: { auto enum_type = v->Type()->AsEnumType(); @@ -462,7 +887,7 @@ broker::util::optional bro_broker::val_to_data(Val* v) auto key_part = val_to_data((*vl->Vals())[k]); if ( ! key_part ) - return {}; + return broker::ec::invalid_data; composite_key.emplace_back(move(*key_part)); } 
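Review bot: In the new `type_checker`, the `TYPE_OPAQUE` branch (still marked `// TODO`) returns the `Val*` from `Val::Unserialize` straight out of a function whose `result_type` is `bool`, so every `canCastTo` check on opaque data allocates a value that is never released. Hold the pointer and drop the reference before returning: `auto v = Val::Unserialize(&uinfo, type->Tag());`, `bool ok = v != nullptr;`, `Unref(v); return ok;`. The `broker::table` overload has a similar leftover, `auto list_val = new ListVal(TYPE_ANY);`, which is never used or unreferenced and should simply be deleted. Both paths run on data received from peers, so the leak grows with message volume.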
@@ -475,20 +900,19 @@ broker::util::optional bro_broker::val_to_data(Val* v) key = move(composite_key); if ( is_set ) - broker::get(rval)->emplace(move(key)); + caf::get(rval).emplace(move(key)); else { auto val = val_to_data(entry->Value()); if ( ! val ) - return {}; + return broker::ec::invalid_data; - broker::get(rval)->emplace(move(key), - move(*val)); + caf::get(rval).emplace(move(key), move(*val)); } } - return {rval}; + return {std::move(rval)}; } case TYPE_VECTOR: { @@ -506,19 +930,19 @@ broker::util::optional bro_broker::val_to_data(Val* v) auto item = val_to_data(item_val); if ( ! item ) - return {}; + return broker::ec::invalid_data; rval.emplace_back(move(*item)); } - return {rval}; + return {std::move(rval)}; } case TYPE_RECORD: { auto rec = v->AsRecordVal(); - broker::record rval; + broker::vector rval; size_t num_fields = v->Type()->AsRecordType()->NumFields(); - rval.fields.reserve(num_fields); + rval.reserve(num_fields); for ( auto i = 0u; i < num_fields; ++i ) { @@ -526,7 +950,7 @@ broker::util::optional bro_broker::val_to_data(Val* v) if ( ! item_val ) { - rval.fields.emplace_back(broker::record::field{}); + rval.emplace_back(broker::nil); continue; } 
@@ -534,12 +958,36 @@ broker::util::optional bro_broker::val_to_data(Val* v) Unref(item_val); if ( ! item ) - return {}; + return broker::ec::invalid_data; - rval.fields.emplace_back(broker::record::field{move(*item)}); + rval.emplace_back(move(*item)); } - return {rval}; + return {std::move(rval)}; + } + case TYPE_PATTERN: + { + RE_Matcher* p = v->AsPattern(); + broker::vector rval = {p->PatternText(), p->AnywherePatternText()}; + return {std::move(rval)}; + } + case TYPE_OPAQUE: + { + SerializationFormat* form = new BinarySerializationFormat(); + form->StartWrite(); + CloneSerializer ss(form); + SerialInfo sinfo(&ss); + sinfo.cache = false; + sinfo.include_locations = false; + + if ( ! v->Serialize(&sinfo) ) + return broker::ec::invalid_data; + + char* data; + uint32 len = form->EndWrite(&data); + string rval(data, len); + free(data); + return {std::move(rval)}; } default: reporter->Error("unsupported Broker::Data type: %s", @@ -547,7 +995,7 @@ broker::util::optional bro_broker::val_to_data(Val* v) break; } - return {}; + return broker::ec::invalid_data; } RecordVal* bro_broker::make_data_val(Val* v) 
@@ -571,100 +1019,103 @@ RecordVal* bro_broker::make_data_val(broker::data d) struct data_type_getter { using result_type = EnumVal*; - result_type operator()(bool a) + result_type operator()(broker::none) + { + return new EnumVal(BifEnum::Broker::NONE, + BifType::Enum::Broker::DataType); + } + + result_type operator()(bool) { return new EnumVal(BifEnum::Broker::BOOL, BifType::Enum::Broker::DataType); } - result_type operator()(uint64_t a) + result_type operator()(uint64_t) { return new EnumVal(BifEnum::Broker::COUNT, BifType::Enum::Broker::DataType); } - result_type operator()(int64_t a) + result_type operator()(int64_t) { return new EnumVal(BifEnum::Broker::INT, BifType::Enum::Broker::DataType); } - result_type operator()(double a) + result_type operator()(double) { return new EnumVal(BifEnum::Broker::DOUBLE, BifType::Enum::Broker::DataType); } - result_type operator()(const std::string& a) + result_type operator()(const std::string&) { return new EnumVal(BifEnum::Broker::STRING, BifType::Enum::Broker::DataType); } - result_type operator()(const broker::address& a) + result_type operator()(const broker::address&) { return new EnumVal(BifEnum::Broker::ADDR, BifType::Enum::Broker::DataType); } - result_type operator()(const broker::subnet& a) + result_type operator()(const broker::subnet&) { return new EnumVal(BifEnum::Broker::SUBNET, BifType::Enum::Broker::DataType); } - result_type operator()(const broker::port& a) + result_type operator()(const broker::port&) { return new EnumVal(BifEnum::Broker::PORT, BifType::Enum::Broker::DataType); } - result_type operator()(const broker::time_point& a) + result_type operator()(const broker::timestamp&) { return new EnumVal(BifEnum::Broker::TIME, BifType::Enum::Broker::DataType); } - result_type operator()(const broker::time_duration& a) + result_type operator()(const broker::timespan&) { return new EnumVal(BifEnum::Broker::INTERVAL, BifType::Enum::Broker::DataType); } - result_type operator()(const broker::enum_value& a) + 
result_type operator()(const broker::enum_value&) { return new EnumVal(BifEnum::Broker::ENUM, BifType::Enum::Broker::DataType); } - result_type operator()(const broker::set& a) + result_type operator()(const broker::set&) { return new EnumVal(BifEnum::Broker::SET, BifType::Enum::Broker::DataType); } - result_type operator()(const broker::table& a) + result_type operator()(const broker::table&) { return new EnumVal(BifEnum::Broker::TABLE, BifType::Enum::Broker::DataType); } - result_type operator()(const broker::vector& a) + result_type operator()(const broker::vector&) { + // Note that Broker uses vectors to store record data, so there's + // no actual way to tell if this data was originally associated + // with a Bro record. return new EnumVal(BifEnum::Broker::VECTOR, BifType::Enum::Broker::DataType); } - - result_type operator()(const broker::record& a) - { - return new EnumVal(BifEnum::Broker::RECORD, - BifType::Enum::Broker::DataType); - } }; EnumVal* bro_broker::get_data_type(RecordVal* v, Frame* frame) { - return broker::visit(data_type_getter{}, opaque_field_to_data(v, frame)); + return caf::visit(data_type_getter{}, opaque_field_to_data(v, frame)); } broker::data& bro_broker::opaque_field_to_data(RecordVal* v, Frame* f) 
@@ -678,17 +1129,28 @@ broker::data& bro_broker::opaque_field_to_data(RecordVal* v, Frame* f) return static_cast(d)->data; } +bool bro_broker::DataVal::canCastTo(BroType* t) const + { + return caf::visit(type_checker{t}, data); + } + +Val* bro_broker::DataVal::castTo(BroType* t) + { + return data_to_val(data, t); + } + IMPLEMENT_SERIAL(bro_broker::DataVal, SER_COMM_DATA_VAL); bool bro_broker::DataVal::DoSerialize(SerialInfo* info) const { DO_SERIALIZE(SER_COMM_DATA_VAL, OpaqueVal); - std::string serial; - caf::binary_serializer bs(std::back_inserter(serial)); - bs << data; + std::string buffer; + caf::containerbuf sb{buffer}; + caf::stream_serializer&> serializer{sb}; + serializer << data; - if ( ! SERIALIZE_STR(serial.data(), serial.size()) ) + if ( ! SERIALIZE_STR(buffer.data(), buffer.size()) ) return false; return true; 
@@ -704,8 +1166,51 @@ bool bro_broker::DataVal::DoUnserialize(UnserialInfo* info) if ( ! UNSERIALIZE_STR(&serial, &len) ) return false; - caf::binary_deserializer bd(serial, len); - caf::uniform_typeid()->deserialize(&data, &bd); + caf::arraybuf sb{const_cast(serial), // will not write + static_cast(len)}; + caf::stream_deserializer&> deserializer{sb}; + deserializer >> data; + delete [] serial; return true; } + +broker::data bro_broker::threading_field_to_data(const threading::Field* f) + { + auto name = f->name; + auto type = static_cast(f->type); + auto subtype = static_cast(f->subtype); + auto optional = f->optional; + + broker::data secondary = broker::nil; + + if ( f->secondary_name ) + secondary = {f->secondary_name}; + + return broker::vector({name, secondary, type, subtype, optional}); + } + +threading::Field* bro_broker::data_to_threading_field(broker::data d) + { + if ( ! caf::holds_alternative(d) ) + return nullptr; + + auto& v = caf::get(d); + auto name = caf::get_if(&v[0]); + auto secondary = v[1]; + auto type = caf::get_if(&v[2]); + auto subtype = caf::get_if(&v[3]); + auto optional = caf::get_if(&v[4]); + + if ( ! (name && type && subtype && optional) ) + return nullptr; + + if ( secondary != broker::nil && ! caf::holds_alternative(secondary) ) + return nullptr; + + return new threading::Field(name->c_str(), + secondary != broker::nil ? caf::get(secondary).c_str() : nullptr, + static_cast(*type), + static_cast(*subtype), + *optional); + } diff --git a/src/broker/Data.h b/src/broker/Data.h index 0045ad58ad..e2a5968a82 100644 --- a/src/broker/Data.h +++ b/src/broker/Data.h @@ -1,7 +1,7 @@ #ifndef BRO_COMM_DATA_H #define BRO_COMM_DATA_H -#include +#include #include "Val.h" #include "Reporter.h" #include "Frame.h" 
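Review bot: `data_to_threading_field` indexes `v[0]` through `v[4]` right after `caf::get(d)` without checking how many elements the vector holds, so a shorter vector from a peer is read out of bounds. Add `if ( v.size() < 5 ) return nullptr;` before the first `caf::get_if` call; the existing null checks on `name`, `type`, `subtype` and `optional` only cover wrong element types, not missing elements. In the same hunk `DoUnserialize` runs `deserializer >> data;` and returns `true` unconditionally, so a malformed buffer appears not to be reported to the caller; that deserve a check or at least a comment explaining why it is safe.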
@@ -48,18 +48,46 @@ EnumVal* get_data_type(RecordVal* v, Frame* frame); * @param v a Bro value. * @return a Broker data value if the Bro value could be converted to one. */ -broker::util::optional val_to_data(Val* v); +broker::expected val_to_data(Val* v); /** * Convert a Broker data value to a Bro value. * @param d a Broker data value. * @param type the expected type of the value to return. - * @param require_log_attr if true, skip over record fields that don't have the - * &log attribute. * @return a pointer to a new Bro value or a nullptr if the conversion was not * possible. */ -Val* data_to_val(broker::data d, BroType* type, bool require_log_attr = false); +Val* data_to_val(broker::data d, BroType* type); + +/** + * Convert a Bro threading::Value to a Broker data value. + * @param v a Bro threading::Value. + * @return a Broker data value if the Bro threading::Value could be converted to one. + */ +broker::expected threading_val_to_data(const threading::Value* v); + +/** + * Convert a Bro threading::Field to a Broker data value. + * @param f a Bro threading::Field. + * @return a Broker data value if the Bro threading::Field could be converted to one. + */ +broker::data threading_field_to_data(const threading::Field* f); + +/** + * Convert a Broker data value to a Bro threading::Value. + * @param d a Broker data value. + * @return a pointer to a new Bro threading::Value or a nullptr if the conversion was not + * possible. + */ +threading::Value* data_to_threading_val(broker::data d); + +/** + * Convert a Broker data value to a Bro threading::Value. + * @param d a Broker data value. + * @return a pointer to a new Bro threading::Value or a nullptr if the conversion was not + * possible. + */ +threading::Field* data_to_threading_field(broker::data d); /** * A Bro value which wraps a Broker data value. 
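Review bot: The doc comment above `data_to_threading_field` is a copy of the one for `data_to_threading_val` and still describes a `threading::Value`. It should read `* Convert a Broker data value to a Bro threading::Field.` with `@return a pointer to a new Bro threading::Field or a nullptr if the conversion was not possible.` Because the implementation in Data.cc returns `new threading::Field(...)`, it is worth stating in both comments that the caller owns the returned pointer.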
@@ -78,14 +106,29 @@ public: d->Add("}"); } + Val* castTo(BroType* t); + bool canCastTo(BroType* t) const; + + // Returns the Bro type that scripts use to represent a Broker data + // instance. This may be wrapping the opaque value inside another + // type. + static BroType* ScriptDataType() + { + if ( ! script_data_type ) + script_data_type = internal_type("Broker::Data"); + + return script_data_type; + } + DECLARE_SERIAL(DataVal); broker::data data; protected: - DataVal() {} + + static BroType* script_data_type; }; /** 
@@ -94,50 +137,55 @@ protected: struct type_name_getter { using result_type = const char*; - result_type operator()(bool a) + result_type operator()(broker::none) + { return "NONE"; } // FIXME: what's the right thing to return here? + + result_type operator()(bool) { return "bool"; } - result_type operator()(uint64_t a) + result_type operator()(uint64_t) { return "uint64_t"; } - result_type operator()(int64_t a) + result_type operator()(int64_t) { return "int64_t"; } - result_type operator()(double a) + result_type operator()(double) { return "double"; } - result_type operator()(const std::string& a) + result_type operator()(const std::string&) { return "string"; } - result_type operator()(const broker::address& a) + result_type operator()(const broker::address&) { return "address"; } - result_type operator()(const broker::subnet& a) + result_type operator()(const broker::subnet&) { return "subnet"; } - result_type operator()(const broker::port& a) + result_type operator()(const broker::port&) { return "port"; } - result_type operator()(const broker::time_point& a) + result_type operator()(const broker::timestamp&) { return "time"; } - result_type operator()(const broker::time_duration& a) + result_type operator()(const broker::timespan&) { return "interval"; } - result_type operator()(const broker::enum_value& a) + result_type operator()(const broker::enum_value&) { return "enum"; } - result_type operator()(const broker::set& a) + result_type operator()(const broker::set&) { return "set"; } - result_type operator()(const broker::table& a) + result_type operator()(const broker::table&) { return "table"; } - result_type operator()(const broker::vector& a) - { return "vector"; } + result_type operator()(const broker::vector&) + { + assert(tag == TYPE_VECTOR || tag == TYPE_RECORD); + return tag == TYPE_VECTOR ? "vector" : "record"; + } - result_type operator()(const broker::record& a) - { return "record"; } + TypeTag tag; }; /** 
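Review bot: The `assert(tag == TYPE_VECTOR || tag == TYPE_RECORD);` in the `broker::vector` overload fires on exactly the path this visitor exists for. `require_data_type` builds `type_name_getter{tag}` with the type the caller expected, and only when the stored data is not of that type, so data holding a vector while a set or table was expected reaches this overload with some other tag. In assert-enabled builds that aborts the process instead of raising the runtime error, and in other builds the message labels the vector as "record". Dropping the assert and writing `return tag == TYPE_RECORD ? "record" : "vector";` keeps the intended distinction without the abort.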
@@ -162,12 +210,11 @@ broker::data& opaque_field_to_data(RecordVal* v, Frame* f); template T& require_data_type(broker::data& d, TypeTag tag, Frame* f) { - auto ptr = broker::get(d); - + auto ptr = caf::get_if(&d); if ( ! ptr ) reporter->RuntimeError(f->GetCall()->GetLocationInfo(), "data is of type '%s' not of type '%s'", - broker::visit(type_name_getter{}, d), + caf::visit(type_name_getter{tag}, d), type_name(tag)); return *ptr; @@ -182,21 +229,6 @@ inline T& require_data_type(RecordVal* v, TypeTag tag, Frame* f) return require_data_type(opaque_field_to_data(v, f), tag, f); } -/** - * Convert a Broker::Data Bro value to a Bro value of a given type. - * @tparam a type that a Broker data variant may contain. - * @param v a Broker::Data value. - * @param tag a Bro type to convert to. - * @param f used to get location information on error. - * A runtime interpret exception is thrown if trying to access a type which - * is not currently stored in the Broker data. - */ -template -inline Val* refine(RecordVal* v, TypeTag tag, Frame* f) - { - return new Val(require_data_type(v, tag, f), tag); - } - // Copying data in to iterator vals is not the fastest approach, but safer... class SetIterator : public OpaqueVal { @@ -243,12 +275,12 @@ public: RecordIterator(RecordVal* v, TypeTag tag, Frame* f) : OpaqueVal(bro_broker::opaque_of_record_iterator), - dat(require_data_type(v, TYPE_RECORD, f)), - it(dat.fields.begin()) + dat(require_data_type(v, TYPE_RECORD, f)), + it(dat.begin()) {} - broker::record dat; - decltype(broker::record::fields)::iterator it; + broker::vector dat; + broker::vector::iterator it; }; } // namespace bro_broker diff --git a/src/broker/Manager.cc b/src/broker/Manager.cc index 334b7f84f5..6aef1e06cf 100644 --- a/src/broker/Manager.cc +++ b/src/broker/Manager.cc 
@@ -1,10 +1,12 @@ + +#include +#include +#include +#include + #include "Manager.h" #include "Data.h" #include "Store.h" -#include -#include -#include -#include #include "util.h" #include "Var.h" #include "Reporter.h" 
@@ -18,279 +20,729 @@ using namespace std; -VectorType* bro_broker::Manager::vector_of_data_type; -EnumType* bro_broker::Manager::log_id_type; -int bro_broker::Manager::send_flags_self_idx; -int bro_broker::Manager::send_flags_peers_idx; -int bro_broker::Manager::send_flags_unsolicited_idx; +namespace bro_broker { -bro_broker::Manager::Manager() - : iosource::IOSource(), next_timestamp(-1) +// Max number of log messages buffered per stream before we send them out as +// a batch. +static const int LOG_BATCH_SIZE = 400; + +// Max secs to buffer log messages before sending the current set out as a +// batch. +static const double LOG_BUFFER_INTERVAL = 1.0; + +static inline Val* get_option(const char* option) { - SetIdle(true); + auto id = global_scope()->Lookup(option); + + if ( ! (id && id->ID_Val()) ) + reporter->FatalError("Unknown Broker option %s", option); + + return id->ID_Val(); } -bro_broker::Manager::~Manager() +class BrokerConfig : public broker::configuration { +public: + BrokerConfig(broker::broker_options options) + : broker::configuration(options) + { + openssl_cafile = get_option("Broker::ssl_cafile")->AsString()->CheckString(); + openssl_capath = get_option("Broker::ssl_capath")->AsString()->CheckString(); + openssl_certificate = get_option("Broker::ssl_certificate")->AsString()->CheckString(); + openssl_key = get_option("Broker::ssl_keyfile")->AsString()->CheckString(); + openssl_passphrase = get_option("Broker::ssl_passphrase")->AsString()->CheckString(); + } +}; + +class BrokerState { +public: + BrokerState(BrokerConfig config, size_t congestion_queue_size) + : endpoint(std::move(config)), + subscriber(endpoint.make_subscriber({}, congestion_queue_size)), + status_subscriber(endpoint.make_status_subscriber(true)) + { + } + + broker::endpoint endpoint; + broker::subscriber subscriber; + broker::status_subscriber status_subscriber; +}; + +const broker::endpoint_info Manager::NoPeer{{}, {}}; + +int Manager::script_scope = 0; + +struct unref_guard { + 
unref_guard(Val* v) : val(v) {} + ~unref_guard() { Unref(val); } + Val* val; +}; + +struct scoped_reporter_location { + scoped_reporter_location(Frame* frame) + { + reporter->PushLocation(frame->GetCall()->GetLocationInfo()); + } + + ~scoped_reporter_location() + { + reporter->PopLocation(); + } +}; + +#ifdef DEBUG +static std::string RenderMessage(std::string topic, broker::data x) { - vector stores_to_close; - - for ( auto& s : data_stores ) - stores_to_close.emplace_back(s.first); - - for ( auto& s : stores_to_close ) - // This doesn't loop directly over data_stores, because CloseStore - // modifies the map and invalidates iterators. - CloseStore(s.first, s.second); + return fmt("%s -> %s", broker::to_string(x).c_str(), topic.c_str()); } -static int require_field(RecordType* rt, const char* name) +static std::string RenderEvent(std::string topic, std::string name, broker::data args) { - auto rval = rt->FieldOffset(name); - - if ( rval < 0 ) - reporter->InternalError("no field named '%s' in record type '%s'", name, - rt->GetName().data()); - - return rval; + return fmt("%s(%s) -> %s", name.c_str(), broker::to_string(args).c_str(), topic.c_str()); } -static int endpoint_flags_to_int(Val* broker_endpoint_flags) +static std::string RenderMessage(broker::store::response x) { - int rval = 0; - auto r = broker_endpoint_flags->AsRecordVal(); - Val* auto_publish_flag = r->Lookup("auto_publish", true); - Val* auto_advertise_flag = r->Lookup("auto_advertise", true); - - if ( auto_publish_flag->AsBool() ) - rval |= broker::AUTO_PUBLISH; - - if ( auto_advertise_flag->AsBool() ) - rval |= broker::AUTO_ADVERTISE; - - Unref(auto_publish_flag); - Unref(auto_advertise_flag); - return rval; + return fmt("%s [id %" PRIu64 "]", (x.answer ? 
broker::to_string(*x.answer).c_str() : ""), x.id); } -bool bro_broker::Manager::Enable(Val* broker_endpoint_flags) +static std::string RenderMessage(const broker::vector* xs) { - if ( endpoint != nullptr ) - return true; + return broker::to_string(*xs); + } - auto send_flags_type = internal_type("Broker::SendFlags")->AsRecordType(); - send_flags_self_idx = require_field(send_flags_type, "self"); - send_flags_peers_idx = require_field(send_flags_type, "peers"); - send_flags_unsolicited_idx = require_field(send_flags_type, "unsolicited"); +static std::string RenderMessage(const broker::data& d) + { + return broker::to_string(d); + } +static std::string RenderMessage(const broker::vector& xs) + { + return broker::to_string(xs); + } + +static std::string RenderMessage(const broker::status& s) + { + return broker::to_string(s.code()); + } + +static std::string RenderMessage(const broker::error& e) + { + return fmt("%s (%s)", broker::to_string(e.code()).c_str(), + caf::to_string(e.context()).c_str()); + } + +#endif + +Manager::Manager(bool arg_reading_pcaps) + { + bound_port = 0; + reading_pcaps = arg_reading_pcaps; + after_bro_init = false; + peer_count = 0; + log_topic_func = nullptr; + vector_of_data_type = nullptr; + log_id_type = nullptr; + writer_id_type = nullptr; + + SetIdle(false); + } + +Manager::~Manager() + { + } + +void Manager::InitPostScript() + { + DBG_LOG(DBG_BROKER, "Initializing"); + + default_log_topic_prefix = + get_option("Broker::default_log_topic_prefix")->AsString()->CheckString(); + log_topic_func = get_option("Broker::log_topic")->AsFunc(); log_id_type = internal_type("Log::ID")->AsEnumType(); + writer_id_type = internal_type("Log::Writer")->AsEnumType(); - bro_broker::opaque_of_data_type = new OpaqueType("Broker::Data"); - bro_broker::opaque_of_set_iterator = new OpaqueType("Broker::SetIterator"); - bro_broker::opaque_of_table_iterator = new OpaqueType("Broker::TableIterator"); - bro_broker::opaque_of_vector_iterator = new 
OpaqueType("Broker::VectorIterator"); - bro_broker::opaque_of_record_iterator = new OpaqueType("Broker::RecordIterator"); - bro_broker::opaque_of_store_handle = new OpaqueType("Broker::Handle"); + opaque_of_data_type = new OpaqueType("Broker::Data"); + opaque_of_set_iterator = new OpaqueType("Broker::SetIterator"); + opaque_of_table_iterator = new OpaqueType("Broker::TableIterator"); + opaque_of_vector_iterator = new OpaqueType("Broker::VectorIterator"); + opaque_of_record_iterator = new OpaqueType("Broker::RecordIterator"); + opaque_of_store_handle = new OpaqueType("Broker::Store"); vector_of_data_type = new VectorType(internal_type("Broker::Data")->Ref()); - auto res = broker::init(); + // Register as a "dont-count" source first, we may change that later. + iosource_mgr->Register(this, true); - if ( res ) - { - fprintf(stderr, "broker::init failed: %s\n", broker::strerror(res)); - return false; - } + broker::broker_options options; + options.disable_ssl = get_option("Broker::disable_ssl")->AsBool(); + options.forward = get_option("Broker::forward_messages")->AsBool(); + options.use_real_time = ! 
reading_pcaps; - res = broker::report::init(true); + BrokerConfig config{std::move(options)}; + auto max_threads = get_option("Broker::max_threads")->AsCount(); + auto max_sleep = get_option("Broker::max_sleep")->AsCount(); - if ( res ) - { - fprintf(stderr, "broker::report::init failed: %s\n", - broker::strerror(res)); - return false; - } - - const char* name; - auto name_from_script = internal_val("Broker::endpoint_name")->AsString(); - - if ( name_from_script->Len() ) - name = name_from_script->CheckString(); + if ( max_threads ) + config.set("scheduler.max-threads", max_threads); else { - char host[256]; + auto max_threads_env = getenv("BRO_BROKER_MAX_THREADS"); - if ( gethostname(host, sizeof(host)) == 0 ) - name = fmt("bro@%s.%ld", host, static_cast(getpid())); + if ( max_threads_env ) + config.set("scheduler.max-threads", atoi(max_threads_env)); else - name = fmt("bro@.%ld", static_cast(getpid())); - } - - int flags = endpoint_flags_to_int(broker_endpoint_flags); - endpoint = unique_ptr(new broker::endpoint(name, flags)); - iosource_mgr->Register(this, true); - return true; - } - -bool bro_broker::Manager::SetEndpointFlags(Val* broker_endpoint_flags) - { - if ( ! Enabled() ) - return false; - - int flags = endpoint_flags_to_int(broker_endpoint_flags); - endpoint->set_flags(flags); - return true; - } - -bool bro_broker::Manager::Listen(uint16_t port, const char* addr, bool reuse_addr) - { - if ( ! Enabled() ) - return false; - - auto rval = endpoint->listen(port, addr, reuse_addr); - - if ( ! rval ) - { - reporter->Error("Failed to listen on %s:%" PRIu16 " : %s", - addr ? addr : "INADDR_ANY", port, - endpoint->last_error().data()); - } - - return rval; - } - -bool bro_broker::Manager::Connect(string addr, uint16_t port, - chrono::duration retry_interval) - { - if ( ! 
Enabled() ) - return false; - - auto& peer = peers[make_pair(addr, port)]; - - if ( peer ) - return false; - - peer = endpoint->peer(move(addr), port, retry_interval); - return true; - } - -bool bro_broker::Manager::Disconnect(const string& addr, uint16_t port) - { - if ( ! Enabled() ) - return false; - - auto it = peers.find(make_pair(addr, port)); - - if ( it == peers.end() ) - return false; - - auto rval = endpoint->unpeer(it->second); - peers.erase(it); - return rval; - } - -bool bro_broker::Manager::Print(string topic, string msg, Val* flags) - { - if ( ! Enabled() ) - return false; - - endpoint->send(move(topic), broker::message{move(msg)}, - send_flags_to_int(flags)); - return true; - } - -bool bro_broker::Manager::Event(std::string topic, broker::message msg, int flags) - { - if ( ! Enabled() ) - return false; - - endpoint->send(move(topic), move(msg), flags); - return true; - } - -bool bro_broker::Manager::Log(EnumVal* stream, RecordVal* columns, RecordType* info, - int flags) - { - if ( ! Enabled() ) - return false; - - auto stream_name = stream->Type()->AsEnumType()->Lookup(stream->AsEnum()); - - if ( ! stream_name ) - { - reporter->Error("Failed to remotely log: stream %d doesn't have name", - stream->AsEnum()); - return false; - } - - broker::record column_data; - - for ( auto i = 0u; i < static_cast(info->NumFields()); ++i ) - { - if ( ! info->FieldDecl(i)->FindAttr(ATTR_LOG) ) - continue; - - auto field_val = columns->LookupWithDefault(i); - - if ( ! field_val ) { - column_data.fields.emplace_back(broker::record::field{}); - continue; + // On high-core-count systems, letting CAF spawn a thread per core + // can lead to significant performance problems even if most + // threads are under-utilized. 
Related: + // https://github.com/actor-framework/actor-framework/issues/699 + if ( reading_pcaps ) + config.set("scheduler.max-threads", 2u); + else + // If the goal was to map threads to actors, 4 threads seems + // like a minimal default that could make sense -- the main + // actors that should be doing work are (1) the core, + // (2) the subscriber, (3) data stores (actually made of + // a frontend + proxy actor). Number of data stores may + // actually vary, but lumped togather for simplicity. A (4) + // may be CAF's multiplexing or other internals... + // 4 is also the minimum number that CAF uses by default, + // even for systems with less than 4 cores. + config.set("scheduler.max-threads", 4u); } - - auto opt_field_data = val_to_data(field_val); - Unref(field_val); - - if ( ! opt_field_data ) - { - reporter->Error("Failed to remotely log stream %s: " - "unsupported type '%s'", - stream_name, - type_name(info->FieldDecl(i)->type->Tag())); - return false; - } - - column_data.fields.emplace_back( - broker::record::field{move(*opt_field_data)}); } - broker::message msg{broker::enum_value{stream_name}, move(column_data)}; - std::string topic = std::string("bro/log/") + stream_name; - endpoint->send(move(topic), move(msg), flags); + if ( max_sleep ) + config.set("work-stealing.relaxed-sleep-duration-us", max_sleep); + else + // 64ms is just an arbitrary amount derived from testing + // the overhead of a unused CAF actor system on a 32-core system. + // Performance was within 2% of baseline timings (w/o CAF) + // when using this sleep duration. 
+ config.set("work-stealing.relaxed-sleep-duration-us", 64000); + + auto cqs = get_option("Broker::congestion_queue_size")->AsCount(); + bstate = std::make_shared(std::move(config), cqs); + } + +void Manager::Terminate() + { + FlushLogBuffers(); + + vector stores_to_close; + + for ( auto& x : data_stores ) + stores_to_close.push_back(x.first); + + for ( auto& x: stores_to_close ) + // This doesn't loop directly over data_stores, because CloseStore + // modifies the map and invalidates iterators. + CloseStore(x); + + FlushLogBuffers(); + + for ( auto& p : bstate->endpoint.peers() ) + if ( p.peer.network ) + bstate->endpoint.unpeer(p.peer.network->address, + p.peer.network->port); + + bstate->endpoint.shutdown(); + } + +bool Manager::Active() + { + if ( bstate->endpoint.is_shutdown() ) + return false; + + if ( bound_port > 0 ) + return true; + + return peer_count > 0; + } + +void Manager::AdvanceTime(double seconds_since_unix_epoch) + { + if ( bstate->endpoint.is_shutdown() ) + return; + + if ( bstate->endpoint.use_real_time() ) + return; + + auto secs = std::chrono::duration(seconds_since_unix_epoch); + auto span = std::chrono::duration_cast(secs); + broker::timestamp next_time{span}; + bstate->endpoint.advance_time(next_time); + } + +void Manager::FlushPendingQueries() + { + while ( ! pending_queries.empty() ) + { + // possibly an infinite loop if a query can recursively + // generate more queries... + for ( auto& s : data_stores ) + { + while ( ! s.second->proxy.mailbox().empty() ) + { + auto response = s.second->proxy.receive(); + ProcessStoreResponse(s.second, move(response)); + } + } + } + + SetIdle(false); + } + +uint16_t Manager::Listen(const string& addr, uint16_t port) + { + if ( bstate->endpoint.is_shutdown() ) + return 0; + + bound_port = bstate->endpoint.listen(addr, port); + + if ( bound_port == 0 ) + Error("Failed to listen on %s:%" PRIu16, + addr.empty() ? "INADDR_ANY" : addr.c_str(), port); + + // Register as a "does-count" source now. 
+ iosource_mgr->Register(this, false); + + DBG_LOG(DBG_BROKER, "Listening on %s:%" PRIu16, + addr.empty() ? "INADDR_ANY" : addr.c_str(), port); + + return bound_port; + } + +void Manager::Peer(const string& addr, uint16_t port, double retry) + { + if ( bstate->endpoint.is_shutdown() ) + return; + + DBG_LOG(DBG_BROKER, "Starting to peer with %s:%" PRIu16, + addr.c_str(), port); + + auto e = getenv("BRO_DEFAULT_CONNECT_RETRY"); + + if ( e ) + retry = atoi(e); + + if ( retry > 0.0 && retry < 1.0 ) + // Ensure that it doesn't get turned into zero. + retry = 1.0; + + auto secs = broker::timeout::seconds(static_cast(retry)); + bstate->endpoint.peer_nosync(addr, port, secs); + + // // Register as a "does-count" source now. + iosource_mgr->Register(this, false); + } + +void Manager::Unpeer(const string& addr, uint16_t port) + { + if ( bstate->endpoint.is_shutdown() ) + return; + + DBG_LOG(DBG_BROKER, "Stopping to peer with %s:%" PRIu16, + addr.c_str(), port); + + FlushLogBuffers(); + bstate->endpoint.unpeer_nosync(addr, port); + } + +std::vector Manager::Peers() const + { + if ( bstate->endpoint.is_shutdown() ) + return {}; + + return bstate->endpoint.peers(); + } + +std::string Manager::NodeID() const + { + return to_string(bstate->endpoint.node_id()); + } + +bool Manager::PublishEvent(string topic, std::string name, broker::vector args) + { + if ( bstate->endpoint.is_shutdown() ) + return true; + + if ( peer_count == 0 ) + return true; + + DBG_LOG(DBG_BROKER, "Publishing event: %s", + RenderEvent(topic, name, args).c_str()); + broker::bro::Event ev(std::move(name), std::move(args)); + bstate->endpoint.publish(move(topic), std::move(ev)); + ++statistics.num_events_outgoing; return true; } -bool bro_broker::Manager::Event(std::string topic, RecordVal* args, Val* flags) +bool Manager::PublishEvent(string topic, RecordVal* args) { - if ( ! Enabled() ) - return false; + if ( bstate->endpoint.is_shutdown() ) + return true; + + if ( peer_count == 0 ) + return true; if ( ! 
args->Lookup(0) ) return false; auto event_name = args->Lookup(0)->AsString()->CheckString(); auto vv = args->Lookup(1)->AsVectorVal(); - broker::message msg; - msg.reserve(vv->Size() + 1); - msg.emplace_back(event_name); + broker::vector xs; + xs.reserve(vv->Size()); for ( auto i = 0u; i < vv->Size(); ++i ) { auto val = vv->Lookup(i)->AsRecordVal()->Lookup(0); auto data_val = static_cast(val); - msg.emplace_back(data_val->data); + xs.emplace_back(data_val->data); } - endpoint->send(move(topic), move(msg), send_flags_to_int(flags)); + return PublishEvent(topic, event_name, std::move(xs)); + } + +bool Manager::RelayEvent(std::string first_topic, + broker::set relay_topics, + std::string name, + broker::vector args, + bool handle_on_relayer) + { + if ( bstate->endpoint.is_shutdown() ) + return true; + + if ( peer_count == 0 ) + return true; + + DBG_LOG(DBG_BROKER, "Publishing %s-relay event: %s", + handle_on_relayer ? "handle" : "", + RenderEvent(first_topic, name, args).c_str()); + + if ( handle_on_relayer ) + { + broker::bro::HandleAndRelayEvent msg(std::move(relay_topics), + std::move(name), + std::move(args)); + bstate->endpoint.publish(std::move(first_topic), std::move(msg)); + } + else + { + broker::bro::RelayEvent msg(std::move(relay_topics), + std::move(name), + std::move(args)); + bstate->endpoint.publish(std::move(first_topic), std::move(msg)); + } + + ++statistics.num_events_outgoing; return true; } -bool bro_broker::Manager::AutoEvent(string topic, Val* event, Val* flags) +bool Manager::RelayEvent(std::string first_topic, + std::set relay_topics, + RecordVal* args, + bool handle_on_relayer) { - if ( ! Enabled() ) + if ( bstate->endpoint.is_shutdown() ) + return true; + + if ( peer_count == 0 ) + return true; + + if ( ! 
args->Lookup(0) ) return false; + auto event_name = args->Lookup(0)->AsString()->CheckString(); + auto vv = args->Lookup(1)->AsVectorVal(); + broker::vector xs; + xs.reserve(vv->Size()); + + for ( auto i = 0u; i < vv->Size(); ++i ) + { + auto val = vv->Lookup(i)->AsRecordVal()->Lookup(0); + auto data_val = static_cast(val); + xs.emplace_back(data_val->data); + } + + broker::set topic_set; + + for ( auto& t : relay_topics ) + topic_set.emplace(std::move(t)); + + return RelayEvent(first_topic, std::move(topic_set), event_name, + std::move(xs), handle_on_relayer); + } + +bool Manager::PublishIdentifier(std::string topic, std::string id) + { + if ( bstate->endpoint.is_shutdown() ) + return true; + + if ( peer_count == 0 ) + return true; + + ID* i = global_scope()->Lookup(id.c_str()); + + if ( ! i ) + return false; + + auto val = i->ID_Val(); + + if ( ! val ) + // Probably could have a special case to also unset the value on the + // receiving side, but not sure what use that would be. + return false; + + auto data = val_to_data(val); + + if ( ! data ) + { + Error("Failed to publish ID with unsupported type: %s (%s)", + id.c_str(), type_name(val->Type()->Tag())); + return false; + } + + broker::bro::IdentifierUpdate msg(move(id), move(*data)); + DBG_LOG(DBG_BROKER, "Publishing id-update: %s", + RenderMessage(topic, msg).c_str()); + bstate->endpoint.publish(move(topic), move(msg)); + ++statistics.num_ids_outgoing; + return true; + } + +bool Manager::PublishLogCreate(EnumVal* stream, EnumVal* writer, + const logging::WriterBackend::WriterInfo& info, + int num_fields, const threading::Field* const * fields, + const broker::endpoint_info& peer) + { + if ( bstate->endpoint.is_shutdown() ) + return true; + + if ( peer_count == 0 ) + return true; + + auto stream_id = stream->Type()->AsEnumType()->Lookup(stream->AsEnum()); + + if ( ! 
stream_id ) + { + reporter->Error("Failed to remotely log: stream %d doesn't have name", + stream->AsEnum()); + return false; + } + + auto writer_id = writer->Type()->AsEnumType()->Lookup(writer->AsEnum()); + + if ( ! writer_id ) + { + reporter->Error("Failed to remotely log: writer %d doesn't have name", + writer->AsEnum()); + return false; + } + + auto writer_info = info.ToBroker(); + + broker::vector fields_data; + fields_data.reserve(num_fields); + + for ( auto i = 0; i < num_fields; ++i ) + { + auto field_data = threading_field_to_data(fields[i]); + fields_data.push_back(move(field_data)); + } + + std::string topic = default_log_topic_prefix + stream_id; + auto bstream_id = broker::enum_value(move(stream_id)); + auto bwriter_id = broker::enum_value(move(writer_id)); + broker::bro::LogCreate msg(move(bstream_id), move(bwriter_id), move(writer_info), move(fields_data)); + + DBG_LOG(DBG_BROKER, "Publishing log creation: %s", RenderMessage(topic, msg).c_str()); + + if ( peer.node != NoPeer.node ) + // Direct message. + bstate->endpoint.publish(peer, move(topic), move(msg)); + else + // Broadcast. + bstate->endpoint.publish(move(topic), move(msg)); + + return true; + } + +bool Manager::PublishLogWrite(EnumVal* stream, EnumVal* writer, string path, int num_fields, const threading::Value* const * vals) + { + if ( bstate->endpoint.is_shutdown() ) + return true; + + if ( peer_count == 0 ) + return true; + + auto stream_id_num = stream->AsEnum(); + auto stream_id = stream->Type()->AsEnumType()->Lookup(stream_id_num); + + if ( ! stream_id ) + { + reporter->Error("Failed to remotely log: stream %d doesn't have name", + stream->AsEnum()); + return false; + } + + auto writer_id = writer->Type()->AsEnumType()->Lookup(writer->AsEnum()); + + if ( ! 
writer_id ) + { + reporter->Error("Failed to remotely log: writer %d doesn't have name", + writer->AsEnum()); + return false; + } + + BinarySerializationFormat fmt; + char* data; + int len; + + fmt.StartWrite(); + + bool success = fmt.Write(num_fields, "num_fields"); + + if ( ! success ) + { + reporter->Error("Failed to remotely log stream %s: num_fields serialization failed", stream_id); + return false; + } + + for ( int i = 0; i < num_fields; ++i ) + { + if ( ! vals[i]->Write(&fmt) ) + { + reporter->Error("Failed to remotely log stream %s: field %d serialization failed", stream_id, i); + return false; + } + } + + len = fmt.EndWrite(&data); + std::string serial_data(data, len); + free(data); + + val_list vl(2); + vl.append(stream->Ref()); + vl.append(new StringVal(path)); + Val* v = log_topic_func->Call(&vl); + + if ( ! v ) + { + reporter->Error("Failed to remotely log: log_topic func did not return" + " a value for stream %s at path %s", stream_id, + path.data()); + return false; + } + + std::string topic = v->AsString()->CheckString(); + Unref(v); + + auto bstream_id = broker::enum_value(move(stream_id)); + auto bwriter_id = broker::enum_value(move(writer_id)); + broker::bro::LogWrite msg(move(bstream_id), move(bwriter_id), move(path), + move(serial_data)); + + DBG_LOG(DBG_BROKER, "Buffering log record: %s", RenderMessage(topic, msg).c_str()); + + if ( log_buffers.size() <= (unsigned int)stream_id_num ) + log_buffers.resize(stream_id_num + 1); + + auto& lb = log_buffers[stream_id_num]; + ++lb.message_count; + auto& pending_batch = lb.msgs[topic]; + pending_batch.emplace_back(std::move(msg)); + + if ( lb.message_count >= LOG_BATCH_SIZE || + (network_time - lb.last_flush >= LOG_BUFFER_INTERVAL) ) + statistics.num_logs_outgoing += lb.Flush(bstate->endpoint); + + return true; + } + +size_t Manager::LogBuffer::Flush(broker::endpoint& endpoint) + { + if ( endpoint.is_shutdown() ) + return 0; + + if ( ! message_count ) + // No logs buffered for this stream. 
+ return 0; + + for ( auto& kv : msgs ) + { + auto& topic = kv.first; + auto& pending_batch = kv.second; + broker::vector batch; + batch.reserve(LOG_BATCH_SIZE + 1); + pending_batch.swap(batch); + broker::bro::Batch msg(std::move(batch)); + endpoint.publish(topic, move(msg)); + } + + auto rval = message_count; + last_flush = network_time; + message_count = 0; + return rval; + } + +size_t Manager::FlushLogBuffers() + { + DBG_LOG(DBG_BROKER, "Flushing all log buffers"); + auto rval = 0u; + + for ( auto& lb : log_buffers ) + rval += lb.Flush(bstate->endpoint); + + return rval; + } + +void Manager::Error(const char* format, ...) + { + va_list args; + va_start(args, format); + auto msg = fmt(format, args); + va_end(args); + + if ( script_scope ) + builtin_error(msg); + else + reporter->Error("%s", msg); + } + +bool Manager::AutoPublishEvent(string topic, Val* event) + { if ( event->Type()->Tag() != TYPE_FUNC ) { - reporter->Error("Broker::auto_event must operate on an event"); + Error("Broker::auto_publish must operate on an event"); + return false; + } + + auto event_val = event->AsFunc(); + if ( event_val->Flavor() != FUNC_FLAVOR_EVENT ) + { + Error("Broker::auto_publish must operate on an event"); + return false; + } + + auto handler = event_registry->Lookup(event_val->Name()); + if ( ! handler ) + { + Error("Broker::auto_publish failed to lookup event '%s'", + event_val->Name()); + return false; + } + + DBG_LOG(DBG_BROKER, "Enabling auto-publising of event %s to topic %s", handler->Name(), topic.c_str()); + handler->AutoPublish(move(topic)); + + return true; + } + +bool Manager::AutoUnpublishEvent(const string& topic, Val* event) + { + if ( event->Type()->Tag() != TYPE_FUNC ) + { + Error("Broker::auto_event_stop must operate on an event"); return false; } 
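Review bot: Manager::Error passes its `va_list` to `fmt(format, args)`, but `fmt` is used everywhere else in this hunk as a printf-style variadic (see the RenderMessage helpers). Unless an overload taking a `va_list` exists outside the hunk, the conversions in `format` are therefore read from the wrong arguments. Every new caller that supplies `%s` or `%d` would then print garbage or read through an invalid pointer on exactly the error paths; that covers the Listen failure, PublishIdentifier and the Error calls in the MakeEvent hunks further down. Format with a va_list-aware call instead, e.g. `char msg[512];` followed by `vsnprintf(msg, sizeof(msg), format, args);`, accepting truncation of very long messages, and keep passing the result as an argument (`reporter->Error("%s", msg)`) rather than as a format string.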
@@ -298,7 +750,7 @@ bool bro_broker::Manager::AutoEvent(string topic, Val* event, Val* flags) if ( event_val->Flavor() != FUNC_FLAVOR_EVENT ) { - reporter->Error("Broker::auto_event must operate on an event"); + Error("Broker::auto_event_stop must operate on an event"); return false; } @@ -306,57 +758,25 @@ bool bro_broker::Manager::AutoEvent(string topic, Val* event, Val* flags) if ( ! handler ) { - reporter->Error("Broker::auto_event failed to lookup event '%s'", - event_val->Name()); + Error("Broker::auto_event_stop failed to lookup event '%s'", + event_val->Name()); return false; } - handler->AutoRemote(move(topic), send_flags_to_int(flags)); + + DBG_LOG(DBG_BROKER, "Disabling auto-publishing of event %s to topic %s", handler->Name(), topic.c_str()); + handler->AutoUnpublish(topic); + return true; } -bool bro_broker::Manager::AutoEventStop(const string& topic, Val* event) +RecordVal* Manager::MakeEvent(val_list* args, Frame* frame) { - if ( ! Enabled() ) - return false; - - if ( event->Type()->Tag() != TYPE_FUNC ) - { - reporter->Error("Broker::auto_event_stop must operate on an event"); - return false; - } - - auto event_val = event->AsFunc(); - - if ( event_val->Flavor() != FUNC_FLAVOR_EVENT ) - { - reporter->Error("Broker::auto_event_stop must operate on an event"); - return false; - } - - auto handler = event_registry->Lookup(event_val->Name()); - - if ( ! handler ) - { - reporter->Error("Broker::auto_event_stop failed to lookup event '%s'", - event_val->Name()); - return false; - } - - - handler->AutoRemoteStop(topic); - return true; - } - -RecordVal* bro_broker::Manager::MakeEventArgs(val_list* args) - { - if ( ! Enabled() ) - return nullptr; - - auto rval = new RecordVal(BifType::Record::Broker::EventArgs); + auto rval = new RecordVal(BifType::Record::Broker::Event); auto arg_vec = new VectorVal(vector_of_data_type); rval->Assign(1, arg_vec); Func* func = 0; + scoped_reporter_location srl{frame}; for ( auto i = 0; i < args->length(); ++i ) { 
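Review bot: The messages in AutoUnpublishEvent still name `Broker::auto_event_stop`, while the sibling AutoPublishEvent was updated to say `Broker::auto_publish`. This applies to the line added in `@@ -298,7 +750,7 @@`, to the lookup-failure message in `@@ -306,57 +758,25 @@`, and to the first check at the end of the previous hunk. Presumably the script-level function was renamed along with the method, so an operator reading the error would search for a name that no longer exists. After confirming the new script-level name, use it in all three, e.g. `Error("Broker::auto_unpublish must operate on an event");`. The function starts in the previous hunk.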
@@ -368,7 +788,7 @@ RecordVal* bro_broker::Manager::MakeEventArgs(val_list* args) if ( arg_val->Type()->Tag() != TYPE_FUNC ) { - reporter->Error("1st param of Broker::event_args must be event"); + Error("attempt to convert non-event into an event type"); return rval; } @@ -376,7 +796,7 @@ RecordVal* bro_broker::Manager::MakeEventArgs(val_list* args) if ( func->Flavor() != FUNC_FLAVOR_EVENT ) { - reporter->Error("1st param of Broker::event_args must be event"); + Error("attempt to convert non-event into an event type"); return rval; } @@ -384,8 +804,8 @@ RecordVal* bro_broker::Manager::MakeEventArgs(val_list* args) if ( num_args != args->length() - 1 ) { - reporter->Error("bad # of Broker::event_args: got %d, expect %d", - args->length(), num_args + 1); + Error("bad # of arguments: got %d, expect %d", + args->length(), num_args + 1); return rval; } @@ -393,22 +813,34 @@ RecordVal* bro_broker::Manager::MakeEventArgs(val_list* args) continue; } + auto got_type = (*args)[i]->Type(); auto expected_type = (*func->FType()->ArgTypes()->Types())[i - 1]; - if ( ! same_type((*args)[i]->Type(), expected_type) ) + if ( ! same_type(got_type, expected_type) ) { rval->Assign(0, 0); - reporter->Error("Broker::event_args param %d type mismatch", i); + Error("event parameter #%d type mismatch, got %s, expect %s", i, + type_name(got_type->Tag()), + type_name(expected_type->Tag())); return rval; } - auto data_val = make_data_val((*args)[i]); + RecordVal* data_val; + + if ( same_type(got_type, bro_broker::DataVal::ScriptDataType()) ) + { + data_val = (*args)[i]->AsRecordVal(); + Ref(data_val); + } + else + data_val = make_data_val((*args)[i]); if ( ! data_val->Lookup(0) ) { Unref(data_val); rval->Assign(0, 0); - reporter->Error("Broker::event_args unsupported event/params"); + Error("failed to convert param #%d of type %s to broker data", + i, type_name(got_type->Tag())); return rval; } 
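Review bot: The new mismatch message in `@@ -393,22 +813,34 @@` prints only `type_name(got_type->Tag())` and `type_name(expected_type->Tag())`, so two different record, table or vector types that fail `same_type` would presumably be reported with identical tags, along the lines of "got record, expect record". That hides the one detail a script author needs to fix the call. Consider appending the type's own name where it has one, or add a comment such as `// tags only: distinct record types print the same name here` so the limitation is documented. MakeEvent starts in an earlier hunk and continues past this one.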
@@ -418,665 +850,731 @@ RecordVal* bro_broker::Manager::MakeEventArgs(val_list* args) return rval; } -bool bro_broker::Manager::SubscribeToPrints(string topic_prefix) +bool Manager::Subscribe(const string& topic_prefix) { - if ( ! Enabled() ) - return false; - - auto& q = print_subscriptions[topic_prefix].q; - - if ( q ) - return false; - - q = broker::message_queue(move(topic_prefix), *endpoint); + DBG_LOG(DBG_BROKER, "Subscribing to topic prefix %s", topic_prefix.c_str()); + bstate->subscriber.add_topic(topic_prefix, ! after_bro_init); return true; } -bool bro_broker::Manager::UnsubscribeToPrints(const string& topic_prefix) +bool Manager::Unsubscribe(const string& topic_prefix) { - if ( ! Enabled() ) - return false; - - return print_subscriptions.erase(topic_prefix); - } - -bool bro_broker::Manager::SubscribeToEvents(string topic_prefix) - { - if ( ! Enabled() ) - return false; - - auto& q = event_subscriptions[topic_prefix].q; - - if ( q ) - return false; - - q = broker::message_queue(move(topic_prefix), *endpoint); + DBG_LOG(DBG_BROKER, "Unsubscribing from topic prefix %s", topic_prefix.c_str()); + bstate->subscriber.remove_topic(topic_prefix, ! after_bro_init); return true; } -bool bro_broker::Manager::UnsubscribeToEvents(const string& topic_prefix) - { - if ( ! Enabled() ) - return false; - - return event_subscriptions.erase(topic_prefix); - } - -bool bro_broker::Manager::SubscribeToLogs(string topic_prefix) - { - if ( ! Enabled() ) - return false; - - auto& q = log_subscriptions[topic_prefix].q; - - if ( q ) - return false; - - q = broker::message_queue(move(topic_prefix), *endpoint); - return true; - } - -bool bro_broker::Manager::UnsubscribeToLogs(const string& topic_prefix) - { - if ( ! Enabled() ) - return false; - - return log_subscriptions.erase(topic_prefix); - } - -bool bro_broker::Manager::PublishTopic(broker::topic t) - { - if ( ! 
Enabled() ) - return false; - - endpoint->publish(move(t)); - return true; - } - -bool bro_broker::Manager::UnpublishTopic(broker::topic t) - { - if ( ! Enabled() ) - return false; - - endpoint->unpublish(move(t)); - return true; - } - -bool bro_broker::Manager::AdvertiseTopic(broker::topic t) - { - if ( ! Enabled() ) - return false; - - endpoint->advertise(move(t)); - return true; - } - -bool bro_broker::Manager::UnadvertiseTopic(broker::topic t) - { - if ( ! Enabled() ) - return false; - - endpoint->unadvertise(move(t)); - return true; - } - -int bro_broker::Manager::send_flags_to_int(Val* flags) - { - auto r = flags->AsRecordVal(); - int rval = 0; - Val* self_flag = r->LookupWithDefault(send_flags_self_idx); - Val* peers_flag = r->LookupWithDefault(send_flags_peers_idx); - Val* unsolicited_flag = r->LookupWithDefault(send_flags_unsolicited_idx); - - if ( self_flag->AsBool() ) - rval |= broker::SELF; - - if ( peers_flag->AsBool() ) - rval |= broker::PEERS; - - if ( unsolicited_flag->AsBool() ) - rval |= broker::UNSOLICITED; - - Unref(self_flag); - Unref(peers_flag); - Unref(unsolicited_flag); - return rval; - } - -void bro_broker::Manager::GetFds(iosource::FD_Set* read, iosource::FD_Set* write, +void Manager::GetFds(iosource::FD_Set* read, iosource::FD_Set* write, iosource::FD_Set* except) { - read->Insert(endpoint->outgoing_connection_status().fd()); - read->Insert(endpoint->incoming_connection_status().fd()); + if ( bstate->status_subscriber.available() || bstate->subscriber.available() ) + SetIdle(false); - for ( const auto& ps : print_subscriptions ) - read->Insert(ps.second.q.fd()); + read->Insert(bstate->subscriber.fd()); + read->Insert(bstate->status_subscriber.fd()); + write->Insert(bstate->subscriber.fd()); + write->Insert(bstate->status_subscriber.fd()); + except->Insert(bstate->subscriber.fd()); + except->Insert(bstate->status_subscriber.fd()); - for ( const auto& ps : event_subscriptions ) - read->Insert(ps.second.q.fd()); - - for ( const auto& ps : 
log_subscriptions ) - read->Insert(ps.second.q.fd()); - - for ( const auto& s : data_stores ) - read->Insert(s.second->store->responses().fd()); - - read->Insert(broker::report::default_queue->fd()); + for ( auto& x : data_stores ) + read->Insert(x.second->proxy.mailbox().descriptor()); } -double bro_broker::Manager::NextTimestamp(double* local_network_time) +double Manager::NextTimestamp(double* local_network_time) { - if ( next_timestamp < 0 ) - next_timestamp = timer_mgr->Time(); + if ( ! IsIdle() ) + return timer_mgr->Time(); - return next_timestamp; + if ( bstate->status_subscriber.available() || bstate->subscriber.available() ) + return timer_mgr->Time(); + + for ( auto& s : data_stores ) + { + if ( ! s.second->proxy.mailbox().empty() ) + return timer_mgr->Time(); + } + + return -1; } -struct response_converter { - using result_type = RecordVal*; - broker::store::query::tag query_tag; - - result_type operator()(bool d) - { - switch ( query_tag ) { - case broker::store::query::tag::pop_left: - case broker::store::query::tag::pop_right: - case broker::store::query::tag::lookup: - // A boolean result means the key doesn't exist (if it did, then - // the result would contain the broker::data value, not a bool). 
- return new RecordVal(BifType::Record::Broker::Data); - default: - return bro_broker::make_data_val(broker::data{d}); - } - } - - result_type operator()(uint64_t d) - { - return bro_broker::make_data_val(broker::data{d}); - } - - result_type operator()(broker::data& d) - { - return bro_broker::make_data_val(move(d)); - } - - result_type operator()(std::vector& d) - { - return bro_broker::make_data_val(broker::data{move(d)}); - } - - result_type operator()(broker::store::snapshot& d) - { - broker::table table; - - for ( auto& item : d.entries ) - { - auto& key = item.first; - auto& val = item.second.item; - table[move(key)] = move(val); - } - - return bro_broker::make_data_val(broker::data{move(table)}); - } -}; - -static RecordVal* response_to_val(broker::store::response r) +void Manager::DispatchMessage(broker::data msg) { - return broker::visit(response_converter{r.request.type}, r.reply.value); + switch ( broker::bro::Message::type(msg) ) { + case broker::bro::Message::Type::Event: + ProcessEvent(std::move(msg)); + break; + + case broker::bro::Message::Type::RelayEvent: + ProcessRelayEvent(std::move(msg)); + break; + + case broker::bro::Message::Type::HandleAndRelayEvent: + ProcessHandleAndRelayEvent(std::move(msg)); + break; + + case broker::bro::Message::Type::LogCreate: + ProcessLogCreate(std::move(msg)); + break; + + case broker::bro::Message::Type::LogWrite: + ProcessLogWrite(std::move(msg)); + break; + + case broker::bro::Message::Type::IdentifierUpdate: + ProcessIdentifierUpdate(std::move(msg)); + break; + + case broker::bro::Message::Type::Batch: + { + broker::bro::Batch batch(std::move(msg)); + + for ( auto& i : batch.batch() ) + DispatchMessage(std::move(i)); + + break; + } + + default: + // We ignore unknown types so that we could add more in the + // future if we had too. 
+ break; + } } -void bro_broker::Manager::Process() +void Manager::Process() { - auto outgoing_connection_updates = - endpoint->outgoing_connection_status().want_pop(); - auto incoming_connection_updates = - endpoint->incoming_connection_status().want_pop(); + bool had_input = false; - statistics.outgoing_conn_status_count += outgoing_connection_updates.size(); - statistics.incoming_conn_status_count += incoming_connection_updates.size(); + auto status_msgs = bstate->status_subscriber.poll(); - for ( auto& u : outgoing_connection_updates ) + for ( auto& status_msg : status_msgs ) { - switch ( u.status ) { - case broker::outgoing_connection_status::tag::established: - if ( Broker::outgoing_connection_established ) - { - val_list* vl = new val_list; - vl->append(new StringVal(u.relation.remote_tuple().first)); - vl->append(new PortVal(u.relation.remote_tuple().second, - TRANSPORT_TCP)); - vl->append(new StringVal(u.peer_name)); - mgr.QueueEvent(Broker::outgoing_connection_established, vl); - } - break; + had_input = true; - case broker::outgoing_connection_status::tag::disconnected: - if ( Broker::outgoing_connection_broken ) - { - val_list* vl = new val_list; - vl->append(new StringVal(u.relation.remote_tuple().first)); - vl->append(new PortVal(u.relation.remote_tuple().second, - TRANSPORT_TCP)); - mgr.QueueEvent(Broker::outgoing_connection_broken, vl); - } - break; - - case broker::outgoing_connection_status::tag::incompatible: - if ( Broker::outgoing_connection_incompatible ) - { - val_list* vl = new val_list; - vl->append(new StringVal(u.relation.remote_tuple().first)); - vl->append(new PortVal(u.relation.remote_tuple().second, - TRANSPORT_TCP)); - mgr.QueueEvent(Broker::outgoing_connection_incompatible, vl); - } - break; - - default: - reporter->InternalWarning( - "unknown broker::outgoing_connection_status::tag : %d", - static_cast(u.status)); - break; - } - } - - for ( auto& u : incoming_connection_updates ) - { - switch ( u.status ) { - case 
broker::incoming_connection_status::tag::established: - if ( Broker::incoming_connection_established ) - { - val_list* vl = new val_list; - vl->append(new StringVal(u.peer_name)); - mgr.QueueEvent(Broker::incoming_connection_established, vl); - } - break; - - case broker::incoming_connection_status::tag::disconnected: - if ( Broker::incoming_connection_broken ) - { - val_list* vl = new val_list; - vl->append(new StringVal(u.peer_name)); - mgr.QueueEvent(Broker::incoming_connection_broken, vl); - } - break; - - default: - reporter->InternalWarning( - "unknown broker::incoming_connection_status::tag : %d", - static_cast(u.status)); - break; - } - } - - for ( auto& ps : print_subscriptions ) - { - auto print_messages = ps.second.q.want_pop(); - - if ( print_messages.empty() ) - continue; - - ps.second.received += print_messages.size(); - - if ( ! Broker::print_handler ) - continue; - - for ( auto& pm : print_messages ) + if ( auto stat = caf::get_if(&status_msg) ) { - if ( pm.size() != 1 ) - { - reporter->Warning("got print message of invalid size: %zd", - pm.size()); - continue; - } - - std::string* msg = broker::get(pm[0]); - - if ( ! 
msg ) - { - reporter->Warning("got print message of invalid type: %d", - static_cast(broker::which(pm[0]))); - continue; - } - - val_list* vl = new val_list; - vl->append(new StringVal(move(*msg))); - mgr.QueueEvent(Broker::print_handler, vl); + ProcessStatus(std::move(*stat)); + continue; } + + if ( auto err = caf::get_if(&status_msg) ) + { + ProcessError(std::move(*err)); + continue; + } + + reporter->InternalWarning("ignoring status_subscriber message with unexpected type"); } - for ( auto& es : event_subscriptions ) + auto messages = bstate->subscriber.poll(); + + for ( auto& message : messages ) { - auto event_messages = es.second.q.want_pop(); + had_input = true; - if ( event_messages.empty() ) - continue; + auto& topic = message.first; + auto& msg = message.second; - es.second.received += event_messages.size(); - - for ( auto& em : event_messages ) + try { - if ( em.empty() ) - { - reporter->Warning("got empty event message"); - continue; - } - - std::string* event_name = broker::get(em[0]); - - if ( ! event_name ) - { - reporter->Warning("got event message w/o event name: %d", - static_cast(broker::which(em[0]))); - continue; - } - - EventHandlerPtr ehp = event_registry->Lookup(event_name->data()); - - if ( ! 
ehp ) - continue; - - auto arg_types = ehp->FType()->ArgTypes()->Types(); - - if ( static_cast(arg_types->length()) != em.size() - 1 ) - { - reporter->Warning("got event message with invalid # of args," - " got %zd, expected %d", em.size() - 1, - arg_types->length()); - continue; - } - - val_list* vl = new val_list; - - for ( auto i = 1u; i < em.size(); ++i ) - { - auto val = data_to_val(move(em[i]), (*arg_types)[i - 1]); - - if ( val ) - vl->append(val); - else - { - reporter->Warning("failed to convert remote event arg # %d", - i - 1); - break; - } - } - - if ( static_cast(vl->length()) == em.size() - 1 ) - mgr.QueueEvent(ehp, vl); - else - delete_vals(vl); + DispatchMessage(std::move(msg)); + } + catch ( std::runtime_error& e ) + { + reporter->Warning("ignoring invalid Broker message: %s", + e.what()); + continue; } } - struct unref_guard { - unref_guard(Val* v) : val(v) {} - ~unref_guard() { Unref(val); } - Val* val; - }; - - for ( auto& ls : log_subscriptions ) + for ( auto& s : data_stores ) { - auto log_messages = ls.second.q.want_pop(); - - if ( log_messages.empty() ) - continue; - - ls.second.received += log_messages.size(); - - for ( auto& lm : log_messages ) + while ( ! s.second->proxy.mailbox().empty() ) { - if ( lm.size() != 2 ) - { - reporter->Warning("got bad remote log size: %zd (expect 2)", - lm.size()); - continue; - } - - if ( ! broker::get(lm[0]) ) - { - reporter->Warning("got remote log w/o stream id: %d", - static_cast(broker::which(lm[0]))); - continue; - } - - if ( ! broker::get(lm[1]) ) - { - reporter->Warning("got remote log w/o columns: %d", - static_cast(broker::which(lm[1]))); - continue; - } - - auto stream_id = data_to_val(move(lm[0]), log_id_type); - - if ( ! stream_id ) - { - reporter->Warning("failed to unpack remote log stream id"); - continue; - } - - unref_guard stream_id_unreffer{stream_id}; - auto columns_type = log_mgr->StreamColumns(stream_id->AsEnumVal()); - - if ( ! 
columns_type ) - { - reporter->Warning("got remote log for unknown stream: %s", - stream_id->Type()->AsEnumType()->Lookup( - stream_id->AsEnum())); - continue; - } - - auto columns = data_to_val(move(lm[1]), columns_type, true); - - if ( ! columns ) - { - reporter->Warning("failed to unpack remote log stream columns" - " for stream: %s", - stream_id->Type()->AsEnumType()->Lookup( - stream_id->AsEnum())); - continue; - } - - log_mgr->Write(stream_id->AsEnumVal(), columns->AsRecordVal()); - Unref(columns); + had_input = true; + auto response = s.second->proxy.receive(); + ProcessStoreResponse(s.second, move(response)); } } - for ( const auto& s : data_stores ) - { - auto responses = s.second->store->responses().want_pop(); - - if ( responses.empty() ) - continue; - - statistics.report_count += responses.size(); - - for ( auto& response : responses ) - { - auto ck = static_cast(response.cookie); - auto it = pending_queries.find(ck); - - if ( it == pending_queries.end() ) - { - reporter->Warning("unmatched response to query on store %s", - s.second->store->id().data()); - continue; - } - - auto query = *it; - - if ( query->Disabled() ) - { - // Trigger timer must have timed the query out already. - delete query; - pending_queries.erase(it); - continue; - } - - switch ( response.reply.stat ) { - case broker::store::result::status::timeout: - // Fine, trigger's timeout takes care of things. 
- break; - case broker::store::result::status::failure: - query->Result(query_result()); - break; - case broker::store::result::status::success: - query->Result(query_result(response_to_val(move(response)))); - break; - default: - reporter->InternalWarning("unknown store response status: %d", - static_cast(response.reply.stat)); - break; - } - - delete query; - pending_queries.erase(it); - } - } - - auto reports = broker::report::default_queue->want_pop(); - statistics.report_count += reports.size(); - - for ( auto& report : reports ) - { - if ( report.size() < 2 ) - { - reporter->Warning("got broker report msg of size %zu, expect 4", - report.size()); - continue; - } - - uint64_t* level = broker::get(report[1]); - - if ( ! level ) - { - reporter->Warning("got broker report msg w/ bad level type: %d", - static_cast(broker::which(report[1]))); - continue; - } - - auto lvl = static_cast(*level); - - switch ( lvl ) { - case broker::report::level::debug: - DBG_LOG(DBG_BROKER, broker::to_string(report).data()); - break; - case broker::report::level::info: - reporter->Info("broker info: %s", - broker::to_string(report).data()); - break; - case broker::report::level::warn: - reporter->Warning("broker warning: %s", - broker::to_string(report).data()); - break; - case broker::report::level::error: - reporter->Error("broker error: %s", - broker::to_string(report).data()); - break; - } - } - - next_timestamp = -1; + SetIdle(! had_input); } -bool bro_broker::Manager::AddStore(StoreHandleVal* handle) + +void Manager::ProcessEvent(std::string name, broker::vector args) { - if ( ! Enabled() ) + DBG_LOG(DBG_BROKER, "Process event: %s %s", + name.data(), RenderMessage(args).data()); + ++statistics.num_events_incoming; + auto handler = event_registry->Lookup(name.data()); + + if ( ! 
handler ) + return; + + auto arg_types = handler->FType(false)->ArgTypes()->Types(); + + if ( static_cast(arg_types->length()) != args.size() ) + { + reporter->Warning("got event message '%s' with invalid # of args," + " got %zd, expected %d", name.data(), args.size(), + arg_types->length()); + return; + } + + auto vl = new val_list; + + for ( auto i = 0u; i < args.size(); ++i ) + { + auto got_type = args[i].get_type_name(); + auto expected_type = (*arg_types)[i]; + auto val = data_to_val(std::move(args[i]), expected_type); + + if ( val ) + vl->append(val); + else + { + reporter->Warning("failed to convert remote event '%s' arg #%d," + " got %s, expected %s", + name.data(), i, got_type, + type_name(expected_type->Tag())); + break; + } + } + + if ( static_cast(vl->length()) == args.size() ) + mgr.QueueEvent(handler, vl, SOURCE_BROKER); + else + delete_vals(vl); + } + +void Manager::ProcessEvent(broker::bro::Event ev) + { + ProcessEvent(std::move(ev.name()), std::move(ev.args())); + } + +void Manager::ProcessRelayEvent(broker::bro::RelayEvent ev) + { + DBG_LOG(DBG_BROKER, "Received relay event: %s", RenderMessage(ev).c_str()); + ++statistics.num_events_incoming; + + for ( auto& t : ev.topics() ) + PublishEvent(std::move(caf::get(t)), + std::move(ev.name()), + std::move(ev.args())); + } + +void Manager::ProcessHandleAndRelayEvent(broker::bro::HandleAndRelayEvent ev) + { + DBG_LOG(DBG_BROKER, "Received handle-relay event: %s", + RenderMessage(ev).c_str()); + ProcessEvent(ev.name(), ev.args()); + + for ( auto& t : ev.topics() ) + PublishEvent(std::move(caf::get(t)), + std::move(ev.name()), + std::move(ev.args())); + } + +bool bro_broker::Manager::ProcessLogCreate(broker::bro::LogCreate lc) + { + DBG_LOG(DBG_BROKER, "Received log-create: %s", RenderMessage(lc).c_str()); + + auto stream_id = data_to_val(std::move(lc.stream_id()), log_id_type); + if ( ! stream_id ) + { + reporter->Warning("failed to unpack remote log stream id"); return false; + } - if ( ! 
handle->store ) + unref_guard stream_id_unreffer{stream_id}; + + auto writer_id = data_to_val(std::move(lc.writer_id()), writer_id_type); + if ( ! writer_id ) + { + reporter->Warning("failed to unpack remote log writer id"); return false; + } - auto key = make_pair(handle->store->id(), handle->store_type); + unref_guard writer_id_unreffer{writer_id}; - if ( data_stores.find(key) != data_stores.end() ) + auto writer_info = std::unique_ptr(new logging::WriterBackend::WriterInfo); + if ( ! writer_info->FromBroker(std::move(lc.writer_info())) ) + { + reporter->Warning("failed to unpack remote log writer info"); return false; + } - data_stores[key] = handle; - Ref(handle); + // Get log fields. + auto fields_data = caf::get_if(&lc.fields_data()); + + if ( ! fields_data ) + { + reporter->Warning("failed to unpack remote log fields"); + return false; + } + + auto num_fields = fields_data->size(); + auto fields = new threading::Field* [num_fields]; + + for ( auto i = 0u; i < num_fields; ++i ) + { + if ( auto field = data_to_threading_field(std::move((*fields_data)[i])) ) + fields[i] = field; + else + { + reporter->Warning("failed to convert remote log field # %d", i); + delete [] fields; + return false; + } + } + + if ( ! log_mgr->CreateWriterForRemoteLog(stream_id->AsEnumVal(), writer_id->AsEnumVal(), writer_info.get(), num_fields, fields) ) + { + ODesc d; + stream_id->Describe(&d); + reporter->Warning("failed to create remote log stream for %s locally", d.Description()); + } + + writer_info.release(); // log_mgr took ownership. return true; } -bro_broker::StoreHandleVal* -bro_broker::Manager::LookupStore(const broker::store::identifier& id, - bro_broker::StoreType type) +bool bro_broker::Manager::ProcessLogWrite(broker::bro::LogWrite lw) { - if ( ! 
Enabled() ) - return nullptr; + DBG_LOG(DBG_BROKER, "Received log-write: %s", RenderMessage(lw).c_str()); - auto key = make_pair(id, type); - auto it = data_stores.find(key); + ++statistics.num_logs_incoming; + auto& stream_id_name = lw.stream_id().name; - if ( it == data_stores.end() ) - return nullptr; + // Get stream ID. + auto stream_id = data_to_val(std::move(lw.stream_id()), log_id_type); - return it->second; + if ( ! stream_id ) + { + reporter->Warning("failed to unpack remote log stream id: %s", + stream_id_name.data()); + return false; + } + + unref_guard stream_id_unreffer{stream_id}; + + // Get writer ID. + auto writer_id = data_to_val(std::move(lw.writer_id()), writer_id_type); + if ( ! writer_id ) + { + reporter->Warning("failed to unpack remote log writer id for stream: %s", stream_id_name.data()); + return false; + } + + unref_guard writer_id_unreffer{writer_id}; + auto path = caf::get_if(&lw.path()); + + if ( ! path ) + { + reporter->Warning("failed to unpack remote log values (bad path variant) for stream: %s", stream_id_name.data()); + return false; + } + + auto serial_data = caf::get_if(&lw.serial_data()); + + if ( ! serial_data ) + { + reporter->Warning("failed to unpack remote log values (bad serial_data variant) for stream: %s", stream_id_name.data()); + return false; + } + + BinarySerializationFormat fmt; + fmt.StartRead(serial_data->data(), serial_data->size()); + + int num_fields; + bool success = fmt.Read(&num_fields, "num_fields"); + + if ( ! success ) + { + reporter->Warning("failed to unserialize remote log num fields for stream: %s", stream_id_name.data()); + return false; + } + + auto vals = new threading::Value* [num_fields]; + + for ( int i = 0; i < num_fields; ++i ) + { + vals[i] = new threading::Value; + + if ( ! 
vals[i]->Read(&fmt) ) + { + for ( int j = 0; j <=i; ++j ) + delete vals[j]; + + delete [] vals; + reporter->Warning("failed to unserialize remote log field %d for stream: %s", i, stream_id_name.data()); + + return false; + } + } + + log_mgr->WriteFromRemote(stream_id->AsEnumVal(), writer_id->AsEnumVal(), + std::move(*path), num_fields, vals); + fmt.EndRead(); + return true; } -bool bro_broker::Manager::CloseStore(const broker::store::identifier& id, - StoreType type) +bool Manager::ProcessIdentifierUpdate(broker::bro::IdentifierUpdate iu) { - if ( ! Enabled() ) - return false; + DBG_LOG(DBG_BROKER, "Received id-update: %s", RenderMessage(iu).c_str()); + ++statistics.num_ids_incoming; + auto id_name = std::move(iu.id_name()); + auto id_value = std::move(iu.id_value()); + auto id = global_scope()->Lookup(id_name.c_str()); - auto key = make_pair(id, type); - auto it = data_stores.find(key); - - if ( it == data_stores.end() ) - return false; - - for ( auto it = pending_queries.begin(); it != pending_queries.end(); ) + if ( ! id ) { - auto query = *it; + reporter->Warning("Received id-update request for unkown id: %s", + id_name.c_str()); + return false; + } - if ( query->GetStoreType() == type && query->StoreID() == id ) + auto val = data_to_val(std::move(id_value), id->Type()); + + if ( ! 
val ) + { + reporter->Error("Failed to receive ID with unsupported type: %s (%s)", + id_name.c_str(), type_name(id->Type()->Tag())); + return false; + } + + id->SetVal(val); + return true; + } + +void Manager::ProcessStatus(broker::status stat) + { + DBG_LOG(DBG_BROKER, "Received status message: %s", RenderMessage(stat).c_str()); + + auto ctx = stat.context(); + + EventHandlerPtr event; + switch (stat.code()) { + case broker::sc::unspecified: + event = Broker::status; + break; + + case broker::sc::peer_added: + ++peer_count; + assert(ctx); + log_mgr->SendAllWritersTo(*ctx); + event = Broker::peer_added; + break; + + case broker::sc::peer_removed: + --peer_count; + event = Broker::peer_removed; + break; + + case broker::sc::peer_lost: + --peer_count; + event = Broker::peer_lost; + break; + } + + auto ei = internal_type("Broker::EndpointInfo")->AsRecordType(); + auto endpoint_info = new RecordVal(ei); + + if ( ctx ) + { + endpoint_info->Assign(0, new StringVal(to_string(ctx->node))); + auto ni = internal_type("Broker::NetworkInfo")->AsRecordType(); + auto network_info = new RecordVal(ni); + + if ( ctx->network ) { - it = pending_queries.erase(it); - query->Abort(); - delete query; + network_info->Assign(0, new StringVal(ctx->network->address.data())); + network_info->Assign(1, port_mgr->Get(ctx->network->port, TRANSPORT_TCP)); } else - ++it; + { + // TODO: are there any status messages where the ctx->network + // is not set and actually could be? + network_info->Assign(0, new StringVal("")); + network_info->Assign(1, port_mgr->Get(0, TRANSPORT_TCP)); + } + + endpoint_info->Assign(1, network_info); } - delete it->second->store; - it->second->store = nullptr; - Unref(it->second); - data_stores.erase(it); + auto str = stat.message(); + auto msg = new StringVal(str ? 
*str : ""); + + auto vl = new val_list; + vl->append(endpoint_info); + vl->append(msg); + + mgr.QueueEvent(event, vl); + } + +void Manager::ProcessError(broker::error err) + { + DBG_LOG(DBG_BROKER, "Received error message: %s", RenderMessage(err).c_str()); + + if ( ! Broker::error ) + return; + + BifEnum::Broker::ErrorCode ec; + std::string msg; + + if ( err.category() == caf::atom("broker") ) + { + msg = caf::to_string(err.context()); + + switch ( static_cast(err.code()) ) { + case broker::ec::peer_incompatible: + ec = BifEnum::Broker::ErrorCode::PEER_INCOMPATIBLE; + break; + + case broker::ec::peer_invalid: + ec = BifEnum::Broker::ErrorCode::PEER_INVALID; + break; + + case broker::ec::peer_unavailable: + ec = BifEnum::Broker::ErrorCode::PEER_UNAVAILABLE; + break; + + case broker::ec::peer_timeout: + ec = BifEnum::Broker::ErrorCode::PEER_TIMEOUT; + break; + + case broker::ec::master_exists: + ec = BifEnum::Broker::ErrorCode::MASTER_EXISTS; + break; + + case broker::ec::no_such_master: + ec = BifEnum::Broker::ErrorCode::NO_SUCH_MASTER; + break; + + case broker::ec::no_such_key: + ec = BifEnum::Broker::ErrorCode::NO_SUCH_KEY; + break; + + case broker::ec::request_timeout: + ec = BifEnum::Broker::ErrorCode::REQUEST_TIMEOUT; + break; + + case broker::ec::type_clash: + ec = BifEnum::Broker::ErrorCode::TYPE_CLASH; + break; + + case broker::ec::invalid_data: + ec = BifEnum::Broker::ErrorCode::INVALID_DATA; + break; + + case broker::ec::backend_failure: + ec = BifEnum::Broker::ErrorCode::BACKEND_FAILURE; + break; + + case broker::ec::stale_data: + ec = BifEnum::Broker::ErrorCode::STALE_DATA; + break; + + case broker::ec::unspecified: // fall-through + default: + ec = BifEnum::Broker::ErrorCode::UNSPECIFIED; + } + } + else + { + ec = BifEnum::Broker::ErrorCode::CAF_ERROR; + msg = fmt("[%s] %s", caf::to_string(err.category()).c_str(), caf::to_string(err.context()).c_str()); + } + + auto vl = new val_list; + vl->append(new EnumVal(ec, BifType::Enum::Broker::ErrorCode)); + 
vl->append(new StringVal(msg)); + mgr.QueueEvent(Broker::error, vl); + } + +void Manager::ProcessStoreResponse(StoreHandleVal* s, broker::store::response response) + { + DBG_LOG(DBG_BROKER, "Received store response: %s", RenderMessage(response).c_str()); + + auto request = pending_queries.find(std::make_pair(response.id, s)); + + if ( request == pending_queries.end() ) + { + reporter->Warning("unmatched response to query %" PRIu64 " on store %s", + response.id, s->store.name().c_str()); + return; + } + + if ( request->second->Disabled() ) + { + // Trigger timer must have timed the query out already. + delete request->second; + pending_queries.erase(request); + return; + } + + if ( response.answer ) + request->second->Result(query_result(make_data_val(std::move(*response.answer)))); + else if ( response.answer.error() == broker::ec::request_timeout ) + { + // Fine, trigger's timeout takes care of things. + } + else if ( response.answer.error() == broker::ec::stale_data ) + { + // It's sort of arbitrary whether to make this type of error successful + // query with a "fail" status versus going through the when stmt timeout + // code path. I think the timeout path is maybe more expected in order + // for failures like "no such key" to actually be distinguishable from + // this type of error (which is less easily handled programmatically). 
+ } + else if ( response.answer.error() == broker::ec::no_such_key ) + request->second->Result(query_result()); + else + reporter->InternalWarning("unknown store response status: %s", + to_string(response.answer.error()).c_str()); + + delete request->second; + pending_queries.erase(request); + } + +StoreHandleVal* Manager::MakeMaster(const string& name, broker::backend type, + broker::backend_options opts) + { + if ( bstate->endpoint.is_shutdown() ) + return nullptr; + + if ( LookupStore(name) ) + return nullptr; + + DBG_LOG(DBG_BROKER, "Creating master for data store %s", name.c_str()); + + auto it = opts.find("path"); + + if ( it == opts.end() ) + it = opts.emplace("path", "").first; + + if ( it->second == broker::data("") ) + { + auto suffix = ".store"; + + switch ( type ) { + case broker::backend::sqlite: + suffix = ".sqlite"; + break; + case broker::backend::rocksdb: + suffix = ".rocksdb"; + break; + default: + break; + } + + it->second = name + suffix; + } + + auto result = bstate->endpoint.attach_master(name, type, move(opts)); + if ( ! result ) + { + Error("Failed to attach master store %s:", + to_string(result.error()).c_str()); + return nullptr; + } + + auto handle = new StoreHandleVal{*result}; + Ref(handle); + + data_stores.emplace(name, handle); + + if ( bstate->endpoint.use_real_time() ) + return handle; + + // Wait for master to become available/responsive. + // Possibly avoids timeouts in scripts during unit tests. + handle->store.exists(""); + return handle; + } + +StoreHandleVal* Manager::MakeClone(const string& name, double resync_interval, + double stale_interval, + double mutation_buffer_interval) + { + if ( bstate->endpoint.is_shutdown() ) + return nullptr; + + if ( LookupStore(name) ) + return nullptr; + + DBG_LOG(DBG_BROKER, "Creating clone for data store %s", name.c_str()); + + auto result = bstate->endpoint.attach_clone(name, resync_interval, + stale_interval, + mutation_buffer_interval); + if ( ! 
result ) + { + Error("Failed to attach clone store %s:", + to_string(result.error()).c_str()); + return nullptr; + } + + auto handle = new StoreHandleVal{*result}; + Ref(handle); + + data_stores.emplace(name, handle); + + return handle; + } + +StoreHandleVal* Manager::LookupStore(const string& name) + { + auto i = data_stores.find(name); + return i == data_stores.end() ? nullptr : i->second; + } + +bool Manager::CloseStore(const string& name) + { + DBG_LOG(DBG_BROKER, "Closing data store %s", name.c_str()); + + auto s = data_stores.find(name); + if ( s == data_stores.end() ) + return false; + + for ( auto i = pending_queries.begin(); i != pending_queries.end(); ) + if ( i->second->Store().name() == name ) + { + i->second->Abort(); + delete i->second; + i = pending_queries.erase(i); + } + else + { + ++i; + } + + Unref(s->second); + data_stores.erase(s); return true; } -bool bro_broker::Manager::TrackStoreQuery(StoreQueryCallback* cb) +bool Manager::TrackStoreQuery(StoreHandleVal* handle, broker::request_id id, + StoreQueryCallback* cb) { - assert(Enabled()); - return pending_queries.insert(cb).second; - } + auto rval = pending_queries.emplace(std::make_pair(id, handle), cb).second; -bro_broker::Stats bro_broker::Manager::ConsumeStatistics() - { - statistics.outgoing_peer_count = peers.size(); - statistics.data_store_count = data_stores.size(); - statistics.pending_query_count = pending_queries.size(); + if ( bstate->endpoint.use_real_time() ) + return rval; - for ( auto& s : print_subscriptions ) - { - statistics.print_count[s.first] = s.second.received; - s.second.received = 0; - } - - for ( auto& s : event_subscriptions ) - { - statistics.event_count[s.first] = s.second.received; - s.second.received = 0; - } - - for ( auto& s : log_subscriptions ) - { - statistics.log_count[s.first] = s.second.received; - s.second.received = 0; - } - - auto rval = move(statistics); - statistics = Stats{}; + FlushPendingQueries(); return rval; } + +const Stats& 
Manager::GetStatistics() + { + statistics.num_peers = peer_count; + statistics.num_stores = data_stores.size(); + statistics.num_pending_queries = pending_queries.size(); + + // The other attributes are set as activity happens. + + return statistics; + } + +} // namespace bro_broker diff --git a/src/broker/Manager.h b/src/broker/Manager.h index 9fb7b9e328..a42cb495e6 100644 --- a/src/broker/Manager.h +++ b/src/broker/Manager.h @@ -1,11 +1,13 @@ #ifndef BRO_COMM_MANAGER_H #define BRO_COMM_MANAGER_H -#include -#include +#include +#include #include #include #include +#include +#include #include #include "broker/Store.h" #include "Reporter.h" 
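Review bot: In `ProcessLogWrite`, `num_fields` is read from the peer-supplied `serial_data` and used directly as the array size in `new threading::Value* [num_fields]`, with no range check. A negative or very large count sent by a remote peer makes the allocation throw or exhaust memory, and an allocation exception is not a `std::runtime_error`, so the handler around `DispatchMessage` in `Process()` would not catch it. Reject implausible counts before allocating, for example `if ( num_fields < 0 || static_cast<size_t>(num_fields) > serial_data->size() ) { reporter->Warning(...); return false; }`, assuming each serialized value occupies at least one byte. The early returns in this function also skip `fmt.EndRead()`; please confirm whether the reader needs that call to release its state.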
@@ -14,32 +16,30 @@ namespace bro_broker { +class BrokerState; + /** - * Communication statistics. Some are tracked in relation to last - * sample (bro_broker::Manager::ConsumeStatistics()). + * Communication statistics. */ struct Stats { - // Number of outgoing peer connections (at time of sample). - size_t outgoing_peer_count = 0; - // Number of data stores (at time of sample). - size_t data_store_count = 0; - // Number of pending data store queries (at time of sample). - size_t pending_query_count = 0; - // Number of data store responses received (since last sample). - size_t response_count = 0; - // Number of outgoing connection updates received (since last sample). - size_t outgoing_conn_status_count = 0; - // Number of incoming connection updates received (since last sample). - size_t incoming_conn_status_count = 0; - // Number of broker report messages (e.g. debug, warning, errors) received - // (since last sample). - size_t report_count = 0; - // Number of print messages received per topic-prefix (since last sample). - std::map print_count; - // Number of event messages received per topic-prefix (since last sample). - std::map event_count; - // Number of log messages received per topic-prefix (since last sample). - std::map log_count; + // Number of active peer connections. + size_t num_peers = 0; + // Number of active data stores. + size_t num_stores = 0; + // Number of pending data store queries. + size_t num_pending_queries = 0; + // Number of total log messages received. + size_t num_events_incoming = 0; + // Number of total log messages sent. + size_t num_events_outgoing = 0; + // Number of total log records received. + size_t num_logs_incoming = 0; + // Number of total log records sent. + size_t num_logs_outgoing = 0; + // Number of total identifiers received. + size_t num_ids_incoming = 0; + // Number of total identifiers sent. + size_t num_ids_outgoing = 0; }; /** 
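Review bot: The comments on `num_events_incoming` and `num_events_outgoing` in the new `Stats` struct both say "log messages", which mislabels the event counters and repeats the wording of the log counters below them. I would change them to `// Number of total event messages received.` and `// Number of total event messages sent.`. The struct comment could also say in one sentence that these counters are now running totals rather than per-sample values, since the old "since last sample" wording is gone and anything computing rates from them has to take differences itself.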
@@ -47,124 +47,181 @@ struct Stats { * or other external applications via use of the Broker messaging library. */ class Manager : public iosource::IOSource { -friend class StoreHandleVal; public: + static const broker::endpoint_info NoPeer; /** * Constructor. */ - Manager(); + Manager(bool reading_pcaps); /** - * Destructor. Any still-pending data store queries are aborted. + * Destructor. */ - ~Manager(); + ~Manager() override; /** - * Enable use of communication. - * @param flags used to tune the local Broker endpoint's behavior. - * See the Broker::EndpointFlags record type. - * @return true if communication is successfully initialized. + * Initialization of the manager. This is called late during Bro's + * initialization after any scripts are processed. */ - bool Enable(Val* flags); + void InitPostScript(); + + void BroInitDone() + { after_bro_init = true; } /** - * Changes endpoint flags originally supplied to bro_broker::Manager::Enable(). - * @param flags the new behavior flags to use. - * @return true if flags were changed. + * Shuts Broker down at termination. */ - bool SetEndpointFlags(Val* flags); + void Terminate(); /** - * @return true if bro_broker::Manager::Enable() has previously been called and - * it succeeded. + * Returns true if any Broker communincation is currently active. */ - bool Enabled() - { return endpoint != nullptr; } + bool Active(); + + /** + * Advances time. Broker data store expiration is driven by this + * simulated time instead of real/wall time. + */ + void AdvanceTime(double seconds_since_unix_epoch); /** * Listen for remote connections. * @param port the TCP port to listen on. * @param addr an address string on which to accept connections, e.g. - * "127.0.0.1". A nullptr refers to @p INADDR_ANY. - * @param reuse_addr equivalent to behavior of SO_REUSEADDR. - * @return true if the local endpoint is now listening for connections. + * "127.0.0.1". The empty string refers to @p INADDR_ANY. 
+ * @return 0 on failure or the bound port otherwise. If *port* != 0, then the + * return value equals *port* on success. If *port* equals 0, then the + * return values represents the bound port as chosen by the OS. */ - bool Listen(uint16_t port, const char* addr = nullptr, - bool reuse_addr = true); + uint16_t Listen(const std::string& addr, uint16_t port); /** - * Initiate a remote connection. + * Initiate a peering with a remote endpoint. * @param addr an address to connect to, e.g. "localhost" or "127.0.0.1". * @param port the TCP port on which the remote side is listening. - * @param retry_interval an interval at which to retry establishing the - * connection with the remote peer. - * @return true if it's possible to try connecting with the peer and - * it's a new peer. The actual connection may not be established until a - * later point in time. + * @param retry If non-zero, the time after which to retry if + * connection cannot be established, or breaks. BRO_DEFAULT_CONNECT_RETRY + * environment variable overrides this value. */ - bool Connect(std::string addr, uint16_t port, - std::chrono::duration retry_interval); + void Peer(const std::string& addr, uint16_t port, double retry = 10.0); /** - * Remove a remote connection. - * @param addr the address used in bro_broker::Manager::Connect(). - * @param port the port used in bro_broker::Manager::Connect(). - * @return true if the arguments match a previously successful call to - * bro_broker::Manager::Connect(). + * Remove a remote peering. + * @param addr the address used in bro_broker::Manager::Peer(). + * @param port the port used in bro_broker::Manager::Peer(). */ - bool Disconnect(const std::string& addr, uint16_t port); + void Unpeer(const std::string& addr, uint16_t port); /** - * Print a simple message to any interested peers. - * @param topic a topic string associated with the print message. - * Peers advertise interest by registering a subscription to some prefix - * of this topic name. 
- * @param msg the string to send to peers. - * @param flags tune the behavior of how the message is send. - * See the Broker::SendFlags record type. + * @return a list of peer endpoints. + */ + std::vector Peers() const; + + /** + * @return a unique identifier for this broker endpoint. + */ + std::string NodeID() const; + + /** + * Send an identifier's value to interested peers. + * @param topic a topic string associated with the message. + * @param id the name of the identifier to send. * @return true if the message is sent successfully. */ - bool Print(std::string topic, std::string msg, Val* flags); + bool PublishIdentifier(std::string topic, std::string id); /** * Send an event to any interested peers. - * @param topic a topic string associated with the print message. + * @param topic a topic string associated with the message. * Peers advertise interest by registering a subscription to some prefix * of this topic name. - * @param msg the event to send to peers, which is the name of the event - * as a string followed by all of its arguments. - * @param flags tune the behavior of how the message is send. - * See the Broker::SendFlags record type. + * @param name the name of the event + * @param args the event's arguments * @return true if the message is sent successfully. */ - bool Event(std::string topic, broker::message msg, int flags); + bool PublishEvent(std::string topic, std::string name, broker::vector args); /** * Send an event to any interested peers. - * @param topic a topic string associated with the print message. + * @param topic a topic string associated with the message. * Peers advertise interest by registering a subscription to some prefix * of this topic name. - * @param args the event and its arguments to send to peers. See the - * Broker::EventArgs record type. - * @param flags tune the behavior of how the message is send. - * See the Broker::SendFlags record type. 
+ * @param ev the event and its arguments to send to peers, in the form of + * a Broker::Event record type. * @return true if the message is sent successfully. */ - bool Event(std::string topic, RecordVal* args, Val* flags); + bool PublishEvent(std::string topic, RecordVal* ev); + + /** + * Sends an event to any interested peers, who, upon receipt, + * republishes the event to a new set of topics and optionally + * calls event handlers. + * @param first_topic the first topic to use when publishing the event + * @param relay_topics the set of topics the receivers will use to + * republish the event. The event is relayed at most a single hop. + * @param name the name of the event + * @param args the event's arguments + * @param handle_on_relayer whether they relaying-node should call event + * handlers. + * @return true if the message is sent successfully. + */ + bool RelayEvent(std::string first_topic, + broker::set relay_topics, + std::string name, + broker::vector args, + bool handle_on_relayer); + + /** + * Sends an event to any interested peers, who, upon receipt, + * republishes the event to a new set of topics and optionally + * calls event handlers. + * @param first_topic the first topic to use when publishing the event + * @param relay_topics the set of topics the receivers will use to + * republish the event. The event is relayed at most a single hop. + * @param ev the event and its arguments to send to peers, in the form of + * a Broker::Event record type. + * @param handle_on_relayer whether they relaying-node should call event + * handlers. + * @return true if the message is sent successfully. + */ + bool RelayEvent(std::string first_topic, + std::set relay_topics, + RecordVal* ev, + bool handle_on_relayer); + + /** + * Send a message to create a log stream to any interested peers. + * The log stream may or may not already exist on the receiving side. + * The topic name used is implicitly "bro/log/". 
+ * @param stream the stream to which the log entry belongs. + * @param writer the writer to use for outputting this log entry. + * @param info backend initialization information for the writer. + * @param num_fields the number of fields the log has. + * @param fields the log's fields, of size num_fields. + * See the Broker::SendFlags record type. + * @param peer If given, send the message only to this peer. + * @return true if the message is sent successfully. + */ + bool PublishLogCreate(EnumVal* stream, EnumVal* writer, + const logging::WriterBackend::WriterInfo& info, + int num_fields, + const threading::Field* const * fields, + const broker::endpoint_info& peer = NoPeer); /** * Send a log entry to any interested peers. The topic name used is * implicitly "bro/log/". - * @param stream_id the stream to which the log entry belongs. - * @param columns the data which comprises the log entry. - * @param info the record type corresponding to the log's columns. - * @param flags tune the behavior of how the message is send. + * @param stream the stream to which the log entry belongs. + * @param writer the writer to use for outputting this log entry. + * @param path the log path to output the log entry to. + * @param num_vals the number of fields to log. + * @param vals the log values to log, of size num_vals. * See the Broker::SendFlags record type. * @return true if the message is sent successfully. */ - bool Log(EnumVal* stream_id, RecordVal* columns, RecordType* info, - int flags); + bool PublishLogWrite(EnumVal* stream, EnumVal* writer, string path, int num_vals, + const threading::Value* const * vals); /** * Automatically send an event to any interested peers whenever it is 
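Review bot: The doc blocks for `PublishLogCreate` and `PublishLogWrite` still end their parameter lists with `See the Broker::SendFlags record type.`, although neither function takes a flags argument and the other comments in this commit drop that reference. That sentence should be deleted from both blocks. In the same hunk, `BroInitDone()` has no doc comment (something like `/** Marks that Bro's initialization has completed. */` would do), the `Listen` comment lists `@param port` before `@param addr` while the new signature is `(addr, port)`, and the `Active()` comment misspells "communication". The class body starts and ends outside this hunk.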
@@ -173,45 +230,27 @@ public: * Peers advertise interest by registering a subscription to some prefix * of this topic name. * @param event a Bro event value. - * @param flags tune the behavior of how the message is send. - * See the Broker::SendFlags record type. * @return true if automatic event sending is now enabled. */ - bool AutoEvent(std::string topic, Val* event, Val* flags); + bool AutoPublishEvent(std::string topic, Val* event); /** * Stop automatically sending an event to peers upon local dispatch. - * @param topic a topic originally given to bro_broker::Manager::AutoEvent(). - * @param event an event originally given to bro_broker::Manager::AutoEvent(). + * @param topic a topic originally given to bro_broker::Manager::AutoPublish(). + * @param event an event originally given to bro_broker::Manager::AutoPublish(). * @return true if automatic events will no occur for the topic/event pair. */ - bool AutoEventStop(const std::string& topic, Val* event); + bool AutoUnpublishEvent(const std::string& topic, Val* event); /** - * Create an EventArgs record value from an event and its arguments. + * Create an `Event` record value from an event and its arguments. * @param args the event and its arguments. The event is always the first * elements in the list. - * @return an EventArgs record value. If an invalid event or arguments + * @param frame the calling frame, used to report location info upon error + * @return an `Event` record value. If an invalid event or arguments * were supplied the optional "name" field will not be set. */ - RecordVal* MakeEventArgs(val_list* args); - - /** - * Register interest in peer print messages that use a certain topic prefix. - * @param topic_prefix a prefix to match against remote message topics. - * e.g. an empty prefix will match everything and "a" will match "alice" - * and "amy" but not "bob". - * @return true if it's a new print subscriptions and it is now registered. 
- */ - bool SubscribeToPrints(std::string topic_prefix); - - /** - * Unregister interest in peer print messages. - * @param topic_prefix a prefix previously supplied to a successful call - * to bro_broker::Manager::SubscribeToPrints(). - * @return true if interest in topic prefix is no longer advertised. - */ - bool UnsubscribeToPrints(const std::string& topic_prefix); + RecordVal* MakeEvent(val_list* args, Frame* frame); /** * Register interest in peer event messages that use a certain topic prefix. 
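Review bot: The updated comment on `AutoUnpublishEvent` points readers at `bro_broker::Manager::AutoPublish()`, but the method declared just above it is `AutoPublishEvent`, so the cross-reference names something that does not exist in this header. Both `@param` lines should read `... originally given to bro_broker::Manager::AutoPublishEvent().`. The unchanged `@return` line also reads "will no occur", which could be fixed in the same pass to "will no longer occur".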
@@ -220,112 +259,111 @@ public: * and "amy" but not "bob". * @return true if it's a new event subscription and it is now registered. */ - bool SubscribeToEvents(std::string topic_prefix); + bool Subscribe(const std::string& topic_prefix); /** * Unregister interest in peer event messages. * @param topic_prefix a prefix previously supplied to a successful call - * to bro_broker::Manager::SubscribeToEvents(). + * to bro_broker::Manager::Subscribe(). * @return true if interest in topic prefix is no longer advertised. */ - bool UnsubscribeToEvents(const std::string& topic_prefix); + bool Unsubscribe(const std::string& topic_prefix); /** - * Register interest in peer log messages that use a certain topic prefix. - * @param topic_prefix a prefix to match against remote message topics. - * e.g. an empty prefix will match everything and "a" will match "alice" - * and "amy" but not "bob". - * @return true if it's a new log subscription and it is now registered. + * Create a new *master* data store. + * @param name The name of the store. + * @param type The backend type. + * @param opts The backend options. + * @return a pointer to the newly created store a nullptr on failure. */ - bool SubscribeToLogs(std::string topic_prefix); + StoreHandleVal* MakeMaster(const std::string& name, broker::backend type, + broker::backend_options opts); /** - * Unregister interest in peer log messages. - * @param topic_prefix a prefix previously supplied to a successful call - * to bro_broker::Manager::SubscribeToLogs(). - * @return true if interest in topic prefix is no longer advertised. + * Create a new *clone* data store. + * @param name The name of the store. + * @param resync_interval The frequency at which the clone will attempt + * to reconnect/resynchronize with its master in the event it becomes + * disconnected. + * @param stale_interval The duration after which a clone that is + * disconnected from its master will treat its local cache as stale. 
+ * In this state, queries to the clone will timeout. A negative value + * indicates to never treat the local cache as stale. + * @param mutation_buffer_interval The max amount of time that a + * disconnected clone will buffer mutation commands. If the clone + * reconnects before this time, it replays all buffered commands. Note + * that this doesn't completely prevent the loss of store updates: all + * mutation messages are fire-and-forget and not explicitly acknowledged by + * the master. A negative/zero value indicates to never buffer commands. + * @return a pointer to the newly created store a nullptr on failure. */ - bool UnsubscribeToLogs(const std::string& topic_prefix); - - /** - * Allow sending messages to peers if associated with the given topic. - * This has no effect if auto publication behavior is enabled via the flags - * supplied to bro_broker::Manager::Enable() or bro_broker::Manager::SetEndpointFlags(). - * @param t a topic to allow messages to be published under. - * @return true if successful. - */ - bool PublishTopic(broker::topic t); - - /** - * Disallow sending messages to peers if associated with the given topic. - * This has no effect if auto publication behavior is enabled via the flags - * supplied to bro_broker::Manager::Enable() or bro_broker::Manager::SetEndpointFlags(). - * @param t a topic to disallow messages to be published under. - * @return true if successful. - */ - bool UnpublishTopic(broker::topic t); - - /** - * Allow advertising interest in the given topic to peers. - * This has no effect if auto advertise behavior is enabled via the flags - * supplied to bro_broker::Manager::Enable() or bro_broker::Manager::SetEndpointFlags(). - * @param t a topic to allow advertising interest/subscription to peers. - * @return true if successful. - */ - bool AdvertiseTopic(broker::topic t); - - /** - * Disallow advertising interest in the given topic to peers. 
- * This has no effect if auto advertise behavior is enabled via the flags - * supplied to bro_broker::Manager::Enable() or bro_broker::Manager::SetEndpointFlags(). - * @param t a topic to disallow advertising interest/subscription to peers. - * @return true if successful. - */ - bool UnadvertiseTopic(broker::topic t); - - /** - * Register the availability of a data store. - * @param handle the data store. - * @return true if the store was valid and not already away of it. - */ - bool AddStore(StoreHandleVal* handle); + StoreHandleVal* MakeClone(const std::string& name, + double resync_interval = 10.0, + double stale_interval = 300.0, + double mutation_buffer_interval = 120.0); /** * Lookup a data store by it's identifier name and type. - * @param id the store's name. - * @param type the type of data store. + * @param name the store's name. * @return a pointer to the store handle if it exists else nullptr. */ - StoreHandleVal* LookupStore(const broker::store::identifier& id, StoreType type); + StoreHandleVal* LookupStore(const std::string& name); /** * Close and unregister a data store. Any existing references to the * store handle will not be able to be used for any data store operations. - * @param id the stores' name. - * @param type the type of the data store. + * @param name the stores' name. * @return true if such a store existed and is now closed. */ - bool CloseStore(const broker::store::identifier& id, StoreType type); + bool CloseStore(const std::string& name); /** * Register a data store query callback. * @param cb the callback info to use when the query completes or times out. * @return true if now tracking a data store query. */ - bool TrackStoreQuery(StoreQueryCallback* cb); + bool TrackStoreQuery(StoreHandleVal* handle, broker::request_id id, + StoreQueryCallback* cb); + + /** + * Send all pending log write messages. + * @return the number of messages sent. + */ + size_t FlushLogBuffers(); /** * @return communication statistics. 
*/ - Stats ConsumeStatistics(); + const Stats& GetStatistics(); /** - * Convert Broker::SendFlags to int flags for use with broker::send(). + * Creating an instance of this struct simply helps the manager + * keep track of whether calls into its API are coming from script + * layer BIFs so that error messages can emit useful call site info. */ - static int send_flags_to_int(Val* flags); + struct ScriptScopeGuard { + ScriptScopeGuard() { ++script_scope; } + ~ScriptScopeGuard() { --script_scope; } + }; private: + void DispatchMessage(broker::data msg); + void ProcessEvent(std::string name, broker::vector args); + void ProcessEvent(broker::bro::Event ev); + void ProcessRelayEvent(broker::bro::RelayEvent re); + void ProcessHandleAndRelayEvent(broker::bro::HandleAndRelayEvent ev); + bool ProcessLogCreate(broker::bro::LogCreate lc); + bool ProcessLogWrite(broker::bro::LogWrite lw); + bool ProcessIdentifierUpdate(broker::bro::IdentifierUpdate iu); + void ProcessStatus(broker::status stat); + void ProcessError(broker::error err); + void ProcessStoreResponse(StoreHandleVal*, broker::store::response response); + void FlushPendingQueries(); + + void Error(const char* format, ...) + __attribute__((format (printf, 2, 3))); + // IOSource interface overrides: void GetFds(iosource::FD_Set* read, iosource::FD_Set* write, iosource::FD_Set* except) override; 
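Review bot: The doc comment on `TrackStoreQuery` still documents only `cb`, while the new signature also takes `handle` and `id`, and it does not say who owns `cb`. `CloseStore` in Manager.cc aborts and deletes the tracked callbacks, so the manager appears to take ownership once the call succeeds; what the caller must do with `cb` when the call returns false is not visible here and should be stated. I would add `@param handle the store the query was issued against.` and `@param id the request id of the query.` (wording to be confirmed against the caller) plus one sentence on ownership. The `LookupStore` comment in this hunk also still says "name and type" although the type parameter was removed.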
@@ -337,32 +375,48 @@ private: const char* Tag() override { return "Broker::Manager"; } - broker::endpoint& Endpoint() - { return *endpoint; } + struct LogBuffer { + // Indexed by topic string. + std::unordered_map msgs; + double last_flush; + size_t message_count; - struct QueueWithStats { - broker::message_queue q; - size_t received = 0; + size_t Flush(broker::endpoint& endpoint); }; - std::unique_ptr endpoint; - std::map, broker::peering> peers; - std::map print_subscriptions; - std::map event_subscriptions; - std::map log_subscriptions; + // Data stores + using query_id = std::pair; - std::map, - StoreHandleVal*> data_stores; - std::unordered_set pending_queries; + struct query_id_hasher { + size_t operator()(const query_id& qid) const + { + size_t rval = 0; + broker::detail::hash_combine(rval, qid.first); + broker::detail::hash_combine(rval, qid.second); + return rval; + } + }; + + std::vector log_buffers; // Indexed by stream ID enum. + std::string default_log_topic_prefix; + std::shared_ptr bstate; + std::unordered_map data_stores; + std::unordered_map pending_queries; Stats statistics; - double next_timestamp; - static VectorType* vector_of_data_type; - static EnumType* log_id_type; - static int send_flags_self_idx; - static int send_flags_peers_idx; - static int send_flags_unsolicited_idx; + uint16_t bound_port; + bool reading_pcaps; + bool after_bro_init; + int peer_count; + + Func* log_topic_func; + VectorType* vector_of_data_type; + EnumType* log_id_type; + EnumType* writer_id_type; + + static int script_scope; }; } // namespace bro_broker diff --git a/src/broker/Store.cc b/src/broker/Store.cc index 97954bb328..200e1b6abf 100644 --- a/src/broker/Store.cc +++ b/src/broker/Store.cc 
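Review bot: `LogBuffer::last_flush` and `LogBuffer::message_count`, and the new `Manager` members `bound_port`, `after_bro_init` and `peer_count`, are declared without initializers, so every construction path has to set them before first use. The constructor and the code that fills `log_buffers` are outside this hunk, so this may already be handled, but in-class defaults such as `double last_flush = 0.0;` and `size_t message_count = 0;` rule out an uninitialized read. Separately, `peer_count` is an `int` that `GetStatistics()` assigns to the `size_t` field `num_peers`; if it can ever be decremented below zero the reported count wraps, so an unsigned type or a guard on the decrement would be safer.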
@@ -1,204 +1,135 @@ #include "Store.h" #include "broker/Manager.h" -#include -#include -#include +namespace bro_broker { -#ifdef HAVE_ROCKSDB -#include -#include -#endif +OpaqueType* opaque_of_store_handle; -OpaqueType* bro_broker::opaque_of_store_handle; - -bro_broker::StoreHandleVal::StoreHandleVal(broker::store::identifier id, - bro_broker::StoreType arg_type, - broker::util::optional arg_back, - RecordVal* backend_options, std::chrono::duration resync) - : OpaqueVal(opaque_of_store_handle), - store(), store_type(arg_type), backend_type(arg_back) +void StoreHandleVal::ValDescribe(ODesc* d) const { - using BifEnum::Broker::BackendType; - std::unique_ptr backend; - - if ( backend_type ) - switch ( *backend_type ) { - case BackendType::MEMORY: - backend.reset(new broker::store::memory_backend); - break; - case BackendType::SQLITE: - { - auto sqlite = new broker::store::sqlite_backend; - std::string path = backend_options->Lookup(0)->AsRecordVal() - ->Lookup(0)->AsStringVal()->CheckString(); - - if ( sqlite->open(path) ) - backend.reset(sqlite); - else - { - reporter->Error("failed to open sqlite backend at path %s: %s", - path.data(), sqlite->last_error().data()); - delete sqlite; - } - } - break; - case BackendType::ROCKSDB: - { -#ifdef HAVE_ROCKSDB - std::string path = backend_options->Lookup(1)->AsRecordVal() - ->Lookup(0)->AsStringVal()->CheckString(); - rocksdb::Options rock_op; - rock_op.create_if_missing = true; - - auto rocksdb = new broker::store::rocksdb_backend; - - if ( rocksdb->open(path, options).ok() ) - backend.reset(rocksdb); - else - { - reporter->Error("failed to open rocksdb backend at path %s: %s", - path.data(), rocksdb->last_error().data()); - delete rocksdb; - } -#else - reporter->Error("rocksdb backend support is not enabled"); -#endif - } - break; - default: - reporter->FatalError("unknown data store backend: %d", - static_cast(*backend_type)); - } - - switch ( store_type ) { - case StoreType::FRONTEND: - store = new 
broker::store::frontend(broker_mgr->Endpoint(), move(id)); - break; - case StoreType::MASTER: - store = new broker::store::master(broker_mgr->Endpoint(), move(id), - move(backend)); - break; - case StoreType::CLONE: - store = new broker::store::clone(broker_mgr->Endpoint(), move(id), resync, - move(backend)); - break; - default: - reporter->FatalError("unknown data store type: %d", - static_cast(store_type)); - } - } - -void bro_broker::StoreHandleVal::ValDescribe(ODesc* d) const - { - using BifEnum::Broker::BackendType; + //using BifEnum::Broker::BackendType; d->Add("broker::store::"); - switch ( store_type ) { - case StoreType::FRONTEND: - d->Add("frontend"); - break; - case StoreType::MASTER: - d->Add("master"); - break; - case StoreType::CLONE: - d->Add("clone"); - break; - default: - d->Add("unknown"); - } + //switch ( store_type ) { + // case broker::frontend::FRONTEND: + // d->Add("frontend"); + // break; + // case broker::frontend::MASTER: + // d->Add("master"); + // break; + // case broker::frontend::CLONE: + // d->Add("clone"); + // break; + //default: + // d->Add("unknown"); + // } d->Add("{"); - d->Add(store->id()); + d->Add(store.name()); - if ( backend_type ) - { - d->Add(", "); + //if ( backend_type ) + // { + // d->Add(", "); - switch ( *backend_type ) { - case BackendType::MEMORY: - d->Add("memory"); - break; - case BackendType::SQLITE: - d->Add("sqlite"); - break; - case BackendType::ROCKSDB: - d->Add("rocksdb"); - break; - default: - d->Add("unknown"); - } - } + // switch ( *backend_type ) { + // case BackendType::MEMORY: + // d->Add("memory"); + // break; + // case BackendType::SQLITE: + // d->Add("sqlite"); + // break; + // case BackendType::ROCKSDB: + // d->Add("rocksdb"); + // break; + // default: + // d->Add("unknown"); + // } + // } d->Add("}"); } -IMPLEMENT_SERIAL(bro_broker::StoreHandleVal, SER_COMM_STORE_HANDLE_VAL); +IMPLEMENT_SERIAL(StoreHandleVal, SER_COMM_STORE_HANDLE_VAL); -bool bro_broker::StoreHandleVal::DoSerialize(SerialInfo* 
info) const +bool StoreHandleVal::DoSerialize(SerialInfo* info) const { DO_SERIALIZE(SER_COMM_STORE_HANDLE_VAL, OpaqueVal); - bool have_store = store != nullptr; - - if ( ! SERIALIZE(have_store) ) - return false; - - if ( ! have_store ) - return true; - - if ( ! SERIALIZE(static_cast(store_type)) ) - return false; - - if ( ! SERIALIZE_STR(store->id().data(), store->id().size()) ) + auto name = store.name(); + if ( ! SERIALIZE_STR(name.data(), name.size()) ) return false; return true; } -bool bro_broker::StoreHandleVal::DoUnserialize(UnserialInfo* info) +bool StoreHandleVal::DoUnserialize(UnserialInfo* info) { DO_UNSERIALIZE(OpaqueVal); - bool have_store; - - if ( ! UNSERIALIZE(&have_store) ) - return false; - - if ( ! have_store ) - { - store = nullptr; - return true; - } - - int type; - - if ( ! UNSERIALIZE(&type) ) - return false; - - const char* id_str; + const char* name_str; int len; - if ( ! UNSERIALIZE_STR(&id_str, &len) ) + if ( ! UNSERIALIZE_STR(&name_str, &len) ) return false; - broker::store::identifier id(id_str, len); - delete [] id_str; - - auto handle = broker_mgr->LookupStore(id, static_cast(type)); + std::string name(name_str, len); + delete [] name_str; + auto handle = broker_mgr->LookupStore(name); if ( ! handle ) { // Passing serialized version of store handles to other Bro processes // doesn't make sense, only allow local clones of the handle val. 
- reporter->Error("failed to look up unserialized store handle %s, %d", - id.data(), type); - store = nullptr; + reporter->Error("failed to look up unserialized store handle %s", + name.c_str()); return false; } store = handle->store; - store_type = handle->store_type; - backend_type = handle->backend_type; + proxy = broker::store::proxy{store}; + return true; } + +broker::backend to_backend_type(BifEnum::Broker::BackendType type) + { + switch ( type ) { + case BifEnum::Broker::MEMORY: + return broker::memory; + + case BifEnum::Broker::SQLITE: + return broker::sqlite; + + case BifEnum::Broker::ROCKSDB: + return broker::rocksdb; + } + + throw std::runtime_error("unknown broker backend"); + } + +broker::backend_options to_backend_options(broker::backend backend, + RecordVal* options) + { + switch ( backend ) { + case broker::sqlite: + { + auto path = options->Lookup(0)->AsRecordVal() + ->Lookup(0)->AsStringVal()->CheckString(); + return {{"path", path}}; + } + + case broker::rocksdb: + { + auto path = options->Lookup(1)->AsRecordVal() + ->Lookup(0)->AsStringVal()->CheckString(); + return {{"path", path}}; + } + + default: + break; + } + + return broker::backend_options{}; + } + +} // namespace bro_broker diff --git a/src/broker/Store.h b/src/broker/Store.h index 4b673e70dc..628a678f45 100644 --- a/src/broker/Store.h +++ b/src/broker/Store.h @@ -8,22 +8,12 @@ #include "Val.h" #include "Trigger.h" -#include +#include namespace bro_broker { extern OpaqueType* opaque_of_store_handle; -/** - * Enumerates the possible types of data stores. - */ -enum StoreType { - // Just a view in to a remote store, contains no data itself. - FRONTEND, - MASTER, - CLONE, -}; - /** * Create a Broker::QueryStatus value. * @param success whether the query status should be set to success or failure. 
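Review bot: In `to_backend_options` (src/broker/Store.cc) the chains `options->Lookup(0)->AsRecordVal()->Lookup(0)->AsStringVal()` and the `Lookup(1)` variant dereference every intermediate result without a check. If the per-backend record or its path field can be unset in the value passed from script land (the record definition is not visible here), that is a null dereference. Fetching the inner value first, e.g. `auto rec = options->Lookup(0);`, and reporting an error when it or its path is missing would make that a diagnosable failure; named constants for the field indices 0 and 1 would make the two cases readable. `ValDescribe` in the same hunk now carries two commented-out switch blocks, which should be deleted or replaced by a one-line TODO.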
@@ -75,12 +65,9 @@ inline RecordVal* query_result(RecordVal* data) */ class StoreQueryCallback { public: - StoreQueryCallback(Trigger* arg_trigger, const CallExpr* arg_call, - broker::store::identifier arg_store_id, - StoreType arg_store_type) - : trigger(arg_trigger), call(arg_call), store_id(move(arg_store_id)), - store_type(arg_store_type) + broker::store store) + : trigger(arg_trigger), call(arg_call), store(move(store)) { Ref(trigger); } @@ -108,18 +95,14 @@ public: bool Disabled() const { return trigger->Disabled(); } - const broker::store::identifier& StoreID() const - { return store_id; } - - StoreType GetStoreType() const - { return store_type; } + const broker::store& Store() const + { return store; } private: Trigger* trigger; const CallExpr* call; - broker::store::identifier store_id; - StoreType store_type; + broker::store store; }; /** @@ -127,27 +110,28 @@ private: */ class StoreHandleVal : public OpaqueVal { public: - - StoreHandleVal(broker::store::identifier id, - bro_broker::StoreType arg_type, - broker::util::optional arg_back, - RecordVal* backend_options, - std::chrono::duration resync = std::chrono::seconds(1)); + StoreHandleVal(broker::store s) + : OpaqueVal(bro_broker::opaque_of_store_handle), store{s}, proxy{store} + { } void ValDescribe(ODesc* d) const override; DECLARE_SERIAL(StoreHandleVal); - broker::store::frontend* store; - bro_broker::StoreType store_type; - broker::util::optional backend_type; + broker::store store; + broker::store::proxy proxy; protected: - - StoreHandleVal() - {} + StoreHandleVal() = default; }; +// Helper function to construct a broker backend type from script land. +broker::backend to_backend_type(BifEnum::Broker::BackendType type); + +// Helper function to construct broker backend options from script land. +broker::backend_options to_backend_options(broker::backend backend, + RecordVal* options); + } // namespace bro_broker #endif // BRO_COMM_STORE_H 
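Review bot: In the `StoreQueryCallback` constructor the new parameter `store` has the same name as the member it initializes, so `store(move(store))` is correct only because the name inside the parentheses resolves to the parameter. The other two parameters use the `arg_` prefix; naming this one `arg_store` and writing `store(std::move(arg_store))` keeps the initializer list unambiguous and stops relying on an unqualified `move`. The class body starts and ends outside this hunk.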
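Review bot: The new one-argument constructor `StoreHandleVal(broker::store s)` is not `explicit`, so a `broker::store` converts to a `StoreHandleVal` implicitly, and it copies `s` into the member instead of moving it. I would write `explicit StoreHandleVal(broker::store s)` with `store{std::move(s)}, proxy{store}`. The initializer `proxy{store}` depends on `store` being declared before `proxy`, which holds for the member order in this hunk; a comment on the two members such as `// proxy is built from store; keep store declared first` would stop a later reorder from breaking it.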
diff --git a/src/broker/TODO b/src/broker/TODO
new file mode 100644
index 0000000000..e7f2893f97
--- /dev/null
+++ b/src/broker/TODO
@@ -0,0 +1,8 @@
+
+For later:
+
+- Routing isn't supported yet
+
+- Error logging doesn't record the relevant peer. That's because
+ Broker doesn't pass the endpoint_info on for errors, as status
+ messages do.
diff --git a/src/broker/comm.bif b/src/broker/comm.bif
index 3bc8fa7dff..28ed862b7c 100644
--- a/src/broker/comm.bif
+++ b/src/broker/comm.bif
@@ -7,133 +7,134 @@ module Broker; -type Broker::EndpointFlags: record; +## Generated when something changes in the Broker sub-system. +event Broker::status%(endpoint: EndpointInfo, msg: string%); -function Broker::__enable%(flags: EndpointFlags%): bool +## Generated when a new peering has been established. +event Broker::peer_added%(endpoint: EndpointInfo, msg: string%); + +## Generated when an existing peer has been removed. +event Broker::peer_removed%(endpoint: EndpointInfo, msg: string%); + +## Generated when an existing peering has been lost. +event Broker::peer_lost%(endpoint: EndpointInfo, msg: string%); + +## Generated when an error occurs in the Broker sub-system. +event Broker::error%(code: ErrorCode, msg: string%); + +## Enumerates the possible error types. +enum ErrorCode %{ + UNSPECIFIED = 1, + PEER_INCOMPATIBLE = 2, + PEER_INVALID = 3, + PEER_UNAVAILABLE = 4, + PEER_TIMEOUT = 5, + MASTER_EXISTS = 6, + NO_SUCH_MASTER = 7, + NO_SUCH_KEY = 8, + REQUEST_TIMEOUT = 9, + TYPE_CLASH = 10, + INVALID_DATA = 11, + BACKEND_FAILURE = 12, + STALE_DATA = 13, + CAF_ERROR = 100, +%} + +## The possible states of a peer endpoint. +enum PeerStatus %{ + INITIALIZING, + CONNECTING, + CONNECTED, + PEERED, + DISCONNECTED, + RECONNECTING, +%} + +function Broker::__listen%(a: string, p: port%): port %{ - return new Val(broker_mgr->Enable(flags), TYPE_BOOL); - %} + bro_broker::Manager::ScriptScopeGuard ssg; -function Broker::__set_endpoint_flags%(flags: EndpointFlags%): bool - %{ - return new Val(broker_mgr->SetEndpointFlags(flags), TYPE_BOOL); - %} - -function Broker::__publish_topic%(topic: string%): bool - %{ - return new Val(broker_mgr->PublishTopic(topic->CheckString()), TYPE_BOOL); - %} - -function Broker::__unpublish_topic%(topic: string%): bool - %{ - return new Val(broker_mgr->UnpublishTopic(topic->CheckString()), TYPE_BOOL); - %} - -## Allow advertising interest in the given topic to peers. 
-## This has no effect if auto advertise behavior is enabled via the flags -## supplied to :bro:see:`Broker::enable` or :bro:see:`Broker::set_endpoint_flags`. -## -## topic: a topic to allow advertising interest/subscription to peers. -## -## Returns: true if successful. -function Broker::advertise_topic%(topic: string%): bool - %{ - return new Val(broker_mgr->AdvertiseTopic(topic->CheckString()), TYPE_BOOL); - %} - -## Disallow advertising interest in the given topic to peers. -## This has no effect if auto advertise behavior is enabled via the flags -## supplied to :bro:see:`Broker::enable` or :bro:see:`Broker::set_endpoint_flags`. -## -## topic: a topic to disallow advertising interest/subscription to peers. -## -## Returns: true if successful. -function Broker::unadvertise_topic%(topic: string%): bool - %{ - return new Val(broker_mgr->UnadvertiseTopic(topic->CheckString()), TYPE_BOOL); - %} - -## Generated when a connection has been established due to a previous call -## to :bro:see:`Broker::connect`. -## -## peer_address: the address used to connect to the peer. -## -## peer_port: the port used to connect to the peer. -## -## peer_name: the name by which the peer identified itself. -event Broker::outgoing_connection_established%(peer_address: string, - peer_port: port, - peer_name: string%); - -## Generated when a previously established connection becomes broken. -## Reconnection will automatically be attempted at a frequency given -## by the original call to :bro:see:`Broker::connect`. -## -## peer_address: the address used to connect to the peer. -## -## peer_port: the port used to connect to the peer. -## -## .. bro:see:: Broker::outgoing_connection_established -event Broker::outgoing_connection_broken%(peer_address: string, - peer_port: port%); - -## Generated when a connection via :bro:see:`Broker::connect` has failed -## because the remote side is incompatible. -## -## peer_address: the address used to connect to the peer. 
-## -## peer_port: the port used to connect to the peer. -event Broker::outgoing_connection_incompatible%(peer_address: string, - peer_port: port%); - -## Generated when a peer has established a connection with this process -## as a result of previously performing a :bro:see:`Broker::listen`. -## -## peer_name: the name by which the peer identified itself. -event Broker::incoming_connection_established%(peer_name: string%); - -## Generated when a peer that previously established a connection with this -## process becomes disconnected. -## -## peer_name: the name by which the peer identified itself. -## -## .. bro:see:: Broker::incoming_connection_established -event Broker::incoming_connection_broken%(peer_name: string%); - -function Broker::__listen%(p: port, a: string, reuse: bool%): bool - %{ if ( ! p->IsTCP() ) { - reporter->Error("listen port must use tcp"); + builtin_error("listen port must use tcp"); + return port_mgr->Get(0, TRANSPORT_UNKNOWN); + } + + auto rval = broker_mgr->Listen(a->Len() ? a->CheckString() : "", p->Port()); + return port_mgr->Get(rval, TRANSPORT_TCP); + %} + +function Broker::__peer%(a: string, p: port, retry: interval%): bool + %{ + bro_broker::Manager::ScriptScopeGuard ssg; + + if ( ! p->IsTCP() ) + { + builtin_error("remote connection port must use tcp"); return new Val(false, TYPE_BOOL); } - auto rval = broker_mgr->Listen(p->Port(), a->Len() ? a->CheckString() : 0, - reuse); - return new Val(rval, TYPE_BOOL); + broker_mgr->Peer(a->CheckString(), p->Port(), retry); + return new Val(true, TYPE_BOOL); %} -function Broker::__connect%(a: string, p: port, retry: interval%): bool +function Broker::__unpeer%(a: string, p: port%): bool %{ + bro_broker::Manager::ScriptScopeGuard ssg; + if ( ! 
p->IsTCP() ) { - reporter->Error("remote connection port must use tcp"); + builtin_error("remote connection port must use tcp"); return new Val(false, TYPE_BOOL); } - auto rval = broker_mgr->Connect(a->CheckString(), p->Port(), - std::chrono::duration(retry)); - return new Val(rval, TYPE_BOOL); + broker_mgr->Unpeer(a->CheckString(), p->Port()); + return new Val(true, TYPE_BOOL); %} -function Broker::__disconnect%(a: string, p: port%): bool +function Broker::__peers%(%): PeerInfos %{ - if ( ! p->IsTCP() ) + bro_broker::Manager::ScriptScopeGuard ssg; + VectorVal* rval = new VectorVal(internal_type("Broker::PeerInfos")->AsVectorType()); + auto i = 0; + + for ( auto& p : broker_mgr->Peers() ) { - reporter->Error("remote connection port must use tcp"); - return new Val(false, TYPE_BOOL); + auto pi = internal_type("Broker::PeerInfo")->AsRecordType(); + auto ei = internal_type("Broker::EndpointInfo")->AsRecordType(); + auto ni = internal_type("Broker::NetworkInfo")->AsRecordType(); + auto peer_info = new RecordVal(pi); + auto endpoint_info = new RecordVal(ei); + auto network_info = new RecordVal(ni); + auto n = p.peer.network; + + if ( n ) + { + network_info->Assign(0, new AddrVal(IPAddr(n->address))); + network_info->Assign(1, port_mgr->Get(n->port, TRANSPORT_TCP)); + } + else + { + network_info->Assign(0, new AddrVal("0.0.0.0")); + network_info->Assign(1, port_mgr->Get(0, TRANSPORT_TCP)); + } + + endpoint_info->Assign(0, new StringVal(to_string(p.peer.node))); + endpoint_info->Assign(1, network_info); + + auto ps = (BifEnum::Broker::PeerStatus)p.status; + peer_info->Assign(0, endpoint_info); + peer_info->Assign(1, new EnumVal(ps, BifType::Enum::Broker::PeerStatus)); + + rval->Assign(i, peer_info); + ++i; } - auto rval = broker_mgr->Disconnect(a->CheckString(), p->Port()); - return new Val(rval, TYPE_BOOL); + return rval; + %} + +function Broker::__node_id%(%): string + %{ + bro_broker::Manager::ScriptScopeGuard ssg; + return new StringVal(broker_mgr->NodeID()); %} 
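Review bot: `Broker::__peer` and `Broker::__unpeer` return `true` as soon as the TCP port check passes, so the result no longer tells the caller whether the peering was set up or removed. A script that tests the return value will treat an unreachable or incompatible peer as success. Presumably the outcome is now delivered through the `Broker::peer_added`, `Broker::peer_lost` and `Broker::error` events declared at the top of this hunk, but the hunk does not show `Manager::Peer`, so that is an inference. I would state it at both functions, e.g. `## Returns: true if the request was issued; the outcome is reported via Broker::peer_added or Broker::error.`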
diff --git a/src/broker/data.bif b/src/broker/data.bif index d526d0a779..e874076434 100644 --- a/src/broker/data.bif +++ b/src/broker/data.bif @@ -10,6 +10,7 @@ module Broker; ## Enumerates the possible types that :bro:see:`Broker::Data` may be in ## terms of Bro data types. enum DataType %{ + NONE, BOOL, INT, COUNT, @@ -24,7 +25,6 @@ enum DataType %{ SET, TABLE, VECTOR, - RECORD, %} type Broker::Data: record; 
@@ -41,77 +41,6 @@ function Broker::__data_type%(d: Broker::Data%): Broker::DataType return bro_broker::get_data_type(d->AsRecordVal(), frame); %} -function Broker::__refine_to_bool%(d: Broker::Data%): bool - %{ - return bro_broker::refine(d->AsRecordVal(), TYPE_BOOL, frame); - %} - -function Broker::__refine_to_int%(d: Broker::Data%): int - %{ - return bro_broker::refine(d->AsRecordVal(), TYPE_INT, frame); - %} - -function Broker::__refine_to_count%(d: Broker::Data%): count - %{ - return bro_broker::refine(d->AsRecordVal(), TYPE_COUNT, frame); - %} - -function Broker::__refine_to_double%(d: Broker::Data%): double - %{ - return bro_broker::refine(d->AsRecordVal(), TYPE_DOUBLE, frame); - %} - -function Broker::__refine_to_string%(d: Broker::Data%): string - %{ - return new StringVal(bro_broker::require_data_type(d->AsRecordVal(), - TYPE_STRING, - frame)); - %} - -function Broker::__refine_to_addr%(d: Broker::Data%): addr - %{ - auto& a = bro_broker::require_data_type(d->AsRecordVal(), - TYPE_ADDR, frame); - auto bits = reinterpret_cast(&a.bytes()); - return new AddrVal(IPAddr(*bits)); - %} - -function Broker::__refine_to_subnet%(d: Broker::Data%): subnet - %{ - auto& a = bro_broker::require_data_type(d->AsRecordVal(), - TYPE_SUBNET, frame); - auto bits = reinterpret_cast(&a.network().bytes()); - return new SubNetVal(IPPrefix(IPAddr(*bits), a.length())); - %} - -function Broker::__refine_to_port%(d: Broker::Data%): port - %{ - auto& a = bro_broker::require_data_type(d->AsRecordVal(), - TYPE_PORT, frame); - return new PortVal(a.number(), bro_broker::to_bro_port_proto(a.type())); - %} - -function Broker::__refine_to_time%(d: Broker::Data%): time - %{ - auto v = bro_broker::require_data_type(d->AsRecordVal(), - TYPE_TIME, frame).value; - return new Val(v, TYPE_TIME); - %} - -function Broker::__refine_to_interval%(d: Broker::Data%): interval - %{ - auto v = bro_broker::require_data_type(d->AsRecordVal(), - TYPE_INTERVAL, frame).value; - return new Val(v, TYPE_INTERVAL); 
- %} - -function Broker::__refine_to_enum_name%(d: Broker::Data%): string - %{ - auto& v = bro_broker::require_data_type(d->AsRecordVal(), - TYPE_ENUM, frame).name; - return new StringVal(v); - %} - function Broker::__set_create%(%): Broker::Data %{ return bro_broker::make_data_val(broker::set()); 
@@ -119,41 +48,63 @@ function Broker::__set_create%(%): Broker::Data function Broker::__set_clear%(s: Broker::Data%): bool %{ - auto& v = bro_broker::require_data_type(s->AsRecordVal(), TYPE_TABLE, - frame); + auto& v = bro_broker::require_data_type(s->AsRecordVal(), + TYPE_TABLE, frame); v.clear(); return new Val(true, TYPE_BOOL); %} function Broker::__set_size%(s: Broker::Data%): count %{ - auto& v = bro_broker::require_data_type(s->AsRecordVal(), TYPE_TABLE, - frame); + auto& v = bro_broker::require_data_type(s->AsRecordVal(), + TYPE_TABLE, frame); return new Val(static_cast(v.size()), TYPE_COUNT); %} -function Broker::__set_contains%(s: Broker::Data, key: Broker::Data%): bool +function Broker::__set_contains%(s: Broker::Data, key: any%): bool %{ - auto& v = bro_broker::require_data_type(s->AsRecordVal(), TYPE_TABLE, - frame); - auto& k = bro_broker::opaque_field_to_data(key->AsRecordVal(), frame); - return new Val(v.find(k) != v.end(), TYPE_BOOL); + auto& v = bro_broker::require_data_type(s->AsRecordVal(), + TYPE_TABLE, frame); + auto k = bro_broker::val_to_data(key); + + if ( ! k ) + { + builtin_error("invalid Broker data conversion for key argument"); + return new Val(false, TYPE_BOOL); + } + + return new Val(v.find(*k) != v.end(), TYPE_BOOL); %} -function Broker::__set_insert%(s: Broker::Data, key: Broker::Data%): bool +function Broker::__set_insert%(s: Broker::Data, key: any%): bool %{ - auto& v = bro_broker::require_data_type(s->AsRecordVal(), TYPE_TABLE, - frame); - auto& k = bro_broker::opaque_field_to_data(key->AsRecordVal(), frame); - return new Val(v.insert(k).second, TYPE_BOOL); + auto& v = bro_broker::require_data_type(s->AsRecordVal(), + TYPE_TABLE, frame); + + auto k = bro_broker::val_to_data(key); + + if ( ! 
k ) + { + builtin_error("invalid Broker data conversion for key argument"); + return new Val(false, TYPE_BOOL); + } + + return new Val(v.insert(std::move(*k)).second, TYPE_BOOL); %} -function Broker::__set_remove%(s: Broker::Data, key: Broker::Data%): bool +function Broker::__set_remove%(s: Broker::Data, key: any%): bool %{ - auto& v = bro_broker::require_data_type(s->AsRecordVal(), TYPE_TABLE, - frame); - auto& k = bro_broker::opaque_field_to_data(key->AsRecordVal(), frame); - return new Val(v.erase(k) > 0, TYPE_BOOL); + auto& v = bro_broker::require_data_type(s->AsRecordVal(), + TYPE_TABLE, frame); + auto k = bro_broker::val_to_data(key); + + if ( ! k ) + { + builtin_error("invalid Broker data conversion for key argument"); + return new Val(false, TYPE_BOOL); + } + + return new Val(v.erase(*k) > 0, TYPE_BOOL); %} function Broker::__set_iterator%(s: Broker::Data%): opaque of Broker::SetIterator @@ -185,9 +136,7 @@ function Broker::__set_iterator_value%(it: opaque of Broker::SetIterator%): Brok if ( set_it->it == set_it->dat.end() ) { - reporter->PushLocation(frame->GetCall()->GetLocationInfo()); - reporter->Warning("attempt to retrieve value of invalid set iterator"); - reporter->PopLocation(); + builtin_error("attempt to retrieve value of invalid set iterator"); return rval; } @@ -203,7 +152,7 @@ function Broker::__table_create%(%): Broker::Data function Broker::__table_clear%(t: Broker::Data%): bool %{ auto& v = bro_broker::require_data_type(t->AsRecordVal(), - TYPE_TABLE, frame); + TYPE_TABLE, frame); v.clear(); return new Val(true, TYPE_BOOL); %} 
@@ -211,45 +160,75 @@ function Broker::__table_clear%(t: Broker::Data%): bool function Broker::__table_size%(t: Broker::Data%): count %{ auto& v = bro_broker::require_data_type(t->AsRecordVal(), - TYPE_TABLE, frame); + TYPE_TABLE, frame); return new Val(static_cast(v.size()), TYPE_COUNT); %} -function Broker::__table_contains%(t: Broker::Data, key: Broker::Data%): bool +function Broker::__table_contains%(t: Broker::Data, key: any%): bool %{ auto& v = bro_broker::require_data_type(t->AsRecordVal(), - TYPE_TABLE, frame); - auto& k = bro_broker::opaque_field_to_data(key->AsRecordVal(), frame); - return new Val(v.find(k) != v.end(), TYPE_BOOL); + TYPE_TABLE, frame); + + auto k = bro_broker::val_to_data(key); + + if ( ! k ) + { + builtin_error("invalid Broker data conversion for key argument"); + return new Val(false, TYPE_BOOL); + } + + return new Val(v.find(*k) != v.end(), TYPE_BOOL); %} -function Broker::__table_insert%(t: Broker::Data, key: Broker::Data, val: Broker::Data%): Broker::Data +function Broker::__table_insert%(t: Broker::Data, key: any, val: any%): Broker::Data %{ auto& table = bro_broker::require_data_type(t->AsRecordVal(), - TYPE_TABLE, frame); - auto& k = bro_broker::opaque_field_to_data(key->AsRecordVal(), frame); - auto& v = bro_broker::opaque_field_to_data(val->AsRecordVal(), frame); + TYPE_TABLE, frame); + + auto k = bro_broker::val_to_data(key); + + if ( ! k ) + { + builtin_error("invalid Broker data conversion for key argument"); + return new RecordVal(BifType::Record::Broker::Data); + } + + auto v = bro_broker::val_to_data(val); + + if ( ! 
v ) + { + builtin_error("invalid Broker data conversion for value argument"); + return new RecordVal(BifType::Record::Broker::Data); + } try { - auto& prev = table.at(k); + auto& prev = table.at(*k); auto rval = bro_broker::make_data_val(move(prev)); - prev = v; + prev = std::move(*v); return rval; } catch (const std::out_of_range&) { - table[k] = v; + table[std::move(*k)] = std::move(*v); return new RecordVal(BifType::Record::Broker::Data); } %} -function Broker::__table_remove%(t: Broker::Data, key: Broker::Data%): Broker::Data +function Broker::__table_remove%(t: Broker::Data, key: any%): Broker::Data %{ auto& table = bro_broker::require_data_type(t->AsRecordVal(), - TYPE_TABLE, frame); - auto& k = bro_broker::opaque_field_to_data(key->AsRecordVal(), frame); - auto it = table.find(k); + TYPE_TABLE, frame); + + auto k = bro_broker::val_to_data(key); + + if ( ! k ) + { + builtin_error("invalid Broker data conversion for key argument"); + return new RecordVal(BifType::Record::Broker::Data); + } + + auto it = table.find(*k); if ( it == table.end() ) return new RecordVal(BifType::Record::Broker::Data); @@ -261,12 +240,20 @@ function Broker::__table_remove%(t: Broker::Data, key: Broker::Data%): Broker::D } %} -function Broker::__table_lookup%(t: Broker::Data, key: Broker::Data%): Broker::Data +function Broker::__table_lookup%(t: Broker::Data, key: any%): Broker::Data %{ auto& table = bro_broker::require_data_type(t->AsRecordVal(), - TYPE_TABLE, frame); - auto& k = bro_broker::opaque_field_to_data(key->AsRecordVal(), frame); - auto it = table.find(k); + TYPE_TABLE, frame); + + auto k = bro_broker::val_to_data(key); + + if ( ! k ) + { + builtin_error("invalid Broker data conversion for key argument"); + return new RecordVal(BifType::Record::Broker::Data); + } + + auto it = table.find(*k); if ( it == table.end() ) return new RecordVal(BifType::Record::Broker::Data); 
@@ -307,9 +294,7 @@ function Broker::__table_iterator_value%(it: opaque of Broker::TableIterator%): if ( ti->it == ti->dat.end() ) { - reporter->PushLocation(frame->GetCall()->GetLocationInfo()); - reporter->Warning("attempt to retrieve value of invalid table iterator"); - reporter->PopLocation(); + builtin_error("attempt to retrieve value of invalid table iterator"); return rval; } @@ -326,7 +311,7 @@ function Broker::__vector_create%(%): Broker::Data function Broker::__vector_clear%(v: Broker::Data%): bool %{ auto& vec = bro_broker::require_data_type(v->AsRecordVal(), - TYPE_VECTOR, frame); + TYPE_VECTOR, frame); vec.clear(); return new Val(true, TYPE_BOOL); %} 
@@ -334,38 +319,51 @@ function Broker::__vector_clear%(v: Broker::Data%): bool function Broker::__vector_size%(v: Broker::Data%): count %{ auto& vec = bro_broker::require_data_type(v->AsRecordVal(), - TYPE_VECTOR, frame); + TYPE_VECTOR, frame); return new Val(static_cast(vec.size()), TYPE_COUNT); %} -function Broker::__vector_insert%(v: Broker::Data, d: Broker::Data, idx: count%): bool +function Broker::__vector_insert%(v: Broker::Data, idx:count, d: any%): bool %{ auto& vec = bro_broker::require_data_type(v->AsRecordVal(), - TYPE_VECTOR, frame); - auto& item = bro_broker::opaque_field_to_data(d->AsRecordVal(), frame); + TYPE_VECTOR, frame); + auto item = bro_broker::val_to_data(d); + + if ( ! item ) + { + builtin_error("invalid Broker data conversion for item argument"); + return new Val(false, TYPE_BOOL); + } + idx = min(idx, static_cast(vec.size())); - vec.insert(vec.begin() + idx, item); + vec.insert(vec.begin() + idx, std::move(*item)); return new Val(true, TYPE_BOOL); %} -function Broker::__vector_replace%(v: Broker::Data, d: Broker::Data, idx: count%): Broker::Data +function Broker::__vector_replace%(v: Broker::Data, idx: count, d: any%): Broker::Data %{ auto& vec = bro_broker::require_data_type(v->AsRecordVal(), - TYPE_VECTOR, frame); - auto& item = bro_broker::opaque_field_to_data(d->AsRecordVal(), frame); + TYPE_VECTOR, frame); + auto item = bro_broker::val_to_data(d); + + if ( ! item ) + { + builtin_error("invalid Broker data conversion for item argument"); + return new Val(false, TYPE_BOOL); + } if ( idx >= vec.size() ) return new RecordVal(BifType::Record::Broker::Data); auto rval = bro_broker::make_data_val(move(vec[idx])); - vec[idx] = item; + vec[idx] = std::move(*item); return rval; %} function Broker::__vector_remove%(v: Broker::Data, idx: count%): Broker::Data %{ auto& vec = bro_broker::require_data_type(v->AsRecordVal(), - TYPE_VECTOR, frame); + TYPE_VECTOR, frame); if ( idx >= vec.size() ) return new RecordVal(BifType::Record::Broker::Data); 
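Review bot: The new conversion-failure branch in `Broker::__vector_replace` returns `new Val(false, TYPE_BOOL)`, although the function is declared to return `Broker::Data`. A caller that treats the result as a record would then be handed a bool value, which can end in a type mismatch or a crash in the interpreter instead of a clean error. The other `Broker::Data`-returning functions in this file (`__table_insert`, `__table_remove`, `__table_lookup`) return an empty record on the same failure, so this branch should too: `return new RecordVal(BifType::Record::Broker::Data);`. `__vector_insert` in the same hunk is declared `bool`, so its `false` return is correct.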
@@ -378,7 +376,7 @@ function Broker::__vector_remove%(v: Broker::Data, idx: count%): Broker::Data function Broker::__vector_lookup%(v: Broker::Data, idx: count%): Broker::Data %{ auto& vec = bro_broker::require_data_type(v->AsRecordVal(), - TYPE_VECTOR, frame); + TYPE_VECTOR, frame); if ( idx >= vec.size() ) return new RecordVal(BifType::Record::Broker::Data); @@ -415,9 +413,7 @@ function Broker::__vector_iterator_value%(it: opaque of Broker::VectorIterator%) if ( vi->it == vi->dat.end() ) { - reporter->PushLocation(frame->GetCall()->GetLocationInfo()); - reporter->Warning("attempt to retrieve value of invalid vector iterator"); - reporter->PopLocation(); + builtin_error("attempt to retrieve value of invalid vector iterator"); return rval; } 
@@ -427,41 +423,44 @@ function Broker::__vector_iterator_value%(it: opaque of Broker::VectorIterator%) function Broker::__record_create%(sz: count%): Broker::Data %{ - return bro_broker::make_data_val(broker::record(std::vector(sz))); + return bro_broker::make_data_val(broker::vector(sz)); %} function Broker::__record_size%(r: Broker::Data%): count %{ - auto& v = bro_broker::require_data_type(r->AsRecordVal(), - TYPE_RECORD, frame); - return new Val(static_cast(v.fields.size()), TYPE_COUNT); + auto& v = bro_broker::require_data_type(r->AsRecordVal(), + TYPE_RECORD, frame); + return new Val(static_cast(v.size()), TYPE_COUNT); %} -function Broker::__record_assign%(r: Broker::Data, d: Broker::Data, idx: count%): bool +function Broker::__record_assign%(r: Broker::Data, idx: count, d: any%): bool %{ - auto& v = bro_broker::require_data_type(r->AsRecordVal(), - TYPE_RECORD, frame); - auto& item = bro_broker::opaque_field_to_data(d->AsRecordVal(), frame); - - if ( idx >= v.fields.size() ) + auto& v = bro_broker::require_data_type(r->AsRecordVal(), + TYPE_RECORD, frame); + if ( idx >= v.size() ) return new Val(false, TYPE_BOOL); - v.fields[idx] = item; + auto item = bro_broker::val_to_data(d); + + if ( ! item ) + { + builtin_error("invalid Broker data conversion for item argument"); + return new Val(false, TYPE_BOOL); + } + + v[idx] = std::move(*item); return new Val(true, TYPE_BOOL); %} function Broker::__record_lookup%(r: Broker::Data, idx: count%): Broker::Data %{ - auto& v = bro_broker::require_data_type(r->AsRecordVal(), - TYPE_RECORD, frame); + auto& v = bro_broker::require_data_type(r->AsRecordVal(), + TYPE_RECORD, frame); - if ( idx >= v.size() ) + if ( idx >= v.size() || caf::get_if(&v[idx]) ) return new RecordVal(BifType::Record::Broker::Data); - if ( ! 
v.fields[idx] ) - return new RecordVal(BifType::Record::Broker::Data); - - return bro_broker::make_data_val(*v.fields[idx]); + return bro_broker::make_data_val(v[idx]); %} function Broker::__record_iterator%(r: Broker::Data%): opaque of Broker::RecordIterator @@ -472,18 +471,18 @@ function Broker::__record_iterator%(r: Broker::Data%): opaque of Broker::RecordI function Broker::__record_iterator_last%(it: opaque of Broker::RecordIterator%): bool %{ auto ri = static_cast(it); - return new Val(ri->it == ri->dat.fields.end(), TYPE_BOOL); + return new Val(ri->it == ri->dat.end(), TYPE_BOOL); %} function Broker::__record_iterator_next%(it: opaque of Broker::RecordIterator%): bool %{ auto ri = static_cast(it); - if ( ri->it == ri->dat.fields.end() ) + if ( ri->it == ri->dat.end() ) return new Val(false, TYPE_BOOL); ++ri->it; - return new Val(ri->it != ri->dat.fields.end(), TYPE_BOOL); + return new Val(ri->it != ri->dat.end(), TYPE_BOOL); %} function Broker::__record_iterator_value%(it: opaque of Broker::RecordIterator%): Broker::Data @@ -491,17 +490,15 @@ function Broker::__record_iterator_value%(it: opaque of Broker::RecordIterator%) auto ri = static_cast(it); auto rval = new RecordVal(BifType::Record::Broker::Data); - if ( ri->it == ri->dat.fields.end() ) + if ( ri->it == ri->dat.end() ) { - reporter->PushLocation(frame->GetCall()->GetLocationInfo()); - reporter->Warning("attempt to retrieve value of invalid record iterator"); - reporter->PopLocation(); + builtin_error("attempt to retrieve value of invalid record iterator"); return rval; } - if ( ! *ri->it ) + if ( caf::get_if(&(*ri->it)) ) return rval; // field isn't set - rval->Assign(0, new bro_broker::DataVal(**ri->it)); + rval->Assign(0, new bro_broker::DataVal(*ri->it)); return rval; %} diff --git a/src/broker/messaging.bif b/src/broker/messaging.bif index dadece9681..bc0d03a629 100644 --- a/src/broker/messaging.bif +++ b/src/broker/messaging.bif 
@@ -1,112 +1,537 @@ -##! Functions for peering and various messaging patterns (e.g. print/log/event). +##! Functions for peering and various messaging patterns. %%{ #include "broker/Manager.h" #include "logging/Manager.h" +#include +#include + +static bool is_string_set(const BroType* type) + { + if ( ! type->IsSet() ) + return false; + + auto index_types = type->AsSetType()->IndexTypes(); + + if ( index_types->length() != 1 ) + return false; + + return (*index_types)[0]->Tag() == TYPE_STRING; + } + +std::set val_to_topic_set(Val* val) + { + std::set rval; + + if ( val->Type()->Tag() == TYPE_STRING ) + rval.emplace(val->AsString()->CheckString()); + else + { + const PDict(TableEntryVal)* tbl = val->AsTable(); + + if ( tbl->Length() == 0 ) + return rval; + + IterCookie* c = tbl->InitForIteration(); + HashKey* k; + + while ( tbl->NextEntry(k, c) ) + { + auto index = val->AsTableVal()->RecoverIndex(k); + rval.emplace(index->Index(0)->AsString()->CheckString()); + Unref(index); + delete k; + } + } + + return rval; + } + +static bool publish_event_args(val_list& args, const BroString* topic, + Frame* frame) + { + bro_broker::Manager::ScriptScopeGuard ssg; + auto rval = false; + + if ( args[0]->Type()->Tag() == TYPE_RECORD ) + rval = broker_mgr->PublishEvent(topic->CheckString(), + args[0]->AsRecordVal()); + else + { + auto ev = broker_mgr->MakeEvent(&args, frame); + rval = broker_mgr->PublishEvent(topic->CheckString(), ev); + Unref(ev); + } + + return rval; + } + +static bool relay_event_args(val_list& args, const BroString* topic, + std::set topic_set, Frame* frame) + { + bro_broker::Manager::ScriptScopeGuard ssg; + auto rval = false; + + if ( args[0]->Type()->Tag() == TYPE_RECORD ) + rval = broker_mgr->RelayEvent(topic->CheckString(), + std::move(topic_set), + args[0]->AsRecordVal(), false); + else + { + auto ev = broker_mgr->MakeEvent(&args, frame); + rval = broker_mgr->RelayEvent(topic->CheckString(), + std::move(topic_set), + ev, false); + Unref(ev); + } + + return 
rval; + } + %%} module Broker; -type Broker::SendFlags: record; - -type Broker::EventArgs: record; - -## Used to handle remote print messages from peers that call -## :bro:see:`Broker::send_print`. -event Broker::print_handler%(msg: string%); - -function Broker::__send_print%(topic: string, msg: string, flags: Broker::SendFlags%): bool - %{ - auto rval = broker_mgr->Print(topic->CheckString(), msg->CheckString(), - flags); - return new Val(rval, TYPE_BOOL); - %} - -function Broker::__subscribe_to_prints%(topic_prefix: string%): bool - %{ - auto rval = broker_mgr->SubscribeToPrints(topic_prefix->CheckString()); - return new Val(rval, TYPE_BOOL); - %} - -function Broker::__unsubscribe_to_prints%(topic_prefix: string%): bool - %{ - auto rval = broker_mgr->UnsubscribeToPrints(topic_prefix->CheckString()); - return new Val(rval, TYPE_BOOL); - %} +type Broker::Event: record; ## Create a data structure that may be used to send a remote event via -## :bro:see:`Broker::send_event`. +## :bro:see:`Broker::publish`. ## ## args: an event, followed by a list of argument values that may be used ## to call it. ## ## Returns: opaque communication data that may be used to send a remote ## event. -function Broker::event_args%(...%): Broker::EventArgs +function Broker::make_event%(...%): Broker::Event %{ - auto rval = broker_mgr->MakeEventArgs(@ARGS@); + bro_broker::Manager::ScriptScopeGuard ssg; + auto rval = broker_mgr->MakeEvent(@ARGS@, frame); return rval; %} -function Broker::__event%(topic: string, args: Broker::EventArgs, flags: Broker::SendFlags%): bool +## Publishes an event at a given topic. +## +## topic: a topic associated with the event message. +## +## args: Either the event arguments as already made by +## :bro:see:`Broker::make_event` or the argument list to pass along +## to it. +## +## Returns: true if the message is sent. 
+function Broker::publish%(topic: string, ...%): bool %{ - auto rval = broker_mgr->Event(topic->CheckString(), args->AsRecordVal(), - flags); + val_list* bif_args = @ARGS@; + val_list args(bif_args->length() - 1); + + for ( auto i = 1; i < bif_args->length(); ++i ) + args.append((*bif_args)[i]); + + auto rval = publish_event_args(args, topic->AsString(), frame); return new Val(rval, TYPE_BOOL); %} -function Broker::__auto_event%(topic: string, ev: any, flags: Broker::SendFlags%): bool +## Publishes an event at a given topic, with any receivers automatically +## forwarding it to its peers with a different topic. The event is relayed +## at most a single hop and the relayer does not call any local event handlers. +## +## first_topic: the initial topic to use for publishing the event. +## +## args: the first member of the argument list may be either a string or +## a set of strings indicating the secondary topic that the first +## set of receivers will use to re-publish the event. The remaining +## members of the argument list are either the return value of a +## previously-made call to :bro:see:`Broker::make_event` or the +## argument list that should be passed along to it, so that it can +## be called as part of executing this function. +## +## Returns: true if the message is sent. +function Broker::relay%(first_topic: string, ...%): bool %{ - auto rval = broker_mgr->AutoEvent(topic->CheckString(), ev, flags); + bro_broker::Manager::ScriptScopeGuard ssg; + val_list* bif_args = @ARGS@; + + if ( bif_args->length() < 3 ) + { + builtin_error("Broker::relay requires at least 3 arguments"); + return new Val(false, TYPE_BOOL); + } + + auto second_topic = (*bif_args)[1]; + + if ( second_topic->Type()->Tag() != TYPE_STRING && + ! 
is_string_set(second_topic->Type()) ) + { + builtin_error("Broker::relay requires a string or string_set as 2nd argument"); + return new Val(false, TYPE_BOOL); + } + + auto topic_set = val_to_topic_set(second_topic); + + if ( topic_set.empty() ) + return new Val(false, TYPE_BOOL); + + val_list args(bif_args->length() - 2); + + for ( auto i = 2; i < bif_args->length(); ++i ) + args.append((*bif_args)[i]); + + auto rval = false; + + if ( args[0]->Type()->Tag() == TYPE_RECORD ) + rval = broker_mgr->RelayEvent(first_topic->CheckString(), + std::move(topic_set), + args[0]->AsRecordVal(), false); + else + { + auto ev = broker_mgr->MakeEvent(&args, frame); + rval = broker_mgr->RelayEvent(first_topic->CheckString(), + std::move(topic_set), ev, false); + Unref(ev); + } + return new Val(rval, TYPE_BOOL); %} -function Broker::__auto_event_stop%(topic: string, ev: any%): bool +## Publishes an event at a given topic, with any receivers automatically +## forwarding it to its peers with a different topic. The event is relayed +## at most a single hop and the relayer does call local event handlers. +## +## first_topic: the initial topic to use for publishing the event. +## +## args: the first member of the argument list may be either a string or +## a set of strings indicating the secondary topic that the first +## set of receivers will use to re-publish the event. The remaining +## members of the argument list are either the return value of a +## previously-made call to :bro:see:`Broker::make_event` or the +## argument list that should be passed along to it, so that it can +## be called as part of executing this function. +## +## Returns: true if the message is sent. 
+function Broker::publish_and_relay%(first_topic: string, ...%): bool %{ - auto rval = broker_mgr->AutoEventStop(topic->CheckString(), ev); + bro_broker::Manager::ScriptScopeGuard ssg; + val_list* bif_args = @ARGS@; + + if ( bif_args->length() < 3 ) + { + builtin_error("Broker::publish_and_relay requires at least 3 arguments"); + return new Val(false, TYPE_BOOL); + } + + auto second_topic = (*bif_args)[1]; + + if ( second_topic->Type()->Tag() != TYPE_STRING && + ! is_string_set(second_topic->Type()) ) + { + builtin_error("Broker::publish_and_relay requires a string or string_set as 2nd argument"); + return new Val(false, TYPE_BOOL); + } + + auto topic_set = val_to_topic_set(second_topic); + + if ( topic_set.empty() ) + return new Val(false, TYPE_BOOL); + + val_list args(bif_args->length() - 2); + + for ( auto i = 2; i < bif_args->length(); ++i ) + args.append((*bif_args)[i]); + + auto rval = false; + + if ( args[0]->Type()->Tag() == TYPE_RECORD ) + rval = broker_mgr->RelayEvent(first_topic->CheckString(), + std::move(topic_set), + args[0]->AsRecordVal(), true); + else + { + auto ev = broker_mgr->MakeEvent(&args, frame); + rval = broker_mgr->RelayEvent(first_topic->CheckString(), + std::move(topic_set), ev, true); + Unref(ev); + } + return new Val(rval, TYPE_BOOL); %} -function Broker::__subscribe_to_events%(topic_prefix: string%): bool +function Broker::__flush_logs%(%): count %{ - auto rval = broker_mgr->SubscribeToEvents(topic_prefix->CheckString()); + auto rval = broker_mgr->FlushLogBuffers(); + return new Val(static_cast(rval), TYPE_COUNT); + %} + +function Broker::__publish_id%(topic: string, id: string%): bool + %{ + bro_broker::Manager::ScriptScopeGuard ssg; + auto rval = broker_mgr->PublishIdentifier(topic->CheckString(), + id->CheckString()); return new Val(rval, TYPE_BOOL); %} -function Broker::__unsubscribe_to_events%(topic_prefix: string%): bool +function Broker::__auto_publish%(topic: string, ev: any%): bool %{ - auto rval = 
broker_mgr->UnsubscribeToEvents(topic_prefix->CheckString()); + bro_broker::Manager::ScriptScopeGuard ssg; + auto rval = broker_mgr->AutoPublishEvent(topic->CheckString(), ev); return new Val(rval, TYPE_BOOL); %} -function Broker::__enable_remote_logs%(id: Log::ID, flags: Broker::SendFlags%): bool +function Broker::__auto_unpublish%(topic: string, ev: any%): bool %{ - auto rval = log_mgr->EnableRemoteLogs(id->AsEnumVal(), - bro_broker::Manager::send_flags_to_int(flags)); + bro_broker::Manager::ScriptScopeGuard ssg; + auto rval = broker_mgr->AutoUnpublishEvent(topic->CheckString(), ev); return new Val(rval, TYPE_BOOL); %} -function Broker::__disable_remote_logs%(id: Log::ID%): bool +function Broker::__subscribe%(topic_prefix: string%): bool %{ - auto rval = log_mgr->DisableRemoteLogs(id->AsEnumVal()); + bro_broker::Manager::ScriptScopeGuard ssg; + auto rval = broker_mgr->Subscribe(topic_prefix->CheckString()); return new Val(rval, TYPE_BOOL); %} -function Broker::__remote_logs_enabled%(id: Log::ID%): bool +function Broker::__unsubscribe%(topic_prefix: string%): bool %{ - auto rval = log_mgr->RemoteLogsAreEnabled(id->AsEnumVal()); + bro_broker::Manager::ScriptScopeGuard ssg; + auto rval = broker_mgr->Unsubscribe(topic_prefix->CheckString()); return new Val(rval, TYPE_BOOL); %} -function Broker::__subscribe_to_logs%(topic_prefix: string%): bool +module Cluster; + +type Cluster::Pool: record; + +## Publishes an event to a node within a pool according to Round-Robin +## distribution strategy. +## +## pool: the pool of nodes that are eligible to receive the event. +## +## key: an arbitrary string to identify the purpose for which you're +## distributing the event. e.g. consider using namespacing of your +## script like "Intel::cluster_rr_key". +## +## args: Either the event arguments as already made by +## :bro:see:`Broker::make_event` or the argument list to pass along +## to it. +## +## Returns: true if the message is sent. 
+function Cluster::publish_rr%(pool: Pool, key: string, ...%): bool %{ - auto rval = broker_mgr->SubscribeToLogs(topic_prefix->CheckString()); + static Func* topic_func = 0; + + if ( ! topic_func ) + topic_func = global_scope()->Lookup("Cluster::rr_topic")->ID_Val()->AsFunc(); + + val_list vl(2); + vl.append(pool->Ref()); + vl.append(key->Ref()); + auto topic = topic_func->Call(&vl); + + if ( ! topic->AsString()->Len() ) + { + Unref(topic); + return new Val(false, TYPE_BOOL); + } + + val_list* bif_args = @ARGS@; + val_list args(bif_args->length() - 2); + + for ( auto i = 2; i < bif_args->length(); ++i ) + args.append((*bif_args)[i]); + + auto rval = publish_event_args(args, topic->AsString(), frame); + Unref(topic); return new Val(rval, TYPE_BOOL); %} -function Broker::__unsubscribe_to_logs%(topic_prefix: string%): bool + +## Publishes an event at a given topic, with a receiver node chosen +## from a pool according to Round-Robin distribution strategy. The receiving +## node, then automatically forwards it to its peers with a different topic. +## The event is relayed at most a single hop. +## +## pool: the pool of nodes that are eligible to receive the event. +## +## key: an arbitrary string to identify the purpose for which you're +## distributing the event. e.g. consider using namespacing of your +## script like "Intel::cluster_rr_key". +## +## args: the first member of the argument list may be either a string or +## a set of strings indicating the secondary topic that the receiver +## will use to re-publish the event. The remaining +## members of the argument list are either the return value of a +## previously-made call to :bro:see:`Broker::make_event` or the +## argument list that should be passed along to it, so that it can +## be called as part of executing this function. +## +## Returns: true if the message is sent. 
+function Cluster::relay_rr%(pool: Pool, key: any, ...%): bool %{ - auto rval = broker_mgr->UnsubscribeToLogs(topic_prefix->CheckString()); + val_list* bif_args = @ARGS@; + + if ( bif_args->length() < 4 ) + { + builtin_error("Cluster::relay_rr requires at least 4 arguments"); + return new Val(false, TYPE_BOOL); + } + + static Func* topic_func = 0; + + if ( ! topic_func ) + topic_func = global_scope()->Lookup("Cluster::rr_topic")->ID_Val()->AsFunc(); + + val_list vl(2); + vl.append(pool->Ref()); + vl.append(key->Ref()); + auto topic = topic_func->Call(&vl); + + if ( ! topic->AsString()->Len() ) + { + Unref(topic); + return new Val(false, TYPE_BOOL); + } + + auto second_topic = (*bif_args)[2]; + + if ( second_topic->Type()->Tag() != TYPE_STRING && + ! is_string_set(second_topic->Type()) ) + { + builtin_error("Cluster::relay_rr requires a string or string_set as 3rd argument"); + Unref(topic); + return new Val(false, TYPE_BOOL); + } + + auto topic_set = val_to_topic_set(second_topic); + + if ( topic_set.empty() ) + { + Unref(topic); + return new Val(false, TYPE_BOOL); + } + + val_list args(bif_args->length() - 3); + + for ( auto i = 3; i < bif_args->length(); ++i ) + args.append((*bif_args)[i]); + + auto rval = relay_event_args(args, topic->AsString(), std::move(topic_set), + frame); + Unref(topic); + return new Val(rval, TYPE_BOOL); + %} + +## Publishes an event to a node within a pool according to Rendezvous +## (Highest Random Weight) hashing strategy. +## +## pool: the pool of nodes that are eligible to receive the event. +## +## key: data used for input to the hashing function that will uniformly +## distribute keys among available nodes. +## +## args: Either the event arguments as already made by +## :bro:see:`Broker::make_event` or the argument list to pass along +## to it. +## +## Returns: true if the message is sent. +function Cluster::publish_hrw%(pool: Pool, key: any, ...%): bool + %{ + static Func* topic_func = 0; + + if ( ! 
topic_func ) + topic_func = global_scope()->Lookup("Cluster::hrw_topic")->ID_Val()->AsFunc(); + + val_list vl(2); + vl.append(pool->Ref()); + vl.append(key->Ref()); + auto topic = topic_func->Call(&vl); + + if ( ! topic->AsString()->Len() ) + { + Unref(topic); + return new Val(false, TYPE_BOOL); + } + + val_list* bif_args = @ARGS@; + val_list args(bif_args->length() - 2); + + for ( auto i = 2; i < bif_args->length(); ++i ) + args.append((*bif_args)[i]); + + auto rval = publish_event_args(args, topic->AsString(), frame); + Unref(topic); + return new Val(rval, TYPE_BOOL); + %} + +## Publishes an event at a given topic, with a receiver node chosen +## from a pool according to Rendezvous (Highest Random Weight) distribution +## strategy. The receiving nodes then automatically forwards it to its peers +## with a different topic. The event is relayed at most a single hop. +## +## pool: the pool of nodes that are eligible to receive the event. +## +## key: data used for input to the hashing function that will uniformly +## distribute keys among available nodes. +## +## args: the first member of the argument list may be either a string or +## a set of strings indicating the secondary topic that the receiver +## will use to re-publish the event. The remaining +## members of the argument list are either the return value of a +## previously-made call to :bro:see:`Broker::make_event` or the +## argument list that should be passed along to it, so that it can +## be called as part of executing this function. +## +## Returns: true if the message is sent. +function Cluster::relay_hrw%(pool: Pool, key: any, ...%): bool + %{ + val_list* bif_args = @ARGS@; + + if ( bif_args->length() < 4 ) + { + builtin_error("Cluster::relay_hrw requires at least 4 arguments"); + return new Val(false, TYPE_BOOL); + } + + static Func* topic_func = 0; + + if ( ! 
topic_func ) + topic_func = global_scope()->Lookup("Cluster::hrw_topic")->ID_Val()->AsFunc(); + + val_list vl(2); + vl.append(pool->Ref()); + vl.append(key->Ref()); + auto topic = topic_func->Call(&vl); + + if ( ! topic->AsString()->Len() ) + { + Unref(topic); + return new Val(false, TYPE_BOOL); + } + + auto second_topic = (*bif_args)[2]; + + if ( second_topic->Type()->Tag() != TYPE_STRING && + ! is_string_set(second_topic->Type()) ) + { + builtin_error("Cluster::relay_hrw requires a string or string_set as 3rd argument"); + Unref(topic); + return new Val(false, TYPE_BOOL); + } + + auto topic_set = val_to_topic_set(second_topic); + + if ( topic_set.empty() ) + { + Unref(topic); + return new Val(false, TYPE_BOOL); + } + + val_list args(bif_args->length() - 3); + + for ( auto i = 3; i < bif_args->length(); ++i ) + args.append((*bif_args)[i]); + + auto rval = relay_event_args(args, topic->AsString(), std::move(topic_set), + frame); + Unref(topic); return new Val(rval, TYPE_BOOL); %} diff --git a/src/broker/store.bif b/src/broker/store.bif index 6d7ddea6af..af17ceebae 100644 --- a/src/broker/store.bif +++ b/src/broker/store.bif @@ -6,12 +6,24 @@ #include "broker/Store.h" #include "broker/Data.h" #include "Trigger.h" + +static broker::optional prepare_expiry(double e) + { + broker::optional ts; + + if ( e ) + { + broker::timespan x; + broker::convert(e, x); + ts = x; + } + + return ts; + } %%} module Broker; -type Broker::ExpiryTime: record; - type Broker::QueryResult: record; type Broker::BackendOptions: record; 
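Review bot: The new `prepare_expiry` helper in src/broker/store.bif has no comment stating its contract, and its `if ( e )` test only filters out an interval of exactly zero. A negative interval supplied by a script is still handed to `broker::convert` and becomes an expiry; how Broker treats a negative timespan is not visible in this hunk, so the behaviour should be decided explicitly. I would add `// An interval of 0 means "no expiry"; any other value is converted to a broker::timespan.` above the function, and use `if ( e > 0 )` if negative expiries are not meant to be accepted.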
@@ -24,410 +36,628 @@ enum BackendType %{ %} function Broker::__create_master%(id: string, b: BackendType, - options: BackendOptions &default = BackendOptions()%): opaque of Broker::Handle + options: BackendOptions &default = BackendOptions()%): opaque of Broker::Store %{ - auto id_str = id->CheckString(); - auto type = bro_broker::StoreType::MASTER; - auto rval = broker_mgr->LookupStore(id_str, type); + bro_broker::Manager::ScriptScopeGuard ssg; + auto name = id->CheckString(); + auto rval = broker_mgr->LookupStore(name); if ( rval ) { - Ref(rval); + ::Ref(rval); return rval; } - rval = new bro_broker::StoreHandleVal(id_str, type, - static_cast(b->AsEnum()), - options->AsRecordVal()); - auto added = broker_mgr->AddStore(rval); - assert(added); - return rval; + auto e = static_cast(b->AsEnum()); + auto type = bro_broker::to_backend_type(e); + auto opts = bro_broker::to_backend_options(type, options->AsRecordVal()); + + auto store = broker_mgr->MakeMaster(name, type, std::move(opts)); + + if ( ! 
store ) + { + builtin_error(fmt("Could not create Broker master store '%s'", name)); + return nullptr; + } + + return store; %} -function Broker::__create_clone%(id: string, b: BackendType, - options: BackendOptions &default = BackendOptions(), - resync: interval &default = 1sec%): opaque of Broker::Handle +function Broker::__create_clone%(id: string, resync_interval: interval, + stale_interval: interval, + mutation_buffer_interval: interval%): opaque of Broker::Store %{ - auto id_str = id->CheckString(); - auto type = bro_broker::StoreType::CLONE; - auto rval = broker_mgr->LookupStore(id_str, type); + bro_broker::Manager::ScriptScopeGuard ssg; + auto name = id->CheckString(); + auto rval = broker_mgr->LookupStore(name); if ( rval ) { - Ref(rval); + ::Ref(rval); return rval; } - rval = new bro_broker::StoreHandleVal(id_str, type, - static_cast(b->AsEnum()), - options->AsRecordVal(), - std::chrono::duration(resync)); - auto added = broker_mgr->AddStore(rval); - assert(added); - return rval; - %} - -function Broker::__create_frontend%(id: string%): opaque of Broker::Handle - %{ - auto id_str = id->CheckString(); - auto type = bro_broker::StoreType::FRONTEND; - auto rval = broker_mgr->LookupStore(id_str, type); - - if ( rval ) + auto store = broker_mgr->MakeClone(name, resync_interval, stale_interval, + mutation_buffer_interval); + if ( ! store ) { - Ref(rval); - return rval; + builtin_error(fmt("Could not create clone of Broker store '%s'", name)); + return nullptr; } - rval = new bro_broker::StoreHandleVal(id_str, type, {}, nullptr); - auto added = broker_mgr->AddStore(rval); - assert(added); - return rval; + return store; %} -function Broker::__close_by_handle%(h: opaque of Broker::Handle%): bool +function Broker::__is_closed%(h: opaque of Broker::Store%): bool %{ - auto handle = static_cast(h); + bro_broker::Manager::ScriptScopeGuard ssg; - if ( ! 
handle->store ) - return new Val(false, TYPE_BOOL); - - return new Val(broker_mgr->CloseStore(handle->store->id(), - handle->store_type), TYPE_BOOL); - %} - -########################### -# non-blocking update API # -########################### - -function Broker::__insert%(h: opaque of Broker::Handle, - k: Broker::Data, v: Broker::Data, - e: Broker::ExpiryTime &default = Broker::ExpiryTime()%): bool - %{ - auto handle = static_cast(h); - - if ( ! handle->store ) - return new Val(false, TYPE_BOOL); - - auto& key = bro_broker::opaque_field_to_data(k->AsRecordVal(), frame); - auto& val = bro_broker::opaque_field_to_data(v->AsRecordVal(), frame); - - using broker::store::expiration_time; - - auto abs_expiry_val = e->AsRecordVal()->Lookup(0); - - if ( abs_expiry_val ) + if ( ! h ) { - auto expiry = expiration_time(abs_expiry_val->AsTime()); - handle->store->insert(key, val, expiry); - return new Val(true, TYPE_BOOL); + builtin_error("invalid Broker store handle"); + return new Val(false, TYPE_BOOL); } - auto rel_expiry_val = e->AsRecordVal()->Lookup(1); + auto handle = static_cast(h); + return new Val(broker_mgr->LookupStore(handle->store.name()), TYPE_BOOL); + %} - if ( rel_expiry_val ) +function Broker::__close%(h: opaque of Broker::Store%): bool + %{ + bro_broker::Manager::ScriptScopeGuard ssg; + + if ( ! h ) { - auto ct = broker::time_point::now().value; - auto expiry = expiration_time(rel_expiry_val->AsInterval(), ct); - handle->store->insert(key, val, expiry); - return new Val(true, TYPE_BOOL); + builtin_error("invalid Broker store handle"); + return new Val(false, TYPE_BOOL); } - handle->store->insert(key, val); - return new Val(true, TYPE_BOOL); + auto handle = static_cast(h); + return new Val(broker_mgr->CloseStore(handle->store.name()), TYPE_BOOL); %} -function Broker::__erase%(h: opaque of Broker::Handle, k: Broker::Data%): bool +function Broker::__store_name%(h: opaque of Broker::Store%): string %{ - auto handle = static_cast(h); - - if ( ! 
handle->store ) - return new Val(false, TYPE_BOOL); - - auto& key = bro_broker::opaque_field_to_data(k->AsRecordVal(), frame); - handle->store->erase(key); - return new Val(true, TYPE_BOOL); - %} - -function Broker::__clear%(h: opaque of Broker::Handle%): bool - %{ - auto handle = static_cast(h); - - if ( ! handle->store ) - return new Val(false, TYPE_BOOL); - - handle->store->clear(); - return new Val(true, TYPE_BOOL); - %} - -function Broker::__increment%(h: opaque of Broker::Handle, - k: Broker::Data, by: int &default = +1%): bool - %{ - auto handle = static_cast(h); - - if ( ! handle->store ) - return new Val(false, TYPE_BOOL); - - auto& key = bro_broker::opaque_field_to_data(k->AsRecordVal(), frame); - handle->store->increment(key, by); - return new Val(true, TYPE_BOOL); - %} - -function Broker::__decrement%(h: opaque of Broker::Handle, - k: Broker::Data, by: int &default = +1%): bool - %{ - auto handle = static_cast(h); - - if ( ! handle->store ) - return new Val(false, TYPE_BOOL); - - auto& key = bro_broker::opaque_field_to_data(k->AsRecordVal(), frame); - handle->store->decrement(key, by); - return new Val(true, TYPE_BOOL); - %} - -function Broker::__add_to_set%(h: opaque of Broker::Handle, - k: Broker::Data, element: Broker::Data%): bool - %{ - auto handle = static_cast(h); - - if ( ! handle->store ) - return new Val(false, TYPE_BOOL); - - auto& key = bro_broker::opaque_field_to_data(k->AsRecordVal(), frame); - auto& ele = bro_broker::opaque_field_to_data(element->AsRecordVal(), frame); - handle->store->add_to_set(key, ele); - return new Val(true, TYPE_BOOL); - %} - -function Broker::__remove_from_set%(h: opaque of Broker::Handle, - k: Broker::Data, element: Broker::Data%): bool - %{ - auto handle = static_cast(h); - - if ( ! 
handle->store ) - return new Val(false, TYPE_BOOL); - - auto& key = bro_broker::opaque_field_to_data(k->AsRecordVal(), frame); - auto& ele = bro_broker::opaque_field_to_data(element->AsRecordVal(), frame); - handle->store->remove_from_set(key, ele); - return new Val(true, TYPE_BOOL); - %} - -function Broker::__push_left%(h: opaque of Broker::Handle, k: Broker::Data, - items: Broker::DataVector%): bool - %{ - auto handle = static_cast(h); - - if ( ! handle->store ) - return new Val(false, TYPE_BOOL); - - auto& key = bro_broker::opaque_field_to_data(k->AsRecordVal(), frame); - broker::vector items_vector; - auto items_vv = items->AsVector(); - - for ( auto i = 0u; i < items_vv->size(); ++i ) + if ( ! h ) { - auto& item = bro_broker::opaque_field_to_data((*items_vv)[i]->AsRecordVal(), - frame); - items_vector.emplace_back(item); + builtin_error("invalid Broker store handle"); + return new StringVal(""); } - handle->store->push_left(key, move(items_vector)); - return new Val(true, TYPE_BOOL); - %} - -function Broker::__push_right%(h: opaque of Broker::Handle, k: Broker::Data, - items: Broker::DataVector%): bool - %{ auto handle = static_cast(h); - - if ( ! handle->store ) - return new Val(false, TYPE_BOOL); - - auto& key = bro_broker::opaque_field_to_data(k->AsRecordVal(), frame); - broker::vector items_vector; - auto items_vv = items->AsVector(); - - for ( auto i = 0u; i < items_vv->size(); ++i ) - { - auto& item = bro_broker::opaque_field_to_data((*items_vv)[i]->AsRecordVal(), - frame); - items_vector.emplace_back(item); - } - - handle->store->push_right(key, move(items_vector)); - return new Val(true, TYPE_BOOL); + return new StringVal(handle->store.name()); %} -########################## -# non-blocking query API # -########################## - -%%{ -static bool prepare_for_query(Val* opaque, Frame* frame, - bro_broker::StoreHandleVal** handle, - double* timeout, - bro_broker::StoreQueryCallback** cb) - { - *handle = static_cast(opaque); - - if ( ! 
(*handle)->store ) +function Broker::__exists%(h: opaque of Broker::Store, + k: any%): Broker::QueryResult + %{ + if ( ! h ) { - reporter->PushLocation(frame->GetCall()->GetLocationInfo()); - reporter->Error("Broker query has an invalid data store"); - reporter->PopLocation(); - return false; + builtin_error("invalid Broker store handle"); + return new Val(false, TYPE_BOOL); } - Trigger* trigger = frame->GetTrigger(); + auto handle = static_cast(h); + auto key = bro_broker::val_to_data(k); + + if ( ! key ) + { + builtin_error("invalid Broker data conversion for key argument"); + return bro_broker::query_result(); + } + + auto trigger = frame->GetTrigger(); if ( ! trigger ) { - reporter->PushLocation(frame->GetCall()->GetLocationInfo()); - reporter->Error("Broker queries can only be called inside when-condition"); - reporter->PopLocation(); - return false; + builtin_error("Broker queries can only be called inside when-condition"); + return bro_broker::query_result(); } - *timeout = trigger->TimeoutValue(); + auto timeout = trigger->TimeoutValue(); - if ( *timeout < 0 ) + if ( timeout < 0 ) { - reporter->PushLocation(frame->GetCall()->GetLocationInfo()); - reporter->Error("Broker queries must specify a timeout block"); - reporter->PopLocation(); - return false; + builtin_error("Broker queries must specify a timeout block"); + return bro_broker::query_result(); } frame->SetDelayed(); trigger->Hold(); - *cb = new bro_broker::StoreQueryCallback(trigger, frame->GetCall(), - (*handle)->store->id(), - (*handle)->store_type); - broker_mgr->TrackStoreQuery(*cb); - return true; - } -%%} + auto cb = new bro_broker::StoreQueryCallback(trigger, frame->GetCall(), + handle->store); + auto req_id = handle->proxy.exists(std::move(*key)); + broker_mgr->TrackStoreQuery(handle, req_id, cb); -function Broker::__pop_left%(h: opaque of Broker::Handle, - k: Broker::Data%): Broker::QueryResult + return 0; + %} + +function Broker::__get%(h: opaque of Broker::Store, + k: any%): 
Broker::QueryResult %{ - if ( ! broker_mgr->Enabled() ) - return bro_broker::query_result(); + if ( ! h ) + { + builtin_error("invalid Broker store handle"); + return new Val(false, TYPE_BOOL); + } - Val* key = k->AsRecordVal()->Lookup(0); + auto handle = static_cast(h); + auto key = bro_broker::val_to_data(k); if ( ! key ) + { + builtin_error("invalid Broker data conversion for key argument"); return bro_broker::query_result(); + } - double timeout; - bro_broker::StoreQueryCallback* cb; - bro_broker::StoreHandleVal* handle; + auto trigger = frame->GetTrigger(); - if ( ! prepare_for_query(h, frame, &handle, &timeout, &cb) ) + if ( ! trigger ) + { + builtin_error("Broker queries can only be called inside when-condition"); return bro_broker::query_result(); + } + + auto timeout = trigger->TimeoutValue(); + + if ( timeout < 0 ) + { + builtin_error("Broker queries must specify a timeout block"); + return bro_broker::query_result(); + } + + frame->SetDelayed(); + trigger->Hold(); + + auto cb = new bro_broker::StoreQueryCallback(trigger, frame->GetCall(), + handle->store); + auto req_id = handle->proxy.get(std::move(*key)); + broker_mgr->TrackStoreQuery(handle, req_id, cb); - handle->store->pop_left(static_cast(key)->data, - std::chrono::duration(timeout), cb); return 0; %} -function Broker::__pop_right%(h: opaque of Broker::Handle, - k: Broker::Data%): Broker::QueryResult +function Broker::__put_unique%(h: opaque of Broker::Store, + k: any, v: any, e: interval%): Broker::QueryResult %{ - if ( ! broker_mgr->Enabled() ) - return bro_broker::query_result(); + if ( ! h ) + { + builtin_error("invalid Broker store handle"); + return new Val(false, TYPE_BOOL); + } - Val* key = k->AsRecordVal()->Lookup(0); + auto handle = static_cast(h); + auto key = bro_broker::val_to_data(k); + auto val = bro_broker::val_to_data(v); if ( ! 
key ) + { + builtin_error("invalid Broker data conversion for key argument"); return bro_broker::query_result(); + } - double timeout; - bro_broker::StoreQueryCallback* cb; - bro_broker::StoreHandleVal* handle; - - if ( ! prepare_for_query(h, frame, &handle, &timeout, &cb) ) + if ( ! val ) + { + builtin_error("invalid Broker data conversion for value argument"); return bro_broker::query_result(); + } + + auto trigger = frame->GetTrigger(); + + if ( ! trigger ) + { + builtin_error("Broker queries can only be called inside when-condition"); + return bro_broker::query_result(); + } + + auto timeout = trigger->TimeoutValue(); + + if ( timeout < 0 ) + { + builtin_error("Broker queries must specify a timeout block"); + return bro_broker::query_result(); + } + + frame->SetDelayed(); + trigger->Hold(); + + auto cb = new bro_broker::StoreQueryCallback(trigger, frame->GetCall(), + handle->store); + + auto req_id = handle->proxy.put_unique(std::move(*key), std::move(*val), + prepare_expiry(e)); + broker_mgr->TrackStoreQuery(handle, req_id, cb); - handle->store->pop_right(static_cast(key)->data, - std::chrono::duration(timeout), cb); return 0; %} -function Broker::__lookup%(h: opaque of Broker::Handle, - k: Broker::Data%): Broker::QueryResult +function Broker::__get_index_from_value%(h: opaque of Broker::Store, + k: any, i: any%): Broker::QueryResult %{ - if ( ! broker_mgr->Enabled() ) - return bro_broker::query_result(); + if ( ! h ) + { + builtin_error("invalid Broker store handle"); + return new Val(false, TYPE_BOOL); + } - Val* key = k->AsRecordVal()->Lookup(0); + auto handle = static_cast(h); + auto key = bro_broker::val_to_data(k); if ( ! key ) + { + builtin_error("invalid Broker data conversion for key argument"); return bro_broker::query_result(); + } - double timeout; - bro_broker::StoreQueryCallback* cb; - bro_broker::StoreHandleVal* handle; + auto index = bro_broker::val_to_data(i); - if ( ! prepare_for_query(h, frame, &handle, &timeout, &cb) ) + if ( ! 
index ) + { + builtin_error("invalid Broker data conversion for index argument"); return bro_broker::query_result(); + } + + auto trigger = frame->GetTrigger(); + + if ( ! trigger ) + { + builtin_error("Broker queries can only be called inside when-condition"); + return bro_broker::query_result(); + } + + auto timeout = trigger->TimeoutValue(); + + if ( timeout < 0 ) + { + builtin_error("Broker queries must specify a timeout block"); + return bro_broker::query_result(); + } + + frame->SetDelayed(); + trigger->Hold(); + + auto cb = new bro_broker::StoreQueryCallback(trigger, frame->GetCall(), + handle->store); + auto req_id = handle->proxy.get_index_from_value(std::move(*key), + std::move(*index)); + broker_mgr->TrackStoreQuery(handle, req_id, cb); - handle->store->lookup(static_cast(key)->data, - std::chrono::duration(timeout), cb); return 0; %} -function Broker::__exists%(h: opaque of Broker::Handle, - k: Broker::Data%): Broker::QueryResult +function Broker::__keys%(h: opaque of Broker::Store%): Broker::QueryResult %{ - if ( ! broker_mgr->Enabled() ) - return bro_broker::query_result(); + if ( ! h ) + { + builtin_error("invalid Broker store handle"); + return new Val(false, TYPE_BOOL); + } - Val* key = k->AsRecordVal()->Lookup(0); + auto handle = static_cast(h); + + auto trigger = frame->GetTrigger(); + + if ( ! trigger ) + { + builtin_error("Broker queries can only be called inside when-condition"); + return bro_broker::query_result(); + } + + auto timeout = trigger->TimeoutValue(); + + if ( timeout < 0 ) + { + builtin_error("Broker queries must specify a timeout block"); + return bro_broker::query_result(); + } + + frame->SetDelayed(); + trigger->Hold(); + + auto cb = new bro_broker::StoreQueryCallback(trigger, frame->GetCall(), + handle->store); + auto req_id = handle->proxy.keys(); + broker_mgr->TrackStoreQuery(handle, req_id, cb); + + return 0; + %} + +function Broker::__put%(h: opaque of Broker::Store, + k: any, v: any, e: interval%): bool + %{ + if ( ! 
h ) + { + builtin_error("invalid Broker store handle"); + return new Val(false, TYPE_BOOL); + } + + auto handle = static_cast(h); + auto key = bro_broker::val_to_data(k); + auto val = bro_broker::val_to_data(v); if ( ! key ) - return bro_broker::query_result(); + { + builtin_error("invalid Broker data conversion for key argument"); + return new Val(false, TYPE_BOOL); + } - double timeout; - bro_broker::StoreQueryCallback* cb; - bro_broker::StoreHandleVal* handle; + if ( ! val ) + { + builtin_error("invalid Broker data conversion for value argument"); + return new Val(false, TYPE_BOOL); + } - if ( ! prepare_for_query(h, frame, &handle, &timeout, &cb) ) - return bro_broker::query_result(); - - handle->store->exists(static_cast(key)->data, - std::chrono::duration(timeout), cb); - return 0; + handle->store.put(std::move(*key), std::move(*val), prepare_expiry(e)); + return new Val(true, TYPE_BOOL); %} -function Broker::__keys%(h: opaque of Broker::Handle%): Broker::QueryResult +function Broker::__erase%(h: opaque of Broker::Store, k: any%): bool %{ - double timeout; - bro_broker::StoreQueryCallback* cb; - bro_broker::StoreHandleVal* handle; + if ( ! h ) + { + builtin_error("invalid Broker store handle"); + return new Val(false, TYPE_BOOL); + } - if ( ! prepare_for_query(h, frame, &handle, &timeout, &cb) ) - return bro_broker::query_result(); + auto handle = static_cast(h); + auto key = bro_broker::val_to_data(k); - handle->store->keys(std::chrono::duration(timeout), cb); - return 0; + if ( ! key ) + { + builtin_error("invalid Broker data conversion for key argument"); + return new Val(false, TYPE_BOOL); + } + + handle->store.erase(std::move(*key)); + return new Val(true, TYPE_BOOL); %} -function Broker::__size%(h: opaque of Broker::Handle%): Broker::QueryResult +function Broker::__increment%(h: opaque of Broker::Store, k: any, a: any, + e: interval%): bool %{ - if ( ! broker_mgr->Enabled() ) - return bro_broker::query_result(); + if ( ! 
h ) + { + builtin_error("invalid Broker store handle"); + return new Val(false, TYPE_BOOL); + } - double timeout; - bro_broker::StoreQueryCallback* cb; - bro_broker::StoreHandleVal* handle; + auto handle = static_cast(h); + auto key = bro_broker::val_to_data(k); + auto amount = bro_broker::val_to_data(a); - if ( ! prepare_for_query(h, frame, &handle, &timeout, &cb) ) - return bro_broker::query_result(); + if ( ! key ) + { + builtin_error("invalid Broker data conversion for key argument"); + return new Val(false, TYPE_BOOL); + } - handle->store->size(std::chrono::duration(timeout), cb); - return 0; + if ( ! amount ) + { + builtin_error("invalid Broker data conversion for amount argument"); + return new Val(false, TYPE_BOOL); + } + + handle->store.increment(std::move(*key), std::move(*amount), + prepare_expiry(e)); + return new Val(true, TYPE_BOOL); + %} + +function Broker::__decrement%(h: opaque of Broker::Store, k: any, a: any, + e: interval%): bool + %{ + if ( ! h ) + { + builtin_error("invalid Broker store handle"); + return new Val(false, TYPE_BOOL); + } + + auto handle = static_cast(h); + auto key = bro_broker::val_to_data(k); + auto amount = bro_broker::val_to_data(a); + + if ( ! key ) + { + builtin_error("invalid Broker data conversion for key argument"); + return new Val(false, TYPE_BOOL); + } + + if ( ! amount ) + { + builtin_error("invalid Broker data conversion for amount argument"); + return new Val(false, TYPE_BOOL); + } + + handle->store.decrement(std::move(*key), std::move(*amount), prepare_expiry(e)); + return new Val(true, TYPE_BOOL); + %} + +function Broker::__append%(h: opaque of Broker::Store, k: any, s: any, + e: interval%): bool + %{ + if ( ! h ) + { + builtin_error("invalid Broker store handle"); + return new Val(false, TYPE_BOOL); + } + + auto handle = static_cast(h); + auto key = bro_broker::val_to_data(k); + auto str = bro_broker::val_to_data(s); + + if ( ! 
key ) + { + builtin_error("invalid Broker data conversion for key argument"); + return new Val(false, TYPE_BOOL); + } + + if ( ! str ) + { + builtin_error("invalid Broker data conversion for str argument"); + return new Val(false, TYPE_BOOL); + } + + handle->store.append(std::move(*key), std::move(*str), prepare_expiry(e)); + return new Val(true, TYPE_BOOL); + %} + +function Broker::__insert_into_set%(h: opaque of Broker::Store, k: any, i: any, + e: interval%): bool + %{ + if ( ! h ) + { + builtin_error("invalid Broker store handle"); + return new Val(false, TYPE_BOOL); + } + + auto handle = static_cast(h); + auto key = bro_broker::val_to_data(k); + auto idx = bro_broker::val_to_data(i); + + if ( ! key ) + { + builtin_error("invalid Broker data conversion for key argument"); + return new Val(false, TYPE_BOOL); + } + + if ( ! idx ) + { + builtin_error("invalid Broker data conversion for index argument"); + return new Val(false, TYPE_BOOL); + } + + handle->store.insert_into(std::move(*key), std::move(*idx), + prepare_expiry(e)); + return new Val(true, TYPE_BOOL); + %} + +function Broker::__insert_into_table%(h: opaque of Broker::Store, k: any, + i: any, v: any, e: interval%): bool + %{ + if ( ! h ) + { + builtin_error("invalid Broker store handle"); + return new Val(false, TYPE_BOOL); + } + + auto handle = static_cast(h); + auto key = bro_broker::val_to_data(k); + auto idx = bro_broker::val_to_data(i); + auto val = bro_broker::val_to_data(v); + + if ( ! key ) + { + builtin_error("invalid Broker data conversion for key argument"); + return new Val(false, TYPE_BOOL); + } + + if ( ! idx ) + { + builtin_error("invalid Broker data conversion for index argument"); + return new Val(false, TYPE_BOOL); + } + + if ( ! 
val ) + { + builtin_error("invalid Broker data conversion for value argument"); + return new Val(false, TYPE_BOOL); + } + + handle->store.insert_into(std::move(*key), std::move(*idx), + std::move(*val), prepare_expiry(e)); + return new Val(true, TYPE_BOOL); + %} + +function Broker::__remove_from%(h: opaque of Broker::Store, k: any, i: any, + e: interval%): bool + %{ + if ( ! h ) + { + builtin_error("invalid Broker store handle"); + return new Val(false, TYPE_BOOL); + } + + auto handle = static_cast(h); + auto key = bro_broker::val_to_data(k); + auto idx = bro_broker::val_to_data(i); + + if ( ! key ) + { + builtin_error("invalid Broker data conversion for key argument"); + return new Val(false, TYPE_BOOL); + } + + if ( ! idx ) + { + builtin_error("invalid Broker data conversion for index argument"); + return new Val(false, TYPE_BOOL); + } + + handle->store.remove_from(std::move(*key), std::move(*idx), + prepare_expiry(e)); + return new Val(true, TYPE_BOOL); + %} + +function Broker::__push%(h: opaque of Broker::Store, k: any, v: any, + e: interval%): bool + %{ + if ( ! h ) + { + builtin_error("invalid Broker store handle"); + return new Val(false, TYPE_BOOL); + } + + auto handle = static_cast(h); + auto key = bro_broker::val_to_data(k); + auto val = bro_broker::val_to_data(v); + + if ( ! key ) + { + builtin_error("invalid Broker data conversion for key argument"); + return new Val(false, TYPE_BOOL); + } + + if ( ! val ) + { + builtin_error("invalid Broker data conversion for value argument"); + return new Val(false, TYPE_BOOL); + } + + handle->store.push(std::move(*key), std::move(*val), prepare_expiry(e)); + return new Val(true, TYPE_BOOL); + %} + +function Broker::__pop%(h: opaque of Broker::Store, k: any, e: interval%): bool + %{ + if ( ! h ) + { + builtin_error("invalid Broker store handle"); + return new Val(false, TYPE_BOOL); + } + + auto handle = static_cast(h); + auto key = bro_broker::val_to_data(k); + + if ( ! 
key ) + { + builtin_error("invalid Broker data conversion for key argument"); + return new Val(false, TYPE_BOOL); + } + + handle->store.pop(std::move(*key), prepare_expiry(e)); + return new Val(true, TYPE_BOOL); + %} + +function Broker::__clear%(h: opaque of Broker::Store%): bool + %{ + if ( ! h ) + { + builtin_error("invalid Broker store handle"); + return new Val(false, TYPE_BOOL); + } + + auto handle = static_cast(h); + + handle->store.clear(); + return new Val(true, TYPE_BOOL); %} diff --git a/src/broxygen/Configuration.h b/src/broxygen/Configuration.h index 7729c800b3..d41deb2c71 100644 --- a/src/broxygen/Configuration.h +++ b/src/broxygen/Configuration.h @@ -27,7 +27,7 @@ public: * an empty string most methods are a no-op. * @param delim The delimiter between target fields. */ - Config(const std::string& file, const std::string& delim = "\t"); + explicit Config(const std::string& file, const std::string& delim = "\t"); /** * Destructor, cleans up targets created when parsing config file. diff --git a/src/broxygen/IdentifierInfo.h b/src/broxygen/IdentifierInfo.h index 9a315ed3a5..be7e721838 100644 --- a/src/broxygen/IdentifierInfo.h +++ b/src/broxygen/IdentifierInfo.h @@ -36,7 +36,7 @@ public: /** * Dtor. Releases any references to script-level objects. */ - ~IdentifierInfo(); + ~IdentifierInfo() override; /** * Add a comment associated with the identifier. If the identifier is a @@ -131,12 +131,12 @@ public: private: - time_t DoGetModificationTime() const; + time_t DoGetModificationTime() const override; - std::string DoName() const + std::string DoName() const override { return id->Name(); } - std::string DoReStructuredText(bool roles_only) const; + std::string DoReStructuredText(bool roles_only) const override; struct RecordField { ~RecordField() diff --git a/src/broxygen/Manager.cc b/src/broxygen/Manager.cc index 9e33e6919b..4fd28d60f5 100644 --- a/src/broxygen/Manager.cc +++ b/src/broxygen/Manager.cc 
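Review bot: In src/broker/store.bif the `! h` guard of the query BIFs `Broker::__exists`, `__get`, `__put_unique`, `__get_index_from_value` and `__keys` returns `new Val(false, TYPE_BOOL)`, although these functions are declared to return `Broker::QueryResult`. Every other failure path in the same functions returns `bro_broker::query_result()`, so on this one path a script that reads a field of the result would be handed a bool value instead of a record. The guard should read `return bro_broker::query_result();` in all five places. Separately, `__create_master` and `__create_clone` return `nullptr` after `builtin_error`; whether script-level callers tolerate a missing value is not visible here, so it deserves a comment or a test.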
@@ -12,7 +12,13 @@ using namespace std;
 static void DbgAndWarn(const char* msg)
 {
- reporter->InternalWarning("%s", msg);
+ if ( reporter->Errors() )
+ // We've likely already reported to real source of the problem
+ // as an error, avoid adding an additional warning which may
+ // be confusing.
+ return;
+
+ reporter->Warning("%s", msg);
 DBG_LOG(DBG_BROXYGEN, "%s", msg);
 }
@@ -22,7 +28,8 @@ static void WarnMissingScript(const char* type, const ID* id,
 if ( script == "" )
 return;
- DbgAndWarn(fmt("Can't document %s %s, lookup of %s failed",
+ DbgAndWarn(fmt("Can't generate Broxygen doumentation for %s %s, "
+ "lookup of %s failed",
 type, id->Name(), script.c_str()));
 }
@@ -122,7 +129,8 @@ void Manager::Script(const string& path)
 if ( scripts.GetInfo(name) )
 {
- DbgAndWarn(fmt("Duplicate script documentation: %s", name.c_str()));
+ DbgAndWarn(fmt("Duplicate Broxygen script documentation: %s",
+ name.c_str()));
 return;
 }
@@ -138,7 +146,8 @@ void Manager::Script(const string& path)
 if ( packages.GetInfo(name) )
 {
- DbgAndWarn(fmt("Duplicate package documentation: %s", name.c_str()));
+ DbgAndWarn(fmt("Duplicate Broxygen package documentation: %s",
+ name.c_str()));
 return;
 }
@@ -155,7 +164,8 @@ void Manager::ScriptDependency(const string& path, const string& dep)
 if ( dep.empty() )
 {
- DbgAndWarn(fmt("Empty script doc dependency: %s", path.c_str()));
+ DbgAndWarn(fmt("Empty Broxygen script doc dependency: %s",
+ path.c_str()));
 return;
 }
@@ -165,8 +175,8 @@ void Manager::ScriptDependency(const string& path, const string& dep)
 if ( ! script_info )
 {
- DbgAndWarn(fmt("Failed to add script doc dependency %s for %s",
- depname.c_str(), name.c_str()));
+ DbgAndWarn(fmt("Failed to add Broxygen script doc dependency %s "
+ "for %s", depname.c_str(), name.c_str()));
 return;
 }
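Review bot: The early `return` added to `DbgAndWarn` also skips the `DBG_LOG(DBG_BROXYGEN, "%s", msg);` line, so once `reporter->Errors()` is truthy (presumably the running error count) the Broxygen debug stream loses every later message, not only the user-facing warning. Emitting the debug line first keeps the trace complete: `DBG_LOG(DBG_BROXYGEN, "%s", msg);`, then `if ( reporter->Errors() ) return;`, then `reporter->Warning("%s", msg);`. The new comment also reads "reported to real source", where "reported the real source" is presumably what was meant.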
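Review bot: The reworded message in `WarnMissingScript` misspells "documentation" as "doumentation", and the same typo is repeated in the new messages of `Manager::StartType`, `Manager::RecordField` and `Manager::Redef` further down this file. These strings go out through `reporter->Warning`, so anyone searching logs or test baselines for "documentation" will not find them. The tool name is also capitalised inconsistently: "Broxygen" here and in the `Duplicate ...` messages, "broxygen" in the three later ones. Suggested first line: `DbgAndWarn(fmt("Can't generate Broxygen documentation for %s %s, "`.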
@@ -189,7 +199,7 @@ void Manager::ModuleUsage(const string& path, const string& module)
 if ( ! script_info )
 {
- DbgAndWarn(fmt("Failed to add module usage %s in %s",
+ DbgAndWarn(fmt("Failed to add Broxygen module usage %s in %s",
 module.c_str(), name.c_str()));
 return;
 }
@@ -231,7 +241,8 @@ void Manager::StartType(ID* id)
 if ( id->GetLocationInfo() == &no_location )
 {
- DbgAndWarn(fmt("Can't document %s, no location available", id->Name()));
+ DbgAndWarn(fmt("Can't generate broxygen doumentation for %s, "
+ "no location available", id->Name()));
 return;
 }
@@ -323,7 +334,8 @@ void Manager::RecordField(const ID* id, const TypeDecl* field,
 if ( ! idd )
 {
- DbgAndWarn(fmt("Can't document record field %s, unknown record: %s",
+ DbgAndWarn(fmt("Can't generate broxygen doumentation for "
+ "record field %s, unknown record: %s",
 field->id, id->Name()));
 return;
 }
@@ -348,7 +360,8 @@ void Manager::Redef(const ID* id, const string& path)
 if ( ! id_info )
 {
- DbgAndWarn(fmt("Can't document redef of %s, identifier lookup failed",
+ DbgAndWarn(fmt("Can't generate broxygen doumentation for "
+ "redef of %s, identifier lookup failed",
 id->Name()));
 return;
 }
diff --git a/src/broxygen/PackageInfo.h b/src/broxygen/PackageInfo.h
index 67dd36da5f..967bbe3443 100644
--- a/src/broxygen/PackageInfo.h
+++ b/src/broxygen/PackageInfo.h
@@ -22,7 +22,7 @@ public:
 * @param name The name of the Bro script package (relative path from a
 * component within BROPATH.
 */
- PackageInfo(const std::string& name);
+ explicit PackageInfo(const std::string& name);
 /**
 * @return The content of the package's README file, each line being
@@ -34,12 +34,12 @@ public:
 private:
- time_t DoGetModificationTime() const;
+ time_t DoGetModificationTime() const override;
- std::string DoName() const
+ std::string DoName() const override
 { return pkg_name; }
- std::string DoReStructuredText(bool roles_only) const;
+ std::string DoReStructuredText(bool roles_only) const override;
 std::string pkg_name;
 std::vector readme;
diff --git a/src/broxygen/ReStructuredTextTable.h b/src/broxygen/ReStructuredTextTable.h
index c3679e6fac..34cc30c332 100644
--- a/src/broxygen/ReStructuredTextTable.h
+++ b/src/broxygen/ReStructuredTextTable.h
@@ -18,7 +18,7 @@ public:
 * Create the reST table object.
 * @param arg_num_cols The number of columns in the table.
 */
- ReStructuredTextTable(size_t arg_num_cols);
+ explicit ReStructuredTextTable(size_t arg_num_cols);
 /**
 * Add a new content row to the table.
diff --git a/src/broxygen/ScriptInfo.cc b/src/broxygen/ScriptInfo.cc
index f9c5bf2288..2c054ea9b1 100644
--- a/src/broxygen/ScriptInfo.cc
+++ b/src/broxygen/ScriptInfo.cc
@@ -160,7 +160,7 @@ ScriptInfo::ScriptInfo(const string& arg_name, const string& arg_path)
 name(arg_name), path(arg_path),
 is_pkg_loader(SafeBasename(name).result == PACKAGE_LOADER),
 dependencies(), module_usages(), comments(), id_info(),
- options(), constants(), state_vars(), types(), events(), hooks(),
+ redef_options(), constants(), state_vars(), types(), events(), hooks(),
 functions(), redefs()
 {
 }
@@ -219,9 +219,9 @@ void ScriptInfo::DoInitPostScript()
 {
 if ( id->FindAttr(ATTR_REDEF) )
 {
- DBG_LOG(DBG_BROXYGEN, "Filter id '%s' in '%s' as an option",
+ DBG_LOG(DBG_BROXYGEN, "Filter id '%s' in '%s' as a redef_option",
 id->Name(), name.c_str());
- options.push_back(info);
+ redef_options.push_back(info);
 }
 else
 {
@@ -232,6 +232,14 @@ void ScriptInfo::DoInitPostScript()
 continue;
 }
+ else if ( id->IsOption() )
+ {
+ DBG_LOG(DBG_BROXYGEN, "Filter id '%s' in '%s' as an runtime option",
+ id->Name(), name.c_str());
+ options.push_back(info);
+
+ continue;
+ }
 if ( id->Type()->Tag() == TYPE_ENUM )
 // Enums are always referenced/documented from the type's
@@ -242,6 +250,19 @@ void ScriptInfo::DoInitPostScript()
 id->Name(), name.c_str());
 state_vars.push_back(info);
 }
+
+ // The following enum types are automatically created internally in Bro,
+ // so just manually associating them with scripts for now.
+ if ( name == "base/frameworks/input/main.bro" )
+ {
+ auto id = global_scope()->Lookup("Input::Reader");
+ types.push_back(new IdentifierInfo(id, this));
+ }
+ else if ( name == "base/frameworks/logging/main.bro" )
+ {
+ auto id = global_scope()->Lookup("Log::Writer");
+ types.push_back(new IdentifierInfo(id, this));
+ }
 }
 vector ScriptInfo::GetComments() const
@@ -309,7 +330,8 @@ string ScriptInfo::DoReStructuredText(bool roles_only) const
 rval += fmt(":Source File: :download:`/scripts/%s`\n", name.c_str());
 rval += "\n";
 rval += broxygen::make_heading("Summary", '~');
- rval += make_summary("Options", '#', '=', options);
+ rval += make_summary("Runtime Options", '#', '=', options);
+ rval += make_summary("Redefinable Options", '#', '=', redef_options);
 rval += make_summary("Constants", '#', '=', constants);
 rval += make_summary("State Variables", '#', '=', state_vars);
 rval += make_summary("Types", '#', '=', types);
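Review bot: In the block added at the end of `ScriptInfo::DoInitPostScript`, the result of `global_scope()->Lookup("Input::Reader")` (and of the `"Log::Writer"` lookup in the `else if` branch) goes straight into `new IdentifierInfo(id, this)` without a null check. `IdentifierInfo::DoName()` in this same commit dereferences it as `id->Name()`, so if either enum is not registered when this runs (presumably possible with a different init order or a reduced build) documentation generation would crash instead of warning. Guarding each branch keeps the failure local, e.g. `if ( auto id = global_scope()->Lookup("Input::Reader") ) types.push_back(new IdentifierInfo(id, this));`. A short comment on who owns these two `IdentifierInfo` objects would also help, since they are allocated here directly and whether they are ever freed is not visible in the hunk.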
@@ -319,7 +341,8 @@ string ScriptInfo::DoReStructuredText(bool roles_only) const
 rval += make_summary("Functions", '#', '=', functions);
 rval += "\n";
 rval += broxygen::make_heading("Detailed Interface", '~');
- rval += make_details("Options", '#', options);
+ rval += make_details("Runtime Options", '#', options);
+ rval += make_details("Redefinable Options", '#', redef_options);
 rval += make_details("Constants", '#', constants);
 rval += make_details("State Variables", '#', state_vars);
 rval += make_details("Types", '#', types);
diff --git a/src/broxygen/ScriptInfo.h b/src/broxygen/ScriptInfo.h
index 146d66f05f..d7328ef7c8 100644
--- a/src/broxygen/ScriptInfo.h
+++ b/src/broxygen/ScriptInfo.h
@@ -92,14 +92,14 @@ private:
 typedef std::map id_info_map;
 typedef std::set string_set;
- time_t DoGetModificationTime() const;
+ time_t DoGetModificationTime() const override;
- std::string DoName() const
+ std::string DoName() const override
 { return name; }
- std::string DoReStructuredText(bool roles_only) const;
+ std::string DoReStructuredText(bool roles_only) const override;
- void DoInitPostScript() /* override */;
+ void DoInitPostScript() override /* override */;
 std::string name;
 std::string path;
@@ -108,6 +108,7 @@ private:
 string_set module_usages;
 std::vector comments;
 id_info_map id_info;
+ id_info_list redef_options;
 id_info_list options;
 id_info_list constants;
 id_info_list state_vars;
diff --git a/src/broxygen/Target.h b/src/broxygen/Target.h
index 1615ae090d..9a5a23107c 100644
--- a/src/broxygen/Target.h
+++ b/src/broxygen/Target.h
@@ -27,7 +27,7 @@ struct TargetFile {
 * directories that don't already exist.
 *
 */
- TargetFile(const std::string& arg_name);
+ explicit TargetFile(const std::string& arg_name);
 /**
 * Close the file.
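Review bot: In the `src/broxygen/ScriptInfo.h` hunk, `void DoInitPostScript() override /* override */;` keeps the old placeholder comment next to the real keyword, where it now only repeats it. The same leftover appears twice in `src/broxygen/Target.h` on `void DoGenerate() const override /* override */;`. Dropping the comment in all three places, giving `void DoInitPostScript() override;` and `void DoGenerate() const override;`, avoids suggesting the specifier is still provisional.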
@@ -185,9 +185,9 @@ protected:
 private:
- void DoFindDependencies(const std::vector& infos);
+ void DoFindDependencies(const std::vector& infos) override;
- void DoGenerate() const;
+ void DoGenerate() const override;
 virtual void DoCreateAnalyzerDoc(FILE* f) const = 0;
 };
@@ -209,7 +209,7 @@ public:
 private:
- void DoCreateAnalyzerDoc(FILE* f) const;
+ void DoCreateAnalyzerDoc(FILE* f) const override;
 };
 /**
@@ -229,7 +229,7 @@ public:
 private:
- void DoCreateAnalyzerDoc(FILE* f) const;
+ void DoCreateAnalyzerDoc(FILE* f) const override;
 };
 /**
@@ -249,9 +249,9 @@ public:
 private:
- void DoFindDependencies(const std::vector& infos);
+ void DoFindDependencies(const std::vector& infos) override;
- void DoGenerate() const;
+ void DoGenerate() const override;
 std::vector pkg_deps;
 std::vector script_deps;
@@ -276,9 +276,9 @@ public:
 private:
- void DoFindDependencies(const std::vector& infos);
+ void DoFindDependencies(const std::vector& infos) override;
- void DoGenerate() const;
+ void DoGenerate() const override;
 std::vector pkg_deps;
 };
@@ -301,7 +301,7 @@ public:
 : Target(name, pattern), script_deps()
 { }
- ~ScriptTarget()
+ ~ScriptTarget() override
 { for ( size_t i = 0; i < pkg_deps.size(); ++i ) delete pkg_deps[i]; }
 protected:
@@ -310,9 +310,9 @@ protected:
 private:
- void DoFindDependencies(const std::vector& infos);
+ void DoFindDependencies(const std::vector& infos) override;
- void DoGenerate() const;
+ void DoGenerate() const override;
 bool IsDir() const
 { return Name()[Name().size() - 1] == '/'; }
@@ -337,7 +337,7 @@ public:
 private:
- void DoGenerate() const /* override */;
+ void DoGenerate() const override /* override */;
 };
 /**
@@ -357,7 +357,7 @@ public:
 private:
- void DoGenerate() const /* override */;
+ void DoGenerate() const override /* override */;
 };
 /**
@@ -377,9 +377,9 @@ public:
 private:
- void DoFindDependencies(const std::vector& infos);
+ void DoFindDependencies(const std::vector& infos) override;
- void DoGenerate() const;
+ void DoGenerate() const override;
 std::vector id_deps;
 };
diff --git a/src/builtin-func.l b/src/builtin-func.l
deleted file mode 100644
index 2d59408f83..0000000000
--- a/src/builtin-func.l
+++ /dev/null
@@ -1,422 +0,0 @@ -%{ -#include -#include -#include -#include "bif_arg.h" -#include "bif_parse.h" - -char* copy_string(const char* s) - { - char* c = new char[strlen(s)+1]; - strcpy(c, s); - return c; - } - -int line_number = 1; - -extern int in_c_code; - -int check_c_mode(int t) - { - if ( ! in_c_code ) - return t; - - yylval.str = copy_string(yytext); - return TOK_C_TOKEN; - } -%} - -WS [ \t]+ -OWS [ \t]* - /* Note, bifcl only accepts a single "::" in IDs while the policy - layer acceptes multiple. (But the policy layer doesn't have - a hierachy. */ -IDCOMPONENT [A-Za-z_][A-Za-z_0-9]* -ID {IDCOMPONENT}(::{IDCOMPONENT})? -ESCSEQ (\\([^\n]|[0-7]+|x[[:xdigit:]]+)) -DEC [[:digit:]]+ -HEX [0-9a-fA-F]+ - - -%option nodefault - -%% - -#.* { - yylval.str = copy_string(yytext); - return TOK_COMMENT; - } - -\n { - ++line_number; - return TOK_LF; - } - -{WS} { - yylval.str = copy_string(yytext); - return TOK_WS; - } - -[=,:;] return check_c_mode(yytext[0]); - -"%{" return TOK_LPB; -"%}" return TOK_RPB; -"%%{" return TOK_LPPB; -"%%}" return TOK_RPPB; - -"%(" return check_c_mode(TOK_LPP); -"%)" return check_c_mode(TOK_RPP); -"..." 
return check_c_mode(TOK_VAR_ARG); -"function" return check_c_mode(TOK_FUNCTION); -"event" return check_c_mode(TOK_EVENT); -"const" return check_c_mode(TOK_CONST); -"enum" return check_c_mode(TOK_ENUM); -"type" return check_c_mode(TOK_TYPE); -"record" return check_c_mode(TOK_RECORD); -"set" return check_c_mode(TOK_SET); -"table" return check_c_mode(TOK_TABLE); -"vector" return check_c_mode(TOK_VECTOR); -"of" return check_c_mode(TOK_OF); -"opaque" return check_c_mode(TOK_OPAQUE); -"module" return check_c_mode(TOK_MODULE); - -"@ARG@" return TOK_ARG; -"@ARGS@" return TOK_ARGS; -"@ARGC@" return TOK_ARGC; - -"T" yylval.val = 1; return TOK_BOOL; -"F" yylval.val = 0; return TOK_BOOL; - -{DEC} { - yylval.str = copy_string(yytext); - return TOK_INT; - } - -"0x"{HEX} { - yylval.str = copy_string(yytext); - return TOK_INT; - } - - -{ID} { - yylval.str = copy_string(yytext); - return TOK_ID; - } - - /* - Hacky way to pass along arbitrary attribute expressions since the BIF parser - has little understanding of valid Bro expressions. With this pattern, the - attribute expression should stop when it reaches another attribute, another - function argument, or the end of the function declaration. - */ -&{ID}({OWS}={OWS}[^&%;,]+)? { - int t = check_c_mode(TOK_ATTR); - - if ( t == TOK_ATTR ) - { - yylval.str = copy_string(yytext); - return TOK_ATTR; - } - else - return t; - } - -\"([^\\\n\"]|{ESCSEQ})*\" { - yylval.str = copy_string(yytext); - return TOK_CSTR; - } - -\'([^\\\n\']|{ESCSEQ})*\' { - yylval.str = copy_string(yytext); - return TOK_CSTR; - } - -. 
{ - yylval.val = yytext[0]; - return TOK_ATOM; - } -%% - -int yywrap() - { - yy_delete_buffer(YY_CURRENT_BUFFER); - return 1; - } - -extern int yyparse(); -char* input_filename = 0; -char* input_filename_with_path = 0; -char* plugin = 0; -int alternative_mode = 0; - -FILE* fp_bro_init = 0; -FILE* fp_func_def = 0; -FILE* fp_func_h = 0; -FILE* fp_func_init = 0; -FILE* fp_func_register = 0; -FILE* fp_netvar_h = 0; -FILE* fp_netvar_def = 0; -FILE* fp_netvar_init = 0; - -void remove_file(const char *surfix); -void err_exit(void); -FILE* open_output_file(const char* surfix); -void close_if_open(FILE **fpp); -void close_all_output_files(void); - - -FILE* open_output_file(const char* surfix) - { - char fn[1024]; - FILE* fp; - - snprintf(fn, sizeof(fn), "%s.%s", input_filename, surfix); - if ( (fp = fopen(fn, "w")) == NULL ) - { - fprintf(stderr, "Error: cannot open file: %s\n", fn); - err_exit(); - } - - return fp; - } - -void usage() - { - fprintf(stderr, "usage: bifcl [-p | -s] *.bif\n"); - exit(1); - } - -void init_alternative_mode() - { - fp_bro_init = open_output_file("bro"); - fp_func_h = open_output_file("h"); - fp_func_def = open_output_file("cc"); - fp_func_init = open_output_file("init.cc"); - fp_func_register = plugin ? open_output_file("register.cc") : NULL; - - fp_netvar_h = fp_func_h; - fp_netvar_def = fp_func_def; - fp_netvar_init = fp_func_init; - - int n = 1024 + strlen(input_filename); - char auto_gen_comment[n]; - - snprintf(auto_gen_comment, n, - "This file was automatically generated by bifcl from %s (%s mode).", - input_filename_with_path, plugin ? 
"plugin" : "alternative"); - - fprintf(fp_bro_init, "# %s\n\n", auto_gen_comment); - fprintf(fp_func_def, "// %s\n\n", auto_gen_comment); - fprintf(fp_func_h, "// %s\n\n", auto_gen_comment); - fprintf(fp_func_init, "// %s\n\n", auto_gen_comment); - - if ( fp_func_register ) - fprintf(fp_func_register, "// %s\n\n", auto_gen_comment); - - static char guard[1024]; - if ( getcwd(guard, sizeof(guard)) == NULL ) - { - fprintf(stderr, "Error: cannot get current working directory\n"); - err_exit(); - } - strncat(guard, "/", sizeof(guard) - strlen(guard) - 1); - strncat(guard, input_filename, sizeof(guard) - strlen(guard) - 1); - - for ( char* p = guard; *p; p++ ) - { - if ( ! isalnum(*p) ) - *p = '_'; - } - - fprintf(fp_func_h, "#if defined(BRO_IN_NETVAR) || ! defined(%s)\n", guard); - - fprintf(fp_func_h, "#ifndef BRO_IN_NETVAR\n"); - fprintf(fp_func_h, "#ifndef %s\n", guard); - fprintf(fp_func_h, "#define %s\n", guard); - fprintf(fp_func_h, "#include \"bro-bif.h\"\n"); - fprintf(fp_func_h, "#endif\n"); - fprintf(fp_func_h, "#endif\n"); - fprintf(fp_func_h, "\n"); - - fprintf(fp_func_def, "\n"); - fprintf(fp_func_def, "#include \"%s.h\"\n", input_filename); - fprintf(fp_func_def, "\n"); - - static char name[1024]; - strncpy(name, input_filename, sizeof(name)); - char* dot = strchr(name, '.'); - if ( dot ) - *dot = '\0'; - - if ( plugin ) - { - static char plugin_canon[1024]; - strncpy(plugin_canon, plugin, sizeof(plugin_canon)); - char* colon = strstr(plugin_canon, "::"); - - if ( colon ) { - *colon = '_'; - memmove(colon + 1, colon + 2, plugin_canon + strlen(plugin_canon) - colon); - } - - fprintf(fp_func_init, "\n"); - fprintf(fp_func_init, "#include \n"); - fprintf(fp_func_init, "#include \n"); - fprintf(fp_func_init, "#include \"plugin/Plugin.h\"\n"); - fprintf(fp_func_init, "#include \"%s.h\"\n", input_filename); - fprintf(fp_func_init, "\n"); - fprintf(fp_func_init, "namespace plugin { namespace %s {\n", plugin_canon); - fprintf(fp_func_init, "\n"); - 
fprintf(fp_func_init, "void __bif_%s_init(plugin::Plugin* plugin)\n", name); - fprintf(fp_func_init, "\t{\n"); - - fprintf(fp_func_register, "#include \"plugin/Manager.h\"\n"); - fprintf(fp_func_register, "\n"); - fprintf(fp_func_register, "namespace plugin { namespace %s {\n", plugin_canon); - fprintf(fp_func_register, "void __bif_%s_init(plugin::Plugin* plugin);\n", name); - fprintf(fp_func_register, "::plugin::__RegisterBif __register_bifs_%s_%s(\"%s\", __bif_%s_init);\n", plugin_canon, name, plugin, name); - fprintf(fp_func_register, "} }\n"); - } - } - -void finish_alternative_mode() - { - fprintf(fp_func_h, "\n"); - fprintf(fp_func_h, "#endif\n"); - - if ( plugin ) - { - fprintf(fp_func_init, "\n"); - fprintf(fp_func_init, "\t}\n"); - fprintf(fp_func_init, "} }\n"); - fprintf(fp_func_init, "\n"); - fprintf(fp_func_init, "\n"); - } - } - -int main(int argc, char* argv[]) - { - int opt; - - while ( (opt = getopt(argc, argv, "p:s")) != -1 ) - { - switch ( opt ) { - case 'p': - alternative_mode = 1; - plugin = optarg; - break; - - case 's': - alternative_mode = 1; - break; - - default: - usage(); - } - } - - for ( int i = optind; i < argc; i++ ) - { - FILE* fp_input; - char* slash; - - input_filename = input_filename_with_path = argv[i]; - slash = strrchr(input_filename, '/'); - - if ( (fp_input = fopen(input_filename, "r")) == NULL ) - { - fprintf(stderr, "Error: cannot open file: %s\n", input_filename); - /* no output files open. can simply exit */ - exit(1); - } - - if ( slash ) - input_filename = slash + 1; - - if ( ! 
alternative_mode ) - { - fp_bro_init = open_output_file("bro"); - fp_func_h = open_output_file("func_h"); - fp_func_def = open_output_file("func_def"); - fp_func_init = open_output_file("func_init"); - fp_netvar_h = open_output_file("netvar_h"); - fp_netvar_def = open_output_file("netvar_def"); - fp_netvar_init = open_output_file("netvar_init"); - - int n = 1024 + strlen(input_filename); - char auto_gen_comment[n]; - - snprintf(auto_gen_comment, n, - "This file was automatically generated by bifcl from %s.", - input_filename); - - fprintf(fp_bro_init, "# %s\n\n", auto_gen_comment); - fprintf(fp_func_def, "// %s\n\n", auto_gen_comment); - fprintf(fp_func_h, "// %s\n\n", auto_gen_comment); - fprintf(fp_func_init, "// %s\n\n", auto_gen_comment); - fprintf(fp_netvar_def, "// %s\n\n", auto_gen_comment); - fprintf(fp_netvar_h, "// %s\n\n", auto_gen_comment); - fprintf(fp_netvar_init, "// %s\n\n", auto_gen_comment); - } - - else - init_alternative_mode(); - - yy_switch_to_buffer(yy_create_buffer(fp_input, YY_BUF_SIZE)); - yyparse(); - - if ( alternative_mode ) - finish_alternative_mode(); - - fclose(fp_input); - close_all_output_files(); - - } - } - -void close_if_open(FILE **fpp) - { - if (*fpp) - fclose(*fpp); - *fpp = NULL; - } - -void close_all_output_files(void) - { - close_if_open(&fp_bro_init); - close_if_open(&fp_func_h); - close_if_open(&fp_func_def); - close_if_open(&fp_func_init); - close_if_open(&fp_func_register); - - if ( ! alternative_mode ) - { - close_if_open(&fp_netvar_h); - close_if_open(&fp_netvar_def); - close_if_open(&fp_netvar_init); - } - } - -void remove_file(const char *surfix) - { - char fn[1024]; - - snprintf(fn, sizeof(fn), "%s.%s", input_filename, surfix); - unlink(fn); - } - -void err_exit(void) - { - close_all_output_files(); - /* clean up. 
remove all output files we've generated so far */ - remove_file("bro"); - remove_file("func_h"); - remove_file("func_def"); - remove_file("func_init"); - remove_file("func_register"); - remove_file("netvar_h"); - remove_file("netvar_def"); - remove_file("netvar_init"); - exit(1); - } - diff --git a/src/builtin-func.y b/src/builtin-func.y deleted file mode 100644 index 0f895ced52..0000000000 --- a/src/builtin-func.y +++ /dev/null 
@@ -1,785 +0,0 @@ -%{ -#include -#include -#include -#include - -using namespace std; - -#include -#include - -#include "module_util.h" - -using namespace std; - -extern int line_number; -extern char* input_filename; -extern char* plugin; - -#define print_line_directive(fp) fprintf(fp, "\n#line %d \"%s\"\n", line_number, input_filename) - -extern FILE* fp_bro_init; -extern FILE* fp_func_def; -extern FILE* fp_func_h; -extern FILE* fp_func_init; -extern FILE* fp_netvar_h; -extern FILE* fp_netvar_def; -extern FILE* fp_netvar_init; - -int in_c_code = 0; -string current_module = GLOBAL_MODULE_NAME; -int definition_type; -string type_name; - - -enum { - C_SEGMENT_DEF, - FUNC_DEF, - EVENT_DEF, - TYPE_DEF, - CONST_DEF, -}; - -// Holds the name of a declared object (function, enum, record type, event, -// etc. and information about namespaces, etc. -struct decl_struct { - string module_name; - string bare_name; // name without module or namespace - string c_namespace_start; // "opening" namespace for use in netvar_* - string c_namespace_end; // closing "}" for all the above namespaces - string c_fullname; // fully qualified name (namespace::....) for use in netvar_init - string bro_fullname; // fully qualified bro name, for netvar (and lookup_ID()) - string bro_name; // the name as we read it from input. What we write into the .bro file - - // special cases for events. Events have an EventHandlerPtr - // and a generate_* function. 
This name is for the generate_* function - string generate_bare_name; - string generate_c_fullname; - string generate_c_namespace_start; - string generate_c_namespace_end; -} decl; - -void set_definition_type(int type, const char *arg_type_name) - { - definition_type = type; - if ( type == TYPE_DEF && arg_type_name ) - type_name = string(arg_type_name); - else - type_name = ""; - } - -void set_decl_name(const char *name) - { - decl.bare_name = extract_var_name(name); - - // make_full_var_name prepends the correct module, if any - // then we can extract the module name again. - string varname = make_full_var_name(current_module.c_str(), name); - decl.module_name = extract_module_name(varname.c_str()); - - decl.c_namespace_start = ""; - decl.c_namespace_end = ""; - decl.c_fullname = ""; - decl.bro_fullname = ""; - decl.bro_name = ""; - - decl.generate_c_fullname = ""; - decl.generate_bare_name = string("generate_") + decl.bare_name; - decl.generate_c_namespace_start = ""; - decl.generate_c_namespace_end = ""; - - switch ( definition_type ) { - case TYPE_DEF: - decl.c_namespace_start = "namespace BifType { namespace " + type_name + "{ "; - decl.c_namespace_end = " } }"; - decl.c_fullname = "BifType::" + type_name + "::"; - break; - - case CONST_DEF: - decl.c_namespace_start = "namespace BifConst { "; - decl.c_namespace_end = " } "; - decl.c_fullname = "BifConst::"; - break; - - case FUNC_DEF: - decl.c_namespace_start = "namespace BifFunc { "; - decl.c_namespace_end = " } "; - decl.c_fullname = "BifFunc::"; - break; - - case EVENT_DEF: - decl.c_namespace_start = ""; - decl.c_namespace_end = ""; - decl.c_fullname = "::"; // need this for namespace qualified events due do event_c_body - decl.generate_c_namespace_start = "namespace BifEvent { "; - decl.generate_c_namespace_end = " } "; - decl.generate_c_fullname = "BifEvent::"; - break; - - default: - break; - } - - if ( decl.module_name != GLOBAL_MODULE_NAME ) - { - decl.c_namespace_start += "namespace " + 
decl.module_name + " { "; - decl.c_namespace_end += string(" }"); - decl.c_fullname += decl.module_name + "::"; - decl.bro_fullname += decl.module_name + "::"; - - decl.generate_c_namespace_start += "namespace " + decl.module_name + " { "; - decl.generate_c_namespace_end += " } "; - decl.generate_c_fullname += decl.module_name + "::"; - } - - decl.bro_fullname += decl.bare_name; - if ( definition_type == FUNC_DEF ) - decl.bare_name = string("bro_") + decl.bare_name; - - decl.c_fullname += decl.bare_name; - decl.bro_name += name; - decl.generate_c_fullname += decl.generate_bare_name; - - } - -const char* arg_list_name = "BiF_ARGS"; - -#include "bif_arg.h" - -/* Map bif/bro type names to C types for use in const declaration */ -static struct { - const char* bif_type; - const char* bro_type; - const char* c_type; - const char* accessor; - const char* constructor; -} builtin_types[] = { -#define DEFINE_BIF_TYPE(id, bif_type, bro_type, c_type, accessor, constructor) \ - {bif_type, bro_type, c_type, accessor, constructor}, -#include "bif_type.def" -#undef DEFINE_BIF_TYPE -}; - -int get_type_index(const char *type_name) - { - for ( int i = 0; builtin_types[i].bif_type[0] != '\0'; ++i ) - { - if ( strcmp(builtin_types[i].bif_type, type_name) == 0 ) - return i; - } - return TYPE_OTHER; - } - - -int var_arg; // whether the number of arguments is variable -std::vector args; - -extern int yyerror(const char[]); -extern int yywarn(const char msg[]); -extern int yylex(); - -char* concat(const char* str1, const char* str2) - { - int len1 = strlen(str1); - int len2 = strlen(str2); - - char* s = new char[len1 + len2 +1]; - - memcpy(s, str1, len1); - memcpy(s + len1, str2, len2); - - s[len1+len2] = '\0'; - - return s; - } - -// Print the bro_event_* function prototype in C++, without the ending ';' -void print_event_c_prototype(FILE *fp, bool is_header) - { - if ( is_header ) - fprintf(fp, "%s void %s(analyzer::Analyzer* analyzer%s", - decl.generate_c_namespace_start.c_str(), 
decl.generate_bare_name.c_str(), - args.size() ? ", " : "" ); - else - fprintf(fp, "void %s(analyzer::Analyzer* analyzer%s", - decl.generate_c_fullname.c_str(), - args.size() ? ", " : "" ); - for ( int i = 0; i < (int) args.size(); ++i ) - { - if ( i > 0 ) - fprintf(fp, ", "); - args[i]->PrintCArg(fp, i); - } - fprintf(fp, ")"); - if ( is_header ) - fprintf(fp, "; %s\n", decl.generate_c_namespace_end.c_str()); - else - fprintf(fp, "\n"); - } - -// Print the bro_event_* function body in C++. -void print_event_c_body(FILE *fp) - { - fprintf(fp, "\t{\n"); - fprintf(fp, "\t// Note that it is intentional that here we do not\n"); - fprintf(fp, "\t// check if %s is NULL, which should happen *before*\n", - decl.c_fullname.c_str()); - fprintf(fp, "\t// %s is called to avoid unnecessary Val\n", - decl.generate_c_fullname.c_str()); - fprintf(fp, "\t// allocation.\n"); - fprintf(fp, "\n"); - - fprintf(fp, "\tval_list* vl = new val_list;\n\n"); - BuiltinFuncArg *connection_arg = 0; - - for ( int i = 0; i < (int) args.size(); ++i ) - { - fprintf(fp, "\t"); - fprintf(fp, "vl->append("); - args[i]->PrintBroValConstructor(fp); - fprintf(fp, ");\n"); - - if ( args[i]->Type() == TYPE_CONNECTION ) - { - if ( connection_arg == 0 ) - connection_arg = args[i]; - else - { - // We are seeing two connection type arguments. - yywarn("Warning: with more than connection-type " - "event arguments, bifcl only passes " - "the first one to EventMgr as cookie."); - } - } - } - - fprintf(fp, "\n"); - fprintf(fp, "\tmgr.QueueEvent(%s, vl, SOURCE_LOCAL, analyzer->GetID(), timer_mgr", - decl.c_fullname.c_str()); - - if ( connection_arg ) - // Pass the connection to the EventMgr as the "cookie" - fprintf(fp, ", %s", connection_arg->Name()); - - fprintf(fp, ");\n"); - fprintf(fp, "\t} // event generation\n"); - //fprintf(fp, "%s // end namespace\n", decl.generate_c_namespace_end.c_str()); - } - -void record_bif_item(const char* id, const char* type) - { - if ( ! 
plugin ) - return; - - fprintf(fp_func_init, "\tplugin->AddBifItem(\"%s\", plugin::BifItem::%s);\n", id, type); - } - -%} - -%token TOK_LPP TOK_RPP TOK_LPB TOK_RPB TOK_LPPB TOK_RPPB TOK_VAR_ARG -%token TOK_BOOL -%token TOK_FUNCTION TOK_EVENT TOK_CONST TOK_ENUM TOK_OF -%token TOK_TYPE TOK_RECORD TOK_SET TOK_VECTOR TOK_OPAQUE TOK_TABLE TOK_MODULE -%token TOK_ARGS TOK_ARG TOK_ARGC -%token TOK_ID TOK_ATTR TOK_CSTR TOK_LF TOK_WS TOK_COMMENT -%token TOK_ATOM TOK_INT TOK_C_TOKEN - -%left ',' ':' - -%type TOK_C_TOKEN TOK_ID TOK_CSTR TOK_WS TOK_COMMENT TOK_ATTR TOK_INT opt_ws type attr_list opt_attr_list opt_func_attrs -%type TOK_ATOM TOK_BOOL - -%union { - const char* str; - int val; -} - -%% - -builtin_lang: definitions - { - fprintf(fp_bro_init, "} # end of export section\n"); - fprintf(fp_bro_init, "module %s;\n", GLOBAL_MODULE_NAME); - } - - - -definitions: definitions definition opt_ws - { - if ( in_c_code ) - fprintf(fp_func_def, "%s", $3); - else - fprintf(fp_bro_init, "%s", $3); - } - | opt_ws - { - fprintf(fp_bro_init, "%s", $1); - fprintf(fp_bro_init, "export {\n"); - } - ; - -definition: event_def - | func_def - | c_code_segment - | enum_def - | const_def - | type_def - | module_def - ; - - -module_def: TOK_MODULE opt_ws TOK_ID opt_ws ';' - { - current_module = string($3); - fprintf(fp_bro_init, "module %s;\n", $3); - } - - // XXX: Add the netvar glue so that the event engine knows about - // the type. One still has to define the type in bro.init. - // Would be nice, if we could just define the record type here - // and then copy to the .bif.bro file, but type declarations in - // Bro can be quite powerful. Don't know whether it's worth it - // extend the bif-language to be able to handle that all.... 
- // Or we just support a simple form of record type definitions - // TODO: add other types (tables, sets) -type_def: TOK_TYPE opt_ws TOK_ID opt_ws ':' opt_ws type_def_types opt_ws ';' - { - set_decl_name($3); - - fprintf(fp_netvar_h, "%s extern %sType * %s; %s\n", - decl.c_namespace_start.c_str(), type_name.c_str(), - decl.bare_name.c_str(), decl.c_namespace_end.c_str()); - fprintf(fp_netvar_def, "%s %sType * %s; %s\n", - decl.c_namespace_start.c_str(), type_name.c_str(), - decl.bare_name.c_str(), decl.c_namespace_end.c_str()); - fprintf(fp_netvar_init, - "\t%s = internal_type(\"%s\")->As%sType();\n", - decl.c_fullname.c_str(), decl.bro_fullname.c_str(), - type_name.c_str()); - - record_bif_item(decl.bro_fullname.c_str(), "TYPE"); - } - ; - -type_def_types: TOK_RECORD - { set_definition_type(TYPE_DEF, "Record"); } - | TOK_SET - { set_definition_type(TYPE_DEF, "Set"); } - | TOK_VECTOR - { set_definition_type(TYPE_DEF, "Vector"); } - | TOK_TABLE - { set_definition_type(TYPE_DEF, "Table"); } - ; - -opt_func_attrs: attr_list opt_ws - { $$ = $1; } - | /* nothing */ - { $$ = ""; } - ; - -event_def: event_prefix opt_ws plain_head opt_func_attrs - { fprintf(fp_bro_init, "%s", $4); } end_of_head ';' - { - print_event_c_prototype(fp_func_h, true); - print_event_c_prototype(fp_func_def, false); - print_event_c_body(fp_func_def); - } - -func_def: func_prefix opt_ws typed_head opt_func_attrs - { fprintf(fp_bro_init, "%s", $4); } end_of_head body - ; - -enum_def: enum_def_1 enum_list TOK_RPB opt_attr_list - { - // First, put an end to the enum type decl. - fprintf(fp_bro_init, "} "); - fprintf(fp_bro_init, "%s", $4); - fprintf(fp_bro_init, ";\n"); - if ( decl.module_name != GLOBAL_MODULE_NAME ) - fprintf(fp_netvar_h, "}; } }\n"); - else - fprintf(fp_netvar_h, "}; }\n"); - - // Now generate the netvar's. 
- fprintf(fp_netvar_h, "%s extern EnumType * %s; %s\n", - decl.c_namespace_start.c_str(), decl.bare_name.c_str(), decl.c_namespace_end.c_str()); - fprintf(fp_netvar_def, "%s EnumType * %s; %s\n", - decl.c_namespace_start.c_str(), decl.bare_name.c_str(), decl.c_namespace_end.c_str()); - fprintf(fp_netvar_init, - "\t%s = internal_type(\"%s\")->AsEnumType();\n", - decl.c_fullname.c_str(), decl.bro_fullname.c_str()); - - record_bif_item(decl.bro_fullname.c_str(), "TYPE"); - } - ; - -enum_def_1: TOK_ENUM opt_ws TOK_ID opt_ws TOK_LPB opt_ws - { - set_definition_type(TYPE_DEF, "Enum"); - set_decl_name($3); - fprintf(fp_bro_init, "type %s: enum %s{%s", decl.bro_name.c_str(), $4, $6); - - // this is the namespace were the enumerators are defined, not where - // the type is defined. - // We don't support fully qualified names as enumerators. Use a module name - fprintf(fp_netvar_h, "namespace BifEnum { "); - if ( decl.module_name != GLOBAL_MODULE_NAME ) - fprintf(fp_netvar_h, "namespace %s { ", decl.module_name.c_str()); - fprintf(fp_netvar_h, "enum %s {\n", $3); - } - ; - -enum_list: enum_list TOK_ID opt_ws ',' opt_ws - { - fprintf(fp_bro_init, "%s%s,%s", $2, $3, $5); - fprintf(fp_netvar_h, "\t%s,\n", $2); - } - | enum_list TOK_ID opt_ws '=' opt_ws TOK_INT opt_ws ',' opt_ws - { - fprintf(fp_bro_init, "%s = %s%s,%s", $2, $6, $7, $9); - fprintf(fp_netvar_h, "\t%s = %s,\n", $2, $6); - } - | /* nothing */ - ; - - -const_def: TOK_CONST opt_ws TOK_ID opt_ws ':' opt_ws TOK_ID opt_ws ';' - { - set_definition_type(CONST_DEF, 0); - set_decl_name($3); - int typeidx = get_type_index($7); - char accessor[1024]; - - snprintf(accessor, sizeof(accessor), builtin_types[typeidx].accessor, ""); - - - fprintf(fp_netvar_h, "%s extern %s %s; %s\n", - decl.c_namespace_start.c_str(), - builtin_types[typeidx].c_type, decl.bare_name.c_str(), - decl.c_namespace_end.c_str()); - fprintf(fp_netvar_def, "%s %s %s; %s\n", - decl.c_namespace_start.c_str(), - builtin_types[typeidx].c_type, 
decl.bare_name.c_str(), - decl.c_namespace_end.c_str()); - fprintf(fp_netvar_init, "\t%s = internal_const_val(\"%s\")%s;\n", - decl.c_fullname.c_str(), decl.bro_fullname.c_str(), - accessor); - - record_bif_item(decl.bro_fullname.c_str(), "CONSTANT"); - } - -attr_list: - attr_list TOK_ATTR - { $$ = concat($1, $2); } - | - TOK_ATTR - ; - -opt_attr_list: - attr_list - | /* nothing */ - { $$ = ""; } - ; - -func_prefix: TOK_FUNCTION - { set_definition_type(FUNC_DEF, 0); } - ; - -event_prefix: TOK_EVENT - { set_definition_type(EVENT_DEF, 0); } - ; - -end_of_head: /* nothing */ - { - fprintf(fp_bro_init, ";\n"); - } - ; - -typed_head: plain_head return_type - { - } - ; - -plain_head: head_1 args arg_end opt_ws - { - if ( var_arg ) - fprintf(fp_bro_init, "va_args: any"); - else - { - for ( int i = 0; i < (int) args.size(); ++i ) - { - if ( i > 0 ) - fprintf(fp_bro_init, ", "); - args[i]->PrintBro(fp_bro_init); - } - } - - fprintf(fp_bro_init, ")"); - - fprintf(fp_bro_init, "%s", $4); - fprintf(fp_func_def, "%s", $4); - } - ; - -head_1: TOK_ID opt_ws arg_begin - { - const char* method_type = 0; - set_decl_name($1); - - if ( definition_type == FUNC_DEF ) - { - method_type = "function"; - print_line_directive(fp_func_def); - } - else if ( definition_type == EVENT_DEF ) - method_type = "event"; - - if ( method_type ) - fprintf(fp_bro_init, - "global %s: %s%s(", - decl.bro_name.c_str(), method_type, $2); - - if ( definition_type == FUNC_DEF ) - { - fprintf(fp_func_init, - "\t(void) new BuiltinFunc(%s, \"%s\", 0);\n", - decl.c_fullname.c_str(), decl.bro_fullname.c_str()); - - fprintf(fp_func_h, - "%sextern Val* %s(Frame* frame, val_list*);%s\n", - decl.c_namespace_start.c_str(), decl.bare_name.c_str(), decl.c_namespace_end.c_str()); - - fprintf(fp_func_def, - "Val* %s(Frame* frame, val_list* %s)", - decl.c_fullname.c_str(), arg_list_name); - - record_bif_item(decl.bro_fullname.c_str(), "FUNCTION"); - } - else if ( definition_type == EVENT_DEF ) - { - // TODO: add namespace for 
events here - fprintf(fp_netvar_h, - "%sextern EventHandlerPtr %s; %s\n", - decl.c_namespace_start.c_str(), decl.bare_name.c_str(), decl.c_namespace_end.c_str()); - - fprintf(fp_netvar_def, - "%sEventHandlerPtr %s; %s\n", - decl.c_namespace_start.c_str(), decl.bare_name.c_str(), decl.c_namespace_end.c_str()); - - fprintf(fp_netvar_init, - "\t%s = internal_handler(\"%s\");\n", - decl.c_fullname.c_str(), decl.bro_fullname.c_str()); - - record_bif_item(decl.bro_fullname.c_str(), "EVENT"); - - // C++ prototypes of bro_event_* functions will - // be generated later. - } - } - ; - -arg_begin: TOK_LPP - { args.clear(); var_arg = 0; } - ; - -arg_end: TOK_RPP - ; - -args: args_1 - | opt_ws - { /* empty, to avoid yacc complaint about type clash */ } - ; - -args_1: args_1 ',' opt_ws arg opt_ws opt_attr_list - { if ( ! args.empty() ) args[args.size()-1]->SetAttrStr($6); } - | opt_ws arg opt_ws opt_attr_list - { if ( ! args.empty() ) args[args.size()-1]->SetAttrStr($4); } - ; - -// TODO: Migrate all other compound types to this rule. Once the BiF language -// can parse all regular Bro types, we can throw out the unnecessary -// boilerplate typedefs for addr_set, string_set, etc. 
-type: - TOK_OPAQUE opt_ws TOK_OF opt_ws TOK_ID - { $$ = concat("opaque of ", $5); } - | TOK_ID - { $$ = $1; } - ; - -arg: TOK_ID opt_ws ':' opt_ws type - { args.push_back(new BuiltinFuncArg($1, $5)); } - | TOK_VAR_ARG - { - if ( definition_type == EVENT_DEF ) - yyerror("events cannot have variable arguments"); - var_arg = 1; - } - ; - -return_type: ':' opt_ws type opt_ws - { - BuiltinFuncArg* ret = new BuiltinFuncArg("", $3); - ret->PrintBro(fp_bro_init); - delete ret; - fprintf(fp_func_def, "%s", $4); - } - ; - -body: body_start c_body body_end - { - fprintf(fp_func_def, " // end of %s\n", decl.c_fullname.c_str()); - print_line_directive(fp_func_def); - } - ; - -c_code_begin: /* empty */ - { - in_c_code = 1; - print_line_directive(fp_func_def); - } - ; - -c_code_end: /* empty */ - { in_c_code = 0; } - ; - -body_start: TOK_LPB c_code_begin - { - int implicit_arg = 0; - int argc = args.size(); - - fprintf(fp_func_def, "{"); - - if ( argc > 0 || ! var_arg ) - fprintf(fp_func_def, "\n"); - - if ( ! 
var_arg ) - { - fprintf(fp_func_def, "\tif ( %s->length() != %d )\n", arg_list_name, argc); - fprintf(fp_func_def, "\t\t{\n"); - fprintf(fp_func_def, - "\t\treporter->Error(\"%s() takes exactly %d argument(s)\");\n", - decl.bro_fullname.c_str(), argc); - fprintf(fp_func_def, "\t\treturn 0;\n"); - fprintf(fp_func_def, "\t\t}\n"); - } - else if ( argc > 0 ) - { - fprintf(fp_func_def, "\tif ( %s->length() < %d )\n", arg_list_name, argc); - fprintf(fp_func_def, "\t\t{\n"); - fprintf(fp_func_def, - "\t\treporter->Error(\"%s() takes at least %d argument(s)\");\n", - decl.bro_fullname.c_str(), argc); - fprintf(fp_func_def, "\t\treturn 0;\n"); - fprintf(fp_func_def, "\t\t}\n"); - } - - for ( int i = 0; i < (int) args.size(); ++i ) - args[i]->PrintCDef(fp_func_def, i + implicit_arg); - print_line_directive(fp_func_def); - } - ; - -body_end: TOK_RPB c_code_end - { - fprintf(fp_func_def, "}"); - } - ; - -c_code_segment: TOK_LPPB c_code_begin c_body c_code_end TOK_RPPB - ; - -c_body: opt_ws - { fprintf(fp_func_def, "%s", $1); } - | c_body c_atom opt_ws - { fprintf(fp_func_def, "%s", $3); } - ; - -c_atom: TOK_ID - { fprintf(fp_func_def, "%s", $1); } - | TOK_C_TOKEN - { fprintf(fp_func_def, "%s", $1); } - | TOK_ARG - { fprintf(fp_func_def, "(*%s)", arg_list_name); } - | TOK_ARGS - { fprintf(fp_func_def, "%s", arg_list_name); } - | TOK_ARGC - { fprintf(fp_func_def, "%s->length()", arg_list_name); } - | TOK_CSTR - { fprintf(fp_func_def, "%s", $1); } - | TOK_ATOM - { fprintf(fp_func_def, "%c", $1); } - | TOK_INT - { fprintf(fp_func_def, "%s", $1); } - - ; - -opt_ws: opt_ws TOK_WS - { $$ = concat($1, $2); } - | opt_ws TOK_LF - { $$ = concat($1, "\n"); } - | opt_ws TOK_COMMENT - { - if ( in_c_code ) - $$ = concat($1, $2); - else - if ( $2[1] == '#' ) - // This is a special type of comment that is used to - // generate bro script documentation, so pass it through. 
- $$ = concat($1, $2); - else - $$ = $1; - } - | /* empty */ - { $$ = ""; } - ; - -%% - -extern char* yytext; -extern char* input_filename; -extern int line_number; -void err_exit(void); - -void print_msg(const char msg[]) - { - int msg_len = strlen(msg) + strlen(yytext) + 64; - char* msgbuf = new char[msg_len]; - - if ( yytext[0] == '\n' ) - snprintf(msgbuf, msg_len, "%s, on previous line", msg); - - else if ( yytext[0] == '\0' ) - snprintf(msgbuf, msg_len, "%s, at end of file", msg); - - else - snprintf(msgbuf, msg_len, "%s, at or near \"%s\"", msg, yytext); - - /* - extern int column; - sprintf(msgbuf, "%*s\n%*s\n", column, "^", column, msg); - */ - - if ( input_filename ) - fprintf(stderr, "%s:%d: ", input_filename, line_number); - else - fprintf(stderr, "line %d: ", line_number); - fprintf(stderr, "%s\n", msgbuf); - - delete [] msgbuf; - } - -int yywarn(const char msg[]) - { - print_msg(msg); - return 0; - } - -int yyerror(const char msg[]) - { - print_msg(msg); - - err_exit(); - return 0; - } diff --git a/src/event.bif b/src/event.bif index f568de902b..28ed7f6807 100644 --- a/src/event.bif +++ b/src/event.bif @@ -183,7 +183,7 @@ event connection_flow_label_changed%(c: connection, is_orig: bool, old_label: co ## Generated for a new connection received from the communication subsystem. ## Remote peers can inject packets into Bro's packet loop, for example via -## :doc:`Broccoli `. The communication system +## Broccoli. The communication system ## raises this event with the first packet of a connection coming in this way. ## ## c: The connection. diff --git a/src/file_analysis/AnalyzerSet.cc b/src/file_analysis/AnalyzerSet.cc index 5b7bdd875c..35968c9a02 100644 --- a/src/file_analysis/AnalyzerSet.cc +++ b/src/file_analysis/AnalyzerSet.cc 
@@ -129,11 +129,12 @@ bool AnalyzerSet::Remove(file_analysis::Tag tag, HashKey* key) file->GetID().c_str(), file_mgr->GetComponentName(tag).c_str()); + a->Done(); // We don't delete the analyzer object right here because the remove // operation may execute at a time when it can still be accessed. - // Instead we let disable it; it will be deleted together with the AnalyzerSet. - a->SetSkip(true); + // Instead we let the file know to delete the analyzer later. + file->DoneWithAnalyzer(a); return true; } diff --git a/src/file_analysis/AnalyzerSet.h b/src/file_analysis/AnalyzerSet.h index 642792f776..3cbe5b1898 100644 --- a/src/file_analysis/AnalyzerSet.h +++ b/src/file_analysis/AnalyzerSet.h @@ -29,7 +29,7 @@ public: * Constructor. Nothing special. * @param arg_file the file to which all analyzers in the set are attached. */ - AnalyzerSet(File* arg_file); + explicit AnalyzerSet(File* arg_file); /** * Destructor. Any queued analyzer additions/removals are aborted and @@ -173,9 +173,9 @@ private: */ AddMod(file_analysis::Analyzer* arg_a, HashKey* arg_key) : Modification(), a(arg_a), key(arg_key) {} - virtual ~AddMod() {} - virtual bool Perform(AnalyzerSet* set); - virtual void Abort() { delete a; delete key; } + ~AddMod() override {} + bool Perform(AnalyzerSet* set) override; + void Abort() override { delete a; delete key; } protected: file_analysis::Analyzer* a; @@ -194,9 +194,9 @@ private: */ RemoveMod(file_analysis::Tag arg_tag, HashKey* arg_key) : Modification(), tag(arg_tag), key(arg_key) {} - virtual ~RemoveMod() {} - virtual bool Perform(AnalyzerSet* set); - virtual void Abort() { delete key; } + ~RemoveMod() override {} + bool Perform(AnalyzerSet* set) override; + void Abort() override { delete key; } protected: file_analysis::Tag tag; diff --git a/src/file_analysis/Component.h b/src/file_analysis/Component.h index 1a4d8a2fb6..b4bcbb9552 100644 --- a/src/file_analysis/Component.h +++ b/src/file_analysis/Component.h 
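Review bot: Dropping `a->SetSkip(true)` in `AnalyzerSet::Remove` leaves the removed analyzer unflagged during the window in which, per the retained comment, it can still be accessed. Any delivery path that still holds `a` would then feed data to an analyzer that has already had `Done()` called. Whether those paths check anything besides the skip flag is not visible in this hunk, so this needs confirming. Keeping the flag is cheap: `a->SetSkip(true);` immediately before `file->DoneWithAnalyzer(a);`. The body of `Remove` starts above the hunk.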
@@ -52,7 +52,7 @@ public: /** * Destructor. */ - ~Component(); + ~Component() override; /** * Initialization function. This function has to be called before any diff --git a/src/file_analysis/File.cc b/src/file_analysis/File.cc index ff65eb0c32..711186335e 100644 --- a/src/file_analysis/File.cc +++ b/src/file_analysis/File.cc @@ -34,9 +34,9 @@ static RecordVal* get_conn_id_val(const Connection* conn) { RecordVal* v = new RecordVal(conn_id); v->Assign(0, new AddrVal(conn->OrigAddr())); - v->Assign(1, new PortVal(ntohs(conn->OrigPort()), conn->ConnTransport())); + v->Assign(1, port_mgr->Get(ntohs(conn->OrigPort()), conn->ConnTransport())); v->Assign(2, new AddrVal(conn->RespAddr())); - v->Assign(3, new PortVal(ntohs(conn->RespPort()), conn->ConnTransport())); + v->Assign(3, port_mgr->Get(ntohs(conn->RespPort()), conn->ConnTransport())); return v; } @@ -55,6 +55,7 @@ int File::bof_buffer_size_idx = -1; int File::bof_buffer_idx = -1; int File::meta_mime_type_idx = -1; int File::meta_mime_types_idx = -1; +int File::meta_inferred_idx = -1; void File::StaticInit() { @@ -76,6 +77,7 @@ void File::StaticInit() bof_buffer_idx = Idx("bof_buffer", fa_file_type); meta_mime_type_idx = Idx("mime_type", fa_metadata_type); meta_mime_types_idx = Idx("mime_types", fa_metadata_type); + meta_inferred_idx = Idx("inferred", fa_metadata_type); } File::File(const string& file_id, const string& source_name, Connection* conn, @@ -107,6 +109,9 @@ File::~File() DBG_LOG(DBG_FILE_ANALYSIS, "[%s] Destroying File object", id.c_str()); Unref(val); delete file_reassembler; + + for ( auto a : done_analyzers ) + delete a; } void File::UpdateLastActivityTime() 
@@ -287,6 +292,27 @@ void File::SetReassemblyBuffer(uint64 max) reassembly_max_buffer = max; } +bool File::SetMime(const string& mime_type) + { + if ( mime_type.empty() || bof_buffer.size != 0 || did_metadata_inference ) + return false; + + did_metadata_inference = true; + bof_buffer.full = true; + + if ( ! FileEventAvailable(file_sniff) ) + return false; + + val_list* vl = new val_list(); + vl->append(val->Ref()); + RecordVal* meta = new RecordVal(fa_metadata_type); + vl->append(meta); + meta->Assign(meta_mime_type_idx, new StringVal(mime_type)); + meta->Assign(meta_inferred_idx, new Val(0, TYPE_BOOL)); + FileEvent(file_sniff, vl); + return true; + } + void File::InferMetadata() { did_metadata_inference = true; @@ -494,6 +520,11 @@ void File::DeliverChunk(const u_char* data, uint64 len, uint64 offset) EndOfFile(); } +void File::DoneWithAnalyzer(Analyzer* analyzer) + { + done_analyzers.push_back(analyzer); + } + void File::DataIn(const u_char* data, uint64 len, uint64 offset) { analyzers.DrainModifications(); diff --git a/src/file_analysis/File.h b/src/file_analysis/File.h index 6ad90e986b..1d4fb03789 100644 --- a/src/file_analysis/File.h +++ b/src/file_analysis/File.h @@ -119,6 +119,11 @@ public: */ bool RemoveAnalyzer(file_analysis::Tag tag, RecordVal* args); + /** + * Signal that this analyzer can be deleted once it's safe to do so. + */ + void DoneWithAnalyzer(Analyzer* analyzer); + /** * Pass in non-sequential data and deliver to attached analyzers. * @param data pointer to start of a chunk of file data. 
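Review bot: `File::SetMime` commits its state change (`did_metadata_inference = true; bof_buffer.full = true;`) before the `FileEventAvailable(file_sniff)` check, so with no `file_sniff` handler it returns false even though content sniffing has already been switched off for the file. That contradicts the `@return` text added in File.h, which says false means the type could not be set. Because `mime_type` is a caller-asserted value that replaces detection, callers should be able to tell the two cases apart. Either return true on that path or document it on the early return, e.g. `// Type is now fixed and inference disabled; false here only means no file_sniff handler.`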
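Review bot: `File::DoneWithAnalyzer` takes ownership of a raw `Analyzer*` with no guard against the same pointer being queued twice, and the loop added to `~File()` in the earlier hunk would then delete it twice. The only caller visible in this diff is `AnalyzerSet::Remove`, so this may be safe today, but the method is declared public and the ownership rule is not written down. The list also only shrinks in the destructor, so a long-lived file with repeated add/remove cycles keeps every finished analyzer allocated until then. I would state the contract above the definition: `// Takes ownership; analyzer is deleted in ~File(). Call at most once per analyzer.`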
@@ -166,6 +171,27 @@ public: */ void FileEvent(EventHandlerPtr h, val_list* vl); + + /** + * Sets the MIME type for a file to a specific value. + * + * Setting the MIME type has to be done before the MIME type is + * inferred from the content, and before any data is passed to the + * analyzer (the beginning of file buffer has to be empty). After + * data has been sent or a MIME type has been set once, it cannot be + * changed. + * + * This function should only be called when it does not make sense + * to perform automated MIME type detections. This is e.g. the case + * in protocols where the file type is fixed in the protocol description. + * This is for example the case for TLS and X.509 certificates. + * + * @param mime_type mime type to set + * @return true if the mime type was set. False if it could not be set because + * a mime type was already set or inferred. + */ + bool SetMime(const string& mime_type); + protected: friend class Manager; friend class FileReassembler; @@ -287,6 +313,7 @@ protected: bool postpone_timeout; /**< Whether postponing timeout is requested. */ bool done; /**< If this object is about to be deleted. */ AnalyzerSet analyzers; /**< A set of attached file analyzers. */ + std::list done_analyzers; /**< Analyzers we're done with, remembered here until they can be safely deleted. */ struct BOF_Buffer { BOF_Buffer() : full(false), size(0) {} @@ -313,6 +340,7 @@ protected: static int bof_buffer_idx; static int mime_type_idx; static int mime_types_idx; + static int meta_inferred_idx; static int meta_mime_type_idx; static int meta_mime_types_idx; diff --git a/src/file_analysis/FileReassembler.h b/src/file_analysis/FileReassembler.h index aa07a84d42..c6143a5565 100644 --- a/src/file_analysis/FileReassembler.h +++ b/src/file_analysis/FileReassembler.h @@ -15,7 +15,7 @@ class FileReassembler : public Reassembler { public: FileReassembler(File* f, uint64 starting_offset); - virtual ~FileReassembler(); + ~FileReassembler() override; void Done(); 
diff --git a/src/file_analysis/FileTimer.h b/src/file_analysis/FileTimer.h index bdfd1fe165..57f4afb5ea 100644 --- a/src/file_analysis/FileTimer.h +++ b/src/file_analysis/FileTimer.h @@ -28,7 +28,7 @@ public: * @param t current unix time * @param is_expire true if all pending timers are being expired. */ - void Dispatch(double t, int is_expire); + void Dispatch(double t, int is_expire) override; private: string file_id; diff --git a/src/file_analysis/Manager.cc b/src/file_analysis/Manager.cc index 217c901969..b095315de8 100644 --- a/src/file_analysis/Manager.cc +++ b/src/file_analysis/Manager.cc @@ -104,13 +104,22 @@ void Manager::SetHandle(const string& handle) if ( handle.empty() ) return; - DBG_LOG(DBG_FILE_ANALYSIS, "Set current handle to %s", handle.c_str()); +#ifdef DEBUG + if ( debug_logger.IsEnabled(DBG_FILE_ANALYSIS) ) + { + BroString tmp{handle}; + auto rendered = tmp.Render(); + DBG_LOG(DBG_FILE_ANALYSIS, "Set current handle to %s", rendered); + delete [] rendered; + } +#endif + current_file_id = HashHandle(handle); } string Manager::DataIn(const u_char* data, uint64 len, uint64 offset, analyzer::Tag tag, Connection* conn, bool is_orig, - const string& precomputed_id) + const string& precomputed_id, const string& mime_type) { string id = precomputed_id.empty() ? GetFileID(tag, conn, is_orig) : precomputed_id; File* file = GetFile(id, conn, tag, is_orig); @@ -118,6 +127,15 @@ string Manager::DataIn(const u_char* data, uint64 len, uint64 offset, if ( ! file ) return ""; + // This only has any effect when + // * called for the first time for a file + // * being called before file->DataIn is called for the first time (before data is + // added to the bof buffer). + // Afterwards SetMime just ignores what is passed to it. Thus this only has effect during + // the first Manager::DataIn call for each file. + if ( ! mime_type.empty() ) + file->SetMime(mime_type); + file->DataIn(data, len, offset); if ( file->IsComplete() ) 
@@ -130,7 +148,8 @@ string Manager::DataIn(const u_char* data, uint64 len, uint64 offset, } string Manager::DataIn(const u_char* data, uint64 len, analyzer::Tag tag, - Connection* conn, bool is_orig, const string& precomputed_id) + Connection* conn, bool is_orig, const string& precomputed_id, + const string& mime_type) { string id = precomputed_id.empty() ? GetFileID(tag, conn, is_orig) : precomputed_id; // Sequential data input shouldn't be going over multiple conns, so don't @@ -140,6 +159,9 @@ string Manager::DataIn(const u_char* data, uint64 len, analyzer::Tag tag, if ( ! file ) return ""; + if ( ! mime_type.empty() ) + file->SetMime(mime_type); + file->DataIn(data, len); if ( file->IsComplete() ) @@ -435,7 +457,7 @@ bool Manager::IsDisabled(analyzer::Tag tag) if ( ! disabled ) disabled = internal_const_val("Files::disable")->AsTableVal(); - Val* index = new Val(tag, TYPE_COUNT); + Val* index = new Val(bool(tag), TYPE_COUNT); Val* yield = disabled->Lookup(index); Unref(index); diff --git a/src/file_analysis/Manager.h b/src/file_analysis/Manager.h index bcc8ac5dd2..fe3328b679 100644 --- a/src/file_analysis/Manager.h +++ b/src/file_analysis/Manager.h @@ -70,7 +70,8 @@ public: /** * Creates a file identifier from a unique file handle string. - * @param handle a unique string which identifies a single file. + * @param handle a unique string (may contain NULs) which identifies + * a single file. * @return a prettified MD5 hash of \a handle, truncated to *bits_per_uid* bits. */ string HashHandle(const string& handle) const; @@ -78,7 +79,8 @@ public: /** * Take in a unique file handle string to identify next piece of * incoming file data/information. - * @param handle a unique string which identifies a single file. + * @param handle a unique string (may contain NULs) which identifies + * a single file. */ void SetHandle(const string& handle); 
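Review bot: `new Val(bool(tag), TYPE_COUNT)` in `Manager::IsDisabled` builds the `Files::disable` lookup index from the tag's truthiness, so every valid tag maps to index 1 and an invalid one to 0. The cast was presumably added only to keep the old implicit conversion compiling now that `operator bool` is explicit. It does show that the lookup cannot tell one analyzer from another, so a per-analyzer disable entry may suppress file analysis for more or fewer protocols than the operator intended. The index type of `Files::disable` is not shown here, so the right key needs confirming; if it is meant to be per tag, index by the tag's own value rather than `bool(tag)`. At minimum add `// NOTE: bool(tag) is 0 or 1, not the tag id; kept to preserve pre-existing behaviour.` The function body continues outside the hunk.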
@@ -93,6 +95,13 @@ public: * or false if is being sent in the opposite direction. * @param precomputed_file_id may be set to a previous return value in order to * bypass costly file handle lookups. + * @param mime_type may be set to the mime type of the file, if already known due + * to the protocol. This is, e.g., the case in TLS connections where X.509 + * certificates are passed as files; here the type of the file is set by + * the protocol. If this parameter is given, MIME type detection will be + * disabled. + * This parameter only has any effect for the first DataIn call of each + * file. It is ignored for all subsequent calls. * @return a unique file ID string which, in certain contexts, may be * cached and passed back in to a subsequent function call in order * to avoid costly file handle lookups (which have to go through @@ -101,7 +110,8 @@ public: */ std::string DataIn(const u_char* data, uint64 len, uint64 offset, analyzer::Tag tag, Connection* conn, bool is_orig, - const std::string& precomputed_file_id = ""); + const std::string& precomputed_file_id = "", + const std::string& mime_type = ""); /** * Pass in sequential file data. @@ -113,6 +123,12 @@ public: * or false if is being sent in the opposite direction. * @param precomputed_file_id may be set to a previous return value in order to * bypass costly file handle lookups. + * @param mime_type may be set to the mime type of the file, if already known due + * to the protocol. This is, e.g., the case in TLS connections where X.509 + * certificates are passed as files; here the type of the file is set by + * the protocol. If this parameter is give, mime type detection will be + * disabled. + * This parameter is only used for the first bit of data for each file. * @return a unique file ID string which, in certain contexts, may be * cached and passed back in to a subsequent function call in order * to avoid costly file handle lookups (which have to go through 
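Review bot: The new `mime_type` parameter doc says that passing a value disables MIME type detection, but it does not say where that value may come from. A protocol analyzer that forwards a peer-controlled field (a declared content type, for instance) would let the remote side suppress content sniffing and choose the type that `file_sniff` handlers see. I would add one sentence to both `DataIn` comments: `Only pass a type that the protocol specification itself fixes; never a value taken from traffic.` The second `DataIn` comment (hunk `@@ -113,6 +123,12 @@`) also has a typo: `is give` should be `is given`.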
@@ -121,7 +137,8 @@ public: */ std::string DataIn(const u_char* data, uint64 len, analyzer::Tag tag, Connection* conn, bool is_orig, - const std::string& precomputed_file_id = ""); + const std::string& precomputed_file_id = "", + const std::string& mime_type = ""); /** * Pass in sequential file data from external source (e.g. input framework). @@ -241,6 +258,14 @@ public: bool SetExtractionLimit(const string& file_id, RecordVal* args, uint64 n) const; + /** + * Try to retrieve a file that's being analyzed, using its identifier/hash. + * @param file_id the file identifier/hash. + * @return the File object mapped to \a file_id, or a null pointer if no + * mapping exists. + */ + File* LookupFile(const string& file_id) const; + /** * Queue attachment of an analzer to the file identifier. Multiple * analyzers of a given type can be attached per file identifier at a time @@ -340,14 +365,6 @@ protected: bool is_orig = false, bool update_conn = true, const char* source_name = 0); - /** - * Try to retrieve a file that's being analyzed, using its identifier/hash. - * @param file_id the file identifier/hash. - * @return the File object mapped to \a file_id, or a null pointer if no - * mapping exists. - */ - File* LookupFile(const string& file_id) const; - /** * Evaluate timeout policy for a file and remove the File object mapped to * \a file_id if needed. diff --git a/src/file_analysis/Tag.h b/src/file_analysis/Tag.h index c28183a07f..9d131fa808 100644 --- a/src/file_analysis/Tag.h +++ b/src/file_analysis/Tag.h @@ -41,12 +41,8 @@ public: /** * Returns false if the tag represents an error value rather than a * legal analyzer type. - * TODO: make this conversion operator "explicit" (C++11) or use a - * "safe bool" idiom (not necessary if "explicit" is available), - * otherwise this may allow nonsense/undesired comparison operations. - * */ - operator bool() const { return *this != Tag(); } + explicit operator bool() const { return *this != Tag(); } /** * Assignment operator. 
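Review bot: Moving `LookupFile` from the protected to the public section (hunk `@@ -241,6 +258,14 @@`) hands a raw `File*` to any caller, and the comment carried over does not say how long that pointer stays valid. The Manager removes File objects on its own schedule; the context of the following hunk mentions removal when the timeout policy is evaluated. A caller that stores the pointer across events could therefore end up dereferencing a freed object. I would extend the doc block with `* The returned pointer is owned by the Manager and must not be cached; look it up again for each use.`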
@@ -101,14 +97,14 @@ protected: * @param subtype The sub type, which is left to an analyzer for * interpretation. By default it's set to zero. */ - Tag(type_t type, subtype_t subtype = 0); + explicit Tag(type_t type, subtype_t subtype = 0); /** * Constructor. * * @param val An enum value of script type \c Files::Tag. */ - Tag(EnumVal* val) : ::Tag(val) {} + explicit Tag(EnumVal* val) : ::Tag(val) {} }; } diff --git a/src/file_analysis/analyzer/data_event/DataEvent.h b/src/file_analysis/analyzer/data_event/DataEvent.h index 60b0487a6f..fe1fe2cc56 100644 --- a/src/file_analysis/analyzer/data_event/DataEvent.h +++ b/src/file_analysis/analyzer/data_event/DataEvent.h @@ -25,7 +25,7 @@ public: * @param offset number of bytes from start of file at which chunk occurs. * @return always true */ - virtual bool DeliverChunk(const u_char* data, uint64 len, uint64 offset); + bool DeliverChunk(const u_char* data, uint64 len, uint64 offset) override; /** * Generates the event, if any, specified by the "stream_event" field of @@ -34,7 +34,7 @@ public: * @param len number of bytes in the data chunk. * @return always true */ - virtual bool DeliverStream(const u_char* data, uint64 len); + bool DeliverStream(const u_char* data, uint64 len) override; /** * Create a new instance of a DataEvent analyzer. diff --git a/src/file_analysis/analyzer/entropy/Entropy.h b/src/file_analysis/analyzer/entropy/Entropy.h index 6a5075263c..955c8484c2 100644 --- a/src/file_analysis/analyzer/entropy/Entropy.h +++ b/src/file_analysis/analyzer/entropy/Entropy.h @@ -23,7 +23,7 @@ public: /** * Destructor. */ - virtual ~Entropy(); + ~Entropy() override; /** * Create a new instance of an Extract analyzer. 
@@ -40,13 +40,13 @@ public: * @param len number of bytes in the data chunk. * @return false if the digest is in an invalid state, else true. */ - virtual bool DeliverStream(const u_char* data, uint64 len); + bool DeliverStream(const u_char* data, uint64 len) override; /** * Finalizes the hash and raises a "file_entropy_test" event. * @return always false so analyze will be deteched from file. */ - virtual bool EndOfFile(); + bool EndOfFile() override; /** * Missing data can't be handled, so just indicate the this analyzer should @@ -55,7 +55,7 @@ public: * @param len number of missing bytes. * @return always false so analyzer will detach from file. */ - virtual bool Undelivered(uint64 offset, uint64 len); + bool Undelivered(uint64 offset, uint64 len) override; protected: diff --git a/src/file_analysis/analyzer/extract/Extract.cc b/src/file_analysis/analyzer/extract/Extract.cc index c758414a6e..f936a5156b 100644 --- a/src/file_analysis/analyzer/extract/Extract.cc +++ b/src/file_analysis/analyzer/extract/Extract.cc @@ -20,7 +20,7 @@ Extract::Extract(RecordVal* args, File* file, const string& arg_filename, { fd = 0; char buf[128]; - strerror_r(errno, buf, sizeof(buf)); + bro_strerror_r(errno, buf, sizeof(buf)); reporter->Error("cannot open %s: %s", filename.c_str(), buf); } } diff --git a/src/file_analysis/analyzer/extract/Extract.h b/src/file_analysis/analyzer/extract/Extract.h index cb57950d4c..c19440ee31 100644 --- a/src/file_analysis/analyzer/extract/Extract.h +++ b/src/file_analysis/analyzer/extract/Extract.h @@ -22,7 +22,7 @@ public: /** * Destructor. Will close the file that was used for data extraction. */ - virtual ~Extract(); + ~Extract() override; /** * Write a chunk of file data to the local extraction file. 
@@ -31,7 +31,7 @@ public: * @return false if there was no extraction file open and the data couldn't * be written, else true. */ - virtual bool DeliverStream(const u_char* data, uint64 len); + bool DeliverStream(const u_char* data, uint64 len) override; /** * Report undelivered bytes. @@ -39,7 +39,7 @@ public: * @param len number of bytes undelivered. * @return true */ - virtual bool Undelivered(uint64 offset, uint64 len); + bool Undelivered(uint64 offset, uint64 len) override; /** * Create a new instance of an Extract analyzer. diff --git a/src/file_analysis/analyzer/hash/Hash.h b/src/file_analysis/analyzer/hash/Hash.h index 13303e21fc..f3ec222e9a 100644 --- a/src/file_analysis/analyzer/hash/Hash.h +++ b/src/file_analysis/analyzer/hash/Hash.h @@ -23,7 +23,7 @@ public: /** * Destructor. */ - virtual ~Hash(); + ~Hash() override; /** * Incrementally hash next chunk of file contents. @@ -31,13 +31,13 @@ public: * @param len number of bytes in the data chunk. * @return false if the digest is in an invalid state, else true. */ - virtual bool DeliverStream(const u_char* data, uint64 len); + bool DeliverStream(const u_char* data, uint64 len) override; /** * Finalizes the hash and raises a "file_hash" event. * @return always false so analyze will be deteched from file. */ - virtual bool EndOfFile(); + bool EndOfFile() override; /** * Missing data can't be handled, so just indicate the this analyzer should @@ -46,7 +46,7 @@ public: * @param len number of missing bytes. * @return always false so analyzer will detach from file. */ - virtual bool Undelivered(uint64 offset, uint64 len); + bool Undelivered(uint64 offset, uint64 len) override; protected: diff --git a/src/file_analysis/analyzer/unified2/Unified2.h b/src/file_analysis/analyzer/unified2/Unified2.h index c2ee9e00da..b2e289c726 100644 --- a/src/file_analysis/analyzer/unified2/Unified2.h +++ b/src/file_analysis/analyzer/unified2/Unified2.h 
@@ -17,9 +17,9 @@ namespace file_analysis { */ class Unified2 : public file_analysis::Analyzer { public: - virtual ~Unified2(); + ~Unified2() override; - virtual bool DeliverStream(const u_char* data, uint64 len); + bool DeliverStream(const u_char* data, uint64 len) override; static file_analysis::Analyzer* Instantiate(RecordVal* args, File* file); diff --git a/src/file_analysis/analyzer/unified2/unified2-analyzer.pac b/src/file_analysis/analyzer/unified2/unified2-analyzer.pac index 11072f140b..bedf54be5b 100644 --- a/src/file_analysis/analyzer/unified2/unified2-analyzer.pac +++ b/src/file_analysis/analyzer/unified2/unified2-analyzer.pac @@ -54,7 +54,7 @@ refine flow Flow += { case 17: proto = TRANSPORT_UDP; break; } - return new PortVal(n, proto); + return port_mgr->Get(n, proto); %} #function proc_record(rec: Record) : bool diff --git a/src/file_analysis/analyzer/x509/CMakeLists.txt b/src/file_analysis/analyzer/x509/CMakeLists.txt index aa663cfa6e..a4c5767e56 100644 --- a/src/file_analysis/analyzer/x509/CMakeLists.txt +++ b/src/file_analysis/analyzer/x509/CMakeLists.txt @@ -5,6 +5,7 @@ include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) bro_plugin_begin(Bro X509) -bro_plugin_cc(X509.cc Plugin.cc) -bro_plugin_bif(events.bif types.bif functions.bif) +bro_plugin_cc(X509Common.cc X509.cc OCSP.cc Plugin.cc) +bro_plugin_bif(events.bif types.bif functions.bif ocsp_events.bif) +bro_plugin_pac(x509-extension.pac x509-signed_certificate_timestamp.pac) bro_plugin_end() diff --git a/src/file_analysis/analyzer/x509/OCSP.cc b/src/file_analysis/analyzer/x509/OCSP.cc new file mode 100644 index 0000000000..bea88fc747 --- /dev/null +++ b/src/file_analysis/analyzer/x509/OCSP.cc 
@@ -0,0 +1,737 @@ +// See the file "COPYING" in the main distribution directory for copyright. + +#include + +#include "OCSP.h" +#include "X509.h" +#include "Event.h" + +#include "types.bif.h" +#include "ocsp_events.bif.h" + +#include "file_analysis/Manager.h" + +#include +#include +#include +#include + +#include "file_analysis/analyzer/x509/X509.h" + +// helper function of sk_X509_value to avoid namespace problem +// sk_X509_value(X,Y) = > SKM_sk_value(X509,X,Y) +// X509 => file_analysis::X509 +X509* helper_sk_X509_value(const STACK_OF(X509)* certs, int i) + { + return sk_X509_value(certs, i); + } + +using namespace file_analysis; + +IMPLEMENT_SERIAL(OCSP_RESPVal, SER_OCSP_RESP_VAL); + +#define OCSP_STRING_BUF_SIZE 2048 + +static Val* get_ocsp_type(RecordVal* args, const char* name) + { + Val* rval = args->Lookup(name); + + if ( ! rval ) + reporter->Error("File extraction analyzer missing arg field: %s", name); + + return rval; + } + +static bool OCSP_RESPID_bio(OCSP_BASICRESP* basic_resp, BIO* bio) + { +#if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) + ASN1_OCTET_STRING* key = nullptr; + X509_NAME* name = nullptr; + + if ( ! basic_resp->tbsResponseData ) + return false; + + auto resp_id = basic_resp->tbsResponseData->responderId; + + if ( resp_id->type == V_OCSP_RESPID_NAME ) + name = resp_id->value.byName; + else if ( resp_id->type == V_OCSP_RESPID_KEY ) + key = resp_id->value.byKey; + else + return false; +#else + const ASN1_OCTET_STRING* key = nullptr; + const X509_NAME* name = nullptr; + + if ( ! 
OCSP_resp_get0_id(basic_resp, &key, &name) ) + return false; +#endif + + if ( name ) + X509_NAME_print_ex(bio, name, 0, XN_FLAG_ONELINE); + else + i2a_ASN1_STRING(bio, key, V_ASN1_OCTET_STRING); + + return true; + } + +bool ocsp_add_cert_id(const OCSP_CERTID* cert_id, val_list* vl, BIO* bio) + { + ASN1_OBJECT* hash_alg = nullptr; + ASN1_OCTET_STRING* issuer_name_hash = nullptr; + ASN1_OCTET_STRING* issuer_key_hash = nullptr; + ASN1_INTEGER* serial_number = nullptr; + + auto res = OCSP_id_get0_info(&issuer_name_hash, &hash_alg, + &issuer_key_hash, &serial_number, + const_cast(cert_id)); + + if ( ! res ) + { + reporter->Weird("OpenSSL failed to get OCSP_CERTID info"); + vl->append(new StringVal("")); + vl->append(new StringVal("")); + vl->append(new StringVal("")); + vl->append(new StringVal("")); + return false; + } + + char buf[OCSP_STRING_BUF_SIZE]; + memset(buf, 0, sizeof(buf)); + + i2a_ASN1_OBJECT(bio, hash_alg); + int len = BIO_read(bio, buf, sizeof(buf)); + vl->append(new StringVal(len, buf)); + BIO_reset(bio); + + i2a_ASN1_STRING(bio, issuer_name_hash, V_ASN1_OCTET_STRING); + len = BIO_read(bio, buf, sizeof(buf)); + vl->append(new StringVal(len, buf)); + BIO_reset(bio); + + i2a_ASN1_STRING(bio, issuer_key_hash, V_ASN1_OCTET_STRING); + len = BIO_read(bio, buf, sizeof(buf)); + vl->append(new StringVal(len, buf)); + BIO_reset(bio); + + i2a_ASN1_INTEGER(bio, serial_number); + len = BIO_read(bio, buf, sizeof(buf)); + vl->append(new StringVal(len, buf)); + BIO_reset(bio); + + return true; + } + +file_analysis::Analyzer* OCSP::InstantiateRequest(RecordVal* args, File* file) + { + return new OCSP(args, file, true); + } + +file_analysis::Analyzer* OCSP::InstantiateReply(RecordVal* args, File* file) + { + return new OCSP(args, file, false); + } + +file_analysis::OCSP::OCSP(RecordVal* args, file_analysis::File* file, bool arg_request) + : file_analysis::X509Common::X509Common(file_mgr->GetComponentTag("OCSP"), args, file), request(arg_request) + { + } + +bool 
file_analysis::OCSP::DeliverStream(const u_char* data, uint64 len) + { + ocsp_data.append(reinterpret_cast(data), len); + return true; + } + +bool file_analysis::OCSP::Undelivered(uint64 offset, uint64 len) + { + return false; + } + +// we parse the entire OCSP response in EOF, because we just pass it on +// to OpenSSL. +bool file_analysis::OCSP::EndOfFile() + { + const unsigned char* ocsp_char = reinterpret_cast(ocsp_data.data()); + + if ( request ) + { + OCSP_REQUEST *req = d2i_OCSP_REQUEST(NULL, &ocsp_char, ocsp_data.size()); + + if (!req) + { + reporter->Weird(fmt("OPENSSL Could not parse OCSP request (fuid %s)", GetFile()->GetID().c_str())); + return false; + } + + ParseRequest(req, GetFile()->GetID().c_str()); + OCSP_REQUEST_free(req); + } + else + { + OCSP_RESPONSE *resp = d2i_OCSP_RESPONSE(NULL, &ocsp_char, ocsp_data.size()); + + if (!resp) + { + reporter->Weird(fmt("OPENSSL Could not parse OCSP response (fuid %s)", GetFile()->GetID().c_str())); + return false; + } + + OCSP_RESPVal* resp_val = new OCSP_RESPVal(resp); // resp_val takes ownership + ParseResponse(resp_val, GetFile()->GetID().c_str()); + Unref(resp_val); + } + + return true; +} + +#if ( OPENSSL_VERSION_NUMBER >= 0x10100000L ) +// Re-encode and then parse out ASN1 structures to get at what we need... 
+/*- BasicOCSPResponse ::= SEQUENCE { + * tbsResponseData ResponseData, + * signatureAlgorithm AlgorithmIdentifier, + * signature BIT STRING, + * certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL } +typedef struct ocsp_basic_response_st { + OCSP_RESPDATA *tbsResponseData; + X509_ALGOR *signatureAlgorithm; + ASN1_BIT_STRING *signature; + STACK_OF(X509) *certs; +} OCSP_BASICRESP; +*/ +static StringVal* parse_basic_resp_sig_alg(OCSP_BASICRESP* basic_resp, + BIO* bio, char* buf, size_t buf_len) + { + int der_basic_resp_len = 0; + unsigned char* der_basic_resp_dat = nullptr; + + der_basic_resp_len = i2d_OCSP_BASICRESP(basic_resp, &der_basic_resp_dat); + + if ( der_basic_resp_len <= 0 ) + return new StringVal(""); + + const unsigned char* const_der_basic_resp_dat = der_basic_resp_dat; + + auto bseq = d2i_ASN1_SEQUENCE_ANY(nullptr, &const_der_basic_resp_dat, + der_basic_resp_len); + + if ( ! bseq ) + { + OPENSSL_free(der_basic_resp_dat); + return new StringVal(""); + } + + if ( sk_ASN1_TYPE_num(bseq) < 3 ) + { + sk_ASN1_TYPE_free(bseq); + OPENSSL_free(der_basic_resp_dat); + return new StringVal(""); + } + + auto constexpr sig_alg_idx = 1u; + auto aseq_type = sk_ASN1_TYPE_value(bseq, sig_alg_idx); + + if ( ASN1_TYPE_get(aseq_type) != V_ASN1_SEQUENCE ) + { + sk_ASN1_TYPE_free(bseq); + OPENSSL_free(der_basic_resp_dat); + return new StringVal(""); + } + + auto aseq_str = aseq_type->value.asn1_string; + auto aseq_len = ASN1_STRING_length(aseq_str); + auto aseq_dat = ASN1_STRING_get0_data(aseq_str); + + auto aseq = d2i_ASN1_SEQUENCE_ANY(nullptr, &aseq_dat, aseq_len); + + if ( ! 
aseq ) + { + sk_ASN1_TYPE_free(bseq); + OPENSSL_free(der_basic_resp_dat); + return new StringVal(""); + } + + if ( sk_ASN1_TYPE_num(aseq) < 1 ) + { + sk_ASN1_TYPE_free(aseq); + sk_ASN1_TYPE_free(bseq); + OPENSSL_free(der_basic_resp_dat); + return new StringVal(""); + } + + auto constexpr alg_obj_idx = 0u; + auto alg_obj_type = sk_ASN1_TYPE_value(aseq, alg_obj_idx); + + if ( ASN1_TYPE_get(alg_obj_type) != V_ASN1_OBJECT ) + { + sk_ASN1_TYPE_free(aseq); + sk_ASN1_TYPE_free(bseq); + OPENSSL_free(der_basic_resp_dat); + return new StringVal(""); + } + + auto alg_obj = alg_obj_type->value.object; + i2a_ASN1_OBJECT(bio, alg_obj); + auto alg_len = BIO_read(bio, buf, buf_len); + auto rval = new StringVal(alg_len, buf); + BIO_reset(bio); + + sk_ASN1_TYPE_free(aseq); + sk_ASN1_TYPE_free(bseq); + OPENSSL_free(der_basic_resp_dat); + return rval; + } + +static Val* parse_basic_resp_data_version(OCSP_BASICRESP* basic_resp) + { + int der_basic_resp_len = 0; + unsigned char* der_basic_resp_dat = nullptr; + + der_basic_resp_len = i2d_OCSP_BASICRESP(basic_resp, &der_basic_resp_dat); + + if ( der_basic_resp_len <= 0 ) + return new Val(-1, TYPE_COUNT); + + const unsigned char* const_der_basic_resp_dat = der_basic_resp_dat; + + auto bseq = d2i_ASN1_SEQUENCE_ANY(nullptr, &const_der_basic_resp_dat, + der_basic_resp_len); + + if ( ! 
bseq ) + { + OPENSSL_free(der_basic_resp_dat); + return new Val(-1, TYPE_COUNT); + } + + if ( sk_ASN1_TYPE_num(bseq) < 3 ) + { + sk_ASN1_TYPE_free(bseq); + OPENSSL_free(der_basic_resp_dat); + return new Val(-1, TYPE_COUNT); + } + + auto constexpr resp_data_idx = 0u; + auto dseq_type = sk_ASN1_TYPE_value(bseq, resp_data_idx); + + if ( ASN1_TYPE_get(dseq_type) != V_ASN1_SEQUENCE ) + { + sk_ASN1_TYPE_free(bseq); + OPENSSL_free(der_basic_resp_dat); + return new Val(-1, TYPE_COUNT); + } + + auto dseq_str = dseq_type->value.asn1_string; + auto dseq_len = ASN1_STRING_length(dseq_str); + auto dseq_dat = ASN1_STRING_get0_data(dseq_str); + + auto dseq = d2i_ASN1_SEQUENCE_ANY(nullptr, &dseq_dat, dseq_len); + + if ( ! dseq ) + { + sk_ASN1_TYPE_free(bseq); + OPENSSL_free(der_basic_resp_dat); + return new StringVal(""); + } + + if ( sk_ASN1_TYPE_num(dseq) < 1 ) + { + sk_ASN1_TYPE_free(dseq); + sk_ASN1_TYPE_free(bseq); + OPENSSL_free(der_basic_resp_dat); + return new StringVal(""); + } + +/*- ResponseData ::= SEQUENCE { + * version [0] EXPLICIT Version DEFAULT v1, + * responderID ResponderID, + * producedAt GeneralizedTime, + * responses SEQUENCE OF SingleResponse, + * responseExtensions [1] EXPLICIT Extensions OPTIONAL } + */ + + auto constexpr version_idx = 0u; + auto version_type = sk_ASN1_TYPE_value(dseq, version_idx); + + if ( ASN1_TYPE_get(version_type) != V_ASN1_INTEGER ) + { + sk_ASN1_TYPE_free(dseq); + sk_ASN1_TYPE_free(bseq); + OPENSSL_free(der_basic_resp_dat); + // Not present, use default value. 
+ return new Val(0, TYPE_COUNT); + } + + uint64_t asn1_int = ASN1_INTEGER_get(version_type->value.integer); + sk_ASN1_TYPE_free(dseq); + sk_ASN1_TYPE_free(bseq); + OPENSSL_free(der_basic_resp_dat); + return new Val(asn1_int, TYPE_COUNT); + } + +static uint64 parse_request_version(OCSP_REQUEST* req) + { + int der_req_len = 0; + unsigned char* der_req_dat = nullptr; + der_req_len = i2d_OCSP_REQUEST(req, &der_req_dat); + const unsigned char* const_der_req_dat = der_req_dat; + + if ( ! der_req_dat ) + return -1; + + auto rseq = d2i_ASN1_SEQUENCE_ANY(nullptr, &const_der_req_dat, + der_req_len); + + if ( ! rseq ) + { + OPENSSL_free(der_req_dat); + return -1; + } + + if ( sk_ASN1_TYPE_num(rseq) < 1 ) + { + sk_ASN1_TYPE_free(rseq); + OPENSSL_free(der_req_dat); + return -1; + } + + auto constexpr version_idx = 0u; + auto version_type = sk_ASN1_TYPE_value(rseq, version_idx); + + if ( ASN1_TYPE_get(version_type) != V_ASN1_INTEGER ) + { + sk_ASN1_TYPE_free(rseq); + OPENSSL_free(der_req_dat); + // Not present, use default value. + return 0; + } + + uint64_t asn1_int = ASN1_INTEGER_get(version_type->value.integer); + sk_ASN1_TYPE_free(rseq); + OPENSSL_free(der_req_dat); + return asn1_int; + } +#endif + +void file_analysis::OCSP::ParseRequest(OCSP_REQUEST* req, const char* fid) + { + char buf[OCSP_STRING_BUF_SIZE]; // we need a buffer for some of the openssl functions + memset(buf, 0, sizeof(buf)); + + // build up our response as we go along... + val_list* vl = new val_list(); + vl->append(GetFile()->GetVal()->Ref()); + + uint64 version = 0; + +#if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) + if ( req->tbsRequest->version ) + version = (uint64)ASN1_INTEGER_get(req->tbsRequest->version); +#else + version = parse_request_version(req); + // TODO: try to parse out general name ? 
+#endif + + vl->append(new Val(version, TYPE_COUNT)); + + BIO *bio = BIO_new(BIO_s_mem()); + + mgr.QueueEvent(ocsp_request, vl); + + int req_count = OCSP_request_onereq_count(req); + for ( int i=0; iappend(GetFile()->GetVal()->Ref()); + + OCSP_ONEREQ *one_req = OCSP_request_onereq_get0(req, i); + OCSP_CERTID *cert_id = OCSP_onereq_get0_id(one_req); + + ocsp_add_cert_id(cert_id, rvl, bio); + mgr.QueueEvent(ocsp_request_certificate, rvl); + } + + BIO_free(bio); +} + +void file_analysis::OCSP::ParseResponse(OCSP_RESPVal *resp_val, const char* fid) + { + OCSP_RESPONSE *resp = resp_val->GetResp(); + //OCSP_RESPBYTES *resp_bytes = resp->responseBytes; + OCSP_BASICRESP *basic_resp = nullptr; + OCSP_RESPDATA *resp_data = nullptr; + OCSP_RESPID *resp_id = nullptr; + const ASN1_GENERALIZEDTIME* produced_at = nullptr; + const STACK_OF(X509)* certs = nullptr; + + int resp_count, num_ext = 0; + VectorVal *certs_vector = nullptr; + int len = 0; + + char buf[OCSP_STRING_BUF_SIZE]; + memset(buf, 0, sizeof(buf)); + + val_list* vl = new val_list(); + vl->append(GetFile()->GetVal()->Ref()); + + const char *status_str = OCSP_response_status_str(OCSP_response_status(resp)); + StringVal* status_val = new StringVal(strlen(status_str), status_str); + vl->append(status_val->Ref()); + mgr.QueueEvent(ocsp_response_status, vl); + vl = nullptr; + + //if (!resp_bytes) + // { + // Unref(status_val); + // return; + // } + + BIO *bio = BIO_new(BIO_s_mem()); + //i2a_ASN1_OBJECT(bio, resp_bytes->responseType); + //int len = BIO_read(bio, buf, sizeof(buf)); + //BIO_reset(bio); + + // get the basic response + basic_resp = OCSP_response_get1_basic(resp); + if ( !basic_resp ) + goto clean_up; + +#if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) + resp_data = basic_resp->tbsResponseData; + if ( !resp_data ) + goto clean_up; +#endif + + vl = new val_list(); + vl->append(GetFile()->GetVal()->Ref()); + vl->append(resp_val->Ref()); + vl->append(status_val); + +#if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) + 
vl->append(new Val((uint64)ASN1_INTEGER_get(resp_data->version), TYPE_COUNT)); +#else + vl->append(parse_basic_resp_data_version(basic_resp)); +#endif + + // responderID + if ( OCSP_RESPID_bio(basic_resp, bio) ) + { + len = BIO_read(bio, buf, sizeof(buf)); + vl->append(new StringVal(len, buf)); + BIO_reset(bio); + } + else + { + reporter->Weird("OpenSSL failed to get OCSP responder id"); + vl->append(new StringVal("")); + } + + // producedAt +#if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) + produced_at = resp_data->producedAt; +#else + produced_at = OCSP_resp_get0_produced_at(basic_resp); +#endif + + vl->append(new Val(GetTimeFromAsn1(produced_at, fid, reporter), TYPE_TIME)); + + // responses + + resp_count = OCSP_resp_count(basic_resp); + + for ( int i=0; iappend(GetFile()->GetVal()->Ref()); + + // cert id + const OCSP_CERTID* cert_id = nullptr; + +#if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) + cert_id = single_resp->certId; +#else + cert_id = OCSP_SINGLERESP_get0_id(single_resp); +#endif + + ocsp_add_cert_id(cert_id, rvl, bio); + BIO_reset(bio); + + // certStatus + int status = V_OCSP_CERTSTATUS_UNKNOWN; + int reason = OCSP_REVOKED_STATUS_NOSTATUS; + ASN1_GENERALIZEDTIME* revoke_time = nullptr; + ASN1_GENERALIZEDTIME* this_update = nullptr; + ASN1_GENERALIZEDTIME* next_update = nullptr; + + if ( ! 
OCSP_resp_find_status(basic_resp, + const_cast(cert_id), + &status, &reason, &revoke_time, + &this_update, &next_update) ) + reporter->Weird("OpenSSL failed to find status of OCSP response"); + + const char* cert_status_str = OCSP_cert_status_str(status); + rvl->append(new StringVal(strlen(cert_status_str), cert_status_str)); + + // revocation time and reason if revoked + if ( status == V_OCSP_CERTSTATUS_REVOKED ) + { + rvl->append(new Val(GetTimeFromAsn1(revoke_time, fid, reporter), TYPE_TIME)); + + if ( reason != OCSP_REVOKED_STATUS_NOSTATUS ) + { + const char* revoke_reason = OCSP_crl_reason_str(reason); + rvl->append(new StringVal(strlen(revoke_reason), revoke_reason)); + } + else + rvl->append(new StringVal(0, "")); + } + else + { + rvl->append(new Val(0, TYPE_TIME)); + rvl->append(new StringVal(0, "")); + } + + if ( this_update ) + rvl->append(new Val(GetTimeFromAsn1(this_update, fid, reporter), TYPE_TIME)); + else + rvl->append(new Val(0, TYPE_TIME)); + + if ( next_update ) + rvl->append(new Val(GetTimeFromAsn1(next_update, fid, reporter), TYPE_TIME)); + else + rvl->append(new Val(0, TYPE_TIME)); + + mgr.QueueEvent(ocsp_response_certificate, rvl); + + num_ext = OCSP_SINGLERESP_get_ext_count(single_resp); + for ( int k = 0; k < num_ext; ++k ) + { + X509_EXTENSION* ex = OCSP_SINGLERESP_get_ext(single_resp, k); + if ( ! 
ex ) + continue; + + ParseExtension(ex, ocsp_extension, false); + } + } + +#if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) + i2a_ASN1_OBJECT(bio, basic_resp->signatureAlgorithm->algorithm); + len = BIO_read(bio, buf, sizeof(buf)); + vl->append(new StringVal(len, buf)); + BIO_reset(bio); +#else + vl->append(parse_basic_resp_sig_alg(basic_resp, bio, buf, sizeof(buf))); +#endif + + //i2a_ASN1_OBJECT(bio, basic_resp->signature); + //len = BIO_read(bio, buf, sizeof(buf)); + //ocsp_resp_record->Assign(7, new StringVal(len, buf)); + //BIO_reset(bio); + + certs_vector = new VectorVal(internal_type("x509_opaque_vector")->AsVectorType()); + vl->append(certs_vector); + +#if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) + certs = basic_resp->certs; +#else + certs = OCSP_resp_get0_certs(basic_resp); +#endif + + if ( certs ) + { + int num_certs = sk_X509_num(certs); + for ( int i=0; iAssign(i, new file_analysis::X509Val(this_cert)); + else + reporter->Weird("OpenSSL returned null certificate"); + } + } + mgr.QueueEvent(ocsp_response_bytes, vl); + + // ok, now that we are done with the actual certificate - let's parse extensions :) + num_ext = OCSP_BASICRESP_get_ext_count(basic_resp); + for ( int k = 0; k < num_ext; ++k ) + { + X509_EXTENSION* ex = OCSP_BASICRESP_get_ext(basic_resp, k); + if ( ! ex ) + continue; + + ParseExtension(ex, ocsp_extension, true); + } + +clean_up: + if (basic_resp) + OCSP_BASICRESP_free(basic_resp); + BIO_free(bio); +} + +void file_analysis::OCSP::ParseExtensionsSpecific(X509_EXTENSION* ex, bool global, ASN1_OBJECT* ext_asn, const char* oid) + { + // In OpenSSL 1.0.2+, we can get the extension by using NID_ct_cert_scts. + // In OpenSSL <= 1.0.1, this is not yet defined yet, so we have to manually + // look it up by performing a string comparison on the oid. 
+#ifdef NID_ct_cert_scts + if ( OBJ_obj2nid(ext_asn) == NID_ct_cert_scts ) +#else + if ( strcmp(oid, "1.3.6.1.4.1.11129.2.4.5") == 0 ) +#endif + ParseSignedCertificateTimestamps(ex); + } + +OCSP_RESPVal::OCSP_RESPVal(OCSP_RESPONSE* arg_ocsp_resp) : OpaqueVal(ocsp_resp_opaque_type) + { + ocsp_resp = arg_ocsp_resp; + } + +OCSP_RESPVal::OCSP_RESPVal() : OpaqueVal(ocsp_resp_opaque_type) + { + ocsp_resp = nullptr; + } + +OCSP_RESPVal::~OCSP_RESPVal() + { + if (ocsp_resp) + OCSP_RESPONSE_free(ocsp_resp); + } + +OCSP_RESPONSE* OCSP_RESPVal::GetResp() const + { + return ocsp_resp; + } + +bool OCSP_RESPVal::DoSerialize(SerialInfo* info) const + { + DO_SERIALIZE(SER_OCSP_RESP_VAL, OpaqueVal); + unsigned char *buf = nullptr; + int length = i2d_OCSP_RESPONSE(ocsp_resp, &buf); + if ( length < 0 ) + return false; + bool res = SERIALIZE_STR(reinterpret_cast(buf), length); + OPENSSL_free(buf); + return res; + } + +bool OCSP_RESPVal::DoUnserialize(UnserialInfo* info) + { + DO_UNSERIALIZE(OpaqueVal) + + int length; + unsigned char *ocsp_resp_buf, *opensslbuf; + + if ( ! UNSERIALIZE_STR(reinterpret_cast(&ocsp_resp_buf), &length) ) + return false; + opensslbuf = ocsp_resp_buf; // OpenSSL likes to shift pointers around. really. + ocsp_resp = d2i_OCSP_RESPONSE(nullptr, const_cast(&opensslbuf), length); + delete [] ocsp_resp_buf; + if ( ! ocsp_resp ) + return false; + return true; + } diff --git a/src/file_analysis/analyzer/x509/OCSP.h b/src/file_analysis/analyzer/x509/OCSP.h new file mode 100644 index 0000000000..75caf3120a --- /dev/null +++ b/src/file_analysis/analyzer/x509/OCSP.h 
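Review bot: In parse_basic_resp_data_version, the two failure branches after the inner d2i_ASN1_SEQUENCE_ANY call (`! dseq` and `sk_ASN1_TYPE_num(dseq) < 1`) return `new StringVal("")`, while every other path returns a TYPE_COUNT value and ParseResponse appends the result in the version slot of the ocsp_response_bytes arguments. Both should be `return new Val(-1, TYPE_COUNT);` so that a malformed response cannot put a string where script code expects a count. The three re-encoding helpers (parse_basic_resp_sig_alg, parse_basic_resp_data_version, parse_request_version) also release the stacks returned by d2i_ASN1_SEQUENCE_ANY with sk_ASN1_TYPE_free, which frees the stack but not its ASN1_TYPE elements, so each parsed message appears to leak them. `sk_ASN1_TYPE_pop_free(bseq, ASN1_TYPE_free);` (likewise for aseq, dseq and rseq) would release both. Since this data comes off the wire, the `BIO_read` return value should also be checked before it is passed as the length to `new StringVal(len, buf)`, because it is not positive when the BIO holds no data.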
@@ -0,0 +1,54 @@ +// See the file "COPYING" in the main distribution directory for copyright. + +#ifndef FILE_ANALYSIS_OCSP_H +#define FILE_ANALYSIS_OCSP_H + +#include + +#include "Val.h" +#include "../File.h" +#include "Analyzer.h" +#include "X509Common.h" + +#include + +namespace file_analysis { + +class OCSP_RESPVal; + +class OCSP : public file_analysis::X509Common { +public: + bool DeliverStream(const u_char* data, uint64 len) override; + bool Undelivered(uint64 offset, uint64 len) override; + bool EndOfFile() override; + + static file_analysis::Analyzer* InstantiateRequest(RecordVal* args, File* file); + static file_analysis::Analyzer* InstantiateReply(RecordVal* args, File* file); + +protected: + OCSP(RecordVal* args, File* file, bool request); + +private: + void ParseResponse(OCSP_RESPVal*, const char* fid = 0); + void ParseRequest(OCSP_REQUEST*, const char* fid = 0); + void ParseExtensionsSpecific(X509_EXTENSION* ex, bool, ASN1_OBJECT*, const char*) override; + + std::string ocsp_data; + bool request = false; // true if ocsp request, false if reply +}; + +class OCSP_RESPVal: public OpaqueVal { +public: + explicit OCSP_RESPVal(OCSP_RESPONSE *); + ~OCSP_RESPVal() override; + OCSP_RESPONSE *GetResp() const; +protected: + OCSP_RESPVal(); +private: + OCSP_RESPONSE *ocsp_resp; + DECLARE_SERIAL(OCSP_RESPVal); +}; + +} + +#endif diff --git a/src/file_analysis/analyzer/x509/Plugin.cc b/src/file_analysis/analyzer/x509/Plugin.cc index d9d1b71ab4..31dbe346a8 100644 --- a/src/file_analysis/analyzer/x509/Plugin.cc +++ b/src/file_analysis/analyzer/x509/Plugin.cc @@ -4,6 +4,7 @@ #include "plugin/Plugin.h" #include "X509.h" +#include "OCSP.h" namespace plugin { namespace Bro_X509 { 
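Review bot: `std::string ocsp_data` in the new OCSP.h has no documented or enforced size bound. DeliverStream in OCSP.cc appends every chunk and the buffer is handed to OpenSSL only in EndOfFile, so memory use follows whatever length the monitored stream supplies. I would cap it in DeliverStream, e.g. `if ( ocsp_data.size() + len > max_ocsp_size ) return false;`, where `max_ocsp_size` is a placeholder for a limit the project chooses, and state the cap in a comment on the member. Returning false presumably detaches the analyzer, as the Hash.h comments describe for its methods; that should be confirmed. The class and its three overrides also lack the doc comments that Hash.h carries for the same methods.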
@@ -13,10 +14,12 @@ public: plugin::Configuration Configure() { AddComponent(new ::file_analysis::Component("X509", ::file_analysis::X509::Instantiate)); + AddComponent(new ::file_analysis::Component("OCSP_REQUEST", ::file_analysis::OCSP::InstantiateRequest)); + AddComponent(new ::file_analysis::Component("OCSP_REPLY", ::file_analysis::OCSP::InstantiateReply)); plugin::Configuration config; config.name = "Bro::X509"; - config.description = "X509 analyzer"; + config.description = "X509 and OCSP analyzer"; return config; } } plugin; diff --git a/src/file_analysis/analyzer/x509/X509.cc b/src/file_analysis/analyzer/x509/X509.cc index da3c6635a8..7571915207 100644 --- a/src/file_analysis/analyzer/x509/X509.cc +++ b/src/file_analysis/analyzer/x509/X509.cc @@ -21,7 +21,7 @@ using namespace file_analysis; IMPLEMENT_SERIAL(X509Val, SER_X509_VAL); file_analysis::X509::X509(RecordVal* args, file_analysis::File* file) - : file_analysis::Analyzer(file_mgr->GetComponentTag("X509"), args, file) + : file_analysis::X509Common::X509Common(file_mgr->GetComponentTag("X509"), args, file) { cert_data.clear(); } @@ -72,7 +72,7 @@ bool file_analysis::X509::EndOfFile() if ( ! ex ) continue; - ParseExtension(ex); + ParseExtension(ex, x509_extension, false); } // X509_free(ssl_cert); We do _not_ free the certificate here. It is refcounted 
@@ -133,13 +133,15 @@ RecordVal* file_analysis::X509::ParseCertificate(X509Val* cert_val, const char* pX509Cert->Assign(3, new StringVal(len, buf)); BIO_free(bio); - pX509Cert->Assign(5, new Val(GetTimeFromAsn1(X509_get_notBefore(ssl_cert), fid), TYPE_TIME)); - pX509Cert->Assign(6, new Val(GetTimeFromAsn1(X509_get_notAfter(ssl_cert), fid), TYPE_TIME)); + pX509Cert->Assign(5, new Val(GetTimeFromAsn1(X509_get_notBefore(ssl_cert), fid, reporter), TYPE_TIME)); + pX509Cert->Assign(6, new Val(GetTimeFromAsn1(X509_get_notAfter(ssl_cert), fid, reporter), TYPE_TIME)); // we only read 255 bytes because byte 256 is always 0. // if the string is longer than 255, that will be our null-termination, // otherwhise i2t does null-terminate. - if ( ! i2t_ASN1_OBJECT(buf, 255, ssl_cert->cert_info->key->algor->algorithm) ) + ASN1_OBJECT *algorithm; + X509_PUBKEY_get0_param(&algorithm, NULL, NULL, NULL, X509_get_X509_PUBKEY(ssl_cert)); + if ( ! i2t_ASN1_OBJECT(buf, 255, algorithm) ) buf[0] = 0; pX509Cert->Assign(7, new StringVal(buf)); 
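Review bot: `ASN1_OBJECT *algorithm;` is declared without an initializer and the result of `X509_PUBKEY_get0_param` is ignored, so if that call ever fails, the following `i2t_ASN1_OBJECT(buf, 255, algorithm)` reads an indeterminate pointer. Declaring it as `ASN1_OBJECT *algorithm = NULL;` and folding the call into the check, `if ( ! X509_PUBKEY_get0_param(&algorithm, NULL, NULL, NULL, X509_get_X509_PUBKEY(ssl_cert)) || ! i2t_ASN1_OBJECT(buf, 255, algorithm) )`, keeps the existing `buf[0] = 0` fallback for that case. ParseCertificate starts and ends outside this hunk, and `algorithm` is used again in the following hunks.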
@@ -150,14 +152,18 @@ RecordVal* file_analysis::X509::ParseCertificate(X509Val* cert_val, const char* // actually should be (namely - rsaEncryption), so that OpenSSL will parse out the // key later. Otherwise it will just fail to parse the certificate key. - ASN1_OBJECT* old_algorithm = 0; - if ( OBJ_obj2nid(ssl_cert->cert_info->key->algor->algorithm) == NID_md5WithRSAEncryption ) + if ( OBJ_obj2nid(algorithm) == NID_md5WithRSAEncryption ) { - old_algorithm = ssl_cert->cert_info->key->algor->algorithm; - ssl_cert->cert_info->key->algor->algorithm = OBJ_nid2obj(NID_rsaEncryption); + ASN1_OBJECT *copy = OBJ_dup(algorithm); // the next line will destroy the original algorithm. + X509_PUBKEY_set0_param(X509_get_X509_PUBKEY(ssl_cert), OBJ_nid2obj(NID_rsaEncryption), 0, NULL, NULL, 0); + algorithm = copy; + // we do not have to worry about freeing algorithm in that case - since it will be re-assigned using + // set0_param and the cert will take ownership. } + else + algorithm = 0; - if ( ! i2t_ASN1_OBJECT(buf, 255, ssl_cert->sig_alg->algorithm) ) + if ( ! i2t_ASN1_OBJECT(buf, 255, OBJ_nid2obj(X509_get_signature_nid(ssl_cert))) ) buf[0] = 0; pX509Cert->Assign(8, new StringVal(buf)); @@ -166,14 +172,16 @@ RecordVal* file_analysis::X509::ParseCertificate(X509Val* cert_val, const char* EVP_PKEY *pkey = X509_extract_key(ssl_cert); if ( pkey != NULL ) { - if ( pkey->type == EVP_PKEY_DSA ) + if ( EVP_PKEY_base_id(pkey) == EVP_PKEY_DSA ) pX509Cert->Assign(9, new StringVal("dsa")); - else if ( pkey->type == EVP_PKEY_RSA ) + else if ( EVP_PKEY_base_id(pkey) == EVP_PKEY_RSA ) { pX509Cert->Assign(9, new StringVal("rsa")); - char *exponent = BN_bn2dec(pkey->pkey.rsa->e); + const BIGNUM *e; + RSA_get0_key(EVP_PKEY_get0_RSA(pkey), NULL, &e, NULL); + char *exponent = BN_bn2dec(e); if ( exponent != NULL ) { pX509Cert->Assign(11, new StringVal(exponent)); 
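Review bot: The `OBJ_dup(algorithm)` result in the first hunk here (-150) is not checked. If it returns NULL, `algorithm = copy` leaves `algorithm` null, so the `if ( algorithm )` restore in the later hunk is skipped and the certificate, which a comment elsewhere in this file describes as refcounted, keeps the substituted rsaEncryption OID. Making the substitution conditional on the copy, `if ( copy ) X509_PUBKEY_set0_param(X509_get_X509_PUBKEY(ssl_cert), OBJ_nid2obj(NID_rsaEncryption), 0, NULL, NULL, 0);`, avoids altering the certificate when it cannot be put back. The return values of both `X509_PUBKEY_set0_param` calls are also ignored; a `reporter->Weird` on failure would make a half-applied swap visible. ParseCertificate continues outside the hunk.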
@@ -182,7 +190,7 @@ RecordVal* file_analysis::X509::ParseCertificate(X509Val* cert_val, const char* } } #ifndef OPENSSL_NO_EC - else if ( pkey->type == EVP_PKEY_EC ) + else if ( EVP_PKEY_base_id(pkey) == EVP_PKEY_EC ) { pX509Cert->Assign(9, new StringVal("ecdsa")); pX509Cert->Assign(12, KeyCurve(pkey)); @@ -191,8 +199,8 @@ RecordVal* file_analysis::X509::ParseCertificate(X509Val* cert_val, const char* // set key algorithm back. We do not have to free the value that we created because (I think) it // comes out of a static array from OpenSSL memory. - if ( old_algorithm ) - ssl_cert->cert_info->key->algor->algorithm = old_algorithm; + if ( algorithm ) + X509_PUBKEY_set0_param(X509_get_X509_PUBKEY(ssl_cert), algorithm, 0, NULL, NULL, 0); unsigned int length = KeyLength(pkey); if ( length > 0 ) 
@@ -205,101 +213,6 @@ RecordVal* file_analysis::X509::ParseCertificate(X509Val* cert_val, const char* return pX509Cert; } -StringVal* file_analysis::X509::GetExtensionFromBIO(BIO* bio) - { - BIO_flush(bio); - ERR_clear_error(); - int length = BIO_pending(bio); - - if ( ERR_peek_error() != 0 ) - { - char tmp[120]; - ERR_error_string_n(ERR_get_error(), tmp, sizeof(tmp)); - reporter->Weird(fmt("X509::GetExtensionFromBIO: %s", tmp)); - BIO_free_all(bio); - return 0; - } - - if ( length == 0 ) - { - BIO_free_all(bio); - return new StringVal(""); - } - - char* buffer = (char*) malloc(length); - - if ( ! buffer ) - { - // Just emit an error here and try to continue instead of aborting - // because it's unclear the length value is very reliable. - reporter->Error("X509::GetExtensionFromBIO malloc(%d) failed", length); - BIO_free_all(bio); - return 0; - } - - BIO_read(bio, (void*) buffer, length); - StringVal* ext_val = new StringVal(length, buffer); - - free(buffer); - BIO_free_all(bio); - - return ext_val; - } - -void file_analysis::X509::ParseExtension(X509_EXTENSION* ex) - { - char name[256]; - char oid[256]; - - ASN1_OBJECT* ext_asn = X509_EXTENSION_get_object(ex); - const char* short_name = OBJ_nid2sn(OBJ_obj2nid(ext_asn)); - - OBJ_obj2txt(name, 255, ext_asn, 0); - OBJ_obj2txt(oid, 255, ext_asn, 1); - - int critical = 0; - if ( X509_EXTENSION_get_critical(ex) != 0 ) - critical = 1; - - BIO *bio = BIO_new(BIO_s_mem()); - if( ! X509V3_EXT_print(bio, ex, 0, 0)) - M_ASN1_OCTET_STRING_print(bio,ex->value); - - StringVal* ext_val = GetExtensionFromBIO(bio); - - if ( ! 
ext_val ) - ext_val = new StringVal(0, ""); - - RecordVal* pX509Ext = new RecordVal(BifType::Record::X509::Extension); - pX509Ext->Assign(0, new StringVal(name)); - - if ( short_name and strlen(short_name) > 0 ) - pX509Ext->Assign(1, new StringVal(short_name)); - - pX509Ext->Assign(2, new StringVal(oid)); - pX509Ext->Assign(3, new Val(critical, TYPE_BOOL)); - pX509Ext->Assign(4, ext_val); - - // send off generic extension event - // - // and then look if we have a specialized event for the extension we just - // parsed. And if we have it, we send the specialized event on top of the - // generic event that we just had. I know, that is... kind of not nice, - // but I am not sure if there is a better way to do it... - val_list* vl = new val_list(); - vl->append(GetFile()->GetVal()->Ref()); - vl->append(pX509Ext); - - mgr.QueueEvent(x509_extension, vl); - - // look if we have a specialized handler for this event... - if ( OBJ_obj2nid(ext_asn) == NID_basic_constraints ) - ParseBasicConstraints(ex); - - else if ( OBJ_obj2nid(ext_asn) == NID_subject_alt_name ) - ParseSAN(ex); - } - void file_analysis::X509::ParseBasicConstraints(X509_EXTENSION* ex) { assert(OBJ_obj2nid(X509_EXTENSION_get_object(ex)) == NID_basic_constraints); 
@@ -326,6 +239,26 @@ void file_analysis::X509::ParseBasicConstraints(X509_EXTENSION* ex) reporter->Weird(fmt("Certificate with invalid BasicConstraint. fuid %s", GetFile()->GetID().c_str())); } +void file_analysis::X509::ParseExtensionsSpecific(X509_EXTENSION* ex, bool global, ASN1_OBJECT* ext_asn, const char* oid) + { + // look if we have a specialized handler for this event... + if ( OBJ_obj2nid(ext_asn) == NID_basic_constraints ) + ParseBasicConstraints(ex); + + else if ( OBJ_obj2nid(ext_asn) == NID_subject_alt_name ) + ParseSAN(ex); + + // In OpenSSL 1.0.2+, we can get the extension by using NID_ct_precert_scts. + // In OpenSSL <= 1.0.1, this is not yet defined yet, so we have to manually + // look it up by performing a string comparison on the oid. +#ifdef NID_ct_precert_scts + else if ( OBJ_obj2nid(ext_asn) == NID_ct_precert_scts ) +#else + else if ( strcmp(oid, "1.3.6.1.4.1.11129.2.4.2") == 0 ) +#endif + ParseSignedCertificateTimestamps(ex); + } + void file_analysis::X509::ParseSAN(X509_EXTENSION* ext) { assert(OBJ_obj2nid(X509_EXTENSION_get_object(ext)) == NID_subject_alt_name); @@ -357,7 +290,11 @@ void file_analysis::X509::ParseSAN(X509_EXTENSION* ext) continue; } +#if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) const char* name = (const char*) ASN1_STRING_data(gen->d.ia5); +#else + const char* name = (const char*) ASN1_STRING_get0_data(gen->d.ia5); +#endif StringVal* bs = new StringVal(name); switch ( gen->type ) @@ -445,7 +382,7 @@ StringVal* file_analysis::X509::KeyCurve(EVP_PKEY *key) // well, we do not have EC-Support... return NULL; #else - if ( key->type != EVP_PKEY_EC ) + if ( EVP_PKEY_base_id(key) != EVP_PKEY_EC ) { // no EC-key - no curve name return NULL; @@ -453,7 +390,7 @@ StringVal* file_analysis::X509::KeyCurve(EVP_PKEY *key) const EC_GROUP *group; int nid; - if ( (group = EC_KEY_get0_group(key->pkey.ec)) == NULL) + if ( (group = EC_KEY_get0_group(EVP_PKEY_get0_EC_KEY(key))) == NULL ) // I guess we could not parse this return NULL; 
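Review bot: In the ParseSAN hunk (-357), both branches still feed the data pointer to `new StringVal(name)`, which takes a C string. A name containing an embedded NUL byte would therefore be recorded truncated and could differ from what the certificate actually carries. Passing the ASN.1 length keeps the full value: `StringVal* bs = new StringVal(ASN1_STRING_length(gen->d.ia5), name);`. ParseSAN starts and ends outside the hunk, so I cannot see whether the string type is validated before this point.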
@@ -474,12 +411,16 @@ unsigned int file_analysis::X509::KeyLength(EVP_PKEY *key) { assert(key != NULL); - switch(key->type) { + switch(EVP_PKEY_base_id(key)) { case EVP_PKEY_RSA: - return BN_num_bits(key->pkey.rsa->n); + const BIGNUM *n; + RSA_get0_key(EVP_PKEY_get0_RSA(key), &n, NULL, NULL); + return BN_num_bits(n); case EVP_PKEY_DSA: - return BN_num_bits(key->pkey.dsa->p); + const BIGNUM *p; + DSA_get0_pqg(EVP_PKEY_get0_DSA(key), &p, NULL, NULL); + return BN_num_bits(p); #ifndef OPENSSL_NO_EC case EVP_PKEY_EC: @@ -489,7 +430,7 @@ unsigned int file_analysis::X509::KeyLength(EVP_PKEY *key) // could not malloc bignum? return 0; - const EC_GROUP *group = EC_KEY_get0_group(key->pkey.ec); + const EC_GROUP *group = EC_KEY_get0_group(EVP_PKEY_get0_EC_KEY(key)); if ( ! group ) { 
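Review bot: In the first KeyLength hunk, `const BIGNUM *n;` and `const BIGNUM *p;` are declared directly under their `case` labels. As a result `n` stays in scope in the DSA case, and neither can be given an initializer without making the jump past it ill-formed. Wrapping each case body in braces and initializing, e.g. `{ const BIGNUM *n = NULL; RSA_get0_key(EVP_PKEY_get0_RSA(key), &n, NULL, NULL); return n ? BN_num_bits(n) : 0; }`, scopes the variables and gives a defined result if the getter leaves the pointer unset. The same shape applies to the DSA case with `DSA_get0_pqg`. KeyLength starts and ends outside the hunk.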
@@ -517,164 +458,6 @@ unsigned int file_analysis::X509::KeyLength(EVP_PKEY *key) reporter->InternalError("cannot be reached"); } -double file_analysis::X509::GetTimeFromAsn1(const ASN1_TIME* atime, const char* arg_fid) - { - const char *fid = arg_fid ? arg_fid : ""; - time_t lResult = 0; - - char lBuffer[26]; - char* pBuffer = lBuffer; - - const char *pString = (const char *) atime->data; - unsigned int remaining = atime->length; - - if ( atime->type == V_ASN1_UTCTIME ) - { - if ( remaining < 11 || remaining > 17 ) - { - reporter->Weird(fmt("Could not parse time in X509 certificate (fuid %s) -- UTCTime has wrong length", fid)); - return 0; - } - - if ( pString[remaining-1] != 'Z' ) - { - // not valid according to RFC 2459 4.1.2.5.1 - reporter->Weird(fmt("Could not parse UTC time in non-YY-format in X509 certificate (x509 %s)", fid)); - return 0; - } - - // year is first two digits in YY format. Buffer expects YYYY format. - if ( pString[0] < '5' ) // RFC 2459 4.1.2.5.1 - { - *(pBuffer++) = '2'; - *(pBuffer++) = '0'; - } - else - { - *(pBuffer++) = '1'; - *(pBuffer++) = '9'; - } - - memcpy(pBuffer, pString, 10); - pBuffer += 10; - pString += 10; - remaining -= 10; - } - else if ( atime->type == V_ASN1_GENERALIZEDTIME ) - { - // generalized time. We apparently ignore the YYYYMMDDHH case - // for now and assume we always have minutes and seconds. 
- // This should be ok because it is specified as a requirement in RFC 2459 4.1.2.5.2 - - if ( remaining < 12 || remaining > 23 ) - { - reporter->Weird(fmt("Could not parse time in X509 certificate (fuid %s) -- Generalized time has wrong length", fid)); - return 0; - } - - memcpy(pBuffer, pString, 12); - pBuffer += 12; - pString += 12; - remaining -= 12; - } - else - { - reporter->Weird(fmt("Invalid time type in X509 certificate (fuid %s)", fid)); - return 0; - } - - if ( (remaining == 0) || (*pString == 'Z') || (*pString == '-') || (*pString == '+') ) - { - *(pBuffer++) = '0'; - *(pBuffer++) = '0'; - } - - else if ( remaining >= 2 ) - { - *(pBuffer++) = *(pString++); - *(pBuffer++) = *(pString++); - - remaining -= 2; - - // Skip any fractional seconds... - if ( (remaining > 0) && (*pString == '.') ) - { - pString++; - remaining--; - - while ( (remaining > 0) && (*pString >= '0') && (*pString <= '9') ) - { - pString++; - remaining--; - } - } - } - - else - { - reporter->Weird(fmt("Could not parse time in X509 certificate (fuid %s) -- additional char after time", fid)); - return 0; - } - - *(pBuffer++) = 'Z'; - *(pBuffer++) = '\0'; - - time_t lSecondsFromUTC; - - if ( remaining == 0 || *pString == 'Z' ) - lSecondsFromUTC = 0; - else - { - if ( remaining < 5 ) - { - reporter->Weird(fmt("Could not parse time in X509 certificate (fuid %s) -- not enough bytes remaining for offset", fid)); - return 0; - } - - if ((*pString != '+') && (*pString != '-')) - { - reporter->Weird(fmt("Could not parse time in X509 certificate (fuid %s) -- unknown offset type", fid)); - return 0; - } - - lSecondsFromUTC = ((pString[1] - '0') * 10 + (pString[2] - '0')) * 60; - lSecondsFromUTC += (pString[3] - '0') * 10 + (pString[4] - '0'); - - if (*pString == '-') - lSecondsFromUTC = -lSecondsFromUTC; - } - - tm lTime; - lTime.tm_sec = ((lBuffer[12] - '0') * 10) + (lBuffer[13] - '0'); - lTime.tm_min = ((lBuffer[10] - '0') * 10) + (lBuffer[11] - '0'); - lTime.tm_hour = ((lBuffer[8] - '0') * 10) + 
(lBuffer[9] - '0'); - lTime.tm_mday = ((lBuffer[6] - '0') * 10) + (lBuffer[7] - '0'); - lTime.tm_mon = (((lBuffer[4] - '0') * 10) + (lBuffer[5] - '0')) - 1; - lTime.tm_year = (lBuffer[0] - '0') * 1000 + (lBuffer[1] - '0') * 100 + ((lBuffer[2] - '0') * 10) + (lBuffer[3] - '0'); - - if ( lTime.tm_year > 1900) - lTime.tm_year -= 1900; - - lTime.tm_wday = 0; - lTime.tm_yday = 0; - lTime.tm_isdst = 0; // No DST adjustment requested - - lResult = mktime(&lTime); - - if ( lResult ) - { - if ( lTime.tm_isdst != 0 ) - lResult -= 3600; // mktime may adjust for DST (OS dependent) - - lResult += lSecondsFromUTC; - } - - else - lResult = 0; - - return lResult; -} - X509Val::X509Val(::X509* arg_certificate) : OpaqueVal(x509_opaque_type) { certificate = arg_certificate; diff --git a/src/file_analysis/analyzer/x509/X509.h b/src/file_analysis/analyzer/x509/X509.h index c671c68a99..b808b676fe 100644 --- a/src/file_analysis/analyzer/x509/X509.h +++ b/src/file_analysis/analyzer/x509/X509.h 
@@ -6,21 +6,66 @@ #include #include "Val.h" -#include "../File.h" -#include "Analyzer.h" +#include "X509Common.h" -#include -#include +#if (OPENSSL_VERSION_NUMBER < 0x10002000L || LIBRESSL_VERSION_NUMBER) + +#define X509_get_signature_nid(x) OBJ_obj2nid((x)->sig_alg->algorithm) + +#endif + +#if (OPENSSL_VERSION_NUMBER < 0x1010000fL || LIBRESSL_VERSION_NUMBER) + +#define X509_OBJECT_new() (X509_OBJECT*)malloc(sizeof(X509_OBJECT)) +#define X509_OBJECT_free(a) free(a) + +#define OCSP_SINGLERESP_get0_id(s) (s)->certId +#define OCSP_resp_get0_certs(x) (x)->certs + +#define EVP_PKEY_get0_DSA(p) ((p)->pkey.dsa) +#define EVP_PKEY_get0_EC_KEY(p) ((p)->pkey.ec) +#define EVP_PKEY_get0_RSA(p) ((p)->pkey.rsa) + +static X509 *X509_OBJECT_get0_X509(const X509_OBJECT *a) +{ + if ( a == nullptr || a->type != X509_LU_X509 ) + return nullptr; + return a->data.x509; +} + +static void DSA_get0_pqg(const DSA *d, + const BIGNUM **p, const BIGNUM **q, const BIGNUM **g) +{ + if ( p != nullptr ) + *p = d->p; + if ( q != nullptr ) + *q = d->q; + if ( g != nullptr ) + *g = d->g; +} + +static void RSA_get0_key(const RSA *r, + const BIGNUM **n, const BIGNUM **e, const BIGNUM **d) +{ + if ( n != nullptr ) + *n = r->n; + if ( e != nullptr ) + *e = r->e; + if ( d != nullptr ) + *d = r->d; +} + +#endif namespace file_analysis { class X509Val; -class X509 : public file_analysis::Analyzer { +class X509 : public file_analysis::X509Common { public: - virtual bool DeliverStream(const u_char* data, uint64 len); - virtual bool Undelivered(uint64 offset, uint64 len); - virtual bool EndOfFile(); + bool DeliverStream(const u_char* data, uint64 len) override; + bool Undelivered(uint64 offset, uint64 len) override; + bool EndOfFile() override; /** * Converts an X509 certificate into a \c X509::Certificate record 
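Review bot: The legacy shim `#define X509_OBJECT_free(a) free(a)` releases only the wrapper, and `X509_OBJECT_new()` hands back uninitialised `malloc` memory. If `X509_STORE_get_by_subject` takes a reference on the certificate it stores in the object, as I believe it does in OpenSSL 1.0.x, that reference is never dropped on the pre-1.1.0 build. Consider `#define X509_OBJECT_new() ((X509_OBJECT*)calloc(1, sizeof(X509_OBJECT)))` and a free shim that calls `X509_OBJECT_free_contents(a)` before `free(a)`. The parentheses also keep the macro safe inside larger expressions. The three `static` helper functions defined in this header would be better marked `static inline` so translation units that do not use them stay warning-free.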
@@ -40,29 +85,17 @@ public: static file_analysis::Analyzer* Instantiate(RecordVal* args, File* file) { return new X509(args, file); } - /** - * Retrieve an X509 extension value from an OpenSSL BIO to which it was - * written. - * - * @param bio the OpenSSL BIO to read. It will be freed by the function, - * including when an error occurs. - * - * @return The X509 extension value. - */ - static StringVal* GetExtensionFromBIO(BIO* bio); - protected: X509(RecordVal* args, File* file); private: - void ParseExtension(X509_EXTENSION* ex); void ParseBasicConstraints(X509_EXTENSION* ex); void ParseSAN(X509_EXTENSION* ex); + void ParseExtensionsSpecific(X509_EXTENSION* ex, bool, ASN1_OBJECT*, const char*) override; std::string cert_data; // Helpers for ParseCertificate. - static double GetTimeFromAsn1(const ASN1_TIME * atime, const char* fid); static StringVal* KeyCurve(EVP_PKEY *key); static unsigned int KeyLength(EVP_PKEY *key); }; @@ -88,7 +121,7 @@ public: /** * Destructor. */ - ~X509Val(); + ~X509Val() override; /** * Get the wrapped X509 certificate. Please take care, that the diff --git a/src/file_analysis/analyzer/x509/X509Common.cc b/src/file_analysis/analyzer/x509/X509Common.cc new file mode 100644 index 0000000000..38102ed97e --- /dev/null +++ b/src/file_analysis/analyzer/x509/X509Common.cc 
@@ -0,0 +1,324 @@ +// See the file "COPYING" in the main distribution directory for copyright. + +#include "X509Common.h" +#include "x509-extension_pac.h" + +#include "events.bif.h" +#include "ocsp_events.bif.h" +#include "types.bif.h" + +#include +#include +#include +#include +#include + +using namespace file_analysis; + +X509Common::X509Common(file_analysis::Tag arg_tag, RecordVal* arg_args, File* arg_file) + : file_analysis::Analyzer(arg_tag, arg_args, arg_file) + { + } + +double X509Common::GetTimeFromAsn1(const ASN1_TIME* atime, const char* arg_fid, Reporter* reporter) + { + const char *fid = arg_fid ? arg_fid : ""; + time_t lResult = 0; + + char lBuffer[26]; + char* pBuffer = lBuffer; + + const char *pString = (const char *) atime->data; + unsigned int remaining = atime->length; + + if ( atime->type == V_ASN1_UTCTIME ) + { + if ( remaining < 11 || remaining > 17 ) + { + reporter->Weird(fmt("Could not parse time in X509 certificate (fuid %s) -- UTCTime has wrong length", fid)); + return 0; + } + + if ( pString[remaining-1] != 'Z' ) + { + // not valid according to RFC 2459 4.1.2.5.1 + reporter->Weird(fmt("Could not parse UTC time in non-YY-format in X509 certificate (x509 %s)", fid)); + return 0; + } + + // year is first two digits in YY format. Buffer expects YYYY format. + if ( pString[0] < '5' ) // RFC 2459 4.1.2.5.1 + { + *(pBuffer++) = '2'; + *(pBuffer++) = '0'; + } + else + { + *(pBuffer++) = '1'; + *(pBuffer++) = '9'; + } + + memcpy(pBuffer, pString, 10); + pBuffer += 10; + pString += 10; + remaining -= 10; + } + else if ( atime->type == V_ASN1_GENERALIZEDTIME ) + { + // generalized time. We apparently ignore the YYYYMMDDHH case + // for now and assume we always have minutes and seconds. 
+ // This should be ok because it is specified as a requirement in RFC 2459 4.1.2.5.2 + + if ( remaining < 12 || remaining > 23 ) + { + reporter->Weird(fmt("Could not parse time in X509 certificate (fuid %s) -- Generalized time has wrong length", fid)); + return 0; + } + + memcpy(pBuffer, pString, 12); + pBuffer += 12; + pString += 12; + remaining -= 12; + } + else + { + reporter->Weird(fmt("Invalid time type in X509 certificate (fuid %s)", fid)); + return 0; + } + + if ( (remaining == 0) || (*pString == 'Z') || (*pString == '-') || (*pString == '+') ) + { + *(pBuffer++) = '0'; + *(pBuffer++) = '0'; + } + + else if ( remaining >= 2 ) + { + *(pBuffer++) = *(pString++); + *(pBuffer++) = *(pString++); + + remaining -= 2; + + // Skip any fractional seconds... + if ( (remaining > 0) && (*pString == '.') ) + { + pString++; + remaining--; + + while ( (remaining > 0) && (*pString >= '0') && (*pString <= '9') ) + { + pString++; + remaining--; + } + } + } + + else + { + reporter->Weird(fmt("Could not parse time in X509 certificate (fuid %s) -- additional char after time", fid)); + return 0; + } + + *(pBuffer++) = 'Z'; + *(pBuffer++) = '\0'; + + time_t lSecondsFromUTC; + + if ( remaining == 0 || *pString == 'Z' ) + lSecondsFromUTC = 0; + else + { + if ( remaining < 5 ) + { + reporter->Weird(fmt("Could not parse time in X509 certificate (fuid %s) -- not enough bytes remaining for offset", fid)); + return 0; + } + + if ((*pString != '+') && (*pString != '-')) + { + reporter->Weird(fmt("Could not parse time in X509 certificate (fuid %s) -- unknown offset type", fid)); + return 0; + } + + lSecondsFromUTC = ((pString[1] - '0') * 10 + (pString[2] - '0')) * 60; + lSecondsFromUTC += (pString[3] - '0') * 10 + (pString[4] - '0'); + + if (*pString == '-') + lSecondsFromUTC = -lSecondsFromUTC; + } + + tm lTime; + lTime.tm_sec = ((lBuffer[12] - '0') * 10) + (lBuffer[13] - '0'); + lTime.tm_min = ((lBuffer[10] - '0') * 10) + (lBuffer[11] - '0'); + lTime.tm_hour = ((lBuffer[8] - '0') * 10) + 
(lBuffer[9] - '0'); + lTime.tm_mday = ((lBuffer[6] - '0') * 10) + (lBuffer[7] - '0'); + lTime.tm_mon = (((lBuffer[4] - '0') * 10) + (lBuffer[5] - '0')) - 1; + lTime.tm_year = (lBuffer[0] - '0') * 1000 + (lBuffer[1] - '0') * 100 + ((lBuffer[2] - '0') * 10) + (lBuffer[3] - '0'); + + if ( lTime.tm_year > 1900) + lTime.tm_year -= 1900; + + lTime.tm_wday = 0; + lTime.tm_yday = 0; + lTime.tm_isdst = 0; // No DST adjustment requested + + lResult = mktime(&lTime); + + if ( lResult ) + { + if ( lTime.tm_isdst != 0 ) + lResult -= 3600; // mktime may adjust for DST (OS dependent) + + lResult += lSecondsFromUTC; + } + + else + lResult = 0; + + return lResult; +} + +void file_analysis::X509Common::ParseSignedCertificateTimestamps(X509_EXTENSION* ext) + { + // Ok, signed certificate timestamps are a bit of an odd case out; we don't + // want to use the (basically nonexistant) OpenSSL functionality to parse them. + // Instead we have our own, self-written binpac parser to parse just them, + // which we will initialize here and tear down immediately again. + + ASN1_OCTET_STRING* ext_val = X509_EXTENSION_get_data(ext); + // the octet string of the extension contains the octet string which in turn + // contains the SCT. Obviously. 
+ + unsigned char* ext_val_copy = (unsigned char*) OPENSSL_malloc(ext_val->length); + unsigned char* ext_val_second_pointer = ext_val_copy; + memcpy(ext_val_copy, ext_val->data, ext_val->length); + + ASN1_OCTET_STRING* inner = d2i_ASN1_OCTET_STRING(NULL, (const unsigned char**) &ext_val_copy, ext_val->length); + if ( !inner ) + { + reporter->Error("X509::ParseSignedCertificateTimestamps could not parse inner octet string"); + return; + } + + binpac::X509Extension::MockConnection* conn = new binpac::X509Extension::MockConnection(this); + binpac::X509Extension::SignedCertTimestampExt* interp = new binpac::X509Extension::SignedCertTimestampExt(conn); + + try + { + interp->NewData(inner->data, inner->data + inner->length); + } + catch( const binpac::Exception& e ) + { + // throw a warning or sth + reporter->Error("X509::ParseSignedCertificateTimestamps could not parse SCT"); + } + + ASN1_OCTET_STRING_free(inner); + OPENSSL_free(ext_val_second_pointer); + + interp->FlowEOF(); + + delete interp; + delete conn; + } + +void file_analysis::X509Common::ParseExtension(X509_EXTENSION* ex, EventHandlerPtr h, bool global) + { + char name[256]; + char oid[256]; + + ASN1_OBJECT* ext_asn = X509_EXTENSION_get_object(ex); + const char* short_name = OBJ_nid2sn(OBJ_obj2nid(ext_asn)); + + OBJ_obj2txt(name, 255, ext_asn, 0); + OBJ_obj2txt(oid, 255, ext_asn, 1); + + int critical = 0; + if ( X509_EXTENSION_get_critical(ex) != 0 ) + critical = 1; + + BIO *bio = BIO_new(BIO_s_mem()); + if( ! X509V3_EXT_print(bio, ex, 0, 0)) + { + unsigned char *buf = nullptr; + int len = i2d_ASN1_OCTET_STRING(X509_EXTENSION_get_data(ex), &buf); + if ( len >=0 ) + { + BIO_write(bio, buf, len); + OPENSSL_free(buf); + } + } + + StringVal* ext_val = GetExtensionFromBIO(bio); + + if ( ! 
ext_val ) + ext_val = new StringVal(0, ""); + + RecordVal* pX509Ext = new RecordVal(BifType::Record::X509::Extension); + pX509Ext->Assign(0, new StringVal(name)); + + if ( short_name and strlen(short_name) > 0 ) + pX509Ext->Assign(1, new StringVal(short_name)); + + pX509Ext->Assign(2, new StringVal(oid)); + pX509Ext->Assign(3, new Val(critical, TYPE_BOOL)); + pX509Ext->Assign(4, ext_val); + + // send off generic extension event + // + // and then look if we have a specialized event for the extension we just + // parsed. And if we have it, we send the specialized event on top of the + // generic event that we just had. I know, that is... kind of not nice, + // but I am not sure if there is a better way to do it... + val_list* vl = new val_list(); + vl->append(GetFile()->GetVal()->Ref()); + vl->append(pX509Ext); + if ( h == ocsp_extension ) + vl->append(new Val(global ? 1 : 0, TYPE_BOOL)); + + mgr.QueueEvent(h, vl); + + // let individual analyzers parse more. + ParseExtensionsSpecific(ex, global, ext_asn, oid); + } + +StringVal* file_analysis::X509Common::GetExtensionFromBIO(BIO* bio) + { + BIO_flush(bio); + ERR_clear_error(); + int length = BIO_pending(bio); + + if ( ERR_peek_error() != 0 ) + { + char tmp[120]; + ERR_error_string_n(ERR_get_error(), tmp, sizeof(tmp)); + reporter->Weird(fmt("X509::GetExtensionFromBIO: %s", tmp)); + BIO_free_all(bio); + return 0; + } + + if ( length == 0 ) + { + BIO_free_all(bio); + return new StringVal(""); + } + + char* buffer = (char*) malloc(length); + + if ( ! buffer ) + { + // Just emit an error here and try to continue instead of aborting + // because it's unclear the length value is very reliable. + reporter->Error("X509::GetExtensionFromBIO malloc(%d) failed", length); + BIO_free_all(bio); + return 0; + } + + BIO_read(bio, (void*) buffer, length); + StringVal* ext_val = new StringVal(length, buffer); + + free(buffer); + BIO_free_all(bio); + + return ext_val; + } 
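Review bot: ParseSignedCertificateTimestamps leaks the `OPENSSL_malloc` copy when `d2i_ASN1_OCTET_STRING` fails, because the `if ( !inner )` branch returns without freeing `ext_val_second_pointer`. The extension bytes come from the certificate under analysis, so malformed input can hit this path on every such certificate. The allocation result is also passed to `memcpy` unchecked. Add `if ( ! ext_val_copy ) return;` right after the allocation and `OPENSSL_free(ext_val_second_pointer);` before the early `return;`. Separately, `interp->FlowEOF()` still runs after a `binpac::Exception` has been caught, and it is not clear from the hunk whether that is intended.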
diff --git a/src/file_analysis/analyzer/x509/X509Common.h b/src/file_analysis/analyzer/x509/X509Common.h new file mode 100644 index 0000000000..a7015bc235 --- /dev/null +++ b/src/file_analysis/analyzer/x509/X509Common.h @@ -0,0 +1,44 @@ +// See the file "COPYING" in the main distribution directory for copyright. + +// Common base class for the X509 and OCSP analyzer, which share a fair amount of +// code + +#ifndef FILE_ANALYSIS_X509_COMMON +#define FILE_ANALYSIS_X509_COMMON + +#include "file_analysis/File.h" +#include "Analyzer.h" + +#include +#include + +namespace file_analysis { + +class X509Common : public file_analysis::Analyzer { +public: + ~X509Common() override {}; + + /** + * Retrieve an X509 extension value from an OpenSSL BIO to which it was + * written. + * + * @param bio the OpenSSL BIO to read. It will be freed by the function, + * including when an error occurs. + * + * @return The X509 extension value. + */ + static StringVal* GetExtensionFromBIO(BIO* bio); + + static double GetTimeFromAsn1(const ASN1_TIME* atime, const char* arg_fid, Reporter* reporter); + +protected: + X509Common(file_analysis::Tag arg_tag, RecordVal* arg_args, File* arg_file); + + void ParseExtension(X509_EXTENSION* ex, EventHandlerPtr h, bool global); + void ParseSignedCertificateTimestamps(X509_EXTENSION* ext); + virtual void ParseExtensionsSpecific(X509_EXTENSION* ex, bool, ASN1_OBJECT*, const char*) = 0; +}; + +} + +#endif /* FILE_ANALYSIS_X509_COMMON */ diff --git a/src/file_analysis/analyzer/x509/events.bif b/src/file_analysis/analyzer/x509/events.bif index fcdeaa31d1..68afe5340a 100644 --- a/src/file_analysis/analyzer/x509/events.bif +++ b/src/file_analysis/analyzer/x509/events.bif @@ -1,4 +1,4 @@ -## Generated for encountered X509 certificates, e.g., in the clear SSL/TLS +## Generated for encountered X509 certificates, e.g., in the clear SSL/TLS ## connection handshake. ## ## See `Wikipedia `__ for more information 
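Review bot: In X509Common.h, `GetTimeFromAsn1` and the three `Parse*` members are declared without doc comments, while `GetExtensionFromBIO` directly above has one. For the static helper I would add `/** Converts an ASN1_TIME to seconds since the epoch; returns 0 and reports a weird through the given reporter when the value cannot be parsed. */`, which matches the implementation added in X509Common.cc. The unnamed `bool, ASN1_OBJECT*, const char*` parameters of `ParseExtensionsSpecific` would read better with the names the X509 override uses (`global`, `ext_asn`, `oid`). The `;` after `~X509Common() override {}` is redundant.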
@@ -13,7 +13,7 @@ ## ## .. bro:see:: x509_extension x509_ext_basic_constraints ## x509_ext_subject_alternative_name x509_parse x509_verify -## x509_get_certificate_string +## x509_get_certificate_string x509_ocsp_ext_signed_certificate_timestamp event x509_certificate%(f: fa_file, cert_ref: opaque of x509, cert: X509::Certificate%); ## Generated for X509 extensions seen in a certificate. @@ -27,7 +27,7 @@ event x509_certificate%(f: fa_file, cert_ref: opaque of x509, cert: X509::Certif ## ## .. bro:see:: x509_certificate x509_ext_basic_constraints ## x509_ext_subject_alternative_name x509_parse x509_verify -## x509_get_certificate_string +## x509_get_certificate_string x509_ocsp_ext_signed_certificate_timestamp event x509_extension%(f: fa_file, ext: X509::Extension%); ## Generated for the X509 basic constraints extension seen in a certificate. @@ -39,7 +39,7 @@ event x509_extension%(f: fa_file, ext: X509::Extension%); ## ## .. bro:see:: x509_certificate x509_extension ## x509_ext_subject_alternative_name x509_parse x509_verify -## x509_get_certificate_string +## x509_get_certificate_string x509_ocsp_ext_signed_certificate_timestamp event x509_ext_basic_constraints%(f: fa_file, ext: X509::BasicConstraints%); ## Generated for the X509 subject alternative name extension seen in a certificate. 
@@ -52,6 +52,34 @@ event x509_ext_basic_constraints%(f: fa_file, ext: X509::BasicConstraints%); ## ext: The parsed subject alternative name extension. ## ## .. bro:see:: x509_certificate x509_extension x509_ext_basic_constraints -## x509_parse x509_verify +## x509_parse x509_verify x509_ocsp_ext_signed_certificate_timestamp ## x509_get_certificate_string event x509_ext_subject_alternative_name%(f: fa_file, ext: X509::SubjectAlternativeName%); + +## Generated for the signed_certificate_timestamp X509 extension as defined in +## :rfc:`6962`. The extension is used to transmit signed proofs that are +## used for Certificate Transparency. Raised when the extension is encountered +## in an X.509 certificate or in an OCSP reply. +## +## f: The file. +## +## version: the version of the protocol to which the SCT conforms. Always +## should be 0 (representing version 1) +## +## logid: 32 bit key id +## +## timestamp: the NTP Time when the entry was logged measured since +## the epoch, ignoring leap seconds, in milliseconds. +## +## signature_and_hashalgorithm: signature and hash algorithm used for the +## digitally_signed struct +## +## signature: signature part of the digitally_signed struct +## +## .. bro:see:: ssl_extension_signed_certificate_timestamp x509_extension x509_ext_basic_constraints +## x509_parse x509_verify x509_ext_subject_alternative_name +## x509_get_certificate_string ssl_extension_signed_certificate_timestamp +## sct_verify ocsp_request ocsp_request_certificate ocsp_response_status +## ocsp_response_bytes ocsp_response_certificate +## x509_ocsp_ext_signed_certificate_timestamp +event x509_ocsp_ext_signed_certificate_timestamp%(f: fa_file, version: count, logid: string, timestamp: count, hash_algorithm: count, signature_algorithm: count, signature: string%); diff --git a/src/file_analysis/analyzer/x509/functions.bif b/src/file_analysis/analyzer/x509/functions.bif index ca23f77d28..3622e0d13a 100644 --- a/src/file_analysis/analyzer/x509/functions.bif 
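Review bot: The doc block for `x509_ocsp_ext_signed_certificate_timestamp` does not match its signature: it documents a single `signature_and_hashalgorithm` parameter, but the event takes `hash_algorithm: count` and `signature_algorithm: count`. `logid` is described as a `32 bit key id`; RFC 6962 defines the log ID as a 32-byte value (the SHA-256 hash of the log's public key), so this presumably should read `32 byte key id`. The `.. bro:see::` list names `ssl_extension_signed_certificate_timestamp` twice and also references the event itself.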
+++ b/src/file_analysis/analyzer/x509/functions.bif @@ -1,6 +1,7 @@ %%{ #include "file_analysis/analyzer/x509/X509.h" #include "types.bif.h" +#include "net_util.h" #include #include @@ -108,21 +109,36 @@ STACK_OF(X509)* x509_get_untrusted_stack(VectorVal* certs_vec) // We need this function to be able to identify the signer certificate of an // OCSP request out of a list of possible certificates. -X509* x509_get_ocsp_signer(STACK_OF(X509) *certs, OCSP_RESPID *rid) +X509* x509_get_ocsp_signer(const STACK_OF(X509)* certs, + OCSP_BASICRESP* basic_resp) { - // We support two lookup types - either by response id or by key. - if ( rid->type == V_OCSP_RESPID_NAME ) - return X509_find_by_subject(certs, rid->value.byName); + const ASN1_OCTET_STRING* key = nullptr; + const X509_NAME* name = nullptr; - // There only should be name and type - but let's be sure... - if ( rid->type != V_OCSP_RESPID_KEY ) +#if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) + OCSP_RESPID* resp_id = basic_resp->tbsResponseData->responderId; + + if ( resp_id->type == V_OCSP_RESPID_NAME ) + name = resp_id->value.byName; + else if ( resp_id->type == V_OCSP_RESPID_KEY ) + key = resp_id->value.byKey; + else return 0; +#else + if ( ! OCSP_resp_get0_id(basic_resp, &key, &name) ) + return 0; +#endif + + if ( name ) + return X509_find_by_subject(const_cast(certs), + const_cast(name)); // Just like OpenSSL, we just support SHA-1 lookups and bail out otherwhise. - if ( rid->value.byKey->length != SHA_DIGEST_LENGTH ) + if ( key->length != SHA_DIGEST_LENGTH ) return 0; - unsigned char* key_hash = rid->value.byKey->data; + unsigned char* key_hash = key->data; + for ( int i = 0; i < sk_X509_num(certs); ++i ) { unsigned char digest[SHA_DIGEST_LENGTH]; 
@@ -139,6 +155,35 @@ X509* x509_get_ocsp_signer(STACK_OF(X509) *certs, OCSP_RESPID *rid) return 0; } +// Convert hash algorithm registry numbers to the OpenSSL EVP_MD. +// Mapping at https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-18 +const EVP_MD* hash_to_evp(int hash) + { + switch ( hash ) + { + case 1: + return EVP_md5(); + break; + case 2: + return EVP_sha1(); + break; + case 3: + return EVP_sha224(); + break; + case 4: + return EVP_sha256(); + break; + case 5: + return EVP_sha384(); + break; + case 6: + return EVP_sha512(); + break; + default: + return nullptr; + } + } + %%} ## Parses a certificate into an X509::Certificate structure. @@ -252,6 +297,7 @@ function x509_ocsp_verify%(certs: x509_opaque_vector, ocsp_reply: string, root_c OCSP_SINGLERESP *single = 0; X509_STORE_CTX *csc = 0; OCSP_CERTID *certid = 0; + stack_st_X509* ocsp_certs = nullptr; int status = -1; int out = -1; int result = -1; @@ -278,7 +324,6 @@ function x509_ocsp_verify%(certs: x509_opaque_vector, ocsp_reply: string, root_c goto x509_ocsp_cleanup; } - // the following code took me _forever_ to get right. // The OCSP_basic_verify command takes a list of certificates. However (which is not immediately // visible or understandable), those are only used to find the signer certificate. They are _not_ 
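Review bot: `hash_to_evp` maps registry values 1 and 2 to `EVP_md5()` and `EVP_sha1()`, and its caller is not visible in this hunk, so I cannot tell whether the choice is restricted before a signature is checked. If this feeds SCT verification, where RFC 6962 uses SHA-256, a script-supplied `hash_algorithm` could select a weaker digest. It would be worth rejecting anything other than 4 at the call site. At minimum the contract should be documented with a comment such as `// Returns nullptr for unknown IDs; callers must reject digests they do not accept.`. The `break;` after each `return` is unreachable and can be dropped.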
@@ -287,20 +332,10 @@ function x509_ocsp_verify%(certs: x509_opaque_vector, ocsp_reply: string, root_c // the lookup. // Yay. - if ( ! basic->certs ) - { - basic->certs = sk_X509_new_null(); - if ( ! basic->certs ) - { - rval = x509_result_record(-1, "Could not allocate basic x509 stack"); - goto x509_ocsp_cleanup; - } - } - issuer_certificate = 0; for ( int i = 0; i < sk_X509_num(untrusted_certs); i++) { - sk_X509_push(basic->certs, X509_dup(sk_X509_value(untrusted_certs, i))); + OCSP_basic_add1_cert(basic, sk_X509_value(untrusted_certs, i)); if ( X509_NAME_cmp(X509_get_issuer_name(cert), X509_get_subject_name(sk_X509_value(untrusted_certs, i))) == 0 ) issuer_certificate = sk_X509_value(untrusted_certs, i); @@ -308,15 +343,19 @@ function x509_ocsp_verify%(certs: x509_opaque_vector, ocsp_reply: string, root_c // Because we actually want to be able to give nice error messages that show why we were // not able to verify the OCSP response - do our own verification logic first. - signer = x509_get_ocsp_signer(basic->certs, basic->tbsResponseData->responderId); +#if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) + signer = x509_get_ocsp_signer(basic->certs, basic); +#else + signer = x509_get_ocsp_signer(OCSP_resp_get0_certs(basic), basic); +#endif /* Do this perhaps - OpenSSL also cannot do it, so I do not really feel bad about it. Needs a different lookup because the root store is no stack of X509 certs - if ( !s igner ) + if ( ! signer ) // if we did not find it in the certificates that were sent, search in the root store - signer = x509_get_ocsp_signer(basic->certs, basic->tbsResponseData->responderId); + signer = x509_get_ocsp_signer(ocsp_certs, basic); */ if ( ! signer ) 
@@ -325,16 +364,24 @@ function x509_ocsp_verify%(certs: x509_opaque_vector, ocsp_reply: string, root_c goto x509_ocsp_cleanup; } + { + auto basic_certs = OCSP_resp_get0_certs(basic); + if ( basic_certs ) + ocsp_certs = sk_X509_dup(basic_certs); + + assert(ocsp_certs); + } + csc = X509_STORE_CTX_new(); - X509_STORE_CTX_init(csc, ctx, signer, basic->certs); + X509_STORE_CTX_init(csc, ctx, signer, ocsp_certs); X509_STORE_CTX_set_time(csc, 0, (time_t) verify_time); X509_STORE_CTX_set_purpose(csc, X509_PURPOSE_OCSP_HELPER); result = X509_verify_cert(csc); if ( result != 1 ) { - const char *reason = X509_verify_cert_error_string((*csc).error); - rval = x509_result_record(result, X509_verify_cert_error_string((*csc).error)); + const char *reason = X509_verify_cert_error_string(X509_STORE_CTX_get_error(csc)); + rval = x509_result_record(result, X509_verify_cert_error_string(X509_STORE_CTX_get_error(csc))); goto x509_ocsp_cleanup; } @@ -350,7 +397,7 @@ function x509_ocsp_verify%(certs: x509_opaque_vector, ocsp_reply: string, root_c // ok, now we verified the OCSP response. This means that we have a valid chain tying it // to a root that we trust and that the signature also hopefully is valid. This does not yet - // mean that the ocsp response actually matches the certificate the server send us or that + // mean that the ocsp response actually matches the certificate the server sent us or that // the OCSP response even says that the certificate is valid. // let's start this out by checking that the response is actually for the certificate we want 
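Review bot: `assert(ocsp_certs);` is the only guard on the `sk_X509_dup` result. It vanishes under NDEBUG and aborts the process otherwise, and this function runs on OCSP replies taken from monitored traffic. I would fail the verification instead: `if ( ! ocsp_certs ) { rval = x509_result_record(-1, "Could not allocate OCSP certificate stack"); goto x509_ocsp_cleanup; }`. `X509_STORE_CTX_new()` and `X509_STORE_CTX_init()` are likewise used without checking their results, and `reason` is assigned but never read. x509_ocsp_verify starts and ends outside this hunk.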
@@ -362,15 +409,17 @@ function x509_ocsp_verify%(certs: x509_opaque_vector, ocsp_reply: string, root_c else { // issuer not in list sent by server, check store - X509_OBJECT obj; - int lookup = X509_STORE_get_by_subject(csc, X509_LU_X509, X509_get_subject_name(cert), &obj); + X509_OBJECT *obj = X509_OBJECT_new(); + int lookup = X509_STORE_get_by_subject(csc, X509_LU_X509, X509_get_subject_name(cert), obj); if ( lookup <= 0) { rval = x509_result_record(lookup, "Could not find issuer of host certificate"); + X509_OBJECT_free(obj); goto x509_ocsp_cleanup; } - certid = OCSP_cert_to_id(NULL, cert, obj.data.x509); + certid = OCSP_cert_to_id(NULL, cert,X509_OBJECT_get0_X509( obj)); + X509_OBJECT_free(obj); } @@ -381,18 +430,22 @@ function x509_ocsp_verify%(certs: x509_opaque_vector, ocsp_reply: string, root_c } // for now, assume we have one reply... - single = sk_OCSP_SINGLERESP_value(basic->tbsResponseData->responses, 0); + single = OCSP_resp_get0(basic, 0); if ( ! single ) { rval = x509_result_record(-1, "Could not lookup OCSP response information"); goto x509_ocsp_cleanup; } - if ( OCSP_id_cmp(certid, single->certId) != 0 ) + if ( OCSP_id_cmp(certid, (OCSP_CERTID*)OCSP_SINGLERESP_get0_id(single)) != 0 ) return x509_result_record(-1, "OCSP reply is not for host certificate"); // next - check freshness of proof... - if ( ! ASN1_GENERALIZEDTIME_check(single->thisUpdate) || ! ASN1_GENERALIZEDTIME_check(single->nextUpdate) ) + ASN1_GENERALIZEDTIME *thisUpdate; + ASN1_GENERALIZEDTIME *nextUpdate; + int type; + type = OCSP_single_get0_status(single, NULL, NULL, &thisUpdate, &nextUpdate); + if ( ! ASN1_GENERALIZEDTIME_check(thisUpdate) || ! ASN1_GENERALIZEDTIME_check(nextUpdate) ) { rval = x509_result_record(-1, "OCSP reply contains invalid dates"); goto x509_ocsp_cleanup; 
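Review bot: The store fallback under `// issuer not in list sent by server, check store` looks up `X509_get_subject_name(cert)`, the host certificate's own subject, although the comment and the error text say it is searching for the issuer. Unless context outside the hunk explains it, the lookup should use the issuer name: `int lookup = X509_STORE_get_by_subject(csc, X509_LU_X509, X509_get_issuer_name(cert), obj);`. The result of `X509_OBJECT_new()` is also passed on without a NULL check. The enclosing function extends beyond this hunk.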
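Review bot: The `OCSP_id_cmp` mismatch branch still ends in `return x509_result_record(-1, "OCSP reply is not for host certificate");`, which bypasses `x509_ocsp_cleanup` and so skips the frees done there (at least `ocsp_certs` and `untrusted_certs`, per the later hunk). A reply issued for a different certificate is enough to reach it. Follow the neighbouring branches: `rval = x509_result_record(-1, "OCSP reply is not for host certificate"); goto x509_ocsp_cleanup;`. Also, `nextUpdate` is optional in an OCSP single response, so `OCSP_single_get0_status` may leave it NULL before `ASN1_GENERALIZEDTIME_check(nextUpdate)`. An explicit NULL check ahead of the date checks would be safer, and the return value assigned to `type` should be checked for -1.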
@@ -405,19 +458,22 @@ function x509_ocsp_verify%(certs: x509_opaque_vector, ocsp_reply: string, root_c // Well, we will do it manually. - if ( X509_cmp_time(single->thisUpdate, &vtime) > 0 ) + if ( X509_cmp_time(thisUpdate, &vtime) > 0 ) rval = x509_result_record(-1, "OCSP reply specifies time in future"); - else if ( X509_cmp_time(single->nextUpdate, &vtime) < 0 ) + else if ( X509_cmp_time(nextUpdate, &vtime) < 0 ) rval = x509_result_record(-1, "OCSP reply expired"); - else if ( single->certStatus->type != V_OCSP_CERTSTATUS_GOOD ) - rval = x509_result_record(-1, OCSP_cert_status_str(single->certStatus->type)); + else if ( type != V_OCSP_CERTSTATUS_GOOD ) + rval = x509_result_record(-1, OCSP_cert_status_str(type)); // if we have no error so far, we are done. if ( !rval ) - rval = x509_result_record(1, OCSP_cert_status_str(single->certStatus->type)); + rval = x509_result_record(1, OCSP_cert_status_str(type)); x509_ocsp_cleanup: + if ( ocsp_certs ) + sk_X509_free(ocsp_certs); + if ( untrusted_certs ) sk_X509_free(untrusted_certs); @@ -455,7 +511,7 @@ x509_ocsp_cleanup: ## ## .. bro:see:: x509_certificate x509_extension x509_ext_basic_constraints ## x509_ext_subject_alternative_name x509_parse -## x509_get_certificate_string x509_ocsp_verify +## x509_get_certificate_string x509_ocsp_verify sct_verify function x509_verify%(certs: x509_opaque_vector, root_certs: table_string_of_string, verify_time: time &default=network_time()%): X509::Result %{ X509_STORE* ctx = x509_get_root_store(root_certs->AsTableVal()); 
@@ -491,18 +547,18 @@ function x509_verify%(certs: x509_opaque_vector, root_certs: table_string_of_str if ( ! untrusted_certs ) return x509_result_record(-1, "Problem initializing list of untrusted certificates"); - X509_STORE_CTX csc; - X509_STORE_CTX_init(&csc, ctx, cert, untrusted_certs); - X509_STORE_CTX_set_time(&csc, 0, (time_t) verify_time); - X509_STORE_CTX_set_flags(&csc, X509_V_FLAG_USE_CHECK_TIME); + X509_STORE_CTX *csc = X509_STORE_CTX_new(); + X509_STORE_CTX_init(csc, ctx, cert, untrusted_certs); + X509_STORE_CTX_set_time(csc, 0, (time_t) verify_time); + X509_STORE_CTX_set_flags(csc, X509_V_FLAG_USE_CHECK_TIME); - int result = X509_verify_cert(&csc); + int result = X509_verify_cert(csc); VectorVal* chainVector = 0; if ( result == 1 ) // we have a valid chain. try to get it... { - STACK_OF(X509)* chain = X509_STORE_CTX_get1_chain(&csc); // get1 = deep copy + STACK_OF(X509)* chain = X509_STORE_CTX_get1_chain(csc); // get1 = deep copy if ( ! chain ) { 
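Review bot: In x509_verify, `X509_STORE_CTX_new()` can return NULL and `X509_STORE_CTX_init()` can fail, but `csc` is used straight away in both cases. A guard such as `if ( ! csc ) { sk_X509_free(untrusted_certs); return x509_result_record(-1, "Could not allocate X509_STORE_CTX"); }` keeps an allocation failure from turning into a NULL dereference while processing certificates from traffic. The init result deserves the same treatment before `X509_verify_cert(csc)`. The function body continues outside this hunk.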
@@ -534,11 +590,306 @@ function x509_verify%(certs: x509_opaque_vector, root_certs: table_string_of_str x509_verify_chainerror: - X509_STORE_CTX_cleanup(&csc); + RecordVal* rrecord = x509_result_record(X509_STORE_CTX_get_error(csc), X509_verify_cert_error_string(X509_STORE_CTX_get_error(csc)), chainVector); + + X509_STORE_CTX_cleanup(csc); + X509_STORE_CTX_free(csc); sk_X509_free(untrusted_certs); - RecordVal* rrecord = x509_result_record(csc.error, X509_verify_cert_error_string(csc.error), chainVector); - return rrecord; %} + +## Verifies a Signed Certificate Timestamp as used for Certificate Transparency. +## See RFC6962 for more details. +## +## cert: Certificate against which the SCT should be validated. +## +## logid: Log id of the SCT. +## +## log_key: Public key of the Log that issued the SCT proof. +## +## timestamp: Timestamp at which the proof was generated. +## +## hash_algorithm: Hash algorithm that was used for the SCT proof. +## +## issuer_key_hash: The SHA-256 hash of the certificate issuer's public key. +## This only has to be provided if the SCT was encountered in an X.509 +## certificate extension; in that case, it is necessary for validation. +## +## Returns: T if the validation could be performed succesfully, F otherwhise. +## +## .. 
bro:see:: ssl_extension_signed_certificate_timestamp +## x509_ocsp_ext_signed_certificate_timestamp +## x509_verify +function sct_verify%(cert: opaque of x509, logid: string, log_key: string, signature: string, timestamp: count, hash_algorithm: count, issuer_key_hash: string &default=""%): bool + %{ + assert(cert); + file_analysis::X509Val* h = (file_analysis::X509Val*) cert; + X509* x = ((file_analysis::X509Val*) h)->GetCertificate(); + + assert(sizeof(timestamp) >= 8); + uint64_t timestamp_network = htonll(timestamp); + + bool precert = issuer_key_hash->Len() > 0; + if ( precert && issuer_key_hash->Len() != 32) + { + reporter->Error("Invalid issuer_key_hash length"); + return new Val(0, TYPE_BOOL); + } + + std::string data; + data.push_back(0); // version + data.push_back(0); // signature_type -> certificate_timestamp + data.append(reinterpret_cast(×tamp_network), sizeof(timestamp_network)); // timestamp -> 64 bits + if ( precert ) + data.append("\0\1", 2); // entry-type: precert_entry + else + data.append("\0\0", 2); // entry-type: x509_entry + + if ( precert ) + { + x = X509_dup(x); + assert(x); + // In OpenSSL 1.0.2+, we can get the extension by using NID_ct_precert_scts. + // In OpenSSL <= 1.0.1, this is not yet defined yet, so we have to manually + // look it up by performing a string comparison on the oid. 
+#ifdef NID_ct_precert_scts + int pos = X509_get_ext_by_NID(x, NID_ct_precert_scts, -1); + if ( pos < 0 ) + { + reporter->Error("NID_ct_precert_scts not found"); + return new Val(0, TYPE_BOOL); + } +#else + int num_ext = X509_get_ext_count(x); + int pos = -1; + for ( int k = 0; k < num_ext; ++k ) + { + char oid[256]; + X509_EXTENSION* ex = X509_get_ext(x, k); + ASN1_OBJECT* ext_asn = X509_EXTENSION_get_object(ex); + OBJ_obj2txt(oid, 255, ext_asn, 1); + if ( strcmp(oid, "1.3.6.1.4.1.11129.2.4.2") == 0 ) + { + pos = k; + break; + } + } +#endif + X509_EXTENSION_free(X509_delete_ext(x, pos)); +#ifdef NID_ct_precert_scts + assert( X509_get_ext_by_NID(x, NID_ct_precert_scts, -1) == -1 ); +#endif + } + + unsigned char *cert_out = nullptr; + uint32 cert_length; + if ( precert ) + { +#if (OPENSSL_VERSION_NUMBER < 0x10002000L || LIBRESSL_VERSION_NUMBER) + x->cert_info->enc.modified = 1; + cert_length = i2d_X509_CINF(x->cert_info, &cert_out); +#else + cert_length = i2d_re_X509_tbs(x, &cert_out); +#endif + data.append(reinterpret_cast(issuer_key_hash->Bytes()), issuer_key_hash->Len()); + } + else + cert_length = i2d_X509(x, &cert_out); + assert( cert_out ); + uint32 cert_length_network = htonl(cert_length); + assert( sizeof(cert_length_network) == 4); + + data.append(reinterpret_cast(&cert_length_network)+1, 3); // 3 bytes certificate length + data.append(reinterpret_cast(cert_out), cert_length); // der-encoded certificate + OPENSSL_free(cert_out); + if ( precert ) + X509_free(x); + data.append("\0\0", 2); // no extensions + + // key is given as a DER-encoded SubjectPublicKeyInfo. + const unsigned char *key_char = log_key->Bytes(); + EVP_PKEY* key = d2i_PUBKEY(nullptr, &key_char, log_key->Len()); + + EVP_MD_CTX *mdctx = EVP_MD_CTX_create(); + assert(mdctx); + + string errstr; + int success = 0; + + const EVP_MD* hash = hash_to_evp(hash_algorithm); + if ( ! hash ) + { + errstr = "Unknown hash algorithm"; + goto sct_verify_err; + } + + if ( ! 
key ) + { + errstr = "Could not load log key"; + goto sct_verify_err; + } + + if ( ! EVP_DigestVerifyInit(mdctx, NULL, hash, NULL, key) ) + { + errstr = "Could not init signature verification"; + goto sct_verify_err; + } + + if ( ! EVP_DigestVerifyUpdate(mdctx, data.data(), data.size()) ) + { + errstr = "Could not update digest for verification"; + goto sct_verify_err; + } + +#ifdef NID_ct_precert_scts + success = EVP_DigestVerifyFinal(mdctx, signature->Bytes(), signature->Len()); +#else + // older versions of OpenSSL use a non-const-char *sigh* + // I don't think they actually manipulate the value though. + // todo - this needs a cmake test + success = EVP_DigestVerifyFinal(mdctx, (unsigned char*) signature->Bytes(), signature->Len()); +#endif + EVP_MD_CTX_destroy(mdctx); + EVP_PKEY_free(key); + + return new Val(success, TYPE_BOOL); + +sct_verify_err: + if (mdctx) + EVP_MD_CTX_destroy(mdctx); + if (key) + EVP_PKEY_free(key); + + reporter->Error("%s", errstr.c_str()); + return new Val(0, TYPE_BOOL); + %} + + +%%{ +/** + * 0 -> subject name + * 1 -> issuer name + * 2 -> pubkey + */ +StringVal* x509_entity_hash(file_analysis::X509Val *cert_handle, unsigned int hash_alg, unsigned int type) + { + assert(cert_handle); + + if ( type > 2 ) + { + reporter->InternalError("Unknown type in x509_entity_hash"); + return nullptr; + } + + X509 *cert_x509 = cert_handle->GetCertificate(); + if ( cert_x509 == nullptr ) + { + builtin_error("cannot get cert from opaque"); + return nullptr; + } + + X509_NAME *subject_name = X509_get_subject_name(cert_x509); + X509_NAME *issuer_name = X509_get_issuer_name(cert_x509); + if ( subject_name == nullptr || issuer_name == nullptr ) + { + builtin_error("fail to get subject/issuer name from certificate"); + return nullptr; + } + + const EVP_MD *dgst = hash_to_evp(hash_alg); + if ( dgst == nullptr ) + { + builtin_error("Unknown hash algorithm."); + return nullptr; + } + + unsigned char md[EVP_MAX_MD_SIZE]; + memset(md, 0, sizeof(md)); + unsigned 
int len = 0; + + int res = 0; + + if ( type == 0 ) + res = X509_NAME_digest(subject_name, dgst, md, &len); + else if ( type == 1 ) + res = X509_NAME_digest(issuer_name, dgst, md, &len); + else if ( type == 2 ) + { + unsigned char *spki = nullptr; + int pklen = i2d_X509_PUBKEY(X509_get_X509_PUBKEY(cert_x509), &spki); + if ( ! pklen ) + { + builtin_error("Could not get SPKI"); + return nullptr; + } + res = EVP_Digest(spki, pklen, md, &len, dgst, nullptr); + OPENSSL_free(spki); + } + + if ( ! res ) + { + builtin_error("Could not perform hash"); + return nullptr; + } + + assert( len <= sizeof(md) ); + + return new StringVal(len, reinterpret_cast(md)); + } +%%} + +## Get the hash of the subject's distinguished name. +## +## cert: The X509 certificate opaque handle. +## +## hash_alg: the hash algorithm to use, according to the IANA mapping at +## https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-18 +## +## Returns: The hash as a string. +## +## .. bro:see:: x509_issuer_name_hash x509_spki_hash +## x509_verify sct_verify +function x509_subject_name_hash%(cert: opaque of x509, hash_alg: count%): string + %{ + file_analysis::X509Val *cert_handle = (file_analysis::X509Val *) cert; + + return x509_entity_hash(cert_handle, hash_alg, 0); + %} + +## Get the hash of the issuer's distinguished name. +## +## cert: The X509 certificate opaque handle. +## +## hash_alg: the hash algorithm to use, according to the IANA mapping at +## https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-18 +## +## Returns: The hash as a string. +## +## .. bro:see:: x509_subject_name_hash x509_spki_hash +## x509_verify sct_verify +function x509_issuer_name_hash%(cert: opaque of x509, hash_alg: count%): string + %{ + file_analysis::X509Val *cert_handle = (file_analysis::X509Val *) cert; + + return x509_entity_hash(cert_handle, hash_alg, 1); + %} + +## Get the hash of the Subject Public Key Information of the certificate. 
+## +## cert: The X509 certificate opaque handle. +## +## hash_alg: the hash algorithm to use, according to the IANA mapping at +## https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-18 +## +## Returns: The hash as a string. +## +## .. bro:see:: x509_subject_name_hash x509_issuer_name_hash +## x509_verify sct_verify +function x509_spki_hash%(cert: opaque of x509, hash_alg: count%): string + %{ + file_analysis::X509Val *cert_handle = (file_analysis::X509Val *) cert; + + return x509_entity_hash(cert_handle, hash_alg, 2); + %} diff --git a/src/file_analysis/analyzer/x509/ocsp_events.bif b/src/file_analysis/analyzer/x509/ocsp_events.bif new file mode 100644 index 0000000000..f49208d238 --- /dev/null +++ b/src/file_analysis/analyzer/x509/ocsp_events.bif 
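Review bot: `sct_verify` returns `new Val(success, TYPE_BOOL)` with the raw result of `EVP_DigestVerifyFinal()`, which is 1 for a valid signature, 0 for an invalid one and negative on other errors; a negative value is non-zero and would presumably read as T in script land, reporting an SCT as verified when verification actually failed. Return `new Val(success == 1, TYPE_BOOL)` instead, and test the `EVP_DigestVerifyInit`/`EVP_DigestVerifyUpdate` results with `!= 1` rather than `!`. Separately, `cert_length` is a `uint32` holding the `int` result of `i2d_X509()`/`i2d_re_X509_tbs()`, and the only guard is `assert( cert_out )`, which disappears in builds with NDEBUG; a negative length needs a real check before the `data.append` calls. The early `return` under "NID_ct_precert_scts not found" also leaves the `X509_dup` copy unfreed.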
@@ -0,0 +1,117 @@ +## Event that is raised when encountering an OCSP request, e.g. in an HTTP +## connection. See :rfc:`6960` for more details. +## +## This event is raised exactly once for each OCSP Request. +## +## f: The file. +## +## req: version: the version of the OCSP request. Typically 0 (Version 1). +## +## .. bro:see:: ocsp_request_certificate ocsp_response_status +## ocsp_response_bytes ocsp_response_certificate ocsp_extension +## x509_ocsp_ext_signed_certificate_timestamp +event ocsp_request%(f: fa_file, version: count%); + +## Event that is raised when encountering an OCSP request for a certificate, +## e.g. in an HTTP connection. See :rfc:`6960` for more details. +## +## Note that a single OCSP request can contain requests for several certificates. +## Thus this event can fire several times for one OCSP request, each time +## requesting information for a different (or in theory even the same) certificate. +## +## f: The file. +## +## hashAlgorithm: The hash algorithm used for the issuerKeyHash. +## +## issuerKeyHash: Hash of the issuers public key. +## +## serialNumber: Serial number of the certificate for which the status is requested. +## +## .. bro:see:: ocsp_request ocsp_response_status +## ocsp_response_bytes ocsp_response_certificate ocsp_extension +## x509_ocsp_ext_signed_certificate_timestamp +event ocsp_request_certificate%(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string%); + +## This event is raised when encountering an OCSP reply, e.g. in an HTTP +## connection or a TLS extension. See :rfc:`6960` for more details. +## +## This event is raised exactly once for each OCSP reply. +## +## f: The file. +## +## status: The status of the OCSP response (e.g. succesful, malformedRequest, tryLater). +## +## .. 
bro:see:: ocsp_request ocsp_request_certificate +## ocsp_response_bytes ocsp_response_certificate ocsp_extension +## x509_ocsp_ext_signed_certificate_timestamp +event ocsp_response_status%(f: fa_file, status: string%); + +## This event is raised when encountering an OCSP response that contains response information. +## An OCSP reply can be encountered, for example, in an HTTP connection or +## a TLS extension. See :rfc:`6960` for more details on OCSP. +## +## f: The file. +## +## req_ref: An opaque pointer to the underlying OpenSSL data structure of the +## OCSP response. +## +## status: The status of the OCSP response (e.g. succesful, malformedRequest, tryLater). +## +## version: Version of the OCSP response (typically - for version 1). +## +## responderId: The id of the OCSP responder; either a public key hash or a distinguished name. +## +## producedAt: Time at which the reply was produced. +## +## signatureAlgorithm: Algorithm used for the OCSP signature. +## +## certs: Optional list of certificates that are sent with the OCSP response; these typically +## are needed to perform validation of the reply. +## +## .. bro:see:: ocsp_request ocsp_request_certificate ocsp_response_status +## ocsp_response_certificate ocsp_extension +## x509_ocsp_ext_signed_certificate_timestamp +event ocsp_response_bytes%(f: fa_file, resp_ref: opaque of ocsp_resp, status: string, version: count, responderId: string, producedAt: time, signatureAlgorithm: string, certs: x509_opaque_vector%); + +## This event is raised for each SingleResponse contained in an OCSP response. +## See :rfc:`6960` for more details on OCSP. +## +## f: The file. +## +## hashAlgorithm: The hash algorithm used for issuerNameHash and issuerKeyHash. +## +## issuerNameHash: Hash of the issuer's distinguished name. +## +## issuerKeyHash: Hash of the issuer's public key. +## +## serialNumber: Serial number of the affected certificate. +## +## certStatus: Status of the certificate. 
+## +## revokeTime: Time the certificate was revoked, 0 if not revoked. +## +## revokeTeason: Reason certificate was revoked; empty string if not revoked or not specified. +## +## thisUpdate: Time this response was generated. +## +## nextUpdate: Time next response will be ready; 0 if not supploed. +## +## .. bro:see:: ocsp_request ocsp_request_certificate ocsp_response_status +## ocsp_response_bytes ocsp_extension +## x509_ocsp_ext_signed_certificate_timestamp +event ocsp_response_certificate%(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string, certStatus: string, revokeTime: time, revokeReason: string, thisUpdate: time, nextUpdate: time%); + +## This event is raised when an OCSP extension is encountered in an OCSP response. +## See :rfc:`6960` for more details on OCSP. +## +## f: The file. +## +## ext: The parsed extension (same format as X.509 extensions). +## +## global_resp: T if extension encountered in the global response (in ResponseData), +## F when encountered in a SingleResponse. +## +## .. bro:see:: ocsp_request ocsp_request_certificate ocsp_response_status +## ocsp_response_bytes ocsp_response_certificate +## x509_ocsp_ext_signed_certificate_timestamp +event ocsp_extension%(f: fa_file, ext: X509::Extension, global_resp: bool%); diff --git a/src/file_analysis/analyzer/x509/x509-extension.pac b/src/file_analysis/analyzer/x509/x509-extension.pac new file mode 100644 index 0000000000..396debbbbe --- /dev/null +++ b/src/file_analysis/analyzer/x509/x509-extension.pac 
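Review bot: Several parameter descriptions in these event docs do not match the declared signatures: `ocsp_response_bytes` documents `req_ref` but declares `resp_ref`, `ocsp_response_certificate` documents `revokeTeason` but declares `revokeReason`, `ocsp_request` writes `req: version:`, and `ocsp_request_certificate` has no entry for `issuerNameHash`. I would rename the entries to match the signatures and add `## issuerNameHash: Hash of the issuer's distinguished name.` to `ocsp_request_certificate`. The `version` entry of `ocsp_response_bytes` reads "typically - for version 1", where the dash looks like a dropped value.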
@@ -0,0 +1,54 @@ +# Binpac analyzer for X.509 extensions +# we just use it for the SignedCertificateTimestamp at the moment + +%include binpac.pac +%include bro.pac + +%extern{ +#include "types.bif.h" +#include "file_analysis/File.h" +#include "events.bif.h" +%} + +analyzer X509Extension withcontext { + connection: MockConnection; + flow: SignedCertTimestampExt; +}; + +connection MockConnection(bro_analyzer: BroFileAnalyzer) { + upflow = SignedCertTimestampExt; + downflow = SignedCertTimestampExt; +}; + +%include x509-signed_certificate_timestamp.pac + +# The base record +type HandshakeRecord() = record { + signed_certificate_timestamp_list: SignedCertificateTimestampList(this)[] &transient; +} &byteorder = bigendian; + +flow SignedCertTimestampExt { + flowunit = HandshakeRecord withcontext(connection, this); +}; + +refine connection MockConnection += { + + function proc_signedcertificatetimestamp(rec: HandshakeRecord, version: uint8, logid: const_bytestring, timestamp: uint64, digitally_signed_algorithms: SignatureAndHashAlgorithm, digitally_signed_signature: const_bytestring) : bool + %{ + BifEvent::generate_x509_ocsp_ext_signed_certificate_timestamp((analyzer::Analyzer *) bro_analyzer(), + bro_analyzer()->GetFile()->GetVal()->Ref(), + version, + new StringVal(logid.length(), reinterpret_cast(logid.begin())), + timestamp, + digitally_signed_algorithms->HashAlgorithm(), + digitally_signed_algorithms->SignatureAlgorithm(), + new StringVal(digitally_signed_signature.length(), reinterpret_cast(digitally_signed_signature.begin())) + ); + + return true; + %} +}; + +refine typeattr SignedCertificateTimestamp += &let { + proc : bool = $context.connection.proc_signedcertificatetimestamp(rec, version, logid, timestamp, digitally_signed_algorithms, digitally_signed_signature); +}; 
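Review bot: Nothing in the new file says why an X.509 extension parser defines `MockConnection` and a `HandshakeRecord`; the names appear to exist so that the included `x509-signed_certificate_timestamp.pac` grammar, which is handed `rec` in the `&let` at the bottom, can be reused as is, but that is an inference from this hunk. A short comment above `connection MockConnection`, such as `# Placeholder connection/flow so the TLS SCT grammar can be included unchanged; there is no real connection here.`, would save the next reader the search.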
diff --git a/src/file_analysis/analyzer/x509/x509-signed_certificate_timestamp.pac b/src/file_analysis/analyzer/x509/x509-signed_certificate_timestamp.pac new file mode 120000 index 0000000000..88305ed8fd --- /dev/null +++ b/src/file_analysis/analyzer/x509/x509-signed_certificate_timestamp.pac @@ -0,0 +1 @@ +../../../analyzer/protocol/ssl/tls-handshake-signed_certificate_timestamp.pac \ No newline at end of file diff --git a/src/file_analysis/file_analysis.bif b/src/file_analysis/file_analysis.bif index 480d8c84d8..d2c6c43394 100644 --- a/src/file_analysis/file_analysis.bif +++ b/src/file_analysis/file_analysis.bif @@ -71,6 +71,28 @@ function Files::__analyzer_name%(tag: Files::Tag%) : string return new StringVal(file_mgr->GetComponentName(tag)); %} +## :bro:see:`Files::file_exists`. +function Files::__file_exists%(fuid: string%): bool + %{ + if ( file_mgr->LookupFile(fuid->CheckString()) != nullptr ) + return new Val(true, TYPE_BOOL); + else + return new Val(false, TYPE_BOOL); + %} + +## :bro:see:`Files::lookup_file`. +function Files::__lookup_file%(fuid: string%): fa_file + %{ + auto f = file_mgr->LookupFile(fuid->CheckString()); + if ( f != nullptr ) + { + return f->GetVal()->Ref(); + } + + reporter->Error("file ID %s not a known file", fuid->CheckString()); + return 0; + %} + module GLOBAL; ## For use within a :bro:see:`get_file_handle` handler to set a unique @@ -83,7 +105,9 @@ module GLOBAL; ## .. bro:see:: get_file_handle function set_file_handle%(handle: string%): any %{ - file_mgr->SetHandle(handle->CheckString()); + auto bytes = reinterpret_cast(handle->Bytes()); + auto h = std::string(bytes, handle->Len()); + file_mgr->SetHandle(h); return 0; %} diff --git a/src/input.h b/src/input.h index f0f402b23b..230a10073a 100644 --- a/src/input.h +++ b/src/input.h 
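Review bot: `Files::__lookup_file` ends in `return 0;` for an unknown `fuid` although it is declared to return `fa_file`, so after the reporter error the caller is handed a null value. What the script layer does with that is not visible in this hunk and should be confirmed, or the failure behaviour documented in the `##` comment, which currently only points at `Files::lookup_file`. As a style point, `Files::__file_exists` can drop the if/else: `return new Val(file_mgr->LookupFile(fuid->CheckString()) != nullptr, TYPE_BOOL);`.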
@@ -14,6 +14,7 @@ extern int yydebug; extern int brolex(); extern char last_tok[128]; +extern void add_essential_input_file(const char* file); extern void add_input_file(const char* file); extern void add_input_file_at_front(const char* file); @@ -22,7 +23,6 @@ extern void add_input_file_at_front(const char* file); extern void add_to_name_list(char* s, char delim, name_list& nl); extern void begin_RE(); -extern void end_RE(); extern void do_atif(Expr* expr); extern void do_atifdef(const char* id); diff --git a/src/input/Component.h b/src/input/Component.h index ce24d447e5..cd3c1ea24d 100644 --- a/src/input/Component.h +++ b/src/input/Component.h @@ -37,7 +37,7 @@ public: /** * Destructor. */ - ~Component(); + ~Component() override; /** * Initialization function. This function has to be called before any diff --git a/src/input/Manager.cc b/src/input/Manager.cc index b84d822101..4cc084285d 100644 --- a/src/input/Manager.cc +++ b/src/input/Manager.cc @@ -711,7 +711,7 @@ bool Manager::CreateTableStream(RecordVal* fval) return true; } -bool Manager::CheckErrorEventTypes(std::string stream_name, Func* ev, bool table) +bool Manager::CheckErrorEventTypes(std::string stream_name, const Func* ev, bool table) const { if ( ev == nullptr ) return true; @@ -899,7 +899,7 @@ bool Manager::RemoveStreamContinuation(ReaderFrontend* reader) } bool Manager::UnrollRecordType(vector *fields, const RecordType *rec, - const string& nameprepend, bool allow_file_func) + const string& nameprepend, bool allow_file_func) const { for ( int i = 0; i < rec->NumFields(); i++ ) { @@ -1007,7 +1007,7 @@ bool Manager::ForceUpdate(const string &name) } -Val* Manager::RecordValToIndexVal(RecordVal *r) +Val* Manager::RecordValToIndexVal(RecordVal *r) const { Val* idxval; 
@@ -1032,7 +1032,7 @@ Val* Manager::RecordValToIndexVal(RecordVal *r) } -Val* Manager::ValueToIndexVal(const Stream* i, int num_fields, const RecordType *type, const Value* const *vals, bool& have_error) +Val* Manager::ValueToIndexVal(const Stream* i, int num_fields, const RecordType *type, const Value* const *vals, bool& have_error) const { Val* idxval; int position = 0; @@ -1810,7 +1810,7 @@ bool Manager::Delete(ReaderFrontend* reader, Value* *vals) return success; } -bool Manager::CallPred(Func* pred_func, const int numvals, ...) +bool Manager::CallPred(Func* pred_func, const int numvals, ...) const { bool result = false; val_list vl(numvals); @@ -1835,7 +1835,7 @@ bool Manager::CallPred(Func* pred_func, const int numvals, ...) // Raise everything in here as warnings so it is passed to scriptland without // looking "fatal". In addition to these warnings, ReaderBackend will queue // one reporter message. -bool Manager::SendEvent(ReaderFrontend* reader, const string& name, const int num_vals, Value* *vals) +bool Manager::SendEvent(ReaderFrontend* reader, const string& name, const int num_vals, Value* *vals) const { Stream *i = FindStream(reader); if ( i == 0 ) @@ -1871,7 +1871,15 @@ bool Manager::SendEvent(ReaderFrontend* reader, const string& name, const int nu val_list* vl = new val_list; for ( int j = 0; j < num_vals; j++) - vl->append(ValueToVal(i, vals[j], type->FieldType(j), convert_error)); + { + Val* v = ValueToVal(i, vals[j], convert_error); + vl->append(v); + if ( v && ! convert_error && ! same_type(type->FieldType(j), v->Type()) ) + { + convert_error = true; + type->FieldType(j)->Error("SendEvent types do not match", v->Type()); + } + } delete_value_ptr_array(vals, num_vals); 
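Review bot: The new type check in `Manager::SendEvent` (hunk `@@ -1871`) reports a mismatch through `type->FieldType(j)->Error(...)`, while the comment above the function, visible in the `@@ -1835` hunk, says everything here is raised as a warning so it reaches script land without looking fatal. For consistency I would use the stream-aware helper, e.g. `Warning(i, "SendEvent types do not match for field %d", j);`, which also names the stream in the message. The loop keeps calling `ValueToVal` for the remaining values after `convert_error` is set; whether that matters depends on the cleanup below the hunk.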
@@ -1886,7 +1894,7 @@ bool Manager::SendEvent(ReaderFrontend* reader, const string& name, const int nu return true; } -void Manager::SendEvent(EventHandlerPtr ev, const int numvals, ...) +void Manager::SendEvent(EventHandlerPtr ev, const int numvals, ...) const { val_list* vl = new val_list; @@ -1905,7 +1913,7 @@ void Manager::SendEvent(EventHandlerPtr ev, const int numvals, ...) mgr.QueueEvent(ev, vl, SOURCE_LOCAL); } -void Manager::SendEvent(EventHandlerPtr ev, list events) +void Manager::SendEvent(EventHandlerPtr ev, list events) const { val_list* vl = new val_list; @@ -1924,7 +1932,7 @@ void Manager::SendEvent(EventHandlerPtr ev, list events) // Convert a bro list value to a bro record value. // I / we could think about moving this functionality to val.cc -RecordVal* Manager::ListValToRecordVal(ListVal* list, RecordType *request_type, int* position) +RecordVal* Manager::ListValToRecordVal(ListVal* list, RecordType *request_type, int* position) const { assert(position != 0 ); // we need the pointer to point to data; @@ -1954,7 +1962,7 @@ RecordVal* Manager::ListValToRecordVal(ListVal* list, RecordType *request_type, // Convert a threading value to a record value RecordVal* Manager::ValueToRecordVal(const Stream* stream, const Value* const *vals, - RecordType *request_type, int* position, bool& have_error) + RecordType *request_type, int* position, bool& have_error) const { assert(position != 0); // we need the pointer to point to data. @@ -1991,7 +1999,8 @@ RecordVal* Manager::ValueToRecordVal(const Stream* stream, const Value* const *v // Count the length of the values used to create a correct length buffer for // hashing later -int Manager::GetValueLength(const Value* val) { +int Manager::GetValueLength(const Value* val) const + { assert( val->present ); // presence has to be checked elsewhere int length = 0; 
@@ -2081,7 +2090,7 @@ int Manager::GetValueLength(const Value* val) { // Given a threading::value, copy the raw data bytes into *data and return how many bytes were copied. // Used for hashing the values for lookup in the bro table -int Manager::CopyValue(char *data, const int startpos, const Value* val) +int Manager::CopyValue(char *data, const int startpos, const Value* val) const { assert( val->present ); // presence has to be checked elsewhere @@ -2205,7 +2214,7 @@ int Manager::CopyValue(char *data, const int startpos, const Value* val) } // Hash num_elements threading values and return the HashKey for them. At least one of the vals has to be ->present. -HashKey* Manager::HashValues(const int num_elements, const Value* const *vals) +HashKey* Manager::HashValues(const int num_elements, const Value* const *vals) const { int length = 0; @@ -2251,19 +2260,19 @@ HashKey* Manager::HashValues(const int num_elements, const Value* const *vals) // have_error is a reference to a boolean which is set to true as soon as an error occured. // When have_error is set to true at the beginning of the function, it is assumed that // an error already occured in the past and processing is aborted. -Val* Manager::ValueToVal(const Stream* i, const Value* val, BroType* request_type, bool& have_error) +Val* Manager::ValueToVal(const Stream* i, const Value* val, BroType* request_type, bool& have_error) const { if ( have_error ) - return 0; + return nullptr; if ( request_type->Tag() != TYPE_ANY && request_type->Tag() != val->type ) { reporter->InternalError("Typetags don't match: %d vs %d in stream %s", request_type->Tag(), val->type, i->name.c_str()); - return 0; + return nullptr; } if ( !val->present ) - return 0; // unset field + return nullptr; // unset field switch ( val->type ) { case TYPE_BOOL: 
@@ -2287,7 +2296,7 @@ Val* Manager::ValueToVal(const Stream* i, const Value* val, BroType* request_typ } case TYPE_PORT: - return new PortVal(val->val.port_val.port, val->val.port_val.proto); + return port_mgr->Get(val->val.port_val.port, val->val.port_val.proto); case TYPE_ADDR: { @@ -2312,7 +2321,7 @@ Val* Manager::ValueToVal(const Stream* i, const Value* val, BroType* request_typ case TYPE_SUBNET: { - IPAddr* addr = 0; + IPAddr* addr = nullptr; switch ( val->val.subnet_val.prefix.family ) { case IPv4: addr = new IPAddr(val->val.subnet_val.prefix.in.in4); @@ -2359,7 +2368,7 @@ Val* Manager::ValueToVal(const Stream* i, const Value* val, BroType* request_typ VectorVal* v = new VectorVal(vt); for ( int j = 0; j < val->val.vector_val.size; j++ ) { - v->Assign(j, ValueToVal(i, val->val.set_val.vals[j], type, have_error)); + v->Assign(j, ValueToVal(i, val->val.vector_val.vals[j], type, have_error)); } Unref(vt); @@ -2380,11 +2389,11 @@ Val* Manager::ValueToVal(const Stream* i, const Value* val, BroType* request_typ bro_int_t index = request_type->AsEnumType()->Lookup(module, var.c_str()); if ( index == -1 ) { - Warning(i, "Value not '%s' for stream '%s' is not a valid enum.", + Warning(i, "Value '%s' for stream '%s' is not a valid enum.", enum_string.c_str(), i->name.c_str()); have_error = true; - return 0; + return nullptr; } return new EnumVal(index, request_type->Ref()->AsEnumType()); 
@@ -2398,9 +2407,178 @@ Val* Manager::ValueToVal(const Stream* i, const Value* val, BroType* request_typ return NULL; } -Manager::Stream* Manager::FindStream(const string &name) +Val* Manager::ValueToVal(const Stream* i, const Value* val, bool& have_error) const { - for ( map::iterator s = readers.begin(); s != readers.end(); ++s ) + if ( have_error ) + return nullptr; + + if ( ! val->present ) + return nullptr; // unset field + + switch ( val->type ) { + case TYPE_BOOL: + case TYPE_INT: + return new Val(val->val.int_val, val->type); + break; + + case TYPE_COUNT: + case TYPE_COUNTER: + return new Val(val->val.uint_val, val->type); + + case TYPE_DOUBLE: + case TYPE_TIME: + case TYPE_INTERVAL: + return new Val(val->val.double_val, val->type); + + case TYPE_STRING: + { + BroString *s = new BroString((const u_char*)val->val.string_val.data, val->val.string_val.length, 1); + return new StringVal(s); + } + + case TYPE_PORT: + return port_mgr->Get(val->val.port_val.port, val->val.port_val.proto); + + case TYPE_ADDR: + { + IPAddr* addr = 0; + switch ( val->val.addr_val.family ) { + case IPv4: + addr = new IPAddr(val->val.addr_val.in.in4); + break; + + case IPv6: + addr = new IPAddr(val->val.addr_val.in.in6); + break; + + default: + assert(false); + } + + AddrVal* addrval = new AddrVal(*addr); + delete addr; + return addrval; + } + + case TYPE_SUBNET: + { + IPAddr* addr = nullptr; + switch ( val->val.subnet_val.prefix.family ) { + case IPv4: + addr = new IPAddr(val->val.subnet_val.prefix.in.in4); + break; + + case IPv6: + addr = new IPAddr(val->val.subnet_val.prefix.in.in6); + break; + + default: + assert(false); + } + + SubNetVal* subnetval = new SubNetVal(*addr, val->val.subnet_val.length); + delete addr; + return subnetval; + } + + case TYPE_TABLE: + { + TypeList* set_index; + if ( val->val.set_val.size == 0 && val->subtype == TYPE_VOID ) + // don't know type - unspecified table. + set_index = new TypeList(); + else + { + // all entries have to have the same type... 
+ TypeTag stag = val->subtype; + if ( stag == TYPE_VOID ) + TypeTag stag = val->val.set_val.vals[0]->type; + + set_index = new TypeList(base_type(stag)->Ref()); + set_index->Append(base_type(stag)->Ref()); + } + + SetType* s = new SetType(set_index, 0); + TableVal* t = new TableVal(s); + for ( int j = 0; j < val->val.set_val.size; j++ ) + { + Val* assignval = ValueToVal(i, val->val.set_val.vals[j], have_error); + + t->Assign(assignval, 0); + Unref(assignval); // index is not consumed by assign. + } + + Unref(s); + return t; + } + + case TYPE_VECTOR: + { + BroType* type; + if ( val->val.vector_val.size == 0 && val->subtype == TYPE_VOID ) + // don't know type - unspecified table. + type = base_type(TYPE_ANY); + else + { + // all entries have to have the same type... + if ( val->subtype == TYPE_VOID ) + type = base_type(val->val.vector_val.vals[0]->type); + else + type = base_type(val->subtype); + } + + VectorType* vt = new VectorType(type->Ref()); + VectorVal* v = new VectorVal(vt); + for ( int j = 0; j < val->val.vector_val.size; j++ ) + { + v->Assign(j, ValueToVal(i, val->val.vector_val.vals[j], have_error)); + } + + Unref(vt); + return v; + } + + case TYPE_ENUM: { + // Convert to string first to not have to deal with missing + // \0's... + string enum_string(val->val.string_val.data, val->val.string_val.length); + + // let's try looking it up by global ID. + ID* id = lookup_ID(enum_string.c_str(), GLOBAL_MODULE_NAME); + if ( ! id || ! 
id->IsEnumConst() ) + { + Warning(i, "Value '%s' for stream '%s' is not a valid enum.", + enum_string.c_str(), i->name.c_str()); + + have_error = true; + return nullptr; + } + + EnumType* t = id->Type()->AsEnumType(); + int intval = t->Lookup(id->ModuleName(), id->Name()); + if ( intval < 0 ) + { + Warning(i, "Enum value '%s' for stream '%s' not found.", + enum_string.c_str(), i->name.c_str()); + + have_error = true; + return nullptr; + } + + return new EnumVal(intval, t); + } + + default: + reporter->InternalError("Unsupported type for input_read in stream %s", i->name.c_str()); + } + + assert(false); + return NULL; + } + +Manager::Stream* Manager::FindStream(const string &name) const + { + for ( auto s = readers.begin(); s != readers.end(); ++s ) { if ( (*s).second->name == name ) return (*s).second; @@ -2409,9 +2587,9 @@ Manager::Stream* Manager::FindStream(const string &name) return 0; } -Manager::Stream* Manager::FindStream(ReaderFrontend* reader) +Manager::Stream* Manager::FindStream(ReaderFrontend* reader) const { - map::iterator s = readers.find(reader); + auto s = readers.find(reader); if ( s != readers.end() ) return s->second; @@ -2433,7 +2611,7 @@ void Manager::Terminate() } -void Manager::Info(ReaderFrontend* reader, const char* msg) +void Manager::Info(ReaderFrontend* reader, const char* msg) const { Stream *i = FindStream(reader); if ( !i ) @@ -2445,7 +2623,7 @@ void Manager::Info(ReaderFrontend* reader, const char* msg) ErrorHandler(i, ErrorType::INFO, false, "%s", msg); } -void Manager::Warning(ReaderFrontend* reader, const char* msg) +void Manager::Warning(ReaderFrontend* reader, const char* msg) const { Stream *i = FindStream(reader); if ( !i ) 
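Review bot: In the `TYPE_TABLE` case of the new `ValueToVal` overload, `if ( stag == TYPE_VOID ) TypeTag stag = val->val.set_val.vals[0]->type;` declares a second `stag` scoped to the `if`, so the outer variable stays `TYPE_VOID` and the set index type is built from it. Drop the type name so the statement assigns: `stag = val->val.set_val.vals[0]->type;`. The `TYPE_ADDR` and `TYPE_SUBNET` cases also rely on `assert(false)` for an unknown address family and then dereference `addr`, which is still null when assertions are compiled out; setting `have_error = true` and returning `nullptr` there would match what the enum case does.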
@@ -2457,7 +2635,7 @@ void Manager::Warning(ReaderFrontend* reader, const char* msg) ErrorHandler(i, ErrorType::WARNING, false, "%s", msg); } -void Manager::Error(ReaderFrontend* reader, const char* msg) +void Manager::Error(ReaderFrontend* reader, const char* msg) const { Stream *i = FindStream(reader); if ( !i ) @@ -2469,7 +2647,7 @@ void Manager::Error(ReaderFrontend* reader, const char* msg) ErrorHandler(i, ErrorType::ERROR, false, "%s", msg); } -void Manager::Info(const Stream* i, const char* fmt, ...) +void Manager::Info(const Stream* i, const char* fmt, ...) const { va_list ap; va_start(ap, fmt); @@ -2477,7 +2655,7 @@ void Manager::Info(const Stream* i, const char* fmt, ...) va_end(ap); } -void Manager::Warning(const Stream* i, const char* fmt, ...) +void Manager::Warning(const Stream* i, const char* fmt, ...) const { va_list ap; va_start(ap, fmt); @@ -2485,7 +2663,7 @@ void Manager::Warning(const Stream* i, const char* fmt, ...) va_end(ap); } -void Manager::Error(const Stream* i, const char* fmt, ...) +void Manager::Error(const Stream* i, const char* fmt, ...) const { va_list ap; va_start(ap, fmt); @@ -2493,7 +2671,7 @@ void Manager::Error(const Stream* i, const char* fmt, ...) va_end(ap); } -void Manager::ErrorHandler(const Stream* i, ErrorType et, bool reporter_send, const char* fmt, ...) +void Manager::ErrorHandler(const Stream* i, ErrorType et, bool reporter_send, const char* fmt, ...) const { va_list ap; va_start(ap, fmt); @@ -2501,7 +2679,7 @@ void Manager::ErrorHandler(const Stream* i, ErrorType et, bool reporter_send, co va_end(ap); } -void Manager::ErrorHandler(const Stream* i, ErrorType et, bool reporter_send, const char* fmt, va_list ap) +void Manager::ErrorHandler(const Stream* i, ErrorType et, bool reporter_send, const char* fmt, va_list ap) const { char* buf; 
@@ -2532,6 +2710,7 @@ void Manager::ErrorHandler(const Stream* i, ErrorType et, bool reporter_send, co default: reporter->InternalError("Unknown error type while trying to report input error %s", fmt); + __builtin_unreachable(); } StringVal* message = new StringVal(buf); diff --git a/src/input/Manager.h b/src/input/Manager.h index e7a1ebe2d6..abbf8793b5 100644 --- a/src/input/Manager.h +++ b/src/input/Manager.h @@ -98,6 +98,21 @@ public: */ void Terminate(); + /** + * Checks if a Bro type can be used for data reading. Note that + * this function only applies to input streams; the logging framework + * has an equivalent function; however we support logging of a wider + * variety of types (e.g. functions). + * + * @param t The type to check. + * + * @param atomic_only Set to true to forbid non-atomic types + * (records/sets/vectors). + * + * @return True if the type is compatible with the input framework. + */ + static bool IsCompatibleType(BroType* t, bool atomic_only=false); + protected: friend class ReaderFrontend; friend class PutMessage; @@ -130,7 +145,7 @@ protected: // Allows readers to directly send Bro events. The num_vals and vals // must be the same the named event expects. Takes ownership of // threading::Value fields. - bool SendEvent(ReaderFrontend* reader, const string& name, const int num_vals, threading::Value* *vals); + bool SendEvent(ReaderFrontend* reader, const string& name, const int num_vals, threading::Value* *vals) const; // Instantiates a new ReaderBackend of the given type (note that // doing so creates a new thread!). 
@@ -147,9 +162,9 @@ protected: // Signal Informational messages, warnings and errors. These will be // passed to the error function in scriptland. Note that the messages // are not passed to reporter - this is done in ReaderBackend. - void Info(ReaderFrontend* reader, const char* msg); - void Warning(ReaderFrontend* reader, const char* msg); - void Error(ReaderFrontend* reader, const char* msg); + void Info(ReaderFrontend* reader, const char* msg) const; + void Warning(ReaderFrontend* reader, const char* msg) const; + void Error(ReaderFrontend* reader, const char* msg) const; /** * Deletes an existing input stream. @@ -176,7 +191,7 @@ private: // Check if the types of the error_ev event are correct. If table is // true, check for tablestream type, otherwhise check for eventstream // type. - bool CheckErrorEventTypes(std::string stream_name, Func* error_event, bool table); + bool CheckErrorEventTypes(std::string stream_name, const Func* error_event, bool table) const; // SendEntry implementation for Table stream. int SendEntryTable(Stream* i, const threading::Value* const *vals); 
@@ -187,63 +202,63 @@ private: // SendEntry and Put implementation for Event stream. int SendEventStreamEvent(Stream* i, EnumVal* type, const threading::Value* const *vals); - // Checks that a Bro type can be used for data reading. The - // equivalend in threading cannot be used, because we have support - // different types from the log framework - bool IsCompatibleType(BroType* t, bool atomic_only=false); // Check if a record is made up of compatible types and return a list // of all fields that are in the record in order. Recursively unrolls // records - bool UnrollRecordType(vector *fields, const RecordType *rec, const string& nameprepend, bool allow_file_func); + bool UnrollRecordType(vector *fields, const RecordType *rec, const string& nameprepend, bool allow_file_func) const; // Send events - void SendEvent(EventHandlerPtr ev, const int numvals, ...); - void SendEvent(EventHandlerPtr ev, list events); + void SendEvent(EventHandlerPtr ev, const int numvals, ...) const; + void SendEvent(EventHandlerPtr ev, list events) const; // Implementation of SendEndOfData (send end_of_data event). void SendEndOfData(const Stream *i); // Call predicate function and return result. - bool CallPred(Func* pred_func, const int numvals, ...); + bool CallPred(Func* pred_func, const int numvals, ...) const; // Get a hashkey for a set of threading::Values. - HashKey* HashValues(const int num_elements, const threading::Value* const *vals); + HashKey* HashValues(const int num_elements, const threading::Value* const *vals) const; // Get the memory used by a specific value. - int GetValueLength(const threading::Value* val); + int GetValueLength(const threading::Value* val) const; // Copies the raw data in a specific threading::Value to position // startpos. 
- int CopyValue(char *data, const int startpos, const threading::Value* val); + int CopyValue(char *data, const int startpos, const threading::Value* val) const; // Convert Threading::Value to an internal Bro Type (works also with // Records). - Val* ValueToVal(const Stream* i, const threading::Value* val, BroType* request_type, bool& have_error); + Val* ValueToVal(const Stream* i, const threading::Value* val, BroType* request_type, bool& have_error) const; - // Convert Threading::Value to an internal Bro List type. - Val* ValueToIndexVal(const Stream* i, int num_fields, const RecordType* type, const threading::Value* const *vals, bool& have_error); + // Convert Threading::Value to an internal Bro type just using the information given in the threading::Value. + // This allows more flexibility, especially given structures in script-land that contain any types. + Val* ValueToVal(const Stream* i, const threading::Value* val, bool& have_error) const; + + // Convert Threading::Value to an internal Bro list type. + Val* ValueToIndexVal(const Stream* i, int num_fields, const RecordType* type, const threading::Value* const *vals, bool& have_error) const; // Converts a threading::value to a record type. Mostly used by // ValueToVal. - RecordVal* ValueToRecordVal(const Stream* i, const threading::Value* const *vals, RecordType *request_type, int* position, bool& have_error); + RecordVal* ValueToRecordVal(const Stream* i, const threading::Value* const *vals, RecordType *request_type, int* position, bool& have_error) const; - Val* RecordValToIndexVal(RecordVal *r); + Val* RecordValToIndexVal(RecordVal *r) const; // Converts a Bro ListVal to a RecordVal given the record type. - RecordVal* ListValToRecordVal(ListVal* list, RecordType *request_type, int* position); + RecordVal* ListValToRecordVal(ListVal* list, RecordType *request_type, int* position) const; // Internally signal errors, warnings, etc. 
// These are sent on to input scriptland and reporter.log - void Info(const Stream* i, const char* fmt, ...) __attribute__((format(printf, 3, 4))); - void Warning(const Stream* i, const char* fmt, ...) __attribute__((format(printf, 3, 4))); - void Error(const Stream* i, const char* fmt, ...) __attribute__((format(printf, 3, 4))); + void Info(const Stream* i, const char* fmt, ...) const __attribute__((format(printf, 3, 4))); + void Warning(const Stream* i, const char* fmt, ...) const __attribute__((format(printf, 3, 4))); + void Error(const Stream* i, const char* fmt, ...) const __attribute__((format(printf, 3, 4))); enum class ErrorType { INFO, WARNING, ERROR }; - void ErrorHandler(const Stream* i, ErrorType et, bool reporter_send, const char* fmt, ...) __attribute__((format(printf, 5, 6))); - void ErrorHandler(const Stream* i, ErrorType et, bool reporter_send, const char* fmt, va_list ap); + void ErrorHandler(const Stream* i, ErrorType et, bool reporter_send, const char* fmt, ...) const __attribute__((format(printf, 5, 6))); + void ErrorHandler(const Stream* i, ErrorType et, bool reporter_send, const char* fmt, va_list ap) const __attribute__((format(printf, 5, 0))); - Stream* FindStream(const string &name); - Stream* FindStream(ReaderFrontend* reader); + Stream* FindStream(const string &name) const; + Stream* FindStream(ReaderFrontend* reader) const; enum StreamType { TABLE_STREAM, EVENT_STREAM, ANALYSIS_STREAM }; diff --git a/src/input/ReaderBackend.h b/src/input/ReaderBackend.h index 944f059fb1..84f6635da5 100644 --- a/src/input/ReaderBackend.h +++ b/src/input/ReaderBackend.h @@ -68,7 +68,7 @@ public: /** * Destructor. */ - virtual ~ReaderBackend(); + ~ReaderBackend() override; /** * A struct passing information to the reader at initialization time. diff --git a/src/input/Tag.h b/src/input/Tag.h index 78dd65676f..91d7539a39 100644 --- a/src/input/Tag.h +++ b/src/input/Tag.h 
@@ -98,14 +98,14 @@ protected: * @param subtype The sub type, which is left to an reader for * interpretation. By default it's set to zero. */ - Tag(type_t type, subtype_t subtype = 0); + explicit Tag(type_t type, subtype_t subtype = 0); /** * Constructor. * * @param val An enum value of script type \c Input::Reader. */ - Tag(EnumVal* val) : ::Tag(val) {} + explicit Tag(EnumVal* val) : ::Tag(val) {} }; } diff --git a/src/input/readers/CMakeLists.txt b/src/input/readers/CMakeLists.txt index 36b7439052..d653789847 100644 --- a/src/input/readers/CMakeLists.txt +++ b/src/input/readers/CMakeLists.txt @@ -2,5 +2,6 @@ add_subdirectory(ascii) add_subdirectory(benchmark) add_subdirectory(binary) +add_subdirectory(config) add_subdirectory(raw) add_subdirectory(sqlite) diff --git a/src/input/readers/ascii/Ascii.cc b/src/input/readers/ascii/Ascii.cc index 8b609bda04..d9120b91ae 100644 --- a/src/input/readers/ascii/Ascii.cc +++ b/src/input/readers/ascii/Ascii.cc @@ -49,6 +49,9 @@ FieldMapping FieldMapping::subType() Ascii::Ascii(ReaderFrontend *frontend) : ReaderBackend(frontend) { mtime = 0; + suppress_warnings = false; + fail_on_file_problem = false; + fail_on_invalid_lines = false; } Ascii::~Ascii() @@ -61,6 +64,8 @@ void Ascii::DoClose() bool Ascii::DoInit(const ReaderInfo& info, int num_fields, const Field* const* fields) { + suppress_warnings = false; + separator.assign( (const char*) BifConst::InputAscii::separator->Bytes(), BifConst::InputAscii::separator->Len()); @@ -73,6 +78,9 @@ bool Ascii::DoInit(const ReaderInfo& info, int num_fields, const Field* const* f unset_field.assign( (const char*) BifConst::InputAscii::unset_field->Bytes(), BifConst::InputAscii::unset_field->Len()); + fail_on_invalid_lines = BifConst::InputAscii::fail_on_invalid_lines; + fail_on_file_problem = BifConst::InputAscii::fail_on_file_problem; + // Set per-filter configuration options. for ( ReaderInfo::config_map::const_iterator i = info.config.begin(); i != info.config.end(); i++ ) { 
@@ -87,6 +95,12 @@ bool Ascii::DoInit(const ReaderInfo& info, int num_fields, const Field* const* f else if ( strcmp(i->first, "unset_field") == 0 ) unset_field.assign(i->second); + + else if ( strcmp(i->first, "fail_on_invalid_lines") == 0 ) + fail_on_invalid_lines = (strncmp(i->second, "T", 1) == 0); + + else if ( strcmp(i->first, "fail_on_file_problem") == 0 ) + fail_on_file_problem = (strncmp(i->second, "T", 1) == 0); } if ( separator.size() != 1 ) @@ -98,26 +112,51 @@ bool Ascii::DoInit(const ReaderInfo& info, int num_fields, const Field* const* f formatter::Ascii::SeparatorInfo sep_info(separator, set_separator, unset_field, empty_field); formatter = unique_ptr(new formatter::Ascii(this, sep_info)); - file.open(info.source); + return DoUpdate(); + } + +void Ascii::FailWarn(bool is_error, const char *msg, bool suppress_future) + { + if ( is_error ) + Error(msg); + else + { + // suppress error message when we are already in error mode. + // There is no reason to repeat it every second. + if ( ! suppress_warnings ) + Warning(msg); + + if ( suppress_future ) + suppress_warnings = true; + } + } + +bool Ascii::OpenFile() + { + if ( file.is_open() ) + return true; + + file.open(Info().source); + if ( ! file.is_open() ) { - Error(Fmt("Init: cannot open %s", info.source)); - return false; + FailWarn(fail_on_file_problem, Fmt("Init: cannot open %s", Info().source), true); + + return ! fail_on_file_problem; } if ( ReadHeader(false) == false ) { - Error(Fmt("Init: cannot open %s; headers are incorrect", info.source)); + FailWarn(fail_on_file_problem, Fmt("Init: cannot open %s; problem reading file header", Info().source), true); + file.close(); - return false; + return ! fail_on_file_problem; } - DoUpdate(); - + suppress_warnings = false; return true; } - bool Ascii::ReadHeader(bool useCached) { // try to read the header line... 
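Review bot: The two new per-stream options in DoInit are parsed with `strncmp(i->second, "T", 1) == 0`, which compares only the first byte. Any value starting with `T` enables the option, while `true`, `1` or a typo silently sets it to false, even when the script-level default read just above was true. Since fail_on_invalid_lines and fail_on_file_problem decide whether bad input stops the reader, a mistyped value should not pass unnoticed. I would compare the whole string, `fail_on_invalid_lines = (strcmp(i->second, "T") == 0);`, and emit a Warning for anything other than `T` or `F`. DoInit starts and ends outside this hunk.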
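Review bot: OpenFile() returns `! fail_on_file_problem` on both failure paths, so with the option unset it reports success while `file` is closed, and the `if ( ! OpenFile() )` guards added to DoUpdate and DoHeartbeat cannot tell a tolerated failure from an open stream. The bare `OpenFile();` that replaces the old open/ReadHeader block in the later DoUpdate hunk drops the result altogether, so the read loop runs on a closed stream even when fail_on_file_problem is set. If the rest of DoUpdate (outside these hunks) still ends the send in non-stream modes, a transient open or header failure may be indistinguishable from an empty file and clear entries already loaded, which matters for tables fed from intel or block lists; please confirm. I would have OpenFile() `return false;` whenever the stream is not open and use `if ( ! OpenFile() ) return ! fail_on_file_problem;` at the second call site as well. Config::OpenFile and Config::DoUpdate in the new Config.cc follow the same pattern.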
@@ -128,7 +167,8 @@ bool Ascii::ReadHeader(bool useCached) { if ( ! GetLine(line) ) { - Error("could not read first line"); + FailWarn(fail_on_file_problem, Fmt("Could not read input data file %s; first line could not be read", + Info().source), true); return false; } @@ -170,8 +210,9 @@ bool Ascii::ReadHeader(bool useCached) continue; } - Error(Fmt("Did not find requested field %s in input data file %s.", - field->name, Info().source)); + FailWarn(fail_on_file_problem, Fmt("Did not find requested field %s in input data file %s.", + field->name, Info().source), true); + return false; } @@ -182,8 +223,9 @@ bool Ascii::ReadHeader(bool useCached) map::iterator fit2 = ifields.find(field->secondary_name); if ( fit2 == ifields.end() ) { - Error(Fmt("Could not find requested port type field %s in input data file.", - field->secondary_name)); + FailWarn(fail_on_file_problem, Fmt("Could not find requested port type field %s in input data file.", + field->secondary_name), true); + return false; } @@ -193,7 +235,6 @@ bool Ascii::ReadHeader(bool useCached) columnMap.push_back(f); } - // well, that seems to have worked... return true; } @@ -224,6 +265,9 @@ bool Ascii::GetLine(string& str) // read the entire file and send appropriate thingies back to InputMgr bool Ascii::DoUpdate() { + if ( ! OpenFile() ) + return ! fail_on_file_problem; + switch ( Info().mode ) { case MODE_REREAD: { @@ -231,8 +275,10 @@ bool Ascii::DoUpdate() struct stat sb; if ( stat(Info().source, &sb) == -1 ) { - Error(Fmt("Could not get stat for %s", Info().source)); - return false; + FailWarn(fail_on_file_problem, Fmt("Could not get stat for %s", Info().source), true); + + file.close(); + return ! fail_on_file_problem; } if ( sb.st_mtime <= mtime ) // no change 
@@ -254,8 +300,10 @@ bool Ascii::DoUpdate() if ( Info().mode == MODE_STREAM ) { file.clear(); // remove end of file evil bits - if ( !ReadHeader(true) ) - return false; // header reading failed + if ( ! ReadHeader(true) ) + { + return ! fail_on_file_problem; // header reading failed + } break; } @@ -263,17 +311,7 @@ bool Ascii::DoUpdate() file.close(); } - file.open(Info().source); - if ( ! file.is_open() ) - { - Error(Fmt("cannot open %s", Info().source)); - return false; - } - - if ( ReadHeader(false) == false ) - { - return false; - } + OpenFile(); break; } @@ -327,14 +365,23 @@ bool Ascii::DoUpdate() if ( (*fit).position > pos || (*fit).secondary_position > pos ) { - Error(Fmt("Not enough fields in line %s. Found %d fields, want positions %d and %d", - line.c_str(), pos, (*fit).position, (*fit).secondary_position)); + FailWarn(fail_on_invalid_lines, Fmt("Not enough fields in line %s. Found %d fields, want positions %d and %d", + line.c_str(), pos, (*fit).position, (*fit).secondary_position)); - for ( int i = 0; i < fpos; i++ ) - delete fields[i]; + if ( fail_on_invalid_lines ) + { + for ( int i = 0; i < fpos; i++ ) + delete fields[i]; - delete [] fields; - return false; + delete [] fields; + + return false; + } + else + { + error = true; + break; + } } Value* val = formatter->ParseValue(stringfields[(*fit).position], (*fit).name, (*fit).type, (*fit).subtype); @@ -390,6 +437,9 @@ bool Ascii::DoUpdate() bool Ascii::DoHeartbeat(double network_time, double current_time) { + if ( ! OpenFile() ) + return ! fail_on_file_problem; + switch ( Info().mode ) { case MODE_MANUAL: diff --git a/src/input/readers/ascii/Ascii.h b/src/input/readers/ascii/Ascii.h index 20a459968d..130fc25075 100644 --- a/src/input/readers/ascii/Ascii.h +++ b/src/input/readers/ascii/Ascii.h 
@@ -36,7 +36,7 @@ struct FieldMapping { class Ascii : public ReaderBackend { public: explicit Ascii(ReaderFrontend* frontend); - ~Ascii(); + ~Ascii() override; // prohibit copying and moving Ascii(const Ascii&) = delete; @@ -55,6 +55,11 @@ protected: private: bool ReadHeader(bool useCached); bool GetLine(string& str); + bool OpenFile(); + // Call Warning or Error, depending on the is_error boolean. + // In case of a warning, setting suppress_future to true will suppress all future warnings + // (by setting suppress_warnings to true, until suppress_warnings is set back to false) + void FailWarn(bool is_error, const char *msg, bool suppress_future = false); ifstream file; time_t mtime; @@ -70,6 +75,12 @@ private: string set_separator; string empty_field; string unset_field; + bool fail_on_invalid_lines; + bool fail_on_file_problem; + + // this is an internal indicator in case the read is currently in a failed state + // it's used to suppress duplicate error messages. + bool suppress_warnings; std::unique_ptr formatter; }; diff --git a/src/input/readers/ascii/ascii.bif b/src/input/readers/ascii/ascii.bif index 8bb3a96492..80ff4611e7 100644 --- a/src/input/readers/ascii/ascii.bif +++ b/src/input/readers/ascii/ascii.bif @@ -5,3 +5,5 @@ const separator: string; const set_separator: string; const empty_field: string; const unset_field: string; +const fail_on_invalid_lines: bool; +const fail_on_file_problem: bool; diff --git a/src/input/readers/benchmark/Benchmark.cc b/src/input/readers/benchmark/Benchmark.cc index 9d962c8c64..49e989909c 100644 --- a/src/input/readers/benchmark/Benchmark.cc +++ b/src/input/readers/benchmark/Benchmark.cc @@ -125,7 +125,7 @@ bool Benchmark::DoUpdate() threading::Value* Benchmark::EntryToVal(TypeTag type, TypeTag subtype) { - Value* val = new Value(type, true); + Value* val = new Value(type, subtype, true); // basically construct something random from the fields that we want. 
diff --git a/src/input/readers/benchmark/Benchmark.h b/src/input/readers/benchmark/Benchmark.h index 42501c1c29..2c71845723 100644 --- a/src/input/readers/benchmark/Benchmark.h +++ b/src/input/readers/benchmark/Benchmark.h @@ -13,16 +13,16 @@ namespace input { namespace reader { */ class Benchmark : public ReaderBackend { public: - Benchmark(ReaderFrontend* frontend); - ~Benchmark(); + explicit Benchmark(ReaderFrontend* frontend); + ~Benchmark() override; static ReaderBackend* Instantiate(ReaderFrontend* frontend) { return new Benchmark(frontend); } protected: - virtual bool DoInit(const ReaderInfo& info, int arg_num_fields, const threading::Field* const* fields); - virtual void DoClose(); - virtual bool DoUpdate(); - virtual bool DoHeartbeat(double network_time, double current_time); + bool DoInit(const ReaderInfo& info, int arg_num_fields, const threading::Field* const* fields) override; + void DoClose() override; + bool DoUpdate() override; + bool DoHeartbeat(double network_time, double current_time) override; private: double CurrTime(); diff --git a/src/input/readers/binary/Binary.h b/src/input/readers/binary/Binary.h index 587d56cfa7..6fd5a3b001 100644 --- a/src/input/readers/binary/Binary.h +++ b/src/input/readers/binary/Binary.h 
@@ -14,19 +14,18 @@ namespace input { namespace reader { */ class Binary : public ReaderBackend { public: - Binary(ReaderFrontend* frontend); - - ~Binary(); + explicit Binary(ReaderFrontend* frontend); + ~Binary() override; static ReaderBackend* Instantiate(ReaderFrontend* frontend) { return new Binary(frontend); } protected: - virtual bool DoInit(const ReaderInfo& info, int arg_num_fields, - const threading::Field* const* fields); - virtual void DoClose(); - virtual bool DoUpdate(); - virtual bool DoHeartbeat(double network_time, double current_time); + bool DoInit(const ReaderInfo& info, int arg_num_fields, + const threading::Field* const* fields) override; + void DoClose() override; + bool DoUpdate() override; + bool DoHeartbeat(double network_time, double current_time) override; private: bool OpenInput(); diff --git a/src/input/readers/config/CMakeLists.txt b/src/input/readers/config/CMakeLists.txt new file mode 100644 index 0000000000..8e4c1aa5aa --- /dev/null +++ b/src/input/readers/config/CMakeLists.txt @@ -0,0 +1,9 @@ + +include(BroPlugin) + +include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) + +bro_plugin_begin(Bro ConfigReader) +bro_plugin_cc(Config.cc Plugin.cc) +bro_plugin_bif(config.bif) +bro_plugin_end() diff --git a/src/input/readers/config/Config.cc b/src/input/readers/config/Config.cc new file mode 100644 index 0000000000..e50b468a36 --- /dev/null +++ b/src/input/readers/config/Config.cc 
@@ -0,0 +1,319 @@ +// See the file "COPYING" in the main distribution directory for copyright. + +#include +#include + +#include +#include +#include +#include +#include + +#include "Config.h" +#include "config.bif.h" + +#include "input/Manager.h" +#include "threading/SerialTypes.h" + +using namespace input::reader; +using namespace threading; +using threading::Value; +using threading::Field; + +Config::Config(ReaderFrontend *frontend) : ReaderBackend(frontend) + { + mtime = 0; + suppress_warnings = false; + fail_on_file_problem = false; + + // find all option names and their types. + auto globals = global_scope()->Vars(); + auto c = globals->InitForIteration(); + + while ( auto id = globals->NextEntry(c) ) + { + if ( id->IsInternalGlobal() || ! id->IsOption() ) + continue; + + if ( id->Type()->Tag() == TYPE_RECORD || + ! input::Manager::IsCompatibleType(id->Type()) ) + { + option_types[id->Name()] = std::make_tuple(TYPE_ERROR, id->Type()->Tag()); + continue; + } + + TypeTag primary = id->Type()->Tag(); + TypeTag secondary = TYPE_VOID; + if ( primary == TYPE_TABLE ) + secondary = id->Type()->AsSetType()->Indices()->PureType()->Tag(); + else if ( primary == TYPE_VECTOR ) + secondary = id->Type()->AsVectorType()->YieldType()->Tag(); + + option_types[id->Name()] = std::make_tuple(primary, secondary); + } + } + +Config::~Config() + { + } + +void Config::DoClose() + { + } + +bool Config::DoInit(const ReaderInfo& info, int num_fields, const Field* const* fields) + { + fail_on_file_problem = BifConst::InputConfig::fail_on_file_problem; + + set_separator.assign( (const char*) BifConst::InputConfig::set_separator->Bytes(), + BifConst::InputConfig::set_separator->Len()); + + empty_field.assign( (const char*) BifConst::InputConfig::empty_field->Bytes(), + BifConst::InputConfig::empty_field->Len()); + + formatter::Ascii::SeparatorInfo sep_info("\t", set_separator, "", empty_field); + formatter = unique_ptr(new formatter::Ascii(this, sep_info)); + + return DoUpdate(); + } + 
+bool Config::OpenFile() + { + if ( file.is_open() ) + return true; + + file.open(Info().source); + + if ( ! file.is_open() ) + { + FailWarn(fail_on_file_problem, Fmt("Init: cannot open %s", Info().source), true); + return ! fail_on_file_problem; + } + + suppress_warnings = false; + return true; + } + +void Config::FailWarn(bool is_error, const char *msg, bool suppress_future) + { + if ( is_error ) + Error(msg); + else + { + // suppress error message when we are already in error mode. + // There is no reason to repeat it every second. + if ( ! suppress_warnings ) + Warning(msg); + + if ( suppress_future ) + suppress_warnings = true; + } + } + +bool Config::GetLine(string& str) + { + while ( getline(file, str) ) + { + if ( ! str.size() ) + continue; + + if ( str.back() == '\r' ) // deal with \r\n by removing \r + str.pop_back(); + + if ( str[0] != '#' ) + return true; + } + + return false; + } + +// read the entire file and send appropriate thingies back to InputMgr +bool Config::DoUpdate() + { + if ( ! OpenFile() ) + return ! fail_on_file_problem; + + switch ( Info().mode ) { + case MODE_REREAD: + { + // check if the file has changed + struct stat sb; + if ( stat(Info().source, &sb) == -1 ) + { + FailWarn(fail_on_file_problem, Fmt("Could not get stat for %s", Info().source), true); + + file.close(); + return ! fail_on_file_problem; + } + + if ( sb.st_mtime <= mtime ) // no change + return true; + + mtime = sb.st_mtime; + // file changed. reread. + + // fallthrough + } + + case MODE_MANUAL: + case MODE_STREAM: + { + // dirty, fix me. (well, apparently after trying seeking, etc + // - this is not that bad) + if ( file.is_open() ) + { + if ( Info().mode == MODE_STREAM ) + { + file.clear(); // remove end of file evil bits + break; + } + + file.close(); + } + + OpenFile(); + + break; + } + + default: + assert(false); + } + + string line; + file.sync(); + + // keep a list of options to remove because they were no longer in the input file. 
+ // Start out with all element and removes while going along + std::unordered_set unseen_options; + for ( auto i : option_values ) + { + unseen_options.insert(i.first); + } + + regex_t re; + if ( regcomp(&re, "^([^[:blank:]]+)[[:blank:]]+(.*)$", REG_EXTENDED) ) + { + Error(Fmt("Failed to compile regex.")); + return true; + } + + while ( GetLine(line) ) + { + regmatch_t match[3]; + if ( regexec(&re, line.c_str(), 3, match, 0) ) + { + Warning(Fmt("Could not parse '%s'; line has invalid format. Ignoring line.", line.c_str())); + continue; + } + + string key = line.substr(match[1].rm_so, match[1].rm_eo - match[1].rm_so); + string value = line.substr(match[2].rm_so, match[2].rm_eo - match[2].rm_so); + + auto typeit = option_types.find(key); + if ( typeit == option_types.end() ) + { + Warning(Fmt("Option '%s' does not exist. Ignoring line.", key.c_str())); + continue; + } + + if ( std::get<0>((*typeit).second) == TYPE_ERROR ) + { + Warning(Fmt("Option '%s' has type '%s', which is not supported for file input. Ignoring line.", key.c_str(), type_name(std::get<1>((*typeit).second)))); + continue; + } + + Value* eventval = formatter->ParseValue(value, key, std::get<0>((*typeit).second), std::get<1>((*typeit).second)); + if ( ! eventval ) + { + Warning(Fmt("Could not convert line '%s' to value. Ignoring line.", line.c_str())); + continue; + } + else if ( ! eventval->present ) + { + Warning(Fmt("Line '%s' has no value. Ignoring line.", line.c_str())); + delete eventval; + continue; + } + + unseen_options.erase(key); + + // we only send the event if the underlying value has changed. Let's check that. + // (Yes, this means we keep all configuration options in memory twice - once here in + // the reader and once in memory in Bro; that is difficult to change. 
+ auto search = option_values.find(key); + if ( search != option_values.end() && search->second == value ) + { + delete eventval; + continue; + } + + option_values[key] = value; + + { + Value** fields = new Value*[2]; + Value* keyval = new threading::Value(TYPE_STRING, true); + keyval->val.string_val.length = key.size(); + keyval->val.string_val.data = copy_string(key.c_str()); + fields[0] = keyval; + Value* val = new threading::Value(TYPE_STRING, true); + val->val.string_val.length = value.size(); + val->val.string_val.data = copy_string(value.c_str()); + fields[1] = val; + + if ( Info().mode == MODE_STREAM ) + Put(fields); + else + SendEntry(fields); + } + + { + Value** vals = new Value*[4]; + vals[0] = new Value(TYPE_STRING, true); + vals[0]->val.string_val.data = copy_string(Info().name); + vals[0]->val.string_val.length = strlen(Info().name); + vals[1] = new Value(TYPE_STRING, true); + vals[1]->val.string_val.data = copy_string(Info().source); + vals[1]->val.string_val.length = strlen(Info().source); + vals[2] = new Value(TYPE_STRING, true); + vals[2]->val.string_val.data = copy_string(key.c_str()); + vals[2]->val.string_val.length = key.size(); + vals[3] = eventval; + + SendEvent("InputConfig::new_value", 4, vals); + } + } + + regfree(&re); + + if ( Info().mode != MODE_STREAM ) + EndCurrentSend(); + + // clean up all options we did not see + for ( auto i : unseen_options ) + option_values.erase(i); + + return true; + } + +bool Config::DoHeartbeat(double network_time, double current_time) + { + switch ( Info().mode ) + { + case MODE_MANUAL: + // yay, we do nothing :) + break; + + case MODE_REREAD: + case MODE_STREAM: + Update(); // call update and not DoUpdate, because update + // checks disabled. + break; + + default: + assert(false); + } + + return true; + } + diff --git a/src/input/readers/config/Config.h b/src/input/readers/config/Config.h new file mode 100644 index 0000000000..b0dc83f725 --- /dev/null +++ b/src/input/readers/config/Config.h 
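Review bot: The per-line warnings in Config::DoUpdate echo the whole input line, value included (`Could not convert line '%s' to value` and `Line '%s' has no value`), so a malformed entry copies the option's value into the reader's warning output. If an option ever carries a credential or token, that value ends up in the logs. The key is already parsed at that point, so the message can name it instead: `Warning(Fmt("Could not convert value of option '%s'. Ignoring line.", key.c_str()));`. These warnings also do not go through FailWarn's suppression, so a file with many bad lines produces one message per line each time it is read.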
@@ -0,0 +1,67 @@ +// See the file "COPYING" in the main distribution directory for copyright. + +#ifndef INPUT_READERS_CONFIG_H +#define INPUT_READERS_CONFIG_H + +#include +#include +#include +#include +#include + +#include "input/ReaderBackend.h" +#include "threading/formatters/Ascii.h" + +namespace input { namespace reader { + +/** + * Reader for Configuration files. + */ +class Config : public ReaderBackend { +public: + explicit Config(ReaderFrontend* frontend); + ~Config() override; + + // prohibit copying and moving + Config(const Config&) = delete; + Config(Config&&) = delete; + Config& operator=(const Config&) = delete; + Config& operator=(Config&&) = delete; + + static ReaderBackend* Instantiate(ReaderFrontend* frontend) { return new Config(frontend); } + +protected: + bool DoInit(const ReaderInfo& info, int arg_num_fields, const threading::Field* const* fields) override; + void DoClose() override; + bool DoUpdate() override; + bool DoHeartbeat(double network_time, double current_time) override; + +private: + bool GetLine(string& str); + bool OpenFile(); + // Call Warning or Error, depending on the is_error boolean. + // In case of a warning, setting suppress_future to true will suppress all future warnings + // (by setting suppress_warnings to true, until suppress_warnings is set back to false) + void FailWarn(bool is_error, const char *msg, bool suppress_future = false); + + ifstream file; + time_t mtime; + + bool fail_on_file_problem; + // this is an internal indicator in case the read is currently in a failed state + // it's used to suppress duplicate error messages. + bool suppress_warnings; + + string set_separator; + string empty_field; + + std::unique_ptr formatter; + std::unordered_map> option_types; + std::unordered_map option_values; +}; + + +} +} + +#endif /* INPUT_READERS_CONFIG_H */ diff --git a/src/input/readers/config/Plugin.cc b/src/input/readers/config/Plugin.cc new file mode 100644 index 0000000000..77c8a97091 --- /dev/null 
+++ b/src/input/readers/config/Plugin.cc @@ -0,0 +1,24 @@ +// See the file in the main distribution directory for copyright. + +#include "plugin/Plugin.h" + +#include "Config.h" + +namespace plugin { +namespace Bro_ConfigReader { + +class Plugin : public plugin::Plugin { +public: + plugin::Configuration Configure() + { + AddComponent(new ::input::Component("Config", ::input::reader::Config::Instantiate)); + + plugin::Configuration config; + config.name = "Bro::ConfigReader"; + config.description = "Configuration file input reader"; + return config; + } +} plugin; + +} +} diff --git a/src/input/readers/config/config.bif b/src/input/readers/config/config.bif new file mode 100644 index 0000000000..4ca3ec6690 --- /dev/null +++ b/src/input/readers/config/config.bif @@ -0,0 +1,6 @@ + +module InputConfig; + +const set_separator: string; +const empty_field: string; +const fail_on_file_problem: bool; diff --git a/src/input/readers/raw/Plugin.cc b/src/input/readers/raw/Plugin.cc index c7af84e34e..e16a233fe6 100644 --- a/src/input/readers/raw/Plugin.cc +++ b/src/input/readers/raw/Plugin.cc @@ -8,7 +8,6 @@ using namespace plugin::Bro_RawReader; Plugin::Plugin() { - init = false; } plugin::Configuration Plugin::Configure() @@ -23,21 +22,14 @@ plugin::Configuration Plugin::Configure() void Plugin::InitPreScript() { - if ( pthread_mutex_init(&fork_mutex, 0) != 0 ) - reporter->FatalError("cannot initialize raw reader's mutex"); - - init = true; } void Plugin::Done() { - pthread_mutex_destroy(&fork_mutex); - init = false; } -pthread_mutex_t* Plugin::ForkMutex() +std::unique_lock Plugin::ForkMutex() { - assert(init); - return &fork_mutex; + return std::unique_lock(fork_mutex, std::defer_lock); } diff --git a/src/input/readers/raw/Plugin.h b/src/input/readers/raw/Plugin.h index 59a5dfd2be..31fa611130 100644 --- a/src/input/readers/raw/Plugin.h +++ b/src/input/readers/raw/Plugin.h 
@@ -1,4 +1,6 @@ -// See the file in the main distribution directory for copyright. +// See the file in the main distribution directory for copyright. + +#include #include "plugin/Plugin.h" @@ -11,16 +13,15 @@ class Plugin : public plugin::Plugin { public: Plugin(); - plugin::Configuration Configure(); + plugin::Configuration Configure() override; - virtual void InitPreScript(); - virtual void Done(); + void InitPreScript() override; + void Done() override; - pthread_mutex_t * ForkMutex(); + std::unique_lock ForkMutex(); private: - bool init; - pthread_mutex_t fork_mutex; + std::mutex fork_mutex; }; diff --git a/src/input/readers/raw/Raw.cc b/src/input/readers/raw/Raw.cc index cfa7b72602..27d8b0c685 100644 --- a/src/input/readers/raw/Raw.cc +++ b/src/input/readers/raw/Raw.cc @@ -90,30 +90,27 @@ bool Raw::SetFDFlags(int fd, int cmd, int flags) return true; char buf[256]; - strerror_r(errno, buf, sizeof(buf)); + bro_strerror_r(errno, buf, sizeof(buf)); Error(Fmt("failed to set fd flags: %s", buf)); return false; } -bool Raw::LockForkMutex() +std::unique_lock Raw::AcquireForkMutex() { - int res = pthread_mutex_lock(plugin::Bro_RawReader::plugin.ForkMutex()); - if ( res == 0 ) - return true; + auto lock = plugin::Bro_RawReader::plugin.ForkMutex(); - Error(Fmt("cannot lock fork mutex: %d", res)); - return false; - } + try + { + lock.lock(); + } -bool Raw::UnlockForkMutex() - { - int res = pthread_mutex_unlock(plugin::Bro_RawReader::plugin.ForkMutex()); - if ( res == 0 ) - return true; + catch ( const std::system_error& e ) + { + reporter->FatalErrorWithCore("cannot lock fork mutex: %s", e.what()); + } - Error(Fmt("cannot unlock fork mutex: %d", res)); - return false; + return lock; } bool Raw::Execute() 
@@ -126,12 +123,10 @@ bool Raw::Execute() // never crops up... ("never" meaning I haven't seen in it in // hundreds of tests using 50+ threads where before I'd see the issue // w/ just 2 threads ~33% of the time). - if ( ! LockForkMutex() ) - return false; + auto lock = AcquireForkMutex(); if ( pipe(pipes) != 0 || pipe(pipes+2) || pipe(pipes+4) ) { - UnlockForkMutex(); Error(Fmt("Could not open pipe: %d", errno)); return false; } @@ -139,7 +134,6 @@ bool Raw::Execute() childpid = fork(); if ( childpid < 0 ) { - UnlockForkMutex(); Error(Fmt("Could not create child process: %d", errno)); return false; } @@ -203,13 +197,12 @@ bool Raw::Execute() else { char buf[256]; - strerror_r(errno, buf, sizeof(buf)); + bro_strerror_r(errno, buf, sizeof(buf)); Warning(Fmt("Could not set child process group: %s", buf)); } } - if ( ! UnlockForkMutex() ) - return false; + lock.unlock(); ClosePipeEnd(stdout_out); @@ -300,7 +293,7 @@ bool Raw::OpenInput() if ( fseek(file.get(), pos, whence) < 0 ) { char buf[256]; - strerror_r(errno, buf, sizeof(buf)); + bro_strerror_r(errno, buf, sizeof(buf)); Error(Fmt("Seek failed in init: %s", buf)); } } diff --git a/src/input/readers/raw/Raw.h b/src/input/readers/raw/Raw.h index 2a166ae322..c6075cbe70 100644 --- a/src/input/readers/raw/Raw.h +++ b/src/input/readers/raw/Raw.h @@ -4,8 +4,8 @@ #define INPUT_READERS_RAW_H #include -#include #include +#include #include "input/ReaderBackend.h" @@ -18,7 +18,7 @@ namespace input { namespace reader { class Raw : public ReaderBackend { public: explicit Raw(ReaderFrontend* frontend); - ~Raw(); + ~Raw() override; // prohibit copying and moving Raw(const Raw&) = delete; @@ -37,8 +37,7 @@ protected: private: void ClosePipeEnd(int i); bool SetFDFlags(int fd, int cmd, int flags); - bool LockForkMutex(); - bool UnlockForkMutex(); + std::unique_lock AcquireForkMutex(); bool OpenInput(); bool CloseInput(); @@ -87,7 +86,6 @@ private: }; static const int block_size; - static pthread_mutex_t fork_mutex; }; } 
diff --git a/src/input/readers/sqlite/SQLite.cc b/src/input/readers/sqlite/SQLite.cc index c970e60182..40c0f8a063 100644 --- a/src/input/readers/sqlite/SQLite.cc +++ b/src/input/readers/sqlite/SQLite.cc @@ -128,7 +128,7 @@ bool SQLite::DoInit(const ReaderInfo& info, int arg_num_fields, const threading: Value* SQLite::EntryToVal(sqlite3_stmt *st, const threading::Field *field, int pos, int subpos) { if ( sqlite3_column_type(st, pos ) == SQLITE_NULL ) - return new Value(field->type, false); + return new Value(field->type, field->subtype, false); Value* val = new Value(field->type, true); diff --git a/src/input/readers/sqlite/SQLite.h b/src/input/readers/sqlite/SQLite.h index 5add678b16..2aa01017e1 100644 --- a/src/input/readers/sqlite/SQLite.h +++ b/src/input/readers/sqlite/SQLite.h @@ -16,16 +16,16 @@ namespace input { namespace reader { class SQLite : public ReaderBackend { public: - SQLite(ReaderFrontend* frontend); - ~SQLite(); + explicit SQLite(ReaderFrontend* frontend); + ~SQLite() override; static ReaderBackend* Instantiate(ReaderFrontend* frontend) { return new SQLite(frontend); } protected: - virtual bool DoInit(const ReaderInfo& info, int arg_num_fields, const threading::Field* const* arg_fields); - virtual void DoClose(); - virtual bool DoUpdate(); - virtual bool DoHeartbeat(double network_time, double current_time) { return true; } + bool DoInit(const ReaderInfo& info, int arg_num_fields, const threading::Field* const* arg_fields) override; + void DoClose() override; + bool DoUpdate() override; + bool DoHeartbeat(double network_time, double current_time) override { return true; } private: bool checkError(int code); diff --git a/src/iosource/Component.h b/src/iosource/Component.h index 4a38a9cd22..2d9d19e799 100644 --- a/src/iosource/Component.h +++ b/src/iosource/Component.h 
@@ -27,17 +27,12 @@ public: * @param name A descriptive name for the component. This name must * be unique across all components of this type. */ - Component(const std::string& name); - - /** - * Copy constructor. - */ - Component(const Component& other); + explicit Component(const std::string& name); /** * Destructor. */ - ~Component(); + ~Component() override; protected: /** @@ -85,7 +80,7 @@ public: /** * Destructor. */ - virtual ~PktSrcComponent(); + ~PktSrcComponent() override; /** * Returns the prefix(es) passed to the constructor. @@ -118,7 +113,7 @@ public: * Generates a human-readable description of the component. This goes * into the output of \c "bro -NN". */ - virtual void DoDescribe(ODesc* d) const; + void DoDescribe(ODesc* d) const override; private: std::vector prefixes; @@ -144,7 +139,7 @@ public: /** * Destructor. */ - ~PktDumperComponent(); + ~PktDumperComponent() override; /** * Returns the prefix(es) passed to the constructor. @@ -165,7 +160,7 @@ public: * Generates a human-readable description of the component. This goes * into the output of \c "bro -NN". */ - virtual void DoDescribe(ODesc* d) const; + void DoDescribe(ODesc* d) const override; private: std::vector prefixes; diff --git a/src/iosource/Manager.cc b/src/iosource/Manager.cc index 80fa5fe860..390449da81 100644 --- a/src/iosource/Manager.cc +++ b/src/iosource/Manager.cc @@ -81,7 +81,7 @@ IOSource* Manager::FindSoonest(double* ts) all_idle = false; double local_network_time = 0; double ts = (*i)->src->NextTimestamp(&local_network_time); - if ( ts > 0 && ts < soonest_ts ) + if ( ts >= 0 && ts < soonest_ts ) { soonest_ts = ts; soonest_src = (*i)->src; @@ -162,7 +162,7 @@ IOSource* Manager::FindSoonest(double* ts) { double local_network_time = 0; double ts = src->src->NextTimestamp(&local_network_time); - if ( ts > 0.0 && ts < soonest_ts ) + if ( ts >= 0.0 && ts < soonest_ts ) { soonest_ts = ts; soonest_src = src->src; 
diff --git a/src/iosource/Packet.cc b/src/iosource/Packet.cc index 91bba76ba6..3aa0e28b92 100644 --- a/src/iosource/Packet.cc +++ b/src/iosource/Packet.cc @@ -86,6 +86,9 @@ int Packet::GetLinkHeaderSize(int link_type) case DLT_PPP_SERIAL: // PPP_SERIAL return 4; + case DLT_IEEE802_11: // 802.11 monitor + return 34; + case DLT_IEEE802_11_RADIO: // 802.11 plus RadioTap return 59; @@ -137,6 +140,20 @@ void Packet::ProcessLayer2() case DLT_EN10MB: { + // Skip past Cisco FabricPath to encapsulated ethernet frame. + if ( pdata[12] == 0x89 && pdata[13] == 0x03 ) + { + auto constexpr cfplen = 16; + + if ( pdata + cfplen + GetLinkHeaderSize(link_type) >= end_of_data ) + { + Weird("truncated_link_header_cfp"); + return; + } + + pdata += cfplen; + } + // Get protocol being carried from the ethernet frame. int protocol = (pdata[12] << 8) + pdata[13]; @@ -146,36 +163,17 @@ void Packet::ProcessLayer2() pdata += GetLinkHeaderSize(link_type); - switch ( protocol ) + bool saw_vlan = false; + + while ( protocol == 0x8100 || protocol == 0x9100 || + protocol == 0x8864 ) { - // MPLS carried over the ethernet frame. - case 0x8847: - have_mpls = true; - break; - - // VLAN carried over the ethernet frame. - // 802.1q / 802.1ad - case 0x8100: - case 0x9100: - if ( pdata + 4 >= end_of_data ) - { - Weird("truncated_link_header"); - return; - } - - vlan = ((pdata[0] << 8) + pdata[1]) & 0xfff; - protocol = ((pdata[2] << 8) + pdata[3]); - pdata += 4; // Skip the vlan header - - // Check for MPLS in VLAN. - if ( protocol == 0x8847 ) - { - have_mpls = true; - break; - } - - // Check for double-tagged (802.1ad) - if ( protocol == 0x8100 || protocol == 0x9100 ) + switch ( protocol ) + { + // VLAN carried over the ethernet frame. + // 802.1q / 802.1ad + case 0x8100: + case 0x9100: { if ( pdata + 4 >= end_of_data ) { 
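Review bot: In the `DLT_EN10MB` case the new FabricPath test reads `pdata[12]` and `pdata[13]` before any length check visible in this hunk; the `truncated_link_header_cfp` check only runs once those two bytes have already matched. ProcessLayer2 starts outside the hunk, so please confirm that something earlier guarantees at least 14 captured bytes. If nothing does, a short frame is read past `end_of_data` here. Folding the bound into the condition would make the case self-contained: `if ( pdata + 14 <= end_of_data && pdata[12] == 0x89 && pdata[13] == 0x03 )`.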
@@ -183,39 +181,46 @@ void Packet::ProcessLayer2() return; } - inner_vlan = ((pdata[0] << 8) + pdata[1]) & 0xfff; + auto& vlan_ref = saw_vlan ? inner_vlan : vlan; + vlan_ref = ((pdata[0] << 8) + pdata[1]) & 0xfff; protocol = ((pdata[2] << 8) + pdata[3]); pdata += 4; // Skip the vlan header + saw_vlan = true; + eth_type = protocol; } + break; - eth_type = protocol; - break; - - // PPPoE carried over the ethernet frame. - case 0x8864: - if ( pdata + 8 >= end_of_data ) + // PPPoE carried over the ethernet frame. + case 0x8864: { - Weird("truncated_link_header"); - return; + if ( pdata + 8 >= end_of_data ) + { + Weird("truncated_link_header"); + return; + } + + protocol = (pdata[6] << 8) + pdata[7]; + pdata += 8; // Skip the PPPoE session and PPP header + + if ( protocol == 0x0021 ) + l3_proto = L3_IPV4; + else if ( protocol == 0x0057 ) + l3_proto = L3_IPV6; + else + { + // Neither IPv4 nor IPv6. + Weird("non_ip_packet_in_pppoe_encapsulation"); + return; + } } - - protocol = (pdata[6] << 8) + pdata[7]; - pdata += 8; // Skip the PPPoE session and PPP header - - if ( protocol == 0x0021 ) - l3_proto = L3_IPV4; - else if ( protocol == 0x0057 ) - l3_proto = L3_IPV6; - else - { - // Neither IPv4 nor IPv6. - Weird("non_ip_packet_in_pppoe_encapsulation"); - return; - } - - break; + break; + } } + // Check for MPLS in VLAN. + if ( protocol == 0x8847 ) + have_mpls = true; + // Normal path to determine Layer 3 protocol. if ( ! have_mpls && l3_proto == L3_UNKNOWN ) { @@ -279,12 +284,15 @@ void Packet::ProcessLayer2() } pdata += rtheader_len; + } + case DLT_IEEE802_11: + { u_char len_80211 = 24; // minimal length of data frames if ( pdata + len_80211 >= end_of_data ) { - Weird("truncated_radiotap_header"); + Weird("truncated_802_11_header"); return; } @@ -316,7 +324,7 @@ void Packet::ProcessLayer2() if ( pdata + len_80211 >= end_of_data ) { - Weird("truncated_radiotap_header"); + Weird("truncated_802_11_header"); return; } 
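Review bot: `auto& vlan_ref = saw_vlan ? inner_vlan : vlan;` sends every tag after the first into `inner_vlan`, so with the new `while` loop (opened in the previous hunk) a frame stacking three or more 802.1Q/802.1ad tags ends up recording only the outermost tag and the last one, with nothing flagged. For a monitor that is a visibility gap, because the logged VLAN fields no longer describe the frame that was seen. Consider counting the tags and raising a weird when a third appears, for example `if ( ++vlan_depth > 2 ) Weird("vlan_stack_too_deep");` (both names are only a suggestion). The per-iteration `pdata + 4 >= end_of_data` check already bounds the loop, so this is about reporting rather than termination.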
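Review bot: The `DLT_IEEE802_11_RADIO` block now closes with `}` and runs straight into the new `case DLT_IEEE802_11:` label without a `break`. That fall-through is what lets both link types share the 802.11 parsing, but nothing marks it as deliberate. A comment just above the label, `// Fall through: RadioTap header skipped, parse the 802.11 header next.`, would keep a later cleanup from adding a `break` there.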
@@ -349,7 +357,7 @@ void Packet::ProcessLayer2() if ( pdata + 8 >= end_of_data ) { - Weird("truncated_radiotap_header"); + Weird("truncated_802_11_header"); return; } // Check that the DSAP and SSAP are both SNAP and that the control @@ -374,9 +382,11 @@ void Packet::ProcessLayer2() l3_proto = L3_IPV4; else if ( protocol == 0x86DD ) l3_proto = L3_IPV6; + else if ( protocol == 0x0806 || protocol == 0x8035 ) + l3_proto = L3_ARP; else { - Weird("non_ip_packet_in_ieee802_11_radio_encapsulation"); + Weird("non_ip_packet_in_ieee802_11"); return; } pdata += 2; diff --git a/src/iosource/PktDumper.h b/src/iosource/PktDumper.h index dcfda2030b..4e53cd7aff 100644 --- a/src/iosource/PktDumper.h +++ b/src/iosource/PktDumper.h @@ -54,13 +54,6 @@ public: */ int HdrSize() const; - /** - * Writes a packet to the dumper. - * - * @param pkt The packet to record. - */ - bool Record(const Packet* pkt); - // PktDumper interface for derived classes to implement. /** diff --git a/src/iosource/PktSrc.cc b/src/iosource/PktSrc.cc index a9362a0b62..343801ab7d 100644 --- a/src/iosource/PktSrc.cc +++ b/src/iosource/PktSrc.cc @@ -10,6 +10,8 @@ #include "Hash.h" #include "Net.h" #include "Sessions.h" +#include "broker/Manager.h" +#include "iosource/Manager.h" #include "pcap/pcap.bif.h" @@ -304,13 +306,19 @@ bool PktSrc::ExtractNextPacketInternal() return 1; } - if ( pseudo_realtime && using_communication && ! IsOpen() ) + if ( pseudo_realtime && ! IsOpen() ) { - // Source has gone dry, we're done. - if ( remote_trace_sync_interval ) - remote_serializer->SendFinalSyncPoint(); - else - remote_serializer->Terminate(); + if ( using_communication ) + { + // Source has gone dry, we're done. + if ( remote_trace_sync_interval ) + remote_serializer->SendFinalSyncPoint(); + else + remote_serializer->Terminate(); + } + + if ( broker_mgr->Active() ) + iosource_mgr->Terminate(); } SetIdle(true); diff --git a/src/iosource/PktSrc.h b/src/iosource/PktSrc.h index 25a743dc53..dcf5f38de8 100644 
--- a/src/iosource/PktSrc.h +++ b/src/iosource/PktSrc.h @@ -57,7 +57,7 @@ public: /** * Destructor. */ - virtual ~PktSrc(); + ~PktSrc() override; /** * Returns the path associated with the source. This is the interface @@ -92,11 +92,6 @@ public: */ const char* ErrorMsg() const; - /** - * Returns the size of the link-layer header for this source. - */ - int HdrSize() const; - /** * In pseudo-realtime mode, returns the logical timestamp of the * current packet. Undefined if not running pseudo-realtime mode. @@ -350,13 +345,13 @@ private: bool ExtractNextPacketInternal(); // IOSource interface implementation. - virtual void Init(); - virtual void Done(); - virtual void GetFds(iosource::FD_Set* read, iosource::FD_Set* write, - iosource::FD_Set* except); - virtual double NextTimestamp(double* local_network_time); - virtual void Process(); - virtual const char* Tag(); + void Init() override; + void Done() override; + void GetFds(iosource::FD_Set* read, iosource::FD_Set* write, + iosource::FD_Set* except) override; + double NextTimestamp(double* local_network_time) override; + void Process() override; + const char* Tag() override; Properties props; diff --git a/src/iosource/pcap/Dumper.h b/src/iosource/pcap/Dumper.h index 7950912d56..19defc627f 100644 --- a/src/iosource/pcap/Dumper.h +++ b/src/iosource/pcap/Dumper.h @@ -15,15 +15,15 @@ namespace pcap { class PcapDumper : public PktDumper { public: PcapDumper(const std::string& path, bool append); - virtual ~PcapDumper(); + ~PcapDumper() override; static PktDumper* Instantiate(const std::string& path, bool appen); protected: // PktDumper interface. - virtual void Open(); - virtual void Close(); - virtual bool Dump(const Packet* pkt); + void Open() override; + void Close() override; + bool Dump(const Packet* pkt) override; private: Properties props; diff --git a/src/iosource/pcap/Source.h b/src/iosource/pcap/Source.h index f3c193d855..1672d1c10f 100644 --- a/src/iosource/pcap/Source.h +++ b/src/iosource/pcap/Source.h 
@@ -11,19 +11,19 @@ namespace pcap { class PcapSource : public iosource::PktSrc { public: PcapSource(const std::string& path, bool is_live); - virtual ~PcapSource(); + ~PcapSource() override; static PktSrc* Instantiate(const std::string& path, bool is_live); protected: // PktSrc interface. - virtual void Open(); - virtual void Close(); - virtual bool ExtractNextPacket(Packet* pkt); - virtual void DoneWithPacket(); - virtual bool PrecompileFilter(int index, const std::string& filter); - virtual bool SetFilter(int index); - virtual void Statistics(Stats* stats); + void Open() override; + void Close() override; + bool ExtractNextPacket(Packet* pkt) override; + void DoneWithPacket() override; + bool PrecompileFilter(int index, const std::string& filter) override; + bool SetFilter(int index) override; + void Statistics(Stats* stats) override; private: void OpenLive(); diff --git a/src/logging/CMakeLists.txt b/src/logging/CMakeLists.txt index f7ed586014..6553e2170f 100644 --- a/src/logging/CMakeLists.txt +++ b/src/logging/CMakeLists.txt @@ -6,6 +6,9 @@ include_directories(BEFORE ${CMAKE_CURRENT_BINARY_DIR} ) +include_directories(BEFORE ${CAF_INCLUDE_DIR_CORE}) +include_directories(BEFORE ${CAF_INCLUDE_DIR_IO}) + add_subdirectory(writers) set(logging_SRCS diff --git a/src/logging/Component.h b/src/logging/Component.h index a7ef2a0c31..d99803b165 100644 --- a/src/logging/Component.h +++ b/src/logging/Component.h @@ -37,7 +37,7 @@ public: /** * Destructor. */ - ~Component(); + ~Component() override; /** * Initialization function. This function has to be called before any diff --git a/src/logging/Manager.cc b/src/logging/Manager.cc index e1a314d4d6..ce32165177 100644 --- a/src/logging/Manager.cc +++ b/src/logging/Manager.cc @@ -8,6 +8,7 @@ #include "../Net.h" #include "../Type.h" +#include "broker/Manager.h" #include "threading/Manager.h" #include "threading/SerialTypes.h" 
@@ -15,10 +16,8 @@ #include "WriterFrontend.h" #include "WriterBackend.h" #include "logging.bif.h" - -#ifdef ENABLE_BROKER -#include "broker/Manager.h" -#endif +#include "../plugin/Plugin.h" +#include "../plugin/Manager.h" using namespace logging; @@ -62,6 +61,7 @@ struct Manager::WriterInfo { WriterFrontend* writer; WriterBackend::WriterInfo* info; bool from_remote; + bool hook_initialized; string instantiating_filter; }; @@ -79,10 +79,7 @@ struct Manager::Stream { WriterMap writers; // Writers indexed by id/path pair. -#ifdef ENABLE_BROKER bool enable_remote; - int remote_flags; -#endif ~Stream(); }; @@ -307,10 +304,7 @@ bool Manager::CreateStream(EnumVal* id, RecordVal* sval) streams[idx]->event = event ? event_registry->Lookup(event->Name()) : 0; streams[idx]->columns = columns->Ref()->AsRecordType(); -#ifdef ENABLE_BROKER streams[idx]->enable_remote = internal_val("Log::enable_remote_logging")->AsBool(); - streams[idx]->remote_flags = broker::PEERS; -#endif DBG_LOG(DBG_LOGGING, "Created new logging stream '%s', raising event %s", streams[idx]->name.c_str(), event ? streams[idx]->event->Name() : ""); @@ -840,12 +834,26 @@ bool Manager::Write(EnumVal* id, RecordVal* columns) path = filter->path = filter->path_val->AsString()->CheckString(); } + WriterBackend::WriterInfo* info = 0; WriterFrontend* writer = 0; if ( w != stream->writers.end() ) { // We know this writer already. writer = w->second->writer; + info = w->second->info; + + if ( ! w->second->hook_initialized ) + { + auto wi = w->second; + wi->hook_initialized = true; + PLUGIN_HOOK_VOID(HOOK_LOG_INIT, + HookLogInit(filter->writer->Type()->AsEnumType()->Lookup(filter->writer->InternalInt()), + wi->instantiating_filter, filter->local, + filter->remote, *wi->info, + filter->num_fields, + filter->fields)); + } } else 
@@ -874,7 +882,7 @@ bool Manager::Write(EnumVal* id, RecordVal* columns) arg_fields[j] = new threading::Field(*filter->fields[j]); } - WriterBackend::WriterInfo* info = new WriterBackend::WriterInfo; + info = new WriterBackend::WriterInfo; info->path = copy_string(path.c_str()); info->network_time = network_time; @@ -909,6 +917,22 @@ bool Manager::Write(EnumVal* id, RecordVal* columns) threading::Value** vals = RecordToFilterVals(stream, filter, columns); + if ( ! PLUGIN_HOOK_WITH_RESULT(HOOK_LOG_WRITE, + HookLogWrite(filter->writer->Type()->AsEnumType()->Lookup(filter->writer->InternalInt()), + filter->name, *info, + filter->num_fields, + filter->fields, vals), + true) ) + { + DeleteVals(filter->num_fields, vals); + +#ifdef DEBUG + DBG_LOG(DBG_LOGGING, "Hook prevented writing to filter '%s' on stream '%s'", + filter->name.c_str(), stream->name.c_str()); +#endif + return true; + } + // Write takes ownership of vals. assert(writer); writer->Write(filter->num_fields, vals); @@ -919,12 +943,6 @@ bool Manager::Write(EnumVal* id, RecordVal* columns) #endif } -#ifdef ENABLE_BROKER - if ( stream->enable_remote && - ! broker_mgr->Log(id, columns, stream->columns, stream->remote_flags) ) - stream->enable_remote = false; -#endif - Unref(columns); return true; 
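Review bot: When `HOOK_LOG_WRITE` vetoes a record, the new branch does `return true;` right after `DeleteVals(filter->num_fields, vals);`, which skips the `Unref(columns);` that the normal exit of `Manager::Write` performs (visible at the end of the function in the next hunk). Each vetoed record therefore appears to leak a reference. The return also leaves the whole function rather than just this filter; if the code sits inside the per-filter loop (the loop header is outside the hunk), one plugin veto drops the record for every remaining filter on the stream too. Replacing `return true;` with `continue;` would cover both cases, assuming the loop placement is as it looks.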
@@ -1121,23 +1139,46 @@ threading::Value** Manager::RecordToFilterVals(Stream* stream, Filter* filter, return vals; } +bool Manager::CreateWriterForRemoteLog(EnumVal* id, EnumVal* writer, WriterBackend::WriterInfo* info, + int num_fields, const threading::Field* const* fields) + { + return CreateWriter(id, writer, info, num_fields, fields, true, false, true); + } + +static void delete_info_and_fields(WriterBackend::WriterInfo* info, int num_fields, const threading::Field* const* fields) + { + for ( int i = 0; i < num_fields; i++ ) + delete fields[i]; + + delete [] fields; + delete info; + } + WriterFrontend* Manager::CreateWriter(EnumVal* id, EnumVal* writer, WriterBackend::WriterInfo* info, - int num_fields, const threading::Field* const* fields, bool local, bool remote, bool from_remote, + int num_fields, const threading::Field* const* fields, bool local, bool remote, bool from_remote, const string& instantiating_filter) { + WriterFrontend* result = 0; + Stream* stream = FindStream(id); if ( ! stream ) + { // Don't know this stream. + delete_info_and_fields(info, num_fields, fields); return 0; + } Stream::WriterMap::iterator w = stream->writers.find(Stream::WriterPathPair(writer->AsEnum(), info->path)); if ( w != stream->writers.end() ) + { // If we already have a writer for this. That's fine, we just // return it. + delete_info_and_fields(info, num_fields, fields); return w->second->writer; + } WriterInfo* winfo = new WriterInfo; winfo->type = writer->Ref()->AsEnumVal(); @@ -1148,6 +1189,7 @@ WriterFrontend* Manager::CreateWriter(EnumVal* id, EnumVal* writer, WriterBacken winfo->postprocessor = 0; winfo->info = info; winfo->from_remote = from_remote; + winfo->hook_initialized = false; winfo->instantiating_filter = instantiating_filter; // Search for a corresponding filter for the writer/path pair and use its 
@@ -1193,6 +1235,15 @@ WriterFrontend* Manager::CreateWriter(EnumVal* id, EnumVal* writer, WriterBacken winfo->writer = new WriterFrontend(*winfo->info, id, writer, local, remote); winfo->writer->Init(num_fields, fields); + if ( ! from_remote ) + { + winfo->hook_initialized = true; + PLUGIN_HOOK_VOID(HOOK_LOG_INIT, + HookLogInit(writer->Type()->AsEnumType()->Lookup(writer->InternalInt()), + instantiating_filter, local, remote, + *winfo->info, num_fields, fields)); + } + InstallRotationTimer(winfo); return winfo->writer; @@ -1207,8 +1258,8 @@ void Manager::DeleteVals(int num_fields, threading::Value** vals) delete [] vals; } -bool Manager::Write(EnumVal* id, EnumVal* writer, string path, int num_fields, - threading::Value** vals) +bool Manager::WriteFromRemote(EnumVal* id, EnumVal* writer, string path, int num_fields, + threading::Value** vals) { Stream* stream = FindStream(id); @@ -1262,7 +1313,7 @@ void Manager::SendAllWritersTo(RemoteSerializer::PeerID peer) { Stream* stream = (*s); - if ( ! stream ) + if ( ! (stream && stream->enable_remote) ) continue; for ( Stream::WriterMap::iterator i = stream->writers.begin(); @@ -1280,6 +1331,31 @@ void Manager::SendAllWritersTo(RemoteSerializer::PeerID peer) } } +void Manager::SendAllWritersTo(const broker::endpoint_info& ei) + { + for ( vector::iterator s = streams.begin(); s != streams.end(); ++s ) + { + Stream* stream = (*s); + + if ( ! (stream && stream->enable_remote) ) + continue; + + for ( Stream::WriterMap::iterator i = stream->writers.begin(); + i != stream->writers.end(); i++ ) + { + WriterFrontend* writer = i->second->writer; + + EnumVal writer_val(i->first.first, internal_type("Log::Writer")->AsEnumType()); + broker_mgr->PublishLogCreate((*s)->id, + &writer_val, + *i->second->info, + writer->NumFields(), + writer->Fields(), + ei); + } + } + } + bool Manager::SetBuf(EnumVal* id, bool enabled) { Stream* stream = FindStream(id); 
@@ -1326,9 +1402,7 @@ void Manager::Terminate() } } -#ifdef ENABLE_BROKER - -bool Manager::EnableRemoteLogs(EnumVal* stream_id, int flags) +bool Manager::EnableRemoteLogs(EnumVal* stream_id) { auto stream = FindStream(stream_id); @@ -1336,7 +1410,6 @@ bool Manager::EnableRemoteLogs(EnumVal* stream_id, int flags) return false; stream->enable_remote = true; - stream->remote_flags = flags; return true; } @@ -1371,8 +1444,6 @@ RecordType* Manager::StreamColumns(EnumVal* stream_id) return stream->columns; } -#endif - // Timer which on dispatching rotates the filter. class RotationTimer : public Timer { public: diff --git a/src/logging/Manager.h b/src/logging/Manager.h index 5d3372fb9b..d04def7938 100644 --- a/src/logging/Manager.h +++ b/src/logging/Manager.h @@ -5,6 +5,8 @@ #ifndef LOGGING_MANAGER_H #define LOGGING_MANAGER_H +#include + #include "../Val.h" #include "../Tag.h" #include "../EventHandler.h" 
@@ -129,6 +131,52 @@ public: */ bool Write(EnumVal* id, RecordVal* columns); + /** + * Create a new log writer frontend. This is exposed so that the + * communication system can recreate remote log streams locally. + * + * @param id The enum value corresponding to the log stream. + * + * @param writer The enum value corresponding to the desired log writer. + * + * @param info A fully initialized object defining the + * characteristics of the backend writer instance. The method takes + * ownership of this. + * + * @param num_fields The number of log fields to write. + * + * @param vals An array of log fields to write, of size num_fields. + * The method takes ownership of the array. + * + * @return Returns true if the writer was successfully created. + */ + bool CreateWriterForRemoteLog(EnumVal* id, EnumVal* writer, WriterBackend::WriterInfo* info, + int num_fields, const threading::Field* const* fields); + + /** + * Writes out log entries that have already passed through all + * filters (and have raised any events). This is meant called for logs + * received already processed from remote. + * + * @param stream The enum value corresponding to the log stream. + * + * @param writer The enum value corresponding to the desired log writer. + * + * @param path The path of the target log stream to write to. + * + * @param num_fields The number of log values to write. + * + * @param vals An array of log values to write, of size num_fields. + * The method takes ownership of the array. + */ + bool WriteFromRemote(EnumVal* stream, EnumVal* writer, string path, + int num_fields, threading::Value** vals); + + /** + * Announces all instantiated writers to a given Broker peer. + */ + void SendAllWritersTo(const broker::endpoint_info& ei); + /** * Sets log streams buffering state. This adjusts all associated * writers to the new state. 
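Review bot: The doc comment added for `CreateWriterForRemoteLog` documents `@param vals` although the declaration takes `fields`, and it does not say whether the ownership transfer also applies when no writer is created. The early-return paths added to `CreateWriter` in Manager.cc free both `info` and the field array, so callers need to know they must not touch either afterwards. Suggested wording: `@param fields An array of log fields, of size num_fields. The method takes ownership of the array and of info, including when it returns false.` In the `WriteFromRemote` comment, "This is meant called for logs" should read "This is meant to be called for logs".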
@@ -157,14 +205,12 @@ public: */ void Terminate(); -#ifdef ENABLE_BROKER /** * Enable remote logs for a given stream. * @param stream_id the stream to enable remote logs for. - * @param flags tune behavior of how log entries are sent to peer endpoints. * @return true if remote logs are enabled. */ - bool EnableRemoteLogs(EnumVal* stream_id, int flags); + bool EnableRemoteLogs(EnumVal* stream_id); /** * Disable remote logs for a given stream. @@ -183,7 +229,6 @@ public: * a given log stream. */ RecordType* StreamColumns(EnumVal* stream_id); -#endif protected: friend class WriterFrontend; @@ -203,10 +248,6 @@ protected: int num_fields, const threading::Field* const* fields, bool local, bool remote, bool from_remote, const string& instantiating_filter=""); - // Takes ownership of values.. - bool Write(EnumVal* id, EnumVal* writer, string path, - int num_fields, threading::Value** vals); - // Announces all instantiated writers to peer. void SendAllWritersTo(RemoteSerializer::PeerID peer); @@ -233,7 +274,6 @@ private: void RemoveDisabledWriters(Stream* stream); void InstallRotationTimer(WriterInfo* winfo); void Rotate(WriterInfo* info); - Filter* FindFilter(EnumVal* id, StringVal* filter); WriterInfo* FindWriter(WriterFrontend* writer); bool CompareFields(const Filter* filter, const WriterFrontend* writer); bool CheckFilterWriterConflict(const WriterInfo* winfo, const Filter* filter); diff --git a/src/logging/Tag.h b/src/logging/Tag.h index bcb7af946b..ab0a702d47 100644 --- a/src/logging/Tag.h +++ b/src/logging/Tag.h @@ -98,14 +98,14 @@ protected: * @param subtype The sub type, which is left to an writer for * interpretation. By default it's set to zero. */ - Tag(type_t type, subtype_t subtype = 0); + explicit Tag(type_t type, subtype_t subtype = 0); /** * Constructor. * * @param val An enum value of script type \c Log::Writer. */ - Tag(EnumVal* val) : ::Tag(val) {} + explicit Tag(EnumVal* val) : ::Tag(val) {} }; } 
diff --git a/src/logging/WriterBackend.cc b/src/logging/WriterBackend.cc index 3e868f067a..4416e41d17 100644 --- a/src/logging/WriterBackend.cc +++ b/src/logging/WriterBackend.cc @@ -1,5 +1,7 @@ // See the file "COPYING" in the main distribution directory for copyright. +#include + #include "util.h" #include "threading/SerialTypes.h" @@ -119,6 +121,55 @@ bool WriterBackend::WriterInfo::Write(SerializationFormat* fmt) const return true; } +broker::data WriterBackend::WriterInfo::ToBroker() const + { + auto t = broker::table(); + + for ( config_map::const_iterator i = config.begin(); i != config.end(); ++i ) + { + auto key = std::string(i->first); + auto value = std::string(i->second); + t.insert(std::make_pair(key, value)); + } + + return broker::vector({path, rotation_base, rotation_interval, network_time, std::move(t)}); + } + +bool WriterBackend::WriterInfo::FromBroker(broker::data d) + { + if ( ! caf::holds_alternative(d) ) + return false; + + auto v = caf::get(d); + auto bpath = caf::get_if(&v[0]); + auto brotation_base = caf::get_if(&v[1]); + auto brotation_interval = caf::get_if(&v[2]); + auto bnetwork_time = caf::get_if(&v[3]); + auto bconfig = caf::get_if(&v[4]); + + if ( ! (bpath && brotation_base && brotation_interval && bnetwork_time && bconfig) ) + return false; + + path = copy_string(bpath->c_str()); + rotation_base = *brotation_base; + rotation_interval = *brotation_interval; + network_time = *bnetwork_time; + + for ( auto i : *bconfig ) + { + auto k = caf::get_if(&i.first); + auto v = caf::get_if(&i.second); + + if ( ! (k && v) ) + return false; + + auto p = std::make_pair(copy_string(k->c_str()), copy_string(v->c_str())); + config.insert(p); + } + + return true; + } + WriterBackend::WriterBackend(WriterFrontend* arg_frontend) : MsgThread() { num_fields = 0; diff --git a/src/logging/WriterBackend.h b/src/logging/WriterBackend.h index 2a93e8fefc..74541d8586 100644 --- a/src/logging/WriterBackend.h +++ b/src/logging/WriterBackend.h 
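Review bot: `WriterInfo::FromBroker` indexes `v[0]` through `v[4]` without checking how many elements the decoded vector holds, and judging by the remote-log plumbing in this commit the value can originate from another endpoint. A vector with fewer than five elements makes the `caf::get_if(&v[i])` calls read past the end before the null checks can reject it. Add `if ( v.size() < 5 ) return false;` directly after the vector is extracted. Separately, `path` and any earlier `config` entries have already been assigned via `copy_string` when a later map entry fails its type check, so the `return false` inside the loop leaves a partly filled struct; validating every entry before assigning would avoid that.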
@@ -11,6 +11,8 @@ class RemoteSerializer; +namespace broker { class data; } + namespace logging { class WriterFrontend; @@ -43,7 +45,7 @@ public: /** * Destructor. */ - virtual ~WriterBackend(); + ~WriterBackend() override; /** * A struct passing information to the writer at initialization time. @@ -110,15 +112,15 @@ public: } } - private: - const WriterInfo& operator=(const WriterInfo& other); // Disable. - - friend class ::RemoteSerializer; - // Note, these need to be adapted when changing the struct's // fields. They serialize/deserialize the struct. bool Read(SerializationFormat* fmt); bool Write(SerializationFormat* fmt) const; + broker::data ToBroker() const; + bool FromBroker(broker::data d); + + private: + const WriterInfo& operator=(const WriterInfo& other); // Disable. }; /** diff --git a/src/logging/WriterFrontend.cc b/src/logging/WriterFrontend.cc index 14e131c755..56bbf68161 100644 --- a/src/logging/WriterFrontend.cc +++ b/src/logging/WriterFrontend.cc @@ -1,6 +1,7 @@ #include "Net.h" #include "threading/SerialTypes.h" +#include "broker/Manager.h" #include "Manager.h" #include "WriterFrontend.h" @@ -167,12 +168,20 @@ void WriterFrontend::Init(int arg_num_fields, const Field* const * arg_fields) backend->SendIn(new InitMessage(backend, arg_num_fields, arg_fields)); if ( remote ) + { remote_serializer->SendLogCreateWriter(stream, writer, *info, arg_num_fields, arg_fields); + broker_mgr->PublishLogCreate(stream, + writer, + *info, + arg_num_fields, + arg_fields); + } + } void WriterFrontend::Write(int arg_num_fields, Value** vals) @@ -191,12 +200,20 @@ void WriterFrontend::Write(int arg_num_fields, Value** vals) } if ( remote ) + { remote_serializer->SendLogWrite(stream, writer, info->path, num_fields, vals); + broker_mgr->PublishLogWrite(stream, + writer, + info->path, + num_fields, + vals); + } + if ( ! backend ) { DeleteVals(arg_num_fields, vals); 
diff --git a/src/logging/WriterFrontend.h b/src/logging/WriterFrontend.h index e343f326bf..bdfdddad18 100644 --- a/src/logging/WriterFrontend.h +++ b/src/logging/WriterFrontend.h @@ -34,11 +34,9 @@ public: * * info: The meta information struct for the writer. * - * writer_name: A descriptive name for the writer's type. - * * local: If true, the writer will instantiate a local backend. * - * remote: If true, the writer will forward all data to remote + * remote: If true, the writer will forward logs to remote * clients. * * Frontends must only be instantiated by the main thread. @@ -137,19 +135,6 @@ public: */ void Rotate(const char* rotated_path, double open, double close, bool terminating); - /** - * Finalizes writing to this tream. - * - * This method generates a message to the backend writer and triggers - * the corresponding message there. If the backend method fails, it - * sends a message back that will asynchronously call Disable(). - * - * This method must only be called from the main thread. - * - * @param network_time The network time when the finish was triggered. - */ - void Finish(double network_time); - /** * Explicitly triggers a transfer of all potentially buffered Write() * operations over to the backend. diff --git a/src/logging/writers/ascii/Ascii.cc b/src/logging/writers/ascii/Ascii.cc index d6f5daa7e7..baaba22665 100644 --- a/src/logging/writers/ascii/Ascii.cc +++ b/src/logging/writers/ascii/Ascii.cc @@ -24,6 +24,8 @@ Ascii::Ascii(WriterFrontend* frontend) : WriterBackend(frontend) tsv = false; use_json = false; formatter = 0; + gzip_level = 0; + gzfile = nullptr; InitConfigOptions(); init_options = InitFilterOptions(); @@ -34,6 +36,7 @@ void Ascii::InitConfigOptions() output_to_stdout = BifConst::LogAscii::output_to_stdout; include_meta = BifConst::LogAscii::include_meta; use_json = BifConst::LogAscii::use_json; + gzip_level = BifConst::LogAscii::gzip_level; separator.assign( (const char*) BifConst::LogAscii::separator->Bytes(), 
@@ -89,6 +92,16 @@ bool Ascii::InitFilterOptions() } } + else if ( strcmp(i->first, "gzip_level" ) == 0 ) + { + gzip_level = atoi(i->second); + + if ( gzip_level < 0 || gzip_level > 9 ) + { + Error("invalid value for 'gzip_level', must be a number between 0 and 9."); + return false; + } + } else if ( strcmp(i->first, "use_json") == 0 ) { if ( strcmp(i->second, "T") == 0 ) @@ -192,7 +205,7 @@ bool Ascii::WriteHeaderField(const string& key, const string& val) { string str = meta_prefix + key + separator + val + "\n"; - return safe_write(fd, str.c_str(), str.length()); + return InternalWrite(fd, str.c_str(), str.length()); } void Ascii::CloseFile(double t) @@ -203,8 +216,9 @@ void Ascii::CloseFile(double t) if ( include_meta && ! tsv ) WriteHeaderField("close", Timestamp(0)); - safe_close(fd); + InternalClose(fd); fd = 0; + gzfile = nullptr; } bool Ascii::DoInit(const WriterInfo& info, int num_fields, const Field* const * fields) @@ -219,7 +233,8 @@ bool Ascii::DoInit(const WriterInfo& info, int num_fields, const Field* const * if ( output_to_stdout ) path = "/dev/stdout"; - fname = IsSpecial(path) ? path : path + "." + LogExt(); + fname = IsSpecial(path) ? path : path + "." + LogExt() + + (gzip_level > 0 ? ".gz" : ""); fd = open(fname.c_str(), O_WRONLY | O_CREAT | O_TRUNC, 0666); 
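Review bot: The new `gzip_level` branch in InitFilterOptions parses the filter option with `atoi`, which returns 0 for non-numeric text and stops at the first non-digit. A value such as `high` therefore silently disables compression, and `9x` is accepted as 9, neither reaching the range error. I would parse with an end-pointer check instead, e.g. `char* end = nullptr; long lvl = strtol(i->second, &end, 10);` followed by `if ( end == i->second || *end != '\0' || lvl < 0 || lvl > 9 )` before assigning `gzip_level`. The function body starts and ends outside this hunk.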
@@ -231,6 +246,31 @@ bool Ascii::DoInit(const WriterInfo& info, int num_fields, const Field* const * return false; } + if ( gzip_level > 0 ) + { + if ( gzip_level < 0 || gzip_level > 9 ) + { + Error("invalid value for 'gzip_level', must be a number between 0 and 9."); + return false; + } + + char mode[4]; + snprintf(mode, sizeof(mode), "wb%d", gzip_level); + errno = 0; // errno will only be set under certain circumstances by gzdopen. + gzfile = gzdopen(fd, mode); + + if ( gzfile == nullptr ) + { + Error(Fmt("cannot gzip %s: %s", fname.c_str(), + Strerror(errno))); + return false; + } + } + else + { + gzfile = nullptr; + } + if ( ! WriteHeader(path) ) { Error(Fmt("error writing to %s: %s", fname.c_str(), Strerror(errno))); @@ -264,7 +304,7 @@ bool Ascii::WriteHeader(const string& path) { // A single TSV-style line is all we need. string str = names + "\n"; - if ( ! safe_write(fd, str.c_str(), str.length()) ) + if ( ! InternalWrite(fd, str.c_str(), str.length()) ) return false; return true; @@ -275,7 +315,7 @@ bool Ascii::WriteHeader(const string& path) + get_escaped_string(separator, false) + "\n"; - if ( ! safe_write(fd, str.c_str(), str.length()) ) + if ( ! InternalWrite(fd, str.c_str(), str.length()) ) return false; if ( ! (WriteHeaderField("set_separator", get_escaped_string(set_separator, false)) && @@ -337,14 +377,14 @@ bool Ascii::DoWrite(int num_fields, const Field* const * fields, char hex[4] = {'\\', 'x', '0', '0'}; bytetohex(bytes[0], hex + 2); - if ( ! safe_write(fd, hex, 4) ) + if ( ! InternalWrite(fd, hex, 4) ) goto write_error; ++bytes; --len; } - if ( ! safe_write(fd, bytes, len) ) + if ( ! InternalWrite(fd, bytes, len) ) goto write_error; if ( ! IsBuf() ) 
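Review bot: Both `return false;` paths added in the `gzip_level > 0` block of DoInit leave the descriptor from the preceding `open()` in place, and the range check runs only after that call has already created and truncated the `.gz` file. Whether a caller cleans up `fd` after a failed DoInit is not visible here, so I would release it locally with `safe_close(fd); fd = 0;` before each return, and move the range check ahead of the `open()`. The `gzip_level < 0` half of the test cannot be true inside `if ( gzip_level > 0 )`. A short comment that the check also keeps `"wb%d"` within `char mode[4]` would help the next reader. DoInit starts and ends outside this hunk.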
@@ -368,12 +408,13 @@ bool Ascii::DoRotate(const char* rotated_path, double open, double close, bool t CloseFile(close); - string nname = string(rotated_path) + "." + LogExt(); + string nname = string(rotated_path) + "." + LogExt() + + (gzip_level > 0 ? ".gz" : ""); if ( rename(fname.c_str(), nname.c_str()) != 0 ) { char buf[256]; - strerror_r(errno, buf, sizeof(buf)); + bro_strerror_r(errno, buf, sizeof(buf)); Error(Fmt("failed to rename %s to %s: %s", fname.c_str(), nname.c_str(), buf)); FinishedRotation(); @@ -434,4 +475,58 @@ string Ascii::Timestamp(double t) return tmp; } +bool Ascii::InternalWrite(int fd, const char* data, int len) + { + if ( ! gzfile ) + return safe_write(fd, data, len); + + while ( len > 0 ) + { + int n = gzwrite(gzfile, data, len); + + if ( n <= 0 ) + { + const char* err = gzerror(gzfile, &n); + Error(Fmt("Ascii::InternalWrite error: %s\n", err)); + return false; + } + + data += n; + len -= n; + } + + return true; + } + +bool Ascii::InternalClose(int fd) + { + if ( ! gzfile ) + { + safe_close(fd); + return true; + } + + int res = gzclose(gzfile); + + if ( res == Z_OK ) + return true; + + switch ( res ) { + case Z_STREAM_ERROR: + Error("Ascii::InternalClose gzclose error: invalid file stream"); + break; + case Z_BUF_ERROR: + Error("Ascii::InternalClose gzclose error: " + "no compression progress possible during buffer flush"); + break; + case Z_ERRNO: + Error(Fmt("Ascii::InternalClose gzclose error: %s\n", Strerror(errno))); + break; + default: + Error("Ascii::InternalClose invalid gzclose result"); + break; + } + + return false; + } diff --git a/src/logging/writers/ascii/Ascii.h b/src/logging/writers/ascii/Ascii.h index 8648070111..d1a6f2d0f3 100644 --- a/src/logging/writers/ascii/Ascii.h +++ b/src/logging/writers/ascii/Ascii.h 
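Review bot: With gzip enabled, `InternalWrite` passes every record to `gzwrite`, which buffers inside zlib, and none of the visible hunks adds a matching flush. The unbuffered path behind `if ( ! IsBuf() )` in DoWrite, and DoFlush, both lie outside these hunks and presumably still operate on the raw `fd`, so records may not reach the file until `gzclose`, and a crash would lose the most recent log entries. I would add `if ( gzfile ) gzflush(gzfile, Z_SYNC_FLUSH);` on those paths, or document on `InternalWrite` that compressed logs are only durable at close or rotation. `CloseFile` also discards the result of `InternalClose`, so DoRotate renames the archive even when the final flush failed.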
@@ -8,13 +8,14 @@ #include "logging/WriterBackend.h" #include "threading/formatters/Ascii.h" #include "threading/formatters/JSON.h" +#include "zlib.h" namespace logging { namespace writer { class Ascii : public WriterBackend { public: - Ascii(WriterFrontend* frontend); - ~Ascii(); + explicit Ascii(WriterFrontend* frontend); + ~Ascii() override; static string LogExt(); @@ -22,19 +23,19 @@ public: { return new Ascii(frontend); } protected: - virtual bool DoInit(const WriterInfo& info, int num_fields, - const threading::Field* const* fields); - virtual bool DoWrite(int num_fields, const threading::Field* const* fields, - threading::Value** vals); - virtual bool DoSetBuf(bool enabled); - virtual bool DoRotate(const char* rotated_path, double open, - double close, bool terminating); - virtual bool DoFlush(double network_time); - virtual bool DoFinish(double network_time); - virtual bool DoHeartbeat(double network_time, double current_time); + bool DoInit(const WriterInfo& info, int num_fields, + const threading::Field* const* fields) override; + bool DoWrite(int num_fields, const threading::Field* const* fields, + threading::Value** vals) override; + bool DoSetBuf(bool enabled) override; + bool DoRotate(const char* rotated_path, double open, + double close, bool terminating) override; + bool DoFlush(double network_time) override; + bool DoFinish(double network_time) override; + bool DoHeartbeat(double network_time, double current_time) override; private: - bool IsSpecial(string path) { return path.find("/dev/") == 0; } + bool IsSpecial(const string &path) { return path.find("/dev/") == 0; } bool WriteHeader(const string& path); bool WriteHeaderField(const string& key, const string& value); void CloseFile(double t); @@ -42,8 +43,11 @@ private: void InitConfigOptions(); bool InitFilterOptions(); bool InitFormatter(); + bool InternalWrite(int fd, const char* data, int len); + bool InternalClose(int fd); int fd; + gzFile gzfile; string fname; ODesc desc; bool ascii_done; 
@@ -59,6 +63,7 @@ private: string unset_field; string meta_prefix; + int gzip_level; // level > 0 enables gzip compression bool use_json; string json_timestamps; diff --git a/src/logging/writers/ascii/ascii.bif b/src/logging/writers/ascii/ascii.bif index 2817511152..b12b14f1a0 100644 --- a/src/logging/writers/ascii/ascii.bif +++ b/src/logging/writers/ascii/ascii.bif @@ -12,3 +12,4 @@ const empty_field: string; const unset_field: string; const use_json: bool; const json_timestamps: JSON::TimestampFormat; +const gzip_level: count; diff --git a/src/logging/writers/none/None.h b/src/logging/writers/none/None.h index fda9a35330..24193341b5 100644 --- a/src/logging/writers/none/None.h +++ b/src/logging/writers/none/None.h 
@@ -11,24 +11,23 @@ namespace logging { namespace writer { class None : public WriterBackend { public: - None(WriterFrontend* frontend) : WriterBackend(frontend) {} - ~None() {}; + explicit None(WriterFrontend* frontend) : WriterBackend(frontend) {} + ~None() override {}; static WriterBackend* Instantiate(WriterFrontend* frontend) { return new None(frontend); } protected: - virtual bool DoInit(const WriterInfo& info, int num_fields, - const threading::Field* const * fields); - - virtual bool DoWrite(int num_fields, const threading::Field* const* fields, - threading::Value** vals) { return true; } - virtual bool DoSetBuf(bool enabled) { return true; } - virtual bool DoRotate(const char* rotated_path, double open, - double close, bool terminating); - virtual bool DoFlush(double network_time) { return true; } - virtual bool DoFinish(double network_time) { return true; } - virtual bool DoHeartbeat(double network_time, double current_time) { return true; } + bool DoInit(const WriterInfo& info, int num_fields, + const threading::Field* const * fields) override; + bool DoWrite(int num_fields, const threading::Field* const* fields, + threading::Value** vals) override { return true; } + bool DoSetBuf(bool enabled) override { return true; } + bool DoRotate(const char* rotated_path, double open, + double close, bool terminating) override; + bool DoFlush(double network_time) override { return true; } + bool DoFinish(double network_time) override { return true; } + bool DoHeartbeat(double network_time, double current_time) override { return true; } }; } diff --git a/src/logging/writers/sqlite/Plugin.cc b/src/logging/writers/sqlite/Plugin.cc index 75e6497c99..f48ec838f1 100644 --- a/src/logging/writers/sqlite/Plugin.cc +++ b/src/logging/writers/sqlite/Plugin.cc 
@@ -10,7 +10,7 @@ namespace Bro_SQLiteWriter { class Plugin : public plugin::Plugin { public: - plugin::Configuration Configure() + plugin::Configuration Configure() override { AddComponent(new ::logging::Component("SQLite", ::logging::writer::SQLite::Instantiate)); diff --git a/src/logging/writers/sqlite/SQLite.h b/src/logging/writers/sqlite/SQLite.h index 1db53614a2..3ad535e543 100644 --- a/src/logging/writers/sqlite/SQLite.h +++ b/src/logging/writers/sqlite/SQLite.h 
@@ -15,23 +15,23 @@ namespace logging { namespace writer { class SQLite : public WriterBackend { public: - SQLite(WriterFrontend* frontend); - ~SQLite(); + explicit SQLite(WriterFrontend* frontend); + ~SQLite() override; static WriterBackend* Instantiate(WriterFrontend* frontend) { return new SQLite(frontend); } protected: - virtual bool DoInit(const WriterInfo& info, int arg_num_fields, - const threading::Field* const* arg_fields); - virtual bool DoWrite(int num_fields, const threading::Field* const* fields, - threading::Value** vals); - virtual bool DoSetBuf(bool enabled) { return true; } - virtual bool DoRotate(const char* rotated_path, double open, - double close, bool terminating); - virtual bool DoFlush(double network_time) { return true; } - virtual bool DoFinish(double network_time) { return true; } - virtual bool DoHeartbeat(double network_time, double current_time) { return true; } + bool DoInit(const WriterInfo& info, int arg_num_fields, + const threading::Field* const* arg_fields) override; + bool DoWrite(int num_fields, const threading::Field* const* fields, + threading::Value** vals) override; + bool DoSetBuf(bool enabled) override { return true; } + bool DoRotate(const char* rotated_path, double open, + double close, bool terminating) override; + bool DoFlush(double network_time) override { return true; } + bool DoFinish(double network_time) override { return true; } + bool DoHeartbeat(double network_time, double current_time) override { return true; } private: bool checkError(int code); diff --git a/src/main.cc b/src/main.cc index 55636a9496..757b09351f 100644 --- a/src/main.cc +++ b/src/main.cc @@ -21,8 +21,6 @@ extern "C" { #include #include -extern "C" void OPENSSL_add_all_algorithms_conf(void); - #include "bsd-getopt-long.h" #include "input.h" #include "DNS_Mgr.h" 
@@ -46,6 +44,7 @@ extern "C" void OPENSSL_add_all_algorithms_conf(void); #include "EventRegistry.h" #include "Stats.h" #include "Brofiler.h" +#include "Traverse.h" #include "threading/Manager.h" #include "input/Manager.h" @@ -58,15 +57,12 @@ extern "C" void OPENSSL_add_all_algorithms_conf(void); #include "file_analysis/Manager.h" #include "broxygen/Manager.h" #include "iosource/Manager.h" +#include "broker/Manager.h" #include "binpac_bro.h" #include "3rdparty/sqlite3.h" -#ifdef ENABLE_BROKER -#include "broker/Manager.h" -#endif - Brofiler brofiler; #ifndef HAVE_STRSEP @@ -87,6 +83,7 @@ int perftools_profile = 0; DNS_Mgr* dns_mgr; TimerMgr* timer_mgr; +PortManager* port_mgr = 0; logging::Manager* log_mgr = 0; threading::Manager* thread_mgr = 0; input::Manager* input_mgr = 0; @@ -95,9 +92,7 @@ analyzer::Manager* analyzer_mgr = 0; file_analysis::Manager* file_mgr = 0; broxygen::Manager* broxygen_mgr = 0; iosource::Manager* iosource_mgr = 0; -#ifdef ENABLE_BROKER bro_broker::Manager* broker_mgr = 0; -#endif const char* prog; char* writefile = 0; @@ -120,6 +115,7 @@ char* command_line_policy = 0; vector params; set requested_plugins; char* proc_status_file = 0; +int old_comm_usage_count = 0; OpaqueType* md5_type = 0; OpaqueType* sha1_type = 0; @@ -129,6 +125,7 @@ OpaqueType* cardinality_type = 0; OpaqueType* topk_type = 0; OpaqueType* bloomfilter_type = 0; OpaqueType* x509_opaque_type = 0; +OpaqueType* ocsp_resp_opaque_type = 0; // Keep copy of command line int bro_argc; @@ -366,6 +363,7 @@ void terminate_bro() log_mgr->Terminate(); input_mgr->Terminate(); thread_mgr->Terminate(); + broker_mgr->Terminate(); mgr.Drain(); @@ -382,7 +380,9 @@ void terminate_bro() delete log_mgr; delete plugin_mgr; delete reporter; + // broker_mgr is deleted via iosource_mgr delete iosource_mgr; + delete port_mgr; reporter = 0; } 
@@ -426,6 +426,70 @@ static void bro_new_handler() out_of_memory("new"); } +static auto old_comm_ids = std::set{ + "connect", + "disconnect", + "request_remote_events", + "request_remote_sync", + "request_remote_logs", + "set_accept_state", + "set_compression_level", + "listen", + "send_id", + "terminate_communication", + "complete_handshake", + "send_ping", + "send_current_packet", + "get_event_peer", + "send_capture_filter", + "suspend_state_updates", + "resume_state_updates", +}; + +static bool is_old_comm_usage(const ID* id) + { + auto name = id->Name(); + + if ( old_comm_ids.find(name) == old_comm_ids.end() ) + return false; + + return true; + } + +class OldCommUsageTraversalCallback : public TraversalCallback { +public: + virtual TraversalCode PreExpr(const Expr* expr) override + { + switch ( expr->Tag() ) { + case EXPR_CALL: + { + const CallExpr* call = static_cast(expr); + auto func = call->Func(); + + if ( func->Tag() == EXPR_NAME ) + { + const NameExpr* ne = static_cast(func); + auto id = ne->Id(); + + if ( is_old_comm_usage(id) ) + ++old_comm_usage_count; + } + } + break; + default: + break; + } + + return TC_CONTINUE; + } +}; + +static void find_old_comm_usages() + { + OldCommUsageTraversalCallback cb; + traverse_all(&cb); + } + int main(int argc, char** argv) { std::set_new_handler(bro_new_handler); @@ -595,7 +659,7 @@ int main(int argc, char** argv) break; case 'v': - fprintf(stderr, "%s version %s\n", prog, bro_version()); + fprintf(stdout, "%s version %s\n", prog, bro_version()); exit(0); break; @@ -710,6 +774,7 @@ int main(int argc, char** argv) bro_start_time = current_time(true); + port_mgr = new PortManager(); reporter = new Reporter(); thread_mgr = new threading::Manager(); plugin_mgr = new plugin::Manager(); 
@@ -756,7 +821,9 @@ int main(int argc, char** argv) broxygen_mgr = new broxygen::Manager(broxygen_config, bro_argv[0]); - add_input_file("base/init-bare.bro"); + add_essential_input_file("base/init-bare.bro"); + add_essential_input_file("base/init-frameworks-and-bifs.bro"); + if ( ! bare_mode ) add_input_file("base/init-default.bro"); @@ -798,10 +865,7 @@ int main(int argc, char** argv) log_mgr = new logging::Manager(); input_mgr = new input::Manager(); file_mgr = new file_analysis::Manager(); - -#ifdef ENABLE_BROKER - broker_mgr = new bro_broker::Manager(); -#endif + broker_mgr = new bro_broker::Manager(read_files.length() > 0); plugin_mgr->InitPreScript(); analyzer_mgr->InitPreScript(); @@ -839,6 +903,7 @@ int main(int argc, char** argv) topk_type = new OpaqueType("topk"); bloomfilter_type = new OpaqueType("bloomfilter"); x509_opaque_type = new OpaqueType("x509"); + ocsp_resp_opaque_type = new OpaqueType("ocsp_resp"); // The leak-checker tends to produce some false // positives (memory which had already been @@ -851,7 +916,27 @@ int main(int argc, char** argv) HeapLeakChecker::Disabler disabler; #endif + is_parsing = true; yyparse(); + is_parsing = false; + + find_old_comm_usages(); + + if ( old_comm_usage_count ) + { + auto old_comm_ack_id = global_scope()->Lookup("old_comm_usage_is_ok"); + + if ( ! old_comm_ack_id->ID_Val()->AsBool() ) + reporter->FatalError("Detected old, deprecated communication " + "system usages that will not work unless " + "you explicitly take action to initizialize " + "and set up the old comm. system. " + "Set the 'old_comm_usage_is_ok' flag " + "to bypass this error if you've taken such " + "actions."); + } + + RecordVal::ResizeParseTimeRecords(); init_general_global_var(); init_net_var(); @@ -864,6 +949,7 @@ int main(int argc, char** argv) plugin_mgr->InitPostScript(); broxygen_mgr->InitPostScript(); + broker_mgr->InitPostScript(); if ( print_plugins ) { 
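Review bot: In the block added after `yyparse()`, the result of `global_scope()->Lookup("old_comm_usage_is_ok")` is dereferenced without a null check. The identifier is presumably defined by the essential init scripts, but a modified or incomplete script set would crash at startup instead of producing the intended diagnostic. I would fail closed with `if ( ! old_comm_ack_id || ! old_comm_ack_id->HasVal() || ! old_comm_ack_id->ID_Val()->AsBool() )`. The message text also has a typo, `initizialize` for `initialize`. `main` continues outside this hunk.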
@@ -1096,6 +1182,7 @@ int main(int argc, char** argv) // Drain the event queue here to support the protocols framework configuring DPM mgr.Drain(); + broker_mgr->BroInitDone(); analyzer_mgr->DumpDebug(); have_pending_timers = ! reading_traces && timer_mgr->Size() > 0; diff --git a/src/nb_dns.c b/src/nb_dns.c index 35059ab4f0..a1f0d018dd 100644 --- a/src/nb_dns.c +++ b/src/nb_dns.c @@ -131,27 +131,43 @@ nb_dns_init(char *errstr) free(nd); return (NULL); } - nd->s = socket(PF_INET, SOCK_DGRAM, 0); - if (nd->s < 0) { - snprintf(errstr, NB_DNS_ERRSIZE, "socket(): %s", - my_strerror(errno)); - free(nd); - return (NULL); - } - /* XXX should use resolver config */ - nd->server = _res.nsaddr_list[0]; + int i; - if (connect(nd->s, (struct sockaddr *)&nd->server, - sizeof(struct sockaddr)) < 0) { - snprintf(errstr, NB_DNS_ERRSIZE, "connect(%s): %s", - inet_ntoa(nd->server.sin_addr), my_strerror(errno)); - close(nd->s); - free(nd); - return (NULL); - } + for ( i = 0; i < _res.nscount; ++i ) + { + nd->server = _res.nsaddr_list[i]; - return (nd); + /* XXX support IPv6 */ + if ( nd->server.sin_family != AF_INET ) + continue; + + nd->s = socket(nd->server.sin_family, SOCK_DGRAM, 0); + + if ( nd->s < 0 ) + { + snprintf(errstr, NB_DNS_ERRSIZE, "socket(): %s", + my_strerror(errno)); + free(nd); + return (NULL); + } + + if ( connect(nd->s, (struct sockaddr *)&nd->server, + sizeof(struct sockaddr)) < 0 ) + { + snprintf(errstr, NB_DNS_ERRSIZE, "connect(%s): %s", + inet_ntoa(nd->server.sin_addr), my_strerror(errno)); + close(nd->s); + free(nd); + return (NULL); + } + + return (nd); + } + + snprintf(errstr, NB_DNS_ERRSIZE, "no valid nameservers in resolver config"); + free(nd); + return (NULL); } void diff --git a/src/option.bif b/src/option.bif new file mode 100644 index 0000000000..6a0ba777ee --- /dev/null +++ b/src/option.bif 
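Review bot: The new loop in `nb_dns_init` only skips non-`AF_INET` entries; a `socket()` or `connect()` failure on the first IPv4 nameserver still frees `nd` and returns NULL, so later entries in `_res.nsaddr_list` are never tried. In the `connect()` failure branch I would replace `free(nd); return (NULL);` with `close(nd->s); continue;`, and likewise `continue` after a failed `socket()`. The per-server `errstr` would then need to be kept, since the final `no valid nameservers` message overwrites it. `int i;` is also declared after statements, which older C dialects reject if this file is still built as C89. The function starts outside the hunk.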
@@ -0,0 +1,197 @@ +##! Definitions of built-in functions that allow the scripting layer to +##! change the value of options and to be notified when option values change. + +module Option; + +%%{ +#include "NetVar.h" +#include "broker/Data.h" + +static bool call_option_handlers_and_set_value(StringVal* name, ID* i, Val* val, + StringVal* location) + { + val->Ref(); + if ( i->HasOptionHandlers() ) + { + for ( auto handler_function : i->GetOptionHandlers() ) + { + val_list vl(2); + vl.append(name->Ref()); + vl.append(val); + if ( handler_function->FType()->AsFuncType()->ArgTypes()->Types()->length() == 3 ) + vl.append(location->Ref()); + + val = handler_function->Call(&vl); // consumed by next call. + if ( ! val ) + { + // Someone messed up, don't change value and just return + return false; + } + } + } + + // clone to prevent changes + i->SetVal(val->Clone()); + Unref(val); // Either ref'd once or function call result. + return true; + } +%%} + +## Set an option to a new value. This change will also cause the option change +## handlers to be called. +## +## ID: The ID of the option to update. +## +## val: The new value of the option. +## +## location: Optional parameter detailing where this change originated from. +## +## Returns: true on success, false when an error occurred. +## +## .. bro:see:: Option::set_change_handler Config::set_value +## +## .. note:: :bro:id:`Option::set` only works on one node and does not distribute +## new values across a cluster. The higher-level :bro:id:`Config::set_value` +## supports clusterization and should typically be used instead of this +## lower-level function. +function Option::set%(ID: string, val: any, location: string &default=""%): bool + %{ + auto i = global_scope()->Lookup(ID->CheckString()); + if ( ! i ) + { + builtin_error(fmt("Could not find ID named '%s'", ID->CheckString())); + return new Val(0, TYPE_BOOL); + } + + if ( ! 
i->HasVal() ) + { + // should be impossible because initialization is enforced + builtin_error(fmt("ID '%s' has no value", ID->CheckString())); + return new Val(0, TYPE_BOOL); + } + + if ( ! i->IsOption() ) + { + builtin_error(fmt("ID '%s' is not an option", ID->CheckString())); + return new Val(0, TYPE_BOOL); + } + + if ( same_type(val->Type(), bro_broker::DataVal::ScriptDataType()) ) + { + auto dv = static_cast(val->AsRecordVal()->Lookup(0)); + auto val_from_data = dv->castTo(i->Type()); + + if ( ! val_from_data ) + { + builtin_error(fmt("Incompatible type for set of ID '%s': got broker data '%s', need '%s'", + ID->CheckString(), dv->data.get_type_name(), type_name(i->Type()->Tag()))); + return new Val(0, TYPE_BOOL); + } + + auto rval = call_option_handlers_and_set_value(ID, i, val_from_data, location); + Unref(val_from_data); + return new Val(rval, TYPE_BOOL); + } + + if ( ! same_type(i->Type(), val->Type()) ) + { + builtin_error(fmt("Incompatible type for set of ID '%s': got '%s', need '%s'", + ID->CheckString(), type_name(val->Type()->Tag()), type_name(i->Type()->Tag()))); + return new Val(0, TYPE_BOOL); + } + + auto rval = call_option_handlers_and_set_value(ID, i, val, location); + return new Val(rval, TYPE_BOOL); + %} + +## Set a change handler for an option. The change handler will be +## called anytime :bro:id:`Option::set` is called for the option. +## +## ID: The ID of the option for which change notifications are desired. +## +## on_change: The function that will be called when a change occurs. The +## function can choose to receive two or three parameters: the first +## parameter is a string containing *ID*, the second parameter is +## the new option value. The third, optional, parameter is the +## location string as passed to Option::set. Note that the global +## value is not yet changed when the function is called. The passed +## function has to return the new value that it wants the option to +## be set to. 
This enables it to reject changes, or change values +## that are being set. When several change handlers are set for an +## option they are chained; the second change handler will see the +## return value of the first change handler as the "new value". +## +## priority: The priority of the function that was added; functions with higher +## priority are called first, functions with the same priority are +## called in the order in which they were added. +## +## Returns: true when the change handler was set, false when an error occurred. +## +## .. bro:see:: Option::set +function Option::set_change_handler%(ID: string, on_change: any, priority: int &default=0%): bool + %{ + auto i = global_scope()->Lookup(ID->CheckString()); + if ( ! i ) + { + builtin_error(fmt("Could not find ID named '%s'", ID->CheckString())); + return new Val(0, TYPE_BOOL); + } + + if ( ! i->IsOption() ) + { + builtin_error(fmt("ID '%s' is not an option", ID->CheckString())); + return new Val(0, TYPE_BOOL); + } + + if ( on_change->Type()->Tag() != TYPE_FUNC ) + { + builtin_error(fmt("Option::on_change needs function argument; got '%s' for ID '%s'", + type_name(on_change->Type()->Tag()), ID->CheckString())); + return new Val(0, TYPE_BOOL); + } + + if ( on_change->Type()->AsFuncType()->Flavor() != FUNC_FLAVOR_FUNCTION ) + { + builtin_error("Option::on_change needs function argument; not hook or event"); + return new Val(0, TYPE_BOOL); + } + + const type_list* args = on_change->Type()->AsFuncType()->ArgTypes()->Types(); + if ( args->length() < 2 || args->length() > 3 ) + { + builtin_error(fmt("Wrong number of arguments for passed function in Option::on_change for ID '%s'; expected 2 or 3, got %d", + ID->CheckString(), args->length())); + return new Val(0, TYPE_BOOL); + } + + if ( (*args)[0]->Tag() != TYPE_STRING ) + { + builtin_error(fmt("First argument of passed function has to be string in Option::on_change for ID '%s'; got '%s'", + ID->CheckString(), type_name((*args)[0]->Tag()))); + return new 
Val(0, TYPE_BOOL); + } + + if ( ! same_type((*args)[1], i->Type()) ) + { + builtin_error(fmt("Second argument of passed function has to be %s in Option::on_change for ID '%s'; got '%s'", + type_name(i->Type()->Tag()), ID->CheckString(), type_name((*args)[1]->Tag()))); + return new Val(0, TYPE_BOOL); + } + + if ( args->length() == 3 && (*args)[2]->Tag() != TYPE_STRING ) + { + builtin_error(fmt("Third argument of passed function has to be string in Option::on_change for ID '%s'; got '%s'", + ID->CheckString(), type_name((*args)[2]->Tag()))); + return new Val(0, TYPE_BOOL); + } + + if ( ! same_type(on_change->Type()->AsFuncType()->YieldType(), i->Type()) ) + { + builtin_error(fmt("Passed function needs to return type '%s' for ID '%s'; got '%s'", + type_name(i->Type()->Tag()), ID->CheckString(), type_name(on_change->Type()->AsFuncType()->YieldType()->Tag()))); + return new Val(0, TYPE_BOOL); + } + + i->AddOptionHandler(on_change->Ref()->AsFunc(), -priority); + return new Val(1, TYPE_BOOL); + %} diff --git a/src/parse.y b/src/parse.y index facd7e55ed..25b6c17873 100644 --- a/src/parse.y +++ b/src/parse.y 
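Review bot: In `Option::set`, the Broker branch takes `dv` from `val->AsRecordVal()->Lookup(0)` and calls `dv->castTo(i->Type())` with no null check. A `Broker::Data` record whose data field is unset would presumably yield a null pointer here. The docstring says this function is the low-level sink that `Config::set_value` builds on for cluster-wide changes, so a malformed or empty value arriving that way could crash the node rather than be rejected. I would add `if ( ! dv ) { builtin_error(fmt("Empty broker data for set of ID '%s'", ID->CheckString())); return new Val(0, TYPE_BOOL); }` before the cast. The errors in `Option::set_change_handler` name `Option::on_change`, which is not the function's name and makes the log harder to trace.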
@@ -2,21 +2,24 @@ // See the file "COPYING" in the main distribution directory for copyright. %} -%expect 78 +// Switching parser table type fixes ambiguity problems. +%define lr.type ielr + +%expect 141 %token TOK_ADD TOK_ADD_TO TOK_ADDR TOK_ANY %token TOK_ATENDIF TOK_ATELSE TOK_ATIF TOK_ATIFDEF TOK_ATIFNDEF -%token TOK_BOOL TOK_BREAK TOK_CASE TOK_CONST +%token TOK_BOOL TOK_BREAK TOK_CASE TOK_OPTION TOK_CONST %token TOK_CONSTANT TOK_COPY TOK_COUNT TOK_COUNTER TOK_DEFAULT TOK_DELETE %token TOK_DOUBLE TOK_ELSE TOK_ENUM TOK_EVENT TOK_EXPORT TOK_FALLTHROUGH %token TOK_FILE TOK_FOR TOK_FUNCTION TOK_GLOBAL TOK_HOOK TOK_ID TOK_IF TOK_INT %token TOK_INTERVAL TOK_LIST TOK_LOCAL TOK_MODULE -%token TOK_NEXT TOK_OF TOK_OPAQUE TOK_PATTERN TOK_PATTERN_TEXT +%token TOK_NEXT TOK_OF TOK_OPAQUE TOK_PATTERN TOK_PATTERN_END TOK_PATTERN_TEXT %token TOK_PORT TOK_PRINT TOK_RECORD TOK_REDEF %token TOK_REMOVE_FROM TOK_RETURN TOK_SCHEDULE TOK_SET %token TOK_STRING TOK_SUBNET TOK_SWITCH TOK_TABLE %token TOK_TIME TOK_TIMEOUT TOK_TIMER TOK_TYPE TOK_UNION TOK_VECTOR TOK_WHEN -%token TOK_WHILE +%token TOK_WHILE TOK_AS TOK_IS %token TOK_ATTR_ADD_FUNC TOK_ATTR_ENCRYPT TOK_ATTR_DEFAULT %token TOK_ATTR_OPTIONAL TOK_ATTR_REDEF TOK_ATTR_ROTATE_INTERVAL 
@@ -31,28 +34,31 @@ %token TOK_NO_TEST -%left ',' '|' +%left ',' %right '=' TOK_ADD_TO TOK_REMOVE_FROM %right '?' ':' -%left TOK_OR -%left TOK_AND +%left TOK_OR_OR +%left TOK_AND_AND %nonassoc TOK_HOOK %nonassoc '<' '>' TOK_LE TOK_GE TOK_EQ TOK_NE %left TOK_IN TOK_NOT_IN +%left '|' +%left '^' +%left '&' %left '+' '-' %left '*' '/' '%' %left TOK_INCR TOK_DECR -%right '!' +%right '!' '~' %left '$' '[' ']' '(' ')' TOK_HAS_FIELD TOK_HAS_ATTR +%nonassoc TOK_AS TOK_IS -%type opt_no_test opt_no_test_block opt_deprecated -%type TOK_ID TOK_PATTERN_TEXT single_pattern -%type local_id global_id def_global_id event_id global_or_event_id resolve_id begin_func -%type local_id_list +%type opt_no_test opt_no_test_block opt_deprecated TOK_PATTERN_END +%type TOK_ID TOK_PATTERN_TEXT +%type local_id global_id def_global_id event_id global_or_event_id resolve_id begin_func case_type +%type local_id_list case_type_list %type init_class %type opt_init %type TOK_CONSTANT -%type pattern %type expr opt_expr init anonymous_function %type event %type stmt stmt_list func_body for_head @@ -334,6 +340,12 @@ expr: $$ = new NotExpr($2); } + | '~' expr + { + set_location(@1, @2); + $$ = new ComplementExpr($2); + } + | '-' expr %prec '!' { set_location(@1, @2); @@ -388,16 +400,34 @@ expr: $$ = new ModExpr($1, $3); } - | expr TOK_AND expr + | expr '&' expr { set_location(@1, @3); - $$ = new BoolExpr(EXPR_AND, $1, $3); + $$ = new BitExpr(EXPR_AND, $1, $3); } - | expr TOK_OR expr + | expr '|' expr { set_location(@1, @3); - $$ = new BoolExpr(EXPR_OR, $1, $3); + $$ = new BitExpr(EXPR_OR, $1, $3); + } + + | expr '^' expr + { + set_location(@1, @3); + $$ = new BitExpr(EXPR_XOR, $1, $3); + } + + | expr TOK_AND_AND expr + { + set_location(@1, @3); + $$ = new BoolExpr(EXPR_AND_AND, $1, $3); + } + + | expr TOK_OR_OR expr + { + set_location(@1, @3); + $$ = new BoolExpr(EXPR_OR_OR, $1, $3); } | expr TOK_EQ expr 
@@ -693,18 +723,37 @@ expr: $$ = new ConstExpr($1); } - | pattern + | '/' { begin_RE(); } TOK_PATTERN_TEXT TOK_PATTERN_END { - set_location(@1); - $1->Compile(); - $$ = new ConstExpr(new PatternVal($1)); + set_location(@3); + + RE_Matcher* re = new RE_Matcher($3); + delete [] $3; + + if ( $4 ) + re->MakeCaseInsensitive(); + + re->Compile(); + $$ = new ConstExpr(new PatternVal(re)); } - | '|' expr '|' + | '|' expr '|' %prec '(' { set_location(@1, @3); $$ = new SizeExpr($2); } + + | expr TOK_AS type + { + set_location(@1, @3); + $$ = new CastExpr($1, $3); + } + + | expr TOK_IS type + { + set_location(@1, @3); + $$ = new IsExpr($1, $3); + } ; expr_list: @@ -727,25 +776,6 @@ opt_expr_list: { $$ = new ListExpr(); } ; -pattern: - pattern '|' single_pattern - { - $1->AddPat($3); - delete [] $3; - } - - | single_pattern - { - $$ = new RE_Matcher($1); - delete [] $1; - } - ; - -single_pattern: - '/' { begin_RE(); } TOK_PATTERN_TEXT { end_RE(); } '/' - { $$ = $3; } - ; - enum_body: enum_body_list { @@ -1059,6 +1089,12 @@ decl: broxygen_mgr->Identifier($2); } + | TOK_OPTION def_global_id opt_type init_class opt_init opt_attr ';' + { + add_global($2, $3, $4, $5, $6, VAR_OPTION); + broxygen_mgr->Identifier($2); + } + | TOK_CONST def_global_id opt_type init_class opt_init opt_attr ';' { add_global($2, $3, $4, $5, $6, VAR_CONST); 
@@ -1500,12 +1536,48 @@ case_list: case: TOK_CASE expr_list ':' stmt_list - { $$ = new Case($2, $4); } + { $$ = new Case($2, 0, $4); } + | + TOK_CASE case_type_list ':' stmt_list + { $$ = new Case(0, $2, $4); } | TOK_DEFAULT ':' stmt_list - { $$ = new Case(0, $3); } + { $$ = new Case(0, 0, $3); } ; +case_type_list: + case_type_list ',' case_type + { $1->append($3); } + | + case_type + { + $$ = new id_list; + $$->append($1); + } + ; + +case_type: + TOK_TYPE type + { + $$ = new ID(0, SCOPE_FUNCTION, 0); + $$->SetType($2); + } + + | TOK_TYPE type TOK_AS TOK_ID + { + const char* name = $4; + BroType* type = $2; + ID* case_var = lookup_ID(name, current_module.c_str()); + + if ( case_var && case_var->IsGlobal() ) + case_var->Error("already a global identifier"); + else + case_var = install_ID(name, current_module.c_str(), false, false); + + add_local(case_var, type, INIT_NONE, 0, 0, VAR_REGULAR); + $$ = case_var; + } + for_head: TOK_FOR '(' TOK_ID TOK_IN expr ')' { diff --git a/src/plugin/Manager.cc b/src/plugin/Manager.cc index c672614957..836520d03a 100644 --- a/src/plugin/Manager.cc +++ b/src/plugin/Manager.cc @@ -243,10 +243,6 @@ bool Manager::ActivateDynamicPluginInternal(const std::string& name, bool ok_if_ plugins_by_path.insert(std::make_pair(normalize_path(dir), current_plugin)); - if ( current_plugin->APIVersion() != BRO_PLUGIN_API_VERSION ) - reporter->FatalError("plugin's API version does not match Bro (expected %d, got %d in %s)", - BRO_PLUGIN_API_VERSION, current_plugin->APIVersion(), path); - // We execute the pre-script initialization here; this in // fact could be *during* script initialization if we got // triggered via @load-plugin. 
@@ -573,32 +569,20 @@ void Manager::RequestBroObjDtor(BroObj* obj, Plugin* plugin) obj->NotifyPluginsOnDtor(); } -int Manager::HookLoadFile(const string& file) +int Manager::HookLoadFile(const Plugin::LoadType type, const string& file, const string& resolved) { HookArgumentList args; if ( HavePluginForHook(META_HOOK_PRE) ) { + args.push_back(HookArgument(type)); args.push_back(HookArgument(file)); + args.push_back(HookArgument(resolved)); MetaHookPre(HOOK_LOAD_FILE, args); } hook_list* l = hooks[HOOK_LOAD_FILE]; - size_t i = file.find_last_of("./"); - - string ext; - string normalized_file = file; - - if ( i != string::npos && file[i] == '.' ) - ext = file.substr(i + 1); - else - { - // Add .bro as default extension. - normalized_file = file + ".bro"; - ext = "bro"; - } - int rc = -1; if ( l ) @@ -606,7 +590,7 @@ int Manager::HookLoadFile(const string& file) { Plugin* p = (*i).second; - rc = p->HookLoadFile(normalized_file, ext); + rc = p->HookLoadFile(type, file, resolved); if ( rc >= 0 ) break; @@ -712,7 +696,7 @@ void Manager::HookSetupAnalyzerTree(Connection *conn) const if ( HavePluginForHook(META_HOOK_PRE) ) { - args.push_back(conn); + args.push_back(HookArgument(conn)); MetaHookPre(HOOK_SETUP_ANALYZER_TREE, args); } @@ -739,7 +723,7 @@ void Manager::HookUpdateNetworkTime(double network_time) const if ( HavePluginForHook(META_HOOK_PRE) ) { - args.push_back(network_time); + args.push_back(HookArgument(network_time)); MetaHookPre(HOOK_UPDATE_NETWORK_TIME, args); } @@ -762,7 +746,7 @@ void Manager::HookBroObjDtor(void* obj) const if ( HavePluginForHook(META_HOOK_PRE) ) { - args.push_back(obj); + args.push_back(HookArgument(obj)); MetaHookPre(HOOK_BRO_OBJ_DTOR, args); } 
@@ -779,6 +763,130 @@ void Manager::HookBroObjDtor(void* obj) const MetaHookPost(HOOK_BRO_OBJ_DTOR, args, HookArgument()); } +void Manager::HookLogInit(const std::string& writer, + const std::string& instantiating_filter, + bool local, bool remote, + const logging::WriterBackend::WriterInfo& info, + int num_fields, + const threading::Field* const* fields) const + { + HookArgumentList args; + + if ( HavePluginForHook(META_HOOK_PRE) ) + { + args.push_back(HookArgument(writer)); + args.push_back(HookArgument(instantiating_filter)); + args.push_back(HookArgument(local)); + args.push_back(HookArgument(remote)); + args.push_back(HookArgument(&info)); + args.push_back(HookArgument(num_fields)); + args.push_back(HookArgument(std::make_pair(num_fields, fields))); + MetaHookPre(HOOK_LOG_INIT, args); + } + + hook_list* l = hooks[HOOK_LOG_INIT]; + + if ( l ) + for ( hook_list::iterator i = l->begin(); i != l->end(); ++i ) + { + Plugin* p = (*i).second; + p->HookLogInit(writer, instantiating_filter, local, remote, info, + num_fields, fields); + } + + if ( HavePluginForHook(META_HOOK_POST) ) + MetaHookPost(HOOK_LOG_INIT, args, HookArgument()); + } + +bool Manager::HookLogWrite(const std::string& writer, + const std::string& filter, + const logging::WriterBackend::WriterInfo& info, + int num_fields, + const threading::Field* const* fields, + threading::Value** vals) const + { + HookArgumentList args; + + if ( HavePluginForHook(META_HOOK_PRE) ) + { + args.push_back(HookArgument(writer)); + args.push_back(HookArgument(filter)); + args.push_back(HookArgument(&info)); + args.push_back(HookArgument(num_fields)); + args.push_back(HookArgument(std::make_pair(num_fields, fields))); + args.push_back(HookArgument(vals)); + MetaHookPre(HOOK_LOG_WRITE, args); + } + + hook_list* l = hooks[HOOK_LOG_WRITE]; + + bool result = true; + + if ( l ) + for ( hook_list::iterator i = l->begin(); i != l->end(); ++i ) + { + Plugin* p = (*i).second; + + if ( ! 
p->HookLogWrite(writer, filter, info, num_fields, fields, + vals) ) + { + result = false; + break; + } + } + + if ( HavePluginForHook(META_HOOK_POST) ) + MetaHookPost(HOOK_LOG_WRITE, args, HookArgument(result)); + + return result; + } + +bool Manager::HookReporter(const std::string& prefix, const EventHandlerPtr event, + const Connection* conn, const val_list* addl, bool location, + const Location* location1, const Location* location2, + bool time, const std::string& message) + + { + HookArgumentList args; + + if ( HavePluginForHook(META_HOOK_PRE) ) + { + args.push_back(HookArgument(prefix)); + args.push_back(HookArgument(conn)); + args.push_back(HookArgument(addl)); + args.push_back(HookArgument(location1)); + args.push_back(HookArgument(location2)); + args.push_back(HookArgument(location)); + args.push_back(HookArgument(time)); + args.push_back(HookArgument(message)); + MetaHookPre(HOOK_REPORTER, args); + } + + hook_list* l = hooks[HOOK_REPORTER]; + + bool result = true; + + if ( l ) + { + for ( hook_list::iterator i = l->begin(); i != l->end(); ++i ) + { + Plugin* p = (*i).second; + + if ( ! p->HookReporter(prefix, event, conn, addl, location, location1, location2, time, message) ) + { + result = false; + break; + } + } + } + + if ( HavePluginForHook(META_HOOK_POST) ) + MetaHookPost(HOOK_REPORTER, args, HookArgument(result)); + + return result; + } + + void Manager::MetaHookPre(HookType hook, const HookArgumentList& args) const { hook_list* l = hooks[HOOK_CALL_FUNCTION]; diff --git a/src/plugin/Manager.h b/src/plugin/Manager.h index 2a394b39ee..61b8dc1047 100644 --- a/src/plugin/Manager.h +++ b/src/plugin/Manager.h 
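Review bot: `Manager::HookLogWrite` and `Manager::HookReporter` both stop at the first plugin that returns false, and neither records which plugin suppressed the log line or reporter event. In a monitoring tool a silently dropped log record should be traceable, so a debug line before each `break` would help, for example `DBG_LOG(DBG_PLUGINS, "%s vetoed log write", p->Name().c_str());` if the plugin debug stream is available in this file. Separately, the `args` list built in HookReporter omits `event` and pushes `location` after `location1` and `location2`, so meta hooks see the arguments in a different order than the signature. A comment such as `// event is not passed to meta hooks; argument order differs from the signature` would document that.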
@@ -237,7 +237,7 @@ public: * if a plugin took over the file but had trouble loading it; and -1 if * no plugin was interested in the file at all. */ - virtual int HookLoadFile(const string& file); + virtual int HookLoadFile(const Plugin::LoadType type, const string& file, const string& resolved); /** * Hook that filters calls to a script function/event/hook. 
@@ -291,6 +291,103 @@ public: */ void HookBroObjDtor(void* obj) const; + /** + * Hook into log initialization. This method will be called when a + * logging writer is created. A writer represents a single logging + * filter. The method is called in the main thread, on the node that + * causes a log line to be written. It will _not_ be called on the logger + * node. The function will be called once for every instantiated writer. + * + * @param writer The name of the writer being instantiated. + * + * @param instantiating_filter Name of the filter causing the + * writer instantiation. + * + * @param local True if the filter is logging locally (writer + * thread will be located in same process). + * + * @param remote True if filter is logging remotely (writer thread + * will be located in different thread, typically + * in manager or logger node). + * + * @param info WriterBackend::WriterInfo with information about the writer. + * + * @param num_fields number of fields in the record being written. + * + * @param fields threading::Field description of the fields being logged. + */ + void HookLogInit(const std::string& writer, + const std::string& instantiating_filter, + bool local, bool remote, + const logging::WriterBackend::WriterInfo& info, + int num_fields, + const threading::Field* const* fields) const; + + /** + * Hook into log writing. This method will be called for each log line + * being written by each writer. Each writer represents a single logging + * filter. The method is called in the main thread, on the node that + * causes a log line to be written. It will _not_ be called on the logger + * node. + * This function allows plugins to modify or skip logging of information. + * Note - once a log line is skipped (by returning false), it will not + * passed on to hooks that have not yet been called. + * + * @param writer The name of the writer. + * + * @param filter Name of the filter being written to. 
+ * + * @param info WriterBackend::WriterInfo with information about the writer. + * + * @param num_fields number of fields in the record being written. + * + * @param fields threading::Field description of the fields being logged. + * + * @param vals threading::Values containing the values being written. Values + * can be modified in the Hook. + * + * @return true if log line should be written, false if log line should be + * skipped and not passed on to the writer. + */ + bool HookLogWrite(const std::string& writer, + const std::string& filter, + const logging::WriterBackend::WriterInfo& info, + int num_fields, const threading::Field* const* fields, + threading::Value** vals) const; + + /** + * Hook into reporting. This method will be called for each reporter call + * made; this includes weirds. The method cannot manipulate the data at + * the current time; however it is possible to prevent script-side events + * from being called by returning false. + * + * @param prefix The prefix passed by the reporter framework + * + * @param event The event to be called + * + * @param conn The associated connection + * + * @param addl Additional Bro values; typically will be passed to the event + * by the reporter framework. + * + * @param location True if event expects location information + * + * @param location1 First location + * + * @param location2 Second location + * + * @param time True if event expects time information + * + * @param message Message supplied by the reporter framework + * + * @return true if event should be called by the reporter framework, false + * if the event call should be skipped + */ + bool HookReporter(const std::string& prefix, const EventHandlerPtr event, + const Connection* conn, const val_list* addl, bool location, + const Location* location1, const Location* location2, + bool time, const std::string& message); + /** * Internal method that registers a freshly instantiated plugin with * the manager. 
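Review bot: The HookLogWrite comment says the values "can be modified in the Hook" but gives no contract for doing so, both here and in the matching comment in src/plugin/Plugin.h. `vals` is a `threading::Value**` that goes on to the writer, so a plugin that changes a value's type away from what `fields` declares could presumably leave the writer reading the wrong representation; the writer code is not in this diff. Suggest adding to the `@param vals` text: `Each value must keep the type declared by the corresponding entry in fields; the array must not be resized or reordered.` Two smaller points: "it will not passed on" should read "it will not be passed on", and `HookReporter` is declared without the `const` that the other hooks in this hunk carry.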
diff --git a/src/plugin/Plugin.cc b/src/plugin/Plugin.cc index b0eb19a628..1264759d02 100644 --- a/src/plugin/Plugin.cc +++ b/src/plugin/Plugin.cc @@ -10,6 +10,8 @@ #include "../Desc.h" #include "../Event.h" +#include "../Conn.h" +#include "threading/SerialTypes.h" using namespace plugin; @@ -24,6 +26,8 @@ const char* plugin::hook_name(HookType h) "UpdateNetworkTime", "BroObjDtor", "SetupAnalyzerTree", + "LogInit", + "LogWrite", // MetaHooks "MetaHookPre", "MetaHookPost", @@ -84,6 +88,11 @@ void HookArgument::Describe(ODesc* d) const d->Add(""); break; + case CONN: + if ( arg.conn ) + arg.conn->Describe(d); + break; + case FUNC_RESULT: if ( func_result.first ) { @@ -145,6 +154,70 @@ void HookArgument::Describe(ODesc* d) const case VOIDP: d->Add(""); break; + + case WRITER_INFO: + { + d->Add(arg.winfo->path); + d->Add("("); + d->Add(arg.winfo->network_time); + d->Add(","); + d->Add(arg.winfo->rotation_interval); + d->Add(","); + d->Add(arg.winfo->rotation_base); + + if ( arg.winfo->config.size() > 0 ) + { + bool first = true; + d->Add("config: {"); + + for ( auto& v: arg.winfo->config ) + { + if ( ! first ) + d->Add(", "); + + d->Add(v.first); + d->Add(": "); + d->Add(v.second); + first = false; + } + + d->Add("}"); + } + + d->Add(")"); + } + break; + + case THREAD_FIELDS: + { + d->Add("{"); + + for ( int i=0; i < tfields.first; i++ ) + { + const threading::Field* f = tfields.second[i]; + + if ( i > 0 ) + d->Add(", "); + + d->Add(f->name); + d->Add(" ("); + d->Add(f->TypeName()); + d->Add(")"); + } + + d->Add("}"); + } + break; + + case LOCATION: + if ( arg.loc ) + { + arg.loc->Describe(d); + } + else + { + d->Add(""); + } } } @@ -179,11 +252,6 @@ VersionNumber Plugin::Version() const return config.version; } -int Plugin::APIVersion() const - { - return config.api_version; - } - bool Plugin::DynamicPlugin() const { return dynamic; 
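Review bot: The name table in `plugin::hook_name` gains "LogInit" and "LogWrite" but no entry for the reporter hook, while the HookType enum in src/plugin/Plugin.h adds `HOOK_REPORTER` ahead of `META_HOOK_PRE` in the same change. The array declaration lies outside the hunk, but if the table is indexed by HookType, as its layout suggests, `HOOK_REPORTER` would print as "MetaHookPre". Both meta hooks would then shift by one slot, and `META_HOOK_POST` would read whatever follows "MetaHookPost". Add `"Reporter",` directly after `"LogWrite",`.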
@@ -287,7 +355,7 @@ void Plugin::RequestBroObjDtor(BroObj* obj) plugin_mgr->RequestBroObjDtor(obj, this); } -int Plugin::HookLoadFile(const std::string& file, const std::string& ext) +int Plugin::HookLoadFile(const LoadType type, const std::string& file, const std::string& resolved) { return -1; } @@ -319,6 +387,30 @@ void Plugin::HookBroObjDtor(void* obj) { } +void Plugin::HookLogInit(const std::string& writer, + const std::string& instantiating_filter, + bool local, bool remote, + const logging::WriterBackend::WriterInfo& info, + int num_fields, const threading::Field* const* fields) + { + } + +bool Plugin::HookLogWrite(const std::string& writer, const std::string& filter, + const logging::WriterBackend::WriterInfo& info, + int num_fields, const threading::Field* const* fields, + threading::Value** vals) + { + return true; + } + +bool Plugin::HookReporter(const std::string& prefix, const EventHandlerPtr event, + const Connection* conn, const val_list* addl, bool location, + const Location* location1, const Location* location2, + bool time, const std::string& message) + { + return true; + } + void Plugin::MetaHookPre(HookType hook, const HookArgumentList& args) { } diff --git a/src/plugin/Plugin.h b/src/plugin/Plugin.h index 54451dcfb6..9c5416230b 100644 --- a/src/plugin/Plugin.h +++ b/src/plugin/Plugin.h @@ -11,16 +11,22 @@ #include "analyzer/Component.h" #include "file_analysis/Component.h" #include "iosource/Component.h" +#include "logging/WriterBackend.h" -// We allow to override this externally for testing purposes. -#ifndef BRO_PLUGIN_API_VERSION -#define BRO_PLUGIN_API_VERSION 4 -#endif +// Increase this when making incompatible changes to the plugin API. Note +// that the constant is never used in C code. It's picked up on by CMake. +#define BRO_PLUGIN_API_VERSION 6 + +#define BRO_PLUGIN_BRO_VERSION BRO_VERSION_FUNCTION class ODesc; class Func; class Event; +namespace threading { +struct Field; +} + namespace plugin { class Manager; 
@@ -40,6 +46,9 @@ enum HookType { HOOK_UPDATE_NETWORK_TIME, //< Activates Plugin::HookUpdateNetworkTime. HOOK_BRO_OBJ_DTOR, //< Activates Plugin::HookBroObjDtor. HOOK_SETUP_ANALYZER_TREE, //< Activates Plugin::HookAddToAnalyzerTree + HOOK_LOG_INIT, //< Activates Plugin::HookLogInit + HOOK_LOG_WRITE, //< Activates Plugin::HookLogWrite + HOOK_REPORTER, //< Activates Plugin::HookReporter // Meta hooks. META_HOOK_PRE, //< Activates Plugin::MetaHookPre(). @@ -69,7 +78,7 @@ struct VersionNumber { /** * Returns true if the version is set to a non-negative value. */ - operator bool() const { return major >= 0 && minor >= 0; } + explicit operator bool() const { return major >= 0 && minor >= 0; } }; /** @@ -86,16 +95,21 @@ public: // strong hint.). The attribute seems generally available. inline Configuration() __attribute__((always_inline)); + /** + * One can assign BRO_PLUGIN_BRO_VERSION to this to catch + * version mismatches at link(!) time. + */ + const char* (*bro_version)(); + private: friend class Plugin; - int api_version; // Current BRO_PLUGIN_API_VERSION. Automatically set. }; inline Configuration::Configuration() { name = ""; description = ""; - api_version = BRO_PLUGIN_API_VERSION; + bro_version = BRO_PLUGIN_BRO_VERSION; } /** @@ -158,7 +172,8 @@ public: * Type of the argument. */ enum Type { - BOOL, DOUBLE, EVENT, FRAME, FUNC, FUNC_RESULT, INT, STRING, VAL, VAL_LIST, VOID, VOIDP + BOOL, DOUBLE, EVENT, FRAME, FUNC, FUNC_RESULT, INT, STRING, VAL, + VAL_LIST, VOID, VOIDP, WRITER_INFO, CONN, THREAD_FIELDS, LOCATION }; /** 
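Review bot: The comment on `bro_version` says one "can assign" BRO_PLUGIN_BRO_VERSION to it, yet the constructor in this hunk already assigns it unconditionally, and nothing in the visible hunks ever reads the pointer. This change also drops the run-time `APIVersion()` comparison in src/plugin/Manager.cc, so the only remaining mismatch signal appears to be a failed symbol lookup when the plugin library is loaded. For a dynamic plugin that happens at load time, not link time. Suggest rewording to `Set automatically. Referencing the versioned symbol makes loading fail if the plugin was built against a different Bro version.` It is also worth confirming that the loader's error path names the offending plugin file, since the explicit "expected %d, got %d" message is gone.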
@@ -169,57 +184,77 @@ public: /** * Constructor with a boolean argument. */ - HookArgument(bool a) { type = BOOL; arg.bool_ = a; } + explicit HookArgument(bool a) { type = BOOL; arg.bool_ = a; } /** * Constructor with a double argument. */ - HookArgument(double a) { type = DOUBLE; arg.double_ = a; } + explicit HookArgument(double a) { type = DOUBLE; arg.double_ = a; } /** * Constructor with an event argument. */ - HookArgument(const Event* a) { type = EVENT; arg.event = a; } + explicit HookArgument(const Event* a) { type = EVENT; arg.event = a; } + + /** + * Constructor with an connection argument. + */ + explicit HookArgument(const Connection* c) { type = CONN; arg.conn = c; } /** * Constructor with a function argument. */ - HookArgument(const Func* a) { type = FUNC; arg.func = a; } + explicit HookArgument(const Func* a) { type = FUNC; arg.func = a; } /** * Constructor with an integer argument. */ - HookArgument(int a) { type = INT; arg.int_ = a; } + explicit HookArgument(int a) { type = INT; arg.int_ = a; } /** * Constructor with a string argument. */ - HookArgument(const std::string& a) { type = STRING; arg_string = a; } + explicit HookArgument(const std::string& a) { type = STRING; arg_string = a; } /** * Constructor with a Bro value argument. */ - HookArgument(const Val* a) { type = VAL; arg.val = a; } + explicit HookArgument(const Val* a) { type = VAL; arg.val = a; } /** * Constructor with a list of Bro values argument. */ - HookArgument(const val_list* a) { type = VAL_LIST; arg.vals = a; } + explicit HookArgument(const val_list* a) { type = VAL_LIST; arg.vals = a; } /** * Constructor with a void pointer argument. */ - HookArgument(void* p) { type = VOIDP; arg.voidp = p; } + explicit HookArgument(void* p) { type = VOIDP; arg.voidp = p; } /** * Constructor with a function result argument. 
*/ - HookArgument(std::pair fresult) { type = FUNC_RESULT; func_result = fresult; } + explicit HookArgument(std::pair fresult) { type = FUNC_RESULT; func_result = fresult; } /** * Constructor with a Frame argument. */ - HookArgument(Frame* f) { type = FRAME; arg.frame = f; } + explicit HookArgument(Frame* f) { type = FRAME; arg.frame = f; } + + /** + * Constructor with a WriterInfo argument. + */ + explicit HookArgument(const logging::WriterBackend::WriterInfo* i) { type = WRITER_INFO; arg.winfo = i; } + + /** + * Constructor with a threading field argument. + */ + explicit HookArgument(const std::pair fpair) { type = THREAD_FIELDS; tfields = fpair; } + + /** + * Constructor with a location argument. + */ + explicit HookArgument(const Location* location) { type = LOCATION; arg.loc = location; } /** * Returns the value for a boolen argument. The argument's type must @@ -239,6 +274,12 @@ public: */ const Event* AsEvent() const { assert(type == EVENT); return arg.event; } + /** + * Returns the value for an connection argument. The argument's type must + * match accordingly. + */ + const Connection* AsConnection() const { assert(type == CONN); return arg.conn; } + /** * Returns the value for a function argument. The argument's type must * match accordingly. @@ -275,6 +316,18 @@ public: */ const Frame* AsFrame() const { assert(type == FRAME); return arg.frame; } + /** + * Returns the value for a logging WriterInfo argument. The argument's type must + * match accordingly. + */ + const logging::WriterBackend::WriterInfo* AsWriterInfo() const { assert(type == WRITER_INFO); return arg.winfo; } + + /** + * Returns the value for a threading fields argument. The argument's type must + * match accordingly. + */ + const std::pair AsThreadFields() const { assert(type == THREAD_FIELDS); return tfields; } + /** * Returns the value for a list of Bro values argument. The argument's type must * match accordingly. 
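Review bot: The new LOCATION argument type gets a constructor, `HookArgument(const Location* location)`, but no matching accessor in these hunks, whereas CONN, WRITER_INFO and THREAD_FIELDS each gain one (`AsConnection`, `AsWriterInfo`, `AsThreadFields`). Unless an accessor exists outside the hunks, a meta hook can only `Describe()` a location argument and cannot read it. Suggest adding `const Location* AsLocation() const { assert(type == LOCATION); return arg.loc; }` next to the other accessors. The accessors guard the union read only with `assert`, so a type mismatch goes unchecked in builds that define NDEBUG; that pattern predates this change but now covers more pointer types.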
@@ -305,16 +358,20 @@ private: bool bool_; double double_; const Event* event; + const Connection* conn; const Func* func; const Frame* frame; int int_; const Val* val; const val_list* vals; const void* voidp; + const logging::WriterBackend::WriterInfo* winfo; + const Location* loc; } arg; // Outside union because these have dtors. std::pair func_result; + std::pair tfields; std::string arg_string; }; @@ -353,6 +410,13 @@ public: typedef std::list bif_item_list; typedef std::list > hook_list; + /** + * The different types of @loads supported by HookLoadFile. + */ + enum LoadType { + SCRIPT, SIGNATURES, PLUGIN + }; + /** * Constructor. */ @@ -398,15 +462,6 @@ public: **/ const std::string& PluginPath() const; - /** - * Returns the internal version of the Bro API that this plugin - * relies on. Only plugins that match Bro's current API version can - * be used. For statically compiled plugins this is automatically the - * case, but dynamically loaded plugins may cause a mismatch if they - * were compiled for a different Bro version. - */ - int APIVersion() const; - /** * Returns a list of all components the plugin provides. */ @@ -570,10 +625,15 @@ protected: * script directives. The hook can take over the file, in which case * Bro will not further process it otherwise. * - * @param file The filename to be loaded, including extension. + * @param type The type of load encountered: script load, signatures load, + * or plugin load. * - * @param ext The extension of the filename. This is provided - * separately just for convenience. The dot is excluded. + * @param file The filename that was passed to @load. Only includes + * an extension if it was given in @load. + * + * @param resolved The file or directory name Bro resolved from + * the given path and is going to load. Empty string + * if Bro was not able to resolve a path. * * @return 1 if the plugin took over the file and loaded it * successfully; 0 if the plugin took over the file but had trouble 
@@ -581,7 +641,7 @@ protected: * have printed an error message); and -1 if the plugin wasn't * interested in the file at all. */ - virtual int HookLoadFile(const std::string& file, const std::string& ext); + virtual int HookLoadFile(const LoadType type, const std::string& file, const std::string& resolved); /** * Hook into executing a script-level function/event/hook. Whenever @@ -642,6 +702,13 @@ protected: */ virtual void HookUpdateNetworkTime(double network_time); + /** + * Hook that executes when a connection's initial analyzer tree + * has been fully set up. The hook can manipulate the tree at this time, + * for example by adding further analyzers. + * + * @param conn The connection. + */ virtual void HookSetupAnalyzerTree(Connection *conn); /** 
@@ -656,6 +723,104 @@ protected: */ virtual void HookBroObjDtor(void* obj); + /** + * Hook into log initialization. This method will be called when a + * logging writer is created. A writer represents a single logging + * filter. The method is called in the main thread, on the node that + * causes a log line to be written. It will _not_ be called on the logger + * node. The function will be called each for every instantiated writer. + * + * @param writer The name of the writer being insantiated. + * + * @param instantiating_filter Name of the filter causing the + * writer instantiation. + * + * @param local True if the filter is logging locally (writer + * thread will be located in same process). + * + * @param remote True if filter is logging remotely (writer thread + * will be located in different thread, typically + * in manager or logger node). + * + * @param info WriterBackend::WriterInfo with information about the writer. + * + * @param num_fields number of fields in the record being written. + * + * @param fields threading::Field description of the fields being logged. + */ + virtual void HookLogInit(const std::string& writer, + const std::string& instantiating_filter, + bool local, bool remote, + const logging::WriterBackend::WriterInfo& info, + int num_fields, + const threading::Field* const* fields); + + /** + * Hook into log writing. This method will be called for each log line + * being written by each writer. Each writer represents a single logging + * filter. The method is called in the main thread, on the node that + * causes a log line to be written. It will _not_ be called on the logger + * node. + * This function allows plugins to modify or skip logging of information. + * Note - once a log line is skipped (by returning false), it will not + * passed on to hooks that have not yet been called. + * + * @param writer The name of the writer. + * + * @param filter Name of the filter being written to. 
+ * + * @param info WriterBackend::WriterInfo with information about the writer. + * + * @param num_fields number of fields in the record being written. + * + * @param fields threading::Field description of the fields being logged. + * + * @param vals threading::Values containing the values being written. Values + * can be modified in the Hook. + * + * @return true if log line should be written, false if log line should be + * skipped and not passed on to the writer. + */ + virtual bool HookLogWrite(const std::string& writer, + const std::string& filter, + const logging::WriterBackend::WriterInfo& info, + int num_fields, + const threading::Field* const* fields, + threading::Value** vals); + + /** + * Hook into reporting. This method will be called for each reporter call + * made; this includes weirds. The method cannot manipulate the data at + * the current time; however it is possible to prevent script-side events + * from being called by returning false. + * + * @param prefix The prefix passed by the reporter framework + * + * @param event The event to be called + * + * @param conn The associated connection + * + * @param addl Additional Bro values; typically will be passed to the event + * by the reporter framework. + * + * @param location True if event expects location information + * + * @param location1 First location + * + * @param location2 Second location + * + * @param time True if event expects time information + * + * @param message Message supplied by the reporter framework + * + * @return true if event should be called by the reporter framework, false + * if the event call should be skipped + */ + virtual bool HookReporter(const std::string& prefix, const EventHandlerPtr event, + const Connection* conn, const val_list* addl, bool location, + const Location* location1, const Location* location2, + bool time, const std::string& message); + // Meta hooks. /** 
diff --git a/src/plugin/TaggedComponent.h b/src/plugin/TaggedComponent.h index 4c7adc1bd6..2d507660c2 100644 --- a/src/plugin/TaggedComponent.h +++ b/src/plugin/TaggedComponent.h @@ -25,7 +25,7 @@ public: * and component instances can accordingly access it via Tag(). * If not used, leave at zero. */ - TaggedComponent(typename T::subtype_t subtype = 0); + explicit TaggedComponent(typename T::subtype_t subtype = 0); /** * Initializes tag by creating the unique tag value for thos componend. diff --git a/src/probabilistic/BloomFilter.h b/src/probabilistic/BloomFilter.h index 7fc32a9442..288a24d416 100644 --- a/src/probabilistic/BloomFilter.h +++ b/src/probabilistic/BloomFilter.h @@ -19,7 +19,7 @@ public: /** * Destructor. */ - virtual ~BloomFilter(); + ~BloomFilter() override; /** * Adds an element to the Bloom filter. @@ -103,7 +103,7 @@ protected: * * @param hasher The hasher to use for this Bloom filter. */ - BloomFilter(const Hasher* hasher); + explicit BloomFilter(const Hasher* hasher); const Hasher* hasher; }; @@ -127,7 +127,7 @@ public: /** * Destructor. */ - ~BasicBloomFilter(); + ~BasicBloomFilter() override; /** * Computes the number of cells based on a given false positive rate @@ -158,11 +158,11 @@ public: static size_t K(size_t cells, size_t capacity); // Overridden from BloomFilter. - virtual bool Empty() const override; - virtual void Clear() override; - virtual bool Merge(const BloomFilter* other) override; - virtual BasicBloomFilter* Clone() const override; - virtual string InternalState() const override; + bool Empty() const override; + void Clear() override; + bool Merge(const BloomFilter* other) override; + BasicBloomFilter* Clone() const override; + string InternalState() const override; protected: DECLARE_SERIAL(BasicBloomFilter); 
@@ -173,8 +173,8 @@ protected: BasicBloomFilter(); // Overridden from BloomFilter. - virtual void Add(const HashKey* key) override; - virtual size_t Count(const HashKey* key) const override; + void Add(const HashKey* key) override; + size_t Count(const HashKey* key) const override; private: BitVector* bits; @@ -200,14 +200,14 @@ public: /** * Destructor. */ - ~CountingBloomFilter(); + ~CountingBloomFilter() override; // Overridden from BloomFilter. - virtual bool Empty() const override; - virtual void Clear() override; - virtual bool Merge(const BloomFilter* other) override; - virtual CountingBloomFilter* Clone() const override; - virtual string InternalState() const override; + bool Empty() const override; + void Clear() override; + bool Merge(const BloomFilter* other) override; + CountingBloomFilter* Clone() const override; + string InternalState() const override; protected: DECLARE_SERIAL(CountingBloomFilter); @@ -218,8 +218,8 @@ protected: CountingBloomFilter(); // Overridden from BloomFilter. - virtual void Add(const HashKey* key) override; - virtual size_t Count(const HashKey* key) const override; + void Add(const HashKey* key) override; + size_t Count(const HashKey* key) const override; private: CounterVector* cells; diff --git a/src/probabilistic/CounterVector.h b/src/probabilistic/CounterVector.h index 247a646eb1..422d172292 100644 --- a/src/probabilistic/CounterVector.h +++ b/src/probabilistic/CounterVector.h @@ -26,7 +26,7 @@ public: * * @pre `cells > 0 && width > 0` */ - CounterVector(size_t width, size_t cells = 1024); + explicit CounterVector(size_t width, size_t cells = 1024); /** * Copy-constructs a counter vector. @@ -38,7 +38,7 @@ public: /** * Destructor. */ - ~CounterVector(); + ~CounterVector() override; /** * Increments a given cell. diff --git a/src/probabilistic/Hasher.h b/src/probabilistic/Hasher.h index da83104e9d..7fd2e4fb2f 100644 --- a/src/probabilistic/Hasher.h +++ b/src/probabilistic/Hasher.h 
@@ -43,7 +43,7 @@ public: /** * Destructor. */ - virtual ~Hasher() { } + ~Hasher() override { } /** * Computes hash values for an element. @@ -138,7 +138,7 @@ public: * * @param arg_seed The seed to use for this instance. */ - UHF(Hasher::seed_t arg_seed); + explicit UHF(Hasher::seed_t arg_seed); template Hasher::digest operator()(const T& x) const @@ -204,9 +204,9 @@ public: DefaultHasher(size_t k, Hasher::seed_t seed); // Overridden from Hasher. - virtual digest_vector Hash(const void* x, size_t n) const final; - virtual DefaultHasher* Clone() const final; - virtual bool Equals(const Hasher* other) const final; + digest_vector Hash(const void* x, size_t n) const final; + DefaultHasher* Clone() const final; + bool Equals(const Hasher* other) const final; DECLARE_SERIAL(DefaultHasher); @@ -232,9 +232,9 @@ public: DoubleHasher(size_t k, Hasher::seed_t seed); // Overridden from Hasher. - virtual digest_vector Hash(const void* x, size_t n) const final; - virtual DoubleHasher* Clone() const final; - virtual bool Equals(const Hasher* other) const final; + digest_vector Hash(const void* x, size_t n) const final; + DoubleHasher* Clone() const final; + bool Equals(const Hasher* other) const final; DECLARE_SERIAL(DoubleHasher); diff --git a/src/probabilistic/Topk.h b/src/probabilistic/Topk.h index a9a0d80818..fac677a454 100644 --- a/src/probabilistic/Topk.h +++ b/src/probabilistic/Topk.h @@ -45,12 +45,12 @@ public: * * @return A newly initialized TopkVal */ - TopkVal(uint64 size); + explicit TopkVal(uint64 size); /** * Destructor. */ - ~TopkVal(); + ~TopkVal() override; /** * Call this when a new value is encountered. Note that on the first diff --git a/src/re-parse.y b/src/re-parse.y index 3847c06f29..95573f6a22 100644 --- a/src/re-parse.y +++ b/src/re-parse.y 
@@ -11,11 +11,12 @@ int csize = 256; int syntax_error = 0; +int cupper(int sym); int clower(int sym); void yyerror(const char msg[]); %} -%token TOK_CHAR TOK_NUMBER TOK_CCL TOK_CCE +%token TOK_CHAR TOK_NUMBER TOK_CCL TOK_CCE TOK_CASE_INSENSITIVE %union { int int_val; @@ -126,12 +127,11 @@ singleton : singleton '*' | '(' re ')' { $$ = $2; } + | TOK_CASE_INSENSITIVE re ')' + { $$ = $2; case_insensitive = 0; } + | TOK_CHAR - { - if ( case_insensitive && $1 >= 'A' && $1 <= 'Z' ) - $1 = clower($1); - $$ = new NFA_Machine(new NFA_State($1, rem->EC())); - } + { $$ = new NFA_Machine(new NFA_State($1, rem->EC())); } | '^' { @@ -158,17 +158,29 @@ full_ccl : '[' ccl ']' ccl : ccl TOK_CHAR '-' TOK_CHAR { - if ( case_insensitive ) - { - if ( $2 >= 'A' && $2 <= 'Z' ) - $2 = clower($2); - if ( $4 >= 'A' && $4 <= 'Z' ) - $4 = clower($4); - } - if ( $2 > $4 ) synerr("negative range in character class"); + else if ( case_insensitive && + (isalpha($2) || isalpha($4)) ) + { + if ( isalpha($2) && isalpha($4) && + isupper($2) == isupper($4) ) + { // Compatible range, do both versions + int l2 = tolower($2); + int l4 = tolower($4); + + for ( int i = l2; i<= l4; ++i ) + { + $1->Add(i); + $1->Add(toupper(i)); + } + } + + else + synerr("ambiguous case-insensitive character class"); + } + else { for ( int i = $2; i <= $4; ++i ) @@ -178,10 +190,13 @@ ccl : ccl TOK_CHAR '-' TOK_CHAR | ccl TOK_CHAR { - if ( case_insensitive && $2 >= 'A' && $2 <= 'Z' ) - $2 = clower($2); - - $1->Add($2); + if ( case_insensitive && isalpha($2) ) + { + $1->Add(clower($2)); + $1->Add(cupper($2)); + } + else + $1->Add($2); } | ccl ccl_expr @@ -200,9 +215,10 @@ ccl_expr: TOK_CCE string : string TOK_CHAR { - if ( case_insensitive && $2 >= 'A' && $2 <= 'Z' ) - $2 = clower($2); - + // Even if case-insensitivity is set, + // leave this alone; that provides a way + // of "escaping" out of insensitivity + // if needed. $1->AppendState(new NFA_State($2, rem->EC())); } 
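Review bot: The `TOK_CASE_INSENSITIVE re ')'` action resets `case_insensitive` to 0 unconditionally, so the flag does not nest. In a pattern like `(?i:a(?i:b)c)` the inner close would switch insensitivity off and the trailing `c` would be matched case-sensitively. The same would apply to the rest of any pattern that is wrapped case-insensitively from outside and contains its own `(?i:` group. For detection patterns that shows up as a silent non-match rather than an error. Either treat the flag as a depth counter (`++case_insensitive` in the scanner rule, `--case_insensitive` here) or reject a nested group with `synerr("nested (?i: is not supported")`.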
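Review bot: In the case-insensitive range branch of `ccl`, `isupper($2) == isupper($4)` compares the raw return values of `isupper`, which C only guarantees to be non-zero on a match, not equal to each other. `!isupper($2) == !isupper($4)` expresses the intended test. This branch also calls `isalpha`, `tolower` and `toupper` directly, while the `cupper`/`clower` helpers in this file check `isascii` first, so under a non-C locale bytes above 127 could be folded here but not in the single-character rule. Guarding the branch with `isascii($2) && isascii($4)` keeps the two paths consistent.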
@@ -211,6 +227,11 @@ string : string TOK_CHAR ; %% +int cupper(int sym) + { + return (isascii(sym) && islower(sym)) ? toupper(sym) : sym; + } + int clower(int sym) { return (isascii(sym) && isupper(sym)) ? tolower(sym) : sym; diff --git a/src/re-scan.l b/src/re-scan.l index 0d737f08a6..292f7a2e02 100644 --- a/src/re-scan.l +++ b/src/re-scan.l @@ -114,6 +114,25 @@ CCL_EXPR ("[:"[[:alpha:]]+":]") } } + "(?i:" case_insensitive = 1; return TOK_CASE_INSENSITIVE; + + [a-zA-Z] { + if ( case_insensitive ) + { + char c = yytext[0]; // unput trashes yytext! + // Push back the character inside a CCL, + // so the parser can then expand it. + unput(']'); + unput(c); + unput('['); + } + else + { + yylval.int_val = yytext[0]; + return TOK_CHAR; + } + } + [|*+?.(){}] return yytext[0]; . yylval.int_val = yytext[0]; return TOK_CHAR; \n return 0; // treat as end of pattern @@ -149,15 +168,22 @@ CCL_EXPR ("[:"[[:alpha:]]+":]") "[:cntrl:]" RET_CCE(my_iscntrl) "[:digit:]" RET_CCE(my_isdigit) "[:graph:]" RET_CCE(my_isgraph) - "[:lower:]" RET_CCE(my_islower) "[:print:]" RET_CCE(my_isprint) "[:punct:]" RET_CCE(my_ispunct) "[:space:]" RET_CCE(my_isspace) "[:xdigit:]" RET_CCE(my_isxdigit) + + "[:lower:]" { + BEGIN(SC_CCL); + yylval.cce_val = + case_insensitive ? my_isalpha : my_islower; + return TOK_CCE; + } + "[:upper:]" { BEGIN(SC_CCL); yylval.cce_val = - case_insensitive ? my_isupper : my_islower; + case_insensitive ? my_isalpha : my_isupper; return TOK_CCE; } @@ -196,8 +222,15 @@ CCL_EXPR ("[:"[[:alpha:]]+":]") %% +YY_BUFFER_STATE RE_buf; + void RE_set_input(const char* str) { RE_parse_input = str; - yy_scan_string(str); + RE_buf = yy_scan_string(str); + } + +void RE_done_with_scan() + { + yy_delete_buffer(RE_buf); } diff --git a/src/scan.l b/src/scan.l index 4fd2aac1c3..ffdec4d640 100644 --- a/src/scan.l +++ b/src/scan.l 
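Review bot: `RE_done_with_scan()` frees `RE_buf` but leaves the pointer set, so a second call hands an already-freed buffer to `yy_delete_buffer()`. A second `RE_set_input()` without an intervening `RE_done_with_scan()` overwrites the handle and leaks the earlier buffer. Clearing the handle after the delete makes the pair safe to call in any order: `yy_delete_buffer(RE_buf); RE_buf = 0;`, with `RE_set_input()` deleting a non-null `RE_buf` before it rescans. Declaring it `static YY_BUFFER_STATE RE_buf = 0;` would also keep the name out of the global namespace, assuming no other file refers to it.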
@@ -193,7 +193,7 @@ ESCSEQ (\\([^\n]|[0-7]+|x[[:xdigit:]]+)) RET_CONST(new SubNetVal(IPPrefix(IPAddr(ip), len))) } -[!%*/+\-,:;<=>?()\[\]{}~$|] return yytext[0]; +[!%*/+\-,:;<=>?()\[\]{}~$|&^] return yytext[0]; "--" return TOK_DECR; "++" return TOK_INCR; @@ -206,15 +206,17 @@ ESCSEQ (\\([^\n]|[0-7]+|x[[:xdigit:]]+)) ">=" return TOK_GE; "<=" return TOK_LE; -"&&" return TOK_AND; -"||" return TOK_OR; +"&&" return TOK_AND_AND; +"||" return TOK_OR_OR; add return TOK_ADD; addr return TOK_ADDR; any return TOK_ANY; +as return TOK_AS; bool return TOK_BOOL; break return TOK_BREAK; case return TOK_CASE; +option return TOK_OPTION; const return TOK_CONST; copy return TOK_COPY; count return TOK_COUNT; @@ -239,6 +241,7 @@ in return TOK_IN; "!"{OWS}in/[^A-Za-z0-9] return TOK_NOT_IN; /* don't confuse w "! infoo"! */ int return TOK_INT; interval return TOK_INTERVAL; +is return TOK_IS; list return TOK_LIST; local return TOK_LOCAL; module return TOK_MODULE; @@ -287,14 +290,12 @@ when return TOK_WHEN; } &mergeable { - // Not yet deprecated, but soon. - //deprecated_attr(yytext); + deprecated_attr(yytext); return TOK_ATTR_MERGEABLE; } &persistent { - // Not yet deprecated, but soon. - //deprecated_attr(yytext); + deprecated_attr(yytext); return TOK_ATTR_PERSISTENT; } @@ -309,8 +310,8 @@ when return TOK_WHEN; } &synchronized { - // Not yet deprecated, but soon. - //deprecated_attr(yytext); + ++old_comm_usage_count; + deprecated_attr(yytext); return TOK_ATTR_SYNCHRONIZED; } 
@@ -348,17 +349,60 @@ when return TOK_WHEN; @load-sigs{WS}{FILE} { const char* file = skip_whitespace(yytext + 10); string path = find_relative_file(file, "sig"); + int rc = PLUGIN_HOOK_WITH_RESULT(HOOK_LOAD_FILE, HookLoadFile(plugin::Plugin::SIGNATURES, file, path), -1); - if ( path.empty() ) - reporter->Error("failed to find file associated with @load-sigs %s", - file); - else - sig_files.push_back(copy_string(path.c_str())); + switch ( rc ) { + case -1: + // No plugin in charge of this file. + if ( path.empty() ) + reporter->Error("failed to find file associated with @load-sigs %s", + file); + else + sig_files.push_back(copy_string(path.c_str())); + break; + + case 0: + if ( ! reporter->Errors() ) + reporter->Error("Plugin reported error loading signatures %s", file); + + exit(1); + break; + + case 1: + // A plugin took care of it, just skip. + break; + + default: + assert(false); + break; + } } @load-plugin{WS}{ID} { const char* plugin = skip_whitespace(yytext + 12); - plugin_mgr->ActivateDynamicPlugin(plugin); + int rc = PLUGIN_HOOK_WITH_RESULT(HOOK_LOAD_FILE, HookLoadFile(plugin::Plugin::PLUGIN, plugin, ""), -1); + + switch ( rc ) { + case -1: + // No plugin in charge of this file. + plugin_mgr->ActivateDynamicPlugin(plugin); + break; + + case 0: + if ( ! reporter->Errors() ) + reporter->Error("Plugin reported error loading plugin %s", plugin); + + exit(1); + break; + + case 1: + // A plugin took care of it, just skip. + break; + + default: + assert(false); + break; + } } @unload{WS}{FILE} { @@ -431,7 +475,7 @@ F RET_CONST(new Val(false, TYPE_BOOL)) reporter->Error("bad port number - %s", yytext); p = 0; } - RET_CONST(new PortVal(p, TRANSPORT_TCP)) + RET_CONST(port_mgr->Get(p, TRANSPORT_TCP)) } {D}"/udp" { uint32 p = atoi(yytext); 
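Review bot: The `default:` arms of the two new `switch ( rc )` blocks (`@load-sigs` and `@load-plugin`) rely on `assert(false)`, which is compiled out when `NDEBUG` is defined, so an unexpected `HOOK_LOAD_FILE` result would then skip the signature file or plugin without any diagnostic. For a sensor that means running with detection content missing and nothing in the logs to show it. Reporting the condition explicitly is safer, e.g. `reporter->InternalError("unexpected HOOK_LOAD_FILE result %d", rc);`. The `break;` after `exit(1);` in both `case 0:` arms is unreachable and can be dropped.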
@@ -440,7 +484,7 @@ F RET_CONST(new Val(false, TYPE_BOOL)) reporter->Error("bad port number - %s", yytext); p = 0; } - RET_CONST(new PortVal(p, TRANSPORT_UDP)) + RET_CONST(port_mgr->Get(p, TRANSPORT_UDP)) } {D}"/icmp" { uint32 p = atoi(yytext); @@ -449,7 +493,7 @@ F RET_CONST(new Val(false, TYPE_BOOL)) reporter->Error("bad port number - %s", yytext); p = 0; } - RET_CONST(new PortVal(p, TRANSPORT_ICMP)) + RET_CONST(port_mgr->Get(p, TRANSPORT_ICMP)) } {D}"/unknown" { uint32 p = atoi(yytext); @@ -458,7 +502,7 @@ F RET_CONST(new Val(false, TYPE_BOOL)) reporter->Error("bad port number - %s", yytext); p = 0; } - RET_CONST(new PortVal(p, TRANSPORT_UNKNOWN)) + RET_CONST(port_mgr->Get(p, TRANSPORT_UNKNOWN)) } {FLOAT}{OWS}day(s?) RET_CONST(new IntervalVal(atof(yytext),Days)) @@ -510,7 +554,19 @@ F RET_CONST(new Val(false, TYPE_BOOL)) return TOK_PATTERN_TEXT; } -[/\\\n] return yytext[0]; +"/" { + BEGIN(INITIAL); + yylval.b = false; + return TOK_PATTERN_END; + } + +"/i" { + BEGIN(INITIAL); + yylval.b = true; + return TOK_PATTERN_END; + } + +[\\\n] return yytext[0]; // should cause a parse error <*>. reporter->Error("unrecognized character - %s", yytext); @@ -547,7 +603,8 @@ static bool already_scanned(const string& path) static int load_files(const char* orig_file) { - int rc = PLUGIN_HOOK_WITH_RESULT(HOOK_LOAD_FILE, HookLoadFile(orig_file), -1); + string file_path = find_relative_file(orig_file, "bro"); + int rc = PLUGIN_HOOK_WITH_RESULT(HOOK_LOAD_FILE, HookLoadFile(plugin::Plugin::SCRIPT, orig_file, file_path), -1); if ( rc == 1 ) return 0; // A plugin took care of it, just skip. @@ -568,7 +625,6 @@ static int load_files(const char* orig_file) // Whether we pushed on a FileInfo that will restore the // current module after the final file has been scanned. bool did_module_restore = false; - string file_path; FILE* f = 0; if ( streq(orig_file, "-") ) 
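Review bot: The new `"/i"` rule has no trailing context, so a pattern literal directly followed by an identifier or keyword starting with `i` (for example `/foo/in s`) is now scanned as a case-insensitive pattern followed by `n`, because flex prefers the longer match over `"/"`. The existing `"!"{OWS}in/[^A-Za-z0-9]` rule in this file uses trailing context for the same reason, and `"/i"/[^A-Za-z0-9_]` would do the same here, though a pattern that ends the input then needs a check. The start-condition prefix of these rules is not visible in this rendering, so this assumes both rules belong to the pattern-scanning state.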
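Review bot: `find_relative_file(orig_file, "bro")` now runs before the `streq(orig_file, "-")` test further down, so for standard input the hook receives the result of a search-path lookup for the literal name `-`, and it receives an empty `file_path` whenever the lookup fails. A comment at the call would tell plugin authors what to expect: `// file_path is empty if orig_file could not be resolved, and is not meaningful for "-"`. The body of `load_files` continues outside this hunk, so whether `file_path` is overwritten for the stdin case cannot be confirmed from here.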
@@ -585,8 +641,6 @@ static int load_files(const char* orig_file) else { - file_path = find_relative_file(orig_file, "bro"); - if ( file_path.empty() ) reporter->FatalError("can't find %s", orig_file); @@ -636,6 +690,8 @@ static int load_files(const char* orig_file) broxygen_mgr->Script(file_path); + DBG_LOG(DBG_SCRIPTS, "Loading %s", file_path.c_str()); + // "orig_file", could be an alias for yytext, which is ephemeral // and will be zapped after the yy_switch_to_buffer() below. yy_switch_to_buffer(yy_create_buffer(f, YY_BUF_SIZE)); @@ -654,11 +710,6 @@ void begin_RE() BEGIN(RE); } -void end_RE() - { - BEGIN(INITIAL); - } - class LocalNameFinder : public TraversalCallback { public: LocalNameFinder() @@ -778,6 +829,18 @@ void do_atendif() // are referred to (in order to save the locations of tokens and statements, // for error reporting and debugging). static name_list input_files; +static name_list essential_input_files; + +void add_essential_input_file(const char* file) + { + if ( ! file ) + reporter->InternalError("empty filename"); + + if ( ! filename ) + (void) load_files(file); + else + essential_input_files.append(copy_string(file)); + } void add_input_file(const char* file) { @@ -826,7 +889,7 @@ int yywrap() if ( ! did_builtin_init && file_stack.length() == 1 ) { // ### This is a gross hack - we know that the first file - // we parse is bro.init, and after it it's safe to initialize + // we parse is init-bare.bro, and after it it's safe to initialize // the built-ins. Furthermore, we want to initialize the // built-in's *right* after parsing bro.init, so that other // source files can use built-in's when initializing globals. 
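Review bot: The comment in `yywrap()` is only half updated: the first mention now names `init-bare.bro`, but two lines later it still says the built-ins are initialized `*right* after parsing bro.init`. Change that line to `// built-in's *right* after parsing init-bare.bro, so that other` so the comment names one file throughout. The rest of `yywrap()` lies outside this hunk.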
@@ -842,19 +905,22 @@ int yywrap() return 0; // Stack is now empty. - while ( input_files.length() > 0 ) + while ( essential_input_files.length() > 0 || input_files.length() > 0 ) { - if ( load_files(input_files[0]) ) + name_list& files = essential_input_files.length() > 0 ? + essential_input_files : input_files; + + if ( load_files(files[0]) ) { // Don't delete the filename - it's pointed to by // every BroObj created when parsing it. - (void) input_files.remove_nth(0); + (void) files.remove_nth(0); return 0; } // We already scanned the file. Pop it and try the next, // if any. - (void) input_files.remove_nth(0); + (void) files.remove_nth(0); } // For each file scanned so far, and for each @prefix, look for a diff --git a/src/stats.bif b/src/stats.bif index e901b5e777..2a525a1790 100644 --- a/src/stats.bif +++ b/src/stats.bif @@ -2,6 +2,7 @@ %%{ // C segment #include "util.h" #include "threading/Manager.h" +#include "broker/Manager.h" RecordType* ProcStats; RecordType* NetStats; @@ -14,6 +15,7 @@ RecordType* EventStats; RecordType* ThreadStats; RecordType* TimerStats; RecordType* FileAnalysisStats; +RecordType* BrokerStats; %%} ## Returns packet capture statistics. Statistics include the number of @@ -32,6 +34,7 @@ RecordType* FileAnalysisStats; ## get_reassembler_stats ## get_thread_stats ## get_timer_stats +## get_broker_stats function get_net_stats%(%): NetStats %{ uint64 recv = 0; @@ -79,6 +82,7 @@ function get_net_stats%(%): NetStats ## get_reassembler_stats ## get_thread_stats ## get_timer_stats +## get_broker_stats function get_conn_stats%(%): ConnStats %{ RecordVal* r = new RecordVal(ConnStats); @@ -128,6 +132,7 @@ function get_conn_stats%(%): ConnStats ## get_reassembler_stats ## get_thread_stats ## get_timer_stats +## get_broker_stats function get_proc_stats%(%): ProcStats %{ struct rusage ru; 
@@ -183,6 +188,7 @@ function get_proc_stats%(%): ProcStats ## get_reassembler_stats ## get_thread_stats ## get_timer_stats +## get_broker_stats function get_event_stats%(%): EventStats %{ RecordVal* r = new RecordVal(EventStats); @@ -208,6 +214,7 @@ function get_event_stats%(%): EventStats ## get_proc_stats ## get_thread_stats ## get_timer_stats +## get_broker_stats function get_reassembler_stats%(%): ReassemblerStats %{ RecordVal* r = new RecordVal(ReassemblerStats); @@ -235,6 +242,7 @@ function get_reassembler_stats%(%): ReassemblerStats ## get_reassembler_stats ## get_thread_stats ## get_timer_stats +## get_broker_stats function get_dns_stats%(%): DNSStats %{ RecordVal* r = new RecordVal(DNSStats); @@ -267,6 +275,7 @@ function get_dns_stats%(%): DNSStats ## get_proc_stats ## get_reassembler_stats ## get_thread_stats +## get_broker_stats function get_timer_stats%(%): TimerStats %{ RecordVal* r = new RecordVal(TimerStats); @@ -293,6 +302,7 @@ function get_timer_stats%(%): TimerStats ## get_reassembler_stats ## get_thread_stats ## get_timer_stats +## get_broker_stats function get_file_analysis_stats%(%): FileAnalysisStats %{ RecordVal* r = new RecordVal(FileAnalysisStats); @@ -319,6 +329,7 @@ function get_file_analysis_stats%(%): FileAnalysisStats ## get_proc_stats ## get_reassembler_stats ## get_timer_stats +## get_broker_stats function get_thread_stats%(%): ThreadStats %{ RecordVal* r = new RecordVal(ThreadStats); @@ -343,6 +354,7 @@ function get_thread_stats%(%): ThreadStats ## get_reassembler_stats ## get_thread_stats ## get_timer_stats +## get_broker_stats function get_gap_stats%(%): GapStats %{ RecordVal* r = new RecordVal(GapStats); @@ -373,6 +385,7 @@ function get_gap_stats%(%): GapStats ## get_reassembler_stats ## get_thread_stats ## get_timer_stats +## get_broker_stats function get_matcher_stats%(%): MatcherStats %{ RecordVal* r = new RecordVal(MatcherStats); 
@@ -394,29 +407,37 @@ function get_matcher_stats%(%): MatcherStats return r; %} -# function get_broker_stats%(%): BrokerStats -# %{ -# RecordVal* r = new RecordVal(CommunicationStats); -# int n = 0; -# -# #ifdef ENABLE_BROKER -# auto cs = broker_mgr->ConsumeStatistics(); -# -# r->Assign(n++, new Val(cs.outgoing_peer_count, TYPE_COUNT)); -# r->Assign(n++, new Val(cs.data_store_count, TYPE_COUNT)); -# r->Assign(n++, new Val(cs.pending_query_count, TYPE_COUNT)); -# r->Assign(n++, new Val(cs.response_count, TYPE_COUNT)); -# r->Assign(n++, new Val(cs.outgoing_conn_status_count, TYPE_COUNT)); -# r->Assign(n++, new Val(cs.incoming_conn_status_count, TYPE_COUNT)); -# r->Assign(n++, new Val(cs.report_count, TYPE_COUNT)); -# -# //for ( const auto& s : cs.print_count ) -# // file->Write(fmt(" %-25s prints dequeued=%zu\n", s.first.data(), s.second)); -# //for ( const auto& s : cs.event_count ) -# // file->Write(fmt(" %-25s events dequeued=%zu\n", s.first.data(), s.second)); -# //for ( const auto& s : cs.log_count ) -# // file->Write(fmt(" %-25s logs dequeued=%zu\n", s.first.data(), s.second)); -# #endif -# -# return r; -# %} +## Returns statistics about Broker communication. +## +## Returns: A record with Broker statistics. +## +## .. 
bro:see:: get_conn_stats +## get_dns_stats +## get_event_stats +## get_file_analysis_stats +## get_gap_stats +## get_matcher_stats +## get_net_stats +## get_proc_stats +## get_reassembler_stats +## get_thread_stats +## get_timer_stats +## get_broker_stats +function get_broker_stats%(%): BrokerStats + %{ + RecordVal* r = new RecordVal(BrokerStats); + int n = 0; + + auto cs = broker_mgr->GetStatistics(); + r->Assign(n++, new Val(static_cast(cs.num_peers), TYPE_COUNT)); + r->Assign(n++, new Val(static_cast(cs.num_stores), TYPE_COUNT)); + r->Assign(n++, new Val(static_cast(cs.num_pending_queries), TYPE_COUNT)); + r->Assign(n++, new Val(static_cast(cs.num_events_incoming), TYPE_COUNT)); + r->Assign(n++, new Val(static_cast(cs.num_events_outgoing), TYPE_COUNT)); + r->Assign(n++, new Val(static_cast(cs.num_logs_incoming), TYPE_COUNT)); + r->Assign(n++, new Val(static_cast(cs.num_logs_outgoing), TYPE_COUNT)); + r->Assign(n++, new Val(static_cast(cs.num_ids_incoming), TYPE_COUNT)); + r->Assign(n++, new Val(static_cast(cs.num_ids_outgoing), TYPE_COUNT)); + + return r; + %} diff --git a/src/threading/BasicThread.cc b/src/threading/BasicThread.cc index 86d7d7b560..3b6f5d6532 100644 --- a/src/threading/BasicThread.cc +++ b/src/threading/BasicThread.cc @@ -5,6 +5,7 @@ #include "bro-config.h" #include "BasicThread.h" #include "Manager.h" +#include "pthread.h" #ifdef HAVE_LINUX #include @@ -21,7 +22,6 @@ BasicThread::BasicThread() started = false; terminating = false; killed = false; - pthread = 0; buf_len = STD_FMT_BUF_LEN; buf = (char*) safe_malloc(buf_len); @@ -50,6 +50,7 @@ void BasicThread::SetName(const char* arg_name) void BasicThread::SetOSName(const char* arg_name) { + static_assert(std::is_same::value, "libstdc++ doesn't use pthread_t"); #ifdef HAVE_LINUX prctl(PR_SET_NAME, arg_name, 0, 0, 0); 
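Review bot: The added `#include "pthread.h"` uses the quoted form for a system header, so the preprocessor searches the including file's directory first and a stray `pthread.h` in the source tree would shadow the platform header. `#include <pthread.h>` is the conventional form and matches how system headers are normally included. If the `static_assert` added to `SetOSName()` relies on `std::is_same`, `<type_traits>` should be included explicitly as well; the template arguments are not visible in this rendering, so that part is an assumption.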
@@ -60,7 +61,7 @@ void BasicThread::SetOSName(const char* arg_name) #endif #ifdef FREEBSD - pthread_set_name_np(pthread_self(), arg_name, arg_name); + pthread_set_name_np(thread.native_handle(), arg_name, arg_name); #endif } @@ -97,7 +98,7 @@ const char* BasicThread::Strerror(int err) if ( ! strerr_buffer ) strerr_buffer = new char[256]; - strerror_r(err, strerr_buffer, 256); + bro_strerror_r(err, strerr_buffer, 256); return strerr_buffer; } @@ -108,9 +109,7 @@ void BasicThread::Start() started = true; - int err = pthread_create(&pthread, 0, BasicThread::launcher, this); - if ( err != 0 ) - reporter->FatalError("Cannot create thread %s: %s", name, Strerror(err)); + thread = std::thread(&BasicThread::launcher, this); DBG_LOG(DBG_THREADING, "Started thread %s", name); @@ -147,17 +146,21 @@ void BasicThread::Join() if ( ! started ) return; - if ( ! pthread ) + if ( ! thread.joinable() ) return; assert(terminating); - if ( pthread_join(pthread, 0) != 0 ) - reporter->FatalError("Failure joining thread %s", name); + try + { + thread.join(); + } + catch ( const std::system_error& e ) + { + reporter->FatalError("Failure joining thread %s with error %s", name, e.what()); + } DBG_LOG(DBG_THREADING, "Joined with thread %s", name); - - pthread = 0; } void BasicThread::Kill() @@ -180,6 +183,7 @@ void BasicThread::Done() void* BasicThread::launcher(void *arg) { + static_assert(std::is_same::value, "libstdc++ doesn't use pthread_t"); BasicThread* thread = (BasicThread *)arg; // Block signals in thread. We handle signals only in the main diff --git a/src/threading/BasicThread.h b/src/threading/BasicThread.h index 6386e5ae66..ea829fce54 100644 --- a/src/threading/BasicThread.h +++ b/src/threading/BasicThread.h @@ -2,8 +2,7 @@ #ifndef THREADING_BASICTHREAD_H #define THREADING_BASICTHREAD_H -#include -#include +#include #include "util.h" 
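Review bot: In the `FREEBSD` branch of `SetOSName()`, `pthread_self()` was replaced by `thread.native_handle()`, which reads the `std::thread` member that `Start()` assigns on the parent thread. If `SetOSName()` is called from the new thread itself (the `launcher` body is outside this hunk, so this is an assumption), that read can race with `thread = std::thread(...)` and see a default-constructed handle. `pthread_self()` has no such dependency and always names the calling thread, as the Linux `prctl(PR_SET_NAME, ...)` branch does, so keeping `pthread_set_name_np(pthread_self(), arg_name, arg_name);` is the safer choice.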
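Review bot: `Start()` now creates the thread with `std::thread(&BasicThread::launcher, this)` and no longer handles failure. The constructor throws `std::system_error` when the thread cannot be created and nothing in this hunk catches it, so the process would end through `std::terminate` instead of the former `reporter->FatalError("Cannot create thread ...")`. `Join()` in the same commit wraps `thread.join()` in a `try`/`catch`, and `Start()` should do the same so that resource exhaustion is reported with the thread's name. The body of `Start()` continues outside the hunk.

```cpp
	started = true;

	try
		{
		thread = std::thread(&BasicThread::launcher, this);
		}
	catch ( const std::system_error& e )
		{
		reporter->FatalError("Cannot create thread %s: %s", name, e.what());
		}

	// … unchanged: DBG_LOG and the remainder of Start() …
```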
@@ -35,6 +34,9 @@ public: */ BasicThread(); + BasicThread(BasicThread const&) = delete; + BasicThread& operator =(BasicThread const&) = delete; + /** * Returns a descriptive name for the thread. If not set via * SetName(). If not set, a default name is choosen automatically. @@ -192,11 +194,11 @@ protected: void Done(); private: - // pthread entry function. + // thread entry function. static void* launcher(void *arg); const char* name; - pthread_t pthread; + std::thread thread; bool started; // Set to to true once running. bool terminating; // Set to to true to signal termination. bool killed; // Set to true once forcefully killed. diff --git a/src/threading/Formatter.cc b/src/threading/Formatter.cc index 3f366de90a..b881962732 100644 --- a/src/threading/Formatter.cc +++ b/src/threading/Formatter.cc @@ -22,7 +22,7 @@ Formatter::~Formatter() { } -string Formatter::Render(const threading::Value::addr_t& addr) const +string Formatter::Render(const threading::Value::addr_t& addr) { if ( addr.family == IPv4 ) { @@ -90,7 +90,7 @@ threading::Value::addr_t Formatter::ParseAddr(const string &s) const return val; } -string Formatter::Render(const threading::Value::subnet_t& subnet) const +string Formatter::Render(const threading::Value::subnet_t& subnet) { char l[16]; @@ -104,7 +104,7 @@ string Formatter::Render(const threading::Value::subnet_t& subnet) const return s; } -string Formatter::Render(double d) const +string Formatter::Render(double d) { char buf[256]; modp_dtoa(d, buf, 6); diff --git a/src/threading/Formatter.h b/src/threading/Formatter.h index c8337959bf..c564f3c945 100644 --- a/src/threading/Formatter.h +++ b/src/threading/Formatter.h @@ -87,7 +87,7 @@ public: * * @return An ASCII representation of the address. */ - string Render(const threading::Value::addr_t& addr) const; + static string Render(const threading::Value::addr_t& addr); /** * Convert an subnet value into a string. 
@@ -98,7 +98,7 @@ public: * * @return An ASCII representation of the subnet. */ - string Render(const threading::Value::subnet_t& subnet) const; + static string Render(const threading::Value::subnet_t& subnet); /** * Convert a double into a string. This renders the double with Bro's @@ -110,7 +110,7 @@ public: * * @return An ASCII representation of the double. */ - string Render(double d) const; + static string Render(double d); /** * Convert a string into a TransportProto. The string must be one of diff --git a/src/threading/Manager.h b/src/threading/Manager.h index 70e592fa10..dce35cde3a 100644 --- a/src/threading/Manager.h +++ b/src/threading/Manager.h @@ -33,7 +33,7 @@ public: /** * Destructir. */ - ~Manager(); + ~Manager() override; /** * Terminates the manager's processor. The method signals all threads @@ -103,23 +103,23 @@ protected: /** * Part of the IOSource interface. */ - virtual void GetFds(iosource::FD_Set* read, iosource::FD_Set* write, - iosource::FD_Set* except); + void GetFds(iosource::FD_Set* read, iosource::FD_Set* write, + iosource::FD_Set* except) override; /** * Part of the IOSource interface. */ - virtual double NextTimestamp(double* network_time); + double NextTimestamp(double* network_time) override; /** * Part of the IOSource interface. */ - virtual void Process(); + void Process() override; /** * Part of the IOSource interface. */ - virtual const char* Tag() { return "threading::Manager"; } + const char* Tag() override { return "threading::Manager"; } private: typedef std::list all_thread_list; diff --git a/src/threading/MsgThread.h b/src/threading/MsgThread.h index 96da68e1d0..60da2d9668 100644 --- a/src/threading/MsgThread.h +++ b/src/threading/MsgThread.h @@ -2,8 +2,6 @@ #ifndef THREADING_MSGTHREAD_H #define THREADING_MSGTHREAD_H -#include - #include "DebugLogger.h" #include "BasicThread.h" 
@@ -341,7 +339,7 @@ protected: * @param arg_name A descriptive name for the type of message. Used * mainly for debugging purposes. */ - Message(const char* arg_name) + explicit Message(const char* arg_name) { name = copy_string(arg_name); } private: @@ -360,7 +358,7 @@ protected: * @param name A descriptive name for the type of message. Used * mainly for debugging purposes. */ - BasicInputMessage(const char* name) : Message(name) {} + explicit BasicInputMessage(const char* name) : Message(name) {} }; /** @@ -375,7 +373,7 @@ protected: * @param name A descriptive name for the type of message. Used * mainly for debugging purposes. */ - BasicOutputMessage(const char* name) : Message(name) {} + explicit BasicOutputMessage(const char* name) : Message(name) {} }; /** diff --git a/src/threading/Queue.h b/src/threading/Queue.h index 6d21bfd998..9ac9268a7a 100644 --- a/src/threading/Queue.h +++ b/src/threading/Queue.h @@ -1,7 +1,8 @@ #ifndef THREADING_QUEUE_H #define THREADING_QUEUE_H -#include +#include +#include #include #include #include @@ -22,7 +23,7 @@ namespace threading { * * All Queue instances must be instantiated by Bro's main thread. * - * TODO: Unclear how critical performance is for this qeueue. We could like;y + * TODO: Unclear how critical performance is for this qeueue. We could likely * optimize it further if helpful. */ template @@ -71,9 +72,10 @@ public: */ bool MaybeReady() { return (num_reads != num_writes); } - /** Wake up the reader if it's currently blocked for input. This is - primarily to give it a chance to check termination quickly. - **/ + /** + * Wake up the reader if it's currently blocked for input. This is + * primarily to give it a chance to check termination quickly. + */ void WakeUp(); /** 
@@ -94,14 +96,17 @@ public: * Returns statistics about the queue's usage. * * @param stats A pointer to a structure that will be filled with - * current numbers. */ + * current numbers. + */ void GetStats(Stats* stats); private: static const int NUM_QUEUES = 8; - pthread_mutex_t mutex[NUM_QUEUES]; // Mutex protected shared accesses. - pthread_cond_t has_data[NUM_QUEUES]; // Signals when data becomes available + std::vector> LocksForAllQueues(); + + std::mutex mutex[NUM_QUEUES]; // Mutex protected shared accesses. + std::condition_variable has_data[NUM_QUEUES]; // Signals when data becomes available std::queue messages[NUM_QUEUES]; // Actually holds the queued messages int read_ptr; // Where the next operation will read from @@ -115,17 +120,18 @@ private: uint64_t num_writes; }; -inline static void safe_lock(pthread_mutex_t* mutex) +inline static std::unique_lock acquire_lock(std::mutex& m) { - int res = pthread_mutex_lock(mutex); - if ( res != 0 ) - reporter->FatalErrorWithCore("cannot lock mutex: %d(%s)", res, strerror(res)); - } - -inline static void safe_unlock(pthread_mutex_t* mutex) - { - if ( pthread_mutex_unlock(mutex) != 0 ) - reporter->FatalErrorWithCore("cannot unlock mutex"); + try + { + return std::unique_lock(m); + } + catch ( const std::system_error& e ) + { + reporter->FatalErrorWithCore("cannot lock mutex: %s", e.what()); + // Never gets here. + throw std::exception(); + } } template 
@@ -136,50 +142,28 @@ inline Queue::Queue(BasicThread* arg_reader, BasicThread* arg_writer) num_reads = num_writes = 0; reader = arg_reader; writer = arg_writer; - - for( int i = 0; i < NUM_QUEUES; ++i ) - { - if ( pthread_cond_init(&has_data[i], 0) != 0 ) - reporter->FatalError("cannot init queue condition variable"); - - if ( pthread_mutex_init(&mutex[i], 0) != 0 ) - reporter->FatalError("cannot init queue mutex"); - } } template inline Queue::~Queue() { - for( int i = 0; i < NUM_QUEUES; ++i ) - { - pthread_cond_destroy(&has_data[i]); - pthread_mutex_destroy(&mutex[i]); - } } template inline T Queue::Get() { - safe_lock(&mutex[read_ptr]); + auto lock = acquire_lock(mutex[read_ptr]); int old_read_ptr = read_ptr; if ( messages[read_ptr].empty() && ! ((reader && reader->Killed()) || (writer && writer->Killed())) ) { - struct timespec ts; - ts.tv_sec = time(0) + 5; - ts.tv_nsec = 0; - - pthread_cond_timedwait(&has_data[read_ptr], &mutex[read_ptr], &ts); - safe_unlock(&mutex[read_ptr]); - return 0; + if ( has_data[read_ptr].wait_for(lock, std::chrono::seconds(5)) == std::cv_status::timeout ) + return nullptr; } - else if ( messages[read_ptr].empty() ) - { - safe_unlock(&mutex[read_ptr]); - return 0; - } + if ( messages[read_ptr].empty() ) + return nullptr; T data = messages[read_ptr].front(); messages[read_ptr].pop(); @@ -187,15 +171,13 @@ inline T Queue::Get() read_ptr = (read_ptr + 1) % NUM_QUEUES; ++num_reads; - safe_unlock(&mutex[old_read_ptr]); - return data; } template inline void Queue::Put(T data) { - safe_lock(&mutex[write_ptr]); + auto lock = acquire_lock(mutex[write_ptr]); int old_write_ptr = write_ptr; 
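Review bot: `Queue::Get()` now returns `nullptr` on the empty and timeout paths, which only compiles when `T` is a pointer type, whereas the old `return 0` also worked for arithmetic `T`. If pointer-only use is intended, the class comment should say so, e.g. `// T must be a pointer type; Get() returns nullptr when no message is available`. `old_read_ptr` is also dead now that `safe_unlock(&mutex[old_read_ptr])` is removed in the next hunk, so `int old_read_ptr = read_ptr;` can be deleted.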
@@ -203,43 +185,59 @@ inline void Queue::Put(T data) messages[write_ptr].push(data); - if ( need_signal ) - pthread_cond_signal(&has_data[write_ptr]); - write_ptr = (write_ptr + 1) % NUM_QUEUES; ++num_writes; - safe_unlock(&mutex[old_write_ptr]); + if ( need_signal ) + { + lock.unlock(); + has_data[old_write_ptr].notify_one(); + } } template inline bool Queue::Ready() { - safe_lock(&mutex[read_ptr]); + auto lock = acquire_lock(mutex[read_ptr]); bool ret = (messages[read_ptr].size()); - safe_unlock(&mutex[read_ptr]); - return ret; } +template +inline std::vector> Queue::LocksForAllQueues() + { + std::vector> locks; + + try + { + for ( int i = 0; i < NUM_QUEUES; i++ ) + locks.emplace_back(std::unique_lock(mutex[i])); + } + + catch ( const std::system_error& e ) + { + reporter->FatalErrorWithCore("cannot lock all mutexes: %s", e.what()); + // Never gets here. + throw std::exception(); + } + + return locks; + } + template inline uint64_t Queue::Size() { // Need to lock all queues. - for ( int i = 0; i < NUM_QUEUES; i++ ) - safe_lock(&mutex[i]); + auto locks = LocksForAllQueues(); uint64_t size = 0; for ( int i = 0; i < NUM_QUEUES; i++ ) size += messages[i].size(); - for ( int i = 0; i < NUM_QUEUES; i++ ) - safe_unlock(&mutex[i]); - return size; } @@ -248,29 +246,19 @@ inline void Queue::GetStats(Stats* stats) { // To be safe, we look all queues. That's probably unneccessary, but // doesn't really hurt. - for ( int i = 0; i < NUM_QUEUES; i++ ) - safe_lock(&mutex[i]); + auto locks = LocksForAllQueues(); stats->num_reads = num_reads; stats->num_writes = num_writes; - - for ( int i = 0; i < NUM_QUEUES; i++ ) - safe_unlock(&mutex[i]); } template inline void Queue::WakeUp() { for ( int i = 0; i < NUM_QUEUES; i++ ) - { - safe_lock(&mutex[i]); - pthread_cond_signal(&has_data[i]); - safe_unlock(&mutex[i]); - } + has_data[i].notify_all(); } } - #endif - diff --git a/src/threading/SerialTypes.cc b/src/threading/SerialTypes.cc index 3836638e5c..8468d19ea8 100644 
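Review bot: `WakeUp()` now calls `has_data[i].notify_all()` without taking `mutex[i]`, so the notification can arrive after the reader in `Get()` has tested `Killed()` and `empty()` but before it blocks in `wait_for()`. In that window the wake-up is lost and the reader sleeps for the full five-second timeout before noticing termination. The removed code took the lock around the signal and so could not hit that window, assuming the termination flag is set before `WakeUp()` is called, which is not visible here. Holding the lock for the notify restores this: `auto lock = acquire_lock(mutex[i]);` as the first statement of the loop body, before `has_data[i].notify_all();`.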
--- a/src/threading/SerialTypes.cc +++ b/src/threading/SerialTypes.cc @@ -161,12 +161,13 @@ bool Value::IsCompatibleType(BroType* t, bool atomic_only) bool Value::Read(SerializationFormat* fmt) { - int ty; + int ty, sty; - if ( ! (fmt->Read(&ty, "type") && fmt->Read(&present, "present")) ) + if ( ! (fmt->Read(&ty, "type") && fmt->Read(&sty, "subtype") && fmt->Read(&present, "present")) ) return false; type = (TypeTag)(ty); + subtype = (TypeTag)(sty); if ( ! present ) return true; @@ -311,6 +312,7 @@ bool Value::Read(SerializationFormat* fmt) bool Value::Write(SerializationFormat* fmt) const { if ( ! (fmt->Write((int)type, "type") && + fmt->Write((int)subtype, "subtype") && fmt->Write(present, "present")) ) return false; diff --git a/src/threading/SerialTypes.h b/src/threading/SerialTypes.h index e056f6c170..5a8361feba 100644 --- a/src/threading/SerialTypes.h +++ b/src/threading/SerialTypes.h @@ -26,7 +26,7 @@ struct Field { //! port, one for the type), and this specifies the secondary name. const char* secondary_name; TypeTag type; //! Type of the field. - TypeTag subtype; //! Inner type for sets. + TypeTag subtype; //! Inner type for sets and vectors. bool optional; //! True if field is optional. /** @@ -92,13 +92,14 @@ private: */ struct Value { TypeTag type; //! The type of the value. + TypeTag subtype; //! Inner type for sets and vectors. bool present; //! False for optional record fields that are not set. struct set_t { bro_int_t size; Value** vals; }; typedef set_t vec_t; struct port_t { bro_uint_t port; TransportProto proto; }; - struct addr_t { + struct addr_t { IPFamily family; union { struct in_addr in4; 
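Review bot: `Value::Read()` casts the freshly read `sty` (like `ty`) to `TypeTag` without checking that the integer is a valid enumerator. If serialized values can arrive from another process or host, out-of-range tags should be rejected right after the read, e.g. `if ( ty < 0 || ty > TYPE_ERROR || sty < 0 || sty > TYPE_ERROR ) return false;`, assuming `TYPE_ERROR` is the last `TypeTag` enumerator. Inserting `"subtype"` between `"type"` and `"present"` also changes the serialized layout, so a reader and a writer built from different revisions will misparse each other's values. The body of `Read()` continues outside the hunk.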
@@ -106,6 +107,13 @@ struct Value { } in; }; + // A small note for handling subnet values: Subnet values emitted from + // the logging framework will always have a length that is based on the + // internal IPv6 representation (so you have to substract 96 from it to + // get the correct value for IPv4). + // However, the Input framework expects the "normal" length for an IPv4 + // address (so do not add 96 to it), because the underlying constructors + // for the SubNet type want it like this. struct subnet_t { addr_t prefix; uint8_t length; }; /** @@ -139,7 +147,20 @@ struct Value { * that is not set. */ Value(TypeTag arg_type = TYPE_ERROR, bool arg_present = true) - : type(arg_type), present(arg_present) {} + : type(arg_type), subtype(TYPE_VOID), present(arg_present) {} + + /** + * Constructor. + * + * arg_type: The type of the value. + * + * arg_type: The subtype of the value for sets and vectors. + * + * arg_present: False if the value represents an optional record field + * that is not set. + */ + Value(TypeTag arg_type, TypeTag arg_subtype, bool arg_present = true) + : type(arg_type), subtype(arg_subtype), present(arg_present) {} /** * Destructor. @@ -178,4 +199,4 @@ private: } -#endif /* THREADING_SERIALIZATIONTZPES_H */ +#endif /* THREADING_SERIALIZATIONTYPES_H */ diff --git a/src/threading/formatters/Ascii.cc b/src/threading/formatters/Ascii.cc index bf36c361cc..0ea7d07d16 100644 --- a/src/threading/formatters/Ascii.cc +++ b/src/threading/formatters/Ascii.cc 
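Review bot: The doc comment on the new three-argument `Value` constructor lists `arg_type` twice; the second entry describes the subtype and should read `arg_subtype: The subtype of the value for sets and vectors.` The comment added above `subnet_t` in the preceding hunk also has a typo, `substract` for `subtract`.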
@@ -207,13 +207,14 @@ bool Ascii::Describe(ODesc* desc, threading::Value* val, const string& name) con threading::Value* Ascii::ParseValue(const string& s, const string& name, TypeTag type, TypeTag subtype) const { - if ( s.compare(separators.unset_field) == 0 ) // field is not set... + if ( ! separators.unset_field.empty() && s.compare(separators.unset_field) == 0 ) // field is not set... return new threading::Value(type, false); - threading::Value* val = new threading::Value(type, true); + threading::Value* val = new threading::Value(type, subtype, true); const char* start = s.c_str(); char* end = 0; errno = 0; + size_t pos; switch ( type ) { case TYPE_ENUM: @@ -226,9 +227,9 @@ threading::Value* Ascii::ParseValue(const string& s, const string& name, TypeTag } case TYPE_BOOL: - if ( s == "T" ) + if ( s == "T" || s == "1" ) val->val.int_val = 1; - else if ( s == "F" ) + else if ( s == "F" || s == "0" ) val->val.int_val = 0; else { 
@@ -260,11 +261,34 @@ threading::Value* Ascii::ParseValue(const string& s, const string& name, TypeTag break; case TYPE_PORT: + { + val->val.port_val.proto = TRANSPORT_UNKNOWN; + pos = s.find('/'); + string numberpart; + if ( pos != std::string::npos && s.length() > pos + 1 ) + { + auto proto = s.substr(pos+1); + if ( strtolower(proto) == "tcp" ) + val->val.port_val.proto = TRANSPORT_TCP; + else if ( strtolower(proto) == "udp" ) + val->val.port_val.proto = TRANSPORT_UDP; + else if ( strtolower(proto) == "icmp" ) + val->val.port_val.proto = TRANSPORT_ICMP; + else if ( strtolower(proto) == "unknown" ) + val->val.port_val.proto = TRANSPORT_UNKNOWN; + else + GetThread()->Warning(GetThread()->Fmt("Port '%s' contained unknown protocol '%s'", s.c_str(), proto.c_str())); + } + + if ( pos != std::string::npos && pos > 0 ) + { + numberpart = s.substr(0, pos); + start = numberpart.c_str(); + } val->val.port_val.port = strtoull(start, &end, 10); if ( CheckNumberError(start, end) ) goto parse_error; - - val->val.port_val.proto = TRANSPORT_UNKNOWN; + } break; case TYPE_SUBNET: @@ -318,6 +342,9 @@ threading::Value* Ascii::ParseValue(const string& s, const string& name, TypeTag if ( separators.empty_field.size() > 0 && s.compare(separators.empty_field) == 0 ) length = 0; + if ( separators.empty_field.empty() && s.empty() ) + length = 0; + threading::Value** lvals = new threading::Value* [length]; if ( type == TYPE_TABLE ) @@ -389,6 +416,9 @@ threading::Value* Ascii::ParseValue(const string& s, const string& name, TypeTag for ( unsigned int i = 0; i < pos; i++ ) delete lvals[i]; + // and set the length of the set to 0, otherwhise the destructor will crash. + val->val.vector_val.size = 0; + goto parse_error; } diff --git a/src/threading/formatters/JSON.h b/src/threading/formatters/JSON.h index 04209fbde9..4984f74067 100644 --- a/src/threading/formatters/JSON.h +++ b/src/threading/formatters/JSON.h 
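Review bot: The new `TYPE_PORT` branch stores the result of `strtoull()` in `val->val.port_val.port` without an upper bound, so input such as `70000/tcp` yields a port value that no transport can carry. Unless every consumer validates it later, the parser should reject it next to the existing number check: `if ( val->val.port_val.port > 65535 ) goto parse_error;`. An unrecognised protocol suffix only produces a warning and the value is kept as `TRANSPORT_UNKNOWN`, which is worth a one-line comment if that leniency is intended. `strtolower(proto)` is evaluated up to four times and could be computed once into a local.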
@@ -20,12 +20,12 @@ public: }; JSON(threading::MsgThread* t, TimeFormat tf); - virtual ~JSON(); + ~JSON() override; - virtual bool Describe(ODesc* desc, threading::Value* val, const string& name = "") const; - virtual bool Describe(ODesc* desc, int num_fields, const threading::Field* const * fields, - threading::Value** vals) const; - virtual threading::Value* ParseValue(const string& s, const string& name, TypeTag type, TypeTag subtype = TYPE_ERROR) const; + bool Describe(ODesc* desc, threading::Value* val, const string& name = "") const override; + bool Describe(ODesc* desc, int num_fields, const threading::Field* const * fields, + threading::Value** vals) const override; + threading::Value* ParseValue(const string& s, const string& name, TypeTag type, TypeTag subtype = TYPE_ERROR) const override; void SurroundingBraces(bool use_braces); diff --git a/src/types.bif b/src/types.bif index 500c8c9851..145a8af89e 100644 --- a/src/types.bif +++ b/src/types.bif 
@@ -13,12 +13,49 @@ enum rpc_status %{ RPC_UNKNOWN_ERROR, %} +module MOUNT3; + +enum proc_t %{ # MOUNT3 procedures + PROC_NULL = 0, # done + PROC_MNT = 1, # done + PROC_DUMP = 2, # not implemented + PROC_UMNT = 3, # done + PROC_UMNT_ALL = 4, # done + PROC_EXPORT = 5, # not implemented + PROC_END_OF_PROCS = 6, # not implemented +%} + +enum status_t %{ # MOUNT3 return status + MNT3_OK = 0, + MNT3ERR_PERM = 1, + MNT3ERR_NOENT = 2, + MNT3ERR_IO = 5, + MNT3ERR_ACCES = 13, + MNT3ERR_NOTDIR = 20, + MNT3ERR_INVAL = 22, + MNT3ERR_NAMETOOLONG = 63, + MNT3ERR_NOTSUPP = 10004, + MNT3ERR_SERVERFAULT = 10006, + MOUNT3ERR_UNKNOWN = 0xffffffff, +%} + +enum auth_flavor_t %{ # MOUNT3 auth flavors + AUTH_NULL = 0, + AUTH_UNIX = 1, + AUTH_SHORT = 2, + AUTH_DES = 3, +%} + +type info_t: record; +type mnt_reply_t: record; +type dirmntargs_t: record; + module NFS3; enum proc_t %{ # NFSv3 procedures PROC_NULL = 0, # done PROC_GETATTR = 1, # done - PROC_SETATTR = 2, # not implemented + PROC_SETATTR = 2, # done PROC_LOOKUP = 3, # done PROC_ACCESS = 4, # not implemented PROC_READLINK = 5, # done @@ -26,12 +63,12 @@ enum proc_t %{ # NFSv3 procedures PROC_WRITE = 7, # done PROC_CREATE = 8, # partial PROC_MKDIR = 9, # partial - PROC_SYMLINK = 10, # not implemented + PROC_SYMLINK = 10, # done PROC_MKNOD = 11, # not implemented PROC_REMOVE = 12, # done PROC_RMDIR = 13, # done - PROC_RENAME = 14, # not implemented - PROC_LINK = 15, # not implemented + PROC_RENAME = 14, # done + PROC_LINK = 15, # done PROC_READDIR = 16, # done PROC_READDIRPLUS = 17, # done PROC_FSSTAT = 18, # not implemented @@ -74,6 +111,12 @@ enum status_t %{ # NFSv3 return status NFS3ERR_UNKNOWN = 0xffffffff, %} +enum time_how_t %{ + DONT_CHANGE = 0, + SET_TO_SERVER_TIME = 1, + SET_TO_CLIENT_TIME = 2, +%} + enum file_type_t %{ FTYPE_REG = 1, FTYPE_DIR = 2, @@ -84,6 +127,7 @@ enum file_type_t %{ FTYPE_FIFO = 7, %} + enum stable_how_t %{ UNSTABLE = 0, DATA_SYNC = 1, 
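Review bot: In the new `MOUNT3::status_t` enum the catch-all member is named `MOUNT3ERR_UNKNOWN` while every other member uses the `MNT3ERR_` prefix (`MNT3ERR_PERM`, `MNT3ERR_NOENT`, and so on). Renaming it to `MNT3ERR_UNKNOWN = 0xffffffff,` before scripts start to depend on the name would keep the enum consistent. `PROC_END_OF_PROCS = 6, # not implemented` looks like a sentinel rather than a procedure, so its comment would read better as `# sentinel, not a procedure`.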
@@ -100,16 +144,25 @@ enum createmode_t %{ # defined in init-bare.bro. type info_t: record; type fattr_t: record; +type sattr_t: record; +type symlinkdata_t: record; type diropargs_t: record; +type symlinkargs_t: record; +type sattrargs_t: record; +type linkargs_t: record; +type renameopargs_t: record; +type sattr_reply_t: record; type lookup_reply_t: record; type readargs_t: record; type read_reply_t: record; type readlink_reply_t: record; +type link_reply_t: record; type writeargs_t: record; type wcc_attr_t: record; type write_reply_t: record; type newobj_reply_t: record; type delobj_reply_t: record; +type renameobj_reply_t: record; type readdirargs_t: record; type direntry_t: record; type direntry_vec_t: vector; diff --git a/src/util.cc b/src/util.cc index acfcb19573..35db6f131c 100644 --- a/src/util.cc +++ b/src/util.cc @@ -542,7 +542,7 @@ const char* fmt_bytes(const char* data, int len) return buf; } -const char* fmt(const char* format, ...) +const char* fmt(const char* format, va_list al) { static char* buf = 0; static unsigned int buf_len = 1024; @@ -550,28 +550,34 @@ const char* fmt(const char* format, ...) if ( ! buf ) buf = (char*) safe_malloc(buf_len); - va_list al; - va_start(al, format); + va_list alc; + va_copy(alc, al); int n = safe_vsnprintf(buf, buf_len, format, al); - va_end(al); if ( (unsigned int) n >= buf_len ) { // Not enough room, grow the buffer. buf_len = n + 32; buf = (char*) safe_realloc(buf, buf_len); - // Is it portable to restart? - va_start(al, format); - n = safe_vsnprintf(buf, buf_len, format, al); - va_end(al); + n = safe_vsnprintf(buf, buf_len, format, alc); if ( (unsigned int) n >= buf_len ) reporter->InternalError("confusion reformatting in fmt()"); } + va_end(alc); return buf; } +const char* fmt(const char* format, ...) + { + va_list al; + va_start(al, format); + auto rval = fmt(format, al); + va_end(al); + return rval; + } + const char* fmt_access_time(double t) { static char buf[256]; 
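Review bot: Overloading `fmt` on `va_list` is unsafe on ABIs where `va_list` is a plain `char*` or `void*`: an existing call such as `fmt("%s", some_char_ptr)` would then select the new `fmt(const char* format, va_list al)` instead of the variadic one, because an exact pointer match wins over the ellipsis, and the string pointer would be walked as an argument list. Giving the `va_list` variant its own name avoids this, e.g. `const char* vfmt(const char* format, va_list al)` with the variadic wrapper calling `vfmt(format, al)`. Separately, `n` is an `int`, and a negative return from `safe_vsnprintf` (defined outside the hunk, so this may not be reachable) would pass the `(unsigned int) n >= buf_len` test and set `buf_len = n + 32`. The function body spans this hunk and the one before it.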
@@ -1012,7 +1018,7 @@ FILE* open_file(const string& path, const string& mode) if ( ! rval ) { char buf[256]; - strerror_r(errno, buf, sizeof(buf)); + bro_strerror_r(errno, buf, sizeof(buf)); reporter->Error("Failed to open file %s: %s", filename, buf); } @@ -1396,9 +1402,13 @@ void _set_processing_status(const char* status) if ( fd < 0 ) { char buf[256]; - strerror_r(errno, buf, sizeof(buf)); - reporter->Error("Failed to open process status file '%s': %s", - proc_status_file, buf); + bro_strerror_r(errno, buf, sizeof(buf)); + if ( reporter ) + reporter->Error("Failed to open process status file '%s': %s", + proc_status_file, buf); + else + fprintf(stderr, "Failed to open process status file '%s': %s\n", + proc_status_file, buf); errno = old_errno; return; } @@ -1612,7 +1622,7 @@ void safe_close(int fd) if ( close(fd) < 0 && errno != EINTR ) { char buf[128]; - strerror_r(errno, buf, sizeof(buf)); + bro_strerror_r(errno, buf, sizeof(buf)); fprintf(stderr, "safe_close error %d: %s\n", errno, buf); abort(); } @@ -1745,3 +1755,24 @@ std::string canonify_name(const std::string& name) return nname; } + +static void strerror_r_helper(char* result, char* buf, size_t buflen) + { + // Seems the GNU flavor of strerror_r may return a pointer to a static + // string. So try to copy as much as possible into desired buffer. + auto len = strlen(result); + strncpy(buf, result, buflen); + + if ( len >= buflen ) + buf[buflen - 1] = 0; + } + +static void strerror_r_helper(int result, char* buf, size_t buflen) + { /* XSI flavor of strerror_r, no-op. */ } + +void bro_strerror_r(int bro_errno, char* buf, size_t buflen) + { + auto res = strerror_r(bro_errno, buf, buflen); + // GNU vs. XSI flavors make it harder to use strerror_r. + strerror_r_helper(res, buf, buflen); + } diff --git a/src/util.h b/src/util.h index a2c1b78db3..cdba01a9a0 100644 --- a/src/util.h +++ b/src/util.h 
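Review bot: In the added `bro_strerror_r`, the XSI overload of `strerror_r_helper` ignores a non-zero result, so when the XSI `strerror_r` fails the callers in this file go on to print `buf` with `%s` without anything having guaranteed that it holds a terminated string. Initialising the buffer first, `if ( buflen > 0 ) buf[0] = 0;` before the `strerror_r` call, makes that case print an empty message instead. In the GNU overload, `result` can be `buf` itself, which turns the `strncpy` into a copy onto its own source, and `buf[buflen - 1]` is indexed without checking `buflen`; an early `if ( buflen == 0 || result == buf ) return;` covers both. All callers visible here pass fixed 128- or 256-byte buffers, so this is hardening rather than a live fault.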
@@ -3,6 +3,15 @@ #ifndef util_h #define util_h +#ifdef __GNUC__ + #define BRO_DEPRECATED(msg) __attribute__ ((deprecated(msg))) +#elif defined(_MSC_VER) + #define BRO_DEPRECATED(msg) __declspec(deprecated(msg)) func +#else + #pragma message("Warning: BRO_DEPRECATED macro not implemented") + #define BRO_DEPRECATED(msg) +#endif + // Expose C99 functionality from inttypes.h, which would otherwise not be // available in C++. #ifndef __STDC_FORMAT_MACROS @@ -157,6 +166,8 @@ extern std::string strtolower(const std::string& s); extern const char* fmt_bytes(const char* data, int len); +// Note: returns a pointer into a shared buffer. +extern const char* fmt(const char* format, va_list args); // Note: returns a pointer into a shared buffer. extern const char* fmt(const char* format, ...) __attribute__((format (printf, 1, 2))); @@ -227,6 +238,13 @@ typedef ptr_compat_uint SourceID; #define PRI_SOURCE_ID PRI_PTR_COMPAT_UINT static const SourceID SOURCE_LOCAL = 0; +// TODO: This is a temporary marker to flag events coming in via Broker. +// Those are remote events but we don't have any further peer informationa +// available for them (as the old communication code would have). Once we +// remove RemoteSerializer, we can turn the SourceID into a simple boolean +// indicating whether it's a local or remote event. +static const SourceID SOURCE_BROKER = 0xffffffff; + extern void pinpoint(); extern int int_list_cmp(const void* v1, const void* v2); @@ -266,8 +284,8 @@ protected: class SafeDirname : public SafePathOp { public: - SafeDirname(const char* path, bool error_aborts = true); - SafeDirname(const std::string& path, bool error_aborts = true); + explicit SafeDirname(const char* path, bool error_aborts = true); + explicit SafeDirname(const std::string& path, bool error_aborts = true); private: 
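Review bot: The `_MSC_VER` branch of `BRO_DEPRECATED` ends in a stray `func` token, so every use would expand to `__declspec(deprecated(msg)) func` and inject an undeclared identifier into the declaration. It should read `#define BRO_DEPRECATED(msg) __declspec(deprecated(msg))`. `__declspec` has to precede the declaration while the GCC attribute is commonly written after it, so a comment next to the macro should say where it is expected to be placed.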
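Review bot: The added `fmt(const char* format, va_list args)` declaration carries no format attribute, unlike the variadic `fmt` directly below it, so code that forwards a format string through it loses the compiler's printf-format checking on `format`. For a `va_list` function the attribute takes 0 as the first-to-check index: `extern const char* fmt(const char* format, va_list args) __attribute__((format (printf, 1, 0)));`. The comment could also say that both overloads return the same static buffer, so a result has to be consumed before the next call to either of them.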
@@ -277,8 +295,8 @@ private: class SafeBasename : public SafePathOp { public: - SafeBasename(const char* path, bool error_aborts = true); - SafeBasename(const std::string& path, bool error_aborts = true); + explicit SafeBasename(const char* path, bool error_aborts = true); + explicit SafeBasename(const std::string& path, bool error_aborts = true); private: @@ -516,4 +534,10 @@ struct CompareString */ std::string canonify_name(const std::string& name); +/** + * Reentrant version of strerror(). Takes care of the difference between the + * XSI-compliant and the GNU-specific version of strerror_r(). + */ +void bro_strerror_r(int bro_errno, char* buf, size_t buflen); + #endif diff --git a/src/version.c.in b/src/version.c.in index 86c4b16f24..65df65da00 100644 --- a/src/version.c.in +++ b/src/version.c.in @@ -1 +1,13 @@ + +#include "bro-config.h" + char version[] = "@VERSION@"; + +// A C function that has the current version built into its name. +// One can link a shared library against this to ensure that it won't +// load if the version of the main Bro binary differs compared to +// what the library was compiled against. +const char* BRO_VERSION_FUNCTION() +{ + return "@VERSION_C_IDENT@"; +} diff --git a/testing/Makefile b/testing/Makefile index e83ec09396..98c6b239a2 100644 --- a/testing/Makefile +++ b/testing/Makefile @@ -8,6 +8,7 @@ brief: make-brief coverage distclean: @rm -f coverage.log $(MAKE) -C btest $@ + $(MAKE) -C coverage $@ make-verbose: @for repo in $(DIRS); do (cd $$repo && make -s ); done @@ -22,4 +23,6 @@ coverage: @echo "Complete test suite code coverage:" @./scripts/coverage-calc "brocov.tmp.*" coverage.log `pwd`/../scripts @rm -f brocov.tmp.* + @cd coverage && make coverage +.PHONY: coverage diff --git a/testing/btest/Baseline/bifs.directory_operations/out b/testing/btest/Baseline/bifs.directory_operations/out new file mode 100644 index 0000000000..8465596a92 --- /dev/null +++ b/testing/btest/Baseline/bifs.directory_operations/out 
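Review bot: The new coverage step in `testing/Makefile` calls `make` directly (`@cd coverage && make coverage`), while the `distclean` rule extended in the same change uses `$(MAKE) -C coverage $@`. Writing it as `@$(MAKE) -C coverage coverage` keeps the flags and jobserver of the parent invocation and matches the other rule. The `coverage` rule begins outside the hunk.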
@@ -0,0 +1,10 @@ +T +T +T +T +T +T +F +F +F +F diff --git a/testing/btest/Baseline/bifs.dump_current_packet/1.pcap b/testing/btest/Baseline/bifs.dump_current_packet/1.pcap new file mode 100644 index 0000000000..786971a6cf Binary files /dev/null and b/testing/btest/Baseline/bifs.dump_current_packet/1.pcap differ diff --git a/testing/btest/Baseline/bifs.dump_current_packet/2.pcap b/testing/btest/Baseline/bifs.dump_current_packet/2.pcap new file mode 100644 index 0000000000..6045568b4b Binary files /dev/null and b/testing/btest/Baseline/bifs.dump_current_packet/2.pcap differ diff --git a/testing/btest/Baseline/bifs.hll_large_estimate/out b/testing/btest/Baseline/bifs.hll_large_estimate/out index 6897673f4e..c0bbe2b31d 100644 --- a/testing/btest/Baseline/bifs.hll_large_estimate/out +++ b/testing/btest/Baseline/bifs.hll_large_estimate/out @@ -1,3 +1,3 @@ Ok error -171249.90868 +167377.950902 Ok error diff --git a/testing/btest/Baseline/bifs.order/out b/testing/btest/Baseline/bifs.order/out index e77fbd310c..fd9ecd62c2 100644 --- a/testing/btest/Baseline/bifs.order/out +++ b/testing/btest/Baseline/bifs.order/out @@ -6,3 +6,5 @@ [1, 2, 0] [3.03, 3.01, 3.02, 3.015] [1, 3, 2, 0] +[2304, 1156, 13, 42, 4294967296] +[2, 3, 1, 0, 4] diff --git a/testing/btest/Baseline/bifs.sort/out b/testing/btest/Baseline/bifs.sort/out index fed75265b9..f46ccaff68 100644 --- a/testing/btest/Baseline/bifs.sort/out +++ b/testing/btest/Baseline/bifs.sort/out @@ -14,3 +14,5 @@ [10.0.0.157, 192.168.0.3, 192.168.123.200] [3.01, 3.015, 3.02, 3.03] [3.01, 3.015, 3.02, 3.03] +[2304, 1156, 11, 42, 4294967296] +[11, 42, 1156, 2304, 4294967296] diff --git a/testing/btest/Baseline/bifs.to_int/out b/testing/btest/Baseline/bifs.to_int/out index cde0c82987..e50334896d 100644 --- a/testing/btest/Baseline/bifs.to_int/out +++ b/testing/btest/Baseline/bifs.to_int/out @@ -1,3 +1,4 @@ 1 -1 +4294967296 0 
diff --git a/testing/btest/Baseline/bifs.x509_verify/.stdout b/testing/btest/Baseline/bifs.x509_verify/stdout-openssl-1.0 similarity index 100% rename from testing/btest/Baseline/bifs.x509_verify/.stdout rename to testing/btest/Baseline/bifs.x509_verify/stdout-openssl-1.0 diff --git a/testing/btest/Baseline/bifs.x509_verify/stdout-openssl-1.1 b/testing/btest/Baseline/bifs.x509_verify/stdout-openssl-1.1 new file mode 100644 index 0000000000..29660eade5 --- /dev/null +++ b/testing/btest/Baseline/bifs.x509_verify/stdout-openssl-1.1 @@ -0,0 +1,6 @@ +Validation result: certificate has expired +Validation result: ok +Resulting chain: +Fingerprint: 70829f77ff4b6e908324a3f4e1940fce6c489098, Subject: CN=www.tobu-estate.com,OU=Terms of use at www.verisign.com/rpa (c)05,O=TOBU RAILWAY Co.\,Ltd.,L=Sumida-ku,ST=Tokyo,C=JP +Fingerprint: 5deb8f339e264c19f6686f5f8f32b54a4c46b476, Subject: CN=VeriSign Class 3 Secure Server CA - G3,OU=Terms of use at https://www.verisign.com/rpa (c)10,OU=VeriSign Trust Network,O=VeriSign\, Inc.,C=US +Fingerprint: 4eb6d578499b1ccf5f581ead56be3d9b6744a5e5, Subject: CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=(c) 2006 VeriSign\, Inc. - For authorized use only,OU=VeriSign Trust Network,O=VeriSign\, Inc.,C=US diff --git a/testing/btest/Baseline/broker.clone_store/clone.clone.out b/testing/btest/Baseline/broker.clone_store/clone.clone.out deleted file mode 100644 index 3db1dd4e00..0000000000 --- a/testing/btest/Baseline/broker.clone_store/clone.clone.out +++ /dev/null @@ -1,5 +0,0 @@ -clone keys, [status=Broker::SUCCESS, result=[d=broker::data{[one, two, myset, myvec]}]] -lookup, two, [status=Broker::SUCCESS, result=[d=broker::data{222}]] -lookup, one, [status=Broker::SUCCESS, result=[d=broker::data{111}]] -lookup, myvec, [status=Broker::SUCCESS, result=[d=broker::data{[delta, alpha, beta, gamma, omega]}]] -lookup, myset, [status=Broker::SUCCESS, result=[d=broker::data{{a, c, d}}]] 
diff --git a/testing/btest/Baseline/broker.connect-on-retry/recv.recv.out b/testing/btest/Baseline/broker.connect-on-retry/recv.recv.out
new file mode 100644
index 0000000000..78a9b50a5c
--- /dev/null
+++ b/testing/btest/Baseline/broker.connect-on-retry/recv.recv.out
@@ -0,0 +1,6 @@
+receiver added peer: endpoint=127.0.0.1 msg=handshake successful
+receiver got ping: my-message, 1
+receiver got ping: my-message, 2
+receiver got ping: my-message, 3
+receiver got ping: my-message, 4
+receiver got ping: my-message, 5
diff --git a/testing/btest/Baseline/broker.connect-on-retry/send.send.out b/testing/btest/Baseline/broker.connect-on-retry/send.send.out
new file mode 100644
index 0000000000..f5a9d54af0
--- /dev/null
+++ b/testing/btest/Baseline/broker.connect-on-retry/send.send.out
@@ -0,0 +1,6 @@
+sender added peer: endpoint=127.0.0.1 msg=received handshake from remote core
+sender got pong: my-message, 1
+sender got pong: my-message, 2
+sender got pong: my-message, 3
+sender got pong: my-message, 4
+sender lost peer: endpoint=127.0.0.1 msg=lost remote peer
diff --git a/testing/btest/Baseline/broker.connection_updates/recv.recv.out b/testing/btest/Baseline/broker.connection_updates/recv.recv.out
deleted file mode 100644
index d246bf153f..0000000000
--- a/testing/btest/Baseline/broker.connection_updates/recv.recv.out
+++ /dev/null
@@ -1,2 +0,0 @@
-Broker::incoming_connection_established, connector
-Broker::incoming_connection_broken, connector
diff --git a/testing/btest/Baseline/broker.connection_updates/send.send.out b/testing/btest/Baseline/broker.connection_updates/send.send.out
deleted file mode 100644
index 205782c8f0..0000000000
--- a/testing/btest/Baseline/broker.connection_updates/send.send.out
+++ /dev/null
@@ -1 +0,0 @@
-Broker::outgoing_connection_established, 127.0.0.1, 9999/tcp, listener
diff --git a/testing/btest/Baseline/broker.data/out b/testing/btest/Baseline/broker.data/out
deleted file mode 100644
index 8703ca6a0c..0000000000
--- a/testing/btest/Baseline/broker.data/out +++ /dev/null @@ -1,118 +0,0 @@ -Broker::BOOL -Broker::INT -Broker::COUNT -Broker::DOUBLE -Broker::STRING -Broker::ADDR -Broker::SUBNET -Broker::PORT -Broker::TIME -Broker::INTERVAL -Broker::ENUM -Broker::SET -Broker::TABLE -Broker::VECTOR -Broker::RECORD -*************************** -T -F -1 -0 --1 -1 -0 -1.1 --11.1 -hello -1.2.3.4 -192.168.0.0/16 -22/tcp -42.0 -180.0 -Broker::BOOL -{ -two, -one, -three -} -{ -[two] = 2, -[one] = 1, -[three] = 3 -} -[zero, one, two] -[a=, b=bee, c=1] -[a=test, b=bee, c=1] -[a=test, b=testagain, c=1] -*************************** -0 -T -1 -T -F -T -2 -F -2 -T -1 -F -{ -bye -} -T -0 -{ - -} -*************************** -0 -[d=] -1 -T -42 -F -[d=] -2 -[d=broker::data{7}] -2 -37 -[d=broker::data{42}] -1 -[d=] -1 -T -0 -{ - -} -*************************** -0 -T -T -T -T -[hi, salutations, hello, greetings] -4 -[d=broker::data{hello}] -[d=broker::data{bah}] -[d=broker::data{hi}] -[hi, salutations, bah, greetings] -[d=broker::data{bah}] -[hi, salutations, greetings] -3 -T -0 -[] -*************************** -3 -T -T -T -[d=broker::data{hi}] -[d=broker::data{hello}] -[d=broker::data{37}] -3 -T -3 -[d=broker::data{goodbye}] diff --git a/testing/btest/Baseline/broker.disconnect/recv.recv.out b/testing/btest/Baseline/broker.disconnect/recv.recv.out new file mode 100644 index 0000000000..c7c5a6ea33 --- /dev/null +++ b/testing/btest/Baseline/broker.disconnect/recv.recv.out @@ -0,0 +1,2 @@ +peer added, handshake successful +receiver got event, 1 diff --git a/testing/btest/Baseline/broker.disconnect/recv2.recv2.out b/testing/btest/Baseline/broker.disconnect/recv2.recv2.out new file mode 100644 index 0000000000..09a0133c8d --- /dev/null +++ b/testing/btest/Baseline/broker.disconnect/recv2.recv2.out @@ -0,0 +1,2 @@ +peer added, handshake successful +receiver got event, 2 
diff --git a/testing/btest/Baseline/broker.disconnect/send.send.out b/testing/btest/Baseline/broker.disconnect/send.send.out
new file mode 100644
index 0000000000..f75d91dc23
--- /dev/null
+++ b/testing/btest/Baseline/broker.disconnect/send.send.out
@@ -0,0 +1,4 @@
+peer added, received handshake from remote core
+peer lost, lost remote peer
+peer added, received handshake from remote core
+peer lost, lost remote peer
diff --git a/testing/btest/Baseline/broker.enable-and-exit/output b/testing/btest/Baseline/broker.enable-and-exit/output
deleted file mode 100644
index 6df9e9b67f..0000000000
--- a/testing/btest/Baseline/broker.enable-and-exit/output
+++ /dev/null
@@ -1,3 +0,0 @@
-1
-2
-terminating
diff --git a/testing/btest/Baseline/broker.error/send.out b/testing/btest/Baseline/broker.error/send.out
new file mode 100644
index 0000000000..ed6a72b2b1
--- /dev/null
+++ b/testing/btest/Baseline/broker.error/send.out
@@ -0,0 +1 @@
+error, Broker::PEER_INVALID, (invalid-node, *1.2.3.4:1947, "no such peer when unpeering")
diff --git a/testing/btest/Baseline/broker.master_store/master.out b/testing/btest/Baseline/broker.master_store/master.out
deleted file mode 100644
index 1983d0bccc..0000000000
--- a/testing/btest/Baseline/broker.master_store/master.out
+++ /dev/null
@@ -1,14 +0,0 @@
-lookup(two): [status=Broker::SUCCESS, result=[d=broker::data{222}]]
-lookup(myset): [status=Broker::SUCCESS, result=[d=broker::data{{a, c, d}}]]
-lookup(one): [status=Broker::SUCCESS, result=[d=broker::data{111}]]
-lookup(myvec): [status=Broker::SUCCESS, result=[d=broker::data{[delta, alpha, beta, gamma, omega]}]]
-lookup(four): [status=Broker::SUCCESS, result=[d=]]
-exists(two): [status=Broker::SUCCESS, result=[d=broker::data{0}]]
-exists(myset): [status=Broker::SUCCESS, result=[d=broker::data{1}]]
-exists(one): [status=Broker::SUCCESS, result=[d=broker::data{1}]]
-exists(four): [status=Broker::SUCCESS, result=[d=broker::data{0}]]
-pop_left(myvec): [status=Broker::SUCCESS, result=[d=broker::data{delta}]]
-pop_right(myvec): [status=Broker::SUCCESS, result=[d=broker::data{omega}]]
-keys: [status=Broker::SUCCESS, result=[d=broker::data{[myvec, myset, one]}]]
-size: [status=Broker::SUCCESS, result=[d=broker::data{3}]]
-size (after clear): [status=Broker::SUCCESS, result=[d=broker::data{0}]]
diff --git a/testing/btest/Baseline/broker.remote_event/recv.recv.out b/testing/btest/Baseline/broker.remote_event/recv.recv.out
index 7dab0284ea..54b7d375fb 100644
--- a/testing/btest/Baseline/broker.remote_event/recv.recv.out
+++ b/testing/btest/Baseline/broker.remote_event/recv.recv.out
@@ -1,6 +1,12 @@
-got event msg, ping, 0
-got event msg, ping, 1
-got event msg, ping, 2
-got event msg, ping, 3
-got event msg, ping, 4
-got event msg, ping, 5
+receiver added peer: endpoint=127.0.0.1 msg=handshake successful
+is_remote should be T, and is, T
+receiver got ping: my-message, 1
+is_remote should be T, and is, T
+receiver got ping: my-message, 2
+is_remote should be T, and is, T
+receiver got ping: my-message, 3
+is_remote should be T, and is, T
+receiver got ping: my-message, 4
+is_remote should be T, and is, T
+receiver got ping: my-message, 5
+[num_peers=1, num_stores=0, num_pending_queries=0, num_events_incoming=5, num_events_outgoing=4, num_logs_incoming=0, num_logs_outgoing=1, num_ids_incoming=0, num_ids_outgoing=0]
diff --git a/testing/btest/Baseline/broker.remote_event/send.send.out b/testing/btest/Baseline/broker.remote_event/send.send.out
index 2d61135abe..b8be473e40 100644
--- a/testing/btest/Baseline/broker.remote_event/send.send.out
+++ b/testing/btest/Baseline/broker.remote_event/send.send.out
@@ -1,11 +1,11 @@
-Broker::outgoing_connection_established, 127.0.0.1, 9999/tcp
-got event msg, pong, 0
-got auto event msg, ping, 0
-got event msg, pong, 1
-got auto event msg, ping, 1
-got event msg, pong, 2
-got auto event msg, ping, 2
-got event msg, pong, 3
-got auto event msg, ping, 3
-got event msg, pong, 4
-got auto event msg, ping, 4
+is_remote should be F, and is, F
+sender added peer: endpoint=127.0.0.1 msg=received handshake from remote core
+is_remote should be T, and is, T
+sender got pong: my-message, 1
+is_remote should be T, and is, T
+sender got pong: my-message, 2
+is_remote should be T, and is, T
+sender got pong: my-message, 3
+is_remote should be T, and is, T
+sender got pong: my-message, 4
+sender lost peer: endpoint=127.0.0.1 msg=lost remote peer
diff --git a/testing/btest/Baseline/broker.remote_event_any/recv.recv.out b/testing/btest/Baseline/broker.remote_event_any/recv.recv.out
new file mode 100644
index 0000000000..54b7d375fb
--- /dev/null
+++ b/testing/btest/Baseline/broker.remote_event_any/recv.recv.out
@@ -0,0 +1,12 @@
+receiver added peer: endpoint=127.0.0.1 msg=handshake successful
+is_remote should be T, and is, T
+receiver got ping: my-message, 1
+is_remote should be T, and is, T
+receiver got ping: my-message, 2
+is_remote should be T, and is, T
+receiver got ping: my-message, 3
+is_remote should be T, and is, T
+receiver got ping: my-message, 4
+is_remote should be T, and is, T
+receiver got ping: my-message, 5
+[num_peers=1, num_stores=0, num_pending_queries=0, num_events_incoming=5, num_events_outgoing=4, num_logs_incoming=0, num_logs_outgoing=1, num_ids_incoming=0, num_ids_outgoing=0]
diff --git a/testing/btest/Baseline/broker.remote_event_any/send.send.out b/testing/btest/Baseline/broker.remote_event_any/send.send.out
new file mode 100644
index 0000000000..b8be473e40
--- /dev/null
+++ b/testing/btest/Baseline/broker.remote_event_any/send.send.out
@@ -0,0 +1,11 @@
+is_remote should be F, and is, F
+sender added peer: endpoint=127.0.0.1 msg=received handshake from remote core
+is_remote should be T, and is, T
+sender got pong: my-message, 1
+is_remote should be T, and is, T
+sender got pong: my-message, 2
+is_remote should be T, and is, T
+sender got pong: my-message, 3
+is_remote should be T, and is, T
+sender got pong: my-message, 4
+sender lost peer: endpoint=127.0.0.1 msg=lost remote peer
diff --git a/testing/btest/Baseline/broker.remote_event_auto/recv.recv.out b/testing/btest/Baseline/broker.remote_event_auto/recv.recv.out
new file mode 100644
index 0000000000..78a9b50a5c
--- /dev/null
+++ b/testing/btest/Baseline/broker.remote_event_auto/recv.recv.out
@@ -0,0 +1,6 @@
+receiver added peer: endpoint=127.0.0.1 msg=handshake successful
+receiver got ping: my-message, 1
+receiver got ping: my-message, 2
+receiver got ping: my-message, 3
+receiver got ping: my-message, 4
+receiver got ping: my-message, 5
diff --git a/testing/btest/Baseline/broker.remote_event_auto/send.send.out b/testing/btest/Baseline/broker.remote_event_auto/send.send.out
new file mode 100644
index 0000000000..f5a9d54af0
--- /dev/null
+++ b/testing/btest/Baseline/broker.remote_event_auto/send.send.out
@@ -0,0 +1,6 @@
+sender added peer: endpoint=127.0.0.1 msg=received handshake from remote core
+sender got pong: my-message, 1
+sender got pong: my-message, 2
+sender got pong: my-message, 3
+sender got pong: my-message, 4
+sender lost peer: endpoint=127.0.0.1 msg=lost remote peer
diff --git a/testing/btest/Baseline/broker.remote_event_ssl_auth/recv.recv.out b/testing/btest/Baseline/broker.remote_event_ssl_auth/recv.recv.out
new file mode 100644
index 0000000000..88b8207c91
--- /dev/null
+++ b/testing/btest/Baseline/broker.remote_event_ssl_auth/recv.recv.out
@@ -0,0 +1,7 @@
+receiver added peer: endpoint=127.0.0.1 msg=handshake successful
+receiver got ping: my-message, 1
+receiver got ping: my-message, 2
+receiver got ping: my-message, 3
+receiver got ping: my-message, 4
+receiver got ping: my-message, 5
+[num_peers=1, num_stores=0, num_pending_queries=0, num_events_incoming=5, num_events_outgoing=4, num_logs_incoming=0, num_logs_outgoing=1, num_ids_incoming=0, num_ids_outgoing=0]
diff --git a/testing/btest/Baseline/broker.remote_event_ssl_auth/send.send.out b/testing/btest/Baseline/broker.remote_event_ssl_auth/send.send.out
new file mode 100644
index 0000000000..f5a9d54af0
--- /dev/null
+++ b/testing/btest/Baseline/broker.remote_event_ssl_auth/send.send.out
@@ -0,0 +1,6 @@ +sender added peer: endpoint=127.0.0.1 msg=received handshake from remote core +sender got pong: my-message, 1 +sender got pong: my-message, 2 +sender got pong: my-message, 3 +sender got pong: my-message, 4 +sender lost peer: endpoint=127.0.0.1 msg=lost remote peer diff --git a/testing/btest/Baseline/broker.remote_id/recv.recv.out b/testing/btest/Baseline/broker.remote_id/recv.recv.out new file mode 100644 index 0000000000..4df78bcdd6 --- /dev/null +++ b/testing/btest/Baseline/broker.remote_id/recv.recv.out @@ -0,0 +1,4 @@ +intial val, init +peer added +peer lost +updated val, newval diff --git a/testing/btest/Baseline/broker.remote_log/recv.recv.out b/testing/btest/Baseline/broker.remote_log/recv.recv.out index 2f4a31df51..e69de29bb2 100644 --- a/testing/btest/Baseline/broker.remote_log/recv.recv.out +++ b/testing/btest/Baseline/broker.remote_log/recv.recv.out @@ -1,6 +0,0 @@ -wrote log, [msg=ping, nolog=no, num=0] -wrote log, [msg=ping, nolog=no, num=1] -wrote log, [msg=ping, nolog=no, num=2] -wrote log, [msg=ping, nolog=no, num=3] -wrote log, [msg=ping, nolog=no, num=4] -wrote log, [msg=ping, nolog=no, num=5] diff --git a/testing/btest/Baseline/broker.remote_log/recv.test.log b/testing/btest/Baseline/broker.remote_log/recv.test.log index 0d6dae756c..f0f279a626 100644 --- a/testing/btest/Baseline/broker.remote_log/recv.test.log +++ b/testing/btest/Baseline/broker.remote_log/recv.test.log @@ -3,7 +3,7 @@ #empty_field (empty) #unset_field - #path test -#open 2015-01-26-22-47-11 +#open 2017-04-26-01-04-25 #fields msg num #types string count ping 0 @@ -12,4 +12,4 @@ ping 2 ping 3 ping 4 ping 5 -#close 2015-01-26-22-47-11 +#close 2017-04-26-01-04-26 diff --git a/testing/btest/Baseline/broker.remote_log/send.send.out b/testing/btest/Baseline/broker.remote_log/send.send.out index 632279e697..c2520da821 100644 --- a/testing/btest/Baseline/broker.remote_log/send.send.out +++ b/testing/btest/Baseline/broker.remote_log/send.send.out 
@@ -1 +1 @@ -Broker::outgoing_connection_established, 127.0.0.1, 9999/tcp +Broker::peer_added, 127.0.0.1 diff --git a/testing/btest/Baseline/broker.remote_log/send.test.log b/testing/btest/Baseline/broker.remote_log/send.test.log index 0d6dae756c..f0f279a626 100644 --- a/testing/btest/Baseline/broker.remote_log/send.test.log +++ b/testing/btest/Baseline/broker.remote_log/send.test.log @@ -3,7 +3,7 @@ #empty_field (empty) #unset_field - #path test -#open 2015-01-26-22-47-11 +#open 2017-04-26-01-04-25 #fields msg num #types string count ping 0 @@ -12,4 +12,4 @@ ping 2 ping 3 ping 4 ping 5 -#close 2015-01-26-22-47-11 +#close 2017-04-26-01-04-26 diff --git a/src/analyzer/protocol/ayiya/events.bif b/testing/btest/Baseline/broker.remote_log_late_join/recv.recv.out similarity index 100% rename from src/analyzer/protocol/ayiya/events.bif rename to testing/btest/Baseline/broker.remote_log_late_join/recv.recv.out diff --git a/testing/btest/Baseline/broker.remote_log_late_join/recv.test.log b/testing/btest/Baseline/broker.remote_log_late_join/recv.test.log new file mode 100644 index 0000000000..d2c086a2e0 --- /dev/null +++ b/testing/btest/Baseline/broker.remote_log_late_join/recv.test.log @@ -0,0 +1,14 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path test +#open 2017-05-07-23-57-46 +#fields msg num +#types string count +ping 1 +ping 2 +ping 3 +ping 4 +ping 5 +#close 2017-05-07-23-57-47 diff --git a/testing/btest/Baseline/broker.remote_log_late_join/send.send.out b/testing/btest/Baseline/broker.remote_log_late_join/send.send.out new file mode 100644 index 0000000000..c2520da821 --- /dev/null +++ b/testing/btest/Baseline/broker.remote_log_late_join/send.send.out @@ -0,0 +1 @@ +Broker::peer_added, 127.0.0.1 diff --git a/testing/btest/Baseline/broker.remote_log_late_join/send.test.log b/testing/btest/Baseline/broker.remote_log_late_join/send.test.log new file mode 100644 index 0000000000..2052699fe5 --- /dev/null 
+++ b/testing/btest/Baseline/broker.remote_log_late_join/send.test.log @@ -0,0 +1,15 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path test +#open 2017-05-07-23-57-44 +#fields msg num +#types string count +ping 0 +ping 1 +ping 2 +ping 3 +ping 4 +ping 5 +#close 2017-05-07-23-57-47 diff --git a/src/analyzer/protocol/pia/events.bif b/testing/btest/Baseline/broker.remote_log_types/recv.recv.out similarity index 100% rename from src/analyzer/protocol/pia/events.bif rename to testing/btest/Baseline/broker.remote_log_types/recv.recv.out diff --git a/testing/btest/Baseline/broker.remote_log_types/recv.test.log b/testing/btest/Baseline/broker.remote_log_types/recv.test.log new file mode 100644 index 0000000000..eb2b066cd4 --- /dev/null +++ b/testing/btest/Baseline/broker.remote_log_types/recv.test.log @@ -0,0 +1,10 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path test +#open 2017-02-11-02-17-35 +#fields b i e c p sn a d t iv s sc ss se vc ve f +#types bool int enum count port subnet addr double time interval string set[count] set[string] set[string] vector[count] vector[string] func +T -42 Test::LOG 21 123 10.0.0.0/24 1.2.3.4 3.14 1486779455.703438 100.000000 hurz 1 AA (empty) 10,20,30 (empty) foo\x0a{ \x0aif (0 < i) \x0a\x09return (Foo);\x0aelse\x0a\x09return (Bar);\x0a\x0a} +#close 2017-02-11-02-17-35 diff --git a/testing/btest/Baseline/broker.remote_log_types/send.send.out b/testing/btest/Baseline/broker.remote_log_types/send.send.out new file mode 100644 index 0000000000..c2520da821 --- /dev/null +++ b/testing/btest/Baseline/broker.remote_log_types/send.send.out @@ -0,0 +1 @@ +Broker::peer_added, 127.0.0.1 diff --git a/testing/btest/Baseline/broker.remote_log_types/send.test.log b/testing/btest/Baseline/broker.remote_log_types/send.test.log new file mode 100644 index 0000000000..59987c5998 --- /dev/null +++ b/testing/btest/Baseline/broker.remote_log_types/send.test.log 
@@ -0,0 +1,10 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path test +#open 2017-02-11-02-17-35 +#fields b i e c p sn a d t iv s sc ss se vc ve f +#types bool int enum count port subnet addr double time interval string set[count] set[string] set[string] vector[count] vector[string] func +T -42 Test::LOG 21 123 10.0.0.0/24 1.2.3.4 3.14 1486779455.703438 100.000000 hurz 1 AA (empty) 10,20,30 (empty) foo\x0a{ \x0aif (0 < i) \x0a\x09return (Foo);\x0aelse\x0a\x09return (Bar);\x0a\x0a} +#close 2017-02-11-02-17-36 diff --git a/testing/btest/Baseline/broker.remote_print/recv.recv.out b/testing/btest/Baseline/broker.remote_print/recv.recv.out deleted file mode 100644 index 6e5a37abbf..0000000000 --- a/testing/btest/Baseline/broker.remote_print/recv.recv.out +++ /dev/null @@ -1,6 +0,0 @@ -got print msg, ping 0 -got print msg, ping 1 -got print msg, ping 2 -got print msg, ping 3 -got print msg, ping 4 -got print msg, ping 5 diff --git a/testing/btest/Baseline/broker.remote_print/send.send.out b/testing/btest/Baseline/broker.remote_print/send.send.out deleted file mode 100644 index 861dd64a8a..0000000000 --- a/testing/btest/Baseline/broker.remote_print/send.send.out +++ /dev/null @@ -1,6 +0,0 @@ -Broker::outgoing_connection_established, 127.0.0.1, 9999/tcp -got print msg, pong 0 -got print msg, pong 1 -got print msg, pong 2 -got print msg, pong 3 -got print msg, pong 4 diff --git a/testing/btest/Baseline/broker.remote_publish_and_relay_event/one.one.out b/testing/btest/Baseline/broker.remote_publish_and_relay_event/one.one.out new file mode 100644 index 0000000000..45c18d28be --- /dev/null +++ b/testing/btest/Baseline/broker.remote_publish_and_relay_event/one.one.out @@ -0,0 +1,3 @@ +sender added peer: endpoint=127.0.0.1 msg=received handshake from remote core +got ready event +sender lost peer: endpoint=127.0.0.1 msg=lost remote peer 
diff --git a/testing/btest/Baseline/broker.remote_publish_and_relay_event/three.three.out b/testing/btest/Baseline/broker.remote_publish_and_relay_event/three.three.out new file mode 100644 index 0000000000..8193829fd4 --- /dev/null +++ b/testing/btest/Baseline/broker.remote_publish_and_relay_event/three.three.out @@ -0,0 +1,2 @@ +receiver added peer: endpoint=127.0.0.1 msg=handshake successful +got my_event, hello world diff --git a/testing/btest/Baseline/broker.remote_publish_and_relay_event/two.two.out b/testing/btest/Baseline/broker.remote_publish_and_relay_event/two.two.out new file mode 100644 index 0000000000..7bedece7d2 --- /dev/null +++ b/testing/btest/Baseline/broker.remote_publish_and_relay_event/two.two.out @@ -0,0 +1,5 @@ +receiver added peer: endpoint=127.0.0.1 msg=received handshake from remote core +receiver added peer: endpoint=127.0.0.1 msg=handshake successful +sending ready event +got my_event, hello world +receiver lost peer: endpoint=127.0.0.1 msg=lost remote peer diff --git a/testing/btest/Baseline/broker.remote_relay_event/one.one.out b/testing/btest/Baseline/broker.remote_relay_event/one.one.out new file mode 100644 index 0000000000..45c18d28be --- /dev/null +++ b/testing/btest/Baseline/broker.remote_relay_event/one.one.out @@ -0,0 +1,3 @@ +sender added peer: endpoint=127.0.0.1 msg=received handshake from remote core +got ready event +sender lost peer: endpoint=127.0.0.1 msg=lost remote peer diff --git a/testing/btest/Baseline/broker.remote_relay_event/three.three.out b/testing/btest/Baseline/broker.remote_relay_event/three.three.out new file mode 100644 index 0000000000..8193829fd4 --- /dev/null +++ b/testing/btest/Baseline/broker.remote_relay_event/three.three.out @@ -0,0 +1,2 @@ +receiver added peer: endpoint=127.0.0.1 msg=handshake successful +got my_event, hello world 
diff --git a/testing/btest/Baseline/broker.remote_relay_event/two.two.out b/testing/btest/Baseline/broker.remote_relay_event/two.two.out new file mode 100644 index 0000000000..21378cdd92 --- /dev/null +++ b/testing/btest/Baseline/broker.remote_relay_event/two.two.out @@ -0,0 +1,4 @@ +receiver added peer: endpoint=127.0.0.1 msg=received handshake from remote core +receiver added peer: endpoint=127.0.0.1 msg=handshake successful +sending ready event +receiver lost peer: endpoint=127.0.0.1 msg=lost remote peer diff --git a/src/analyzer/protocol/zip/events.bif b/testing/btest/Baseline/broker.ssl_auth_failure/recv.recv.out similarity index 100% rename from src/analyzer/protocol/zip/events.bif rename to testing/btest/Baseline/broker.ssl_auth_failure/recv.recv.out diff --git a/testing/btest/Baseline/broker.ssl_auth_failure/send.send.out b/testing/btest/Baseline/broker.ssl_auth_failure/send.send.out new file mode 100644 index 0000000000..af1061d460 --- /dev/null +++ b/testing/btest/Baseline/broker.ssl_auth_failure/send.send.out @@ -0,0 +1 @@ +sender error: code=Broker::PEER_UNAVAILABLE msg=(invalid-node, *127.0.0.1:9999, "remote endpoint unavailable") diff --git a/testing/btest/Baseline/broker.store.clone/clone.clone.out b/testing/btest/Baseline/broker.store.clone/clone.clone.out new file mode 100644 index 0000000000..9ae8d91491 --- /dev/null +++ b/testing/btest/Baseline/broker.store.clone/clone.clone.out 
@@ -0,0 +1,24 @@ +---- +clone, one, Broker::SUCCESS, [data=broker::data{110}] +clone, two, Broker::SUCCESS, [data=broker::data{223}] +clone, [1, 2], Broker::SUCCESS, [data=broker::data{1947/tcp}] +clone, three, Broker::FAILURE, [data=] +clone, four, Broker::FAILURE, [data=] +clone, five, Broker::FAILURE, [data=] +clone, six, Broker::FAILURE, [data=] +---- +clone, one, Broker::SUCCESS, [data=broker::data{110}] +clone, two, Broker::SUCCESS, [data=broker::data{223}] +clone, [1, 2], Broker::SUCCESS, [data=broker::data{1947/tcp}] +clone, three, Broker::SUCCESS, [data=broker::data{3.140000}] +clone, four, Broker::SUCCESS, [data=broker::data{1.2.3.4}] +clone, five, Broker::FAILURE, [data=] +clone, six, Broker::FAILURE, [data=] +---- +clone, one, Broker::SUCCESS, [data=broker::data{110}] +clone, two, Broker::SUCCESS, [data=broker::data{223}] +clone, [1, 2], Broker::SUCCESS, [data=broker::data{1947/tcp}] +clone, three, Broker::SUCCESS, [data=broker::data{3.140000}] +clone, four, Broker::FAILURE, [data=] +clone, five, Broker::SUCCESS, [data=broker::data{555}] +clone, six, Broker::SUCCESS, [data=broker::data{666}] diff --git a/testing/btest/Baseline/broker.store.clone/master.master.out b/testing/btest/Baseline/broker.store.clone/master.master.out new file mode 100644 index 0000000000..0d19efd785 --- /dev/null +++ b/testing/btest/Baseline/broker.store.clone/master.master.out @@ -0,0 +1,8 @@ +---- +master, one, Broker::SUCCESS, [data=broker::data{110}] +master, two, Broker::SUCCESS, [data=broker::data{223}] +master, [1, 2], Broker::SUCCESS, [data=broker::data{1947/tcp}] +master, three, Broker::SUCCESS, [data=broker::data{3.140000}] +master, four, Broker::FAILURE, [data=] +master, five, Broker::SUCCESS, [data=broker::data{555}] +master, six, Broker::SUCCESS, [data=broker::data{666}] diff --git a/testing/btest/Baseline/broker.store.local/master.out b/testing/btest/Baseline/broker.store.local/master.out new file mode 100644 index 0000000000..89ef24ba49 --- /dev/null 
+++ b/testing/btest/Baseline/broker.store.local/master.out @@ -0,0 +1,2 @@ +string, 110 +count, 223 diff --git a/testing/btest/Baseline/broker.store.ops/master.out b/testing/btest/Baseline/broker.store.ops/master.out new file mode 100644 index 0000000000..afb7c84fb4 --- /dev/null +++ b/testing/btest/Baseline/broker.store.ops/master.out @@ -0,0 +1,25 @@ +[1], one, Broker::SUCCESS, [data=broker::data{110}] +[2], two, Broker::SUCCESS, [data=broker::data{220}] +[3], three, Broker::SUCCESS, [data=broker::data{330}] +[4], four, Broker::SUCCESS, [data=broker::data{{1, 2, 3}}] +[5], five, Broker::FAILURE, [data=] +[6], { +y, +x +}, Broker::SUCCESS, [data=broker::data{[1/tcp, 2/tcp, 3/tcp]}] +[7], two, Broker::SUCCESS, [data=broker::data{230}] +[8], three, Broker::SUCCESS, [data=broker::data{320}] +[9], four, Broker::SUCCESS, [data=broker::data{{1, 2, 3}}] +keys, [status=Broker::SUCCESS, result=[data=broker::data{{four, one, set, str, table, three, two, vec, {x, y}}}]] +[11], str, Broker::SUCCESS, [data=broker::data{foobar}] +[12], set, Broker::SUCCESS, [data=broker::data{{A, B, C}}] +[13], table, Broker::SUCCESS, [data=broker::data{{a -> 1, c -> 3}}] +[14], vec, Broker::SUCCESS, [data=broker::data{[1, 2, 3, 4]}] +[15], one, [status=Broker::SUCCESS, result=[data=broker::data{T}]] +[16], NOPE, [status=Broker::SUCCESS, result=[data=broker::data{F}]] +[17], vec, Broker::SUCCESS, [data=broker::data{2}] +[18], set, Broker::SUCCESS, [data=broker::data{T}] +[19], table, Broker::SUCCESS, [data=broker::data{1}] +[20], table, Broker::FAILURE, [data=] +keys, [status=Broker::SUCCESS, result=[data=broker::data{{one, set, str, table, three, two, vec, {x, y}}}]] +keys, [status=Broker::SUCCESS, result=[data=broker::data{{}}]] diff --git a/testing/btest/Baseline/broker.store.record/master.out b/testing/btest/Baseline/broker.store.record/master.out new file mode 100644 index 0000000000..9e82505b41 --- /dev/null +++ b/testing/btest/Baseline/broker.store.record/master.out 
@@ -0,0 +1,19 @@ +3 +T +T +T +[data=broker::data{[hi, hello, 37]}], [s1=hi, s2=hello, c=37] + +[data=broker::data{hi}] +[data=broker::data{hello}] +[data=broker::data{37}] +3 +T +3 +[data=broker::data{goodbye}] +[data=broker::data{[hi, goodbye, 37]}], [s1=hi, s2=goodbye, c=37] + +| [data=broker::data{hi}] +| [data=broker::data{goodbye}] +| [data=broker::data{37}] + diff --git a/testing/btest/Baseline/broker.store.set/master.out b/testing/btest/Baseline/broker.store.set/master.out new file mode 100644 index 0000000000..4d0ad144ad --- /dev/null +++ b/testing/btest/Baseline/broker.store.set/master.out @@ -0,0 +1,29 @@ +0 +T +1 +T +F +T +[data=broker::data{{bye, hi}}], { +bye, +hi +} +| [data=broker::data{bye}] +| [data=broker::data{hi}] + +2 +F +2 +T +1 +F +[data=broker::data{{bye}}], { +bye +} + +T +0 +[data=broker::data{{}}], { + +} + diff --git a/testing/btest/Baseline/broker.store.sqlite/out b/testing/btest/Baseline/broker.store.sqlite/out new file mode 100644 index 0000000000..621474aef2 --- /dev/null +++ b/testing/btest/Baseline/broker.store.sqlite/out @@ -0,0 +1,13 @@ +Run, 1 +Inserting +Run, 2 +Retrieving +one, Broker::SUCCESS, [data=broker::data{110}] +two, Broker::SUCCESS, [data=broker::data{220}] +three, Broker::SUCCESS, [data=broker::data{330}] +four, Broker::SUCCESS, [data=broker::data{{1, 2, 3}}] +five, Broker::FAILURE, [data=] +{ +y, +x +}, Broker::SUCCESS, [data=broker::data{[1/tcp, 2/tcp, 3/tcp]}] diff --git a/testing/btest/Baseline/broker.store.table/master.out b/testing/btest/Baseline/broker.store.table/master.out new file mode 100644 index 0000000000..3ab2a3abd0 --- /dev/null +++ b/testing/btest/Baseline/broker.store.table/master.out 
@@ -0,0 +1,33 @@ +0 +[data=] +1 +T +42 +F +[data=] +2 +[data=broker::data{{bye -> 7, hi -> 42}}], { +[bye] = 7, +[hi] = 42 +} +| [key=[data=broker::data{bye}], val=[data=broker::data{7}]] +| [key=[data=broker::data{hi}], val=[data=broker::data{42}]] + +[data=broker::data{7}] +[data=broker::data{{bye -> 37, hi -> 42}}], { +[bye] = 37, +[hi] = 42 +} + +2 +37 +[data=broker::data{42}] +1 +[data=] +1 +T +0 +[data=broker::data{{}}], { + +} + diff --git a/testing/btest/Baseline/broker.store.type-conversion/master.out b/testing/btest/Baseline/broker.store.type-conversion/master.out new file mode 100644 index 0000000000..0ef9bd4144 --- /dev/null +++ b/testing/btest/Baseline/broker.store.type-conversion/master.out @@ -0,0 +1,47 @@ +Broker::BOOL +Broker::INT +Broker::COUNT +Broker::DOUBLE +Broker::STRING +Broker::ADDR +Broker::SUBNET +Broker::PORT +Broker::TIME +Broker::INTERVAL +Broker::ENUM +Broker::SET +Broker::TABLE +Broker::VECTOR +Broker::VECTOR +Broker::VECTOR +*************************** +T +F +1 +0 +-1 +1 +0 +1.1 +-11.1 +hello +1.2.3.4 +192.168.0.0/16 +22/tcp +42.0 +180.0 +Broker::BOOL +{ +two, +one, +three +} +{ +[two] = 2, +[one] = 1, +[three] = 3 +} +[zero, one, two] +[s=abc] +[c=123, r1=[s=xyz]] +opaque of sha256, T diff --git a/testing/btest/Baseline/broker.store.vector/master.out b/testing/btest/Baseline/broker.store.vector/master.out new file mode 100644 index 0000000000..e442646af8 --- /dev/null +++ b/testing/btest/Baseline/broker.store.vector/master.out 
@@ -0,0 +1,27 @@ +0 +T +T +T +T +4 +[data=broker::data{[hi, salutations, hello, greetings]}], [hi, salutations, hello, greetings] +| [data=broker::data{hi}] +| [data=broker::data{salutations}] +| [data=broker::data{hello}] +| [data=broker::data{greetings}] + +[data=broker::data{hello}] +[data=broker::data{[hi, salutations, bah, greetings]}], [hi, salutations, bah, greetings] + +[data=broker::data{bah}] +[data=broker::data{hi}] +[data=broker::data{[hi, salutations, bah, greetings]}], [hi, salutations, bah, greetings] + +[data=broker::data{bah}] +[data=broker::data{[hi, salutations, greetings]}], [hi, salutations, greetings] + +3 +T +0 +[data=broker::data{[]}], [] + diff --git a/testing/btest/Baseline/broker.unpeer/recv.broker.filtered.log b/testing/btest/Baseline/broker.unpeer/recv.broker.filtered.log new file mode 100644 index 0000000000..ccdfd7e510 --- /dev/null +++ b/testing/btest/Baseline/broker.unpeer/recv.broker.filtered.log @@ -0,0 +1,2 @@ +1499913965.846216 Broker::STATUS peer-added 127.0.0.1 XXX handshake successful +1499913969.834114 Broker::STATUS connection-terminated 127.0.0.1 XXX lost remote peer diff --git a/testing/btest/Baseline/broker.unpeer/recv.recv.out b/testing/btest/Baseline/broker.unpeer/recv.recv.out new file mode 100644 index 0000000000..ea871a634b --- /dev/null +++ b/testing/btest/Baseline/broker.unpeer/recv.recv.out @@ -0,0 +1 @@ +Something receiver, 1 diff --git a/testing/btest/Baseline/broker.unpeer/send.broker.filtered.log b/testing/btest/Baseline/broker.unpeer/send.broker.filtered.log new file mode 100644 index 0000000000..78964fd30a --- /dev/null +++ b/testing/btest/Baseline/broker.unpeer/send.broker.filtered.log @@ -0,0 +1,2 @@ +1499913965.830809 Broker::STATUS peer-added 127.0.0.1 XXX received handshake from remote core +1499913969.832007 Broker::STATUS peer-removed 127.0.0.1 XXX removed peering 
diff --git a/testing/btest/Baseline/broker.unpeer/send.send.out b/testing/btest/Baseline/broker.unpeer/send.send.out new file mode 100644 index 0000000000..b657b44f8c --- /dev/null +++ b/testing/btest/Baseline/broker.unpeer/send.send.out @@ -0,0 +1,3 @@ +Something sender, 1 +unpeering +Something sender, 2 diff --git a/testing/btest/Baseline/core.check-unused-event-handlers/.stderr b/testing/btest/Baseline/core.check-unused-event-handlers/.stderr index 1a32ad442c..8c4e4def40 100644 --- a/testing/btest/Baseline/core.check-unused-event-handlers/.stderr +++ b/testing/btest/Baseline/core.check-unused-event-handlers/.stderr @@ -1,2 +1,3 @@ warning in , line 1: event handler never invoked: this_is_never_used +warning in , line 1: event handler never invoked: InputConfig::new_value warning in , line 1: event handler never invoked: InputRaw::process_finished diff --git a/testing/btest/Baseline/core.cisco-fabric-path/conn.log b/testing/btest/Baseline/core.cisco-fabric-path/conn.log new file mode 100644 index 0000000000..eae407aceb --- /dev/null +++ b/testing/btest/Baseline/core.cisco-fabric-path/conn.log 
@@ -0,0 +1,41 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path conn +#open 2018-07-09-14-17-29 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents +#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] +1529347003.860008 C7fIlMZDuRiqjpYbb 1.1.1.6 57005 2.2.2.2 48879 tcp - 0.001018 0 0 S0 - - 0 S 2 80 0 0 - +1529347003.861732 CykQaM33ztNt0csB9a 1.1.1.4 57005 2.2.2.2 48879 tcp - 0.000928 0 0 S0 - - 0 S 2 80 0 0 - +1529347003.863372 CtxTCR2Yer0FR1tIBg 1.1.1.14 57005 2.2.2.2 48879 tcp - 0.000928 0 0 S0 - - 0 S 2 80 0 0 - +1529347003.865002 CpmdRlaUoJLN3uIRa 1.1.1.12 57005 2.2.2.2 48879 tcp - 0.000926 0 0 S0 - - 0 S 2 80 0 0 - +1529347003.866648 C1Xkzz2MaGtLrc1Tla 1.1.1.0 57005 2.2.2.2 48879 tcp - 0.001042 0 0 S0 - - 0 S 2 80 0 0 - +1529347003.868394 CqlVyW1YwZ15RhTBc4 1.1.1.2 57005 2.2.2.2 48879 tcp - 0.000920 0 0 S0 - - 0 S 2 80 0 0 - +1529347003.870014 CLNN1k2QMum1aexUK7 1.1.1.8 57005 2.2.2.2 48879 tcp - 0.000930 0 0 S0 - - 0 S 2 80 0 0 - +1529347003.871649 CBA8792iHmnhPLksKa 1.1.1.10 57005 2.2.2.2 48879 tcp - 0.000928 0 0 S0 - - 0 S 2 80 0 0 - +1529347003.873385 CGLPPc35OzDQij1XX8 1234::e 57005 5678:: 48879 tcp - 0.001139 0 0 S0 - - 0 S 2 120 0 0 - +1529347003.875322 CiyBAq1bBLNaTiTAc 1234::c 57005 5678:: 48879 tcp - 0.001027 0 0 S0 - - 0 S 2 120 0 0 - +1529347003.877182 CFSwNi4CNGxcuffo49 1234::6 57005 5678:: 48879 tcp - 0.001055 0 0 S0 - - 0 S 2 120 0 0 - +1529347003.879034 Cipfzj1BEnhejw8cGf 1234::4 57005 5678:: 48879 tcp - 0.001018 0 0 S0 - - 0 S 2 120 0 0 - +1529347003.881330 CV5WJ42jPYbNW9JNWf 1234::8 57005 5678:: 48879 tcp - 0.001029 0 0 S0 - - 0 S 2 120 0 0 - +1529347003.883152 CPhDKt12KQPUVbQz06 1234::a 57005 5678:: 48879 tcp - 0.001005 0 0 S0 - - 0 S 2 120 0 0 - 
+1529347003.884945 CAnFrb2Cvxr5T7quOc 1234:: 57005 5678:: 48879 tcp - 0.001005 0 0 S0 - - 0 S 2 120 0 0 - +1529347003.886751 C8rquZ3DjgNW06JGLl 1234::2 57005 5678:: 48879 tcp - 0.001120 0 0 S0 - - 0 S 2 120 0 0 - +1529347003.851951 CFLRIC3zaTU1loLGxh 1234::4 57005 5678:: 48879 udp - 0.000905 0 0 S0 - - 0 D 2 96 0 0 - +1529347003.855232 Ck51lg1bScffFj34Ri 1234::a 57005 5678:: 48879 udp - 0.000894 0 0 S0 - - 0 D 2 96 0 0 - +1529347003.839636 CtPZjS20MLrsMUOJi2 1.1.1.12 57005 2.2.2.2 48879 udp - 0.000847 0 0 S0 - - 0 D 2 56 0 0 - +1529347003.858393 CNnMIj2QSd84NKf7U3 1234::2 57005 5678:: 48879 udp - 0.000902 0 0 S0 - - 0 D 2 96 0 0 - +1529347003.842649 CmES5u32sYpV7JYN 1.1.1.2 57005 2.2.2.2 48879 udp - 0.000830 0 0 S0 - - 0 D 2 56 0 0 - +1529347003.850367 C0LAHyvtKSQHyJxIl 1234::6 57005 5678:: 48879 udp - 0.000898 0 0 S0 - - 0 D 2 96 0 0 - +1529347003.848776 CwjjYJ2WqgTbAqiHl6 1234::c 57005 5678:: 48879 udp - 0.000902 0 0 S0 - - 0 D 2 96 0 0 - +1529347003.856801 C9mvWx3ezztgzcexV7 1234:: 57005 5678:: 48879 udp - 0.000898 0 0 S0 - - 0 D 2 96 0 0 - +1529347003.841103 CUM0KZ3MLUfNB0cl11 1.1.1.0 57005 2.2.2.2 48879 udp - 0.000926 0 0 S0 - - 0 D 2 56 0 0 - +1529347003.845524 C37jN32gN3y3AZzyf6 1.1.1.10 57005 2.2.2.2 48879 udp - 0.000843 0 0 S0 - - 0 D 2 56 0 0 - +1529347003.847079 C3eiCBGOLw3VtHfOj 1234::e 57005 5678:: 48879 udp - 0.001014 0 0 S0 - - 0 D 2 96 0 0 - +1529347003.853544 C9rXSW3KSpTYvPrlI1 1234::8 57005 5678:: 48879 udp - 0.001010 0 0 S0 - - 0 D 2 96 0 0 - +1529347003.836659 ClEkJM2Vm5giqnMf4h 1.1.1.4 57005 2.2.2.2 48879 udp - 0.000847 0 0 S0 - - 0 D 2 56 0 0 - +1529347003.838130 C4J4Th3PJpwUYZZ6gc 1.1.1.14 57005 2.2.2.2 48879 udp - 0.000880 0 0 S0 - - 0 D 2 56 0 0 - +1529347003.844086 CP5puj4I8PtEU4qzYg 1.1.1.8 57005 2.2.2.2 48879 udp - 0.000830 0 0 S0 - - 0 D 2 56 0 0 - +1529347003.834704 CHhAvVGS1DHFjwGM9 1.1.1.6 57005 2.2.2.2 48879 udp - 0.001243 0 0 S0 - - 0 D 2 56 0 0 - +#close 2018-07-09-14-17-29 
diff --git a/testing/btest/Baseline/core.embedded-null/.stdout b/testing/btest/Baseline/core.embedded-null/.stdout new file mode 100644 index 0000000000..edf309beb0 --- /dev/null +++ b/testing/btest/Baseline/core.embedded-null/.stdout @@ -0,0 +1 @@ +error: string with embedded NUL: "hi\x00there" diff --git a/testing/btest/Baseline/core.erspan/tunnel.log b/testing/btest/Baseline/core.erspan/tunnel.log new file mode 100644 index 0000000000..76d2784a7a --- /dev/null +++ b/testing/btest/Baseline/core.erspan/tunnel.log @@ -0,0 +1,10 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path tunnel +#open 2017-02-03-20-27-11 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p tunnel_type action +#types time string addr port addr port enum enum +1442309933.472798 CHhAvVGS1DHFjwGM9 10.200.0.3 0 10.200.0.224 0 Tunnel::GRE Tunnel::DISCOVER +#close 2017-02-03-20-27-11 diff --git a/testing/btest/Baseline/core.event-arg-reuse/output b/testing/btest/Baseline/core.event-arg-reuse/output new file mode 100644 index 0000000000..52024ab5f2 --- /dev/null +++ b/testing/btest/Baseline/core.event-arg-reuse/output @@ -0,0 +1,2 @@ +f1, 2 +f2, 1 diff --git a/testing/btest/Baseline/core.history-flip/conn.log b/testing/btest/Baseline/core.history-flip/conn.log index b04a28b1cb..8e2d5627f1 100644 --- a/testing/btest/Baseline/core.history-flip/conn.log +++ b/testing/btest/Baseline/core.history-flip/conn.log 
@@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path conn -#open 2016-07-13-17-58-11 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents -#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] -1128727435.633408 CHhAvVGS1DHFjwGM9 141.42.64.125 56730 125.190.109.199 80 tcp http 1.550793 98 9417 SF - - 0 ^hADdFaf 11 670 10 9945 (empty) -#close 2016-07-13-17-58-11 +#open 2017-01-30-23-13-15 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents orig_l2_addr resp_l2_addr +#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] string string +1128727435.633408 CHhAvVGS1DHFjwGM9 141.42.64.125 56730 125.190.109.199 80 tcp http 1.550793 98 9417 SF - - 0 ^hADdFaf 11 670 10 9945 - 00:d0:03:3b:f4:00 00:b0:c2:86:ec:00 +#close 2017-01-30-23-13-15 diff --git a/testing/btest/Baseline/core.ip-broken-header/weird.log b/testing/btest/Baseline/core.ip-broken-header/weird.log new file mode 100644 index 0000000000..a416f90e66 --- /dev/null +++ b/testing/btest/Baseline/core.ip-broken-header/weird.log 
@@ -0,0 +1,465 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path weird +#open 2017-10-19-17-20-30 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer +#types time string addr port addr port string string bool string +1500557630.000000 - b100:7265::6904:2aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557630.000000 - 9c00:7265:6374:6929::6127:fb 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F bro +1500557630.000000 - ffff:ffff:ffff:ffff::8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557630.000000 - b100:7265:6300::8004:ef 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557630.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557630.000000 - b100:7265:6374:2a29::6904:ff 0 3bbf:ff00:40:ff:ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557630.000000 - b100:7265:6374:6929::6904:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557630.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557630.000000 - b100:6500:72:6369:2a29:0:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557630.000000 - 255.255.0.0 0 255.255.255.223 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6300:69:7429:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - 9c00:7265:6374:6929::6927:ff 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:6929::6904:ff 0 3b00:40:ffbf:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - 9c00:722a:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:6929::4:ff 0 
3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - 9c00:722a:6374:6929:1000:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6300::8004:ff 0 3bbf:ff00:40:0:ffff:9ff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - 9c00:7265:6374:6929::6127:ff 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:6900:0:400:2a29:6aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6300:2304:0:fffe:bfff:ff 0 ffff:0:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:ff80:ffff:0:4000:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - 9c00:7265:6374:6929::6927:ff 0 0:7265:6374:6929::6904:ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:2a29::6904:2aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - 9c20:722a:6374:6929:800:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:63ce:69:7429:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - 9c00:722a:6374:6929:400:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:28fd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:6500:72:6369:2a29:: 0 0:80:40:0:ffef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:6900:0:400:2a29:2aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - 9c00:7265:6374:6929::6927:ff 0 3bbf:ff00:40:0:ffff:ffff:fb2a:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:ff80:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - 9c00:722a:6374:6929:400:0:6904:ff 0 
3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - 9c00:7265:6374:6929::6127:fb 0 3bbf:ff00:40:0:ffff:ffbf:fbfd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:ff80:40:0:ffff:fcff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:2a29::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff02:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff32:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - 9c00:722a:6374:6929:1000:0:6904:27ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:ff00:40:0:ffff:ffff:3afd:ffff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7200:400:65:6327:fffe:bfff:ff 0 ffff:0:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:69ff:ffff:ffff:ffff:ffff 0 3b1e:400:ff:0:6929:c200:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6300:69:7429:0:6904:ff 0 3bbf:ff00:40:0:ffff:700:fe:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6300:69:7429:0:690a:ff 0 40:3bff:bf:0:ffff:ffff:fdff:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6300::8004:ff 0 3bbf:ff00:840:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:63ce:69:7429:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:ffe6:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:6929:100:0:4:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:6929:100:0:4:ff 0 3bbf:ff00:40:0:21ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:6929:ffff:ffff:4:ff 0 
3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:6500:72:6369:2a29:0:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:ff3a:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:2a29:ffff:ffff:ffff:ffff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6300:2704:0:fffe:bfff:ff 0 ffff:0:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:6929:: 0 80:ff00:40:0:ff7f:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6300:69:7429:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:ff3a 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:0:ff00:69:2980:0:69 0 c400:ff3b:bfff:0:40ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6300::8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - 9c00:7265:e374:6929::6927:ff 0 0:7265:6374:6929::6904:ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6300:2705:0:fffe:bfff:ff 0 ffff:0:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:63ce:80:7429:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:2a29:0:4:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - 9c00:722a:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:ffff:3af7 0 invalid_inner_IP_version - F bro +1500557631.000000 - 9c00:7265:6374:6929::6127:fb 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7df 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6300::8004:ff 0 3bbf:ff00:840:0:ffff:ff01:: 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6300:0:100:0:8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:71fd:f7ff 0 
invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:2a29::6904:ff 0 3bbf:ff00:40:2:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - 0:7265:6374:6929:ff:0:27ff:28 0 126:0:143:4f4e:5445:4e54:535f:524c 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:ff80:fffe:0:4000:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:69ff:ff00:400:2a29:6aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:2a29::6904:ff 0 3bbf:fef9:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - 9c00:722a:6374:6929:400:0:6904:ff 0 3bbf:ff00:40:0:ffff:ff3a:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6300:69:7429:0:6904:40 0 bf:ff3b:0:ff00:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:6929::4:ff 0 3bbf:8000::ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - 9c00:7265:6374:6929::6927:ff 0 38bf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:69ff:ffff:ffff:ffff:ffff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:6500:72:6369:2a29:0:690a:ff 0 3bbf:ff00:40:80:ffef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:6929::6904:ff 0 3b00:40:ffbf:5:1ff:f7ff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:63ce:69:7429:db00:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:6929:ff:ff00:6904:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - 9c00:7265:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:6929:180:: 0 bf:ff00:40:0:ffff:ffff:fffd:f7ff 0 
invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:0:ff00:69:2980:0:29 0 c400:ff3b:bfff:0:40ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - 9c00:7265:6374:6929:600:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - 9c00:7463:2a72:6929:400:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b000:7265:6374:6929::8004:ff 0 3bbf:ff80:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - 255.255.0.0 0 255.255.255.237 0 invalid_inner_IP_version - F bro +1500557631.000000 - 0:7265:6374:6929:ff:27:a800:ff 0 100:0:143:4f4e:5445:4e54:535f:524c 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:f9fe:ffbf:ffff:0:ff28:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - - - - - ip_hdr_len_zero - F bro +1500557631.000000 - 0.0.0.0 0 0.0.65.95 0 invalid_IP_header_size - F bro +1500557631.000000 - b100:7265:6374:7129:ffff:ffff:ffff:ffff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b101:0:74:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:ff80:ffff:0:4000:ffff:fffd:f7fd 0 invalid_inner_IP_version - F bro +1500557631.000000 - 9c00:7265:6374:6929::6127:fb 0 3bbf:ff00:40:0:ffff:ffff:fb03:12ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - 400:fffe:bfff::ecec:ecfc:ecec 0 ecec:ecec:ecec:ec00:ffff:ffff:fffd:ffff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:6500:72:6369:aa29:0:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:6929:2600:0:8004:ff 0 3bbf:ff80:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:6500:72:6369:2a29:0:690a:ff 0 3bbf:8000:40:0:16ef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro 
+1500557631.000000 - b100:7265:6374:6929:0:1000:6904:ff 0 3b00:40:ffbf:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:6929::6904:ff 0 ff00:bf3b:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b800:7265:6374:6929::8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:2a29::6904:ff 0 3bbf:ff00:f2:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:3a40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6300:91:8bd6:ff00:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:2a29::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:5445:52ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:8b:0:ffff:ffff:f7fd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6300:69:7429:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - ffff:ffff:ffff:ffff::8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fff7:820 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:9d8b:d5d5:ffff:fffc:ffff:ffff 0 3bbf:ff00:40:6e:756d:5f70:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b198:7265:6374:2a29::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - 9c00:7265:6374:6929:0:100:6127:fb 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6300:0:100:0:480:ffbf 0 3bff:0:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:2a29:2:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6300:0:100:0:8004:ff 0 3bbf:ff00:40:0:ffff:fff8:fffd:f7ff 0 invalid_inner_IP_version - F bro 
+1500557631.000000 - 9cc2:7265:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:f8fe:ffff:0:4000:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:2a29:ffff:ffff:ff21:ffff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - 9c00:7265:6374:6929::6927:ff 0 0:7265:6b74:6929::6904:ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:ffff:6929::6904:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - 9c00:7229:6374:6929::6927:ff 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:6929::4:ff 0 3bbf:ff00:40:0:ffff:ffff:f7fd:ffff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b104:7265:6374:2a29::6904:ff 0 3bbf:ff03:40:0:ffff:ffff:f5fd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:6929:8000:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - 0.0.0.0 0 0.0.255.255 0 invalid_IP_header_size - F bro +1500557631.000000 - b100:7265:6374:6900:8000:400:2a29:2aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:6929::4:ff 0 3bbf:4900:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:636f:6d29::5704:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:723a:6374:6929::6904:ff 0 3b00:40:ffbf:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:6929:100:0:4:ff 0 3bbf:ff00::ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - 0:7265:6374:6929:ff:0:27ff:28 0 100:0:143:4f4e:5445:4e54:535f:524c 0 invalid_inner_IP_version - F bro +1500557631.000000 - 9c00:7265:6374:6929:100:0:6127:fb 0 
3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:6929:0:ffff:6804:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - 9c00:7265:6374:6929::6927:0 0 80bf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - 9c00:7265:6374:6929::6827:ff 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - 9c00:7265:6374:6929::6127:ff 0 3bbf:ff00:440:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - ffff:ffff:ffff:ffff::8004:ff 0 3bbf:ff00:40::80ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:908 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6300:69:7429:0:690a:ff 0 3bbf:ff00::ffff:ff03:bffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:6500:72:6300:0:8000:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:8e00:2704:0:fffe:bfff:ff 0 ffff:0:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:9f74:2a29::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:6929:: 0 80:ff00:40:0:ffff:ffff:fffd:f701 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6300::8004:ff 0 3b3f:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:2a29:ffff:ffff:ffff:ffff 0 3bbf:ff00:40:6e:7d6d:5f70:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:2a29::6904:ff 0 3bbf:ff00:40:0:fbff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - 9c00:7265:6374:6929::ff 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:6929::6904:ff 0 3b1e:400:ff:0:9529:0:fffd:f7ff 0 invalid_inner_IP_version - F 
bro +1500557631.000000 - b100:7265:6300:0:100:0:8004:ff 0 3bbf:ff01:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7200:400:65:6327:fffe:bfff:ff 0 ffff:0:ffff:ff3a:3600:82b:0:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:6929::8004:ff 0 3bb7:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - 0.0.0.0 0 0.53.0.0 0 invalid_IP_header_size - F bro +1500557631.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:ff00:39:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - 9c00:722a:6374:6929::6904:ff 0 3bbf:ff00:40:ffff:fbfd:ffff:0:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - 9c00:7265:6374:6929:0:8000:6927:ff 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7228:6374:2a29::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - 9c00:7265:6374:6929::6127:ff 0 3bbf:ff80::ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:6929::4:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7fc 0 invalid_inner_IP_version - F bro +1500557631.000000 - 9c00:7265:6374:6929::6927:ff 0 100:7265:6374:6929::6904:ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7200:6300:4:ff27:65fe:bfff:ff 0 ffff:0:ffff:ff3a:f700:8000:20:8ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:47:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - 9c20:722a:6374:6929:800:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f706 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:6500:72:e369:2a29:0:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:ff3a:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265::6904:2aff 0 c540:ff:ffbf:ffde:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6300::8001:0 0 ::40:0:ffff:ffff:fffd:f7ff 0 
invalid_inner_IP_version - F bro +1500557631.000000 - 0:7265:6374:6929:ff:27:2800:ff 0 100:0:143:4f4e:5445:4e54:535f:524c 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:6929::4:ff 0 3bbf:ff00:40:f8:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6300:69:7429:0:690a:ff 0 3bbf:ff00:40:900:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - 9c20:722a:6374:6929:800:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7d8 0 invalid_inner_IP_version - F bro +1500557631.000000 - ffff:ff27:ffff:ffff::8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:f7ff:fdff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:6929:0:3a00:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:0:ff40:ff00:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:63ce:29:69:7400:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:6500:72:6369:2a:2900:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:ff3a:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:2100::8004:ef 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:2a29:ffff:ffff:ffff:ffff 0 3bbf:ff00:40:6e:756d:5f70:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6300:69:7429:0:6904:ff 0 3bbf:ff00:40:0:ffff:100:: 0 invalid_inner_IP_version - F bro +1500557631.000000 - 0.0.0.0 0 0.0.0.0 0 invalid_IP_header_size - F bro +1500557631.000000 - b100:7265:6374:6929:1:0:4:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:ff:ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - 
b100:7265:6374:6929:0:69:4:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557631.000000 - b100:7265:6374:6929::ff:3bff 0 4bf:8080:ffff:0:4000:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374:6929::6904:ff 0 3b1e:0:4ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:63f4:6929::8004:ff 0 3bbf:ff80:ffff:0:4000:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374:6900:0:400:2a29:2aff 0 3bbf:ff00:3a:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:637b:6929::6904:ff 0 3b00:40:ffbf:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:6500:72:6369:2a29:0:690a:ff 0 3bbf:ff00:340:80:ffef:ffff:fffd:f7fb 0 invalid_inner_IP_version - F bro +1500557632.000000 - b300:6500:72:6369:2a29:0:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:ff3a:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - 9c00:7265:ae74:6929:ffff:ffff:ffff:ffff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - 9c00:7265:6374:6929::6927:ff 0 0:7265:6374:6929::6904:1 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374:6929:ff:ffff:ffff:ffff 0 ffbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374:2a29:ffff:ffff:ffff:ffff 0 3bbf:ff00:40:0:ffff:ff01:1:ffff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374:6929:0:4:0:80ff 0 3bbf:ff80:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374:6929::4:ff 0 3bbf:0:40ff:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:ff80:40:0:ffff:ff7a:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374:434f:4e54:454e:5453:5f44 0 4ebf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - 
b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:ff:ff:fff7:ffff:fdff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:0:80::8004:ff 0 3bbf:ff80:ffff:0:4000:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff01:40:0:ffff:ffff:fffd:900 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374:6929::8004:ff 0 3b01::ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374:6929:3a00:0:6904:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374:6929::692a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:ff00:40:0:ffff:ffd8:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6300::8004:ff 0 3bbf:40:8:ff00:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - 9c00:7265:6374:6929::6927:bf 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374:69a9::4:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:5265:6374:6929::6904:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374:6929::97fb:ff00 0 c440:108:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - 9c00:722a:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:ffff:8000 0 invalid_inner_IP_version - F bro +1500557632.000000 - 32.0.8.99 0 0.0.0.0 0 invalid_IP_header_size - F bro +1500557632.000000 - b100:6500:72:6369:2a29:0:6980:ff 0 3bbf:8000:40:0:16ef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374:6929::693b:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - 0.0.0.0 0 0.255.255.255 0 invalid_IP_header_size - F bro +1500557632.000000 - b100:7265:6374:6929::6928:ff 0 
3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:5049:415f:5544:5000:0:6904:5544 0 50bf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374:6929:0:1000:8004:ff 0 3bbf:ff80:ffff:0:4000:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6300::8004:ff 0 3bbf:ff00:3c0:ffff::fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - 9c00:7265:6374:6929::6927:ff 0 fe:8d9a:948b:96d6:ff00:21:6904:ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374:6929::8014:ff 0 3bbf:ff80:ffff:0:4000:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6301::6904:2aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:63ce:69:7421:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6300:69:d529:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ff27:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374:2a29::6904:ff 0 3bbf:ff02:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - ffff:ffff:ffff:ffff::8004:ff 0 ffff:ffff:ffff:ff00:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - 7200:65:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - 9c00:7263:692a:7429::6904:ff 0 3b:bf00:40ff:0:ffff:ffff:ffff:3af7 0 invalid_inner_IP_version - F bro +1500557632.000000 - 9c00:7265:6306:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffe:1ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - 50ff:7265:6374:6929::4:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - 9c00:7265:6374:6900:2900:0:6927:ff 0 
3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6305:69:7429:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - 101.99.116.105 0 41.0.255.0 0 invalid_IP_header_size - F bro +1500557632.000000 - 9c00:7265:6374:6929::6927:ff 0 ::40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - 0:7265:6374:6900:0:400:2a29:6aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - 2700:7265:6300:0:100:0:8004:ff00 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7200:400:65:6327:101:3ffe:ff 0 ffff:0:ffff:ff3a:2000:f8d4:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - 9c00:7265:6374:6929::6127:ff 0 3bbf:ff00:ff:ff00:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:637c:6900:0:400:2a29:2aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:e374:6929::6904:ff 0 3bbf:ff00:40:a:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374:6929:: 0 80:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374:6929::4:ff 0 3bbf:fd00:40:0:fffc:ffff:f720:fd3a 0 invalid_inner_IP_version - F bro +1500557632.000000 - 9c00:722a:2374:6929:400:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:6500:72:6369:2a29:0:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:ff3a:f7ef 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374:2a29:ffff:ffff:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6300:69:7429:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:ff01:0 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:fff2:40:0:ffff:ffff:fffd:f7ff 0 
invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6300:2704:40:fffe:bfff:ff 0 ffff:0:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6300::8004:ff 0 6800:f265:6374:6929:11:27:c00:68 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:725f:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7200:400:65:6327:fffe:bfff:0 0 5000:ff:ffff:ffff:fdf7:ff3a:2000:800 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:ff80:ffff:0:4000:ffff:8000:0 0 invalid_inner_IP_version - F bro +1500557632.000000 - 9c00:722a:6374:6929:400:4:0:ff69 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374:2a29:ffff:ffff:ffff:ffff 0 7dbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6300::8084:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374:6929:0:ffff:ffff:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374:2a29:100:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7200:400:65:6327:fffe:bfff:ff 0 ffff:0:ff00:ffff:3a20:82b:0:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:6500:72:6369:2a29:0:690a:ff 0 3bbf:ff00:40:0:ffef:ff7d:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:6500:72:6369:2a22:0:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b300:7265:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - 9c20:722a:6374:6929:800:0:6904:ff 0 3bbf:ff00:40::ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6300:2704:0:fffe:bfff:ff 0 ffff:0:80:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version 
- F bro +1500557632.000000 - b100:7265:6300::8004:3a 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ff00:0:8080 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374:6929::4:ff 0 3bbf:ff80:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6300:2704:0:fffe:bfff:ff 0 ffff:0:ffff:ff3a:2008:2b:0:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6300:69:7429:0:690a:ff 0 3bbf:ff01:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374:6929::6904:ff 0 3b1e:3b00:ff:0:6929:0:f7fd:ffff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374:6929:9:0:9704:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374:2a29::6904:2aff 0 3bbf:ff00:40:21:ffff:ffff:80fd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ffcc:c219:aa00:0:c9:640d:eb3c 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:a78b:2a29::6904:2aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374:6929::6904:ff 0 3bff:4000:bf00:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:5265:6300::8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7218:400:65:6327:fffe:bfff:ff 0 ffff:20:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - 71.97.99.109 0 0.16.0.41 0 invalid_IP_header_size - F bro +1500557632.000000 - b100:7221:6374:2a29::6904:2aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374:6929:ffff:ffff:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:6500:72:6369:2a29:0:690a:ff 0 
3bbf:ff00:40:0:7fef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374:d0d6:ffff:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:ff80:40:0:29ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6300::8004:ff 0 3bbf:ff00:40:6:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374:6929::6904:ff 0 3b00:40:ffbf:0:ecff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:6500:72:6369:2a29:0:690a:ff 0 3bbf:ff00:40:0:ffef:ffef:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374:e929::8004:ff 0 3bbf:ff80:40:0:ffff:ffff:fffd:27ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - 3a00:7265:6374:6929::8004:ff 0 c540:fe:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374:6929::4:ff 0 3bbf:ff00:40:40:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374:6929::4:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f728 0 invalid_inner_IP_version - F bro +1500557632.000000 - 65:63b1:7274:6929::8004:ff 0 3bbf:ff80:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6300::2104:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6328:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - f100:7265:6374:6929::6904:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:6500:72:6328:2a29:0:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7200:400:65:ffff:ffff:ffff:ffff 0 ffff:0:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6300:69:7429:0:6904:ff 0 3bbf:ff00:40:0:ffff:fdff:ffff:f7ff 0 
invalid_inner_IP_version - F bro +1500557632.000000 - 9c00:7265:6374:6929::6127:fb 0 3bbf:6500:6fd:188:4747:4747:61fd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - 0.0.0.255 0 11.0.255.0 0 invalid_IP_header_size_in_tunnel - F bro +1500557632.000000 - b100:7265:63ce:69:7429:0:690a:ff 0 3bbf:ff00:40:0:7fff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374:2a29::6904:2aff 0 3bbf:ff00:40:21:27ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ff4e:5654:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374::80:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6300::8004:3b 0 ff:ffbf:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:6500:91:6369:2a29:0:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:ff3a:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6300::8004:ff 0 3bbf:ff00:840:ff:ffff:feff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6301::8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6300:2704:0:fffe:bfff:ff 0 ffff:ffff:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6300:69:7429:0:690a:ff 0 40:0:ff3b:bf:ffff:ffff:fdff:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - 9c00:7265:6374:6929::6927:10ff 0 0:7265:6374:6929::6904:ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6329:ffff:2a74:ffff:ffff:ffff 0 3bbf:ff00:40:6e:756d:3b70:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - 143.9.0.0 0 0.98.0.237 0 invalid_IP_header_size - F bro +1500557632.000000 - b100:7265:6374:6929::4:ff 0 3bbf:ff00:40:0:ffff:feff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6300:2704:0:fffe:bfff:ff 0 fffb:0:ffff:ff3a:2000:82b:0:f7ff 
0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7200:6365::8004:ff 0 3bbf:ff00:840:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - 0:7265:6374:6929:ff:27:2800:ff 0 100:0:143:4f4e:5445:4e00:0:704c 0 invalid_inner_IP_version - F bro +1500557632.000000 - 9c00:7265:6374:6929::6927:ff 0 3bbf:ff02:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F bro +1500557632.000000 - b100:7265:6374:6909::8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:6929:100:0:4:ff 0 3bbf:ff00:40:0:feff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:2a29::6904:2a60 0 3bbf:ff00:40:21:ffff:ffff:ffbd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - 9c00:7265:6374:6929::6127:ff 0 3bbf:ff00:8040:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - 2a72:6300:b165:7429:ffff:ffff:ffff:ffff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:639a:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:6929::ff00:480 0 3bbf:ff80:ffff:0:4000:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:6929:0:8:: 0 80:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b000:7265:63ce:69:7429:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:21e6:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6301:0:29:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:ff:ff40:0:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:6929::3b04:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:6929::8804:ff 0 3bbf:ff80:40:0:ffff:ffff:102:800 0 invalid_inner_IP_version - F 
bro +1500557633.000000 - b100:6500:72:6369:2a29:0:690a:ff 0 33bf:ff00:40:0:ffef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:ff80:60:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:6929:800:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:2a29::6904:ff 0 3b9f:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b13b:bfff:0:4000:ff:ffff:ffff:fdf7 0 ff3a:2000:800:1e04:ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:6929::6904:0 0 ::80:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b165:6300:7274:6929::400:ff 0 3bbf:ff00:40:0:ffff:ffff:f7fd:ffff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:6929::6904:ff3b 0 0:bfff:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:6929::3b:bfff 0 ff04:0:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6300:69:74a9:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6300:69:7429:0:6904:ff 0 3bbf:ff00:40:0:ffff:2aff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:6374:65:69:7229:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6377:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6300::4:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b128:7265:63ce:69:7429:db00:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:6929:4:0:6904:ff 0 3b1e:400:ff:0:6929:2700:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - 
9c00:722a:6374:6929::6904:ff 0 3bbf:fd00:40:0:ffff:ffff:ffff:3af7 0 invalid_inner_IP_version - F bro +1500557633.000000 - 9c00:722a:6374:6929::6968:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6300:69:7429:0:6904:ff 0 3bff:bf00:40:0:ffff:ffff:fffd:e7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7261:6374:6929::6904:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:6929::6904:ff 0 3b1e:400:ff:0:7929:0:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:2a29::6904:2aff 0 3bbf:df00::80ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7263:65ce:69:7429:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:ffe6:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - ffff:ffff:ffff:ffff::8004:ff 0 3bbf:ff01:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:f8:0:ff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - 9c00:7265:6374:692d::6927:ff 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:6929::4:fd 0 c3bf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:2a29::6904:3b 0 bf:ffff:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:6900:ec00:400:2a29:6aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:6929::6904:ff 0 e21e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:6928:ffff:fd00:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:40:0:ffff:ff3b:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:6929::ff00:bfff 0 
3b00:400:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:6929::6904:ff 0 3b1e:520:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:6929::6904:ffff 0 ffff:ffff:ffff:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6300:69:7429:0:690a:ff 0 3bbf:ff00:28:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:6929::80fb:ff 0 3bbf:ff80:ffff:0:4000:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:6929::ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - 9c2a:7200:6374:6929:1000:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - 9c00:7265:6374:693a::6127:ff 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - 9c20:722a:6374:6929:800:0:6904:ff 0 3bbf:ff00:40:0:ffff:ff7f:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - 9c00:7265:6374:6929:0:fffe:bfff:ff 0 ffff:ff68:0:4000:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7200:400:65:6327:fffe:bfff:ff 0 ffff:0:ffff:ff3a:2000:82b:0:f7ef 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:6929::4:ff 0 3bbf:2700:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - 9c00:7265:6374:6929::6904:ff 0 3bbf:ff00:40:27:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:6929::2a:0 0 ::6a:ffff:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:6900:a:400:2a29:3b2a 0 ffbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b1ff:7265:6374:2a29:ffff:ffff:ffff:ffff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:6500:72:6369:2a29:3b00:690a:ff 0 
3bbf:fb00:40:0:ffef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - 9c00:722a:6374:: 0 ffff:ffff:ffff:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - 9c00:722a:6374:6929:1000:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:2aff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6300:0:100:0:8004:ff 0 3bbf:ff00:60:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:2a29:ffff:ffff:ffff:ffff 0 3bbf:ff00:40:9500:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7200:63:65::8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6300:2704:0:fffe:bfff:fc 0 ffff:0:ffff:ff3a:2000:82b:0:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:6929::6900:0 0 80bf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:63ce:69:2129:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:6500:72:6369:2a29:0:690a:ff 0 3bbf:ff00:40:3a:ffef:ff:ffff:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:6929::6904:ff 0 3bbf:ff00:c1:800:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:9265:6300:69:7429:0:690a:ff 0 40:3bff:bf:0:ffff:ffff:fdff:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6300:0:100:0:8004:ff 0 3bbf:ff00:40:0:ffff:ffff:dffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:6929:: 0 80:ff00:40:0:1ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:724a:6374:6929:: 0 80:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:6929::6904:f6 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6300:2704:0:fffe:bfff:0 0 ffff:ff:ffff:ff3a:2000:82b:0:f7ff 0 
invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6500:0:100:0:8004:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:6929:0:a:4:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:6900::2900:0 0 80:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - 68.80.95.104 0 109.115.117.0 0 invalid_IP_header_size - F bro +1500557633.000000 - 9c00:7265:6374:6929::6927:ff 0 0:7265:6374:692b::6904:ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:6900:29:0:6914:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:6500:72:e369:2a29:0:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:2a29::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f728 0 invalid_inner_IP_version - F bro +1500557633.000000 - 8:1e:400:ff00:0:3200:8004:ff 0 3bff:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:2a29::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:ffff:f7fd 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6300:2704:0:fffe:bfff:ff 0 ffff:0:ffff:ff3a:2000:8ba:0:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6300::8004:ff 0 48bf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7365:6374:6929::6904:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6300:2704:0:fffe:bfff:ff 0 ffff:0:ffff:ff3a:5600:800:2b00:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:2a29::6904:2aff 0 3bbf:ff00:40:4021:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - 0:7265:6374:6929:ff:6:27ff:28 0 100:0:143:4f4e:5445:4e54:535f:524c 0 invalid_inner_IP_version - F bro +1500557633.000000 - 
9c00:7265:6374:6929::6927:ff 0 0:7265:6b74:6909::6904:ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:6929::4:ff 0 3bbf:ff00:40:0:ffff:ff48:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6300:7400:2969:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6300:69:7429:0:690a:ff 0 40:3bff:c5:0:ffff:ffff:fdff:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265::6904:2a3a 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:6929::6904:f9ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7261:6374:2a29::6904:2aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:6929::6904:ff 0 3b1e:400:ff:0:9fd6:ffff:2:800 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6300:69:7429:8000:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - ffff:ffff:ffff:ffff:: 0 ::40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:ff80:40:400:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - 9c00:7265:6374:6929::ff00:ff 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:2a29::6904:2aff 0 3bbf:ff00:40:21:fffe:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:ffff::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - 4f00:7265:6374:6929::6904:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:6929::6904:ff 0 3b1e:8000::6929:0:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:6929:1:400:8004:ff 0 3bbf:ff80:40:0:ffff:ffff:fffd:f7ff 0 
invalid_inner_IP_version - F bro +1500557633.000000 - 0.255.255.0 0 0.0.0.0 0 invalid_IP_header_size - F bro +1500557633.000000 - b100:7265:6374:6929:4:0:6904:ff 0 3b1e:400:ff:0:6929:0:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7200:400:65:6327:fffe:bfff:ff 0 ffff:0:ffff:ff3a:2000:342b:0:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:6929:400:0:4:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - 9c00:7265:6374:6929::6927:ff 0 3bbf:ffa8:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:6374:2a29::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:ffdd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - b100:7265:1::69 0 c400:ff3b:bfff:0:40ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557633.000000 - 9c00:722a:6374:6929:400:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:ffff:ffff 0 invalid_inner_IP_version - F bro +1500557634.000000 - b100::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557634.000000 - 9c00:722a:6374:6929:1001:900:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557634.000000 - b100:7265:6374:6929::8004:ff 0 3bbf:ff00:40:0:40:0:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557634.000000 - 9c00:722a:6374:6929::6904:eff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557634.000000 - ffdb:ffff:3b00::ff:ffff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557634.000000 - b100:7265:63ce:69:7429:db00:690a:ff 0 3bbf:ff00:60:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557634.000000 - b100:7265:6374:6929:ffff:ffff:8004:ff 0 3bbf:ff80:ffff:0:4000:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557634.000000 - b100:7265:6300:669:7429:0:690a:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557634.000000 - b100:7265:6374:6929::693b:bdff 0 
0:4000:ff:ffff:fdff:fff7:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557634.000000 - 0.71.103.97 0 99.116.0.128 0 invalid_IP_header_size - F bro +1500557634.000000 - b100:7265:6300::8004:ff 0 3bbf:ff00:40:ff00:ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557634.000000 - b100:7265:63ce:69:7429:0:690a:b1 0 3bbf:ff00:40:0:ffff:ffff:ffe6:f7ff 0 invalid_inner_IP_version - F bro +1500557634.000000 - b100:7265:63ce:69:7429:db00:690a:ff 0 3bbf:ff00:40:0:29ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557634.000000 - 6500:0:6fd:188:4747:4747:6163:7400 0 0:2c29:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557634.000000 - 9c00:722a:6374:6929:8000:0:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557634.000000 - b100:6500:72:6369:2900:2a00:690a:ff 0 3bbf:ff00:40:0:ffef:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557634.000000 - b100:7265:6374:2a29::6904:ff 0 29bf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557634.000000 - b100:7265:6374:6929::6904:ff 0 3b00:40:ffbf:10:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557634.000000 - 9c00:7265:6374:6929::612f:fb 0 3bbf:ff00:40:0:ffff:ffff:fbfd:f7ff 0 invalid_inner_IP_version - F bro +1500557634.000000 - b100:7265:6300:2704:0:fffe:bfff:ff 0 ffff:0:ffff:ffc3:2000:82b:0:f7ff 0 invalid_inner_IP_version - F bro +1500557634.000000 - 9c00:722a:6374:6929:1000:100:6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f728 0 invalid_inner_IP_version - F bro +1500557634.000000 - b100:7265:6374:6929:ff:ffff:ff04:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557634.000000 - b100:7265:0:ff00:69:2980:0:69 0 c4ff:bf00:ff00:3b:40ff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +1500557634.000000 - 9c00:7265:6374:69d1::6904:ff 0 3bbf:ff00:40:0:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro +#close 2017-10-19-17-20-30 
diff --git a/testing/btest/Baseline/core.leaks.broker.clone_store/clone.clone.out b/testing/btest/Baseline/core.leaks.broker.clone_store/clone.clone.out
index ef997abeb8..9ae8d91491 100644
--- a/testing/btest/Baseline/core.leaks.broker.clone_store/clone.clone.out
+++ b/testing/btest/Baseline/core.leaks.broker.clone_store/clone.clone.out
@@ -1,5 +1,24 @@
-clone keys, [status=Broker::SUCCESS, result=[d=broker::data{[one, two, myset, myvec]}]]
-lookup, one, [status=Broker::SUCCESS, result=[d=broker::data{111}]]
-lookup, two, [status=Broker::SUCCESS, result=[d=broker::data{222}]]
-lookup, myset, [status=Broker::SUCCESS, result=[d=broker::data{{a, c, d}}]]
-lookup, myvec, [status=Broker::SUCCESS, result=[d=broker::data{[delta, alpha, beta, gamma, omega]}]]
+----
+clone, one, Broker::SUCCESS, [data=broker::data{110}]
+clone, two, Broker::SUCCESS, [data=broker::data{223}]
+clone, [1, 2], Broker::SUCCESS, [data=broker::data{1947/tcp}]
+clone, three, Broker::FAILURE, [data=]
+clone, four, Broker::FAILURE, [data=]
+clone, five, Broker::FAILURE, [data=]
+clone, six, Broker::FAILURE, [data=]
+----
+clone, one, Broker::SUCCESS, [data=broker::data{110}]
+clone, two, Broker::SUCCESS, [data=broker::data{223}]
+clone, [1, 2], Broker::SUCCESS, [data=broker::data{1947/tcp}]
+clone, three, Broker::SUCCESS, [data=broker::data{3.140000}]
+clone, four, Broker::SUCCESS, [data=broker::data{1.2.3.4}]
+clone, five, Broker::FAILURE, [data=]
+clone, six, Broker::FAILURE, [data=]
+----
+clone, one, Broker::SUCCESS, [data=broker::data{110}]
+clone, two, Broker::SUCCESS, [data=broker::data{223}]
+clone, [1, 2], Broker::SUCCESS, [data=broker::data{1947/tcp}]
+clone, three, Broker::SUCCESS, [data=broker::data{3.140000}]
+clone, four, Broker::FAILURE, [data=]
+clone, five, Broker::SUCCESS, [data=broker::data{555}]
+clone, six, Broker::SUCCESS, [data=broker::data{666}]
diff --git a/testing/btest/Baseline/core.leaks.broker.data/bro..stdout b/testing/btest/Baseline/core.leaks.broker.data/bro..stdout index 8703ca6a0c..a58dc4a480 100644 --- a/testing/btest/Baseline/core.leaks.broker.data/bro..stdout +++ b/testing/btest/Baseline/core.leaks.broker.data/bro..stdout @@ -12,7 +12,7 @@ Broker::ENUM Broker::SET Broker::TABLE Broker::VECTOR -Broker::RECORD +Broker::VECTOR *************************** T F @@ -67,19 +67,19 @@ T } *************************** 0 -[d=] +[data=] 1 T 42 F -[d=] +[data=] 2 -[d=broker::data{7}] +[data=broker::data{7}] 2 37 -[d=broker::data{42}] +[data=broker::data{42}] 1 -[d=] +[data=] 1 T 0 @@ -94,11 +94,11 @@ T T [hi, salutations, hello, greetings] 4 -[d=broker::data{hello}] -[d=broker::data{bah}] -[d=broker::data{hi}] +[data=broker::data{hello}] +[data=broker::data{bah}] +[data=broker::data{hi}] [hi, salutations, bah, greetings] -[d=broker::data{bah}] +[data=broker::data{bah}] [hi, salutations, greetings] 3 T @@ -109,10 +109,10 @@ T T T T -[d=broker::data{hi}] -[d=broker::data{hello}] -[d=broker::data{37}] +[data=broker::data{hi}] +[data=broker::data{hello}] +[data=broker::data{37}] 3 T 3 -[d=broker::data{goodbye}] +[data=broker::data{goodbye}] diff --git a/testing/btest/Baseline/core.leaks.broker.master_store/bro..stdout b/testing/btest/Baseline/core.leaks.broker.master_store/bro..stdout deleted file mode 100644 index 9eebc797e5..0000000000 --- a/testing/btest/Baseline/core.leaks.broker.master_store/bro..stdout +++ /dev/null 
@@ -1,14 +0,0 @@ -lookup(two): [status=Broker::SUCCESS, result=[d=broker::data{222}]] -lookup(four): [status=Broker::SUCCESS, result=[d=]] -lookup(myset): [status=Broker::SUCCESS, result=[d=broker::data{{a, c, d}}]] -lookup(one): [status=Broker::SUCCESS, result=[d=broker::data{111}]] -lookup(myvec): [status=Broker::SUCCESS, result=[d=broker::data{[delta, alpha, beta, gamma, omega]}]] -exists(one): [status=Broker::SUCCESS, result=[d=broker::data{1}]] -exists(two): [status=Broker::SUCCESS, result=[d=broker::data{0}]] -exists(myset): [status=Broker::SUCCESS, result=[d=broker::data{1}]] -exists(four): [status=Broker::SUCCESS, result=[d=broker::data{0}]] -pop_right(myvec): [status=Broker::SUCCESS, result=[d=broker::data{omega}]] -pop_left(myvec): [status=Broker::SUCCESS, result=[d=broker::data{delta}]] -keys: [status=Broker::SUCCESS, result=[d=broker::data{[myvec, myset, one]}]] -size: [status=Broker::SUCCESS, result=[d=broker::data{3}]] -size (after clear): [status=Broker::SUCCESS, result=[d=broker::data{0}]] diff --git a/testing/btest/Baseline/core.leaks.broker.remote_event/send.send.out b/testing/btest/Baseline/core.leaks.broker.remote_event/send.send.out index 2d61135abe..61c732410c 100644 --- a/testing/btest/Baseline/core.leaks.broker.remote_event/send.send.out +++ b/testing/btest/Baseline/core.leaks.broker.remote_event/send.send.out @@ -1,4 +1,4 @@ -Broker::outgoing_connection_established, 127.0.0.1, 9999/tcp +Broker peer added, [address=127.0.0.1, bound_port=9999/tcp] got event msg, pong, 0 got auto event msg, ping, 0 got event msg, pong, 1 diff --git a/testing/btest/Baseline/core.leaks.broker.remote_log/recv.recv.out b/testing/btest/Baseline/core.leaks.broker.remote_log/recv.recv.out index 3e0957442d..e69de29bb2 100644 --- a/testing/btest/Baseline/core.leaks.broker.remote_log/recv.recv.out +++ b/testing/btest/Baseline/core.leaks.broker.remote_log/recv.recv.out 
@@ -1,6 +0,0 @@ -wrote log, [msg=ping, num=0] -wrote log, [msg=ping, num=1] -wrote log, [msg=ping, num=2] -wrote log, [msg=ping, num=3] -wrote log, [msg=ping, num=4] -wrote log, [msg=ping, num=5] diff --git a/testing/btest/Baseline/core.leaks.broker.remote_log/recv.test.log b/testing/btest/Baseline/core.leaks.broker.remote_log/recv.test.log index 4fe7790779..f0f279a626 100644 --- a/testing/btest/Baseline/core.leaks.broker.remote_log/recv.test.log +++ b/testing/btest/Baseline/core.leaks.broker.remote_log/recv.test.log @@ -3,7 +3,7 @@ #empty_field (empty) #unset_field - #path test -#open 2015-02-12-17-33-13 +#open 2017-04-26-01-04-25 #fields msg num #types string count ping 0 @@ -12,4 +12,4 @@ ping 2 ping 3 ping 4 ping 5 -#close 2015-02-12-17-33-14 +#close 2017-04-26-01-04-26 diff --git a/testing/btest/Baseline/core.leaks.broker.remote_log/send.send.out b/testing/btest/Baseline/core.leaks.broker.remote_log/send.send.out index 632279e697..f1d017bb24 100644 --- a/testing/btest/Baseline/core.leaks.broker.remote_log/send.send.out +++ b/testing/btest/Baseline/core.leaks.broker.remote_log/send.send.out @@ -1 +1 @@ -Broker::outgoing_connection_established, 127.0.0.1, 9999/tcp +Broker peer added, [address=127.0.0.1, bound_port=9999/tcp] diff --git a/testing/btest/Baseline/core.leaks.broker.remote_log/send.test.log b/testing/btest/Baseline/core.leaks.broker.remote_log/send.test.log index 884517b252..f0f279a626 100644 --- a/testing/btest/Baseline/core.leaks.broker.remote_log/send.test.log +++ b/testing/btest/Baseline/core.leaks.broker.remote_log/send.test.log @@ -3,7 +3,7 @@ #empty_field (empty) #unset_field - #path test -#open 2015-02-12-17-33-13 +#open 2017-04-26-01-04-25 #fields msg num #types string count ping 0 @@ -12,4 +12,4 @@ ping 2 ping 3 ping 4 ping 5 -#close 2015-02-12-17-33-15 +#close 2017-04-26-01-04-26 
diff --git a/testing/btest/Baseline/core.leaks.broker.remote_print/recv.recv.out b/testing/btest/Baseline/core.leaks.broker.remote_print/recv.recv.out deleted file mode 100644 index 6e5a37abbf..0000000000 --- a/testing/btest/Baseline/core.leaks.broker.remote_print/recv.recv.out +++ /dev/null @@ -1,6 +0,0 @@ -got print msg, ping 0 -got print msg, ping 1 -got print msg, ping 2 -got print msg, ping 3 -got print msg, ping 4 -got print msg, ping 5 diff --git a/testing/btest/Baseline/core.leaks.broker.remote_print/send.send.out b/testing/btest/Baseline/core.leaks.broker.remote_print/send.send.out deleted file mode 100644 index 861dd64a8a..0000000000 --- a/testing/btest/Baseline/core.leaks.broker.remote_print/send.send.out +++ /dev/null @@ -1,6 +0,0 @@ -Broker::outgoing_connection_established, 127.0.0.1, 9999/tcp -got print msg, pong 0 -got print msg, pong 1 -got print msg, pong 2 -got print msg, pong 3 -got print msg, pong 4 diff --git a/testing/btest/Baseline/core.leaks.remote/sender.test.failure.log b/testing/btest/Baseline/core.leaks.remote/sender.test.failure.log deleted file mode 100644 index 71e1d18c73..0000000000 --- a/testing/btest/Baseline/core.leaks.remote/sender.test.failure.log +++ /dev/null @@ -1,12 +0,0 @@ -#separator \x09 -#set_separator , -#empty_field (empty) -#unset_field - -#path test.failure -#open 2012-07-20-01-50-18 -#fields t id.orig_h id.orig_p id.resp_h id.resp_p status country -#types time addr port addr port string string -1342749018.970682 1.2.3.4 1234 2.3.4.5 80 failure US -1342749018.970682 1.2.3.4 1234 2.3.4.5 80 failure UK -1342749018.970682 1.2.3.4 1234 2.3.4.5 80 failure MX -#close 2012-07-20-01-50-18 diff --git a/testing/btest/Baseline/core.leaks.remote/sender.test.log b/testing/btest/Baseline/core.leaks.remote/sender.test.log deleted file mode 100644 index bc3dac5a1a..0000000000 --- a/testing/btest/Baseline/core.leaks.remote/sender.test.log +++ /dev/null 
@@ -1,14 +0,0 @@ -#separator \x09 -#set_separator , -#empty_field (empty) -#unset_field - -#path test -#open 2012-07-20-01-50-18 -#fields t id.orig_h id.orig_p id.resp_h id.resp_p status country -#types time addr port addr port string string -1342749018.970682 1.2.3.4 1234 2.3.4.5 80 success unknown -1342749018.970682 1.2.3.4 1234 2.3.4.5 80 failure US -1342749018.970682 1.2.3.4 1234 2.3.4.5 80 failure UK -1342749018.970682 1.2.3.4 1234 2.3.4.5 80 success BR -1342749018.970682 1.2.3.4 1234 2.3.4.5 80 failure MX -#close 2012-07-20-01-50-18 diff --git a/testing/btest/Baseline/core.leaks.remote/sender.test.success.log b/testing/btest/Baseline/core.leaks.remote/sender.test.success.log deleted file mode 100644 index f0b26454b4..0000000000 --- a/testing/btest/Baseline/core.leaks.remote/sender.test.success.log +++ /dev/null @@ -1,11 +0,0 @@ -#separator \x09 -#set_separator , -#empty_field (empty) -#unset_field - -#path test.success -#open 2012-07-20-01-50-18 -#fields t id.orig_h id.orig_p id.resp_h id.resp_p status country -#types time addr port addr port string string -1342749018.970682 1.2.3.4 1234 2.3.4.5 80 success unknown -1342749018.970682 1.2.3.4 1234 2.3.4.5 80 success BR -#close 2012-07-20-01-50-18 diff --git a/testing/btest/Baseline/core.mpls-in-vlan/conn.log b/testing/btest/Baseline/core.mpls-in-vlan/conn.log index 8408056be2..5cbd2c5405 100644 --- a/testing/btest/Baseline/core.mpls-in-vlan/conn.log +++ b/testing/btest/Baseline/core.mpls-in-vlan/conn.log 
@@ -6,7 +6,7 @@ #open 2016-07-13-16-12-55 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] -1371685686.536606 CHhAvVGS1DHFjwGM9 65.65.65.65 19244 65.65.65.65 80 tcp - - - - OTH - - 0 D 1 257 0 0 (empty) -1371686961.479321 C4J4Th3PJpwUYZZ6gc 65.65.65.65 61193 65.65.65.65 80 tcp - - - - OTH - - 0 D 1 710 0 0 (empty) -1371686961.156859 ClEkJM2Vm5giqnMf4h 65.65.65.65 32828 65.65.65.65 80 tcp - - - - OTH - - 0 ^d 0 0 1 1500 (empty) +1371685686.536606 CHhAvVGS1DHFjwGM9 65.65.65.65 19244 65.65.65.65 80 tcp - - - - OTH - - 0 D 1 257 0 0 - +1371686961.479321 C4J4Th3PJpwUYZZ6gc 65.65.65.65 61193 65.65.65.65 80 tcp - - - - OTH - - 0 D 1 710 0 0 - +1371686961.156859 ClEkJM2Vm5giqnMf4h 65.65.65.65 32828 65.65.65.65 80 tcp - - - - OTH - - 0 ^d 0 0 1 1500 - #close 2016-07-13-16-12-55 diff --git a/testing/btest/Baseline/core.old_comm_usage/out b/testing/btest/Baseline/core.old_comm_usage/out new file mode 100644 index 0000000000..28585d78ba --- /dev/null +++ b/testing/btest/Baseline/core.old_comm_usage/out @@ -0,0 +1,2 @@ +warning in /Users/jon/projects/bro/bro/testing/btest/.tmp/core.old_comm_usage/old_comm_usage.bro, line 6: deprecated (terminate_communication) +fatal error: Detected old, deprecated communication system usages that will not work unless you explicitly take action to initizialize and set up the old comm. system. Set the 'old_comm_usage_is_ok' flag to bypass this error if you've taken such actions. diff --git a/testing/btest/Baseline/core.option-errors-2/.stderr b/testing/btest/Baseline/core.option-errors-2/.stderr new file mode 100644 index 0000000000..90011d5c85 --- /dev/null +++ b/testing/btest/Baseline/core.option-errors-2/.stderr 
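Review bot: The new baseline core.old_comm_usage/out records a developer-local absolute path (`/Users/jon/projects/bro/bro/testing/btest/.tmp/...`), and the core.option-errors* and core.option-runtime-errors* `.stderr` baselines added after it do the same with `/Users/johanna/corelight/bro/...`. Unless these tests compare their output through a canonifier that strips absolute paths (not visible in this diff), they will only pass on the author's machine, and either way the committed files disclose local usernames and directory layout; storing the path-stripped form would avoid both. The fatal-error text in the same baseline also spells `initizialize`; the message string in the source that emits it should presumably read `initialize`, with the baseline regenerated afterwards.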
@@ -0,0 +1 @@
+error in /Users/johanna/corelight/bro/testing/btest/.tmp/core.option-errors-2/option-errors.bro, line 2: option variable must be initialized (testbool)
diff --git a/testing/btest/Baseline/core.option-errors-3/.stderr b/testing/btest/Baseline/core.option-errors-3/.stderr
new file mode 100644
index 0000000000..ffe699c739
--- /dev/null
+++ b/testing/btest/Baseline/core.option-errors-3/.stderr
@@ -0,0 +1 @@
+error in /Users/johanna/corelight/bro/testing/btest/.tmp/core.option-errors-3/option-errors.bro, line 3: option is not a modifiable lvalue (testopt)
diff --git a/testing/btest/Baseline/core.option-errors/.stderr b/testing/btest/Baseline/core.option-errors/.stderr
new file mode 100644
index 0000000000..27a73e180d
--- /dev/null
+++ b/testing/btest/Baseline/core.option-errors/.stderr
@@ -0,0 +1 @@
+error in /Users/johanna/corelight/bro/testing/btest/.tmp/core.option-errors/option-errors.bro, line 4: no type given (testbool)
diff --git a/testing/btest/Baseline/core.option-priorities/.stdout b/testing/btest/Baseline/core.option-priorities/.stdout
new file mode 100644
index 0000000000..5565a18a92
--- /dev/null
+++ b/testing/btest/Baseline/core.option-priorities/.stdout
@@ -0,0 +1,6 @@
+Old value, T
+Higher prio - Value of testbool changed from T to F at location ''
+Value of testbool changed from T to T
+Higher prio - Value of testbool changed from T to F at location 'here'
+Value of testbool changed from T to T
+New value, T
diff --git a/testing/btest/Baseline/core.option-redef/.stdout b/testing/btest/Baseline/core.option-redef/.stdout
new file mode 100644
index 0000000000..baf1966653
--- /dev/null
+++ b/testing/btest/Baseline/core.option-redef/.stdout
@@ -0,0 +1,2 @@
+6
+7
diff --git a/testing/btest/Baseline/core.option-runtime-errors-10/.stderr b/testing/btest/Baseline/core.option-runtime-errors-10/.stderr
new file mode 100644
index 0000000000..3b4cf422f5
--- /dev/null
+++ b/testing/btest/Baseline/core.option-runtime-errors-10/.stderr
@@ -0,0 +1 @@
+error in /Users/johanna/corelight/bro/testing/btest/.tmp/core.option-runtime-errors-10/option-runtime-errors.bro, line 7: ID 'A' is not an option (Option::set_change_handler(A, option_changed, (coerce 0 to int)))
diff --git a/testing/btest/Baseline/core.option-runtime-errors-11/.stderr b/testing/btest/Baseline/core.option-runtime-errors-11/.stderr
new file mode 100644
index 0000000000..8fd7de5d2e
--- /dev/null
+++ b/testing/btest/Baseline/core.option-runtime-errors-11/.stderr
@@ -0,0 +1 @@
+error in /Users/johanna/corelight/bro/testing/btest/.tmp/core.option-runtime-errors-11/option-runtime-errors.bro, line 4: Option::on_change needs function argument; got 'count' for ID 'A' (Option::set_change_handler(A, A, (coerce 0 to int)))
diff --git a/testing/btest/Baseline/core.option-runtime-errors-12/.stderr b/testing/btest/Baseline/core.option-runtime-errors-12/.stderr
new file mode 100644
index 0000000000..635b287c6b
--- /dev/null
+++ b/testing/btest/Baseline/core.option-runtime-errors-12/.stderr
@@ -0,0 +1 @@
+error in /Users/johanna/corelight/bro/testing/btest/.tmp/core.option-runtime-errors-12/option-runtime-errors.bro, line 7: Third argument of passed function has to be string in Option::on_change for ID 'A'; got 'count' (Option::set_change_handler(A, option_changed, (coerce 0 to int)))
diff --git a/testing/btest/Baseline/core.option-runtime-errors-13/.stderr b/testing/btest/Baseline/core.option-runtime-errors-13/.stderr
new file mode 100644
index 0000000000..7b58339d8b
--- /dev/null
+++ b/testing/btest/Baseline/core.option-runtime-errors-13/.stderr
@@ -0,0 +1 @@
+error in /Users/johanna/corelight/bro/testing/btest/.tmp/core.option-runtime-errors-13/option-runtime-errors.bro, line 7: Wrong number of arguments for passed function in Option::on_change for ID 'A'; expected 2 or 3, got 4 (Option::set_change_handler(A, option_changed, (coerce 0 to int)))
diff --git a/testing/btest/Baseline/core.option-runtime-errors-2/.stderr b/testing/btest/Baseline/core.option-runtime-errors-2/.stderr
new file mode 100644
index 0000000000..ad027f69db
--- /dev/null
+++ b/testing/btest/Baseline/core.option-runtime-errors-2/.stderr
@@ -0,0 +1 @@
+error in /Users/johanna/corelight/bro/testing/btest/.tmp/core.option-runtime-errors-2/option-runtime-errors.bro, line 3: Incompatible type for set of ID 'A': got 'string', need 'count' (Option::set(A, hi, ))
diff --git a/testing/btest/Baseline/core.option-runtime-errors-3/.stderr b/testing/btest/Baseline/core.option-runtime-errors-3/.stderr
new file mode 100644
index 0000000000..2c98b170b7
--- /dev/null
+++ b/testing/btest/Baseline/core.option-runtime-errors-3/.stderr
@@ -0,0 +1 @@
+error in /Users/johanna/corelight/bro/testing/btest/.tmp/core.option-runtime-errors-3/option-runtime-errors.bro, line 3: ID 'A' is not an option (Option::set(A, 6, ))
diff --git a/testing/btest/Baseline/core.option-runtime-errors-4/.stderr b/testing/btest/Baseline/core.option-runtime-errors-4/.stderr
new file mode 100644
index 0000000000..a965ddd3ae
--- /dev/null
+++ b/testing/btest/Baseline/core.option-runtime-errors-4/.stderr
@@ -0,0 +1 @@
+error in /Users/johanna/corelight/bro/testing/btest/.tmp/core.option-runtime-errors-4/option-runtime-errors.bro, line 7: Second argument of passed function has to be count in Option::on_change for ID 'A'; got 'bool' (Option::set_change_handler(A, option_changed, (coerce 0 to int)))
diff --git a/testing/btest/Baseline/core.option-runtime-errors-5/.stderr b/testing/btest/Baseline/core.option-runtime-errors-5/.stderr
new file mode 100644
index 0000000000..d931ff062a
--- /dev/null
+++ b/testing/btest/Baseline/core.option-runtime-errors-5/.stderr
@@ -0,0 +1 @@
+error in /Users/johanna/corelight/bro/testing/btest/.tmp/core.option-runtime-errors-5/option-runtime-errors.bro, line 7: Wrong number of arguments for passed function in Option::on_change for ID 'A'; expected 2 or 3, got 1 (Option::set_change_handler(A, option_changed, (coerce 0 to int)))
diff --git a/testing/btest/Baseline/core.option-runtime-errors-6/.stderr b/testing/btest/Baseline/core.option-runtime-errors-6/.stderr
new file mode 100644
index 0000000000..593c239155
--- /dev/null
+++ b/testing/btest/Baseline/core.option-runtime-errors-6/.stderr
@@ -0,0 +1 @@
+error in /Users/johanna/corelight/bro/testing/btest/.tmp/core.option-runtime-errors-6/option-runtime-errors.bro, line 7: Passed function needs to return type 'count' for ID 'A'; got 'bool' (Option::set_change_handler(A, option_changed, (coerce 0 to int)))
diff --git a/testing/btest/Baseline/core.option-runtime-errors-7/.stderr b/testing/btest/Baseline/core.option-runtime-errors-7/.stderr
new file mode 100644
index 0000000000..57f7b5c21b
--- /dev/null
+++ b/testing/btest/Baseline/core.option-runtime-errors-7/.stderr
@@ -0,0 +1 @@
+error in /Users/johanna/corelight/bro/testing/btest/.tmp/core.option-runtime-errors-7/option-runtime-errors.bro, line 7: Option::on_change needs function argument; not hook or event (Option::set_change_handler(A, option_changed, (coerce 0 to int)))
diff --git a/testing/btest/Baseline/core.option-runtime-errors-8/.stderr b/testing/btest/Baseline/core.option-runtime-errors-8/.stderr
new file mode 100644
index 0000000000..2e7735f433
--- /dev/null
+++ b/testing/btest/Baseline/core.option-runtime-errors-8/.stderr
@@ -0,0 +1 @@
+error in /Users/johanna/corelight/bro/testing/btest/.tmp/core.option-runtime-errors-8/option-runtime-errors.bro, line 7: Option::on_change needs function argument; not hook or event (Option::set_change_handler(A, option_changed, (coerce 0 to int)))
diff --git a/testing/btest/Baseline/core.option-runtime-errors-9/.stderr b/testing/btest/Baseline/core.option-runtime-errors-9/.stderr
new file mode 100644
index 0000000000..a95196eef7
--- /dev/null
+++ b/testing/btest/Baseline/core.option-runtime-errors-9/.stderr
@@ -0,0 +1 @@
+error in /Users/johanna/corelight/bro/testing/btest/.tmp/core.option-runtime-errors-9/option-runtime-errors.bro, line 5: Could not find ID named 'A' (Option::set_change_handler(A, option_changed, (coerce 0 to int)))
diff --git a/testing/btest/Baseline/core.option-runtime-errors/.stderr b/testing/btest/Baseline/core.option-runtime-errors/.stderr
new file mode 100644
index 0000000000..f3ad46d382
--- /dev/null
+++ b/testing/btest/Baseline/core.option-runtime-errors/.stderr
@@ -0,0 +1 @@
+error in /Users/johanna/corelight/bro/testing/btest/.tmp/core.option-runtime-errors/option-runtime-errors.bro, line 8: Could not find ID named 'B' (Option::set(B, 6, ))
diff --git a/testing/btest/Baseline/core.pcap.dynamic-filter/conn.log b/testing/btest/Baseline/core.pcap.dynamic-filter/conn.log
index d410538d28..8518a0a68a 100644
--- a/testing/btest/Baseline/core.pcap.dynamic-filter/conn.log
+++ b/testing/btest/Baseline/core.pcap.dynamic-filter/conn.log
@@ -6,20 +6,20 @@ #open 2016-07-13-16-12-55 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] -1300475167.096535 CHhAvVGS1DHFjwGM9 141.142.220.202 5353 224.0.0.251 5353 udp dns - - - S0 - - 0 D 1 73 0 0 (empty) -1300475168.853899 C4J4Th3PJpwUYZZ6gc 141.142.220.118 43927 141.142.2.2 53 udp dns 0.000435 38 89 SF - - 0 Dd 1 66 1 117 (empty) -1300475168.854378 CtPZjS20MLrsMUOJi2 141.142.220.118 37676 141.142.2.2 53 udp dns 0.000420 52 99 SF - - 0 Dd 1 80 1 127 (empty) -1300475168.854837 CUM0KZ3MLUfNB0cl11 141.142.220.118 40526 141.142.2.2 53 udp dns 0.000392 38 183 SF - - 0 Dd 1 66 1 211 (empty) -1300475168.857956 CmES5u32sYpV7JYN 141.142.220.118 32902 141.142.2.2 53 udp dns 0.000317 38 89 SF - - 0 Dd 1 66 1 117 (empty) -1300475168.858306 CP5puj4I8PtEU4qzYg 141.142.220.118 59816 141.142.2.2 53 udp dns 0.000343 52 99 SF - - 0 Dd 1 80 1 127 (empty) -1300475168.858713 C37jN32gN3y3AZzyf6 141.142.220.118 59714 141.142.2.2 53 udp dns 0.000375 38 183 SF - - 0 Dd 1 66 1 211 (empty) -1300475168.891644 C3eiCBGOLw3VtHfOj 141.142.220.118 58206 141.142.2.2 53 udp dns 0.000339 38 89 SF - - 0 Dd 1 66 1 117 (empty) -1300475168.892037 CwjjYJ2WqgTbAqiHl6 141.142.220.118 38911 141.142.2.2 53 udp dns 0.000335 52 99 SF - - 0 Dd 1 80 1 127 (empty) -1300475168.892414 C0LAHyvtKSQHyJxIl 141.142.220.118 59746 141.142.2.2 53 udp dns 0.000421 38 183 SF - - 0 Dd 1 66 1 211 (empty) -1300475168.893988 CFLRIC3zaTU1loLGxh 141.142.220.118 45000 141.142.2.2 53 udp dns 0.000384 38 89 SF - - 0 Dd 1 66 1 117 (empty) -1300475168.894422 C9rXSW3KSpTYvPrlI1 141.142.220.118 48479 141.142.2.2 53 udp dns 0.000317 52 99 SF - - 0 Dd 1 80 1 127 (empty) -1300475168.894787 Ck51lg1bScffFj34Ri 141.142.220.118 48128 
141.142.2.2 53 udp dns 0.000423 38 183 SF - - 0 Dd 1 66 1 211 (empty) -1300475168.901749 C9mvWx3ezztgzcexV7 141.142.220.118 56056 141.142.2.2 53 udp dns 0.000402 36 131 SF - - 0 Dd 1 64 1 159 (empty) -1300475168.902195 CNnMIj2QSd84NKf7U3 141.142.220.118 55092 141.142.2.2 53 udp dns 0.000374 36 198 SF - - 0 Dd 1 64 1 226 (empty) -1300475168.652003 ClEkJM2Vm5giqnMf4h 141.142.220.118 35634 208.80.152.2 80 tcp - - - - OTH - - 0 D 1 515 0 0 (empty) +1300475167.096535 CHhAvVGS1DHFjwGM9 141.142.220.202 5353 224.0.0.251 5353 udp dns - - - S0 - - 0 D 1 73 0 0 - +1300475168.853899 C4J4Th3PJpwUYZZ6gc 141.142.220.118 43927 141.142.2.2 53 udp dns 0.000435 38 89 SF - - 0 Dd 1 66 1 117 - +1300475168.854378 CtPZjS20MLrsMUOJi2 141.142.220.118 37676 141.142.2.2 53 udp dns 0.000420 52 99 SF - - 0 Dd 1 80 1 127 - +1300475168.854837 CUM0KZ3MLUfNB0cl11 141.142.220.118 40526 141.142.2.2 53 udp dns 0.000392 38 183 SF - - 0 Dd 1 66 1 211 - +1300475168.857956 CmES5u32sYpV7JYN 141.142.220.118 32902 141.142.2.2 53 udp dns 0.000317 38 89 SF - - 0 Dd 1 66 1 117 - +1300475168.858306 CP5puj4I8PtEU4qzYg 141.142.220.118 59816 141.142.2.2 53 udp dns 0.000343 52 99 SF - - 0 Dd 1 80 1 127 - +1300475168.858713 C37jN32gN3y3AZzyf6 141.142.220.118 59714 141.142.2.2 53 udp dns 0.000375 38 183 SF - - 0 Dd 1 66 1 211 - +1300475168.891644 C3eiCBGOLw3VtHfOj 141.142.220.118 58206 141.142.2.2 53 udp dns 0.000339 38 89 SF - - 0 Dd 1 66 1 117 - +1300475168.892037 CwjjYJ2WqgTbAqiHl6 141.142.220.118 38911 141.142.2.2 53 udp dns 0.000335 52 99 SF - - 0 Dd 1 80 1 127 - +1300475168.892414 C0LAHyvtKSQHyJxIl 141.142.220.118 59746 141.142.2.2 53 udp dns 0.000421 38 183 SF - - 0 Dd 1 66 1 211 - +1300475168.893988 CFLRIC3zaTU1loLGxh 141.142.220.118 45000 141.142.2.2 53 udp dns 0.000384 38 89 SF - - 0 Dd 1 66 1 117 - +1300475168.894422 C9rXSW3KSpTYvPrlI1 141.142.220.118 48479 141.142.2.2 53 udp dns 0.000317 52 99 SF - - 0 Dd 1 80 1 127 - +1300475168.894787 Ck51lg1bScffFj34Ri 141.142.220.118 48128 141.142.2.2 53 udp dns 
0.000423 38 183 SF - - 0 Dd 1 66 1 211 - +1300475168.901749 C9mvWx3ezztgzcexV7 141.142.220.118 56056 141.142.2.2 53 udp dns 0.000402 36 131 SF - - 0 Dd 1 64 1 159 - +1300475168.902195 CNnMIj2QSd84NKf7U3 141.142.220.118 55092 141.142.2.2 53 udp dns 0.000374 36 198 SF - - 0 Dd 1 64 1 226 - +1300475168.652003 ClEkJM2Vm5giqnMf4h 141.142.220.118 35634 208.80.152.2 80 tcp - - - - OTH - - 0 D 1 515 0 0 - #close 2016-07-13-16-12-55 diff --git a/testing/btest/Baseline/core.pcap.read-trace-with-filter/conn.log b/testing/btest/Baseline/core.pcap.read-trace-with-filter/conn.log index 1959602389..b9c04a357e 100644 --- a/testing/btest/Baseline/core.pcap.read-trace-with-filter/conn.log +++ b/testing/btest/Baseline/core.pcap.read-trace-with-filter/conn.log @@ -6,5 +6,5 @@ #open 2016-07-13-16-12-56 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] -1300475168.892936 CHhAvVGS1DHFjwGM9 141.142.220.118 50000 208.80.152.3 80 tcp http 0.229603 1148 734 S1 - - 0 ShADad 6 1468 4 950 (empty) +1300475168.892936 CHhAvVGS1DHFjwGM9 141.142.220.118 50000 208.80.152.3 80 tcp http 0.229603 1148 734 S1 - - 0 ShADad 6 1468 4 950 - #close 2016-07-13-16-12-56 diff --git a/testing/btest/Baseline/core.pppoe-over-qinq/conn.log b/testing/btest/Baseline/core.pppoe-over-qinq/conn.log new file mode 100644 index 0000000000..028dd982fb --- /dev/null +++ b/testing/btest/Baseline/core.pppoe-over-qinq/conn.log 
@@ -0,0 +1,10 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path conn +#open 2018-08-01-20-09-03 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents +#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] +1523351398.449222 CHhAvVGS1DHFjwGM9 1.1.1.1 20394 2.2.2.2 443 tcp - 273.626833 11352 4984 SF - - 0 ShADdtaTTFf 44 25283 42 13001 - +#close 2018-08-01-20-09-03 diff --git a/testing/btest/Baseline/core.pppoe/conn.log b/testing/btest/Baseline/core.pppoe/conn.log index e2f4a62533..cb6579e9e2 100644 --- a/testing/btest/Baseline/core.pppoe/conn.log +++ b/testing/btest/Baseline/core.pppoe/conn.log 
@@ -6,11 +6,11 @@ #open 2016-07-13-16-12-57 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] -1284385417.962560 CUM0KZ3MLUfNB0cl11 fe80::ce05:eff:fe88:0 546 ff02::1:2 547 udp - 0.078000 114 0 S0 - - 0 D 2 210 0 0 (empty) -1284385418.014560 CmES5u32sYpV7JYN fe80::c801:eff:fe88:8 547 fe80::ce05:eff:fe88:0 546 udp - 0.096000 192 0 S0 - - 0 D 2 288 0 0 (empty) -1284385411.035560 CHhAvVGS1DHFjwGM9 fe80::c801:eff:fe88:8 143 ff02::16 0 icmp - 0.835000 160 0 OTH - - 0 - 8 608 0 0 (empty) -1284385451.658560 CP5puj4I8PtEU4qzYg fc00:0:2:100::1:1 128 fc00::1 129 icmp - 0.156000 260 260 OTH - - 0 - 5 500 5 500 (empty) -1284385412.963560 C4J4Th3PJpwUYZZ6gc fe80::ce05:eff:fe88:0 133 ff02::2 134 icmp - - - - OTH - - 0 - 1 48 0 0 (empty) -1284385413.027560 CtPZjS20MLrsMUOJi2 fe80::c801:eff:fe88:8 134 fe80::ce05:eff:fe88:0 133 icmp - - - - OTH - - 0 - 1 64 0 0 (empty) -1284385411.091560 ClEkJM2Vm5giqnMf4h fe80::c801:eff:fe88:8 136 ff02::1 135 icmp - - - - OTH - - 0 - 1 64 0 0 (empty) +1284385417.962560 CUM0KZ3MLUfNB0cl11 fe80::ce05:eff:fe88:0 546 ff02::1:2 547 udp - 0.078000 114 0 S0 - - 0 D 2 210 0 0 - +1284385418.014560 CmES5u32sYpV7JYN fe80::c801:eff:fe88:8 547 fe80::ce05:eff:fe88:0 546 udp - 0.096000 192 0 S0 - - 0 D 2 288 0 0 - +1284385411.035560 CHhAvVGS1DHFjwGM9 fe80::c801:eff:fe88:8 143 ff02::16 0 icmp - 0.835000 160 0 OTH - - 0 - 8 608 0 0 - +1284385451.658560 CP5puj4I8PtEU4qzYg fc00:0:2:100::1:1 128 fc00::1 129 icmp - 0.156000 260 260 OTH - - 0 - 5 500 5 500 - +1284385412.963560 C4J4Th3PJpwUYZZ6gc fe80::ce05:eff:fe88:0 133 ff02::2 134 icmp - - - - OTH - - 0 - 1 48 0 0 - +1284385413.027560 CtPZjS20MLrsMUOJi2 fe80::c801:eff:fe88:8 134 fe80::ce05:eff:fe88:0 133 icmp - - - - 
OTH - - 0 - 1 64 0 0 - +1284385411.091560 ClEkJM2Vm5giqnMf4h fe80::c801:eff:fe88:8 136 ff02::1 135 icmp - - - - OTH - - 0 - 1 64 0 0 - #close 2016-07-13-16-12-57 diff --git a/testing/btest/Baseline/core.print-bpf-filters/conn.log b/testing/btest/Baseline/core.print-bpf-filters/conn.log index aa954a972e..e7f8f8714a 100644 --- a/testing/btest/Baseline/core.print-bpf-filters/conn.log +++ b/testing/btest/Baseline/core.print-bpf-filters/conn.log @@ -6,5 +6,5 @@ #open 2016-07-13-16-12-58 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] -1278600802.069419 CHhAvVGS1DHFjwGM9 10.20.80.1 50343 10.0.0.15 80 tcp - 0.004152 9 3429 SF - - 0 ShADadfF 7 381 7 3801 (empty) +1278600802.069419 CHhAvVGS1DHFjwGM9 10.20.80.1 50343 10.0.0.15 80 tcp - 0.004152 9 3429 SF - - 0 ShADadfF 7 381 7 3801 - #close 2016-07-13-16-12-59 diff --git a/testing/btest/Baseline/core.print-bpf-filters/output2 b/testing/btest/Baseline/core.print-bpf-filters/output2 index 53d4189bf7..26a4b5fa85 100644 --- a/testing/btest/Baseline/core.print-bpf-filters/output2 +++ b/testing/btest/Baseline/core.print-bpf-filters/output2 @@ -1,6 +1,7 @@ 2 1080 1 135 1 137 +1 139 1 143 1 1434 1 161 @@ -17,7 +18,9 @@ 1 3306 1 3389 1 3544 +1 4011 2 443 +1 445 1 502 1 5060 1 5072 @@ -51,8 +54,8 @@ 1 992 1 993 1 995 -58 and -57 or -58 port -40 tcp -18 udp +61 and +60 or +61 port +42 tcp +19 udp diff --git a/testing/btest/Baseline/core.q-in-q/conn.log b/testing/btest/Baseline/core.q-in-q/conn.log index 9ef7628b01..84cc55d13d 100644 --- a/testing/btest/Baseline/core.q-in-q/conn.log +++ b/testing/btest/Baseline/core.q-in-q/conn.log 
@@ -6,6 +6,6 @@ #open 2016-07-13-16-13-00 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] -1363900699.548138 CHhAvVGS1DHFjwGM9 172.19.51.37 47808 172.19.51.63 47808 udp - 0.000100 36 0 S0 - - 0 D 2 92 0 0 (empty) -1363900699.549647 ClEkJM2Vm5giqnMf4h 193.1.186.60 9875 224.2.127.254 9875 udp - 0.000139 552 0 S0 - - 0 D 2 608 0 0 (empty) +1363900699.548138 CHhAvVGS1DHFjwGM9 172.19.51.37 47808 172.19.51.63 47808 udp - 0.000100 36 0 S0 - - 0 D 2 92 0 0 - +1363900699.549647 ClEkJM2Vm5giqnMf4h 193.1.186.60 9875 224.2.127.254 9875 udp - 0.000139 552 0 S0 - - 0 D 2 608 0 0 - #close 2016-07-13-16-13-00 diff --git a/testing/btest/Baseline/core.radiotap/conn.log b/testing/btest/Baseline/core.radiotap/conn.log index a8bd4c7591..c88d32480e 100644 --- a/testing/btest/Baseline/core.radiotap/conn.log +++ b/testing/btest/Baseline/core.radiotap/conn.log 
@@ -6,6 +6,6 @@ #open 2016-07-13-16-13-00 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] -1439902891.705224 CHhAvVGS1DHFjwGM9 172.17.156.76 61738 208.67.220.220 53 udp dns 0.041654 35 128 SF - - 0 Dd 1 63 1 156 (empty) -1439903050.580632 ClEkJM2Vm5giqnMf4h fe80::a667:6ff:fef7:ec54 5353 ff02::fb 5353 udp dns - - - S0 - - 0 D 1 328 0 0 (empty) +1439902891.705224 CHhAvVGS1DHFjwGM9 172.17.156.76 61738 208.67.220.220 53 udp dns 0.041654 35 128 SF - - 0 Dd 1 63 1 156 - +1439903050.580632 ClEkJM2Vm5giqnMf4h fe80::a667:6ff:fef7:ec54 5353 ff02::fb 5353 udp dns - - - S0 - - 0 D 1 328 0 0 - #close 2016-07-13-16-13-00 diff --git a/testing/btest/Baseline/core.recursive-event/output b/testing/btest/Baseline/core.recursive-event/output index f599e28b8a..ec635144f6 100644 --- a/testing/btest/Baseline/core.recursive-event/output +++ b/testing/btest/Baseline/core.recursive-event/output @@ -1 +1 @@ -10 +9 diff --git a/testing/btest/Baseline/core.tcp.large-file-reassembly/conn.log b/testing/btest/Baseline/core.tcp.large-file-reassembly/conn.log index 73c860cb67..8da44df913 100644 --- a/testing/btest/Baseline/core.tcp.large-file-reassembly/conn.log +++ b/testing/btest/Baseline/core.tcp.large-file-reassembly/conn.log 
@@ -6,7 +6,7 @@ #open 2016-07-13-16-13-01 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] -1395939406.175845 ClEkJM2Vm5giqnMf4h 192.168.56.1 59763 192.168.56.101 63988 tcp ftp-data 0.001676 0 270 SF - - 0 ShAdfFa 5 272 4 486 (empty) -1395939411.361078 C4J4Th3PJpwUYZZ6gc 192.168.56.1 59764 192.168.56.101 37150 tcp ftp-data 150.496065 0 5416666670 SF - - 4675708816 ShAdfFa 13 688 12 24454 (empty) -1395939399.984671 CHhAvVGS1DHFjwGM9 192.168.56.1 59762 192.168.56.101 21 tcp ftp 169.634297 104 1041 SF - - 0 ShAdDaFf 31 1728 18 1985 (empty) +1395939406.175845 ClEkJM2Vm5giqnMf4h 192.168.56.1 59763 192.168.56.101 63988 tcp ftp-data 0.001676 0 270 SF - - 0 ShAdfFa 5 272 4 486 - +1395939411.361078 C4J4Th3PJpwUYZZ6gc 192.168.56.1 59764 192.168.56.101 37150 tcp ftp-data 150.496065 0 5416666670 SF - - 4675708816 ShAdfFa 13 688 12 24454 - +1395939399.984671 CHhAvVGS1DHFjwGM9 192.168.56.1 59762 192.168.56.101 21 tcp ftp 169.634297 104 1041 SF - - 0 ShAdDaFf 31 1728 18 1985 - #close 2016-07-13-16-13-01 diff --git a/testing/btest/Baseline/core.tcp.miss-end-data/conn.log b/testing/btest/Baseline/core.tcp.miss-end-data/conn.log index 048065166c..b33aec3366 100644 --- a/testing/btest/Baseline/core.tcp.miss-end-data/conn.log +++ b/testing/btest/Baseline/core.tcp.miss-end-data/conn.log 
@@ -6,5 +6,5 @@ #open 2016-07-13-16-13-02 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] -1331764471.664131 CHhAvVGS1DHFjwGM9 192.168.122.230 60648 77.238.160.184 80 tcp http 10.048360 538 2902 SF - - 2902 ShADafF 5 750 4 172 (empty) +1331764471.664131 CHhAvVGS1DHFjwGM9 192.168.122.230 60648 77.238.160.184 80 tcp http 10.048360 538 2902 SF - - 2902 ShADafF 5 750 4 172 - #close 2016-07-13-16-13-02 diff --git a/testing/btest/Baseline/core.tcp.missing-syn/conn.log b/testing/btest/Baseline/core.tcp.missing-syn/conn.log index ca1f61216f..4832f83bfe 100644 --- a/testing/btest/Baseline/core.tcp.missing-syn/conn.log +++ b/testing/btest/Baseline/core.tcp.missing-syn/conn.log @@ -6,5 +6,5 @@ #open 2016-07-13-17-58-31 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] -1128727435.633408 CHhAvVGS1DHFjwGM9 141.42.64.125 56730 125.190.109.199 80 tcp http 1.550793 98 9417 SF - - 0 ^hADdFaf 11 670 10 9945 (empty) +1128727435.633408 CHhAvVGS1DHFjwGM9 141.42.64.125 56730 125.190.109.199 80 tcp http 1.550793 98 9417 SF - - 0 ^hADdFaf 11 670 10 9945 - #close 2016-07-13-17-58-31 diff --git a/testing/btest/Baseline/core.tcp.rxmit-history/conn-1.log b/testing/btest/Baseline/core.tcp.rxmit-history/conn-1.log index f8ffb3ad74..43daf101a3 100644 --- a/testing/btest/Baseline/core.tcp.rxmit-history/conn-1.log +++ b/testing/btest/Baseline/core.tcp.rxmit-history/conn-1.log 
@@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path conn -#open 2016-07-13-16-13-02 +#open 2018-01-12-21-43-34 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] -1285862902.700271 CHhAvVGS1DHFjwGM9 10.0.88.85 50368 192.168.0.27 80 tcp - 60.991770 474 23783 RSTO - - 24257 ShADadtR 17 1250 22 28961 (empty) -#close 2016-07-13-16-13-03 +1285862902.700271 CHhAvVGS1DHFjwGM9 10.0.88.85 50368 192.168.0.27 80 tcp - 60.991770 474 23783 RSTO - - 24257 ShADadtR 17 1250 22 28961 - +#close 2018-01-12-21-43-34 diff --git a/testing/btest/Baseline/core.tcp.rxmit-history/conn-2.log b/testing/btest/Baseline/core.tcp.rxmit-history/conn-2.log index 73ec0e6fad..22d4ec3ab9 100644 --- a/testing/btest/Baseline/core.tcp.rxmit-history/conn-2.log +++ b/testing/btest/Baseline/core.tcp.rxmit-history/conn-2.log 
@@ -3,41 +3,41 @@ #empty_field (empty) #unset_field - #path conn -#open 2016-07-13-16-13-03 +#open 2018-01-12-21-43-35 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] -1300475167.096535 CHhAvVGS1DHFjwGM9 141.142.220.202 5353 224.0.0.251 5353 udp dns - - - S0 - - 0 D 1 73 0 0 (empty) -1300475167.097012 ClEkJM2Vm5giqnMf4h fe80::217:f2ff:fed7:cf65 5353 ff02::fb 5353 udp dns - - - S0 - - 0 D 1 199 0 0 (empty) -1300475167.099816 C4J4Th3PJpwUYZZ6gc 141.142.220.50 5353 224.0.0.251 5353 udp dns - - - S0 - - 0 D 1 179 0 0 (empty) -1300475168.853899 CmES5u32sYpV7JYN 141.142.220.118 43927 141.142.2.2 53 udp dns 0.000435 38 89 SF - - 0 Dd 1 66 1 117 (empty) -1300475168.854378 CP5puj4I8PtEU4qzYg 141.142.220.118 37676 141.142.2.2 53 udp dns 0.000420 52 99 SF - - 0 Dd 1 80 1 127 (empty) -1300475168.854837 C37jN32gN3y3AZzyf6 141.142.220.118 40526 141.142.2.2 53 udp dns 0.000392 38 183 SF - - 0 Dd 1 66 1 211 (empty) -1300475168.857956 C0LAHyvtKSQHyJxIl 141.142.220.118 32902 141.142.2.2 53 udp dns 0.000317 38 89 SF - - 0 Dd 1 66 1 117 (empty) -1300475168.858306 CFLRIC3zaTU1loLGxh 141.142.220.118 59816 141.142.2.2 53 udp dns 0.000343 52 99 SF - - 0 Dd 1 80 1 127 (empty) -1300475168.858713 C9rXSW3KSpTYvPrlI1 141.142.220.118 59714 141.142.2.2 53 udp dns 0.000375 38 183 SF - - 0 Dd 1 66 1 211 (empty) -1300475168.891644 C9mvWx3ezztgzcexV7 141.142.220.118 58206 141.142.2.2 53 udp dns 0.000339 38 89 SF - - 0 Dd 1 66 1 117 (empty) -1300475168.892037 CNnMIj2QSd84NKf7U3 141.142.220.118 38911 141.142.2.2 53 udp dns 0.000335 52 99 SF - - 0 Dd 1 80 1 127 (empty) -1300475168.892414 C7fIlMZDuRiqjpYbb 141.142.220.118 59746 141.142.2.2 53 udp dns 0.000421 38 183 SF - - 0 Dd 1 66 1 211 (empty) 
-1300475168.893988 CpmdRlaUoJLN3uIRa 141.142.220.118 45000 141.142.2.2 53 udp dns 0.000384 38 89 SF - - 0 Dd 1 66 1 117 (empty) -1300475168.894422 C1Xkzz2MaGtLrc1Tla 141.142.220.118 48479 141.142.2.2 53 udp dns 0.000317 52 99 SF - - 0 Dd 1 80 1 127 (empty) -1300475168.894787 CqlVyW1YwZ15RhTBc4 141.142.220.118 48128 141.142.2.2 53 udp dns 0.000423 38 183 SF - - 0 Dd 1 66 1 211 (empty) -1300475168.901749 CBA8792iHmnhPLksKa 141.142.220.118 56056 141.142.2.2 53 udp dns 0.000402 36 131 SF - - 0 Dd 1 64 1 159 (empty) -1300475168.902195 CGLPPc35OzDQij1XX8 141.142.220.118 55092 141.142.2.2 53 udp dns 0.000374 36 198 SF - - 0 Dd 1 64 1 226 (empty) -1300475169.899438 Cipfzj1BEnhejw8cGf 141.142.220.44 5353 224.0.0.251 5353 udp dns - - - S0 - - 0 D 1 85 0 0 (empty) -1300475170.862384 CV5WJ42jPYbNW9JNWf 141.142.220.226 137 141.142.220.255 137 udp dns 2.613017 350 0 S0 - - 0 D 7 546 0 0 (empty) -1300475171.675372 CPhDKt12KQPUVbQz06 fe80::3074:17d5:2052:c324 65373 ff02::1:3 5355 udp dns 0.100096 66 0 S0 - - 0 D 2 162 0 0 (empty) -1300475171.677081 CAnFrb2Cvxr5T7quOc 141.142.220.226 55131 224.0.0.252 5355 udp dns 0.100021 66 0 S0 - - 0 D 2 122 0 0 (empty) -1300475173.116749 C8rquZ3DjgNW06JGLl fe80::3074:17d5:2052:c324 54213 ff02::1:3 5355 udp dns 0.099801 66 0 S0 - - 0 D 2 162 0 0 (empty) -1300475173.117362 CzrZOtXqhwwndQva3 141.142.220.226 55671 224.0.0.252 5355 udp dns 0.099849 66 0 S0 - - 0 D 2 122 0 0 (empty) -1300475173.153679 CaGCc13FffXe6RkQl9 141.142.220.238 56641 141.142.220.255 137 udp dns - - - S0 - - 0 D 1 78 0 0 (empty) -1300475169.780331 CFSwNi4CNGxcuffo49 141.142.220.235 6705 173.192.163.128 80 tcp - - - - OTH - - 0 ^h 0 0 1 48 (empty) -1300475168.892913 CykQaM33ztNt0csB9a 141.142.220.118 49999 208.80.152.3 80 tcp http 0.220961 1137 733 S1 - - 0 ShADad 6 1457 4 949 (empty) -1300475168.724007 CUM0KZ3MLUfNB0cl11 141.142.220.118 48649 208.80.152.118 80 tcp http 0.119905 525 232 S1 - - 0 ShADad 4 741 3 396 (empty) -1300475168.855330 CwjjYJ2WqgTbAqiHl6 141.142.220.118 
49997 208.80.152.3 80 tcp http 0.219720 1125 734 S1 - - 0 ShADad 6 1445 4 950 (empty) -1300475168.855305 C3eiCBGOLw3VtHfOj 141.142.220.118 49996 208.80.152.3 80 tcp http 0.218501 1171 733 S1 - - 0 ShADad 6 1491 4 949 (empty) -1300475168.652003 CtPZjS20MLrsMUOJi2 141.142.220.118 35634 208.80.152.2 80 tcp - 0.061329 463 350 OTH - - 0 DdA 2 567 1 402 (empty) -1300475168.902635 CiyBAq1bBLNaTiTAc 141.142.220.118 35642 208.80.152.2 80 tcp http 0.120041 534 412 S1 - - 0 ShADad 4 750 3 576 (empty) -1300475168.859163 Ck51lg1bScffFj34Ri 141.142.220.118 49998 208.80.152.3 80 tcp http 0.215893 1130 734 S1 - - 0 ShADad 6 1450 4 950 (empty) -1300475168.892936 CtxTCR2Yer0FR1tIBg 141.142.220.118 50000 208.80.152.3 80 tcp http 0.229603 1148 734 S1 - - 0 ShADad 6 1468 4 950 (empty) -1300475168.895267 CLNN1k2QMum1aexUK7 141.142.220.118 50001 208.80.152.3 80 tcp http 0.227284 1178 734 S1 - - 0 ShADad 6 1498 4 950 (empty) -#close 2016-07-13-16-13-03 +1300475167.096535 CHhAvVGS1DHFjwGM9 141.142.220.202 5353 224.0.0.251 5353 udp dns - - - S0 - - 0 D 1 73 0 0 - +1300475167.097012 ClEkJM2Vm5giqnMf4h fe80::217:f2ff:fed7:cf65 5353 ff02::fb 5353 udp dns - - - S0 - - 0 D 1 199 0 0 - +1300475167.099816 C4J4Th3PJpwUYZZ6gc 141.142.220.50 5353 224.0.0.251 5353 udp dns - - - S0 - - 0 D 1 179 0 0 - +1300475168.853899 CmES5u32sYpV7JYN 141.142.220.118 43927 141.142.2.2 53 udp dns 0.000435 38 89 SF - - 0 Dd 1 66 1 117 - +1300475168.854378 CP5puj4I8PtEU4qzYg 141.142.220.118 37676 141.142.2.2 53 udp dns 0.000420 52 99 SF - - 0 Dd 1 80 1 127 - +1300475168.854837 C37jN32gN3y3AZzyf6 141.142.220.118 40526 141.142.2.2 53 udp dns 0.000392 38 183 SF - - 0 Dd 1 66 1 211 - +1300475168.857956 C0LAHyvtKSQHyJxIl 141.142.220.118 32902 141.142.2.2 53 udp dns 0.000317 38 89 SF - - 0 Dd 1 66 1 117 - +1300475168.858306 CFLRIC3zaTU1loLGxh 141.142.220.118 59816 141.142.2.2 53 udp dns 0.000343 52 99 SF - - 0 Dd 1 80 1 127 - +1300475168.858713 C9rXSW3KSpTYvPrlI1 141.142.220.118 59714 141.142.2.2 53 udp dns 0.000375 38 183 SF 
- - 0 Dd 1 66 1 211 - +1300475168.891644 C9mvWx3ezztgzcexV7 141.142.220.118 58206 141.142.2.2 53 udp dns 0.000339 38 89 SF - - 0 Dd 1 66 1 117 - +1300475168.892037 CNnMIj2QSd84NKf7U3 141.142.220.118 38911 141.142.2.2 53 udp dns 0.000335 52 99 SF - - 0 Dd 1 80 1 127 - +1300475168.892414 C7fIlMZDuRiqjpYbb 141.142.220.118 59746 141.142.2.2 53 udp dns 0.000421 38 183 SF - - 0 Dd 1 66 1 211 - +1300475168.893988 CpmdRlaUoJLN3uIRa 141.142.220.118 45000 141.142.2.2 53 udp dns 0.000384 38 89 SF - - 0 Dd 1 66 1 117 - +1300475168.894422 C1Xkzz2MaGtLrc1Tla 141.142.220.118 48479 141.142.2.2 53 udp dns 0.000317 52 99 SF - - 0 Dd 1 80 1 127 - +1300475168.894787 CqlVyW1YwZ15RhTBc4 141.142.220.118 48128 141.142.2.2 53 udp dns 0.000423 38 183 SF - - 0 Dd 1 66 1 211 - +1300475168.901749 CBA8792iHmnhPLksKa 141.142.220.118 56056 141.142.2.2 53 udp dns 0.000402 36 131 SF - - 0 Dd 1 64 1 159 - +1300475168.902195 CGLPPc35OzDQij1XX8 141.142.220.118 55092 141.142.2.2 53 udp dns 0.000374 36 198 SF - - 0 Dd 1 64 1 226 - +1300475169.899438 Cipfzj1BEnhejw8cGf 141.142.220.44 5353 224.0.0.251 5353 udp dns - - - S0 - - 0 D 1 85 0 0 - +1300475170.862384 CV5WJ42jPYbNW9JNWf 141.142.220.226 137 141.142.220.255 137 udp dns 2.613017 350 0 S0 - - 0 D 7 546 0 0 - +1300475171.675372 CPhDKt12KQPUVbQz06 fe80::3074:17d5:2052:c324 65373 ff02::1:3 5355 udp dns 0.100096 66 0 S0 - - 0 D 2 162 0 0 - +1300475171.677081 CAnFrb2Cvxr5T7quOc 141.142.220.226 55131 224.0.0.252 5355 udp dns 0.100021 66 0 S0 - - 0 D 2 122 0 0 - +1300475173.116749 C8rquZ3DjgNW06JGLl fe80::3074:17d5:2052:c324 54213 ff02::1:3 5355 udp dns 0.099801 66 0 S0 - - 0 D 2 162 0 0 - +1300475173.117362 CzrZOtXqhwwndQva3 141.142.220.226 55671 224.0.0.252 5355 udp dns 0.099849 66 0 S0 - - 0 D 2 122 0 0 - +1300475173.153679 CaGCc13FffXe6RkQl9 141.142.220.238 56641 141.142.220.255 137 udp dns - - - S0 - - 0 D 1 78 0 0 - +1300475169.780331 CFSwNi4CNGxcuffo49 141.142.220.235 6705 173.192.163.128 80 tcp - - - - OTH - - 0 ^h 0 0 1 48 - +1300475168.892913 
CykQaM33ztNt0csB9a 141.142.220.118 49999 208.80.152.3 80 tcp http 0.220961 1137 733 S1 - - 0 ShADad 6 1457 4 949 - +1300475168.724007 CUM0KZ3MLUfNB0cl11 141.142.220.118 48649 208.80.152.118 80 tcp http 0.119905 525 232 S1 - - 0 ShADad 4 741 3 396 - +1300475168.855330 CwjjYJ2WqgTbAqiHl6 141.142.220.118 49997 208.80.152.3 80 tcp http 0.219720 1125 734 S1 - - 0 ShADad 6 1445 4 950 - +1300475168.855305 C3eiCBGOLw3VtHfOj 141.142.220.118 49996 208.80.152.3 80 tcp http 0.218501 1171 733 S1 - - 0 ShADad 6 1491 4 949 - +1300475168.652003 CtPZjS20MLrsMUOJi2 141.142.220.118 35634 208.80.152.2 80 tcp - 0.061329 463 350 OTH - - 0 DdA 2 567 1 402 - +1300475168.902635 CiyBAq1bBLNaTiTAc 141.142.220.118 35642 208.80.152.2 80 tcp http 0.120041 534 412 S1 - - 0 ShADad 4 750 3 576 - +1300475168.859163 Ck51lg1bScffFj34Ri 141.142.220.118 49998 208.80.152.3 80 tcp http 0.215893 1130 734 S1 - - 0 ShADad 6 1450 4 950 - +1300475168.892936 CtxTCR2Yer0FR1tIBg 141.142.220.118 50000 208.80.152.3 80 tcp http 0.229603 1148 734 S1 - - 0 ShADad 6 1468 4 950 - +1300475168.895267 CLNN1k2QMum1aexUK7 141.142.220.118 50001 208.80.152.3 80 tcp http 0.227284 1178 734 S1 - - 0 ShADad 6 1498 4 950 - +#close 2018-01-12-21-43-35 diff --git a/testing/btest/Baseline/core.truncation/output b/testing/btest/Baseline/core.truncation/output index 678a886c44..85acc259ff 100644 --- a/testing/btest/Baseline/core.truncation/output +++ b/testing/btest/Baseline/core.truncation/output 
@@ -3,48 +3,78 @@ #empty_field (empty) #unset_field - #path weird -#open 2015-08-31-21-35-27 +#open 2017-10-19-17-18-27 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer #types time string addr port addr port string string bool string 1334160095.895421 - - - - - truncated_IP - F bro -#close 2015-08-31-21-35-27 +#close 2017-10-19-17-18-28 #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2015-08-31-21-35-27 +#open 2017-10-19-17-18-29 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer #types time string addr port addr port string string bool string 1334156241.519125 - - - - - truncated_IP - F bro -#close 2015-08-31-21-35-27 +#close 2017-10-19-17-18-30 #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2015-08-31-21-35-28 +#open 2017-10-19-17-18-32 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer #types time string addr port addr port string string bool string 1334094648.590126 - - - - - truncated_IP - F bro -#close 2015-08-31-21-35-28 +#close 2017-10-19-17-18-32 #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2015-08-31-21-35-30 +#open 2017-10-19-17-18-36 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer #types time string addr port addr port string string bool string 1338328954.078361 - - - - - internally_truncated_header - F bro -#close 2015-08-31-21-35-30 +#close 2017-10-19-17-18-36 #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path weird -#open 2015-08-31-21-35-30 +#open 2017-10-19-17-18-37 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer #types time string addr port addr port string string bool string 0.000000 - - - - - truncated_link_header - F bro -#close 2015-08-31-21-35-30 +#close 2017-10-19-17-18-38 +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path weird 
+#open 2017-10-19-17-18-39 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer +#types time string addr port addr port string string bool string +1508360735.834163 - 163.253.48.183 0 192.150.187.43 0 invalid_IP_header_size - F bro +#close 2017-10-19-17-18-40 +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path weird +#open 2017-10-19-17-18-41 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer +#types time string addr port addr port string string bool string +1508360735.834163 - 163.253.48.183 0 192.150.187.43 0 internally_truncated_header - F bro +#close 2017-10-19-17-18-42 +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path weird +#open 2017-10-19-17-18-43 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer +#types time string addr port addr port string string bool string +1500557630.000000 - 0.255.0.255 0 15.254.2.1 0 invalid_IP_header_size_in_tunnel - F bro +#close 2017-10-19-17-18-44 diff --git a/testing/btest/Baseline/core.tunnels.ayiya/conn.log b/testing/btest/Baseline/core.tunnels.ayiya/conn.log index d50978e86d..662918b83a 100644 --- a/testing/btest/Baseline/core.tunnels.ayiya/conn.log +++ b/testing/btest/Baseline/core.tunnels.ayiya/conn.log 
@@ -7,8 +7,8 @@ #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] 1257655301.595604 C37jN32gN3y3AZzyf6 2001:4978:f:4c::2 53382 2001:4860:b002::68 80 tcp http 2.101052 2981 4665 S1 - - 0 ShADad 10 3605 11 5329 C4J4Th3PJpwUYZZ6gc -1257655296.585034 C4J4Th3PJpwUYZZ6gc 192.168.3.101 53859 216.14.98.22 5072 udp ayiya 20.879001 5129 6109 SF - - 0 Dd 21 5717 13 6473 (empty) -1257655293.629048 CHhAvVGS1DHFjwGM9 192.168.3.101 53796 216.14.98.22 5072 udp ayiya - - - SHR - - 0 ^d 0 0 1 176 (empty) +1257655296.585034 C4J4Th3PJpwUYZZ6gc 192.168.3.101 53859 216.14.98.22 5072 udp ayiya 20.879001 5129 6109 SF - - 0 Dd 21 5717 13 6473 - +1257655293.629048 CHhAvVGS1DHFjwGM9 192.168.3.101 53796 216.14.98.22 5072 udp ayiya - - - SHR - - 0 ^d 0 0 1 176 - 1257655296.585333 CP5puj4I8PtEU4qzYg :: 135 ff02::1:ff00:2 136 icmp - - - - OTH - - 0 - 1 64 0 0 C4J4Th3PJpwUYZZ6gc 1257655296.585151 CUM0KZ3MLUfNB0cl11 fe80::216:cbff:fe9a:4cb9 131 ff02::2:f901:d225 130 icmp - 0.719947 32 0 OTH - - 0 - 2 144 0 0 C4J4Th3PJpwUYZZ6gc 1257655296.585034 CtPZjS20MLrsMUOJi2 fe80::216:cbff:fe9a:4cb9 131 ff02::1:ff9a:4cb9 130 icmp - 4.922880 32 0 OTH - - 0 - 2 144 0 0 C4J4Th3PJpwUYZZ6gc diff --git a/testing/btest/Baseline/core.tunnels.gre-pptp/conn.log b/testing/btest/Baseline/core.tunnels.gre-pptp/conn.log new file mode 100644 index 0000000000..20c0dc7317 --- /dev/null +++ b/testing/btest/Baseline/core.tunnels.gre-pptp/conn.log 
@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path conn
+#open 2018-08-14-21-42-31
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
+#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string]
+1417577703.821897 C4J4Th3PJpwUYZZ6gc 172.16.44.3 40768 8.8.8.8 53 udp dns 0.213894 71 146 SF - - 0 Dd 1 99 1 174 ClEkJM2Vm5giqnMf4h
+#close 2018-08-14-21-42-31
diff --git a/testing/btest/Baseline/core.tunnels.gre-pptp/dns.log b/testing/btest/Baseline/core.tunnels.gre-pptp/dns.log
new file mode 100644
index 0000000000..01875c2ff9
--- /dev/null
+++ b/testing/btest/Baseline/core.tunnels.gre-pptp/dns.log
@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path dns
+#open 2018-08-14-21-42-31
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected
+#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool
+1417577703.821897 C4J4Th3PJpwUYZZ6gc 172.16.44.3 40768 8.8.8.8 53 udp 42540 - xqt-detect-mode2-97712e88-167a-45b9-93ee-913140e76678 1 C_INTERNET 28 AAAA 3 NXDOMAIN F F T F 0 - - F
+#close 2018-08-14-21-42-31
diff --git a/testing/btest/Baseline/core.tunnels.gre-pptp/tunnel.log b/testing/btest/Baseline/core.tunnels.gre-pptp/tunnel.log
new file mode 100644
index 0000000000..780ea33f59
--- /dev/null
+++ b/testing/btest/Baseline/core.tunnels.gre-pptp/tunnel.log
@@ -0,0 +1,11 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path tunnel +#open 2018-08-14-21-42-31 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p tunnel_type action +#types time string addr port addr port enum enum +1417577703.821897 CHhAvVGS1DHFjwGM9 2402:f000:1:8e01::5555 0 2607:fcd0:100:2300::b108:2a6b 0 Tunnel::IP Tunnel::DISCOVER +1417577703.821897 ClEkJM2Vm5giqnMf4h 16.0.0.200 0 192.52.166.154 0 Tunnel::GRE Tunnel::DISCOVER +#close 2018-08-14-21-42-31 diff --git a/testing/btest/Baseline/core.tunnels.gre/ssh.log b/testing/btest/Baseline/core.tunnels.gre/ssh.log index a3f6d0d738..7ffd15a845 100644 --- a/testing/btest/Baseline/core.tunnels.gre/ssh.log +++ b/testing/btest/Baseline/core.tunnels.gre/ssh.log @@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path ssh -#open 2016-10-13-19-54-38 +#open 2017-08-01-16-46-22 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version auth_success auth_attempts direction client server cipher_alg mac_alg compression_alg kex_alg host_key_alg host_key #types time string addr port addr port count bool count enum string string string string string string string string -1055289978.855137 CtPZjS20MLrsMUOJi2 66.59.111.190 40264 172.28.2.3 22 2 - - - SSH-2.0-OpenSSH_3.6.1p1 SSH-1.99-OpenSSH_3.1p1 aes128-cbc hmac-md5 none diffie-hellman-group-exchange-sha1 ssh-rsa 20:7c:e5:96:b0:4e:ce:a4:db:e4:aa:29:e8:90:98:07 -#close 2016-10-13-19-54-38 +1055289978.855137 CtPZjS20MLrsMUOJi2 66.59.111.190 40264 172.28.2.3 22 2 - 0 - SSH-2.0-OpenSSH_3.6.1p1 SSH-1.99-OpenSSH_3.1p1 aes128-cbc hmac-md5 none diffie-hellman-group-exchange-sha1 ssh-rsa 20:7c:e5:96:b0:4e:ce:a4:db:e4:aa:29:e8:90:98:07 +#close 2017-08-01-16-46-22 diff --git a/testing/btest/Baseline/core.tunnels.gtp.different_dl_and_ul/conn.log b/testing/btest/Baseline/core.tunnels.gtp.different_dl_and_ul/conn.log index a6e8235233..ce137763d0 100644 --- a/testing/btest/Baseline/core.tunnels.gtp.different_dl_and_ul/conn.log 
+++ b/testing/btest/Baseline/core.tunnels.gtp.different_dl_and_ul/conn.log @@ -7,6 +7,6 @@ #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] 1333458850.321642 ClEkJM2Vm5giqnMf4h 10.131.17.170 51803 173.199.115.168 80 tcp http 0.257902 1138 63424 S3 - - 0 ShADadf 29 2310 49 65396 CHhAvVGS1DHFjwGM9,C4J4Th3PJpwUYZZ6gc -1333458850.321642 CHhAvVGS1DHFjwGM9 167.55.105.244 5906 207.233.125.40 2152 udp gtpv1 0.257902 2542 0 S0 - - 0 D 29 3354 0 0 (empty) -1333458850.325787 C4J4Th3PJpwUYZZ6gc 207.233.125.40 2152 167.55.105.244 2152 udp gtpv1 0.251127 65788 0 S0 - - 0 D 49 67160 0 0 (empty) +1333458850.321642 CHhAvVGS1DHFjwGM9 167.55.105.244 5906 207.233.125.40 2152 udp gtpv1 0.257902 2542 0 S0 - - 0 D 29 3354 0 0 - +1333458850.325787 C4J4Th3PJpwUYZZ6gc 207.233.125.40 2152 167.55.105.244 2152 udp gtpv1 0.251127 65788 0 S0 - - 0 D 49 67160 0 0 - #close 2016-07-13-16-13-06 diff --git a/testing/btest/Baseline/core.tunnels.gtp.false_gtp/conn.log b/testing/btest/Baseline/core.tunnels.gtp.false_gtp/conn.log index 7917700127..fa2c080c7a 100644 --- a/testing/btest/Baseline/core.tunnels.gtp.false_gtp/conn.log +++ b/testing/btest/Baseline/core.tunnels.gtp.false_gtp/conn.log 
@@ -6,5 +6,5 @@ #open 2016-07-13-16-13-07 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] -1333458871.219794 CHhAvVGS1DHFjwGM9 10.131.24.6 2152 195.178.38.3 53 udp dns - - - S0 - - 0 D 1 64 0 0 (empty) +1333458871.219794 CHhAvVGS1DHFjwGM9 10.131.24.6 2152 195.178.38.3 53 udp dns - - - S0 - - 0 D 1 64 0 0 - #close 2016-07-13-16-13-07 diff --git a/testing/btest/Baseline/core.tunnels.gtp.inner_ipv6/conn.log b/testing/btest/Baseline/core.tunnels.gtp.inner_ipv6/conn.log index 7fd6ec6835..9f8d866fbb 100644 --- a/testing/btest/Baseline/core.tunnels.gtp.inner_ipv6/conn.log +++ b/testing/btest/Baseline/core.tunnels.gtp.inner_ipv6/conn.log @@ -7,6 +7,6 @@ #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] 1333458851.770000 ClEkJM2Vm5giqnMf4h fe80::224c:4fff:fe43:414c 1234 ff02::1:3 5355 udp dns - - - S0 - - 0 D 1 80 0 0 CHhAvVGS1DHFjwGM9 -1333458851.770000 CHhAvVGS1DHFjwGM9 118.92.124.41 2152 118.92.124.72 2152 udp gtpv1 0.199236 152 0 S0 - - 0 D 2 208 0 0 (empty) +1333458851.770000 CHhAvVGS1DHFjwGM9 118.92.124.41 2152 118.92.124.72 2152 udp gtpv1 0.199236 152 0 S0 - - 0 D 2 208 0 0 - 1333458851.969236 C4J4Th3PJpwUYZZ6gc fe80::224c:4fff:fe43:414c 133 ff02::2 134 icmp - - - - OTH - - 0 - 1 56 0 0 CHhAvVGS1DHFjwGM9 #close 2016-07-13-16-13-08 
diff --git a/testing/btest/Baseline/core.tunnels.gtp.inner_teredo/conn.log b/testing/btest/Baseline/core.tunnels.gtp.inner_teredo/conn.log index 12fc4e0e0c..53ab0420a6 100644 --- a/testing/btest/Baseline/core.tunnels.gtp.inner_teredo/conn.log +++ b/testing/btest/Baseline/core.tunnels.gtp.inner_teredo/conn.log 
@@ -10,17 +10,17 @@ 1333458850.035456 C0LAHyvtKSQHyJxIl 172.27.159.9 63912 94.245.121.253 3544 udp teredo - - - S0 - - 0 D 1 89 0 0 CwjjYJ2WqgTbAqiHl6 1333458850.029783 C37jN32gN3y3AZzyf6 172.24.16.67 52298 65.55.158.118 3544 udp teredo - - - S0 - - 0 D 1 88 0 0 CmES5u32sYpV7JYN 1333458850.040098 C7fIlMZDuRiqjpYbb 172.24.203.81 54447 65.55.158.118 3544 udp teredo 0.003698 120 0 S0 - - 0 D 2 176 0 0 CNnMIj2QSd84NKf7U3 -1333458850.037956 Ck51lg1bScffFj34Ri 190.104.181.57 2152 190.104.181.222 2152 udp gtpv1 - - - S0 - - 0 D 1 120 0 0 (empty) +1333458850.037956 Ck51lg1bScffFj34Ri 190.104.181.57 2152 190.104.181.222 2152 udp gtpv1 - - - S0 - - 0 D 1 120 0 0 - 1333458850.035460 C9rXSW3KSpTYvPrlI1 172.27.159.9 63912 94.245.121.254 3544 udp teredo - - - S0 - - 0 D 1 89 0 0 CwjjYJ2WqgTbAqiHl6 -1333458850.040098 CNnMIj2QSd84NKf7U3 174.94.190.229 2152 190.104.181.57 2152 udp gtpv1 0.003698 192 0 S0 - - 0 D 2 248 0 0 (empty) -1333458850.035456 CwjjYJ2WqgTbAqiHl6 190.104.181.210 2152 190.104.181.125 2152 udp gtpv1 0.000004 194 0 S0 - - 0 D 2 250 0 0 (empty) +1333458850.040098 CNnMIj2QSd84NKf7U3 174.94.190.229 2152 190.104.181.57 2152 udp gtpv1 0.003698 192 0 S0 - - 0 D 2 248 0 0 - +1333458850.035456 CwjjYJ2WqgTbAqiHl6 190.104.181.210 2152 190.104.181.125 2152 udp gtpv1 0.000004 194 0 S0 - - 0 D 2 250 0 0 - 1333458850.029781 CP5puj4I8PtEU4qzYg 172.24.16.67 52298 94.245.121.253 3544 udp teredo - - - S0 - - 0 D 1 88 0 0 CmES5u32sYpV7JYN 1333458850.032887 C3eiCBGOLw3VtHfOj 10.131.42.160 62069 94.245.121.253 3544 udp teredo - - - SHR - - 0 ^d 0 0 1 84 C4J4Th3PJpwUYZZ6gc 1333458850.037956 C9mvWx3ezztgzcexV7 10.131.112.102 51403 94.245.121.253 3544 udp teredo - - - SHR - - 0 ^d 0 0 1 84 Ck51lg1bScffFj34Ri -1333458850.014199 CHhAvVGS1DHFjwGM9 174.94.190.213 2152 190.104.181.57 2152 udp gtpv1 - - - S0 - - 0 D 1 124 0 0 (empty) -1333458850.016620 C4J4Th3PJpwUYZZ6gc 174.94.190.229 2152 190.104.181.62 2152 udp gtpv1 0.016267 88 92 SF - - 0 Dd 1 116 1 120 (empty) +1333458850.014199 
CHhAvVGS1DHFjwGM9 174.94.190.213 2152 190.104.181.57 2152 udp gtpv1 - - - S0 - - 0 D 1 124 0 0 - +1333458850.016620 C4J4Th3PJpwUYZZ6gc 174.94.190.229 2152 190.104.181.62 2152 udp gtpv1 0.016267 88 92 SF - - 0 Dd 1 116 1 120 - 1333458850.016620 CtPZjS20MLrsMUOJi2 172.24.16.121 61901 94.245.121.251 3544 udp teredo - - - S0 - - 0 D 1 80 0 0 C4J4Th3PJpwUYZZ6gc -1333458850.029781 CmES5u32sYpV7JYN 190.104.181.254 2152 190.104.181.62 2152 udp gtpv1 0.000002 192 0 S0 - - 0 D 2 248 0 0 (empty) +1333458850.029781 CmES5u32sYpV7JYN 190.104.181.254 2152 190.104.181.62 2152 udp gtpv1 0.000002 192 0 S0 - - 0 D 2 248 0 0 - 1333458850.016620 CUM0KZ3MLUfNB0cl11 2001:0:5ef5:79fb:38b8:1695:2b37:be8e 128 2002:2571:c817::2571:c817 129 icmp - - - - OTH - - 0 - 1 52 0 0 CtPZjS20MLrsMUOJi2 1333458850.035456 CFLRIC3zaTU1loLGxh fe80::ffff:ffff:fffe 133 ff02::2 134 icmp - 0.000004 0 0 OTH - - 0 - 2 96 0 0 C9rXSW3KSpTYvPrlI1,C0LAHyvtKSQHyJxIl #close 2016-07-13-16-13-08 diff --git a/testing/btest/Baseline/core.tunnels.gtp.not_user_plane_data/conn.log b/testing/btest/Baseline/core.tunnels.gtp.not_user_plane_data/conn.log index a25cc10a18..151b7a135b 100644 --- a/testing/btest/Baseline/core.tunnels.gtp.not_user_plane_data/conn.log +++ b/testing/btest/Baseline/core.tunnels.gtp.not_user_plane_data/conn.log 
@@ -6,6 +6,6 @@ #open 2016-07-13-16-13-09 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] -1333458850.867091 ClEkJM2Vm5giqnMf4h 247.56.43.214 2152 237.56.101.238 2152 udp - 0.028676 12 14 SF - - 0 Dd 1 40 1 42 (empty) -1333458850.532814 CHhAvVGS1DHFjwGM9 247.56.43.90 2152 247.56.43.248 2152 udp - - - - S0 - - 0 D 1 52 0 0 (empty) +1333458850.867091 ClEkJM2Vm5giqnMf4h 247.56.43.214 2152 237.56.101.238 2152 udp - 0.028676 12 14 SF - - 0 Dd 1 40 1 42 - +1333458850.532814 CHhAvVGS1DHFjwGM9 247.56.43.90 2152 247.56.43.248 2152 udp - - - - S0 - - 0 D 1 52 0 0 - #close 2016-07-13-16-13-09 diff --git a/testing/btest/Baseline/core.tunnels.gtp.opt_header/conn.log b/testing/btest/Baseline/core.tunnels.gtp.opt_header/conn.log index ea885d6a5f..1a0e4515cb 100644 --- a/testing/btest/Baseline/core.tunnels.gtp.opt_header/conn.log +++ b/testing/btest/Baseline/core.tunnels.gtp.opt_header/conn.log 
@@ -7,5 +7,5 @@ #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] 1333458852.011535 ClEkJM2Vm5giqnMf4h 10.222.10.10 44960 173.194.69.188 5228 tcp ssl 0.573499 704 1026 S1 - - 0 ShADad 17 1604 14 1762 CHhAvVGS1DHFjwGM9 -1333458852.011535 CHhAvVGS1DHFjwGM9 79.188.154.91 2152 243.149.173.198 2152 udp gtpv1 0.573499 1740 1930 SF - - 0 Dd 17 2216 14 2322 (empty) +1333458852.011535 CHhAvVGS1DHFjwGM9 79.188.154.91 2152 243.149.173.198 2152 udp gtpv1 0.573499 1740 1930 SF - - 0 Dd 17 2216 14 2322 - #close 2016-07-13-16-13-10 diff --git a/testing/btest/Baseline/core.tunnels.gtp.outer_ip_frag/conn.log b/testing/btest/Baseline/core.tunnels.gtp.outer_ip_frag/conn.log index 1216a09d8a..4c598b386d 100644 --- a/testing/btest/Baseline/core.tunnels.gtp.outer_ip_frag/conn.log +++ b/testing/btest/Baseline/core.tunnels.gtp.outer_ip_frag/conn.log @@ -7,5 +7,5 @@ #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] 1333458850.364667 ClEkJM2Vm5giqnMf4h 10.131.47.185 1923 79.101.110.141 80 tcp http 0.069783 2100 56702 SF - - 0 ShADadfF 27 3204 41 52594 CHhAvVGS1DHFjwGM9 -1333458850.364667 CHhAvVGS1DHFjwGM9 239.114.155.111 2152 63.94.149.181 2152 udp gtpv1 0.069813 3420 52922 SF - - 0 Dd 27 4176 41 54070 (empty) +1333458850.364667 CHhAvVGS1DHFjwGM9 239.114.155.111 2152 63.94.149.181 2152 udp gtpv1 0.069813 3420 52922 SF - - 0 Dd 27 4176 41 54070 - #close 2016-07-13-16-13-10 
diff --git a/testing/btest/Baseline/core.tunnels.ip-in-ip-version/output b/testing/btest/Baseline/core.tunnels.ip-in-ip-version/output
new file mode 100644
index 0000000000..728d8e4793
--- /dev/null
+++ b/testing/btest/Baseline/core.tunnels.ip-in-ip-version/output
@@ -0,0 +1,20 @@
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path weird
+#open 2017-10-19-17-26-34
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
+#types time string addr port addr port string string bool string
+1500557630.000000 - ff00:0:6929::6904:ff:3bbf 0 ffff:0:69:2900:0:69:400:ff3b 0 invalid_inner_IP_version_in_tunnel - F bro
+#close 2017-10-19-17-26-35
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path weird
+#open 2017-10-19-17-26-36
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
+#types time string addr port addr port string string bool string
+1500557630.000000 - b100:7265::6904:2aff 0 3bbf:ff00:40:21:ffff:ffff:fffd:f7ff 0 invalid_inner_IP_version - F bro
+#close 2017-10-19-17-26-37
diff --git a/testing/btest/Baseline/core.tunnels.teredo/conn.log b/testing/btest/Baseline/core.tunnels.teredo/conn.log
index 12e7481b36..159ad78bb6 100644
--- a/testing/btest/Baseline/core.tunnels.teredo/conn.log
+++ b/testing/btest/Baseline/core.tunnels.teredo/conn.log
@@ -6,24 +6,24 @@ #open 2016-07-13-16-13-14 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] -1210953047.736921 ClEkJM2Vm5giqnMf4h 192.168.2.16 1576 75.126.130.163 80 tcp - 0.000357 0 0 SHR - - 0 ^fA 1 40 1 40 (empty) -1210953050.867067 C4J4Th3PJpwUYZZ6gc 192.168.2.16 1577 75.126.203.78 80 tcp - 0.000387 0 0 SHR - - 0 ^fA 1 40 1 40 (empty) -1210953057.833364 C37jN32gN3y3AZzyf6 192.168.2.16 1577 75.126.203.78 80 tcp - 0.079208 0 0 SH - - 0 Fa 1 40 1 40 (empty) -1210953058.007081 CwjjYJ2WqgTbAqiHl6 192.168.2.16 1576 75.126.130.163 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) -1210953057.834454 C3eiCBGOLw3VtHfOj 192.168.2.16 1578 75.126.203.78 80 tcp http 0.407908 790 171 RSTO - - 0 ShADadR 6 1038 4 335 (empty) -1210953058.350065 C0LAHyvtKSQHyJxIl 192.168.2.16 1920 192.168.2.1 53 udp dns 0.223055 66 438 SF - - 0 Dd 2 122 2 494 (empty) -1210953058.577231 CFLRIC3zaTU1loLGxh 192.168.2.16 137 192.168.2.255 137 udp dns 1.499261 150 0 S0 - - 0 D 3 234 0 0 (empty) -1210953074.264819 CtxTCR2Yer0FR1tIBg 192.168.2.16 1920 192.168.2.1 53 udp dns 0.297723 123 598 SF - - 0 Dd 3 207 3 682 (empty) -1210953074.570439 CpmdRlaUoJLN3uIRa 192.168.2.16 1580 67.228.110.120 80 tcp http 0.466677 469 3916 SF - - 0 ShADadFf 7 757 6 4164 (empty) -1210953074.057124 CykQaM33ztNt0csB9a 192.168.2.16 1576 75.126.130.163 80 tcp - - - - RSTRH - - 0 ^r 0 0 1 40 (empty) +1210953047.736921 ClEkJM2Vm5giqnMf4h 192.168.2.16 1576 75.126.130.163 80 tcp - 0.000357 0 0 SHR - - 0 ^fA 1 40 1 40 - +1210953050.867067 C4J4Th3PJpwUYZZ6gc 192.168.2.16 1577 75.126.203.78 80 tcp - 0.000387 0 0 SHR - - 0 ^fA 1 40 1 40 - +1210953057.833364 C37jN32gN3y3AZzyf6 192.168.2.16 1577 75.126.203.78 80 tcp - 0.079208 0 0 SH - - 0 
Fa 1 40 1 40 - +1210953058.007081 CwjjYJ2WqgTbAqiHl6 192.168.2.16 1576 75.126.130.163 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - +1210953057.834454 C3eiCBGOLw3VtHfOj 192.168.2.16 1578 75.126.203.78 80 tcp http 0.407908 790 171 RSTO - - 0 ShADadR 6 1038 4 335 - +1210953058.350065 C0LAHyvtKSQHyJxIl 192.168.2.16 1920 192.168.2.1 53 udp dns 0.223055 66 438 SF - - 0 Dd 2 122 2 494 - +1210953058.577231 CFLRIC3zaTU1loLGxh 192.168.2.16 137 192.168.2.255 137 udp dns 1.499261 150 0 S0 - - 0 D 3 234 0 0 - +1210953074.264819 CtxTCR2Yer0FR1tIBg 192.168.2.16 1920 192.168.2.1 53 udp dns 0.297723 123 598 SF - - 0 Dd 3 207 3 682 - +1210953074.570439 CpmdRlaUoJLN3uIRa 192.168.2.16 1580 67.228.110.120 80 tcp http 0.466677 469 3916 SF - - 0 ShADadFf 7 757 6 4164 - +1210953074.057124 CykQaM33ztNt0csB9a 192.168.2.16 1576 75.126.130.163 80 tcp - - - - RSTRH - - 0 ^r 0 0 1 40 - 1210953061.312379 CNnMIj2QSd84NKf7U3 2001:0:4137:9e50:8000:f12a:b9c8:2815 1286 2001:4860:0:2001::68 80 tcp http 12.810848 1675 10467 S1 - - 0 ShADad 10 2279 12 11191 Ck51lg1bScffFj34Ri -1210953076.058333 C1Xkzz2MaGtLrc1Tla 192.168.2.16 1578 75.126.203.78 80 tcp - - - - RSTRH - - 0 ^r 0 0 1 40 (empty) -1210953074.055744 C7fIlMZDuRiqjpYbb 192.168.2.16 1577 75.126.203.78 80 tcp - - - - RSTRH - - 0 ^r 0 0 1 40 (empty) -1210953052.324629 CmES5u32sYpV7JYN 192.168.2.16 3797 65.55.158.81 3544 udp - - - - SHR - - 0 ^d 0 0 1 137 (empty) -1210953052.202579 CtPZjS20MLrsMUOJi2 192.168.2.16 3797 65.55.158.80 3544 udp teredo 8.928880 129 48 SF - - 0 Dd 2 185 1 76 (empty) -1210953058.933954 C9rXSW3KSpTYvPrlI1 0.0.0.0 68 255.255.255.255 67 udp dhcp - - - S0 - - 0 D 1 328 0 0 (empty) -1210953060.829233 Ck51lg1bScffFj34Ri 192.168.2.16 3797 83.170.1.38 32900 udp teredo 13.293994 2359 11243 SF - - 0 Dd 12 2695 13 11607 (empty) -1210953046.591933 CHhAvVGS1DHFjwGM9 192.168.2.16 138 192.168.2.255 138 udp - 28.448321 416 0 S0 - - 0 D 2 472 0 0 (empty) +1210953076.058333 C1Xkzz2MaGtLrc1Tla 192.168.2.16 1578 75.126.203.78 80 tcp - - - - RSTRH 
- - 0 ^r 0 0 1 40 - +1210953074.055744 C7fIlMZDuRiqjpYbb 192.168.2.16 1577 75.126.203.78 80 tcp - - - - RSTRH - - 0 ^r 0 0 1 40 - +1210953052.324629 CmES5u32sYpV7JYN 192.168.2.16 3797 65.55.158.81 3544 udp - - - - SHR - - 0 ^d 0 0 1 137 - +1210953052.202579 CtPZjS20MLrsMUOJi2 192.168.2.16 3797 65.55.158.80 3544 udp teredo 8.928880 129 48 SF - - 0 Dd 2 185 1 76 - +1210953058.933954 C9rXSW3KSpTYvPrlI1 0.0.0.0 68 255.255.255.255 67 udp dhcp - - - S0 - - 0 D 1 328 0 0 - +1210953060.829233 Ck51lg1bScffFj34Ri 192.168.2.16 3797 83.170.1.38 32900 udp teredo 13.293994 2359 11243 SF - - 0 Dd 12 2695 13 11607 - +1210953046.591933 CHhAvVGS1DHFjwGM9 192.168.2.16 138 192.168.2.255 138 udp - 28.448321 416 0 S0 - - 0 D 2 472 0 0 - 1210953052.324629 CP5puj4I8PtEU4qzYg fe80::8000:f227:bec8:61af 134 fe80::8000:ffff:ffff:fffd 133 icmp - - - - OTH - - 0 - 1 88 0 0 CmES5u32sYpV7JYN 1210953060.829303 C9mvWx3ezztgzcexV7 2001:0:4137:9e50:8000:f12a:b9c8:2815 128 2001:4860:0:2001::68 129 icmp - 0.463615 4 4 OTH - - 0 - 1 52 1 52 CtPZjS20MLrsMUOJi2,Ck51lg1bScffFj34Ri 1210953052.202579 CUM0KZ3MLUfNB0cl11 fe80::8000:ffff:ffff:fffd 133 ff02::2 134 icmp - - - - OTH - - 0 - 1 64 0 0 CtPZjS20MLrsMUOJi2 diff --git a/testing/btest/Baseline/core.tunnels.teredo_bubble_with_payload/conn.log b/testing/btest/Baseline/core.tunnels.teredo_bubble_with_payload/conn.log index 6d4a0302b3..3b4f3da36e 100644 --- a/testing/btest/Baseline/core.tunnels.teredo_bubble_with_payload/conn.log +++ b/testing/btest/Baseline/core.tunnels.teredo_bubble_with_payload/conn.log 
@@ -7,9 +7,9 @@ #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] 1340127577.354166 CP5puj4I8PtEU4qzYg 2001:0:4137:9e50:8000:f12a:b9c8:2815 1286 2001:4860:0:2001::68 80 tcp http 0.052829 1675 10467 S1 - - 0 ShADad 10 2279 12 11191 CUM0KZ3MLUfNB0cl11 -1340127577.339015 C4J4Th3PJpwUYZZ6gc 192.168.2.16 3797 65.55.158.81 3544 udp - - - - SHR - - 0 ^d 0 0 1 137 (empty) -1340127577.336558 CHhAvVGS1DHFjwGM9 192.168.2.16 3797 65.55.158.80 3544 udp teredo 0.010291 129 52 SF - - 0 Dd 2 185 1 80 (empty) -1340127577.341510 CUM0KZ3MLUfNB0cl11 192.168.2.16 3797 83.170.1.38 32900 udp teredo 0.065485 2367 11243 SF - - 0 Dd 12 2703 13 11607 (empty) +1340127577.339015 C4J4Th3PJpwUYZZ6gc 192.168.2.16 3797 65.55.158.81 3544 udp - - - - SHR - - 0 ^d 0 0 1 137 - +1340127577.336558 CHhAvVGS1DHFjwGM9 192.168.2.16 3797 65.55.158.80 3544 udp teredo 0.010291 129 52 SF - - 0 Dd 2 185 1 80 - +1340127577.341510 CUM0KZ3MLUfNB0cl11 192.168.2.16 3797 83.170.1.38 32900 udp teredo 0.065485 2367 11243 SF - - 0 Dd 12 2703 13 11607 - 1340127577.339015 CtPZjS20MLrsMUOJi2 fe80::8000:f227:bec8:61af 134 fe80::8000:ffff:ffff:fffd 133 icmp - - - - OTH - - 0 - 1 88 0 0 C4J4Th3PJpwUYZZ6gc 1340127577.343969 CmES5u32sYpV7JYN 2001:0:4137:9e50:8000:f12a:b9c8:2815 128 2001:4860:0:2001::68 129 icmp - 0.007778 4 4 OTH - - 0 - 1 52 1 52 CUM0KZ3MLUfNB0cl11,CHhAvVGS1DHFjwGM9 1340127577.336558 ClEkJM2Vm5giqnMf4h fe80::8000:ffff:ffff:fffd 133 ff02::2 134 icmp - - - - OTH - - 0 - 1 64 0 0 CHhAvVGS1DHFjwGM9 diff --git a/testing/btest/Baseline/core.vlan-mpls/conn.log b/testing/btest/Baseline/core.vlan-mpls/conn.log index 7b7b1e919d..5bcf4c6778 100644 --- a/testing/btest/Baseline/core.vlan-mpls/conn.log 
+++ b/testing/btest/Baseline/core.vlan-mpls/conn.log @@ -6,7 +6,7 @@ #open 2016-07-13-16-13-15 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] -952109346.874907 CHhAvVGS1DHFjwGM9 10.1.2.1 11001 10.34.0.1 23 tcp - 2.102560 26 0 SH - - 0 SADF 11 470 0 0 (empty) -1128727435.450898 ClEkJM2Vm5giqnMf4h 141.42.64.125 56730 125.190.109.199 80 tcp http 1.733303 98 9417 SF - - 0 ShADdFaf 12 730 10 9945 (empty) -1278600802.069419 C4J4Th3PJpwUYZZ6gc 10.20.80.1 50343 10.0.0.15 80 tcp - 0.004152 9 3429 SF - - 0 ShADadfF 7 381 7 3801 (empty) +952109346.874907 CHhAvVGS1DHFjwGM9 10.1.2.1 11001 10.34.0.1 23 tcp - 2.102560 26 0 SH - - 0 SADF 11 470 0 0 - +1128727435.450898 ClEkJM2Vm5giqnMf4h 141.42.64.125 56730 125.190.109.199 80 tcp http 1.733303 98 9417 SF - - 0 ShADdFaf 12 730 10 9945 - +1278600802.069419 C4J4Th3PJpwUYZZ6gc 10.20.80.1 50343 10.0.0.15 80 tcp - 0.004152 9 3429 SF - - 0 ShADadfF 7 381 7 3801 - #close 2016-07-13-16-13-15 diff --git a/testing/btest/Baseline/core.when-interpreter-exceptions/bro.output b/testing/btest/Baseline/core.when-interpreter-exceptions/bro.output index 6d7ae52baf..200e850a12 100644 --- a/testing/btest/Baseline/core.when-interpreter-exceptions/bro.output +++ b/testing/btest/Baseline/core.when-interpreter-exceptions/bro.output 
@@ -1,7 +1,7 @@ -expression error in /Users/jon/Projects/bro/bro/testing/btest/.tmp/core.when-interpreter-exceptions/when-interpreter-exceptions.bro, line 48: field value missing [myrecord$notset] -expression error in /Users/jon/Projects/bro/bro/testing/btest/.tmp/core.when-interpreter-exceptions/when-interpreter-exceptions.bro, line 92: field value missing [myrecord$notset] -expression error in /Users/jon/Projects/bro/bro/testing/btest/.tmp/core.when-interpreter-exceptions/when-interpreter-exceptions.bro, line 73: field value missing [myrecord$notset] -expression error in /Users/jon/Projects/bro/bro/testing/btest/.tmp/core.when-interpreter-exceptions/when-interpreter-exceptions.bro, line 104: field value missing [myrecord$notset] +expression error in /Users/jon/Projects/bro/bro/testing/btest/.tmp/core.when-interpreter-exceptions/when-interpreter-exceptions.bro, line 47: field value missing [myrecord$notset] +expression error in /Users/jon/Projects/bro/bro/testing/btest/.tmp/core.when-interpreter-exceptions/when-interpreter-exceptions.bro, line 91: field value missing [myrecord$notset] +expression error in /Users/jon/Projects/bro/bro/testing/btest/.tmp/core.when-interpreter-exceptions/when-interpreter-exceptions.bro, line 72: field value missing [myrecord$notset] +expression error in /Users/jon/Projects/bro/bro/testing/btest/.tmp/core.when-interpreter-exceptions/when-interpreter-exceptions.bro, line 103: field value missing [myrecord$notset] received termination signal [f(F)] f() done, no exception, T diff --git a/testing/btest/Baseline/core.wlanmon/conn.log b/testing/btest/Baseline/core.wlanmon/conn.log new file mode 100644 index 0000000000..72161c6d47 --- /dev/null +++ b/testing/btest/Baseline/core.wlanmon/conn.log 
@@ -0,0 +1,11 @@
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path conn
+#open 2018-05-15-16-59-00
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
+#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string]
+1526399270.280018 CHhAvVGS1DHFjwGM9 172.17.156.76 61738 208.67.220.220 53 udp dns 0.009303 35 128 SF - - 0 Dd 1 63 1 156 -
+1526399270.293114 ClEkJM2Vm5giqnMf4h fe80::a667:6ff:fef7:ec54 5353 ff02::fb 5353 udp dns - - - S0 - - 0 D 1 328 0 0 -
+#close 2018-05-15-16-59-00
diff --git a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
index 6587112ef2..02e6855308 100644
--- a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
+++ b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
@@ -3,25 +3,21 @@ #empty_field (empty) #unset_field - #path loaded_scripts -#open 2016-11-02-17-25-26 +#open 2018-06-08-16-37-15 #fields name #types string scripts/base/init-bare.bro build/scripts/base/bif/const.bif.bro build/scripts/base/bif/types.bif.bro - build/scripts/base/bif/strings.bif.bro build/scripts/base/bif/bro.bif.bro + build/scripts/base/bif/stats.bif.bro build/scripts/base/bif/reporter.bif.bro + build/scripts/base/bif/strings.bif.bro + build/scripts/base/bif/option.bif.bro build/scripts/base/bif/plugins/Bro_SNMP.types.bif.bro build/scripts/base/bif/plugins/Bro_KRB.types.bif.bro build/scripts/base/bif/event.bif.bro - scripts/base/frameworks/broker/__load__.bro - scripts/base/frameworks/broker/main.bro - build/scripts/base/bif/comm.bif.bro - build/scripts/base/bif/messaging.bif.bro - scripts/base/frameworks/broker/store.bro - build/scripts/base/bif/data.bif.bro - build/scripts/base/bif/store.bif.bro +scripts/base/init-frameworks-and-bifs.bro scripts/base/frameworks/logging/__load__.bro scripts/base/frameworks/logging/main.bro build/scripts/base/bif/logging.bif.bro @@ -31,6 +27,14 @@ scripts/base/init-bare.bro scripts/base/frameworks/logging/writers/ascii.bro scripts/base/frameworks/logging/writers/sqlite.bro scripts/base/frameworks/logging/writers/none.bro + scripts/base/frameworks/broker/__load__.bro + scripts/base/frameworks/broker/main.bro + build/scripts/base/bif/comm.bif.bro + build/scripts/base/bif/messaging.bif.bro + scripts/base/frameworks/broker/store.bro + build/scripts/base/bif/data.bif.bro + build/scripts/base/bif/store.bif.bro + scripts/base/frameworks/broker/log.bro scripts/base/frameworks/input/__load__.bro scripts/base/frameworks/input/main.bro build/scripts/base/bif/input.bif.bro 
@@ -38,6 +42,7 @@ scripts/base/init-bare.bro scripts/base/frameworks/input/readers/raw.bro scripts/base/frameworks/input/readers/benchmark.bro scripts/base/frameworks/input/readers/binary.bro + scripts/base/frameworks/input/readers/config.bro scripts/base/frameworks/input/readers/sqlite.bro scripts/base/frameworks/analyzer/__load__.bro scripts/base/frameworks/analyzer/main.bro @@ -50,7 +55,6 @@ scripts/base/init-bare.bro scripts/base/utils/patterns.bro scripts/base/frameworks/files/magic/__load__.bro build/scripts/base/bif/__load__.bro - build/scripts/base/bif/stats.bif.bro build/scripts/base/bif/broxygen.bif.bro build/scripts/base/bif/pcap.bif.bro build/scripts/base/bif/bloom-filter.bif.bro @@ -58,7 +62,6 @@ scripts/base/init-bare.bro build/scripts/base/bif/top-k.bif.bro build/scripts/base/bif/plugins/__load__.bro build/scripts/base/bif/plugins/Bro_ARP.events.bif.bro - build/scripts/base/bif/plugins/Bro_AYIYA.events.bif.bro build/scripts/base/bif/plugins/Bro_BackDoor.events.bif.bro build/scripts/base/bif/plugins/Bro_BitTorrent.events.bif.bro build/scripts/base/bif/plugins/Bro_ConnSize.events.bif.bro @@ -67,6 +70,7 @@ scripts/base/init-bare.bro build/scripts/base/bif/plugins/Bro_DCE_RPC.types.bif.bro build/scripts/base/bif/plugins/Bro_DCE_RPC.events.bif.bro build/scripts/base/bif/plugins/Bro_DHCP.events.bif.bro + build/scripts/base/bif/plugins/Bro_DHCP.types.bif.bro build/scripts/base/bif/plugins/Bro_DNP3.events.bif.bro build/scripts/base/bif/plugins/Bro_DNS.events.bif.bro build/scripts/base/bif/plugins/Bro_File.events.bif.bro @@ -74,7 +78,6 @@ scripts/base/init-bare.bro build/scripts/base/bif/plugins/Bro_FTP.events.bif.bro build/scripts/base/bif/plugins/Bro_FTP.functions.bif.bro build/scripts/base/bif/plugins/Bro_Gnutella.events.bif.bro - build/scripts/base/bif/plugins/Bro_GSSAPI.types.bif.bro build/scripts/base/bif/plugins/Bro_GSSAPI.events.bif.bro build/scripts/base/bif/plugins/Bro_GTPv1.events.bif.bro build/scripts/base/bif/plugins/Bro_HTTP.events.bif.bro 
@@ -91,12 +94,12 @@ scripts/base/init-bare.bro build/scripts/base/bif/plugins/Bro_Modbus.events.bif.bro build/scripts/base/bif/plugins/Bro_MySQL.events.bif.bro build/scripts/base/bif/plugins/Bro_NCP.events.bif.bro + build/scripts/base/bif/plugins/Bro_NCP.consts.bif.bro build/scripts/base/bif/plugins/Bro_NetBIOS.events.bif.bro build/scripts/base/bif/plugins/Bro_NetBIOS.functions.bif.bro build/scripts/base/bif/plugins/Bro_NTLM.types.bif.bro build/scripts/base/bif/plugins/Bro_NTLM.events.bif.bro build/scripts/base/bif/plugins/Bro_NTP.events.bif.bro - build/scripts/base/bif/plugins/Bro_PIA.events.bif.bro build/scripts/base/bif/plugins/Bro_POP3.events.bif.bro build/scripts/base/bif/plugins/Bro_RADIUS.events.bif.bro build/scripts/base/bif/plugins/Bro_RDP.events.bif.bro @@ -117,7 +120,9 @@ scripts/base/init-bare.bro build/scripts/base/bif/plugins/Bro_SMB.smb1_com_read_andx.bif.bro build/scripts/base/bif/plugins/Bro_SMB.smb1_com_session_setup_andx.bif.bro build/scripts/base/bif/plugins/Bro_SMB.smb1_com_transaction.bif.bro + build/scripts/base/bif/plugins/Bro_SMB.smb1_com_transaction_secondary.bif.bro build/scripts/base/bif/plugins/Bro_SMB.smb1_com_transaction2.bif.bro + build/scripts/base/bif/plugins/Bro_SMB.smb1_com_transaction2_secondary.bif.bro build/scripts/base/bif/plugins/Bro_SMB.smb1_com_tree_connect_andx.bif.bro build/scripts/base/bif/plugins/Bro_SMB.smb1_com_tree_disconnect.bif.bro build/scripts/base/bif/plugins/Bro_SMB.smb1_com_write_andx.bif.bro @@ -150,7 +155,6 @@ scripts/base/init-bare.bro build/scripts/base/bif/plugins/Bro_Teredo.events.bif.bro build/scripts/base/bif/plugins/Bro_UDP.events.bif.bro build/scripts/base/bif/plugins/Bro_XMPP.events.bif.bro - build/scripts/base/bif/plugins/Bro_ZIP.events.bif.bro build/scripts/base/bif/plugins/Bro_FileEntropy.events.bif.bro build/scripts/base/bif/plugins/Bro_FileExtract.events.bif.bro build/scripts/base/bif/plugins/Bro_FileExtract.functions.bif.bro 
@@ -161,9 +165,11 @@ scripts/base/init-bare.bro build/scripts/base/bif/plugins/Bro_X509.events.bif.bro build/scripts/base/bif/plugins/Bro_X509.types.bif.bro build/scripts/base/bif/plugins/Bro_X509.functions.bif.bro + build/scripts/base/bif/plugins/Bro_X509.ocsp_events.bif.bro build/scripts/base/bif/plugins/Bro_AsciiReader.ascii.bif.bro build/scripts/base/bif/plugins/Bro_BenchmarkReader.benchmark.bif.bro build/scripts/base/bif/plugins/Bro_BinaryReader.binary.bif.bro + build/scripts/base/bif/plugins/Bro_ConfigReader.config.bif.bro build/scripts/base/bif/plugins/Bro_RawReader.raw.bif.bro build/scripts/base/bif/plugins/Bro_SQLiteReader.sqlite.bif.bro build/scripts/base/bif/plugins/Bro_AsciiWriter.ascii.bif.bro @@ -171,4 +177,4 @@ scripts/base/init-bare.bro build/scripts/base/bif/plugins/Bro_SQLiteWriter.sqlite.bif.bro scripts/policy/misc/loaded-scripts.bro scripts/base/utils/paths.bro -#close 2016-11-02-17-25-26 +#close 2018-06-08-16-37-15 diff --git a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log index 7a7b127752..ebe22c1b91 100644 --- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log +++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log 
@@ -3,25 +3,21 @@ #empty_field (empty) #unset_field - #path loaded_scripts -#open 2016-11-02-17-25-18 +#open 2018-06-08-16-37-20 #fields name #types string scripts/base/init-bare.bro build/scripts/base/bif/const.bif.bro build/scripts/base/bif/types.bif.bro - build/scripts/base/bif/strings.bif.bro build/scripts/base/bif/bro.bif.bro + build/scripts/base/bif/stats.bif.bro build/scripts/base/bif/reporter.bif.bro + build/scripts/base/bif/strings.bif.bro + build/scripts/base/bif/option.bif.bro build/scripts/base/bif/plugins/Bro_SNMP.types.bif.bro build/scripts/base/bif/plugins/Bro_KRB.types.bif.bro build/scripts/base/bif/event.bif.bro - scripts/base/frameworks/broker/__load__.bro - scripts/base/frameworks/broker/main.bro - build/scripts/base/bif/comm.bif.bro - build/scripts/base/bif/messaging.bif.bro - scripts/base/frameworks/broker/store.bro - build/scripts/base/bif/data.bif.bro - build/scripts/base/bif/store.bif.bro +scripts/base/init-frameworks-and-bifs.bro scripts/base/frameworks/logging/__load__.bro scripts/base/frameworks/logging/main.bro build/scripts/base/bif/logging.bif.bro @@ -31,6 +27,14 @@ scripts/base/init-bare.bro scripts/base/frameworks/logging/writers/ascii.bro scripts/base/frameworks/logging/writers/sqlite.bro scripts/base/frameworks/logging/writers/none.bro + scripts/base/frameworks/broker/__load__.bro + scripts/base/frameworks/broker/main.bro + build/scripts/base/bif/comm.bif.bro + build/scripts/base/bif/messaging.bif.bro + scripts/base/frameworks/broker/store.bro + build/scripts/base/bif/data.bif.bro + build/scripts/base/bif/store.bif.bro + scripts/base/frameworks/broker/log.bro scripts/base/frameworks/input/__load__.bro scripts/base/frameworks/input/main.bro build/scripts/base/bif/input.bif.bro 
@@ -38,6 +42,7 @@ scripts/base/init-bare.bro scripts/base/frameworks/input/readers/raw.bro scripts/base/frameworks/input/readers/benchmark.bro scripts/base/frameworks/input/readers/binary.bro + scripts/base/frameworks/input/readers/config.bro scripts/base/frameworks/input/readers/sqlite.bro scripts/base/frameworks/analyzer/__load__.bro scripts/base/frameworks/analyzer/main.bro @@ -50,7 +55,6 @@ scripts/base/init-bare.bro scripts/base/utils/patterns.bro scripts/base/frameworks/files/magic/__load__.bro build/scripts/base/bif/__load__.bro - build/scripts/base/bif/stats.bif.bro build/scripts/base/bif/broxygen.bif.bro build/scripts/base/bif/pcap.bif.bro build/scripts/base/bif/bloom-filter.bif.bro @@ -58,7 +62,6 @@ scripts/base/init-bare.bro build/scripts/base/bif/top-k.bif.bro build/scripts/base/bif/plugins/__load__.bro build/scripts/base/bif/plugins/Bro_ARP.events.bif.bro - build/scripts/base/bif/plugins/Bro_AYIYA.events.bif.bro build/scripts/base/bif/plugins/Bro_BackDoor.events.bif.bro build/scripts/base/bif/plugins/Bro_BitTorrent.events.bif.bro build/scripts/base/bif/plugins/Bro_ConnSize.events.bif.bro @@ -67,6 +70,7 @@ scripts/base/init-bare.bro build/scripts/base/bif/plugins/Bro_DCE_RPC.types.bif.bro build/scripts/base/bif/plugins/Bro_DCE_RPC.events.bif.bro build/scripts/base/bif/plugins/Bro_DHCP.events.bif.bro + build/scripts/base/bif/plugins/Bro_DHCP.types.bif.bro build/scripts/base/bif/plugins/Bro_DNP3.events.bif.bro build/scripts/base/bif/plugins/Bro_DNS.events.bif.bro build/scripts/base/bif/plugins/Bro_File.events.bif.bro @@ -74,7 +78,6 @@ scripts/base/init-bare.bro build/scripts/base/bif/plugins/Bro_FTP.events.bif.bro build/scripts/base/bif/plugins/Bro_FTP.functions.bif.bro build/scripts/base/bif/plugins/Bro_Gnutella.events.bif.bro - build/scripts/base/bif/plugins/Bro_GSSAPI.types.bif.bro build/scripts/base/bif/plugins/Bro_GSSAPI.events.bif.bro build/scripts/base/bif/plugins/Bro_GTPv1.events.bif.bro build/scripts/base/bif/plugins/Bro_HTTP.events.bif.bro 
@@ -91,12 +94,12 @@ scripts/base/init-bare.bro build/scripts/base/bif/plugins/Bro_Modbus.events.bif.bro build/scripts/base/bif/plugins/Bro_MySQL.events.bif.bro build/scripts/base/bif/plugins/Bro_NCP.events.bif.bro + build/scripts/base/bif/plugins/Bro_NCP.consts.bif.bro build/scripts/base/bif/plugins/Bro_NetBIOS.events.bif.bro build/scripts/base/bif/plugins/Bro_NetBIOS.functions.bif.bro build/scripts/base/bif/plugins/Bro_NTLM.types.bif.bro build/scripts/base/bif/plugins/Bro_NTLM.events.bif.bro build/scripts/base/bif/plugins/Bro_NTP.events.bif.bro - build/scripts/base/bif/plugins/Bro_PIA.events.bif.bro build/scripts/base/bif/plugins/Bro_POP3.events.bif.bro build/scripts/base/bif/plugins/Bro_RADIUS.events.bif.bro build/scripts/base/bif/plugins/Bro_RDP.events.bif.bro @@ -117,7 +120,9 @@ scripts/base/init-bare.bro build/scripts/base/bif/plugins/Bro_SMB.smb1_com_read_andx.bif.bro build/scripts/base/bif/plugins/Bro_SMB.smb1_com_session_setup_andx.bif.bro build/scripts/base/bif/plugins/Bro_SMB.smb1_com_transaction.bif.bro + build/scripts/base/bif/plugins/Bro_SMB.smb1_com_transaction_secondary.bif.bro build/scripts/base/bif/plugins/Bro_SMB.smb1_com_transaction2.bif.bro + build/scripts/base/bif/plugins/Bro_SMB.smb1_com_transaction2_secondary.bif.bro build/scripts/base/bif/plugins/Bro_SMB.smb1_com_tree_connect_andx.bif.bro build/scripts/base/bif/plugins/Bro_SMB.smb1_com_tree_disconnect.bif.bro build/scripts/base/bif/plugins/Bro_SMB.smb1_com_write_andx.bif.bro @@ -150,7 +155,6 @@ scripts/base/init-bare.bro build/scripts/base/bif/plugins/Bro_Teredo.events.bif.bro build/scripts/base/bif/plugins/Bro_UDP.events.bif.bro build/scripts/base/bif/plugins/Bro_XMPP.events.bif.bro - build/scripts/base/bif/plugins/Bro_ZIP.events.bif.bro build/scripts/base/bif/plugins/Bro_FileEntropy.events.bif.bro build/scripts/base/bif/plugins/Bro_FileExtract.events.bif.bro build/scripts/base/bif/plugins/Bro_FileExtract.functions.bif.bro 
@@ -161,9 +165,11 @@ scripts/base/init-bare.bro build/scripts/base/bif/plugins/Bro_X509.events.bif.bro build/scripts/base/bif/plugins/Bro_X509.types.bif.bro build/scripts/base/bif/plugins/Bro_X509.functions.bif.bro + build/scripts/base/bif/plugins/Bro_X509.ocsp_events.bif.bro build/scripts/base/bif/plugins/Bro_AsciiReader.ascii.bif.bro build/scripts/base/bif/plugins/Bro_BenchmarkReader.benchmark.bif.bro build/scripts/base/bif/plugins/Bro_BinaryReader.binary.bif.bro + build/scripts/base/bif/plugins/Bro_ConfigReader.config.bif.bro build/scripts/base/bif/plugins/Bro_RawReader.raw.bif.bro build/scripts/base/bif/plugins/Bro_SQLiteReader.sqlite.bif.bro build/scripts/base/bif/plugins/Bro_AsciiWriter.ascii.bif.bro @@ -182,6 +188,7 @@ scripts/base/init-default.bro scripts/base/utils/email.bro scripts/base/utils/files.bro scripts/base/utils/geoip-distance.bro + scripts/base/utils/hash_hrw.bro scripts/base/utils/numbers.bro scripts/base/utils/queue.bro scripts/base/utils/strings.bro @@ -190,6 +197,11 @@ scripts/base/init-default.bro scripts/base/utils/urls.bro scripts/base/frameworks/notice/__load__.bro scripts/base/frameworks/notice/main.bro + scripts/base/frameworks/cluster/__load__.bro + scripts/base/frameworks/cluster/main.bro + scripts/base/frameworks/control/__load__.bro + scripts/base/frameworks/control/main.bro + scripts/base/frameworks/cluster/pools.bro scripts/base/frameworks/notice/weird.bro scripts/base/frameworks/notice/actions/drop.bro scripts/base/frameworks/netcontrol/__load__.bro 
@@ -208,10 +220,6 @@ scripts/base/init-default.bro scripts/base/utils/json.bro scripts/base/frameworks/openflow/plugins/log.bro scripts/base/frameworks/openflow/plugins/broker.bro - scripts/base/frameworks/cluster/__load__.bro - scripts/base/frameworks/cluster/main.bro - scripts/base/frameworks/control/__load__.bro - scripts/base/frameworks/control/main.bro scripts/base/frameworks/openflow/non-cluster.bro scripts/base/frameworks/netcontrol/plugins/packetfilter.bro scripts/base/frameworks/netcontrol/plugins/broker.bro @@ -223,8 +231,6 @@ scripts/base/init-default.bro scripts/base/frameworks/notice/actions/email_admin.bro scripts/base/frameworks/notice/actions/page.bro scripts/base/frameworks/notice/actions/add-geodata.bro - scripts/base/frameworks/notice/extend-email/hostnames.bro - scripts/base/frameworks/notice/non-cluster.bro scripts/base/frameworks/notice/actions/pp-alarms.bro scripts/base/frameworks/dpd/__load__.bro scripts/base/frameworks/dpd/main.bro @@ -235,12 +241,13 @@ scripts/base/init-default.bro scripts/base/frameworks/packet-filter/netstats.bro scripts/base/frameworks/software/__load__.bro scripts/base/frameworks/software/main.bro - scripts/base/frameworks/communication/__load__.bro - scripts/base/frameworks/communication/main.bro scripts/base/frameworks/intel/__load__.bro scripts/base/frameworks/intel/main.bro scripts/base/frameworks/intel/files.bro scripts/base/frameworks/intel/input.bro + scripts/base/frameworks/config/__load__.bro + scripts/base/frameworks/config/main.bro + scripts/base/frameworks/config/input.bro scripts/base/frameworks/sumstats/__load__.bro scripts/base/frameworks/sumstats/main.bro scripts/base/frameworks/sumstats/plugins/__load__.bro 
@@ -270,7 +277,6 @@ scripts/base/init-default.bro scripts/base/protocols/dhcp/__load__.bro scripts/base/protocols/dhcp/consts.bro scripts/base/protocols/dhcp/main.bro - scripts/base/protocols/dhcp/utils.bro scripts/base/protocols/dnp3/__load__.bro scripts/base/protocols/dnp3/main.bro scripts/base/protocols/dnp3/consts.bro @@ -288,6 +294,7 @@ scripts/base/init-default.bro scripts/base/protocols/ssl/consts.bro scripts/base/protocols/ssl/main.bro scripts/base/protocols/ssl/mozilla-ca-list.bro + scripts/base/protocols/ssl/ct-list.bro scripts/base/protocols/ssl/files.bro scripts/base/files/x509/__load__.bro scripts/base/files/x509/main.bro @@ -320,6 +327,10 @@ scripts/base/init-default.bro scripts/base/protocols/smb/consts.bro scripts/base/protocols/smb/const-dos-error.bro scripts/base/protocols/smb/const-nt-status.bro + scripts/base/protocols/smb/main.bro + scripts/base/protocols/smb/smb1-main.bro + scripts/base/protocols/smb/smb2-main.bro + scripts/base/protocols/smb/files.bro scripts/base/protocols/pop3/__load__.bro scripts/base/protocols/radius/__load__.bro scripts/base/protocols/radius/main.bro @@ -359,4 +370,4 @@ scripts/base/init-default.bro scripts/base/misc/find-filtered-trace.bro scripts/base/misc/version.bro scripts/policy/misc/loaded-scripts.bro -#close 2016-11-02-17-25-18 +#close 2018-06-08-16-37-20 diff --git a/testing/btest/Baseline/coverage.find-bro-logs/out b/testing/btest/Baseline/coverage.find-bro-logs/out index 9ff209d2e6..70a635b24f 100644 --- a/testing/btest/Baseline/coverage.find-bro-logs/out +++ b/testing/btest/Baseline/coverage.find-bro-logs/out @@ -1,7 +1,8 @@ barnyard2 +broker capture_loss cluster -communication +config conn dce__r_pc dhcp @@ -14,7 +15,6 @@ http intel irc known_certs -known_devices known_hosts known_modbus known_services @@ -30,6 +30,7 @@ netcontrol_shunt notice notice_alarm ntlm +ocsp open_flow packet_filter pe 
diff --git a/testing/btest/Baseline/coverage.init-default/missing_loads b/testing/btest/Baseline/coverage.init-default/missing_loads index 50d52bd0a5..31966f11c1 100644 --- a/testing/btest/Baseline/coverage.init-default/missing_loads +++ b/testing/btest/Baseline/coverage.init-default/missing_loads @@ -5,7 +5,6 @@ -./frameworks/cluster/setup-connections.bro -./frameworks/intel/cluster.bro -./frameworks/netcontrol/cluster.bro --./frameworks/notice/cluster.bro -./frameworks/openflow/cluster.bro -./frameworks/packet-filter/cluster.bro -./frameworks/sumstats/cluster.bro diff --git a/testing/btest/Baseline/doc.broxygen.all_scripts/.stderr b/testing/btest/Baseline/doc.broxygen.all_scripts/.stderr index d4746c0865..2bc5465045 100644 --- a/testing/btest/Baseline/doc.broxygen.all_scripts/.stderr +++ b/testing/btest/Baseline/doc.broxygen.all_scripts/.stderr @@ -1 +1,2 @@ +error in /home/jon/projects/bro/bro/scripts/policy/frameworks/control/controller.bro, line 22: The '' control command is unknown. , line 1: received termination signal diff --git a/testing/btest/Baseline/doc.broxygen.all_scripts/.stdout b/testing/btest/Baseline/doc.broxygen.all_scripts/.stdout index f72022e359..bfc3c033df 100644 --- a/testing/btest/Baseline/doc.broxygen.all_scripts/.stdout +++ b/testing/btest/Baseline/doc.broxygen.all_scripts/.stdout @@ -1,2 +1 @@ -The '' control command is unknown. WARNING: No Site::local_nets have been defined. It's usually a good idea to define your local networks. diff --git a/testing/btest/Baseline/doc.broxygen.example/example.rst b/testing/btest/Baseline/doc.broxygen.example/example.rst index 48289fe466..109784229d 100644 --- a/testing/btest/Baseline/doc.broxygen.example/example.rst +++ b/testing/btest/Baseline/doc.broxygen.example/example.rst 
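Review bot: The line added to the `doc.broxygen.all_scripts/.stderr` baseline embeds an absolute path from the author's machine, `/home/jon/projects/bro/bro/scripts/policy/frameworks/control/controller.bro`. Unless the test's diff canonifier strips absolute paths (it is not visible in this diff, so this needs confirming), the baseline will only match on a checkout at that exact location. It also commits a local username and directory layout to the repository. Regenerating the baseline through a path-normalising canonifier, so the line reads along the lines of `error in scripts/policy/frameworks/control/controller.bro, line 22: The '' control command is unknown.`, would fix both.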
@@ -32,8 +32,8 @@ And a custom directive does the equivalent references: Summary ~~~~~~~ -Options -####### +Redefinable Options +################### ==================================================================================== ======================================================= :bro:id:`BroxygenExample::an_option`: :bro:type:`set` :bro:attr:`&redef` Add documentation for "an_option" here. :bro:id:`BroxygenExample::option_with_init`: :bro:type:`interval` :bro:attr:`&redef` Default initialization will be generated automatically. @@ -81,8 +81,8 @@ Functions Detailed Interface ~~~~~~~~~~~~~~~~~~ -Options -####### +Redefinable Options +################### .. bro:id:: BroxygenExample::an_option :Type: :bro:type:`set` [:bro:type:`addr`, :bro:type:`addr`, :bro:type:`string`] diff --git a/testing/btest/Baseline/doc.manual.using_bro_sandbox_01/conn.log b/testing/btest/Baseline/doc.manual.using_bro_sandbox_01/conn.log index 7fe6aa385c..6eb08725f5 100644 --- a/testing/btest/Baseline/doc.manual.using_bro_sandbox_01/conn.log +++ b/testing/btest/Baseline/doc.manual.using_bro_sandbox_01/conn.log 
@@ -6,38 +6,38 @@ #open 2013-05-05-20-51-24 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents #types time string addr port addr port enum string interval count count string bool count string count count count count table[string] -1300475167.096535 UWkUyAuUGXf 141.142.220.202 5353 224.0.0.251 5353 udp dns - - - S0 - 0 D 1 73 0 0 (empty) -1300475167.097012 arKYeMETxOg fe80::217:f2ff:fed7:cf65 5353 ff02::fb 5353 udp - - - - S0 - 0 D 1 199 0 0 (empty) -1300475167.099816 k6kgXLOoSKl 141.142.220.50 5353 224.0.0.251 5353 udp - - - - S0 - 0 D 1 179 0 0 (empty) -1300475168.853899 TEfuqmmG4bh 141.142.220.118 43927 141.142.2.2 53 udp dns 0.000435 38 89 SF - 0 Dd 1 66 1 117 (empty) -1300475168.854378 FrJExwHcSal 141.142.220.118 37676 141.142.2.2 53 udp dns 0.000420 52 99 SF - 0 Dd 1 80 1 127 (empty) -1300475168.854837 5OKnoww6xl4 141.142.220.118 40526 141.142.2.2 53 udp dns 0.000392 38 183 SF - 0 Dd 1 66 1 211 (empty) -1300475168.857956 fRFu0wcOle6 141.142.220.118 32902 141.142.2.2 53 udp dns 0.000317 38 89 SF - 0 Dd 1 66 1 117 (empty) -1300475168.858306 qSsw6ESzHV4 141.142.220.118 59816 141.142.2.2 53 udp dns 0.000343 52 99 SF - 0 Dd 1 80 1 127 (empty) -1300475168.858713 iE6yhOq3SF 141.142.220.118 59714 141.142.2.2 53 udp dns 0.000375 38 183 SF - 0 Dd 1 66 1 211 (empty) -1300475168.891644 qCaWGmzFtM5 141.142.220.118 58206 141.142.2.2 53 udp dns 0.000339 38 89 SF - 0 Dd 1 66 1 117 (empty) -1300475168.892037 70MGiRM1Qf4 141.142.220.118 38911 141.142.2.2 53 udp dns 0.000335 52 99 SF - 0 Dd 1 80 1 127 (empty) -1300475168.892414 h5DsfNtYzi1 141.142.220.118 59746 141.142.2.2 53 udp dns 0.000421 38 183 SF - 0 Dd 1 66 1 211 (empty) -1300475168.893988 c4Zw9TmAE05 141.142.220.118 45000 141.142.2.2 53 udp dns 0.000384 38 89 SF - 0 Dd 1 66 1 117 (empty) -1300475168.894422 EAr0uf4mhq 141.142.220.118 48479 141.142.2.2 53 udp dns 
0.000317 52 99 SF - 0 Dd 1 80 1 127 (empty) -1300475168.894787 GvmoxJFXdTa 141.142.220.118 48128 141.142.2.2 53 udp dns 0.000423 38 183 SF - 0 Dd 1 66 1 211 (empty) -1300475168.901749 slFea8xwSmb 141.142.220.118 56056 141.142.2.2 53 udp dns 0.000402 36 131 SF - 0 Dd 1 64 1 159 (empty) -1300475168.902195 UfGkYA2HI2g 141.142.220.118 55092 141.142.2.2 53 udp dns 0.000374 36 198 SF - 0 Dd 1 64 1 226 (empty) -1300475169.899438 BWaU4aSuwkc 141.142.220.44 5353 224.0.0.251 5353 udp dns - - - S0 - 0 D 1 85 0 0 (empty) -1300475170.862384 10XodEwRycf 141.142.220.226 137 141.142.220.255 137 udp dns 2.613017 350 0 S0 - 0 D 7 546 0 0 (empty) -1300475171.675372 zno26fFZkrh fe80::3074:17d5:2052:c324 65373 ff02::1:3 5355 udp dns 0.100096 66 0 S0 - 0 D 2 162 0 0 (empty) -1300475171.677081 v5rgkJBig5l 141.142.220.226 55131 224.0.0.252 5355 udp dns 0.100021 66 0 S0 - 0 D 2 122 0 0 (empty) -1300475173.116749 eWZCH7OONC1 fe80::3074:17d5:2052:c324 54213 ff02::1:3 5355 udp dns 0.099801 66 0 S0 - 0 D 2 162 0 0 (empty) -1300475173.117362 0Pwk3ntf8O3 141.142.220.226 55671 224.0.0.252 5355 udp dns 0.099849 66 0 S0 - 0 D 2 122 0 0 (empty) -1300475173.153679 0HKorjr8Zp7 141.142.220.238 56641 141.142.220.255 137 udp dns - - - S0 - 0 D 1 78 0 0 (empty) -1300475168.859163 GSxOnSLghOa 141.142.220.118 49998 208.80.152.3 80 tcp http 0.215893 1130 734 S1 - 0 ShADad 6 1450 4 950 (empty) -1300475168.652003 nQcgTWjvg4c 141.142.220.118 35634 208.80.152.2 80 tcp - 0.061329 463 350 OTH - 0 DdA 2 567 1 402 (empty) -1300475168.895267 0Q4FH8sESw5 141.142.220.118 50001 208.80.152.3 80 tcp http 0.227284 1178 734 S1 - 0 ShADad 6 1498 4 950 (empty) -1300475168.902635 i2rO3KD1Syg 141.142.220.118 35642 208.80.152.2 80 tcp http 0.120041 534 412 S1 - 0 ShADad 4 750 3 576 (empty) -1300475168.892936 Tw8jXtpTGu6 141.142.220.118 50000 208.80.152.3 80 tcp http 0.229603 1148 734 S1 - 0 ShADad 6 1468 4 950 (empty) -1300475168.855305 3PKsZ2Uye21 141.142.220.118 49996 208.80.152.3 80 tcp http 0.218501 1171 733 S1 - 0 ShADad 6 
1491 4 949 (empty) -1300475168.892913 P654jzLoe3a 141.142.220.118 49999 208.80.152.3 80 tcp http 0.220961 1137 733 S1 - 0 ShADad 6 1457 4 949 (empty) -1300475169.780331 2cx26uAvUPl 141.142.220.235 6705 173.192.163.128 80 tcp - - - - OTH - 0 h 0 0 1 48 (empty) -1300475168.724007 j4u32Pc5bif 141.142.220.118 48649 208.80.152.118 80 tcp http 0.119905 525 232 S1 - 0 ShADad 4 741 3 396 (empty) -1300475168.855330 VW0XPVINV8a 141.142.220.118 49997 208.80.152.3 80 tcp http 0.219720 1125 734 S1 - 0 ShADad 6 1445 4 950 (empty) +1300475167.096535 UWkUyAuUGXf 141.142.220.202 5353 224.0.0.251 5353 udp dns - - - S0 - 0 D 1 73 0 0 - +1300475167.097012 arKYeMETxOg fe80::217:f2ff:fed7:cf65 5353 ff02::fb 5353 udp - - - - S0 - 0 D 1 199 0 0 - +1300475167.099816 k6kgXLOoSKl 141.142.220.50 5353 224.0.0.251 5353 udp - - - - S0 - 0 D 1 179 0 0 - +1300475168.853899 TEfuqmmG4bh 141.142.220.118 43927 141.142.2.2 53 udp dns 0.000435 38 89 SF - 0 Dd 1 66 1 117 - +1300475168.854378 FrJExwHcSal 141.142.220.118 37676 141.142.2.2 53 udp dns 0.000420 52 99 SF - 0 Dd 1 80 1 127 - +1300475168.854837 5OKnoww6xl4 141.142.220.118 40526 141.142.2.2 53 udp dns 0.000392 38 183 SF - 0 Dd 1 66 1 211 - +1300475168.857956 fRFu0wcOle6 141.142.220.118 32902 141.142.2.2 53 udp dns 0.000317 38 89 SF - 0 Dd 1 66 1 117 - +1300475168.858306 qSsw6ESzHV4 141.142.220.118 59816 141.142.2.2 53 udp dns 0.000343 52 99 SF - 0 Dd 1 80 1 127 - +1300475168.858713 iE6yhOq3SF 141.142.220.118 59714 141.142.2.2 53 udp dns 0.000375 38 183 SF - 0 Dd 1 66 1 211 - +1300475168.891644 qCaWGmzFtM5 141.142.220.118 58206 141.142.2.2 53 udp dns 0.000339 38 89 SF - 0 Dd 1 66 1 117 - +1300475168.892037 70MGiRM1Qf4 141.142.220.118 38911 141.142.2.2 53 udp dns 0.000335 52 99 SF - 0 Dd 1 80 1 127 - +1300475168.892414 h5DsfNtYzi1 141.142.220.118 59746 141.142.2.2 53 udp dns 0.000421 38 183 SF - 0 Dd 1 66 1 211 - +1300475168.893988 c4Zw9TmAE05 141.142.220.118 45000 141.142.2.2 53 udp dns 0.000384 38 89 SF - 0 Dd 1 66 1 117 - +1300475168.894422 
EAr0uf4mhq 141.142.220.118 48479 141.142.2.2 53 udp dns 0.000317 52 99 SF - 0 Dd 1 80 1 127 - +1300475168.894787 GvmoxJFXdTa 141.142.220.118 48128 141.142.2.2 53 udp dns 0.000423 38 183 SF - 0 Dd 1 66 1 211 - +1300475168.901749 slFea8xwSmb 141.142.220.118 56056 141.142.2.2 53 udp dns 0.000402 36 131 SF - 0 Dd 1 64 1 159 - +1300475168.902195 UfGkYA2HI2g 141.142.220.118 55092 141.142.2.2 53 udp dns 0.000374 36 198 SF - 0 Dd 1 64 1 226 - +1300475169.899438 BWaU4aSuwkc 141.142.220.44 5353 224.0.0.251 5353 udp dns - - - S0 - 0 D 1 85 0 0 - +1300475170.862384 10XodEwRycf 141.142.220.226 137 141.142.220.255 137 udp dns 2.613017 350 0 S0 - 0 D 7 546 0 0 - +1300475171.675372 zno26fFZkrh fe80::3074:17d5:2052:c324 65373 ff02::1:3 5355 udp dns 0.100096 66 0 S0 - 0 D 2 162 0 0 - +1300475171.677081 v5rgkJBig5l 141.142.220.226 55131 224.0.0.252 5355 udp dns 0.100021 66 0 S0 - 0 D 2 122 0 0 - +1300475173.116749 eWZCH7OONC1 fe80::3074:17d5:2052:c324 54213 ff02::1:3 5355 udp dns 0.099801 66 0 S0 - 0 D 2 162 0 0 - +1300475173.117362 0Pwk3ntf8O3 141.142.220.226 55671 224.0.0.252 5355 udp dns 0.099849 66 0 S0 - 0 D 2 122 0 0 - +1300475173.153679 0HKorjr8Zp7 141.142.220.238 56641 141.142.220.255 137 udp dns - - - S0 - 0 D 1 78 0 0 - +1300475168.859163 GSxOnSLghOa 141.142.220.118 49998 208.80.152.3 80 tcp http 0.215893 1130 734 S1 - 0 ShADad 6 1450 4 950 - +1300475168.652003 nQcgTWjvg4c 141.142.220.118 35634 208.80.152.2 80 tcp - 0.061329 463 350 OTH - 0 DdA 2 567 1 402 - +1300475168.895267 0Q4FH8sESw5 141.142.220.118 50001 208.80.152.3 80 tcp http 0.227284 1178 734 S1 - 0 ShADad 6 1498 4 950 - +1300475168.902635 i2rO3KD1Syg 141.142.220.118 35642 208.80.152.2 80 tcp http 0.120041 534 412 S1 - 0 ShADad 4 750 3 576 - +1300475168.892936 Tw8jXtpTGu6 141.142.220.118 50000 208.80.152.3 80 tcp http 0.229603 1148 734 S1 - 0 ShADad 6 1468 4 950 - +1300475168.855305 3PKsZ2Uye21 141.142.220.118 49996 208.80.152.3 80 tcp http 0.218501 1171 733 S1 - 0 ShADad 6 1491 4 949 - +1300475168.892913 
P654jzLoe3a 141.142.220.118 49999 208.80.152.3 80 tcp http 0.220961 1137 733 S1 - 0 ShADad 6 1457 4 949 - +1300475169.780331 2cx26uAvUPl 141.142.220.235 6705 173.192.163.128 80 tcp - - - - OTH - 0 h 0 0 1 48 - +1300475168.724007 j4u32Pc5bif 141.142.220.118 48649 208.80.152.118 80 tcp http 0.119905 525 232 S1 - 0 ShADad 4 741 3 396 - +1300475168.855330 VW0XPVINV8a 141.142.220.118 49997 208.80.152.3 80 tcp http 0.219720 1125 734 S1 - 0 ShADad 6 1445 4 950 - #close 2013-05-05-20-51-24 diff --git a/testing/btest/Baseline/doc.manual.using_bro_sandbox_02/conn.log b/testing/btest/Baseline/doc.manual.using_bro_sandbox_02/conn.log index 1227e60ad3..cc68286986 100644 --- a/testing/btest/Baseline/doc.manual.using_bro_sandbox_02/conn.log +++ b/testing/btest/Baseline/doc.manual.using_bro_sandbox_02/conn.log 
@@ -6,10 +6,10 @@ #open 2013-05-07-14-38-27 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents #types time string addr port addr port enum string interval count count string bool count string count count count count table[string] -1320329757.771503 j4u32Pc5bif 10.0.2.15 49286 192.150.187.43 80 tcp http 15.161537 2899 1127 S2 - 0 ShADadF 20 3719 19 1891 (empty) -1320329757.771262 nQcgTWjvg4c 10.0.2.15 49285 192.150.187.43 80 tcp http 15.161772 889 377 S2 - 0 ShADadF 8 1229 8 701 (empty) -1320329757.761327 arKYeMETxOg 10.0.2.15 49283 192.150.187.43 80 tcp http 15.168898 459 189 S2 - 0 ShADadF 5 679 4 353 (empty) -1320329757.458867 UWkUyAuUGXf 10.0.2.15 49282 192.150.187.43 80 tcp http 15.471378 1824 751 S2 - 0 ShADadF 12 2324 13 1275 (empty) -1320329757.761638 k6kgXLOoSKl 10.0.2.15 49284 192.150.187.43 80 tcp http 15.168613 898 376 S2 - 0 ShADadF 8 1238 8 700 (empty) -1320329757.771755 TEfuqmmG4bh 10.0.2.15 49287 192.150.187.43 80 tcp http 15.161267 900 376 S2 - 0 ShADadF 8 1240 8 700 (empty) +1320329757.771503 j4u32Pc5bif 10.0.2.15 49286 192.150.187.43 80 tcp http 15.161537 2899 1127 S2 - 0 ShADadF 20 3719 19 1891 - +1320329757.771262 nQcgTWjvg4c 10.0.2.15 49285 192.150.187.43 80 tcp http 15.161772 889 377 S2 - 0 ShADadF 8 1229 8 701 - +1320329757.761327 arKYeMETxOg 10.0.2.15 49283 192.150.187.43 80 tcp http 15.168898 459 189 S2 - 0 ShADadF 5 679 4 353 - +1320329757.458867 UWkUyAuUGXf 10.0.2.15 49282 192.150.187.43 80 tcp http 15.471378 1824 751 S2 - 0 ShADadF 12 2324 13 1275 - +1320329757.761638 k6kgXLOoSKl 10.0.2.15 49284 192.150.187.43 80 tcp http 15.168613 898 376 S2 - 0 ShADadF 8 1238 8 700 - +1320329757.771755 TEfuqmmG4bh 10.0.2.15 49287 192.150.187.43 80 tcp http 15.161267 900 376 S2 - 0 ShADadF 8 1240 8 700 - #close 2013-05-07-14-38-27 
diff --git a/testing/btest/Baseline/doc.sphinx.conditional-notice/btest-doc.sphinx.conditional-notice#1 b/testing/btest/Baseline/doc.sphinx.conditional-notice/btest-doc.sphinx.conditional-notice#1 index 4164b54e53..0cb081d6fb 100644 --- a/testing/btest/Baseline/doc.sphinx.conditional-notice/btest-doc.sphinx.conditional-notice#1 +++ b/testing/btest/Baseline/doc.sphinx.conditional-notice/btest-doc.sphinx.conditional-notice#1 @@ -18,9 +18,9 @@ #empty_field (empty) #unset_field - #path notice - #open 2016-07-13-16-13-16 + #open 2017-12-21-02-23-46 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude #types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] interval bool string string string double double - 1394745603.293028 CHhAvVGS1DHFjwGM9 192.168.4.149 60539 87.98.220.10 443 F1fX1R2cDOzbvg17ye - - tcp SSL::Certificate_Expired Certificate CN=www.spidh.org,OU=COMODO SSL,OU=Domain Control Validated expired at 2014-03-04-23:59:59.000000000 - 192.168.4.149 87.98.220.10 443 - bro Notice::ACTION_EMAIL,Notice::ACTION_LOG 86400.000000 F - - - - - - #close 2016-07-13-16-13-17 + 1394745603.293028 CHhAvVGS1DHFjwGM9 192.168.4.149 60539 87.98.220.10 443 F1fX1R2cDOzbvg17ye - - tcp SSL::Certificate_Expired Certificate CN=www.spidh.org,OU=COMODO SSL,OU=Domain Control Validated expired at 2014-03-04-23:59:59.000000000 - 192.168.4.149 87.98.220.10 443 - - Notice::ACTION_EMAIL,Notice::ACTION_LOG 86400.000000 F - - - - - + #close 2017-12-21-02-23-46 diff --git a/testing/btest/Baseline/doc.sphinx.connection-record-01/btest-doc.sphinx.connection-record-01#1 b/testing/btest/Baseline/doc.sphinx.connection-record-01/btest-doc.sphinx.connection-record-01#1 index 763f42387e..fcc4c8f846 100644 
--- a/testing/btest/Baseline/doc.sphinx.connection-record-01/btest-doc.sphinx.connection-record-01#1 +++ b/testing/btest/Baseline/doc.sphinx.connection-record-01/btest-doc.sphinx.connection-record-01#1 @@ -7,7 +7,5 @@ # bro -b -r http/get.trace connection_record_01.bro [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.211484, service={ - }, history=ShADadFf, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, conn=[ts=1362692526.869344, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=, local_resp=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents={ - - }], extract_orig=F, extract_resp=F, thresholds=] + }, history=ShADadFf, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, conn=[ts=1362692526.869344, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=, local_resp=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=], extract_orig=F, extract_resp=F, thresholds=] diff --git a/testing/btest/Baseline/doc.sphinx.connection-record-02/btest-doc.sphinx.connection-record-02#1 b/testing/btest/Baseline/doc.sphinx.connection-record-02/btest-doc.sphinx.connection-record-02#1 index 23cba743e3..db5b18beeb 100644 --- a/testing/btest/Baseline/doc.sphinx.connection-record-02/btest-doc.sphinx.connection-record-02#1 
+++ b/testing/btest/Baseline/doc.sphinx.connection-record-02/btest-doc.sphinx.connection-record-02#1 
@@ -7,9 +7,7 @@ # bro -b -r http/get.trace connection_record_02.bro [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.211484, service={ - }, history=ShADadFf, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, conn=[ts=1362692526.869344, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=, local_resp=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents={ - - }], extract_orig=F, extract_resp=F, thresholds=, http=[ts=1362692526.939527, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=, info_msg=, tags={ + }, history=ShADadFf, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, conn=[ts=1362692526.869344, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=, local_resp=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=], extract_orig=F, extract_resp=F, thresholds=, http=[ts=1362692526.939527, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=/download/CHANGES.bro-aux.txt, referrer=, version=1.1, 
user_agent=Wget/1.14 (darwin12.2.0), request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=, info_msg=, tags={ }, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=[FakNcS1Jfe01uljb3], resp_filenames=, resp_mime_types=[text/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={ diff --git a/testing/btest/Baseline/doc.sphinx.ftp-bruteforce/btest-doc.sphinx.ftp-bruteforce#1 b/testing/btest/Baseline/doc.sphinx.ftp-bruteforce/btest-doc.sphinx.ftp-bruteforce#1 index 55bbccb828..3d3ad09013 100644 --- a/testing/btest/Baseline/doc.sphinx.ftp-bruteforce/btest-doc.sphinx.ftp-bruteforce#1 +++ b/testing/btest/Baseline/doc.sphinx.ftp-bruteforce/btest-doc.sphinx.ftp-bruteforce#1 @@ -16,9 +16,9 @@ #empty_field (empty) #unset_field - #path notice - #open 2014-04-01-22-59-07 + #open 2017-12-21-02-24-08 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude #types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] interval bool string string string double double - 1389721084.522861 - - - - - - - - - FTP::Bruteforcing 192.168.56.1 had 20 failed logins on 1 FTP server in 0m37s - 192.168.56.1 - - - bro Notice::ACTION_LOG 3600.000000 F - - - - - - #close 2014-04-01-22-59-07 + 1389721084.522861 - - - - - - - - - FTP::Bruteforcing 192.168.56.1 had 20 failed logins on 1 FTP server in 0m37s - 192.168.56.1 - - - - Notice::ACTION_LOG 3600.000000 F - - - - - + #close 2017-12-21-02-24-08 
diff --git a/testing/btest/Baseline/doc.sphinx.http_proxy_04/btest-doc.sphinx.http_proxy_04#1 b/testing/btest/Baseline/doc.sphinx.http_proxy_04/btest-doc.sphinx.http_proxy_04#1 index 1d31f4b027..7ec214a1a9 100644 --- a/testing/btest/Baseline/doc.sphinx.http_proxy_04/btest-doc.sphinx.http_proxy_04#1 +++ b/testing/btest/Baseline/doc.sphinx.http_proxy_04/btest-doc.sphinx.http_proxy_04#1 @@ -16,9 +16,9 @@ #empty_field (empty) #unset_field - #path notice - #open 2016-07-13-16-13-22 + #open 2017-12-21-02-24-33 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude #types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] interval bool string string string double double - 1389654450.449603 CHhAvVGS1DHFjwGM9 192.168.56.1 52679 192.168.56.101 80 - - - tcp HTTP::Open_Proxy A local server is acting as an open proxy: 192.168.56.101 - 192.168.56.1 192.168.56.101 80 - bro Notice::ACTION_LOG 86400.000000 F - - - - - - #close 2016-07-13-16-13-22 + 1389654450.449603 CHhAvVGS1DHFjwGM9 192.168.56.1 52679 192.168.56.101 80 - - - tcp HTTP::Open_Proxy A local server is acting as an open proxy: 192.168.56.101 - 192.168.56.1 192.168.56.101 80 - - Notice::ACTION_LOG 86400.000000 F - - - - - + #close 2017-12-21-02-24-33 diff --git a/testing/btest/Baseline/doc.sphinx.include-build_scripts_base_bif_plugins_Bro_DNS_events_bif_bro/output b/testing/btest/Baseline/doc.sphinx.include-build_scripts_base_bif_plugins_Bro_DNS_events_bif_bro/output new file mode 100644 index 0000000000..6e15ece5e0 --- /dev/null +++ b/testing/btest/Baseline/doc.sphinx.include-build_scripts_base_bif_plugins_Bro_DNS_events_bif_bro/output 
@@ -0,0 +1,30 @@
+# @TEST-EXEC: cat %INPUT >output && btest-diff output
+
+Bro_DNS.events.bif.bro
+
+## Generated for DNS requests. For requests with multiple queries, this event
+## is raised once for each.
+##
+## See `Wikipedia `__ for more
+## information about the DNS protocol. Bro analyzes both UDP and TCP DNS
+## sessions.
+##
+## c: The connection, which may be UDP or TCP depending on the type of the
+## transport-layer session being analyzed.
+##
+## msg: The parsed DNS message header.
+##
+## query: The queried name.
+##
+## qtype: The queried resource record type.
+##
+## qclass: The queried resource record class.
+##
+## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl
+## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply
+## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end
+## dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name
+## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply
+## dns_rejected non_dns_request dns_max_queries dns_session_timeout dns_skip_addl
+## dns_skip_all_addl dns_skip_all_auth dns_skip_auth
+global dns_request: event(c: connection , msg: dns_msg , query: string , qtype: count , qclass: count );
diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_connecting-connector_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_connecting-connector_bro/output
index c4cbde045c..d2916a4c4f 100644
--- a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_connecting-connector_bro/output
+++ b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_connecting-connector_bro/output
@@ -2,21 +2,15 @@
 connecting-connector.bro
-const broker_port: port = 9999/tcp &redef;
 redef exit_only_after_terminate = T;
-redef Broker::endpoint_name = "connector";
 event bro_init()
 {
- Broker::enable();
- Broker::connect("127.0.0.1", broker_port, 1sec);
+ Broker::peer("127.0.0.1");
 }
-event Broker::outgoing_connection_established(peer_address: string,
- peer_port: port,
- peer_name: string)
+event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string)
 {
- print "Broker::outgoing_connection_established",
- peer_address, peer_port, peer_name;
+ print "peer added", endpoint;
 terminate();
 }
diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_connecting-listener_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_connecting-listener_bro/output
index 8ea85569c9..b15bac75c0 100644
--- a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_connecting-listener_bro/output
+++ b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_connecting-listener_bro/output
@@ -2,23 +2,20 @@
 connecting-listener.bro
-const broker_port: port = 9999/tcp &redef;
 redef exit_only_after_terminate = T;
-redef Broker::endpoint_name = "listener";
 event bro_init()
 {
- Broker::enable();
- Broker::listen(broker_port, "127.0.0.1");
+ Broker::listen("127.0.0.1");
 }
-event Broker::incoming_connection_established(peer_name: string)
+event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string)
 {
- print "Broker::incoming_connection_established", peer_name;
+ print "peer added", endpoint;
 }
-event Broker::incoming_connection_broken(peer_name: string)
+event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string)
 {
- print "Broker::incoming_connection_broken", peer_name;
+ print "peer lost", endpoint;
 terminate();
 }
diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_events-connector_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_events-connector_bro/output
index d7a0e64be2..96616dbd3c 100644
--- a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_events-connector_bro/output
+++ b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_events-connector_bro/output
@@ -2,34 +2,38 @@
 events-connector.bro
-const broker_port: port = 9999/tcp &redef;
 redef exit_only_after_terminate = T;
-redef Broker::endpoint_name = "connector";
 global my_event: event(msg: string, c: count);
 global my_auto_event: event(msg: string, c: count);
 event bro_init()
 {
- Broker::enable();
- Broker::connect("127.0.0.1", broker_port, 1sec);
- Broker::auto_event("bro/event/my_auto_event", my_auto_event);
+ Broker::peer("127.0.0.1");
+ Broker::auto_publish("bro/event/my_auto_event", my_auto_event);
 }
-event Broker::outgoing_connection_established(peer_address: string,
- peer_port: port,
- peer_name: string)
+event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string)
 {
- print "Broker::outgoing_connection_established",
- peer_address, peer_port, peer_name;
- Broker::send_event("bro/event/my_event", Broker::event_args(my_event, "hi", 0));
+ print "peer added", endpoint;
+ Broker::publish("bro/event/my_event", my_event, "hi", 0);
 event my_auto_event("stuff", 88);
- Broker::send_event("bro/event/my_event", Broker::event_args(my_event, "...", 1));
+ Broker::publish("bro/event/my_event", my_event, "...", 1);
 event my_auto_event("more stuff", 51);
- Broker::send_event("bro/event/my_event", Broker::event_args(my_event, "bye", 2));
+ local e = Broker::make_event(my_event, "bye", 2);
+ Broker::publish("bro/event/my_event", e);
 }
-event Broker::outgoing_connection_broken(peer_address: string,
- peer_port: port)
+event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string)
 {
 terminate();
 }
+
+event my_event(msg: string, c: count)
+ {
+ print "got my_event", msg, c;
+ }
+
+event my_auto_event(msg: string, c: count)
+ {
+ print "got my_auto_event", msg, c;
+ }
diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_events-listener_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_events-listener_bro/output
index 640722cac0..928ba60311 100644
--- a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_events-listener_bro/output
+++ b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_events-listener_bro/output
@@ -2,23 +2,20 @@
 events-listener.bro
-const broker_port: port = 9999/tcp &redef;
 redef exit_only_after_terminate = T;
-redef Broker::endpoint_name = "listener";
 global msg_count = 0;
 global my_event: event(msg: string, c: count);
 global my_auto_event: event(msg: string, c: count);
 event bro_init()
 {
- Broker::enable();
- Broker::subscribe_to_events("bro/event/");
- Broker::listen(broker_port, "127.0.0.1");
+ Broker::subscribe("bro/event/");
+ Broker::listen("127.0.0.1");
 }
-event Broker::incoming_connection_established(peer_name: string)
+event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string)
 {
- print "Broker::incoming_connection_established", peer_name;
+ print "peer added", endpoint;
 }
 event my_event(msg: string, c: count)
diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_logs-connector_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_logs-connector_bro/output
index 907d712c88..84d0a60391 100644
--- a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_logs-connector_bro/output
+++ b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_logs-connector_bro/output
@@ -4,18 +4,12 @@ logs-connector.bro
 @load ./testlog
-const broker_port: port = 9999/tcp &redef;
 redef exit_only_after_terminate = T;
-redef Broker::endpoint_name = "connector";
-redef Log::enable_local_logging = F;
-redef Log::enable_remote_logging = F;
 global n = 0;
 event bro_init()
 {
- Broker::enable();
- Broker::enable_remote_logs(Test::LOG);
- Broker::connect("127.0.0.1", broker_port, 1sec);
+ Broker::peer("127.0.0.1");
 }
 event do_write()
@@ -28,17 +22,19 @@ event do_write()
 event do_write();
 }
-event Broker::outgoing_connection_established(peer_address: string,
- peer_port: port,
- peer_name: string)
+event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string)
 {
- print "Broker::outgoing_connection_established",
- peer_address, peer_port, peer_name;
+ print "peer added", endpoint;
 event do_write();
 }
-event Broker::outgoing_connection_broken(peer_address: string,
- peer_port: port)
+event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string)
 {
 terminate();
 }
+
+event Test::log_test(rec: Test::Info)
+ {
+ print "wrote log", rec;
+ Broker::publish("bro/logs/forward/test", Test::log_test, rec);
+ }
diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_logs-listener_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_logs-listener_bro/output
index de6abbf5a0..359a88b476 100644
--- a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_logs-listener_bro/output
+++ b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_logs-listener_bro/output
@@ -4,25 +4,22 @@ logs-listener.bro
 @load ./testlog
-const broker_port: port = 9999/tcp &redef;
 redef exit_only_after_terminate = T;
-redef Broker::endpoint_name = "listener";
 event bro_init()
 {
- Broker::enable();
- Broker::subscribe_to_logs("bro/log/Test::LOG");
- Broker::listen(broker_port, "127.0.0.1");
+ Broker::subscribe("bro/logs");
+ Broker::listen("127.0.0.1");
 }
-event Broker::incoming_connection_established(peer_name: string)
+event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string)
 {
- print "Broker::incoming_connection_established", peer_name;
+ print "peer added", endpoint;
 }
 event Test::log_test(rec: Test::Info)
 {
- print "wrote log", rec;
+ print "got log event", rec;
 if ( rec$num == 5 )
 terminate();
diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_printing-connector_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_printing-connector_bro/output
deleted file mode 100644
index 91ee179fe6..0000000000
--- a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_printing-connector_bro/output
+++ /dev/null
@@ -1,30 +0,0 @@
-# @TEST-EXEC: cat %INPUT >output && btest-diff output
-
-printing-connector.bro
-
-const broker_port: port = 9999/tcp &redef;
-redef exit_only_after_terminate = T;
-redef Broker::endpoint_name = "connector";
-
-event bro_init()
- {
- Broker::enable();
- Broker::connect("127.0.0.1", broker_port, 1sec);
- }
-
-event Broker::outgoing_connection_established(peer_address: string,
- peer_port: port,
- peer_name: string)
- {
- print "Broker::outgoing_connection_established",
- peer_address, peer_port, peer_name;
- Broker::send_print("bro/print/hi", "hello");
- Broker::send_print("bro/print/stuff", "...");
- Broker::send_print("bro/print/bye", "goodbye");
- }
-
-event Broker::outgoing_connection_broken(peer_address: string,
- peer_port: port)
- {
- terminate();
- }
diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_printing-listener_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_printing-listener_bro/output
deleted file mode 100644
index 37e4d0eae9..0000000000
--- a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_printing-listener_bro/output
+++ /dev/null
@@ -1,29 +0,0 @@
-# @TEST-EXEC: cat %INPUT >output && btest-diff output
-
-printing-listener.bro
-
-const broker_port: port = 9999/tcp &redef;
-redef exit_only_after_terminate = T;
-redef Broker::endpoint_name = "listener";
-global msg_count = 0;
-
-event bro_init()
- {
- Broker::enable();
- Broker::subscribe_to_prints("bro/print/");
- Broker::listen(broker_port, "127.0.0.1");
- }
-
-event Broker::incoming_connection_established(peer_name: string)
- {
- print "Broker::incoming_connection_established", peer_name;
- }
-
-event Broker::print_handler(msg: string)
- {
- ++msg_count;
- print "got print message", msg;
-
- if ( msg_count == 3 )
- terminate();
- }
diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_stores-connector_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_stores-connector_bro/output
index 74b59467e7..8ef4dca1f5 100644
--- a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_stores-connector_bro/output
+++ b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_stores-connector_bro/output
@@ -2,56 +2,32 @@
 stores-connector.bro
-const broker_port: port = 9999/tcp &redef;
 redef exit_only_after_terminate = T;
-global h: opaque of Broker::Handle;
-
-function dv(d: Broker::Data): Broker::DataVector
- {
- local rval: Broker::DataVector;
- rval[0] = d;
- return rval;
- }
+global h: opaque of Broker::Store;
 global ready: event();
-event Broker::outgoing_connection_broken(peer_address: string,
- peer_port: port)
+event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string)
 {
 terminate();
 }
-event Broker::outgoing_connection_established(peer_address: string,
- peer_port: port,
- peer_name: string)
- {
- local myset: set[string] = {"a", "b", "c"};
- local myvec: vector of string = {"alpha", "beta", "gamma"};
- h = Broker::create_master("mystore");
- Broker::insert(h, Broker::data("one"), Broker::data(110));
- Broker::insert(h, Broker::data("two"), Broker::data(223));
- Broker::insert(h, Broker::data("myset"), Broker::data(myset));
- Broker::insert(h, Broker::data("myvec"), Broker::data(myvec));
- Broker::increment(h, Broker::data("one"));
- Broker::decrement(h, Broker::data("two"));
- Broker::add_to_set(h, Broker::data("myset"), Broker::data("d"));
- Broker::remove_from_set(h, Broker::data("myset"), Broker::data("b"));
- Broker::push_left(h, Broker::data("myvec"), dv(Broker::data("delta")));
- Broker::push_right(h, Broker::data("myvec"), dv(Broker::data("omega")));
-
- when ( local res = Broker::size(h) )
- {
- print "master size", res;
- event ready();
- }
- timeout 10sec
- { print "timeout"; }
- }
-
 event bro_init()
 {
- Broker::enable();
- Broker::connect("127.0.0.1", broker_port, 1secs);
- Broker::auto_event("bro/event/ready", ready);
+ h = Broker::create_master("mystore");
+
+ local myset: set[string] = {"a", "b", "c"};
+ local myvec: vector of string = {"alpha", "beta", "gamma"};
+ Broker::put(h, "one", 110);
+ Broker::put(h, "two", 223);
+ Broker::put(h, "myset", myset);
+ Broker::put(h, "myvec", myvec);
+ Broker::increment(h, "one");
+
Broker::decrement(h, "two");
+ Broker::insert_into_set(h, "myset", "d");
+ Broker::remove_from(h, "myset", "b");
+ Broker::push(h, "myvec", "delta");
+
+ Broker::peer("127.0.0.1");
 }
diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_stores-listener_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_stores-listener_bro/output
index 8dadbc803c..571ede2687 100644
--- a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_stores-listener_bro/output
+++ b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_stores-listener_bro/output
@@ -2,46 +2,82 @@
 stores-listener.bro
-const broker_port: port = 9999/tcp &redef;
 redef exit_only_after_terminate = T;
-global h: opaque of Broker::Handle;
+global h: opaque of Broker::Store;
 global expected_key_count = 4;
 global key_count = 0;
+# Lookup a value in the store based on an arbitrary key string.
 function do_lookup(key: string)
 {
- when ( local res = Broker::lookup(h, Broker::data(key)) )
+ when ( local res = Broker::get(h, key) )
 {
 ++key_count;
 print "lookup", key, res;
- if ( key_count == expected_key_count )
+ # End after we iterated over looking up each key in the store twice.
+ if ( key_count == expected_key_count * 2 )
 terminate();
 }
- timeout 10sec
+ # All data store queries must specify a timeout
+ timeout 3sec
 { print "timeout", key; }
 }
-event ready()
+event check_keys()
 {
- h = Broker::create_clone("mystore");
-
+ # Here we just query for the list of keys in the store, and show how to
+ # look up each one's value.
 when ( local res = Broker::keys(h) )
 {
 print "clone keys", res;
- do_lookup(Broker::refine_to_string(Broker::vector_lookup(res$result, 0)));
- do_lookup(Broker::refine_to_string(Broker::vector_lookup(res$result, 1)));
- do_lookup(Broker::refine_to_string(Broker::vector_lookup(res$result, 2)));
- do_lookup(Broker::refine_to_string(Broker::vector_lookup(res$result, 3)));
+
+ if ( res?$result )
+ {
+ # Since we know that the keys we are storing are all strings,
+ # we can conveniently cast the result of Broker::keys to
+ # a native Bro type, namely 'set[string]'.
+ for ( k in res$result as string_set )
+ do_lookup(k);
+
+ # Alternatively, we can use a generic iterator to iterate
+ # over the results (which we know is of the 'set' type because
+ # that's what Broker::keys() always returns). If the keys
+ # we stored were not all of the same type, then you would
+ # likely want to use this method of inspecting the store's keys.
+ local i = Broker::set_iterator(res$result);
+
+ while ( !
Broker::set_iterator_last(i) )
+ {
+ do_lookup(Broker::set_iterator_value(i) as string);
+ Broker::set_iterator_next(i);
+ }
+ }
 }
- timeout 10sec
- { print "timeout"; }
+ # All data store queries must specify a timeout.
+ # You also might see timeouts on connecting/initializing a clone since
+ # it hasn't had time to get fully set up yet.
+ timeout 1sec
+ {
+ print "timeout";
+ schedule 1sec { check_keys() };
+ }
+ }
+
+event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string)
+ {
+ print "peer added";
+ # We could create a clone early, like in bro_init and it will periodically
+ # try to synchronize with its master once it connects, however, we just
+ # create it now since we know the peer w/ the master store has just
+ # connected.
+ h = Broker::create_clone("mystore");
+
+ event check_keys();
 }
 event bro_init()
 {
- Broker::enable();
- Broker::subscribe_to_events("bro/event/ready");
- Broker::listen(broker_port, "127.0.0.1");
+ Broker::listen("127.0.0.1");
 }
diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_testlog_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_testlog_bro/output
index d5a92417dc..8d779a1b92 100644
--- a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_testlog_bro/output
+++ b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_broker_testlog_bro/output
@@ -17,6 +17,5 @@ export {
 event bro_init() &priority=5
 {
- Broker::enable();
 Log::create_stream(Test::LOG, [$columns=Test::Info, $ev=log_test, $path="test"]);
 }
diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_scripting_data_struct_vector_declaration_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_scripting_data_struct_vector_declaration_bro/output
index 4f1260e4ed..22790f45fe 100644
--- a/testing/btest/Baseline/doc.sphinx.include-doc_scripting_data_struct_vector_declaration_bro/output
+++ b/testing/btest/Baseline/doc.sphinx.include-doc_scripting_data_struct_vector_declaration_bro/output
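Review bot: In `do_lookup` of the stores-listener hunk, the `timeout 3sec` branch only prints, so a single timed-out `Broker::get` leaves `key_count` below `expected_key_count * 2` and `terminate()` is never reached; with `exit_only_after_terminate = T` the listener then keeps running until something outside stops it. `check_keys` looks to have a similar gap if the `Broker::keys` query can complete without `res?$result` being set, since that path neither looks anything up nor reschedules. I would end the run from the failure path as well, e.g. `{ print "timeout", key; terminate(); }`, or count the timed-out lookup toward `key_count` before the same comparison. This file is a test baseline that appears to mirror the documentation example, so the change belongs in the example script and the baseline should be regenerated from it.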
@@ -7,10 +7,10 @@ event bro_init()
 local v1: vector of count;
 local v2 = vector(1, 2, 3, 4);
- v1[|v1|] = 1;
- v1[|v1|] = 2;
- v1[|v1|] = 3;
- v1[|v1|] = 4;
+ v1 += 1;
+ v1 += 2;
+ v1 += 3;
+ v1 += 4;
 print fmt("contents of v1: %s", v1);
 print fmt("length of v1: %d", |v1|);
diff --git a/testing/btest/Baseline/doc.sphinx.include-doc_scripting_framework_logging_factorial_03_bro/output b/testing/btest/Baseline/doc.sphinx.include-doc_scripting_framework_logging_factorial_03_bro/output
index d5d1c23b2b..01ed659c75 100644
--- a/testing/btest/Baseline/doc.sphinx.include-doc_scripting_framework_logging_factorial_03_bro/output
+++ b/testing/btest/Baseline/doc.sphinx.include-doc_scripting_framework_logging_factorial_03_bro/output
@@ -2,6 +2,43 @@
 framework_logging_factorial_03.bro
+module Factor;
+
+export {
+ redef enum Log::ID += { LOG };
+
+ type Info: record {
+ num: count &log;
+ factorial_num: count &log;
+ };
+ }
+
+function factorial(n: count): count
+ {
+ if ( n == 0 )
+ return 1;
+
+ else
+ return (n * factorial(n - 1));
+ }
+
+event bro_done()
+ {
+ local numbers: vector of count = vector(1, 2, 3, 4, 5, 6, 7, 8, 9, 10);
+ for ( n in numbers )
+ Log::write( Factor::LOG, [$num=numbers[n],
+ $factorial_num=factorial(numbers[n])]);
+ }
+
+function mod5(id: Log::ID, path: string, rec: Factor::Info) : string
+ {
+ if ( rec$factorial_num % 5 == 0 )
+ return "factor-mod5";
+
+ else
+ return "factor-non5";
+ }
+
 event bro_init()
 {
 Log::create_stream(LOG, [$columns=Info, $path="factor"]);
diff --git a/testing/btest/Baseline/doc.sphinx.include-scripts_policy_protocols_conn_known-hosts_bro/output b/testing/btest/Baseline/doc.sphinx.include-scripts_policy_protocols_conn_known-hosts_bro/output
deleted file mode 100644
index 150de38f35..0000000000
--- a/testing/btest/Baseline/doc.sphinx.include-scripts_policy_protocols_conn_known-hosts_bro/output
+++ /dev/null
@@ -1,9 +0,0 @@
-# @TEST-EXEC: cat %INPUT >output && btest-diff output
-
-known-hosts.bro
-
-module Known;
-
-export {
- global known_hosts: set[addr] &create_expire=1day &synchronized &redef;
-}
diff --git a/testing/btest/Baseline/doc.sphinx.netcontrol-3-ssh-guesser.bro/btest-doc.sphinx.netcontrol-3-ssh-guesser.bro#1 b/testing/btest/Baseline/doc.sphinx.netcontrol-3-ssh-guesser.bro/btest-doc.sphinx.netcontrol-3-ssh-guesser.bro#1
index 85b8662f40..5f899ce9c0 100644
--- a/testing/btest/Baseline/doc.sphinx.netcontrol-3-ssh-guesser.bro/btest-doc.sphinx.netcontrol-3-ssh-guesser.bro#1
+++ b/testing/btest/Baseline/doc.sphinx.netcontrol-3-ssh-guesser.bro/btest-doc.sphinx.netcontrol-3-ssh-guesser.bro#1
@@ -20,13 +20,13 @@ #empty_field (empty) #unset_field - #path netcontrol - #open 2016-07-26-22-04-14 + #open 2017-12-21-18-58-53 #fields ts rule_id category cmd state action target entity_type entity mod msg priority expire location plugin #types time string enum string enum string enum string string string string int interval string string 0.000000 - NetControl::MESSAGE - - - - - - - activating plugin with priority 0 - - - Debug-All 0.000000 - NetControl::MESSAGE - - - - - - - activation finished - - - Debug-All 0.000000 - NetControl::MESSAGE - - - - - - - plugin initialization done - - - - - 1427726711.398575 2 NetControl::RULE ADD NetControl::REQUESTED NetControl::DROP NetControl::FORWARD NetControl::ADDRESS 192.168.56.1/32 - - 0 600.000000 ACTION_DROP: T Debug-All - 1427726711.398575 2 NetControl::RULE ADD NetControl::SUCCEEDED NetControl::DROP NetControl::FORWARD NetControl::ADDRESS 192.168.56.1/32 - - 0 600.000000 ACTION_DROP: T Debug-All - #close 2016-07-26-22-04-14 + 1427726759.303199 2 NetControl::RULE ADD NetControl::REQUESTED NetControl::DROP NetControl::FORWARD NetControl::ADDRESS 192.168.56.1/32 - - 0 600.000000 ACTION_DROP: T Debug-All + 1427726759.303199 2 NetControl::RULE ADD NetControl::SUCCEEDED NetControl::DROP NetControl::FORWARD NetControl::ADDRESS 192.168.56.1/32 - - 0 600.000000 ACTION_DROP: T Debug-All + #close 2017-12-21-18-58-53 diff --git a/testing/btest/Baseline/doc.sphinx.netcontrol-3-ssh-guesser.bro/btest-doc.sphinx.netcontrol-3-ssh-guesser.bro#2 b/testing/btest/Baseline/doc.sphinx.netcontrol-3-ssh-guesser.bro/btest-doc.sphinx.netcontrol-3-ssh-guesser.bro#2 index 4501f85377..039821c266 100644 --- a/testing/btest/Baseline/doc.sphinx.netcontrol-3-ssh-guesser.bro/btest-doc.sphinx.netcontrol-3-ssh-guesser.bro#2 +++ b/testing/btest/Baseline/doc.sphinx.netcontrol-3-ssh-guesser.bro/btest-doc.sphinx.netcontrol-3-ssh-guesser.bro#2 
@@ -10,9 +10,9 @@ #empty_field (empty) #unset_field - #path notice - #open 2016-07-26-22-04-14 + #open 2017-12-21-18-58-53 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude #types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] interval bool string string string double double - 1427726711.398575 - - - - - - - - - SSH::Password_Guessing 192.168.56.1 appears to be guessing SSH passwords (seen in 10 connections). Sampled servers: 192.168.56.103, 192.168.56.103, 192.168.56.103, 192.168.56.103, 192.168.56.103 192.168.56.1 - - - bro Notice::ACTION_DROP,Notice::ACTION_LOG 3600.000000 F - - - - - - #close 2016-07-26-22-04-14 + 1427726759.303199 - - - - - - - - - SSH::Password_Guessing 192.168.56.1 appears to be guessing SSH passwords (seen in 10 connections). Sampled servers: 192.168.56.103, 192.168.56.103, 192.168.56.103, 192.168.56.103, 192.168.56.103 192.168.56.1 - - - - Notice::ACTION_DROP,Notice::ACTION_LOG 3600.000000 F - - - - - + #close 2017-12-21-18-58-53 diff --git a/testing/btest/Baseline/doc.sphinx.notice_ssh_guesser.bro/btest-doc.sphinx.notice_ssh_guesser.bro#1 b/testing/btest/Baseline/doc.sphinx.notice_ssh_guesser.bro/btest-doc.sphinx.notice_ssh_guesser.bro#1 index a8d9ce96d1..56918146fa 100644 --- a/testing/btest/Baseline/doc.sphinx.notice_ssh_guesser.bro/btest-doc.sphinx.notice_ssh_guesser.bro#1 +++ b/testing/btest/Baseline/doc.sphinx.notice_ssh_guesser.bro/btest-doc.sphinx.notice_ssh_guesser.bro#1 
@@ -18,9 +18,9 @@ #empty_field (empty) #unset_field - #path notice - #open 2015-03-30-16-20-23 + #open 2017-12-21-02-24-48 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude #types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] interval bool string string string double double - 1427726711.398575 - - - - - - - - - SSH::Password_Guessing 192.168.56.1 appears to be guessing SSH passwords (seen in 10 connections). Sampled servers: 192.168.56.103, 192.168.56.103, 192.168.56.103, 192.168.56.103, 192.168.56.103 192.168.56.1 - - - bro Notice::ACTION_EMAIL,Notice::ACTION_LOG 3600.000000 F - - - - - - #close 2015-03-30-16-20-23 + 1427726759.303199 - - - - - - - - - SSH::Password_Guessing 192.168.56.1 appears to be guessing SSH passwords (seen in 10 connections). Sampled servers: 192.168.56.103, 192.168.56.103, 192.168.56.103, 192.168.56.103, 192.168.56.103 192.168.56.1 - - - - Notice::ACTION_EMAIL,Notice::ACTION_LOG 3600.000000 F - - - - - + #close 2017-12-21-02-24-48 diff --git a/testing/btest/Baseline/doc.sphinx.using_bro/btest-doc.sphinx.using_bro#1 b/testing/btest/Baseline/doc.sphinx.using_bro/btest-doc.sphinx.using_bro#1 index d0745a35ea..f64da50784 100644 --- a/testing/btest/Baseline/doc.sphinx.using_bro/btest-doc.sphinx.using_bro#1 +++ b/testing/btest/Baseline/doc.sphinx.using_bro/btest-doc.sphinx.using_bro#1 
@@ -16,15 +16,15 @@ #empty_field (empty) #unset_field - #path conn - #open 2016-07-13-16-13-24 + #open 2018-01-12-21-43-52 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] - 1300475167.096535 CHhAvVGS1DHFjwGM9 141.142.220.202 5353 224.0.0.251 5353 udp dns - - - S0 - - 0 D 1 73 0 0 (empty) - 1300475167.097012 ClEkJM2Vm5giqnMf4h fe80::217:f2ff:fed7:cf65 5353 ff02::fb 5353 udp dns - - - S0 - - 0 D 1 199 0 0 (empty) - 1300475167.099816 C4J4Th3PJpwUYZZ6gc 141.142.220.50 5353 224.0.0.251 5353 udp dns - - - S0 - - 0 D 1 179 0 0 (empty) - 1300475168.853899 CmES5u32sYpV7JYN 141.142.220.118 43927 141.142.2.2 53 udp dns 0.000435 38 89 SF - - 0 Dd 1 66 1 117 (empty) - 1300475168.854378 CP5puj4I8PtEU4qzYg 141.142.220.118 37676 141.142.2.2 53 udp dns 0.000420 52 99 SF - - 0 Dd 1 80 1 127 (empty) - 1300475168.854837 C37jN32gN3y3AZzyf6 141.142.220.118 40526 141.142.2.2 53 udp dns 0.000392 38 183 SF - - 0 Dd 1 66 1 211 (empty) - 1300475168.857956 C0LAHyvtKSQHyJxIl 141.142.220.118 32902 141.142.2.2 53 udp dns 0.000317 38 89 SF - - 0 Dd 1 66 1 117 (empty) + 1300475167.096535 CHhAvVGS1DHFjwGM9 141.142.220.202 5353 224.0.0.251 5353 udp dns - - - S0 - - 0 D 1 73 0 0 - + 1300475167.097012 ClEkJM2Vm5giqnMf4h fe80::217:f2ff:fed7:cf65 5353 ff02::fb 5353 udp dns - - - S0 - - 0 D 1 199 0 0 - + 1300475167.099816 C4J4Th3PJpwUYZZ6gc 141.142.220.50 5353 224.0.0.251 5353 udp dns - - - S0 - - 0 D 1 179 0 0 - + 1300475168.853899 CmES5u32sYpV7JYN 141.142.220.118 43927 141.142.2.2 53 udp dns 0.000435 38 89 SF - - 0 Dd 1 66 1 117 - + 1300475168.854378 CP5puj4I8PtEU4qzYg 141.142.220.118 37676 141.142.2.2 53 udp dns 0.000420 52 99 SF - - 0 Dd 1 80 1 127 - + 1300475168.854837 C37jN32gN3y3AZzyf6 
141.142.220.118 40526 141.142.2.2 53 udp dns 0.000392 38 183 SF - - 0 Dd 1 66 1 211 - + 1300475168.857956 C0LAHyvtKSQHyJxIl 141.142.220.118 32902 141.142.2.2 53 udp dns 0.000317 38 89 SF - - 0 Dd 1 66 1 117 - [...] diff --git a/testing/btest/Baseline/istate.base/events b/testing/btest/Baseline/istate.base/events deleted file mode 100644 index fbb3c23f28..0000000000 --- a/testing/btest/Baseline/istate.base/events +++ /dev/null 
@@ -1,33 +0,0 @@ -Event [1301452424.097552] connection_pending([id=[orig_h=141.42.64.125, orig_p=56729/tcp, resp_h=125.190.109.199, resp_p=12345/tcp], orig=[size=0, state=1], resp=[size=0, state=6], start_time=1301452418.93139, duration=0.182432889938354, service={}, addl="", hot=0, history="Sr"]) -Event [1301452424.097552] connection_state_remove([id=[orig_h=141.42.64.125, orig_p=56729/tcp, resp_h=125.190.109.199, resp_p=12345/tcp], orig=[size=0, state=1], resp=[size=0, state=6], start_time=1301452418.93139, duration=0.182432889938354, service={}, addl="", hot=0, history="Sr"]) -Event [1301452424.099251] new_connection([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=0, state=1], resp=[size=0, state=0], start_time=1301452424.0315, duration=0.0, service={}, addl="cc=1", hot=0, history=""]) -Event [1301452424.280556] connection_established([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=0, state=4], resp=[size=0, state=4], start_time=1301452424.0315, duration=0.182510137557983, service={}, addl="", hot=0, history="Sh"]) -Event [1301452424.280556] protocol_confirmation([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=0, state=4], start_time=1301452424.0315, duration=0.183290958404541, service={}, addl="", hot=0, history="ShAD"]165) -Event [1301452424.282557] http_request([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=0, state=4], start_time=1301452424.0315, duration=0.183290958404541, service={}, addl="", hot=0, history="ShAD"]"GET""/""/""1.0") -Event [1301452424.282557] http_begin_entity([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=0, state=4], start_time=1301452424.0315, duration=0.183290958404541, service={}, addl="%events-send-1", hot=0, 
history="ShAD"]T) -Event [1301452424.284421] http_header([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=0, state=4], start_time=1301452424.0315, duration=0.183290958404541, service={}, addl="%events-send-1 %events-rcv-1", hot=0, history="ShAD"]T"USER-AGENT""Wget/1.10") -Event [1301452424.284421] http_header([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=0, state=4], start_time=1301452424.0315, duration=0.183290958404541, service={}, addl="%events-send-1 %events-rcv-1", hot=0, history="ShAD"]T"ACCEPT""*/*") -Event [1301452424.284421] http_header([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=0, state=4], start_time=1301452424.0315, duration=0.183290958404541, service={}, addl="%events-send-1 %events-rcv-1", hot=0, history="ShAD"]T"HOST""www.icir.org") -Event [1301452424.284421] http_header([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=0, state=4], start_time=1301452424.0315, duration=0.183290958404541, service={}, addl="%events-send-1 %events-rcv-1", hot=0, history="ShAD"]T"CONNECTION""Keep-Alive") -Event [1301452424.284421] http_content_type([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=0, state=4], start_time=1301452424.0315, duration=0.183290958404541, service={}, addl="%events-send-1 %events-rcv-1", hot=0, history="ShAD"]T"TEXT""PLAIN") -Event [1301452424.284421] http_end_entity([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=0, state=4], start_time=1301452424.0315, duration=0.183290958404541, service={}, addl="%events-send-1 %events-rcv-1", hot=0, history="ShAD"]T) -Event [1301452424.284421] 
http_message_done([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=0, state=4], start_time=1301452424.0315, duration=0.183290958404541, service={}, addl="%events-send-1 %events-rcv-1", hot=0, history="ShAD"]T[start=1301452424.21479, interrupted=F, finish_msg="message ends normally", body_length=0, content_gap_length=0, header_length=86]) -Event [1301452424.465561] http_reply([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=1448, state=4], start_time=1301452424.0315, duration=0.367331027984619, service={}, addl="%events-send-1", hot=0, history="ShADd"]"1.1"200"OK") -Event [1301452424.465561] http_begin_entity([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=1448, state=4], start_time=1301452424.0315, duration=0.367331027984619, service={}, addl="%events-send-1 %events-rcv-1", hot=0, history="ShADd"]F) -Event [1301452424.465561] http_header([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=1448, state=4], start_time=1301452424.0315, duration=0.367331027984619, service={}, addl="%events-send-1 %events-rcv-1", hot=0, history="ShADd"]F"DATE""Fri, 07 Oct 2005 23:23:55 GMT") -Event [1301452424.465561] http_header([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=1448, state=4], start_time=1301452424.0315, duration=0.367331027984619, service={}, addl="%events-send-1 %events-rcv-1", hot=0, history="ShADd"]F"SERVER""Apache/1.3.33 (Unix)") -Event [1301452424.465561] http_header([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=1448, state=4], start_time=1301452424.0315, duration=0.367331027984619, service={}, addl="%events-send-1 %events-rcv-1", hot=0, 
history="ShADd"]F"LAST-MODIFIED""Fri, 07 Oct 2005 16:23:01 GMT") -Event [1301452424.465561] http_header([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=1448, state=4], start_time=1301452424.0315, duration=0.367331027984619, service={}, addl="%events-send-1 %events-rcv-1", hot=0, history="ShADd"]F"ETAG"""2c96c-23aa-4346a0e5"") -Event [1301452424.465561] http_header([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=1448, state=4], start_time=1301452424.0315, duration=0.367331027984619, service={}, addl="%events-send-1 %events-rcv-1", hot=0, history="ShADd"]F"ACCEPT-RANGES""bytes") -Event [1301452424.465561] http_header([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=1448, state=4], start_time=1301452424.0315, duration=0.367331027984619, service={}, addl="%events-send-1 %events-rcv-1", hot=0, history="ShADd"]F"CONTENT-LENGTH""9130") -Event [1301452424.465561] http_header([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=1448, state=4], start_time=1301452424.0315, duration=0.367331027984619, service={}, addl="%events-send-1 %events-rcv-1", hot=0, history="ShADd"]F"KEEP-ALIVE""timeout=15, max=100") -Event [1301452424.465561] http_header([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=1448, state=4], start_time=1301452424.0315, duration=0.367331027984619, service={}, addl="%events-send-1 %events-rcv-1", hot=0, history="ShADd"]F"CONNECTION""Keep-Alive") -Event [1301452424.465561] http_header([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=1448, state=4], start_time=1301452424.0315, duration=0.367331027984619, service={}, addl="%events-send-1 
%events-rcv-1", hot=0, history="ShADd"]F"CONTENT-TYPE""text/html") -Event [1301452424.465561] http_content_type([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=1448, state=4], start_time=1301452424.0315, duration=0.367331027984619, service={}, addl="%events-send-1 %events-rcv-1", hot=0, history="ShADd"]F"TEXT""HTML") -Event [1301452424.648565] http_entity_data([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=5792, state=4], start_time=1301452424.0315, duration=0.551820039749146, service={}, addl="%events-send-1", hot=0, history="ShADd"]F4096"^JICIR^J^JICIR
^J

^JICIR (The ICSI Center for Internet Research)^Jis a ^Jnon-profit^Jresearch institute at^JICSI^Jin ^JBerkeley, ^JCalifornia.
^JFor the three years from 1999 to 2001 we were named^JACIRI, the AT&T Center for Internet Research at ICSI, ^Jand were funded by AT&T.
^J^JThe goals of ICIR are to:^J

    ^J
  • Pursue research on the Internet architecture and related networking issues,^J
  • ^JParticipate actively in the research (SIGCOMM and IRTF) and^Jstandards (IETF) communities,^J
  • Bridge the gap between the Internet research community and commercial ^Jinterests by providing a neutral forum where topics of mutual technical ^Jinterest can be addressed.^J
^J

^J^J


^J^J
^J^J^J^J^J^J^J^J^J^J^J
^J^J

^JPeople^J

^J^J^J
^J^J

^JPublications^J

^J^J^J

^JProjects ^J

^J^J^J^J
^J ^J

Research

^J   Transport and Congestion^J
    ^J
  • ^JDCCP^J(Datagram Congestion Control Protocol).^J
  • ^JECN^J(Explicit Congestion Notification).^J
  • ^J^JIntegrated services.^J
  • ^JRED ^Jqueue management, and^JRED-PD.^J
  • ^JHighSpeed TCP.^J
  • ^J^JTCP Implementation.^J
  • ^JReordering-Robust TCP ^J(RR-TCP).^J
  • TCP^JSACK ^J(Selective Acknowledgment).^J
  • ^JTFRC ^J(TCP-Friendly Rate Control).^J
^J^J   Traffic and Topology^J
    ^J
  • ^JIDMaps ^J(Internet Distance Mapping).^J
  • The ^JInternet Traffic Archive.^J
  • ^JMINC^J(Multicast-based Inference of Network-internal Characteristics).^J
  • ^JNIMI^J(N") -Event [1301452424.832570] http_entity_data([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=9417, state=4], start_time=1301452424.0315, duration=0.73563814163208, service={}, addl="%events-send-1", hot=0, history="ShADd"]F938"ational Internet Measurement Infrastructure).^J
^J^J

^J^JCollaborators^J

^J^J^J^J
^J
^J^J
^J

Information for visitors and local users.

^J
^JLast modified: June 2004. Copyright notice.^J^JOlder versions of this web page, in its ACIRI incarnation..^J
^JFor more information about this server, mail www@aciri.org. ^J
^JTo report unusual activity by any of our hosts, mail abuse@aciri.org.^J^J") -Event [1301452424.832570] http_end_entity([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=9417, state=4], start_time=1301452424.0315, duration=0.73563814163208, service={}, addl="%events-send-1 %events-rcv-1", hot=0, history="ShADd"]F) -Event [1301452424.832570] http_message_done([id=[orig_h=141.42.64.125, orig_p=56730/tcp, resp_h=125.190.109.199, resp_p=80/tcp], orig=[size=98, state=4], resp=[size=9417, state=4], start_time=1301452424.0315, duration=0.73563814163208, service={}, addl="%events-send-1 %events-rcv-1", hot=0, history="ShADd"]F[start=1301452424.39883, interrupted=F, finish_msg="message ends normally", body_length=9130, content_gap_length=0, header_length=265]) -Event [1301452424.990539] net_done(1301452424.99054) -Event [1301452424.990539] bro_done() diff --git a/testing/btest/Baseline/istate.base/receiver.conn.log b/testing/btest/Baseline/istate.base/receiver.conn.log deleted file mode 100644 index 6827ed1fee..0000000000 --- a/testing/btest/Baseline/istate.base/receiver.conn.log +++ /dev/null @@ -1 +0,0 @@ -1301452418.931393 0.182433 141.42.64.125 125.190.109.199 other 56729 12345 tcp ? ? REJ X diff --git a/testing/btest/Baseline/istate.base/receiver.http.log b/testing/btest/Baseline/istate.base/receiver.http.log deleted file mode 100644 index 74400b15d5..0000000000 --- a/testing/btest/Baseline/istate.base/receiver.http.log +++ /dev/null 
@@ -1,18 +0,0 @@ -1301452424.282557 %events-rcv-1 start 141.42.64.125:56730 > 125.190.109.199:80 -1301452424.284421 %events-rcv-1 > USER-AGENT: Wget/1.10 -1301452424.284421 %events-rcv-1 > ACCEPT: */* -1301452424.284421 %events-rcv-1 > HOST: www.icir.org -1301452424.284421 %events-rcv-1 > CONNECTION: Keep-Alive -1301452424.465561 %events-rcv-1 < DATE: Fri, 07 Oct 2005 23:23:55 GMT -1301452424.465561 %events-rcv-1 < SERVER: Apache/1.3.33 (Unix) -1301452424.465561 %events-rcv-1 < LAST-MODIFIED: Fri, 07 Oct 2005 16:23:01 GMT -1301452424.465561 %events-rcv-1 < ETAG: "2c96c-23aa-4346a0e5" -1301452424.465561 %events-rcv-1 < ACCEPT-RANGES: bytes -1301452424.465561 %events-rcv-1 < CONTENT-LENGTH: 9130 -1301452424.465561 %events-rcv-1 < KEEP-ALIVE: timeout=15, max=100 -1301452424.465561 %events-rcv-1 < CONNECTION: Keep-Alive -1301452424.465561 %events-rcv-1 < CONTENT-TYPE: text/html -1301452424.648565 %events-rcv-1 <= 4096 bytes: "^J^J

^JPublications^J

^J
    ^J 125.190.109.199:80 -1301452424.214794 %events-send-1 > USER-AGENT: Wget/1.10 -1301452424.214794 %events-send-1 > ACCEPT: */* -1301452424.214794 %events-send-1 > HOST: www.icir.org -1301452424.214794 %events-send-1 > CONNECTION: Keep-Alive -1301452424.398834 %events-send-1 < DATE: Fri, 07 Oct 2005 23:23:55 GMT -1301452424.398834 %events-send-1 < SERVER: Apache/1.3.33 (Unix) -1301452424.398834 %events-send-1 < LAST-MODIFIED: Fri, 07 Oct 2005 16:23:01 GMT -1301452424.398834 %events-send-1 < ETAG: "2c96c-23aa-4346a0e5" -1301452424.398834 %events-send-1 < ACCEPT-RANGES: bytes -1301452424.398834 %events-send-1 < CONTENT-LENGTH: 9130 -1301452424.398834 %events-send-1 < KEEP-ALIVE: timeout=15, max=100 -1301452424.398834 %events-send-1 < CONNECTION: Keep-Alive -1301452424.398834 %events-send-1 < CONTENT-TYPE: text/html -1301452424.583323 %events-send-1 <= 4096 bytes: "^J^J

    ^JPublications^J

    ^J
      ^J, a=13, b=, c=helloworld, d=] -13 -helloworld diff --git a/testing/btest/Baseline/istate.pybroccoli/python..stdout.filtered b/testing/btest/Baseline/istate.pybroccoli/python..stdout.filtered deleted file mode 100644 index d6c81edf2b..0000000000 --- a/testing/btest/Baseline/istate.pybroccoli/python..stdout.filtered +++ /dev/null @@ -1,47 +0,0 @@ -==== atomic a 1 ==== --4L -4 -42 42 -1468426429.2942 -60.0 -True True -3.14 -'Hurz' Hurz -'12345/udp' 12345/udp -'1.2.3.4' 1.2.3.4 -'22.33.44.0/24' 22.33.44.0/24 -'2607:f8b0:4009:802::1014' 2607:f8b0:4009:802::1014 -'2607:f8b0::/32' 2607:f8b0::/32 -==== atomic a 2 ==== --10L -10 -2 2 -1468426429.2885 -120.0 -False False -1.5 -'Servus' Servus -'5555/tcp' 5555/tcp -'6.7.6.5' 6.7.6.5 -'192.168.0.0/16' 192.168.0.0/16 -'2001:db8:85a3::8a2e:370:7334' 2001:db8:85a3::8a2e:370:7334 -'2001:db8:85a3::/48' 2001:db8:85a3::/48 -==== atomic b 2 ==== --10L -10 - 2 - 1468426429.2885 - 120.0 -False False -1.5 -'Servus' Servus - 5555/tcp - 6.7.6.5 - 192.168.0.0/16 - 2001:db8:85a3::8a2e:370:7334 - 2001:db8:85a3::/48 -==== record 1 ==== - -42L 42 -'6.6.7.7' 6.6.7.7 -==== record 2 ==== - -99L 99 -'3.4.5.1' 3.4.5.1 diff --git a/testing/btest/Baseline/istate.sync/receiver.vars.log b/testing/btest/Baseline/istate.sync/receiver.vars.log deleted file mode 100644 index d15c4b9c35..0000000000 --- a/testing/btest/Baseline/istate.sync/receiver.vars.log +++ /dev/null @@ -1,34 +0,0 @@ -421 -1234567 -Jodel -4.3.2.1 -4.0.0.0/8 -21.0 -42.0 secs -{ -[1] = asdfg2, -[3] = asdfg1 -} -file "test2" of string -/^?(abbcdefgh)$?/ -{ -2, -6, -4, -5, -3 -} -{ -[3, GHI] = 103, -[2, DEF] = 103, -[4, JKL] = 104 -} -{ -[6767] = /^?(QWERTZ)$?/, -[12345] = /^?(12345)$?/, -[12346] = /^?(12345)$?/ -} -6667/tcp -[2, 20, 3, 4] -[a=zxzxzx, b=[a=pop, b=43, c=9.999], c=[a=IOIOI, b=201, c=612.2], d=6.6666, e=] -122112 
diff --git a/testing/btest/Baseline/istate.sync/sender.vars.log b/testing/btest/Baseline/istate.sync/sender.vars.log deleted file mode 100644 index d15c4b9c35..0000000000 --- a/testing/btest/Baseline/istate.sync/sender.vars.log +++ /dev/null @@ -1,34 +0,0 @@ -421 -1234567 -Jodel -4.3.2.1 -4.0.0.0/8 -21.0 -42.0 secs -{ -[1] = asdfg2, -[3] = asdfg1 -} -file "test2" of string -/^?(abbcdefgh)$?/ -{ -2, -6, -4, -5, -3 -} -{ -[3, GHI] = 103, -[2, DEF] = 103, -[4, JKL] = 104 -} -{ -[6767] = /^?(QWERTZ)$?/, -[12345] = /^?(12345)$?/, -[12346] = /^?(12345)$?/ -} -6667/tcp -[2, 20, 3, 4] -[a=zxzxzx, b=[a=pop, b=43, c=9.999], c=[a=IOIOI, b=201, c=612.2], d=6.6666, e=] -122112 diff --git a/testing/btest/Baseline/istate.topk/out b/testing/btest/Baseline/istate.topk/out deleted file mode 100644 index ef3d0cef30..0000000000 --- a/testing/btest/Baseline/istate.topk/out +++ /dev/null @@ -1,21 +0,0 @@ -1 -2 -6 -4 -5 -1 -[c, e, d] -1 -2 -6 -4 -5 -1 -[c, e, d] -2 -4 -12 -8 -10 -2 -[c, e, d] diff --git a/testing/btest/Baseline/language.count/out b/testing/btest/Baseline/language.count/out index 4ef65b6098..f1e1eef587 100644 --- a/testing/btest/Baseline/language.count/out +++ b/testing/btest/Baseline/language.count/out @@ -14,5 +14,16 @@ modulus operator (PASS) division operator (PASS) assignment operator (PASS) assignment operator (PASS) +bitwise and (PASS) +bitwise and (PASS) +bitwise and (PASS) +bitwise or (PASS) +bitwise or (PASS) +bitwise or (PASS) +bitwise xor (PASS) +bitwise xor (PASS) +bitwise xor (PASS) +bitwise complement (PASS) +bitwise complement (PASS) max count value = 18446744073709551615 (PASS) max count value = 18446744073709551615 (PASS) diff --git a/testing/btest/Baseline/language.expire-expr-error/output b/testing/btest/Baseline/language.expire-expr-error/output index 544527fe23..cf43dd4c80 100644 --- a/testing/btest/Baseline/language.expire-expr-error/output +++ b/testing/btest/Baseline/language.expire-expr-error/output 
@@ -1,2 +1,2 @@
-error in /home/robin/bro/master/testing/btest/.tmp/language.expire-expr-error/expire-expr-error.bro, line 7: no such index (x[kaputt])
+error in /home/robin/bro/master/testing/btest/.tmp/language.expire-expr-error/expire-expr-error.bro, line 8: no such index (x[kaputt])
 received termination signal
diff --git a/testing/btest/Baseline/language.expire-redef/output b/testing/btest/Baseline/language.expire-redef/output
index d5a745e7f3..42bb1b485c 100644
--- a/testing/btest/Baseline/language.expire-redef/output
+++ b/testing/btest/Baseline/language.expire-redef/output
@@ -1,5 +1,3 @@
-Run 0
 Run 1
 Expired: 0 --> some data
 Run 2
-Run 3
diff --git a/testing/btest/Baseline/language.pattern/out b/testing/btest/Baseline/language.pattern/out
index 4a5b8de670..dac62ab0fa 100644
--- a/testing/btest/Baseline/language.pattern/out
+++ b/testing/btest/Baseline/language.pattern/out
@@ -6,3 +6,29 @@ inequality operator (order of operands) (PASS)
 in operator (PASS)
 in operator (PASS)
 !in operator (PASS)
+& operator (PASS)
+& operator (FAIL)
+| operator (PASS)
+| operator (FAIL)
+/i pattern modifier (PASS)
+/i pattern modifier (PASS)
+/i double-quote escape (FAIL)
+/i double-quote escape (PASS)
+case-sensitive pattern (FAIL)
+case-sensitive pattern (FAIL)
+case-sensitive pattern (PASS)
+/i pattern disjunction (PASS)
+/i pattern disjunction (FAIL)
+/i pattern disjunction (PASS)
+/i pattern disjunction (PASS)
+/i pattern concatenation (PASS)
+/i pattern concatenation (FAIL)
+/i pattern concatenation (FAIL)
+/i pattern concatenation (PASS)
+/i pattern concatenation (PASS)
+/i pattern concatenation (FAIL)
+/i pattern character class (FAIL)
+/i pattern character class (PASS)
+(?i:...) pattern construct (PASS)
+(?i:...) pattern construct (FAIL)
+(?i:...) pattern construct (PASS)
diff --git a/testing/btest/Baseline/language.record-redef-after-init/output b/testing/btest/Baseline/language.record-redef-after-init/output
new file mode 100644
index 0000000000..9c422442a5
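Review bot: The lines added to language.pattern/out freeze `(FAIL)` results into the expected output, e.g. `+& operator (FAIL)` and `+/i double-quote escape (FAIL)`, and the language.set/out hunk does the same (`+intersection (FAIL)`, `+subset (FAIL)`, `+magnitude (FAIL)`). The test scripts are not part of these hunks, so these may be deliberate negative cases, but as recorded a reader cannot tell an intended non-match from a regression that was accepted when the baseline was regenerated. If they are deliberate, I would negate the condition in the test so every expected line reads PASS, or give the negative cases their own label, for example `& operator, non-matching input (PASS)`.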
--- /dev/null
+++ b/testing/btest/Baseline/language.record-redef-after-init/output
@@ -0,0 +1,10 @@
+[a=redef, d=, e=, f=, g=, h=, i=, j=, k=, l=, m=, n=, o=, p=, q=]
+[a=runtime, d=, e=, f=, g=, h=, i=, j=, k=, l=, m=, n=, o=, p=, q=OPTQ]
+[a=local, d=, e=, f=, g=, h=, i=, j=, k=, l=, m=, n=, o=, p=, q=OPTQ]
+[a=redef, d=, e=, f=, g=, h=, i=, j=, k=, l=, m=, n=, o=, p=, q=]
+[a=redef, d=, e=, f=, g=, h=, i=, j=, k=, l=, m=, n=, o=, p=, q=]
+newp
+[a=redef, d=, e=, f=, g=, h=, i=, j=, k=, l=, m=, n=, o=, p=newp, q=]
+OPTQ
+our value
+[a=redef, d=, e=, f=, g=, h=, i=, j=, k=, l=, m=, n=, o=, p=newp, q=our value]
diff --git a/testing/btest/Baseline/language.set/out b/testing/btest/Baseline/language.set/out
index fc157cf7d9..0128420cbf 100644
--- a/testing/btest/Baseline/language.set/out
+++ b/testing/btest/Baseline/language.set/out
@@ -42,3 +42,30 @@ remove element (PASS)
 !in operator (PASS)
 remove element (PASS)
 !in operator (PASS)
+union (PASS)
+intersection (FAIL)
+difference (PASS)
+difference (PASS)
+union/inter. (PASS)
+relational (PASS)
+relational (PASS)
+subset (FAIL)
+subset (FAIL)
+subset (PASS)
+superset (FAIL)
+superset (FAIL)
+superset (FAIL)
+superset (PASS)
+non-ordering (FAIL)
+non-ordering (PASS)
+superset (PASS)
+superset (FAIL)
+superset (PASS)
+superset (PASS)
+superset (PASS)
+superset (FAIL)
+equality (PASS)
+equality (FAIL)
+non-equality (PASS)
+equality (FAIL)
+magnitude (FAIL)
diff --git a/testing/btest/Baseline/language.switch-error-mixed/out b/testing/btest/Baseline/language.switch-error-mixed/out
new file mode 100644
index 0000000000..75fa1d84c2
--- /dev/null
+++ b/testing/btest/Baseline/language.switch-error-mixed/out
@@ -0,0 +1 @@
+error in /home/robin/bro/lang-ext/testing/btest/.tmp/language.switch-error-mixed/switch-error-mixed.bro, line 6: cannot mix cases with expressions and types (switch (v) {case 42:{ return (42!)}case type count:{ return (Count!)}})
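Review bot: The expected error line in language.switch-error-mixed/out stores an absolute path from a developer checkout, `/home/robin/bro/lang-ext/testing/btest/.tmp/...`, so the baseline matches on another machine only if the comparison strips paths first; the test's canonifier setting is outside this hunk and should be confirmed. The same holds for the new baselines language.switch-types-error-duplicate, language.switch-types-error-unsupported, language.type-cast-error-dynamic (`/Users/jon/projects/...`), language.type-cast-error-static and language.uninitialized-local2 (`/home/jon/projects/...`). Committing the already-canonified form, for example `error in <...>/switch-error-mixed.bro, line 6: ...`, would also keep local usernames and directory layout out of the repository.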
diff --git a/testing/btest/Baseline/language.switch-types-error-duplicate/out b/testing/btest/Baseline/language.switch-types-error-duplicate/out
new file mode 100644
index 0000000000..e523b14550
--- /dev/null
+++ b/testing/btest/Baseline/language.switch-types-error-duplicate/out
@@ -0,0 +1 @@
+error in /home/robin/bro/lang-ext/testing/btest/.tmp/language.switch-types-error-duplicate/switch-types-error-duplicate.bro, lines 11-12: duplicate case label (case type bool, type count:{ return (Bool or address!)})
diff --git a/testing/btest/Baseline/language.switch-types-error-unsupported/out b/testing/btest/Baseline/language.switch-types-error-unsupported/out
new file mode 100644
index 0000000000..133c8653f2
--- /dev/null
+++ b/testing/btest/Baseline/language.switch-types-error-unsupported/out
@@ -0,0 +1,3 @@
+error in /home/robin/bro/lang-ext/testing/btest/.tmp/language.switch-types-error-unsupported/switch-types-error-unsupported.bro, lines 9-10: cannot cast switch expression to case type (case type count:{ return (Count!)})
+error in /home/robin/bro/lang-ext/testing/btest/.tmp/language.switch-types-error-unsupported/switch-types-error-unsupported.bro, lines 11-12: cannot cast switch expression to case type (case type bool, type addr:{ return (Bool or address!)})
+error in /home/robin/bro/lang-ext/testing/btest/.tmp/language.switch-types-error-unsupported/switch-types-error-unsupported.bro, lines 11-12: cannot cast switch expression to case type (case type bool, type addr:{ return (Bool or address!)})
diff --git a/testing/btest/Baseline/language.switch-types-vars/out b/testing/btest/Baseline/language.switch-types-vars/out
new file mode 100644
index 0000000000..36904c63b9
--- /dev/null
+++ b/testing/btest/Baseline/language.switch-types-vars/out
@@ -0,0 +1,9 @@
+string!, My StrIng
+count!, 42
+Bool or address?
+ addr, 1.2.3.4
+Bool or address?
+ bool, T
+int!
+double or port
+double or port
diff --git a/testing/btest/Baseline/language.switch-types/out b/testing/btest/Baseline/language.switch-types/out
new file mode 100644
index 0000000000..536852101f
--- /dev/null
+++ b/testing/btest/Baseline/language.switch-types/out
@@ -0,0 +1,7 @@
+String!
+Count!
+Bool or address!
+Somethign else!
+
+Bool or address!
+n/a
diff --git a/testing/btest/Baseline/language.type-cast-any/output b/testing/btest/Baseline/language.type-cast-any/output
new file mode 100644
index 0000000000..e7c07abe7e
--- /dev/null
+++ b/testing/btest/Baseline/language.type-cast-any/output
@@ -0,0 +1,6 @@
+Foo, Foo, T, Foo==Foo => T
+Foo, Foo, T, Bar==Foo => F
+42, 42, T, 42==42 => T
+42, 42, T, 21==42 => F
+[a=1.2.3.4, b=1947/tcp], [a=1.2.3.4, b=1947/tcp], T, [a=1.2.3.4, b=1947/tcp]==[a=1.2.3.4, b=1947/tcp] => T
+[a=1.2.3.4, b=1947/tcp], [a=1.2.3.4, b=1947/tcp], T, [a=2.3.4.5, b=1947/tcp]==[a=1.2.3.4, b=1947/tcp] => F
diff --git a/testing/btest/Baseline/language.type-cast-error-dynamic/output b/testing/btest/Baseline/language.type-cast-error-dynamic/output
new file mode 100644
index 0000000000..8ebf0cc90e
--- /dev/null
+++ b/testing/btest/Baseline/language.type-cast-error-dynamic/output
@@ -0,0 +1,4 @@
+expression error in /Users/jon/projects/bro/bro/testing/btest/.tmp/language.type-cast-error-dynamic/type-cast-error-dynamic.bro, line 11: invalid cast of value with type 'count' to type 'string' [a as string]
+expression error in /Users/jon/projects/bro/bro/testing/btest/.tmp/language.type-cast-error-dynamic/type-cast-error-dynamic.bro, line 11: invalid cast of value with type 'record { a:addr; b:port; }' to type 'string' [a as string]
+expression error in /Users/jon/projects/bro/bro/testing/btest/.tmp/language.type-cast-error-dynamic/type-cast-error-dynamic.bro, line 11: invalid cast of value with type 'record { data:opaque of Broker::Data; }' to type 'string' (nil $data field) [a as string]
+data is string, F
diff --git a/testing/btest/Baseline/language.type-cast-error-static/output b/testing/btest/Baseline/language.type-cast-error-static/output
new file mode 100644
index 0000000000..a93e262f21
--- /dev/null
+++ b/testing/btest/Baseline/language.type-cast-error-static/output
@@ -0,0 +1,2 @@
+error in /home/robin/bro/lang-ext/testing/btest/.tmp/language.type-cast-error-static/type-cast-error-static.bro, line 14: cast not supported (string as count)
+error in /home/robin/bro/lang-ext/testing/btest/.tmp/language.type-cast-error-static/type-cast-error-static.bro, line 15: cast not supported (string as X)
diff --git a/testing/btest/Baseline/language.type-cast-same/output b/testing/btest/Baseline/language.type-cast-same/output
new file mode 100644
index 0000000000..ac40874860
--- /dev/null
+++ b/testing/btest/Baseline/language.type-cast-same/output
@@ -0,0 +1,2 @@
+sTriNg, T
+[a=1.2.3.4, b=1947/tcp], T
diff --git a/testing/btest/Baseline/language.type-check-any/output b/testing/btest/Baseline/language.type-check-any/output
new file mode 100644
index 0000000000..90b825d6fd
--- /dev/null
+++ b/testing/btest/Baseline/language.type-check-any/output
@@ -0,0 +1,3 @@
+Foo, T, F, F
+1, F, T, F
+[a=1.2.3.4, b=1947/tcp], F, F, T
diff --git a/testing/btest/Baseline/language.uninitialized-local2/out b/testing/btest/Baseline/language.uninitialized-local2/out
new file mode 100644
index 0000000000..75d09294e6
--- /dev/null
+++ b/testing/btest/Baseline/language.uninitialized-local2/out
@@ -0,0 +1,2 @@
+error in /home/jon/projects/bro/bro/testing/btest/.tmp/language.uninitialized-local2/uninitialized-local2.bro, line 19: value used but not set (var_b)
+var_a is, baz
diff --git a/testing/btest/Baseline/language.vector/out b/testing/btest/Baseline/language.vector/out
index 0aa3ab0a8f..0fdcc1fa24 100644
--- a/testing/btest/Baseline/language.vector/out
+++ b/testing/btest/Baseline/language.vector/out
@@ -57,3 +57,4 @@ access element (PASS) % operator (PASS) && operator (PASS) || operator (PASS) ++= operator (PASS) diff --git a/testing/btest/Baseline/plugins.api-version-mismatch/output b/testing/btest/Baseline/plugins.api-version-mismatch/output deleted file mode 100644 index 04f3cdd3a2..0000000000 --- a/testing/btest/Baseline/plugins.api-version-mismatch/output +++ /dev/null @@ -1 +0,0 @@ -fatal error in /home/robin/bro/plugins/scripts/base/init-bare.bro, line 1: plugin's API version does not match Bro (expected 2, got 42 in /home/robin/bro/plugins/testing/btest/.tmp/plugins.api-version-mismatch/build//lib/XXX) diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output index 9b22c34b71..20e01df16f 100644 --- a/testing/btest/Baseline/plugins.hooks/output +++ b/testing/btest/Baseline/plugins.hooks/output @@ -4,6 +4,7 @@ 0.000000 MetaHookPost CallFunction(Analyzer::__disable_analyzer, , (Analyzer::ANALYZER_TCPSTATS)) -> 0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_AYIYA, 5072/udp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_DCE_RPC, 135/tcp)) -> +0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_DHCP, 4011/udp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_DHCP, 67/udp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_DHCP, 68/udp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_DNP3_TCP, 20000/tcp)) -> 
@@ -39,6 +40,8 @@ 0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_RADIUS, 1812/udp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_RDP, 3389/tcp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_SIP, 5060/udp)) -> +0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_SMB, 139/tcp)) -> +0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_SMB, 445/tcp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_SMTP, 25/tcp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_SMTP, 587/tcp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_SNMP, 161/udp)) -> @@ -66,6 +69,7 @@ 0.000000 MetaHookPost CallFunction(Analyzer::disable_analyzer, , (Analyzer::ANALYZER_TCPSTATS)) -> 0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_AYIYA, 5072/udp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_DCE_RPC, 135/tcp)) -> +0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_DHCP, 4011/udp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_DHCP, 67/udp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_DHCP, 68/udp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_DNP3_TCP, 20000/tcp)) -> 
@@ -101,6 +105,8 @@ 0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_RADIUS, 1812/udp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_RDP, 3389/tcp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_SIP, 5060/udp)) -> +0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_SMB, 139/tcp)) -> +0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_SMB, 445/tcp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_SMTP, 25/tcp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_SMTP, 587/tcp)) -> 0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_SNMP, 161/udp)) -> @@ -140,6 +146,7 @@ 0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_RADIUS, {1812/udp})) -> 0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_RDP, {3389/tcp})) -> 0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_SIP, {5060/udp})) -> +0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_SMB, {139<...>/tcp})) -> 0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_SMTP, {587<...>/tcp})) -> 0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_SNMP, {162<...>/udp})) -> 0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_SOCKS, {1080/tcp})) -> 
@@ -150,8 +157,21 @@ 0.000000 MetaHookPost CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_XMPP, {5222<...>/tcp})) -> 0.000000 MetaHookPost CallFunction(Cluster::is_enabled, , ()) -> 0.000000 MetaHookPost CallFunction(Cluster::is_enabled, , ()) -> +0.000000 MetaHookPost CallFunction(Cluster::local_node_type, , ()) -> +0.000000 MetaHookPost CallFunction(Cluster::register_pool, , ([topic=bro<...>/logger, node_type=Cluster::LOGGER, max_nodes=, exclusive=F])) -> +0.000000 MetaHookPost CallFunction(Cluster::register_pool, , ([topic=bro<...>/proxy, node_type=Cluster::PROXY, max_nodes=, exclusive=F])) -> +0.000000 MetaHookPost CallFunction(Cluster::register_pool, , ([topic=bro<...>/worker, node_type=Cluster::WORKER, max_nodes=, exclusive=F])) -> 0.000000 MetaHookPost CallFunction(Files::register_analyzer_add_callback, , (Files::ANALYZER_EXTRACT, FileExtract::on_add{ if (!FileExtract::args?$extract_filename) FileExtract::args$extract_filename = cat(extract-, FileExtract::f$last_active, -, FileExtract::f$source, -, FileExtract::f$id)FileExtract::f$info$extracted = FileExtract::args$extract_filenameFileExtract::args$extract_filename = build_path_compressed(FileExtract::prefix, FileExtract::args$extract_filename)FileExtract::f$info$extracted_cutoff = Fmkdir(FileExtract::prefix)})) -> +0.000000 MetaHookPost CallFunction(Files::register_for_mime_type, , (Files::ANALYZER_MD5, application/pkix-cert)) -> +0.000000 MetaHookPost CallFunction(Files::register_for_mime_type, , (Files::ANALYZER_MD5, application/x-x509-ca-cert)) -> +0.000000 MetaHookPost CallFunction(Files::register_for_mime_type, , (Files::ANALYZER_MD5, application/x-x509-user-cert)) -> 0.000000 MetaHookPost CallFunction(Files::register_for_mime_type, , (Files::ANALYZER_PE, application/x-dosexec)) -> +0.000000 MetaHookPost CallFunction(Files::register_for_mime_type, , (Files::ANALYZER_SHA1, application/pkix-cert)) -> +0.000000 MetaHookPost CallFunction(Files::register_for_mime_type, , 
(Files::ANALYZER_SHA1, application/x-x509-ca-cert)) -> +0.000000 MetaHookPost CallFunction(Files::register_for_mime_type, , (Files::ANALYZER_SHA1, application/x-x509-user-cert)) -> +0.000000 MetaHookPost CallFunction(Files::register_for_mime_type, , (Files::ANALYZER_X509, application/pkix-cert)) -> +0.000000 MetaHookPost CallFunction(Files::register_for_mime_type, , (Files::ANALYZER_X509, application/x-x509-ca-cert)) -> +0.000000 MetaHookPost CallFunction(Files::register_for_mime_type, , (Files::ANALYZER_X509, application/x-x509-user-cert)) -> 0.000000 MetaHookPost CallFunction(Files::register_for_mime_types, , (Files::ANALYZER_PE, {application/x-dosexec})) -> 0.000000 MetaHookPost CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_DTLS, [get_file_handle=SSL::get_file_handle{ return ()}, describe=SSL::describe_file{ SSL::cid{ if (SSL::f$source != SSL || !SSL::f?$info || !SSL::f$info?$x509 || !SSL::f$info$x509?$certificate) return ()for ([SSL::cid] in SSL::f$conns) { if (SSL::f$conns[SSL::cid]?$ssl) { SSL::c = SSL::f$conns[SSL::cid]return (cat(SSL::c$id$resp_h, :, SSL::c$id$resp_p))}}return (cat(Serial: , SSL::f$info$x509$certificate$serial, Subject: , SSL::f$info$x509$certificate$subject, Issuer: , SSL::f$info$x509$certificate$issuer))}}])) -> 0.000000 MetaHookPost CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_FTP_DATA, [get_file_handle=FTP::get_file_handle{ if (!FTP::c$id$resp_h, FTP::c$id$resp_p in FTP::ftp_data_expected) return ()return (cat(Analyzer::ANALYZER_FTP_DATA, FTP::c$start_time, FTP::c$id, FTP::is_orig))}, describe=FTP::describe_file{ FTP::cid{ if (FTP::f$source != FTP) return ()for ([FTP::cid] in FTP::f$conns) { if (FTP::f$conns[FTP::cid]?$ftp) return (FTP::describe(FTP::f$conns[FTP::cid]$ftp))}return ()}}])) -> 
@@ -159,10 +179,12 @@ 0.000000 MetaHookPost CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_IRC_DATA, [get_file_handle=IRC::get_file_handle{ return (cat(Analyzer::ANALYZER_IRC_DATA, IRC::c$start_time, IRC::c$id, IRC::is_orig))}, describe=anonymous-function{ return ()}])) -> 0.000000 MetaHookPost CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_KRB, [get_file_handle=KRB::get_file_handle{ return ()}, describe=KRB::describe_file{ KRB::cid{ if (KRB::f$source != KRB_TCP && KRB::f$source != KRB) return ()if (!KRB::f?$info || !KRB::f$info?$x509 || !KRB::f$info$x509?$certificate) return ()for ([KRB::cid] in KRB::f$conns) { if (KRB::f$conns[KRB::cid]?$krb) { KRB::c = KRB::f$conns[KRB::cid]return (cat(KRB::c$id$resp_h, :, KRB::c$id$resp_p))}}return (cat(Serial: , KRB::f$info$x509$certificate$serial, Subject: , KRB::f$info$x509$certificate$subject, Issuer: , KRB::f$info$x509$certificate$issuer))}}])) -> 0.000000 MetaHookPost CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_KRB_TCP, [get_file_handle=KRB::get_file_handle{ return ()}, describe=KRB::describe_file{ KRB::cid{ if (KRB::f$source != KRB_TCP && KRB::f$source != KRB) return ()if (!KRB::f?$info || !KRB::f$info?$x509 || !KRB::f$info$x509?$certificate) return ()for ([KRB::cid] in KRB::f$conns) { if (KRB::f$conns[KRB::cid]?$krb) { KRB::c = KRB::f$conns[KRB::cid]return (cat(KRB::c$id$resp_h, :, KRB::c$id$resp_p))}}return (cat(Serial: , KRB::f$info$x509$certificate$serial, Subject: , KRB::f$info$x509$certificate$subject, Issuer: , KRB::f$info$x509$certificate$issuer))}}])) -> +0.000000 MetaHookPost CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_SMB, [get_file_handle=SMB::get_file_handle{ if (!(SMB::c$smb_state?$current_file && (SMB::c$smb_state$current_file?$name || SMB::c$smb_state$current_file?$path))) { return ()}SMB::current_file = SMB::c$smb_state$current_fileSMB::path_name = SMB::current_file?$path ? SMB::current_file$path : SMB::file_name = SMB::current_file?$name ? 
SMB::current_file$name : SMB::last_mod = cat(SMB::current_file?$times ? SMB::current_file$times$modified : double_to_time(0.0))return (hexdump(cat(Analyzer::ANALYZER_SMB, SMB::c$id$orig_h, SMB::c$id$resp_h, SMB::path_name, SMB::file_name, SMB::last_mod)))}, describe=SMB::describe_file{ SMB::cid{ if (SMB::f$source != SMB) return ()for ([SMB::cid] in SMB::f$conns) { SMB::info = SMB::f$conns[SMB::cid]if (SMB::info?$smb_state && SMB::info$smb_state?$current_file && SMB::info$smb_state$current_file?$name) return (SMB::info$smb_state$current_file$name)}return ()}}])) -> 0.000000 MetaHookPost CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_SMTP, [get_file_handle=SMTP::get_file_handle{ return (cat(Analyzer::ANALYZER_SMTP, SMTP::c$start_time, SMTP::c$smtp$trans_depth, SMTP::c$smtp_state$mime_depth))}, describe=SMTP::describe_file{ SMTP::cid{ if (SMTP::f$source != SMTP) return ()for ([SMTP::cid] in SMTP::f$conns) { SMTP::c = SMTP::f$conns[SMTP::cid]return (SMTP::describe(SMTP::c$smtp))}return ()}}])) -> 0.000000 MetaHookPost CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_SSL, [get_file_handle=SSL::get_file_handle{ return ()}, describe=SSL::describe_file{ SSL::cid{ if (SSL::f$source != SSL || !SSL::f?$info || !SSL::f$info?$x509 || !SSL::f$info$x509?$certificate) return ()for ([SSL::cid] in SSL::f$conns) { if (SSL::f$conns[SSL::cid]?$ssl) { SSL::c = SSL::f$conns[SSL::cid]return (cat(SSL::c$id$resp_h, :, SSL::c$id$resp_p))}}return (cat(Serial: , SSL::f$info$x509$certificate$serial, Subject: , SSL::f$info$x509$certificate$subject, Issuer: , SSL::f$info$x509$certificate$issuer))}}])) -> +0.000000 MetaHookPost CallFunction(Log::__add_filter, , (Broker::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=broker, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) -> 0.000000 MetaHookPost CallFunction(Log::__add_filter, , 
(Cluster::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=cluster, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::__add_filter, , (Communication::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=communication, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::__add_filter, , (Config::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=config, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) -> 0.000000 MetaHookPost CallFunction(Log::__add_filter, , (Conn::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=conn, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) -> 0.000000 MetaHookPost CallFunction(Log::__add_filter, , (DCE_RPC::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=dce_rpc, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) -> 0.000000 MetaHookPost CallFunction(Log::__add_filter, , (DHCP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=dhcp, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) -> 
@@ -191,6 +213,8 @@ 0.000000 MetaHookPost CallFunction(Log::__add_filter, , (RFB::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=rfb, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) -> 0.000000 MetaHookPost CallFunction(Log::__add_filter, , (Reporter::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=reporter, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) -> 0.000000 MetaHookPost CallFunction(Log::__add_filter, , (SIP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=sip, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::__add_filter, , (SMB::FILES_LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=smb_files, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::__add_filter, , (SMB::MAPPING_LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=smb_mapping, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) -> 0.000000 MetaHookPost CallFunction(Log::__add_filter, , (SMTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=smtp, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) -> 0.000000 MetaHookPost CallFunction(Log::__add_filter, , (SNMP::LOG, [name=default, 
writer=Log::WRITER_ASCII, pred=, path=snmp, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) -> 0.000000 MetaHookPost CallFunction(Log::__add_filter, , (SOCKS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=socks, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) -> 
@@ -204,8 +228,9 @@ 0.000000 MetaHookPost CallFunction(Log::__add_filter, , (Weird::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=weird, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) -> 0.000000 MetaHookPost CallFunction(Log::__add_filter, , (X509::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=x509, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) -> 0.000000 MetaHookPost CallFunction(Log::__add_filter, , (mysql::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=mysql, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Broker::LOG, [columns=, ev=, path=broker])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Cluster::LOG, [columns=, ev=, path=cluster])) -> -0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Communication::LOG, [columns=, ev=, path=communication])) -> +0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Config::LOG, [columns=, ev=Config::log_config, path=config])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Conn::LOG, [columns=, ev=Conn::log_conn, path=conn])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (DCE_RPC::LOG, [columns=, ev=, path=dce_rpc])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (DHCP::LOG, [columns=, ev=DHCP::log_dhcp, path=dhcp])) -> 
@@ -234,6 +259,8 @@ 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (RFB::LOG, [columns=, ev=RFB::log_rfb, path=rfb])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Reporter::LOG, [columns=, ev=, path=reporter])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (SIP::LOG, [columns=, ev=SIP::log_sip, path=sip])) -> +0.000000 MetaHookPost CallFunction(Log::__create_stream, , (SMB::FILES_LOG, [columns=, ev=, path=smb_files])) -> +0.000000 MetaHookPost CallFunction(Log::__create_stream, , (SMB::MAPPING_LOG, [columns=, ev=, path=smb_mapping])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (SMTP::LOG, [columns=, ev=SMTP::log_smtp, path=smtp])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (SNMP::LOG, [columns=, ev=SNMP::log_snmp, path=snmp])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (SOCKS::LOG, [columns=, ev=SOCKS::log_socks, path=socks])) -> 
@@ -247,9 +274,10 @@ 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) -> 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) -> -0.000000 MetaHookPost CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1485327769.512366, node=bro, filter=ip or not ip, init=T, success=T])) -> +0.000000 MetaHookPost CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1534522064.090237, node=bro, filter=ip or not ip, init=T, success=T])) -> +0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Broker::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Cluster::LOG)) -> -0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Communication::LOG)) -> +0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Config::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Conn::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (DCE_RPC::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (DHCP::LOG)) -> @@ -278,6 +306,8 @@ 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (RFB::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Reporter::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (SIP::LOG)) -> +0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (SMB::FILES_LOG)) -> +0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (SMB::MAPPING_LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (SMTP::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (SNMP::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (SOCKS::LOG)) -> 
@@ -291,8 +321,9 @@ 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Weird::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (X509::LOG)) -> 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (mysql::LOG)) -> +0.000000 MetaHookPost CallFunction(Log::add_filter, , (Broker::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) -> 0.000000 MetaHookPost CallFunction(Log::add_filter, , (Cluster::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) -> -0.000000 MetaHookPost CallFunction(Log::add_filter, , (Communication::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::add_filter, , (Config::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) -> 0.000000 MetaHookPost CallFunction(Log::add_filter, , (Conn::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) -> 0.000000 MetaHookPost CallFunction(Log::add_filter, , (DCE_RPC::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., 
ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) -> 0.000000 MetaHookPost CallFunction(Log::add_filter, , (DHCP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) -> 
@@ -321,6 +352,8 @@ 0.000000 MetaHookPost CallFunction(Log::add_filter, , (RFB::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) -> 0.000000 MetaHookPost CallFunction(Log::add_filter, , (Reporter::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) -> 0.000000 MetaHookPost CallFunction(Log::add_filter, , (SIP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::add_filter, , (SMB::FILES_LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::add_filter, , (SMB::MAPPING_LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) -> 0.000000 MetaHookPost CallFunction(Log::add_filter, , (SMTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) -> 0.000000 MetaHookPost CallFunction(Log::add_filter, , (SNMP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, 
exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) -> 0.000000 MetaHookPost CallFunction(Log::add_filter, , (SOCKS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) -> 
@@ -334,8 +367,55 @@ 0.000000 MetaHookPost CallFunction(Log::add_filter, , (Weird::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) -> 0.000000 MetaHookPost CallFunction(Log::add_filter, , (X509::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) -> 0.000000 MetaHookPost CallFunction(Log::add_filter, , (mysql::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) -> +0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (Broker::LOG, default)) -> +0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (Cluster::LOG, default)) -> +0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (Config::LOG, default)) -> +0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (Conn::LOG, default)) -> +0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (DCE_RPC::LOG, default)) -> +0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (DHCP::LOG, default)) -> +0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (DNP3::LOG, default)) -> +0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (DNS::LOG, default)) -> +0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (DPD::LOG, default)) -> +0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (FTP::LOG, default)) -> +0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (Files::LOG, default)) -> +0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (HTTP::LOG, default)) -> 
+0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (IRC::LOG, default)) -> +0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (Intel::LOG, default)) -> +0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (KRB::LOG, default)) -> +0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (Modbus::LOG, default)) -> +0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (NTLM::LOG, default)) -> +0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (NetControl::CATCH_RELEASE, default)) -> +0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (NetControl::DROP, default)) -> +0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (NetControl::LOG, default)) -> +0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (NetControl::SHUNT, default)) -> +0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (Notice::ALARM_LOG, default)) -> +0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (Notice::LOG, default)) -> +0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (OpenFlow::LOG, default)) -> +0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (PE::LOG, default)) -> +0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (PacketFilter::LOG, default)) -> +0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (RADIUS::LOG, default)) -> +0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (RDP::LOG, default)) -> +0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (RFB::LOG, default)) -> +0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (Reporter::LOG, default)) -> +0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (SIP::LOG, default)) -> +0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (SMB::FILES_LOG, default)) -> +0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (SMB::MAPPING_LOG, default)) -> +0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (SMTP::LOG, 
default)) -> +0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (SNMP::LOG, default)) -> +0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (SOCKS::LOG, default)) -> +0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (SSH::LOG, default)) -> +0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (SSL::LOG, default)) -> +0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (Signatures::LOG, default)) -> +0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (Software::LOG, default)) -> +0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (Syslog::LOG, default)) -> +0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (Tunnel::LOG, default)) -> +0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (Unified2::LOG, default)) -> +0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (Weird::LOG, default)) -> +0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (X509::LOG, default)) -> +0.000000 MetaHookPost CallFunction(Log::add_stream_filters, , (mysql::LOG, default)) -> +0.000000 MetaHookPost CallFunction(Log::create_stream, , (Broker::LOG, [columns=, ev=, path=broker])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (Cluster::LOG, [columns=, ev=, path=cluster])) -> -0.000000 MetaHookPost CallFunction(Log::create_stream, , (Communication::LOG, [columns=, ev=, path=communication])) -> +0.000000 MetaHookPost CallFunction(Log::create_stream, , (Config::LOG, [columns=, ev=Config::log_config, path=config])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (Conn::LOG, [columns=, ev=Conn::log_conn, path=conn])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (DCE_RPC::LOG, [columns=, ev=, path=dce_rpc])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (DHCP::LOG, [columns=, ev=DHCP::log_dhcp, path=dhcp])) -> 
@@ -364,6 +444,8 @@ 0.000000 MetaHookPost CallFunction(Log::create_stream, , (RFB::LOG, [columns=, ev=RFB::log_rfb, path=rfb])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (Reporter::LOG, [columns=, ev=, path=reporter])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (SIP::LOG, [columns=, ev=SIP::log_sip, path=sip])) -> +0.000000 MetaHookPost CallFunction(Log::create_stream, , (SMB::FILES_LOG, [columns=, ev=, path=smb_files])) -> +0.000000 MetaHookPost CallFunction(Log::create_stream, , (SMB::MAPPING_LOG, [columns=, ev=, path=smb_mapping])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (SMTP::LOG, [columns=, ev=SMTP::log_smtp, path=smtp])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (SNMP::LOG, [columns=, ev=SNMP::log_snmp, path=snmp])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (SOCKS::LOG, [columns=, ev=SOCKS::log_socks, path=socks])) -> @@ -377,7 +459,7 @@ 0.000000 MetaHookPost CallFunction(Log::create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) -> 0.000000 MetaHookPost CallFunction(Log::create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) -> -0.000000 MetaHookPost CallFunction(Log::write, , (PacketFilter::LOG, [ts=1485327769.512366, node=bro, filter=ip or not ip, init=T, success=T])) -> +0.000000 MetaHookPost CallFunction(Log::write, , (PacketFilter::LOG, [ts=1534522064.090237, node=bro, filter=ip or not ip, init=T, success=T])) -> 0.000000 MetaHookPost CallFunction(NetControl::check_plugins, , ()) -> 0.000000 MetaHookPost CallFunction(NetControl::init, , ()) -> 0.000000 MetaHookPost CallFunction(Notice::want_pp, , ()) -> 
@@ -405,7 +487,9 @@ 0.000000 MetaHookPost CallFunction(bro_init, , ()) -> 0.000000 MetaHookPost CallFunction(current_time, , ()) -> 0.000000 MetaHookPost CallFunction(filter_change_tracking, , ()) -> +0.000000 MetaHookPost CallFunction(getenv, , (BRO_DEFAULT_LISTEN_ADDRESS)) -> 0.000000 MetaHookPost CallFunction(getenv, , (CLUSTER_NODE)) -> +0.000000 MetaHookPost CallFunction(global_ids, , ()) -> 0.000000 MetaHookPost CallFunction(network_time, , ()) -> 0.000000 MetaHookPost CallFunction(reading_live_traffic, , ()) -> 0.000000 MetaHookPost CallFunction(reading_traces, , ()) -> 
@@ -413,309 +497,327 @@ 0.000000 MetaHookPost CallFunction(string_to_pattern, , ((^\.?|\.)()$, F)) -> 0.000000 MetaHookPost CallFunction(sub, , ((^\.?|\.)(~~)$, <...>/, )) -> 0.000000 MetaHookPost DrainEvents() -> -0.000000 MetaHookPost LoadFile(../main) -> -1 -0.000000 MetaHookPost LoadFile(../plugin) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_ARP.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_AYIYA.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_AsciiReader.ascii.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_AsciiWriter.ascii.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_BackDoor.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_BenchmarkReader.benchmark.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_BinaryReader.binary.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_BitTorrent.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_ConnSize.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_ConnSize.functions.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_DCE_RPC.consts.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_DCE_RPC.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_DCE_RPC.types.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_DHCP.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_DNP3.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_DNS.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_FTP.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_FTP.functions.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_File.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_FileEntropy.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_FileExtract.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_FileExtract.functions.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_FileHash.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_Finger.events.bif.bro) -> -1 -0.000000 MetaHookPost 
LoadFile(./Bro_GSSAPI.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_GSSAPI.types.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_GTPv1.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_Gnutella.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_HTTP.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_HTTP.functions.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_ICMP.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_IMAP.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_IRC.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_Ident.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_InterConn.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_KRB.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_KRB.types.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_Login.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_Login.functions.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_MIME.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_Modbus.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_MySQL.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_NCP.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_NTLM.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_NTLM.types.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_NTP.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_NetBIOS.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_NetBIOS.functions.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_NoneWriter.none.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_PE.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_PIA.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_POP3.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_RADIUS.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_RDP.events.bif.bro) -> -1 -0.000000 MetaHookPost 
LoadFile(./Bro_RDP.types.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_RFB.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_RPC.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_RawReader.raw.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_SIP.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_SMB.consts.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_SMB.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_SMB.smb1_com_check_directory.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_SMB.smb1_com_close.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_SMB.smb1_com_create_directory.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_SMB.smb1_com_echo.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_SMB.smb1_com_logoff_andx.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_SMB.smb1_com_negotiate.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_SMB.smb1_com_nt_cancel.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_SMB.smb1_com_nt_create_andx.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_SMB.smb1_com_query_information.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_SMB.smb1_com_read_andx.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_SMB.smb1_com_session_setup_andx.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_SMB.smb1_com_transaction.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_SMB.smb1_com_transaction2.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_SMB.smb1_com_tree_connect_andx.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_SMB.smb1_com_tree_disconnect.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_SMB.smb1_com_write_andx.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_SMB.smb1_events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_SMB.smb2_com_close.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_SMB.smb2_com_create.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_SMB.smb2_com_negotiate.bif.bro) -> -1 -0.000000 
MetaHookPost LoadFile(./Bro_SMB.smb2_com_read.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_SMB.smb2_com_session_setup.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_SMB.smb2_com_set_info.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_SMB.smb2_com_tree_connect.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_SMB.smb2_com_tree_disconnect.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_SMB.smb2_com_write.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_SMB.smb2_events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_SMB.types.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_SMTP.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_SMTP.functions.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_SNMP.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_SNMP.types.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_SOCKS.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_SQLiteReader.sqlite.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_SQLiteWriter.sqlite.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_SSH.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_SSH.types.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_SSL.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_SSL.functions.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_SSL.types.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_SteppingStone.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_Syslog.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_TCP.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_TCP.functions.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_Teredo.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_UDP.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_Unified2.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_Unified2.types.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_X509.events.bif.bro) -> -1 -0.000000 
MetaHookPost LoadFile(./Bro_X509.functions.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_X509.types.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_XMPP.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./Bro_ZIP.events.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./acld) -> -1 -0.000000 MetaHookPost LoadFile(./addrs) -> -1 -0.000000 MetaHookPost LoadFile(./analyzer.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./average) -> -1 -0.000000 MetaHookPost LoadFile(./bloom-filter.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./bro.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./broker) -> -1 -0.000000 MetaHookPost LoadFile(./broxygen.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./cardinality-counter.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./catch-and-release) -> -1 -0.000000 MetaHookPost LoadFile(./comm.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./const-dos-error) -> -1 -0.000000 MetaHookPost LoadFile(./const-nt-status) -> -1 -0.000000 MetaHookPost LoadFile(./const.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./consts) -> -1 -0.000000 MetaHookPost LoadFile(./consts.bro) -> -1 -0.000000 MetaHookPost LoadFile(./contents) -> -1 -0.000000 MetaHookPost LoadFile(./data.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./dcc-send) -> -1 -0.000000 MetaHookPost LoadFile(./debug) -> -1 -0.000000 MetaHookPost LoadFile(./drop) -> -1 -0.000000 MetaHookPost LoadFile(./entities) -> -1 -0.000000 MetaHookPost LoadFile(./event.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./exec) -> -1 -0.000000 MetaHookPost LoadFile(./file_analysis.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./files) -> -1 -0.000000 MetaHookPost LoadFile(./gridftp) -> -1 -0.000000 MetaHookPost LoadFile(./hll_unique) -> -1 -0.000000 MetaHookPost LoadFile(./hooks.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./inactivity) -> -1 -0.000000 MetaHookPost LoadFile(./info) -> -1 -0.000000 MetaHookPost LoadFile(./init.bro) -> -1 -0.000000 MetaHookPost LoadFile(./input) -> -1 -0.000000 
MetaHookPost LoadFile(./input.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./last) -> -1 -0.000000 MetaHookPost LoadFile(./log) -> -1 -0.000000 MetaHookPost LoadFile(./logging.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./magic) -> -1 -0.000000 MetaHookPost LoadFile(./main) -> -1 -0.000000 MetaHookPost LoadFile(./main.bro) -> -1 -0.000000 MetaHookPost LoadFile(./max) -> -1 -0.000000 MetaHookPost LoadFile(./messaging.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./min) -> -1 -0.000000 MetaHookPost LoadFile(./mozilla-ca-list) -> -1 -0.000000 MetaHookPost LoadFile(./netstats) -> -1 -0.000000 MetaHookPost LoadFile(./non-cluster) -> -1 -0.000000 MetaHookPost LoadFile(./openflow) -> -1 -0.000000 MetaHookPost LoadFile(./packetfilter) -> -1 -0.000000 MetaHookPost LoadFile(./patterns) -> -1 -0.000000 MetaHookPost LoadFile(./pcap.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./plugin) -> -1 -0.000000 MetaHookPost LoadFile(./plugins) -> -1 -0.000000 MetaHookPost LoadFile(./polling) -> -1 -0.000000 MetaHookPost LoadFile(./postprocessors) -> -1 -0.000000 MetaHookPost LoadFile(./reporter.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./ryu) -> -1 -0.000000 MetaHookPost LoadFile(./sample) -> -1 -0.000000 MetaHookPost LoadFile(./scp) -> -1 -0.000000 MetaHookPost LoadFile(./sftp) -> -1 -0.000000 MetaHookPost LoadFile(./shunt) -> -1 -0.000000 MetaHookPost LoadFile(./site) -> -1 -0.000000 MetaHookPost LoadFile(./stats.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./std-dev) -> -1 -0.000000 MetaHookPost LoadFile(./store) -> -1 -0.000000 MetaHookPost LoadFile(./store.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./strings.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./sum) -> -1 -0.000000 MetaHookPost LoadFile(./thresholds) -> -1 -0.000000 MetaHookPost LoadFile(./top-k.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./topk) -> -1 -0.000000 MetaHookPost LoadFile(./types) -> -1 -0.000000 MetaHookPost LoadFile(./types.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(./types.bro) 
-> -1 -0.000000 MetaHookPost LoadFile(./unique) -> -1 -0.000000 MetaHookPost LoadFile(./utils) -> -1 -0.000000 MetaHookPost LoadFile(./utils-commands) -> -1 -0.000000 MetaHookPost LoadFile(./utils.bro) -> -1 -0.000000 MetaHookPost LoadFile(./variance) -> -1 -0.000000 MetaHookPost LoadFile(./weird) -> -1 -0.000000 MetaHookPost LoadFile(.<...>/add-geodata) -> -1 -0.000000 MetaHookPost LoadFile(.<...>/ascii) -> -1 -0.000000 MetaHookPost LoadFile(.<...>/benchmark) -> -1 -0.000000 MetaHookPost LoadFile(.<...>/binary) -> -1 -0.000000 MetaHookPost LoadFile(.<...>/drop) -> -1 -0.000000 MetaHookPost LoadFile(.<...>/email_admin) -> -1 -0.000000 MetaHookPost LoadFile(.<...>/hostnames) -> -1 -0.000000 MetaHookPost LoadFile(.<...>/none) -> -1 -0.000000 MetaHookPost LoadFile(.<...>/page) -> -1 -0.000000 MetaHookPost LoadFile(.<...>/pp-alarms) -> -1 -0.000000 MetaHookPost LoadFile(.<...>/raw) -> -1 -0.000000 MetaHookPost LoadFile(.<...>/sqlite) -> -1 -0.000000 MetaHookPost LoadFile(<...>/__load__.bro) -> -1 -0.000000 MetaHookPost LoadFile(<...>/__preload__.bro) -> -1 -0.000000 MetaHookPost LoadFile(<...>/hooks.bro) -> -1 -0.000000 MetaHookPost LoadFile(base/bif) -> -1 -0.000000 MetaHookPost LoadFile(base/init-default.bro) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/Bro_KRB.types.bif) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/Bro_SNMP.types.bif) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/active-http) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/addrs) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/analyzer) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/analyzer.bif) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/bro.bif) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/broker) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/cluster) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/comm.bif) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/communication) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/conn) -> -1 -0.000000 MetaHookPost 
LoadFile(base<...>/conn-ids) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/const.bif.bro) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/control) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/data.bif) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/dce-rpc) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/dhcp) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/dir) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/directions-and-hosts) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/dnp3) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/dns) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/dpd) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/email) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/event.bif) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/exec) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/extract) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/file_analysis.bif) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/files) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/find-checksum-offloading) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/find-filtered-trace) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/ftp) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/geoip-distance) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/hash) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/http) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/imap) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/input) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/input.bif) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/intel) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/irc) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/json) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/krb) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/logging) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/logging.bif) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/main) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/messaging.bif) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/modbus) -> -1 
-0.000000 MetaHookPost LoadFile(base<...>/mysql) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/netcontrol) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/notice) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/ntlm) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/numbers) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/openflow) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/packet-filter) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/paths) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/patterns) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/pe) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/plugins) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/pop3) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/queue) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/radius) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/rdp) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/reporter) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/reporter.bif) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/rfb) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/signatures) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/sip) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/site) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/smb) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/smtp) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/snmp) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/socks) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/software) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/ssh) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/ssl) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/store.bif) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/strings) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/strings.bif) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/sumstats) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/syslog) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/thresholds) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/time) -> -1 -0.000000 MetaHookPost 
LoadFile(base<...>/tunnels) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/types.bif) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/unified2) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/urls) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/utils) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/version) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/weird) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/x509) -> -1 -0.000000 MetaHookPost LoadFile(base<...>/xmpp) -> -1 +0.000000 MetaHookPost LoadFile(0, ..<...>/main.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, ..<...>/plugin.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_ARP.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_AsciiReader.ascii.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_AsciiWriter.ascii.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_BackDoor.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_BenchmarkReader.benchmark.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_BinaryReader.binary.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_BitTorrent.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_ConfigReader.config.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_ConnSize.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_ConnSize.functions.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_DCE_RPC.consts.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_DCE_RPC.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_DCE_RPC.types.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_DHCP.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_DHCP.types.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_DNP3.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_DNS.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_FTP.events.bif.bro) -> -1 +0.000000 
MetaHookPost LoadFile(0, .<...>/Bro_FTP.functions.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_File.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_FileEntropy.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_FileExtract.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_FileExtract.functions.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_FileHash.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_Finger.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_GSSAPI.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_GTPv1.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_Gnutella.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_HTTP.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_HTTP.functions.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_ICMP.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_IMAP.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_IRC.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_Ident.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_InterConn.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_KRB.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_KRB.types.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_Login.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_Login.functions.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_MIME.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_Modbus.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_MySQL.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_NCP.consts.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_NCP.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, 
.<...>/Bro_NTLM.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_NTLM.types.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_NTP.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_NetBIOS.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_NetBIOS.functions.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_NoneWriter.none.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_PE.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_POP3.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_RADIUS.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_RDP.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_RDP.types.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_RFB.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_RPC.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_RawReader.raw.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SIP.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.consts.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb1_com_check_directory.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb1_com_close.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb1_com_create_directory.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb1_com_echo.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb1_com_logoff_andx.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb1_com_negotiate.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb1_com_nt_cancel.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb1_com_nt_create_andx.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb1_com_query_information.bif.bro) -> -1 +0.000000 
MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb1_com_read_andx.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb1_com_session_setup_andx.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb1_com_transaction.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb1_com_transaction2.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb1_com_transaction2_secondary.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb1_com_transaction_secondary.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb1_com_tree_connect_andx.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb1_com_tree_disconnect.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb1_com_write_andx.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb1_events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb2_com_close.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb2_com_create.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb2_com_negotiate.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb2_com_read.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb2_com_session_setup.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb2_com_set_info.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb2_com_tree_connect.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb2_com_tree_disconnect.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb2_com_write.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.smb2_events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMB.types.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMTP.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SMTP.functions.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SNMP.events.bif.bro) -> -1 
+0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SNMP.types.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SOCKS.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SQLiteReader.sqlite.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SQLiteWriter.sqlite.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SSH.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SSH.types.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SSL.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SSL.functions.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SSL.types.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_SteppingStone.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_Syslog.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_TCP.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_TCP.functions.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_Teredo.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_UDP.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_Unified2.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_Unified2.types.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_X509.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_X509.functions.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_X509.ocsp_events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_X509.types.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/Bro_XMPP.events.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/acld.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/add-geodata.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/addrs.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/analyzer.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/ascii.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, 
.<...>/average.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/benchmark.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/binary.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/bloom-filter.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/bro.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/broker.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/broxygen.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/cardinality-counter.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/catch-and-release.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/comm.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/config.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/const-dos-error.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/const-nt-status.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/const.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/consts.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/contents.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/ct-list.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/data.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/dcc-send.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/debug.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/drop.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/email_admin.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/entities.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/event.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/exec.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/file_analysis.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/files.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/gridftp.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/hll_unique.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/hooks.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/inactivity.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/info.bro) -> -1 +0.000000 
MetaHookPost LoadFile(0, .<...>/init.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/input.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/input.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/last.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/log.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/logging.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/magic) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/main.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/max.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/messaging.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/min.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/mozilla-ca-list.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/netstats.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/non-cluster.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/none.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/openflow.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/option.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/packetfilter.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/page.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/patterns.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/pcap.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/plugin.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/plugins) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/polling.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/pools.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/postprocessors) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/pp-alarms.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/raw.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/reporter.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/ryu.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/sample.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/scp.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/sftp.bro) -> -1 
+0.000000 MetaHookPost LoadFile(0, .<...>/shunt.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/site.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/smb1-main.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/smb2-main.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/sqlite.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/stats.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/std-dev.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/store.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/store.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/strings.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/sum.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/thresholds.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/top-k.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/topk.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/types.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/types.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/unique.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/utils-commands.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/utils.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/variance.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, .<...>/weird.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, <...>/__load__.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, <...>/__preload__.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, <...>/hooks.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/Bro_KRB.types.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/Bro_SNMP.types.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/active-http.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/addrs.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/analyzer) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/analyzer.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/bif) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/bro.bif.bro) -> -1 
+0.000000 MetaHookPost LoadFile(0, base<...>/broker) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/cluster) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/comm.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/config) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/conn) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/conn-ids.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/const.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/control) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/data.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/dce-rpc) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/dhcp) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/dir.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/directions-and-hosts.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/dnp3) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/dns) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/dpd) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/email.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/event.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/exec.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/extract) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/file_analysis.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/files) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/files.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/find-checksum-offloading.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/find-filtered-trace.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/ftp) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/geoip-distance.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/hash) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/hash_hrw.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/http) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/imap) -> -1 +0.000000 MetaHookPost LoadFile(0, 
base<...>/init-default.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/init-frameworks-and-bifs.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/input) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/input.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/intel) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/irc) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/json.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/krb) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/logging) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/logging.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/main.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/messaging.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/modbus) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/mysql) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/netcontrol) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/notice) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/ntlm) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/numbers.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/openflow) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/option.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/packet-filter) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/paths.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/patterns.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/pe) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/plugins) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/pop3) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/queue.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/radius) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/rdp) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/reporter) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/reporter.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/rfb) -> -1 +0.000000 MetaHookPost LoadFile(0, 
base<...>/signatures) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/sip) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/site.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/smb) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/smtp) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/snmp) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/socks) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/software) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/ssh) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/ssl) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/stats.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/store.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/strings.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/strings.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/sumstats) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/syslog) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/thresholds.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/time.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/tunnels) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/types.bif.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/unified2) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/urls.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/utils.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/version.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/weird.bro) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/x509) -> -1 +0.000000 MetaHookPost LoadFile(0, base<...>/xmpp) -> -1 +0.000000 MetaHookPost LoadFile(1, .<...>/archive.sig) -> -1 +0.000000 MetaHookPost LoadFile(1, .<...>/audio.sig) -> -1 +0.000000 MetaHookPost LoadFile(1, .<...>/dpd.sig) -> -1 +0.000000 MetaHookPost LoadFile(1, .<...>/font.sig) -> -1 +0.000000 MetaHookPost LoadFile(1, .<...>/general.sig) -> -1 +0.000000 MetaHookPost LoadFile(1, .<...>/image.sig) -> -1 +0.000000 MetaHookPost LoadFile(1, 
.<...>/libmagic.sig) -> -1 +0.000000 MetaHookPost LoadFile(1, .<...>/msoffice.sig) -> -1 +0.000000 MetaHookPost LoadFile(1, .<...>/video.sig) -> -1 +0.000000 MetaHookPost LogInit(Log::WRITER_ASCII, default, true, true, packet_filter(0.0,0.0,0.0), 5, {ts (time), node (string), filter (string), init (bool), success (bool)}) -> +0.000000 MetaHookPost LogWrite(Log::WRITER_ASCII, default, packet_filter(0.0,0.0,0.0), 5, {ts (time), node (string), filter (string), init (bool), success (bool)}, ) -> true 0.000000 MetaHookPost QueueEvent(NetControl::init()) -> false 0.000000 MetaHookPost QueueEvent(bro_init()) -> false 0.000000 MetaHookPost QueueEvent(filter_change_tracking()) -> false @@ -725,6 +827,7 @@ 0.000000 MetaHookPre CallFunction(Analyzer::__disable_analyzer, , (Analyzer::ANALYZER_TCPSTATS)) 0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_AYIYA, 5072/udp)) 0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_DCE_RPC, 135/tcp)) +0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_DHCP, 4011/udp)) 0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_DHCP, 67/udp)) 0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_DHCP, 68/udp)) 0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_DNP3_TCP, 20000/tcp)) 
@@ -760,6 +863,8 @@ 0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_RADIUS, 1812/udp)) 0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_RDP, 3389/tcp)) 0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_SIP, 5060/udp)) +0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_SMB, 139/tcp)) +0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_SMB, 445/tcp)) 0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_SMTP, 25/tcp)) 0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_SMTP, 587/tcp)) 0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_SNMP, 161/udp)) @@ -787,6 +892,7 @@ 0.000000 MetaHookPre CallFunction(Analyzer::disable_analyzer, , (Analyzer::ANALYZER_TCPSTATS)) 0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_AYIYA, 5072/udp)) 0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_DCE_RPC, 135/tcp)) +0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_DHCP, 4011/udp)) 0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_DHCP, 67/udp)) 0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_DHCP, 68/udp)) 0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_DNP3_TCP, 20000/tcp)) 
@@ -822,6 +928,8 @@ 0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_RADIUS, 1812/udp)) 0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_RDP, 3389/tcp)) 0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_SIP, 5060/udp)) +0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_SMB, 139/tcp)) +0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_SMB, 445/tcp)) 0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_SMTP, 25/tcp)) 0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_SMTP, 587/tcp)) 0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_SNMP, 161/udp)) @@ -861,6 +969,7 @@ 0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_RADIUS, {1812/udp})) 0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_RDP, {3389/tcp})) 0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_SIP, {5060/udp})) +0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_SMB, {139<...>/tcp})) 0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_SMTP, {587<...>/tcp})) 0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_SNMP, {162<...>/udp})) 0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_SOCKS, {1080/tcp})) 
@@ -871,8 +980,21 @@ 0.000000 MetaHookPre CallFunction(Analyzer::register_for_ports, , (Analyzer::ANALYZER_XMPP, {5222<...>/tcp})) 0.000000 MetaHookPre CallFunction(Cluster::is_enabled, , ()) 0.000000 MetaHookPre CallFunction(Cluster::is_enabled, , ()) +0.000000 MetaHookPre CallFunction(Cluster::local_node_type, , ()) +0.000000 MetaHookPre CallFunction(Cluster::register_pool, , ([topic=bro<...>/logger, node_type=Cluster::LOGGER, max_nodes=, exclusive=F])) +0.000000 MetaHookPre CallFunction(Cluster::register_pool, , ([topic=bro<...>/proxy, node_type=Cluster::PROXY, max_nodes=, exclusive=F])) +0.000000 MetaHookPre CallFunction(Cluster::register_pool, , ([topic=bro<...>/worker, node_type=Cluster::WORKER, max_nodes=, exclusive=F])) 0.000000 MetaHookPre CallFunction(Files::register_analyzer_add_callback, , (Files::ANALYZER_EXTRACT, FileExtract::on_add{ if (!FileExtract::args?$extract_filename) FileExtract::args$extract_filename = cat(extract-, FileExtract::f$last_active, -, FileExtract::f$source, -, FileExtract::f$id)FileExtract::f$info$extracted = FileExtract::args$extract_filenameFileExtract::args$extract_filename = build_path_compressed(FileExtract::prefix, FileExtract::args$extract_filename)FileExtract::f$info$extracted_cutoff = Fmkdir(FileExtract::prefix)})) +0.000000 MetaHookPre CallFunction(Files::register_for_mime_type, , (Files::ANALYZER_MD5, application/pkix-cert)) +0.000000 MetaHookPre CallFunction(Files::register_for_mime_type, , (Files::ANALYZER_MD5, application/x-x509-ca-cert)) +0.000000 MetaHookPre CallFunction(Files::register_for_mime_type, , (Files::ANALYZER_MD5, application/x-x509-user-cert)) 0.000000 MetaHookPre CallFunction(Files::register_for_mime_type, , (Files::ANALYZER_PE, application/x-dosexec)) +0.000000 MetaHookPre CallFunction(Files::register_for_mime_type, , (Files::ANALYZER_SHA1, application/pkix-cert)) +0.000000 MetaHookPre CallFunction(Files::register_for_mime_type, , (Files::ANALYZER_SHA1, application/x-x509-ca-cert)) +0.000000 
MetaHookPre CallFunction(Files::register_for_mime_type, , (Files::ANALYZER_SHA1, application/x-x509-user-cert)) +0.000000 MetaHookPre CallFunction(Files::register_for_mime_type, , (Files::ANALYZER_X509, application/pkix-cert)) +0.000000 MetaHookPre CallFunction(Files::register_for_mime_type, , (Files::ANALYZER_X509, application/x-x509-ca-cert)) +0.000000 MetaHookPre CallFunction(Files::register_for_mime_type, , (Files::ANALYZER_X509, application/x-x509-user-cert)) 0.000000 MetaHookPre CallFunction(Files::register_for_mime_types, , (Files::ANALYZER_PE, {application/x-dosexec})) 0.000000 MetaHookPre CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_DTLS, [get_file_handle=SSL::get_file_handle{ return ()}, describe=SSL::describe_file{ SSL::cid{ if (SSL::f$source != SSL || !SSL::f?$info || !SSL::f$info?$x509 || !SSL::f$info$x509?$certificate) return ()for ([SSL::cid] in SSL::f$conns) { if (SSL::f$conns[SSL::cid]?$ssl) { SSL::c = SSL::f$conns[SSL::cid]return (cat(SSL::c$id$resp_h, :, SSL::c$id$resp_p))}}return (cat(Serial: , SSL::f$info$x509$certificate$serial, Subject: , SSL::f$info$x509$certificate$subject, Issuer: , SSL::f$info$x509$certificate$issuer))}}])) 0.000000 MetaHookPre CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_FTP_DATA, [get_file_handle=FTP::get_file_handle{ if (!FTP::c$id$resp_h, FTP::c$id$resp_p in FTP::ftp_data_expected) return ()return (cat(Analyzer::ANALYZER_FTP_DATA, FTP::c$start_time, FTP::c$id, FTP::is_orig))}, describe=FTP::describe_file{ FTP::cid{ if (FTP::f$source != FTP) return ()for ([FTP::cid] in FTP::f$conns) { if (FTP::f$conns[FTP::cid]?$ftp) return (FTP::describe(FTP::f$conns[FTP::cid]$ftp))}return ()}}])) 
@@ -880,10 +1002,12 @@ 0.000000 MetaHookPre CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_IRC_DATA, [get_file_handle=IRC::get_file_handle{ return (cat(Analyzer::ANALYZER_IRC_DATA, IRC::c$start_time, IRC::c$id, IRC::is_orig))}, describe=anonymous-function{ return ()}])) 0.000000 MetaHookPre CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_KRB, [get_file_handle=KRB::get_file_handle{ return ()}, describe=KRB::describe_file{ KRB::cid{ if (KRB::f$source != KRB_TCP && KRB::f$source != KRB) return ()if (!KRB::f?$info || !KRB::f$info?$x509 || !KRB::f$info$x509?$certificate) return ()for ([KRB::cid] in KRB::f$conns) { if (KRB::f$conns[KRB::cid]?$krb) { KRB::c = KRB::f$conns[KRB::cid]return (cat(KRB::c$id$resp_h, :, KRB::c$id$resp_p))}}return (cat(Serial: , KRB::f$info$x509$certificate$serial, Subject: , KRB::f$info$x509$certificate$subject, Issuer: , KRB::f$info$x509$certificate$issuer))}}])) 0.000000 MetaHookPre CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_KRB_TCP, [get_file_handle=KRB::get_file_handle{ return ()}, describe=KRB::describe_file{ KRB::cid{ if (KRB::f$source != KRB_TCP && KRB::f$source != KRB) return ()if (!KRB::f?$info || !KRB::f$info?$x509 || !KRB::f$info$x509?$certificate) return ()for ([KRB::cid] in KRB::f$conns) { if (KRB::f$conns[KRB::cid]?$krb) { KRB::c = KRB::f$conns[KRB::cid]return (cat(KRB::c$id$resp_h, :, KRB::c$id$resp_p))}}return (cat(Serial: , KRB::f$info$x509$certificate$serial, Subject: , KRB::f$info$x509$certificate$subject, Issuer: , KRB::f$info$x509$certificate$issuer))}}])) +0.000000 MetaHookPre CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_SMB, [get_file_handle=SMB::get_file_handle{ if (!(SMB::c$smb_state?$current_file && (SMB::c$smb_state$current_file?$name || SMB::c$smb_state$current_file?$path))) { return ()}SMB::current_file = SMB::c$smb_state$current_fileSMB::path_name = SMB::current_file?$path ? SMB::current_file$path : SMB::file_name = SMB::current_file?$name ? 
SMB::current_file$name : SMB::last_mod = cat(SMB::current_file?$times ? SMB::current_file$times$modified : double_to_time(0.0))return (hexdump(cat(Analyzer::ANALYZER_SMB, SMB::c$id$orig_h, SMB::c$id$resp_h, SMB::path_name, SMB::file_name, SMB::last_mod)))}, describe=SMB::describe_file{ SMB::cid{ if (SMB::f$source != SMB) return ()for ([SMB::cid] in SMB::f$conns) { SMB::info = SMB::f$conns[SMB::cid]if (SMB::info?$smb_state && SMB::info$smb_state?$current_file && SMB::info$smb_state$current_file?$name) return (SMB::info$smb_state$current_file$name)}return ()}}])) 0.000000 MetaHookPre CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_SMTP, [get_file_handle=SMTP::get_file_handle{ return (cat(Analyzer::ANALYZER_SMTP, SMTP::c$start_time, SMTP::c$smtp$trans_depth, SMTP::c$smtp_state$mime_depth))}, describe=SMTP::describe_file{ SMTP::cid{ if (SMTP::f$source != SMTP) return ()for ([SMTP::cid] in SMTP::f$conns) { SMTP::c = SMTP::f$conns[SMTP::cid]return (SMTP::describe(SMTP::c$smtp))}return ()}}])) 0.000000 MetaHookPre CallFunction(Files::register_protocol, , (Analyzer::ANALYZER_SSL, [get_file_handle=SSL::get_file_handle{ return ()}, describe=SSL::describe_file{ SSL::cid{ if (SSL::f$source != SSL || !SSL::f?$info || !SSL::f$info?$x509 || !SSL::f$info$x509?$certificate) return ()for ([SSL::cid] in SSL::f$conns) { if (SSL::f$conns[SSL::cid]?$ssl) { SSL::c = SSL::f$conns[SSL::cid]return (cat(SSL::c$id$resp_h, :, SSL::c$id$resp_p))}}return (cat(Serial: , SSL::f$info$x509$certificate$serial, Subject: , SSL::f$info$x509$certificate$subject, Issuer: , SSL::f$info$x509$certificate$issuer))}}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, , (Broker::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=broker, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) 0.000000 MetaHookPre CallFunction(Log::__add_filter, , (Cluster::LOG, 
[name=default, writer=Log::WRITER_ASCII, pred=, path=cluster, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::__add_filter, , (Communication::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=communication, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, , (Config::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=config, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) 0.000000 MetaHookPre CallFunction(Log::__add_filter, , (Conn::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=conn, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) 0.000000 MetaHookPre CallFunction(Log::__add_filter, , (DCE_RPC::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=dce_rpc, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) 0.000000 MetaHookPre CallFunction(Log::__add_filter, , (DHCP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=dhcp, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) 
@@ -912,6 +1036,8 @@ 0.000000 MetaHookPre CallFunction(Log::__add_filter, , (RFB::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=rfb, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) 0.000000 MetaHookPre CallFunction(Log::__add_filter, , (Reporter::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=reporter, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) 0.000000 MetaHookPre CallFunction(Log::__add_filter, , (SIP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=sip, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, , (SMB::FILES_LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=smb_files, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__add_filter, , (SMB::MAPPING_LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=smb_mapping, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) 0.000000 MetaHookPre CallFunction(Log::__add_filter, , (SMTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=smtp, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) 0.000000 MetaHookPre CallFunction(Log::__add_filter, , (SNMP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, 
path=snmp, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) 0.000000 MetaHookPre CallFunction(Log::__add_filter, , (SOCKS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=socks, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) 
@@ -925,8 +1051,9 @@ 0.000000 MetaHookPre CallFunction(Log::__add_filter, , (Weird::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=weird, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) 0.000000 MetaHookPre CallFunction(Log::__add_filter, , (X509::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=x509, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) 0.000000 MetaHookPre CallFunction(Log::__add_filter, , (mysql::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=mysql, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Broker::LOG, [columns=, ev=, path=broker])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Cluster::LOG, [columns=, ev=, path=cluster])) -0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Communication::LOG, [columns=, ev=, path=communication])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Config::LOG, [columns=, ev=Config::log_config, path=config])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Conn::LOG, [columns=, ev=Conn::log_conn, path=conn])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (DCE_RPC::LOG, [columns=, ev=, path=dce_rpc])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (DHCP::LOG, [columns=, ev=DHCP::log_dhcp, path=dhcp])) 
@@ -955,6 +1082,8 @@ 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (RFB::LOG, [columns=, ev=RFB::log_rfb, path=rfb])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Reporter::LOG, [columns=, ev=, path=reporter])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (SIP::LOG, [columns=, ev=SIP::log_sip, path=sip])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, , (SMB::FILES_LOG, [columns=, ev=, path=smb_files])) +0.000000 MetaHookPre CallFunction(Log::__create_stream, , (SMB::MAPPING_LOG, [columns=, ev=, path=smb_mapping])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (SMTP::LOG, [columns=, ev=SMTP::log_smtp, path=smtp])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (SNMP::LOG, [columns=, ev=SNMP::log_snmp, path=snmp])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (SOCKS::LOG, [columns=, ev=SOCKS::log_socks, path=socks])) 
@@ -968,9 +1097,10 @@ 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) -0.000000 MetaHookPre CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1485327769.512366, node=bro, filter=ip or not ip, init=T, success=T])) +0.000000 MetaHookPre CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1534522064.090237, node=bro, filter=ip or not ip, init=T, success=T])) +0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Broker::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Cluster::LOG)) -0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Communication::LOG)) +0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Config::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Conn::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (DCE_RPC::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (DHCP::LOG)) @@ -999,6 +1129,8 @@ 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (RFB::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Reporter::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (SIP::LOG)) +0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (SMB::FILES_LOG)) +0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (SMB::MAPPING_LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (SMTP::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (SNMP::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (SOCKS::LOG)) 
@@ -1012,8 +1144,9 @@ 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Weird::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (X509::LOG)) 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (mysql::LOG)) +0.000000 MetaHookPre CallFunction(Log::add_filter, , (Broker::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) 0.000000 MetaHookPre CallFunction(Log::add_filter, , (Cluster::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) -0.000000 MetaHookPre CallFunction(Log::add_filter, , (Communication::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::add_filter, , (Config::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) 0.000000 MetaHookPre CallFunction(Log::add_filter, , (Conn::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) 0.000000 MetaHookPre CallFunction(Log::add_filter, , (DCE_RPC::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, 
ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) 0.000000 MetaHookPre CallFunction(Log::add_filter, , (DHCP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) 
@@ -1042,6 +1175,8 @@ 0.000000 MetaHookPre CallFunction(Log::add_filter, , (RFB::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) 0.000000 MetaHookPre CallFunction(Log::add_filter, , (Reporter::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) 0.000000 MetaHookPre CallFunction(Log::add_filter, , (SIP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::add_filter, , (SMB::FILES_LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::add_filter, , (SMB::MAPPING_LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) 0.000000 MetaHookPre CallFunction(Log::add_filter, , (SMTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) 0.000000 MetaHookPre CallFunction(Log::add_filter, , (SNMP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, 
log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) 0.000000 MetaHookPre CallFunction(Log::add_filter, , (SOCKS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) 
@@ -1055,8 +1190,55 @@ 0.000000 MetaHookPre CallFunction(Log::add_filter, , (Weird::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) 0.000000 MetaHookPre CallFunction(Log::add_filter, , (X509::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) 0.000000 MetaHookPre CallFunction(Log::add_filter, , (mysql::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}])) +0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (Broker::LOG, default)) +0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (Cluster::LOG, default)) +0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (Config::LOG, default)) +0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (Conn::LOG, default)) +0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (DCE_RPC::LOG, default)) +0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (DHCP::LOG, default)) +0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (DNP3::LOG, default)) +0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (DNS::LOG, default)) +0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (DPD::LOG, default)) +0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (FTP::LOG, default)) +0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (Files::LOG, default)) +0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (HTTP::LOG, default)) +0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , 
(IRC::LOG, default)) +0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (Intel::LOG, default)) +0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (KRB::LOG, default)) +0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (Modbus::LOG, default)) +0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (NTLM::LOG, default)) +0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (NetControl::CATCH_RELEASE, default)) +0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (NetControl::DROP, default)) +0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (NetControl::LOG, default)) +0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (NetControl::SHUNT, default)) +0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (Notice::ALARM_LOG, default)) +0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (Notice::LOG, default)) +0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (OpenFlow::LOG, default)) +0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (PE::LOG, default)) +0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (PacketFilter::LOG, default)) +0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (RADIUS::LOG, default)) +0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (RDP::LOG, default)) +0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (RFB::LOG, default)) +0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (Reporter::LOG, default)) +0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (SIP::LOG, default)) +0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (SMB::FILES_LOG, default)) +0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (SMB::MAPPING_LOG, default)) +0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (SMTP::LOG, default)) +0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (SNMP::LOG, default)) +0.000000 MetaHookPre 
CallFunction(Log::add_stream_filters, , (SOCKS::LOG, default)) +0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (SSH::LOG, default)) +0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (SSL::LOG, default)) +0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (Signatures::LOG, default)) +0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (Software::LOG, default)) +0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (Syslog::LOG, default)) +0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (Tunnel::LOG, default)) +0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (Unified2::LOG, default)) +0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (Weird::LOG, default)) +0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (X509::LOG, default)) +0.000000 MetaHookPre CallFunction(Log::add_stream_filters, , (mysql::LOG, default)) +0.000000 MetaHookPre CallFunction(Log::create_stream, , (Broker::LOG, [columns=, ev=, path=broker])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (Cluster::LOG, [columns=, ev=, path=cluster])) -0.000000 MetaHookPre CallFunction(Log::create_stream, , (Communication::LOG, [columns=, ev=, path=communication])) +0.000000 MetaHookPre CallFunction(Log::create_stream, , (Config::LOG, [columns=, ev=Config::log_config, path=config])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (Conn::LOG, [columns=, ev=Conn::log_conn, path=conn])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (DCE_RPC::LOG, [columns=, ev=, path=dce_rpc])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (DHCP::LOG, [columns=, ev=DHCP::log_dhcp, path=dhcp])) 
@@ -1085,6 +1267,8 @@ 0.000000 MetaHookPre CallFunction(Log::create_stream, , (RFB::LOG, [columns=, ev=RFB::log_rfb, path=rfb])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (Reporter::LOG, [columns=, ev=, path=reporter])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (SIP::LOG, [columns=, ev=SIP::log_sip, path=sip])) +0.000000 MetaHookPre CallFunction(Log::create_stream, , (SMB::FILES_LOG, [columns=, ev=, path=smb_files])) +0.000000 MetaHookPre CallFunction(Log::create_stream, , (SMB::MAPPING_LOG, [columns=, ev=, path=smb_mapping])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (SMTP::LOG, [columns=, ev=SMTP::log_smtp, path=smtp])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (SNMP::LOG, [columns=, ev=SNMP::log_snmp, path=snmp])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (SOCKS::LOG, [columns=, ev=SOCKS::log_socks, path=socks])) @@ -1098,7 +1282,7 @@ 0.000000 MetaHookPre CallFunction(Log::create_stream, , (Weird::LOG, [columns=, ev=Weird::log_weird, path=weird])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (X509::LOG, [columns=, ev=X509::log_x509, path=x509])) 0.000000 MetaHookPre CallFunction(Log::create_stream, , (mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql])) -0.000000 MetaHookPre CallFunction(Log::write, , (PacketFilter::LOG, [ts=1485327769.512366, node=bro, filter=ip or not ip, init=T, success=T])) +0.000000 MetaHookPre CallFunction(Log::write, , (PacketFilter::LOG, [ts=1534522064.090237, node=bro, filter=ip or not ip, init=T, success=T])) 0.000000 MetaHookPre CallFunction(NetControl::check_plugins, , ()) 0.000000 MetaHookPre CallFunction(NetControl::init, , ()) 0.000000 MetaHookPre CallFunction(Notice::want_pp, , ()) 
@@ -1126,7 +1310,9 @@ 0.000000 MetaHookPre CallFunction(bro_init, , ()) 0.000000 MetaHookPre CallFunction(current_time, , ()) 0.000000 MetaHookPre CallFunction(filter_change_tracking, , ()) +0.000000 MetaHookPre CallFunction(getenv, , (BRO_DEFAULT_LISTEN_ADDRESS)) 0.000000 MetaHookPre CallFunction(getenv, , (CLUSTER_NODE)) +0.000000 MetaHookPre CallFunction(global_ids, , ()) 0.000000 MetaHookPre CallFunction(network_time, , ()) 0.000000 MetaHookPre CallFunction(reading_live_traffic, , ()) 0.000000 MetaHookPre CallFunction(reading_traces, , ()) 
@@ -1134,309 +1320,327 @@ 0.000000 MetaHookPre CallFunction(string_to_pattern, , ((^\.?|\.)()$, F)) 0.000000 MetaHookPre CallFunction(sub, , ((^\.?|\.)(~~)$, <...>/, )) 0.000000 MetaHookPre DrainEvents() -0.000000 MetaHookPre LoadFile(../main) -0.000000 MetaHookPre LoadFile(../plugin) -0.000000 MetaHookPre LoadFile(./Bro_ARP.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_AYIYA.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_AsciiReader.ascii.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_AsciiWriter.ascii.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_BackDoor.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_BenchmarkReader.benchmark.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_BinaryReader.binary.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_BitTorrent.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_ConnSize.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_ConnSize.functions.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_DCE_RPC.consts.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_DCE_RPC.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_DCE_RPC.types.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_DHCP.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_DNP3.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_DNS.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_FTP.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_FTP.functions.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_File.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_FileEntropy.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_FileExtract.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_FileExtract.functions.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_FileHash.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_Finger.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_GSSAPI.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_GSSAPI.types.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_GTPv1.events.bif.bro) -0.000000 MetaHookPre 
LoadFile(./Bro_Gnutella.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_HTTP.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_HTTP.functions.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_ICMP.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_IMAP.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_IRC.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_Ident.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_InterConn.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_KRB.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_KRB.types.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_Login.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_Login.functions.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_MIME.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_Modbus.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_MySQL.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_NCP.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_NTLM.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_NTLM.types.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_NTP.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_NetBIOS.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_NetBIOS.functions.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_NoneWriter.none.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_PE.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_PIA.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_POP3.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_RADIUS.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_RDP.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_RDP.types.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_RFB.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_RPC.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_RawReader.raw.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_SIP.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_SMB.consts.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_SMB.events.bif.bro) -0.000000 MetaHookPre 
LoadFile(./Bro_SMB.smb1_com_check_directory.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_SMB.smb1_com_close.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_SMB.smb1_com_create_directory.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_SMB.smb1_com_echo.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_SMB.smb1_com_logoff_andx.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_SMB.smb1_com_negotiate.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_SMB.smb1_com_nt_cancel.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_SMB.smb1_com_nt_create_andx.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_SMB.smb1_com_query_information.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_SMB.smb1_com_read_andx.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_SMB.smb1_com_session_setup_andx.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_SMB.smb1_com_transaction.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_SMB.smb1_com_transaction2.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_SMB.smb1_com_tree_connect_andx.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_SMB.smb1_com_tree_disconnect.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_SMB.smb1_com_write_andx.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_SMB.smb1_events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_SMB.smb2_com_close.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_SMB.smb2_com_create.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_SMB.smb2_com_negotiate.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_SMB.smb2_com_read.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_SMB.smb2_com_session_setup.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_SMB.smb2_com_set_info.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_SMB.smb2_com_tree_connect.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_SMB.smb2_com_tree_disconnect.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_SMB.smb2_com_write.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_SMB.smb2_events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_SMB.types.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_SMTP.events.bif.bro) -0.000000 
MetaHookPre LoadFile(./Bro_SMTP.functions.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_SNMP.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_SNMP.types.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_SOCKS.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_SQLiteReader.sqlite.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_SQLiteWriter.sqlite.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_SSH.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_SSH.types.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_SSL.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_SSL.functions.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_SSL.types.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_SteppingStone.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_Syslog.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_TCP.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_TCP.functions.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_Teredo.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_UDP.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_Unified2.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_Unified2.types.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_X509.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_X509.functions.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_X509.types.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_XMPP.events.bif.bro) -0.000000 MetaHookPre LoadFile(./Bro_ZIP.events.bif.bro) -0.000000 MetaHookPre LoadFile(./acld) -0.000000 MetaHookPre LoadFile(./addrs) -0.000000 MetaHookPre LoadFile(./analyzer.bif.bro) -0.000000 MetaHookPre LoadFile(./average) -0.000000 MetaHookPre LoadFile(./bloom-filter.bif.bro) -0.000000 MetaHookPre LoadFile(./bro.bif.bro) -0.000000 MetaHookPre LoadFile(./broker) -0.000000 MetaHookPre LoadFile(./broxygen.bif.bro) -0.000000 MetaHookPre LoadFile(./cardinality-counter.bif.bro) -0.000000 MetaHookPre LoadFile(./catch-and-release) -0.000000 MetaHookPre LoadFile(./comm.bif.bro) -0.000000 MetaHookPre LoadFile(./const-dos-error) 
-0.000000 MetaHookPre LoadFile(./const-nt-status) -0.000000 MetaHookPre LoadFile(./const.bif.bro) -0.000000 MetaHookPre LoadFile(./consts) -0.000000 MetaHookPre LoadFile(./consts.bro) -0.000000 MetaHookPre LoadFile(./contents) -0.000000 MetaHookPre LoadFile(./data.bif.bro) -0.000000 MetaHookPre LoadFile(./dcc-send) -0.000000 MetaHookPre LoadFile(./debug) -0.000000 MetaHookPre LoadFile(./drop) -0.000000 MetaHookPre LoadFile(./entities) -0.000000 MetaHookPre LoadFile(./event.bif.bro) -0.000000 MetaHookPre LoadFile(./exec) -0.000000 MetaHookPre LoadFile(./file_analysis.bif.bro) -0.000000 MetaHookPre LoadFile(./files) -0.000000 MetaHookPre LoadFile(./gridftp) -0.000000 MetaHookPre LoadFile(./hll_unique) -0.000000 MetaHookPre LoadFile(./hooks.bif.bro) -0.000000 MetaHookPre LoadFile(./inactivity) -0.000000 MetaHookPre LoadFile(./info) -0.000000 MetaHookPre LoadFile(./init.bro) -0.000000 MetaHookPre LoadFile(./input) -0.000000 MetaHookPre LoadFile(./input.bif.bro) -0.000000 MetaHookPre LoadFile(./last) -0.000000 MetaHookPre LoadFile(./log) -0.000000 MetaHookPre LoadFile(./logging.bif.bro) -0.000000 MetaHookPre LoadFile(./magic) -0.000000 MetaHookPre LoadFile(./main) -0.000000 MetaHookPre LoadFile(./main.bro) -0.000000 MetaHookPre LoadFile(./max) -0.000000 MetaHookPre LoadFile(./messaging.bif.bro) -0.000000 MetaHookPre LoadFile(./min) -0.000000 MetaHookPre LoadFile(./mozilla-ca-list) -0.000000 MetaHookPre LoadFile(./netstats) -0.000000 MetaHookPre LoadFile(./non-cluster) -0.000000 MetaHookPre LoadFile(./openflow) -0.000000 MetaHookPre LoadFile(./packetfilter) -0.000000 MetaHookPre LoadFile(./patterns) -0.000000 MetaHookPre LoadFile(./pcap.bif.bro) -0.000000 MetaHookPre LoadFile(./plugin) -0.000000 MetaHookPre LoadFile(./plugins) -0.000000 MetaHookPre LoadFile(./polling) -0.000000 MetaHookPre LoadFile(./postprocessors) -0.000000 MetaHookPre LoadFile(./reporter.bif.bro) -0.000000 MetaHookPre LoadFile(./ryu) -0.000000 MetaHookPre LoadFile(./sample) -0.000000 MetaHookPre 
LoadFile(./scp) -0.000000 MetaHookPre LoadFile(./sftp) -0.000000 MetaHookPre LoadFile(./shunt) -0.000000 MetaHookPre LoadFile(./site) -0.000000 MetaHookPre LoadFile(./stats.bif.bro) -0.000000 MetaHookPre LoadFile(./std-dev) -0.000000 MetaHookPre LoadFile(./store) -0.000000 MetaHookPre LoadFile(./store.bif.bro) -0.000000 MetaHookPre LoadFile(./strings.bif.bro) -0.000000 MetaHookPre LoadFile(./sum) -0.000000 MetaHookPre LoadFile(./thresholds) -0.000000 MetaHookPre LoadFile(./top-k.bif.bro) -0.000000 MetaHookPre LoadFile(./topk) -0.000000 MetaHookPre LoadFile(./types) -0.000000 MetaHookPre LoadFile(./types.bif.bro) -0.000000 MetaHookPre LoadFile(./types.bro) -0.000000 MetaHookPre LoadFile(./unique) -0.000000 MetaHookPre LoadFile(./utils) -0.000000 MetaHookPre LoadFile(./utils-commands) -0.000000 MetaHookPre LoadFile(./utils.bro) -0.000000 MetaHookPre LoadFile(./variance) -0.000000 MetaHookPre LoadFile(./weird) -0.000000 MetaHookPre LoadFile(.<...>/add-geodata) -0.000000 MetaHookPre LoadFile(.<...>/ascii) -0.000000 MetaHookPre LoadFile(.<...>/benchmark) -0.000000 MetaHookPre LoadFile(.<...>/binary) -0.000000 MetaHookPre LoadFile(.<...>/drop) -0.000000 MetaHookPre LoadFile(.<...>/email_admin) -0.000000 MetaHookPre LoadFile(.<...>/hostnames) -0.000000 MetaHookPre LoadFile(.<...>/none) -0.000000 MetaHookPre LoadFile(.<...>/page) -0.000000 MetaHookPre LoadFile(.<...>/pp-alarms) -0.000000 MetaHookPre LoadFile(.<...>/raw) -0.000000 MetaHookPre LoadFile(.<...>/sqlite) -0.000000 MetaHookPre LoadFile(<...>/__load__.bro) -0.000000 MetaHookPre LoadFile(<...>/__preload__.bro) -0.000000 MetaHookPre LoadFile(<...>/hooks.bro) -0.000000 MetaHookPre LoadFile(base/bif) -0.000000 MetaHookPre LoadFile(base/init-default.bro) -0.000000 MetaHookPre LoadFile(base<...>/Bro_KRB.types.bif) -0.000000 MetaHookPre LoadFile(base<...>/Bro_SNMP.types.bif) -0.000000 MetaHookPre LoadFile(base<...>/active-http) -0.000000 MetaHookPre LoadFile(base<...>/addrs) -0.000000 MetaHookPre 
LoadFile(base<...>/analyzer) -0.000000 MetaHookPre LoadFile(base<...>/analyzer.bif) -0.000000 MetaHookPre LoadFile(base<...>/bro.bif) -0.000000 MetaHookPre LoadFile(base<...>/broker) -0.000000 MetaHookPre LoadFile(base<...>/cluster) -0.000000 MetaHookPre LoadFile(base<...>/comm.bif) -0.000000 MetaHookPre LoadFile(base<...>/communication) -0.000000 MetaHookPre LoadFile(base<...>/conn) -0.000000 MetaHookPre LoadFile(base<...>/conn-ids) -0.000000 MetaHookPre LoadFile(base<...>/const.bif.bro) -0.000000 MetaHookPre LoadFile(base<...>/control) -0.000000 MetaHookPre LoadFile(base<...>/data.bif) -0.000000 MetaHookPre LoadFile(base<...>/dce-rpc) -0.000000 MetaHookPre LoadFile(base<...>/dhcp) -0.000000 MetaHookPre LoadFile(base<...>/dir) -0.000000 MetaHookPre LoadFile(base<...>/directions-and-hosts) -0.000000 MetaHookPre LoadFile(base<...>/dnp3) -0.000000 MetaHookPre LoadFile(base<...>/dns) -0.000000 MetaHookPre LoadFile(base<...>/dpd) -0.000000 MetaHookPre LoadFile(base<...>/email) -0.000000 MetaHookPre LoadFile(base<...>/event.bif) -0.000000 MetaHookPre LoadFile(base<...>/exec) -0.000000 MetaHookPre LoadFile(base<...>/extract) -0.000000 MetaHookPre LoadFile(base<...>/file_analysis.bif) -0.000000 MetaHookPre LoadFile(base<...>/files) -0.000000 MetaHookPre LoadFile(base<...>/find-checksum-offloading) -0.000000 MetaHookPre LoadFile(base<...>/find-filtered-trace) -0.000000 MetaHookPre LoadFile(base<...>/ftp) -0.000000 MetaHookPre LoadFile(base<...>/geoip-distance) -0.000000 MetaHookPre LoadFile(base<...>/hash) -0.000000 MetaHookPre LoadFile(base<...>/http) -0.000000 MetaHookPre LoadFile(base<...>/imap) -0.000000 MetaHookPre LoadFile(base<...>/input) -0.000000 MetaHookPre LoadFile(base<...>/input.bif) -0.000000 MetaHookPre LoadFile(base<...>/intel) -0.000000 MetaHookPre LoadFile(base<...>/irc) -0.000000 MetaHookPre LoadFile(base<...>/json) -0.000000 MetaHookPre LoadFile(base<...>/krb) -0.000000 MetaHookPre LoadFile(base<...>/logging) -0.000000 MetaHookPre 
LoadFile(base<...>/logging.bif) -0.000000 MetaHookPre LoadFile(base<...>/main) -0.000000 MetaHookPre LoadFile(base<...>/messaging.bif) -0.000000 MetaHookPre LoadFile(base<...>/modbus) -0.000000 MetaHookPre LoadFile(base<...>/mysql) -0.000000 MetaHookPre LoadFile(base<...>/netcontrol) -0.000000 MetaHookPre LoadFile(base<...>/notice) -0.000000 MetaHookPre LoadFile(base<...>/ntlm) -0.000000 MetaHookPre LoadFile(base<...>/numbers) -0.000000 MetaHookPre LoadFile(base<...>/openflow) -0.000000 MetaHookPre LoadFile(base<...>/packet-filter) -0.000000 MetaHookPre LoadFile(base<...>/paths) -0.000000 MetaHookPre LoadFile(base<...>/patterns) -0.000000 MetaHookPre LoadFile(base<...>/pe) -0.000000 MetaHookPre LoadFile(base<...>/plugins) -0.000000 MetaHookPre LoadFile(base<...>/pop3) -0.000000 MetaHookPre LoadFile(base<...>/queue) -0.000000 MetaHookPre LoadFile(base<...>/radius) -0.000000 MetaHookPre LoadFile(base<...>/rdp) -0.000000 MetaHookPre LoadFile(base<...>/reporter) -0.000000 MetaHookPre LoadFile(base<...>/reporter.bif) -0.000000 MetaHookPre LoadFile(base<...>/rfb) -0.000000 MetaHookPre LoadFile(base<...>/signatures) -0.000000 MetaHookPre LoadFile(base<...>/sip) -0.000000 MetaHookPre LoadFile(base<...>/site) -0.000000 MetaHookPre LoadFile(base<...>/smb) -0.000000 MetaHookPre LoadFile(base<...>/smtp) -0.000000 MetaHookPre LoadFile(base<...>/snmp) -0.000000 MetaHookPre LoadFile(base<...>/socks) -0.000000 MetaHookPre LoadFile(base<...>/software) -0.000000 MetaHookPre LoadFile(base<...>/ssh) -0.000000 MetaHookPre LoadFile(base<...>/ssl) -0.000000 MetaHookPre LoadFile(base<...>/store.bif) -0.000000 MetaHookPre LoadFile(base<...>/strings) -0.000000 MetaHookPre LoadFile(base<...>/strings.bif) -0.000000 MetaHookPre LoadFile(base<...>/sumstats) -0.000000 MetaHookPre LoadFile(base<...>/syslog) -0.000000 MetaHookPre LoadFile(base<...>/thresholds) -0.000000 MetaHookPre LoadFile(base<...>/time) -0.000000 MetaHookPre LoadFile(base<...>/tunnels) -0.000000 MetaHookPre 
LoadFile(base<...>/types.bif) -0.000000 MetaHookPre LoadFile(base<...>/unified2) -0.000000 MetaHookPre LoadFile(base<...>/urls) -0.000000 MetaHookPre LoadFile(base<...>/utils) -0.000000 MetaHookPre LoadFile(base<...>/version) -0.000000 MetaHookPre LoadFile(base<...>/weird) -0.000000 MetaHookPre LoadFile(base<...>/x509) -0.000000 MetaHookPre LoadFile(base<...>/xmpp) +0.000000 MetaHookPre LoadFile(0, ..<...>/main.bro) +0.000000 MetaHookPre LoadFile(0, ..<...>/plugin.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_ARP.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_AsciiReader.ascii.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_AsciiWriter.ascii.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_BackDoor.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_BenchmarkReader.benchmark.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_BinaryReader.binary.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_BitTorrent.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_ConfigReader.config.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_ConnSize.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_ConnSize.functions.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_DCE_RPC.consts.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_DCE_RPC.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_DCE_RPC.types.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_DHCP.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_DHCP.types.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_DNP3.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_DNS.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_FTP.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_FTP.functions.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_File.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_FileEntropy.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, 
.<...>/Bro_FileExtract.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_FileExtract.functions.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_FileHash.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_Finger.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_GSSAPI.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_GTPv1.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_Gnutella.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_HTTP.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_HTTP.functions.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_ICMP.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_IMAP.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_IRC.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_Ident.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_InterConn.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_KRB.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_KRB.types.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_Login.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_Login.functions.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_MIME.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_Modbus.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_MySQL.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_NCP.consts.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_NCP.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_NTLM.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_NTLM.types.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_NTP.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_NetBIOS.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_NetBIOS.functions.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_NoneWriter.none.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_PE.events.bif.bro) 
+0.000000 MetaHookPre LoadFile(0, .<...>/Bro_POP3.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_RADIUS.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_RDP.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_RDP.types.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_RFB.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_RPC.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_RawReader.raw.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SIP.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.consts.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb1_com_check_directory.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb1_com_close.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb1_com_create_directory.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb1_com_echo.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb1_com_logoff_andx.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb1_com_negotiate.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb1_com_nt_cancel.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb1_com_nt_create_andx.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb1_com_query_information.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb1_com_read_andx.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb1_com_session_setup_andx.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb1_com_transaction.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb1_com_transaction2.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb1_com_transaction2_secondary.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb1_com_transaction_secondary.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb1_com_tree_connect_andx.bif.bro) +0.000000 MetaHookPre LoadFile(0, 
.<...>/Bro_SMB.smb1_com_tree_disconnect.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb1_com_write_andx.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb1_events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb2_com_close.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb2_com_create.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb2_com_negotiate.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb2_com_read.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb2_com_session_setup.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb2_com_set_info.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb2_com_tree_connect.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb2_com_tree_disconnect.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb2_com_write.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.smb2_events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMB.types.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMTP.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SMTP.functions.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SNMP.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SNMP.types.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SOCKS.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SQLiteReader.sqlite.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SQLiteWriter.sqlite.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SSH.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SSH.types.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SSL.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SSL.functions.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SSL.types.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_SteppingStone.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_Syslog.events.bif.bro) +0.000000 MetaHookPre 
LoadFile(0, .<...>/Bro_TCP.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_TCP.functions.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_Teredo.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_UDP.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_Unified2.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_Unified2.types.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_X509.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_X509.functions.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_X509.ocsp_events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_X509.types.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/Bro_XMPP.events.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/acld.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/add-geodata.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/addrs.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/analyzer.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/ascii.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/average.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/benchmark.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/binary.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/bloom-filter.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/bro.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/broker.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/broxygen.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/cardinality-counter.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/catch-and-release.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/comm.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/config.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/const-dos-error.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/const-nt-status.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/const.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/consts.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/contents.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/ct-list.bro) +0.000000 MetaHookPre 
LoadFile(0, .<...>/data.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/dcc-send.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/debug.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/drop.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/email_admin.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/entities.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/event.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/exec.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/file_analysis.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/files.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/gridftp.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/hll_unique.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/hooks.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/inactivity.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/info.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/init.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/input.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/input.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/last.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/log.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/logging.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/magic) +0.000000 MetaHookPre LoadFile(0, .<...>/main.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/max.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/messaging.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/min.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/mozilla-ca-list.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/netstats.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/non-cluster.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/none.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/openflow.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/option.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/packetfilter.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/page.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/patterns.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/pcap.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/plugin.bro) +0.000000 
MetaHookPre LoadFile(0, .<...>/plugins) +0.000000 MetaHookPre LoadFile(0, .<...>/polling.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/pools.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/postprocessors) +0.000000 MetaHookPre LoadFile(0, .<...>/pp-alarms.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/raw.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/reporter.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/ryu.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/sample.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/scp.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/sftp.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/shunt.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/site.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/smb1-main.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/smb2-main.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/sqlite.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/stats.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/std-dev.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/store.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/store.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/strings.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/sum.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/thresholds.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/top-k.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/topk.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/types.bif.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/types.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/unique.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/utils-commands.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/utils.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/variance.bro) +0.000000 MetaHookPre LoadFile(0, .<...>/weird.bro) +0.000000 MetaHookPre LoadFile(0, <...>/__load__.bro) +0.000000 MetaHookPre LoadFile(0, <...>/__preload__.bro) +0.000000 MetaHookPre LoadFile(0, <...>/hooks.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/Bro_KRB.types.bif.bro) +0.000000 MetaHookPre LoadFile(0, 
base<...>/Bro_SNMP.types.bif.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/active-http.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/addrs.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/analyzer) +0.000000 MetaHookPre LoadFile(0, base<...>/analyzer.bif.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/bif) +0.000000 MetaHookPre LoadFile(0, base<...>/bro.bif.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/broker) +0.000000 MetaHookPre LoadFile(0, base<...>/cluster) +0.000000 MetaHookPre LoadFile(0, base<...>/comm.bif.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/config) +0.000000 MetaHookPre LoadFile(0, base<...>/conn) +0.000000 MetaHookPre LoadFile(0, base<...>/conn-ids.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/const.bif.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/control) +0.000000 MetaHookPre LoadFile(0, base<...>/data.bif.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/dce-rpc) +0.000000 MetaHookPre LoadFile(0, base<...>/dhcp) +0.000000 MetaHookPre LoadFile(0, base<...>/dir.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/directions-and-hosts.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/dnp3) +0.000000 MetaHookPre LoadFile(0, base<...>/dns) +0.000000 MetaHookPre LoadFile(0, base<...>/dpd) +0.000000 MetaHookPre LoadFile(0, base<...>/email.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/event.bif.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/exec.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/extract) +0.000000 MetaHookPre LoadFile(0, base<...>/file_analysis.bif.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/files) +0.000000 MetaHookPre LoadFile(0, base<...>/files.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/find-checksum-offloading.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/find-filtered-trace.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/ftp) +0.000000 MetaHookPre LoadFile(0, base<...>/geoip-distance.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/hash) +0.000000 MetaHookPre LoadFile(0, base<...>/hash_hrw.bro) 
+0.000000 MetaHookPre LoadFile(0, base<...>/http) +0.000000 MetaHookPre LoadFile(0, base<...>/imap) +0.000000 MetaHookPre LoadFile(0, base<...>/init-default.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/init-frameworks-and-bifs.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/input) +0.000000 MetaHookPre LoadFile(0, base<...>/input.bif.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/intel) +0.000000 MetaHookPre LoadFile(0, base<...>/irc) +0.000000 MetaHookPre LoadFile(0, base<...>/json.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/krb) +0.000000 MetaHookPre LoadFile(0, base<...>/logging) +0.000000 MetaHookPre LoadFile(0, base<...>/logging.bif.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/main.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/messaging.bif.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/modbus) +0.000000 MetaHookPre LoadFile(0, base<...>/mysql) +0.000000 MetaHookPre LoadFile(0, base<...>/netcontrol) +0.000000 MetaHookPre LoadFile(0, base<...>/notice) +0.000000 MetaHookPre LoadFile(0, base<...>/ntlm) +0.000000 MetaHookPre LoadFile(0, base<...>/numbers.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/openflow) +0.000000 MetaHookPre LoadFile(0, base<...>/option.bif.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/packet-filter) +0.000000 MetaHookPre LoadFile(0, base<...>/paths.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/patterns.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/pe) +0.000000 MetaHookPre LoadFile(0, base<...>/plugins) +0.000000 MetaHookPre LoadFile(0, base<...>/pop3) +0.000000 MetaHookPre LoadFile(0, base<...>/queue.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/radius) +0.000000 MetaHookPre LoadFile(0, base<...>/rdp) +0.000000 MetaHookPre LoadFile(0, base<...>/reporter) +0.000000 MetaHookPre LoadFile(0, base<...>/reporter.bif.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/rfb) +0.000000 MetaHookPre LoadFile(0, base<...>/signatures) +0.000000 MetaHookPre LoadFile(0, base<...>/sip) +0.000000 MetaHookPre LoadFile(0, 
base<...>/site.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/smb) +0.000000 MetaHookPre LoadFile(0, base<...>/smtp) +0.000000 MetaHookPre LoadFile(0, base<...>/snmp) +0.000000 MetaHookPre LoadFile(0, base<...>/socks) +0.000000 MetaHookPre LoadFile(0, base<...>/software) +0.000000 MetaHookPre LoadFile(0, base<...>/ssh) +0.000000 MetaHookPre LoadFile(0, base<...>/ssl) +0.000000 MetaHookPre LoadFile(0, base<...>/stats.bif.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/store.bif.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/strings.bif.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/strings.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/sumstats) +0.000000 MetaHookPre LoadFile(0, base<...>/syslog) +0.000000 MetaHookPre LoadFile(0, base<...>/thresholds.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/time.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/tunnels) +0.000000 MetaHookPre LoadFile(0, base<...>/types.bif.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/unified2) +0.000000 MetaHookPre LoadFile(0, base<...>/urls.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/utils.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/version.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/weird.bro) +0.000000 MetaHookPre LoadFile(0, base<...>/x509) +0.000000 MetaHookPre LoadFile(0, base<...>/xmpp) +0.000000 MetaHookPre LoadFile(1, .<...>/archive.sig) +0.000000 MetaHookPre LoadFile(1, .<...>/audio.sig) +0.000000 MetaHookPre LoadFile(1, .<...>/dpd.sig) +0.000000 MetaHookPre LoadFile(1, .<...>/font.sig) +0.000000 MetaHookPre LoadFile(1, .<...>/general.sig) +0.000000 MetaHookPre LoadFile(1, .<...>/image.sig) +0.000000 MetaHookPre LoadFile(1, .<...>/libmagic.sig) +0.000000 MetaHookPre LoadFile(1, .<...>/msoffice.sig) +0.000000 MetaHookPre LoadFile(1, .<...>/video.sig) +0.000000 MetaHookPre LogInit(Log::WRITER_ASCII, default, true, true, packet_filter(0.0,0.0,0.0), 5, {ts (time), node (string), filter (string), init (bool), success (bool)}) +0.000000 MetaHookPre 
LogWrite(Log::WRITER_ASCII, default, packet_filter(0.0,0.0,0.0), 5, {ts (time), node (string), filter (string), init (bool), success (bool)}, ) 0.000000 MetaHookPre QueueEvent(NetControl::init()) 0.000000 MetaHookPre QueueEvent(bro_init()) 0.000000 MetaHookPre QueueEvent(filter_change_tracking()) @@ -1446,6 +1650,7 @@ 0.000000 | HookCallFunction Analyzer::__disable_analyzer(Analyzer::ANALYZER_TCPSTATS) 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_AYIYA, 5072/udp) 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_DCE_RPC, 135/tcp) +0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_DHCP, 4011/udp) 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_DHCP, 67/udp) 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_DHCP, 68/udp) 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_DNP3_TCP, 20000/tcp) @@ -1481,6 +1686,8 @@ 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_RADIUS, 1812/udp) 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_RDP, 3389/tcp) 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_SIP, 5060/udp) +0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_SMB, 139/tcp) +0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_SMB, 445/tcp) 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_SMTP, 25/tcp) 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_SMTP, 587/tcp) 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_SNMP, 161/udp) 
@@ -1508,6 +1715,7 @@ 0.000000 | HookCallFunction Analyzer::disable_analyzer(Analyzer::ANALYZER_TCPSTATS) 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_AYIYA, 5072/udp) 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_DCE_RPC, 135/tcp) +0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_DHCP, 4011/udp) 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_DHCP, 67/udp) 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_DHCP, 68/udp) 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_DNP3_TCP, 20000/tcp) @@ -1543,6 +1751,8 @@ 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_RADIUS, 1812/udp) 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_RDP, 3389/tcp) 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_SIP, 5060/udp) +0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_SMB, 139/tcp) +0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_SMB, 445/tcp) 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_SMTP, 25/tcp) 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_SMTP, 587/tcp) 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_SNMP, 161/udp) 
@@ -1582,6 +1792,7 @@ 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_RADIUS, {1812/udp}) 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_RDP, {3389/tcp}) 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_SIP, {5060/udp}) +0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_SMB, {139<...>/tcp}) 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_SMTP, {587<...>/tcp}) 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_SNMP, {162<...>/udp}) 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_SOCKS, {1080/tcp}) 
@@ -1591,8 +1802,21 @@ 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_TEREDO, {3544/udp}) 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_XMPP, {5222<...>/tcp}) 0.000000 | HookCallFunction Cluster::is_enabled() +0.000000 | HookCallFunction Cluster::local_node_type() +0.000000 | HookCallFunction Cluster::register_pool([topic=bro<...>/logger, node_type=Cluster::LOGGER, max_nodes=, exclusive=F]) +0.000000 | HookCallFunction Cluster::register_pool([topic=bro<...>/proxy, node_type=Cluster::PROXY, max_nodes=, exclusive=F]) +0.000000 | HookCallFunction Cluster::register_pool([topic=bro<...>/worker, node_type=Cluster::WORKER, max_nodes=, exclusive=F]) 0.000000 | HookCallFunction Files::register_analyzer_add_callback(Files::ANALYZER_EXTRACT, FileExtract::on_add{ if (!FileExtract::args?$extract_filename) FileExtract::args$extract_filename = cat(extract-, FileExtract::f$last_active, -, FileExtract::f$source, -, FileExtract::f$id)FileExtract::f$info$extracted = FileExtract::args$extract_filenameFileExtract::args$extract_filename = build_path_compressed(FileExtract::prefix, FileExtract::args$extract_filename)FileExtract::f$info$extracted_cutoff = Fmkdir(FileExtract::prefix)}) +0.000000 | HookCallFunction Files::register_for_mime_type(Files::ANALYZER_MD5, application/pkix-cert) +0.000000 | HookCallFunction Files::register_for_mime_type(Files::ANALYZER_MD5, application/x-x509-ca-cert) +0.000000 | HookCallFunction Files::register_for_mime_type(Files::ANALYZER_MD5, application/x-x509-user-cert) 0.000000 | HookCallFunction Files::register_for_mime_type(Files::ANALYZER_PE, application/x-dosexec) +0.000000 | HookCallFunction Files::register_for_mime_type(Files::ANALYZER_SHA1, application/pkix-cert) +0.000000 | HookCallFunction Files::register_for_mime_type(Files::ANALYZER_SHA1, application/x-x509-ca-cert) +0.000000 | HookCallFunction Files::register_for_mime_type(Files::ANALYZER_SHA1, application/x-x509-user-cert) +0.000000 | 
HookCallFunction Files::register_for_mime_type(Files::ANALYZER_X509, application/pkix-cert) +0.000000 | HookCallFunction Files::register_for_mime_type(Files::ANALYZER_X509, application/x-x509-ca-cert) +0.000000 | HookCallFunction Files::register_for_mime_type(Files::ANALYZER_X509, application/x-x509-user-cert) 0.000000 | HookCallFunction Files::register_for_mime_types(Files::ANALYZER_PE, {application/x-dosexec}) 0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_DTLS, [get_file_handle=SSL::get_file_handle{ return ()}, describe=SSL::describe_file{ SSL::cid{ if (SSL::f$source != SSL || !SSL::f?$info || !SSL::f$info?$x509 || !SSL::f$info$x509?$certificate) return ()for ([SSL::cid] in SSL::f$conns) { if (SSL::f$conns[SSL::cid]?$ssl) { SSL::c = SSL::f$conns[SSL::cid]return (cat(SSL::c$id$resp_h, :, SSL::c$id$resp_p))}}return (cat(Serial: , SSL::f$info$x509$certificate$serial, Subject: , SSL::f$info$x509$certificate$subject, Issuer: , SSL::f$info$x509$certificate$issuer))}}]) 0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_FTP_DATA, [get_file_handle=FTP::get_file_handle{ if (!FTP::c$id$resp_h, FTP::c$id$resp_p in FTP::ftp_data_expected) return ()return (cat(Analyzer::ANALYZER_FTP_DATA, FTP::c$start_time, FTP::c$id, FTP::is_orig))}, describe=FTP::describe_file{ FTP::cid{ if (FTP::f$source != FTP) return ()for ([FTP::cid] in FTP::f$conns) { if (FTP::f$conns[FTP::cid]?$ftp) return (FTP::describe(FTP::f$conns[FTP::cid]$ftp))}return ()}}]) 
@@ -1600,10 +1824,12 @@ 0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_IRC_DATA, [get_file_handle=IRC::get_file_handle{ return (cat(Analyzer::ANALYZER_IRC_DATA, IRC::c$start_time, IRC::c$id, IRC::is_orig))}, describe=anonymous-function{ return ()}]) 0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_KRB, [get_file_handle=KRB::get_file_handle{ return ()}, describe=KRB::describe_file{ KRB::cid{ if (KRB::f$source != KRB_TCP && KRB::f$source != KRB) return ()if (!KRB::f?$info || !KRB::f$info?$x509 || !KRB::f$info$x509?$certificate) return ()for ([KRB::cid] in KRB::f$conns) { if (KRB::f$conns[KRB::cid]?$krb) { KRB::c = KRB::f$conns[KRB::cid]return (cat(KRB::c$id$resp_h, :, KRB::c$id$resp_p))}}return (cat(Serial: , KRB::f$info$x509$certificate$serial, Subject: , KRB::f$info$x509$certificate$subject, Issuer: , KRB::f$info$x509$certificate$issuer))}}]) 0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_KRB_TCP, [get_file_handle=KRB::get_file_handle{ return ()}, describe=KRB::describe_file{ KRB::cid{ if (KRB::f$source != KRB_TCP && KRB::f$source != KRB) return ()if (!KRB::f?$info || !KRB::f$info?$x509 || !KRB::f$info$x509?$certificate) return ()for ([KRB::cid] in KRB::f$conns) { if (KRB::f$conns[KRB::cid]?$krb) { KRB::c = KRB::f$conns[KRB::cid]return (cat(KRB::c$id$resp_h, :, KRB::c$id$resp_p))}}return (cat(Serial: , KRB::f$info$x509$certificate$serial, Subject: , KRB::f$info$x509$certificate$subject, Issuer: , KRB::f$info$x509$certificate$issuer))}}]) +0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_SMB, [get_file_handle=SMB::get_file_handle{ if (!(SMB::c$smb_state?$current_file && (SMB::c$smb_state$current_file?$name || SMB::c$smb_state$current_file?$path))) { return ()}SMB::current_file = SMB::c$smb_state$current_fileSMB::path_name = SMB::current_file?$path ? SMB::current_file$path : SMB::file_name = SMB::current_file?$name ? 
SMB::current_file$name : SMB::last_mod = cat(SMB::current_file?$times ? SMB::current_file$times$modified : double_to_time(0.0))return (hexdump(cat(Analyzer::ANALYZER_SMB, SMB::c$id$orig_h, SMB::c$id$resp_h, SMB::path_name, SMB::file_name, SMB::last_mod)))}, describe=SMB::describe_file{ SMB::cid{ if (SMB::f$source != SMB) return ()for ([SMB::cid] in SMB::f$conns) { SMB::info = SMB::f$conns[SMB::cid]if (SMB::info?$smb_state && SMB::info$smb_state?$current_file && SMB::info$smb_state$current_file?$name) return (SMB::info$smb_state$current_file$name)}return ()}}]) 0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_SMTP, [get_file_handle=SMTP::get_file_handle{ return (cat(Analyzer::ANALYZER_SMTP, SMTP::c$start_time, SMTP::c$smtp$trans_depth, SMTP::c$smtp_state$mime_depth))}, describe=SMTP::describe_file{ SMTP::cid{ if (SMTP::f$source != SMTP) return ()for ([SMTP::cid] in SMTP::f$conns) { SMTP::c = SMTP::f$conns[SMTP::cid]return (SMTP::describe(SMTP::c$smtp))}return ()}}]) 0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_SSL, [get_file_handle=SSL::get_file_handle{ return ()}, describe=SSL::describe_file{ SSL::cid{ if (SSL::f$source != SSL || !SSL::f?$info || !SSL::f$info?$x509 || !SSL::f$info$x509?$certificate) return ()for ([SSL::cid] in SSL::f$conns) { if (SSL::f$conns[SSL::cid]?$ssl) { SSL::c = SSL::f$conns[SSL::cid]return (cat(SSL::c$id$resp_h, :, SSL::c$id$resp_p))}}return (cat(Serial: , SSL::f$info$x509$certificate$serial, Subject: , SSL::f$info$x509$certificate$subject, Issuer: , SSL::f$info$x509$certificate$issuer))}}]) +0.000000 | HookCallFunction Log::__add_filter(Broker::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=broker, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}]) 0.000000 | HookCallFunction Log::__add_filter(Cluster::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, 
path=cluster, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}]) -0.000000 | HookCallFunction Log::__add_filter(Communication::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=communication, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::__add_filter(Config::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=config, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}]) 0.000000 | HookCallFunction Log::__add_filter(Conn::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=conn, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}]) 0.000000 | HookCallFunction Log::__add_filter(DCE_RPC::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=dce_rpc, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}]) 0.000000 | HookCallFunction Log::__add_filter(DHCP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=dhcp, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}]) 
@@ -1632,6 +1858,8 @@ 0.000000 | HookCallFunction Log::__add_filter(RFB::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=rfb, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}]) 0.000000 | HookCallFunction Log::__add_filter(Reporter::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=reporter, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}]) 0.000000 | HookCallFunction Log::__add_filter(SIP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=sip, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::__add_filter(SMB::FILES_LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=smb_files, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::__add_filter(SMB::MAPPING_LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=smb_mapping, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}]) 0.000000 | HookCallFunction Log::__add_filter(SMTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=smtp, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}]) 0.000000 | HookCallFunction Log::__add_filter(SNMP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=snmp, path_func=, include=, exclude=, log_local=T, log_remote=T, 
field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}]) 0.000000 | HookCallFunction Log::__add_filter(SOCKS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=socks, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}]) 
@@ -1645,8 +1873,9 @@ 0.000000 | HookCallFunction Log::__add_filter(Weird::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=weird, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}]) 0.000000 | HookCallFunction Log::__add_filter(X509::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=x509, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}]) 0.000000 | HookCallFunction Log::__add_filter(mysql::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=mysql, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::__create_stream(Broker::LOG, [columns=, ev=, path=broker]) 0.000000 | HookCallFunction Log::__create_stream(Cluster::LOG, [columns=, ev=, path=cluster]) -0.000000 | HookCallFunction Log::__create_stream(Communication::LOG, [columns=, ev=, path=communication]) +0.000000 | HookCallFunction Log::__create_stream(Config::LOG, [columns=, ev=Config::log_config, path=config]) 0.000000 | HookCallFunction Log::__create_stream(Conn::LOG, [columns=, ev=Conn::log_conn, path=conn]) 0.000000 | HookCallFunction Log::__create_stream(DCE_RPC::LOG, [columns=, ev=, path=dce_rpc]) 0.000000 | HookCallFunction Log::__create_stream(DHCP::LOG, [columns=, ev=DHCP::log_dhcp, path=dhcp]) 
@@ -1675,6 +1904,8 @@ 0.000000 | HookCallFunction Log::__create_stream(RFB::LOG, [columns=, ev=RFB::log_rfb, path=rfb]) 0.000000 | HookCallFunction Log::__create_stream(Reporter::LOG, [columns=, ev=, path=reporter]) 0.000000 | HookCallFunction Log::__create_stream(SIP::LOG, [columns=, ev=SIP::log_sip, path=sip]) +0.000000 | HookCallFunction Log::__create_stream(SMB::FILES_LOG, [columns=, ev=, path=smb_files]) +0.000000 | HookCallFunction Log::__create_stream(SMB::MAPPING_LOG, [columns=, ev=, path=smb_mapping]) 0.000000 | HookCallFunction Log::__create_stream(SMTP::LOG, [columns=, ev=SMTP::log_smtp, path=smtp]) 0.000000 | HookCallFunction Log::__create_stream(SNMP::LOG, [columns=, ev=SNMP::log_snmp, path=snmp]) 0.000000 | HookCallFunction Log::__create_stream(SOCKS::LOG, [columns=, ev=SOCKS::log_socks, path=socks]) @@ -1688,9 +1919,10 @@ 0.000000 | HookCallFunction Log::__create_stream(Weird::LOG, [columns=, ev=Weird::log_weird, path=weird]) 0.000000 | HookCallFunction Log::__create_stream(X509::LOG, [columns=, ev=X509::log_x509, path=x509]) 0.000000 | HookCallFunction Log::__create_stream(mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql]) -0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1485327769.512366, node=bro, filter=ip or not ip, init=T, success=T]) +0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1534522064.090237, node=bro, filter=ip or not ip, init=T, success=T]) +0.000000 | HookCallFunction Log::add_default_filter(Broker::LOG) 0.000000 | HookCallFunction Log::add_default_filter(Cluster::LOG) -0.000000 | HookCallFunction Log::add_default_filter(Communication::LOG) +0.000000 | HookCallFunction Log::add_default_filter(Config::LOG) 0.000000 | HookCallFunction Log::add_default_filter(Conn::LOG) 0.000000 | HookCallFunction Log::add_default_filter(DCE_RPC::LOG) 0.000000 | HookCallFunction Log::add_default_filter(DHCP::LOG) 
@@ -1719,6 +1951,8 @@ 0.000000 | HookCallFunction Log::add_default_filter(RFB::LOG) 0.000000 | HookCallFunction Log::add_default_filter(Reporter::LOG) 0.000000 | HookCallFunction Log::add_default_filter(SIP::LOG) +0.000000 | HookCallFunction Log::add_default_filter(SMB::FILES_LOG) +0.000000 | HookCallFunction Log::add_default_filter(SMB::MAPPING_LOG) 0.000000 | HookCallFunction Log::add_default_filter(SMTP::LOG) 0.000000 | HookCallFunction Log::add_default_filter(SNMP::LOG) 0.000000 | HookCallFunction Log::add_default_filter(SOCKS::LOG) 
@@ -1732,8 +1966,9 @@ 0.000000 | HookCallFunction Log::add_default_filter(Weird::LOG) 0.000000 | HookCallFunction Log::add_default_filter(X509::LOG) 0.000000 | HookCallFunction Log::add_default_filter(mysql::LOG) +0.000000 | HookCallFunction Log::add_filter(Broker::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}]) 0.000000 | HookCallFunction Log::add_filter(Cluster::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}]) -0.000000 | HookCallFunction Log::add_filter(Communication::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::add_filter(Config::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}]) 0.000000 | HookCallFunction Log::add_filter(Conn::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}]) 0.000000 | HookCallFunction Log::add_filter(DCE_RPC::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}]) 0.000000 | HookCallFunction 
Log::add_filter(DHCP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}]) 
@@ -1762,6 +1997,8 @@ 0.000000 | HookCallFunction Log::add_filter(RFB::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}]) 0.000000 | HookCallFunction Log::add_filter(Reporter::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}]) 0.000000 | HookCallFunction Log::add_filter(SIP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::add_filter(SMB::FILES_LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::add_filter(SMB::MAPPING_LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}]) 0.000000 | HookCallFunction Log::add_filter(SMTP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}]) 0.000000 | HookCallFunction Log::add_filter(SNMP::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, 
ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}]) 0.000000 | HookCallFunction Log::add_filter(SOCKS::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}]) 
@@ -1775,8 +2012,55 @@ 0.000000 | HookCallFunction Log::add_filter(Weird::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}]) 0.000000 | HookCallFunction Log::add_filter(X509::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}]) 0.000000 | HookCallFunction Log::add_filter(mysql::LOG, [name=default, writer=Log::WRITER_ASCII, pred=, path=, path_func=, include=, exclude=, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=anonymous-function, interv=0 secs, postprocessor=, config={}]) +0.000000 | HookCallFunction Log::add_stream_filters(Broker::LOG, default) +0.000000 | HookCallFunction Log::add_stream_filters(Cluster::LOG, default) +0.000000 | HookCallFunction Log::add_stream_filters(Config::LOG, default) +0.000000 | HookCallFunction Log::add_stream_filters(Conn::LOG, default) +0.000000 | HookCallFunction Log::add_stream_filters(DCE_RPC::LOG, default) +0.000000 | HookCallFunction Log::add_stream_filters(DHCP::LOG, default) +0.000000 | HookCallFunction Log::add_stream_filters(DNP3::LOG, default) +0.000000 | HookCallFunction Log::add_stream_filters(DNS::LOG, default) +0.000000 | HookCallFunction Log::add_stream_filters(DPD::LOG, default) +0.000000 | HookCallFunction Log::add_stream_filters(FTP::LOG, default) +0.000000 | HookCallFunction Log::add_stream_filters(Files::LOG, default) +0.000000 | HookCallFunction Log::add_stream_filters(HTTP::LOG, default) +0.000000 | HookCallFunction Log::add_stream_filters(IRC::LOG, default) +0.000000 | HookCallFunction Log::add_stream_filters(Intel::LOG, default) +0.000000 | HookCallFunction Log::add_stream_filters(KRB::LOG, default) +0.000000 | 
HookCallFunction Log::add_stream_filters(Modbus::LOG, default) +0.000000 | HookCallFunction Log::add_stream_filters(NTLM::LOG, default) +0.000000 | HookCallFunction Log::add_stream_filters(NetControl::CATCH_RELEASE, default) +0.000000 | HookCallFunction Log::add_stream_filters(NetControl::DROP, default) +0.000000 | HookCallFunction Log::add_stream_filters(NetControl::LOG, default) +0.000000 | HookCallFunction Log::add_stream_filters(NetControl::SHUNT, default) +0.000000 | HookCallFunction Log::add_stream_filters(Notice::ALARM_LOG, default) +0.000000 | HookCallFunction Log::add_stream_filters(Notice::LOG, default) +0.000000 | HookCallFunction Log::add_stream_filters(OpenFlow::LOG, default) +0.000000 | HookCallFunction Log::add_stream_filters(PE::LOG, default) +0.000000 | HookCallFunction Log::add_stream_filters(PacketFilter::LOG, default) +0.000000 | HookCallFunction Log::add_stream_filters(RADIUS::LOG, default) +0.000000 | HookCallFunction Log::add_stream_filters(RDP::LOG, default) +0.000000 | HookCallFunction Log::add_stream_filters(RFB::LOG, default) +0.000000 | HookCallFunction Log::add_stream_filters(Reporter::LOG, default) +0.000000 | HookCallFunction Log::add_stream_filters(SIP::LOG, default) +0.000000 | HookCallFunction Log::add_stream_filters(SMB::FILES_LOG, default) +0.000000 | HookCallFunction Log::add_stream_filters(SMB::MAPPING_LOG, default) +0.000000 | HookCallFunction Log::add_stream_filters(SMTP::LOG, default) +0.000000 | HookCallFunction Log::add_stream_filters(SNMP::LOG, default) +0.000000 | HookCallFunction Log::add_stream_filters(SOCKS::LOG, default) +0.000000 | HookCallFunction Log::add_stream_filters(SSH::LOG, default) +0.000000 | HookCallFunction Log::add_stream_filters(SSL::LOG, default) +0.000000 | HookCallFunction Log::add_stream_filters(Signatures::LOG, default) +0.000000 | HookCallFunction Log::add_stream_filters(Software::LOG, default) +0.000000 | HookCallFunction Log::add_stream_filters(Syslog::LOG, default) +0.000000 | HookCallFunction 
Log::add_stream_filters(Tunnel::LOG, default) +0.000000 | HookCallFunction Log::add_stream_filters(Unified2::LOG, default) +0.000000 | HookCallFunction Log::add_stream_filters(Weird::LOG, default) +0.000000 | HookCallFunction Log::add_stream_filters(X509::LOG, default) +0.000000 | HookCallFunction Log::add_stream_filters(mysql::LOG, default) +0.000000 | HookCallFunction Log::create_stream(Broker::LOG, [columns=, ev=, path=broker]) 0.000000 | HookCallFunction Log::create_stream(Cluster::LOG, [columns=, ev=, path=cluster]) -0.000000 | HookCallFunction Log::create_stream(Communication::LOG, [columns=, ev=, path=communication]) +0.000000 | HookCallFunction Log::create_stream(Config::LOG, [columns=, ev=Config::log_config, path=config]) 0.000000 | HookCallFunction Log::create_stream(Conn::LOG, [columns=, ev=Conn::log_conn, path=conn]) 0.000000 | HookCallFunction Log::create_stream(DCE_RPC::LOG, [columns=, ev=, path=dce_rpc]) 0.000000 | HookCallFunction Log::create_stream(DHCP::LOG, [columns=, ev=DHCP::log_dhcp, path=dhcp]) @@ -1805,6 +2089,8 @@ 0.000000 | HookCallFunction Log::create_stream(RFB::LOG, [columns=, ev=RFB::log_rfb, path=rfb]) 0.000000 | HookCallFunction Log::create_stream(Reporter::LOG, [columns=, ev=, path=reporter]) 0.000000 | HookCallFunction Log::create_stream(SIP::LOG, [columns=, ev=SIP::log_sip, path=sip]) +0.000000 | HookCallFunction Log::create_stream(SMB::FILES_LOG, [columns=, ev=, path=smb_files]) +0.000000 | HookCallFunction Log::create_stream(SMB::MAPPING_LOG, [columns=, ev=, path=smb_mapping]) 0.000000 | HookCallFunction Log::create_stream(SMTP::LOG, [columns=, ev=SMTP::log_smtp, path=smtp]) 0.000000 | HookCallFunction Log::create_stream(SNMP::LOG, [columns=, ev=SNMP::log_snmp, path=snmp]) 0.000000 | HookCallFunction Log::create_stream(SOCKS::LOG, [columns=, ev=SOCKS::log_socks, path=socks]) 
@@ -1818,7 +2104,7 @@ 0.000000 | HookCallFunction Log::create_stream(Weird::LOG, [columns=, ev=Weird::log_weird, path=weird]) 0.000000 | HookCallFunction Log::create_stream(X509::LOG, [columns=, ev=X509::log_x509, path=x509]) 0.000000 | HookCallFunction Log::create_stream(mysql::LOG, [columns=, ev=MySQL::log_mysql, path=mysql]) -0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1485327769.512366, node=bro, filter=ip or not ip, init=T, success=T]) +0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1534522064.090237, node=bro, filter=ip or not ip, init=T, success=T]) 0.000000 | HookCallFunction NetControl::check_plugins() 0.000000 | HookCallFunction NetControl::init() 0.000000 | HookCallFunction Notice::want_pp() @@ -1846,7 +2132,9 @@ 0.000000 | HookCallFunction bro_init() 0.000000 | HookCallFunction current_time() 0.000000 | HookCallFunction filter_change_tracking() +0.000000 | HookCallFunction getenv(BRO_DEFAULT_LISTEN_ADDRESS) 0.000000 | HookCallFunction getenv(CLUSTER_NODE) +0.000000 | HookCallFunction global_ids() 0.000000 | HookCallFunction network_time() 0.000000 | HookCallFunction reading_live_traffic() 0.000000 | HookCallFunction reading_traces() 
@@ -1854,11 +2142,327 @@ 0.000000 | HookCallFunction string_to_pattern((^\.?|\.)()$, F) 0.000000 | HookCallFunction sub((^\.?|\.)(~~)$, <...>/, ) 0.000000 | HookDrainEvents -0.000000 | HookLoadFile ..<...>/bro -0.000000 | HookLoadFile .<...>/bro -0.000000 | HookLoadFile <...>/bro +0.000000 | HookLoadFile ..<...>/main.bro +0.000000 | HookLoadFile ..<...>/plugin.bro +0.000000 | HookLoadFile .<...>/Bro_ARP.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_AsciiReader.ascii.bif.bro +0.000000 | HookLoadFile .<...>/Bro_AsciiWriter.ascii.bif.bro +0.000000 | HookLoadFile .<...>/Bro_BackDoor.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_BenchmarkReader.benchmark.bif.bro +0.000000 | HookLoadFile .<...>/Bro_BinaryReader.binary.bif.bro +0.000000 | HookLoadFile .<...>/Bro_BitTorrent.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_ConfigReader.config.bif.bro +0.000000 | HookLoadFile .<...>/Bro_ConnSize.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_ConnSize.functions.bif.bro +0.000000 | HookLoadFile .<...>/Bro_DCE_RPC.consts.bif.bro +0.000000 | HookLoadFile .<...>/Bro_DCE_RPC.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_DCE_RPC.types.bif.bro +0.000000 | HookLoadFile .<...>/Bro_DHCP.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_DHCP.types.bif.bro +0.000000 | HookLoadFile .<...>/Bro_DNP3.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_DNS.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_FTP.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_FTP.functions.bif.bro +0.000000 | HookLoadFile .<...>/Bro_File.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_FileEntropy.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_FileExtract.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_FileExtract.functions.bif.bro +0.000000 | HookLoadFile .<...>/Bro_FileHash.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_Finger.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_GSSAPI.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_GTPv1.events.bif.bro +0.000000 | 
HookLoadFile .<...>/Bro_Gnutella.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_HTTP.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_HTTP.functions.bif.bro +0.000000 | HookLoadFile .<...>/Bro_ICMP.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_IMAP.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_IRC.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_Ident.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_InterConn.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_KRB.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_KRB.types.bif.bro +0.000000 | HookLoadFile .<...>/Bro_Login.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_Login.functions.bif.bro +0.000000 | HookLoadFile .<...>/Bro_MIME.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_Modbus.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_MySQL.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_NCP.consts.bif.bro +0.000000 | HookLoadFile .<...>/Bro_NCP.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_NTLM.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_NTLM.types.bif.bro +0.000000 | HookLoadFile .<...>/Bro_NTP.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_NetBIOS.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_NetBIOS.functions.bif.bro +0.000000 | HookLoadFile .<...>/Bro_NoneWriter.none.bif.bro +0.000000 | HookLoadFile .<...>/Bro_PE.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_POP3.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_RADIUS.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_RDP.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_RDP.types.bif.bro +0.000000 | HookLoadFile .<...>/Bro_RFB.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_RPC.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_RawReader.raw.bif.bro +0.000000 | HookLoadFile .<...>/Bro_SIP.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_SMB.consts.bif.bro +0.000000 | HookLoadFile .<...>/Bro_SMB.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_SMB.smb1_com_check_directory.bif.bro +0.000000 | 
HookLoadFile .<...>/Bro_SMB.smb1_com_close.bif.bro +0.000000 | HookLoadFile .<...>/Bro_SMB.smb1_com_create_directory.bif.bro +0.000000 | HookLoadFile .<...>/Bro_SMB.smb1_com_echo.bif.bro +0.000000 | HookLoadFile .<...>/Bro_SMB.smb1_com_logoff_andx.bif.bro +0.000000 | HookLoadFile .<...>/Bro_SMB.smb1_com_negotiate.bif.bro +0.000000 | HookLoadFile .<...>/Bro_SMB.smb1_com_nt_cancel.bif.bro +0.000000 | HookLoadFile .<...>/Bro_SMB.smb1_com_nt_create_andx.bif.bro +0.000000 | HookLoadFile .<...>/Bro_SMB.smb1_com_query_information.bif.bro +0.000000 | HookLoadFile .<...>/Bro_SMB.smb1_com_read_andx.bif.bro +0.000000 | HookLoadFile .<...>/Bro_SMB.smb1_com_session_setup_andx.bif.bro +0.000000 | HookLoadFile .<...>/Bro_SMB.smb1_com_transaction.bif.bro +0.000000 | HookLoadFile .<...>/Bro_SMB.smb1_com_transaction2.bif.bro +0.000000 | HookLoadFile .<...>/Bro_SMB.smb1_com_transaction2_secondary.bif.bro +0.000000 | HookLoadFile .<...>/Bro_SMB.smb1_com_transaction_secondary.bif.bro +0.000000 | HookLoadFile .<...>/Bro_SMB.smb1_com_tree_connect_andx.bif.bro +0.000000 | HookLoadFile .<...>/Bro_SMB.smb1_com_tree_disconnect.bif.bro +0.000000 | HookLoadFile .<...>/Bro_SMB.smb1_com_write_andx.bif.bro +0.000000 | HookLoadFile .<...>/Bro_SMB.smb1_events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_SMB.smb2_com_close.bif.bro +0.000000 | HookLoadFile .<...>/Bro_SMB.smb2_com_create.bif.bro +0.000000 | HookLoadFile .<...>/Bro_SMB.smb2_com_negotiate.bif.bro +0.000000 | HookLoadFile .<...>/Bro_SMB.smb2_com_read.bif.bro +0.000000 | HookLoadFile .<...>/Bro_SMB.smb2_com_session_setup.bif.bro +0.000000 | HookLoadFile .<...>/Bro_SMB.smb2_com_set_info.bif.bro +0.000000 | HookLoadFile .<...>/Bro_SMB.smb2_com_tree_connect.bif.bro +0.000000 | HookLoadFile .<...>/Bro_SMB.smb2_com_tree_disconnect.bif.bro +0.000000 | HookLoadFile .<...>/Bro_SMB.smb2_com_write.bif.bro +0.000000 | HookLoadFile .<...>/Bro_SMB.smb2_events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_SMB.types.bif.bro +0.000000 | HookLoadFile 
.<...>/Bro_SMTP.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_SMTP.functions.bif.bro +0.000000 | HookLoadFile .<...>/Bro_SNMP.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_SNMP.types.bif.bro +0.000000 | HookLoadFile .<...>/Bro_SOCKS.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_SQLiteReader.sqlite.bif.bro +0.000000 | HookLoadFile .<...>/Bro_SQLiteWriter.sqlite.bif.bro +0.000000 | HookLoadFile .<...>/Bro_SSH.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_SSH.types.bif.bro +0.000000 | HookLoadFile .<...>/Bro_SSL.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_SSL.functions.bif.bro +0.000000 | HookLoadFile .<...>/Bro_SSL.types.bif.bro +0.000000 | HookLoadFile .<...>/Bro_SteppingStone.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_Syslog.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_TCP.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_TCP.functions.bif.bro +0.000000 | HookLoadFile .<...>/Bro_Teredo.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_UDP.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_Unified2.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_Unified2.types.bif.bro +0.000000 | HookLoadFile .<...>/Bro_X509.events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_X509.functions.bif.bro +0.000000 | HookLoadFile .<...>/Bro_X509.ocsp_events.bif.bro +0.000000 | HookLoadFile .<...>/Bro_X509.types.bif.bro +0.000000 | HookLoadFile .<...>/Bro_XMPP.events.bif.bro +0.000000 | HookLoadFile .<...>/acld.bro +0.000000 | HookLoadFile .<...>/add-geodata.bro +0.000000 | HookLoadFile .<...>/addrs.bro +0.000000 | HookLoadFile .<...>/analyzer.bif.bro +0.000000 | HookLoadFile .<...>/archive.sig +0.000000 | HookLoadFile .<...>/ascii.bro +0.000000 | HookLoadFile .<...>/audio.sig +0.000000 | HookLoadFile .<...>/average.bro +0.000000 | HookLoadFile .<...>/benchmark.bro +0.000000 | HookLoadFile .<...>/binary.bro +0.000000 | HookLoadFile .<...>/bloom-filter.bif.bro +0.000000 | HookLoadFile .<...>/bro.bif.bro +0.000000 | HookLoadFile .<...>/broker.bro 
+0.000000 | HookLoadFile .<...>/broxygen.bif.bro +0.000000 | HookLoadFile .<...>/cardinality-counter.bif.bro +0.000000 | HookLoadFile .<...>/catch-and-release.bro +0.000000 | HookLoadFile .<...>/comm.bif.bro +0.000000 | HookLoadFile .<...>/config.bro +0.000000 | HookLoadFile .<...>/const-dos-error.bro +0.000000 | HookLoadFile .<...>/const-nt-status.bro +0.000000 | HookLoadFile .<...>/const.bif.bro +0.000000 | HookLoadFile .<...>/consts.bro +0.000000 | HookLoadFile .<...>/contents.bro +0.000000 | HookLoadFile .<...>/ct-list.bro +0.000000 | HookLoadFile .<...>/data.bif.bro +0.000000 | HookLoadFile .<...>/dcc-send.bro +0.000000 | HookLoadFile .<...>/debug.bro +0.000000 | HookLoadFile .<...>/dpd.sig +0.000000 | HookLoadFile .<...>/drop.bro +0.000000 | HookLoadFile .<...>/email_admin.bro +0.000000 | HookLoadFile .<...>/entities.bro +0.000000 | HookLoadFile .<...>/event.bif.bro +0.000000 | HookLoadFile .<...>/exec.bro +0.000000 | HookLoadFile .<...>/file_analysis.bif.bro +0.000000 | HookLoadFile .<...>/files.bro +0.000000 | HookLoadFile .<...>/font.sig +0.000000 | HookLoadFile .<...>/general.sig +0.000000 | HookLoadFile .<...>/gridftp.bro +0.000000 | HookLoadFile .<...>/hll_unique.bro +0.000000 | HookLoadFile .<...>/hooks.bif.bro +0.000000 | HookLoadFile .<...>/image.sig +0.000000 | HookLoadFile .<...>/inactivity.bro +0.000000 | HookLoadFile .<...>/info.bro +0.000000 | HookLoadFile .<...>/init.bro +0.000000 | HookLoadFile .<...>/input.bif.bro +0.000000 | HookLoadFile .<...>/input.bro +0.000000 | HookLoadFile .<...>/last.bro +0.000000 | HookLoadFile .<...>/libmagic.sig +0.000000 | HookLoadFile .<...>/log.bro +0.000000 | HookLoadFile .<...>/logging.bif.bro +0.000000 | HookLoadFile .<...>/magic +0.000000 | HookLoadFile .<...>/main.bro +0.000000 | HookLoadFile .<...>/max.bro +0.000000 | HookLoadFile .<...>/messaging.bif.bro +0.000000 | HookLoadFile .<...>/min.bro +0.000000 | HookLoadFile .<...>/mozilla-ca-list.bro +0.000000 | HookLoadFile .<...>/msoffice.sig +0.000000 | 
HookLoadFile .<...>/netstats.bro +0.000000 | HookLoadFile .<...>/non-cluster.bro +0.000000 | HookLoadFile .<...>/none.bro +0.000000 | HookLoadFile .<...>/openflow.bro +0.000000 | HookLoadFile .<...>/option.bif.bro +0.000000 | HookLoadFile .<...>/packetfilter.bro +0.000000 | HookLoadFile .<...>/page.bro +0.000000 | HookLoadFile .<...>/patterns.bro +0.000000 | HookLoadFile .<...>/pcap.bif.bro +0.000000 | HookLoadFile .<...>/plugin.bro +0.000000 | HookLoadFile .<...>/plugins +0.000000 | HookLoadFile .<...>/polling.bro +0.000000 | HookLoadFile .<...>/pools.bro +0.000000 | HookLoadFile .<...>/postprocessors +0.000000 | HookLoadFile .<...>/pp-alarms.bro +0.000000 | HookLoadFile .<...>/raw.bro +0.000000 | HookLoadFile .<...>/reporter.bif.bro +0.000000 | HookLoadFile .<...>/ryu.bro +0.000000 | HookLoadFile .<...>/sample.bro +0.000000 | HookLoadFile .<...>/scp.bro +0.000000 | HookLoadFile .<...>/sftp.bro +0.000000 | HookLoadFile .<...>/shunt.bro +0.000000 | HookLoadFile .<...>/site.bro +0.000000 | HookLoadFile .<...>/smb1-main.bro +0.000000 | HookLoadFile .<...>/smb2-main.bro +0.000000 | HookLoadFile .<...>/sqlite.bro +0.000000 | HookLoadFile .<...>/stats.bif.bro +0.000000 | HookLoadFile .<...>/std-dev.bro +0.000000 | HookLoadFile .<...>/store.bif.bro +0.000000 | HookLoadFile .<...>/store.bro +0.000000 | HookLoadFile .<...>/strings.bif.bro +0.000000 | HookLoadFile .<...>/sum.bro +0.000000 | HookLoadFile .<...>/thresholds.bro +0.000000 | HookLoadFile .<...>/top-k.bif.bro +0.000000 | HookLoadFile .<...>/topk.bro +0.000000 | HookLoadFile .<...>/types.bif.bro +0.000000 | HookLoadFile .<...>/types.bro +0.000000 | HookLoadFile .<...>/unique.bro +0.000000 | HookLoadFile .<...>/utils-commands.bro +0.000000 | HookLoadFile .<...>/utils.bro +0.000000 | HookLoadFile .<...>/variance.bro +0.000000 | HookLoadFile .<...>/video.sig +0.000000 | HookLoadFile .<...>/weird.bro +0.000000 | HookLoadFile <...>/__load__.bro +0.000000 | HookLoadFile <...>/__preload__.bro +0.000000 | HookLoadFile 
<...>/hooks.bro +0.000000 | HookLoadFile base<...>/Bro_KRB.types.bif.bro +0.000000 | HookLoadFile base<...>/Bro_SNMP.types.bif.bro +0.000000 | HookLoadFile base<...>/active-http.bro +0.000000 | HookLoadFile base<...>/addrs.bro +0.000000 | HookLoadFile base<...>/analyzer +0.000000 | HookLoadFile base<...>/analyzer.bif.bro 0.000000 | HookLoadFile base<...>/bif -0.000000 | HookLoadFile base<...>/bro +0.000000 | HookLoadFile base<...>/bro.bif.bro +0.000000 | HookLoadFile base<...>/broker +0.000000 | HookLoadFile base<...>/cluster +0.000000 | HookLoadFile base<...>/comm.bif.bro +0.000000 | HookLoadFile base<...>/config +0.000000 | HookLoadFile base<...>/conn +0.000000 | HookLoadFile base<...>/conn-ids.bro +0.000000 | HookLoadFile base<...>/const.bif.bro +0.000000 | HookLoadFile base<...>/control +0.000000 | HookLoadFile base<...>/data.bif.bro +0.000000 | HookLoadFile base<...>/dce-rpc +0.000000 | HookLoadFile base<...>/dhcp +0.000000 | HookLoadFile base<...>/dir.bro +0.000000 | HookLoadFile base<...>/directions-and-hosts.bro +0.000000 | HookLoadFile base<...>/dnp3 +0.000000 | HookLoadFile base<...>/dns +0.000000 | HookLoadFile base<...>/dpd +0.000000 | HookLoadFile base<...>/email.bro +0.000000 | HookLoadFile base<...>/event.bif.bro +0.000000 | HookLoadFile base<...>/exec.bro +0.000000 | HookLoadFile base<...>/extract +0.000000 | HookLoadFile base<...>/file_analysis.bif.bro +0.000000 | HookLoadFile base<...>/files +0.000000 | HookLoadFile base<...>/files.bro +0.000000 | HookLoadFile base<...>/find-checksum-offloading.bro +0.000000 | HookLoadFile base<...>/find-filtered-trace.bro +0.000000 | HookLoadFile base<...>/ftp +0.000000 | HookLoadFile base<...>/geoip-distance.bro +0.000000 | HookLoadFile base<...>/hash +0.000000 | HookLoadFile base<...>/hash_hrw.bro +0.000000 | HookLoadFile base<...>/http +0.000000 | HookLoadFile base<...>/imap +0.000000 | HookLoadFile base<...>/init-default.bro +0.000000 | HookLoadFile base<...>/init-frameworks-and-bifs.bro +0.000000 | 
HookLoadFile base<...>/input +0.000000 | HookLoadFile base<...>/input.bif.bro +0.000000 | HookLoadFile base<...>/intel +0.000000 | HookLoadFile base<...>/irc +0.000000 | HookLoadFile base<...>/json.bro +0.000000 | HookLoadFile base<...>/krb +0.000000 | HookLoadFile base<...>/logging +0.000000 | HookLoadFile base<...>/logging.bif.bro +0.000000 | HookLoadFile base<...>/main.bro +0.000000 | HookLoadFile base<...>/messaging.bif.bro +0.000000 | HookLoadFile base<...>/modbus +0.000000 | HookLoadFile base<...>/mysql +0.000000 | HookLoadFile base<...>/netcontrol +0.000000 | HookLoadFile base<...>/notice +0.000000 | HookLoadFile base<...>/ntlm +0.000000 | HookLoadFile base<...>/numbers.bro +0.000000 | HookLoadFile base<...>/openflow +0.000000 | HookLoadFile base<...>/option.bif.bro +0.000000 | HookLoadFile base<...>/packet-filter +0.000000 | HookLoadFile base<...>/paths.bro +0.000000 | HookLoadFile base<...>/patterns.bro +0.000000 | HookLoadFile base<...>/pe +0.000000 | HookLoadFile base<...>/plugins +0.000000 | HookLoadFile base<...>/pop3 +0.000000 | HookLoadFile base<...>/queue.bro +0.000000 | HookLoadFile base<...>/radius +0.000000 | HookLoadFile base<...>/rdp +0.000000 | HookLoadFile base<...>/reporter +0.000000 | HookLoadFile base<...>/reporter.bif.bro +0.000000 | HookLoadFile base<...>/rfb +0.000000 | HookLoadFile base<...>/signatures +0.000000 | HookLoadFile base<...>/sip +0.000000 | HookLoadFile base<...>/site.bro +0.000000 | HookLoadFile base<...>/smb +0.000000 | HookLoadFile base<...>/smtp +0.000000 | HookLoadFile base<...>/snmp +0.000000 | HookLoadFile base<...>/socks +0.000000 | HookLoadFile base<...>/software +0.000000 | HookLoadFile base<...>/ssh +0.000000 | HookLoadFile base<...>/ssl +0.000000 | HookLoadFile base<...>/stats.bif.bro +0.000000 | HookLoadFile base<...>/store.bif.bro +0.000000 | HookLoadFile base<...>/strings.bif.bro +0.000000 | HookLoadFile base<...>/strings.bro +0.000000 | HookLoadFile base<...>/sumstats +0.000000 | HookLoadFile 
base<...>/syslog +0.000000 | HookLoadFile base<...>/thresholds.bro +0.000000 | HookLoadFile base<...>/time.bro +0.000000 | HookLoadFile base<...>/tunnels +0.000000 | HookLoadFile base<...>/types.bif.bro +0.000000 | HookLoadFile base<...>/unified2 +0.000000 | HookLoadFile base<...>/urls.bro +0.000000 | HookLoadFile base<...>/utils.bro +0.000000 | HookLoadFile base<...>/version.bro +0.000000 | HookLoadFile base<...>/weird.bro +0.000000 | HookLoadFile base<...>/x509 +0.000000 | HookLoadFile base<...>/xmpp +0.000000 | HookLogInit packet_filter 1/1 {ts (time), node (string), filter (string), init (bool), success (bool)} +0.000000 | HookLogWrite packet_filter [ts=1534522064.090237, node=bro, filter=ip or not ip, init=T, success=T] 0.000000 | HookQueueEvent NetControl::init() 0.000000 | HookQueueEvent bro_init() 0.000000 | HookQueueEvent filter_change_tracking() 
@@ -1868,11 +2472,12 @@ 1362692526.869344 MetaHookPost CallFunction(addr_to_subnet, , (141.142.228.5)) -> 1362692526.869344 MetaHookPost CallFunction(filter_change_tracking, , ()) -> 1362692526.869344 MetaHookPost CallFunction(get_net_stats, , ()) -> -1362692526.869344 MetaHookPost CallFunction(new_connection, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.0, service={}, history=, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) -> +1362692526.869344 MetaHookPost CallFunction(new_connection, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.0, service={}, history=, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) -> 1362692526.869344 MetaHookPost DrainEvents() -> 1362692526.869344 MetaHookPost QueueEvent(ChecksumOffloading::check()) -> false 1362692526.869344 MetaHookPost QueueEvent(filter_change_tracking()) -> false -1362692526.869344 MetaHookPost 
QueueEvent(new_connection([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.0, service={}, history=, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) -> false +1362692526.869344 MetaHookPost QueueEvent(new_connection([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.0, service={}, history=, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) -> false +1362692526.869344 MetaHookPost SetupAnalyzerTree(1362692526.869344(1362692526.869344) TCP 141.142.228.5:59856 -> 192.150.187.43:80) -> 1362692526.869344 MetaHookPost UpdateNetworkTime(1362692526.869344) -> 1362692526.869344 MetaHookPre BroObjDtor() 1362692526.869344 MetaHookPre CallFunction(ChecksumOffloading::check, , ()) 
@@ -1880,11 +2485,12 @@ 1362692526.869344 MetaHookPre CallFunction(addr_to_subnet, , (141.142.228.5)) 1362692526.869344 MetaHookPre CallFunction(filter_change_tracking, , ()) 1362692526.869344 MetaHookPre CallFunction(get_net_stats, , ()) -1362692526.869344 MetaHookPre CallFunction(new_connection, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.0, service={}, history=, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) +1362692526.869344 MetaHookPre CallFunction(new_connection, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.0, service={}, history=, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) 1362692526.869344 MetaHookPre DrainEvents() 1362692526.869344 MetaHookPre QueueEvent(ChecksumOffloading::check()) 1362692526.869344 MetaHookPre QueueEvent(filter_change_tracking()) -1362692526.869344 MetaHookPre QueueEvent(new_connection([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], 
orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.0, service={}, history=, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) +1362692526.869344 MetaHookPre QueueEvent(new_connection([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.0, service={}, history=, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) +1362692526.869344 MetaHookPre SetupAnalyzerTree(1362692526.869344(1362692526.869344) TCP 141.142.228.5:59856 -> 192.150.187.43:80) 1362692526.869344 MetaHookPre UpdateNetworkTime(1362692526.869344) 1362692526.869344 | HookBroObjDtor 1362692526.869344 | HookUpdateNetworkTime 1362692526.869344 
@@ -1893,30 +2499,31 @@ 1362692526.869344 | HookCallFunction addr_to_subnet(141.142.228.5) 1362692526.869344 | HookCallFunction filter_change_tracking() 1362692526.869344 | HookCallFunction get_net_stats() -1362692526.869344 | HookCallFunction new_connection([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.0, service={}, history=, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]) +1362692526.869344 | HookCallFunction new_connection([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.0, service={}, history=, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]) 1362692526.869344 | HookDrainEvents 1362692526.869344 | HookQueueEvent ChecksumOffloading::check() 1362692526.869344 | HookQueueEvent filter_change_tracking() -1362692526.869344 | HookQueueEvent new_connection([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, 
l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.0, service={}, history=, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]) +1362692526.869344 | HookQueueEvent new_connection([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.0, service={}, history=, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]) +1362692526.869344 | HookSetupAnalyzerTree 1362692526.869344(1362692526.869344) TCP 141.142.228.5:59856 -> 192.150.187.43:80 1362692526.869344 | RequestObjDtor ChecksumOffloading::check() 1362692526.939084 MetaHookPost CallFunction(NetControl::catch_release_seen, , (141.142.228.5)) -> 1362692526.939084 MetaHookPost CallFunction(addr_to_subnet, , (141.142.228.5)) -> -1362692526.939084 MetaHookPost CallFunction(connection_established, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, 
duration=0.06974, service={}, history=Sh, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) -> +1362692526.939084 MetaHookPost CallFunction(connection_established, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.06974, service={}, history=Sh, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) -> 1362692526.939084 MetaHookPost DrainEvents() -> -1362692526.939084 MetaHookPost QueueEvent(connection_established([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.06974, service={}, history=Sh, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) -> false +1362692526.939084 MetaHookPost 
QueueEvent(connection_established([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.06974, service={}, history=Sh, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) -> false 1362692526.939084 MetaHookPost UpdateNetworkTime(1362692526.939084) -> 1362692526.939084 MetaHookPre CallFunction(NetControl::catch_release_seen, , (141.142.228.5)) 1362692526.939084 MetaHookPre CallFunction(addr_to_subnet, , (141.142.228.5)) -1362692526.939084 MetaHookPre CallFunction(connection_established, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.06974, service={}, history=Sh, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) +1362692526.939084 MetaHookPre CallFunction(connection_established, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0, 
l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.06974, service={}, history=Sh, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) 1362692526.939084 MetaHookPre DrainEvents() -1362692526.939084 MetaHookPre QueueEvent(connection_established([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.06974, service={}, history=Sh, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) +1362692526.939084 MetaHookPre QueueEvent(connection_established([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.06974, service={}, history=Sh, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, 
syslog=])) 1362692526.939084 MetaHookPre UpdateNetworkTime(1362692526.939084) 1362692526.939084 | HookUpdateNetworkTime 1362692526.939084 1362692526.939084 | HookCallFunction NetControl::catch_release_seen(141.142.228.5) 1362692526.939084 | HookCallFunction addr_to_subnet(141.142.228.5) -1362692526.939084 | HookCallFunction connection_established([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.06974, service={}, history=Sh, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]) +1362692526.939084 | HookCallFunction connection_established([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.06974, service={}, history=Sh, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]) 1362692526.939084 | HookDrainEvents -1362692526.939084 | HookQueueEvent connection_established([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0, 
l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.06974, service={}, history=Sh, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]) +1362692526.939084 | HookQueueEvent connection_established([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.06974, service={}, history=Sh, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]) 1362692526.939378 MetaHookPost DrainEvents() -> 1362692526.939378 MetaHookPost UpdateNetworkTime(1362692526.939378) -> 1362692526.939378 MetaHookPre DrainEvents() 
@@ -1925,118 +2532,118 @@ 1362692526.939378 | HookDrainEvents 1362692526.939527 MetaHookPost CallFunction(Analyzer::__name, , (Analyzer::ANALYZER_HTTP)) -> 1362692526.939527 MetaHookPost CallFunction(Analyzer::name, , (Analyzer::ANALYZER_HTTP)) -> -1362692526.939527 MetaHookPost CallFunction(HTTP::get_file_handle, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -> -1362692526.939527 MetaHookPost CallFunction(HTTP::new_http_session, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={HTTP}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=[pending={}, current_request=1, current_response=0, trans_depth=0], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) -> -1362692526.939527 MetaHookPost CallFunction(HTTP::set_state, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, 
proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -> -1362692526.939527 MetaHookPost CallFunction(HTTP::set_state, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -> -1362692526.939527 MetaHookPost CallFunction(HTTP::set_state, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=, version=, user_agent=, request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=0, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -> -1362692526.939527 MetaHookPost CallFunction(HTTP::set_state, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=, version=, user_agent=, request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, 
capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -> -1362692526.939527 MetaHookPost CallFunction(HTTP::set_state, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={HTTP}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=[pending={}, current_request=1, current_response=0, trans_depth=0], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -> +1362692526.939527 MetaHookPost CallFunction(HTTP::get_file_handle, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -> +1362692526.939527 MetaHookPost CallFunction(HTTP::new_http_session, , ([id=[orig_h=141.142.228.5, 
orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={HTTP}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=[pending={}, current_request=1, current_response=0, trans_depth=0], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) -> +1362692526.939527 MetaHookPost CallFunction(HTTP::set_state, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -> +1362692526.939527 MetaHookPost CallFunction(HTTP::set_state, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, 
snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -> +1362692526.939527 MetaHookPost CallFunction(HTTP::set_state, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=, version=, user_agent=, request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=0, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -> +1362692526.939527 MetaHookPost CallFunction(HTTP::set_state, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=, version=, user_agent=, request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -> +1362692526.939527 MetaHookPost CallFunction(HTTP::set_state, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={HTTP}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, 
dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=[pending={}, current_request=1, current_response=0, trans_depth=0], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -> 1362692526.939527 MetaHookPost CallFunction(cat, , (Analyzer::ANALYZER_HTTP, 1362692526.869344, T, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)) -> 1362692526.939527 MetaHookPost CallFunction(fmt, , (%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp)) -> 1362692526.939527 MetaHookPost CallFunction(fmt, , (-%s, HTTP)) -> -1362692526.939527 MetaHookPost CallFunction(get_file_handle, , (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -> -1362692526.939527 MetaHookPost CallFunction(http_begin_entity, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=, version=, user_agent=, request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=0, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -> -1362692526.939527 MetaHookPost 
CallFunction(http_end_entity, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -> +1362692526.939527 MetaHookPost CallFunction(get_file_handle, , (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -> +1362692526.939527 MetaHookPost CallFunction(http_begin_entity, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=, version=, user_agent=, request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=0, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -> 
+1362692526.939527 MetaHookPost CallFunction(http_end_entity, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -> 1362692526.939527 MetaHookPost CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/*)) -> 1362692526.939527 MetaHookPost CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0))) -> -1362692526.939527 MetaHookPost CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T, CONNECTION, Keep-Alive)) -> -1362692526.939527 MetaHookPost CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], 
orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T, HOST, bro.org)) -> -1362692526.939527 MetaHookPost CallFunction(http_message_done, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T, [start=1362692526.939527, interrupted=F, finish_msg=message ends normally, body_length=0, content_gap_length=0, header_length=124])) -> +1362692526.939527 MetaHookPost CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T, CONNECTION, Keep-Alive)) -> +1362692526.939527 MetaHookPost CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, 
orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T, HOST, bro.org)) -> +1362692526.939527 MetaHookPost CallFunction(http_message_done, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T, [start=1362692526.939527, interrupted=F, finish_msg=message ends normally, body_length=0, content_gap_length=0, header_length=124])) -> 1362692526.939527 MetaHookPost CallFunction(http_request, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, 1.1)) -> 1362692526.939527 MetaHookPost CallFunction(id_string, , ([orig_h=141.142.228.5, orig_p=59856<...>/tcp])) -> 1362692526.939527 MetaHookPost CallFunction(network_time, , ()) -> -1362692526.939527 MetaHookPost CallFunction(protocol_confirmation, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, 
dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], Analyzer::ANALYZER_HTTP, 3)) -> +1362692526.939527 MetaHookPost CallFunction(protocol_confirmation, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], Analyzer::ANALYZER_HTTP, 3)) -> 1362692526.939527 MetaHookPost CallFunction(set_file_handle, , (Analyzer::ANALYZER_HTTP1362692526.869344T11141.142.228.5:59856 > 192.150.187.43:80)) -> 1362692526.939527 MetaHookPost CallFunction(split_string1, , (bro.org, <...>/)) -> 1362692526.939527 MetaHookPost DrainEvents() -> -1362692526.939527 MetaHookPost QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, 
modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -> false -1362692526.939527 MetaHookPost QueueEvent(http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -> false -1362692526.939527 MetaHookPost QueueEvent(http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -> false +1362692526.939527 MetaHookPost QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, 
duration=0.070183, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -> false +1362692526.939527 MetaHookPost QueueEvent(http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -> false +1362692526.939527 MetaHookPost QueueEvent(http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -> false 1362692526.939527 MetaHookPost 
QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/*)) -> false 1362692526.939527 MetaHookPost QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0))) -> false -1362692526.939527 MetaHookPost QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T, CONNECTION, Keep-Alive)) -> false -1362692526.939527 MetaHookPost QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T, HOST, bro.org)) -> false -1362692526.939527 MetaHookPost QueueEvent(http_message_done([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, 
capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T, [start=1362692526.939527, interrupted=F, finish_msg=message ends normally, body_length=0, content_gap_length=0, header_length=124])) -> false +1362692526.939527 MetaHookPost QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T, CONNECTION, Keep-Alive)) -> false +1362692526.939527 MetaHookPost QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, 
sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T, HOST, bro.org)) -> false +1362692526.939527 MetaHookPost QueueEvent(http_message_done([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T, [start=1362692526.939527, interrupted=F, finish_msg=message ends normally, body_length=0, content_gap_length=0, header_length=124])) -> false 1362692526.939527 MetaHookPost QueueEvent(http_request([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, 1.1)) -> false -1362692526.939527 MetaHookPost QueueEvent(protocol_confirmation([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], Analyzer::ANALYZER_HTTP, 3)) -> false +1362692526.939527 MetaHookPost QueueEvent(protocol_confirmation([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, 
l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], Analyzer::ANALYZER_HTTP, 3)) -> false 1362692526.939527 MetaHookPost UpdateNetworkTime(1362692526.939527) -> 1362692526.939527 MetaHookPre CallFunction(Analyzer::__name, , (Analyzer::ANALYZER_HTTP)) 1362692526.939527 MetaHookPre CallFunction(Analyzer::name, , (Analyzer::ANALYZER_HTTP)) -1362692526.939527 MetaHookPre CallFunction(HTTP::get_file_handle, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -1362692526.939527 MetaHookPre CallFunction(HTTP::new_http_session, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={HTTP}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, 
thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=[pending={}, current_request=1, current_response=0, trans_depth=0], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) -1362692526.939527 MetaHookPre CallFunction(HTTP::set_state, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -1362692526.939527 MetaHookPre CallFunction(HTTP::set_state, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -1362692526.939527 MetaHookPre CallFunction(HTTP::set_state, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=, version=, user_agent=, request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, 
resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=0, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -1362692526.939527 MetaHookPre CallFunction(HTTP::set_state, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=, version=, user_agent=, request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -1362692526.939527 MetaHookPre CallFunction(HTTP::set_state, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={HTTP}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=[pending={}, current_request=1, current_response=0, trans_depth=0], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) +1362692526.939527 MetaHookPre CallFunction(HTTP::get_file_handle, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, 
info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) +1362692526.939527 MetaHookPre CallFunction(HTTP::new_http_session, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={HTTP}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=[pending={}, current_request=1, current_response=0, trans_depth=0], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) +1362692526.939527 MetaHookPre CallFunction(HTTP::set_state, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) +1362692526.939527 MetaHookPre CallFunction(HTTP::set_state, , 
([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) +1362692526.939527 MetaHookPre CallFunction(HTTP::set_state, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=, version=, user_agent=, request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=0, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) +1362692526.939527 MetaHookPre CallFunction(HTTP::set_state, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=, version=, user_agent=, request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) +1362692526.939527 
MetaHookPre CallFunction(HTTP::set_state, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={HTTP}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=[pending={}, current_request=1, current_response=0, trans_depth=0], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) 1362692526.939527 MetaHookPre CallFunction(cat, , (Analyzer::ANALYZER_HTTP, 1362692526.869344, T, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)) 1362692526.939527 MetaHookPre CallFunction(fmt, , (%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp)) 1362692526.939527 MetaHookPre CallFunction(fmt, , (-%s, HTTP)) -1362692526.939527 MetaHookPre CallFunction(get_file_handle, , (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -1362692526.939527 MetaHookPre CallFunction(http_begin_entity, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=, version=, user_agent=, request_body_len=0, response_body_len=0, status_code=, 
status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=0, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -1362692526.939527 MetaHookPre CallFunction(http_end_entity, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) +1362692526.939527 MetaHookPre CallFunction(get_file_handle, , (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) +1362692526.939527 MetaHookPre CallFunction(http_begin_entity, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=, version=, user_agent=, request_body_len=0, response_body_len=0, status_code=, 
status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=0, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) +1362692526.939527 MetaHookPre CallFunction(http_end_entity, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) 1362692526.939527 MetaHookPre CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/*)) 1362692526.939527 MetaHookPre CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0))) -1362692526.939527 MetaHookPre CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], 
T, CONNECTION, Keep-Alive)) -1362692526.939527 MetaHookPre CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T, HOST, bro.org)) -1362692526.939527 MetaHookPre CallFunction(http_message_done, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T, [start=1362692526.939527, interrupted=F, finish_msg=message ends normally, body_length=0, content_gap_length=0, header_length=124])) +1362692526.939527 MetaHookPre CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, 
mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T, CONNECTION, Keep-Alive)) +1362692526.939527 MetaHookPre CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T, HOST, bro.org)) +1362692526.939527 MetaHookPre CallFunction(http_message_done, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T, [start=1362692526.939527, interrupted=F, finish_msg=message ends normally, body_length=0, content_gap_length=0, header_length=124])) 1362692526.939527 MetaHookPre CallFunction(http_request, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, 1.1)) 1362692526.939527 MetaHookPre CallFunction(id_string, , ([orig_h=141.142.228.5, orig_p=59856<...>/tcp])) 1362692526.939527 MetaHookPre CallFunction(network_time, , ()) -1362692526.939527 MetaHookPre CallFunction(protocol_confirmation, , ([id=[orig_h=141.142.228.5, 
orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], Analyzer::ANALYZER_HTTP, 3)) +1362692526.939527 MetaHookPre CallFunction(protocol_confirmation, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], Analyzer::ANALYZER_HTTP, 3)) 1362692526.939527 MetaHookPre CallFunction(set_file_handle, , (Analyzer::ANALYZER_HTTP1362692526.869344T11141.142.228.5:59856 > 192.150.187.43:80)) 1362692526.939527 MetaHookPre CallFunction(split_string1, , (bro.org, <...>/)) 1362692526.939527 MetaHookPre DrainEvents() -1362692526.939527 MetaHookPre QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, 
num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -1362692526.939527 MetaHookPre QueueEvent(http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -1362692526.939527 MetaHookPre QueueEvent(http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) 
+1362692526.939527 MetaHookPre QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) +1362692526.939527 MetaHookPre QueueEvent(http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) +1362692526.939527 MetaHookPre QueueEvent(http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, 
extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) 1362692526.939527 MetaHookPre QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/*)) 1362692526.939527 MetaHookPre QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0))) -1362692526.939527 MetaHookPre QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T, CONNECTION, Keep-Alive)) -1362692526.939527 MetaHookPre QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, 
ssh=, syslog=], T, HOST, bro.org)) -1362692526.939527 MetaHookPre QueueEvent(http_message_done([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T, [start=1362692526.939527, interrupted=F, finish_msg=message ends normally, body_length=0, content_gap_length=0, header_length=124])) +1362692526.939527 MetaHookPre QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T, CONNECTION, Keep-Alive)) +1362692526.939527 MetaHookPre QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, 
dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T, HOST, bro.org)) +1362692526.939527 MetaHookPre QueueEvent(http_message_done([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T, [start=1362692526.939527, interrupted=F, finish_msg=message ends normally, body_length=0, content_gap_length=0, header_length=124])) 1362692526.939527 MetaHookPre QueueEvent(http_request([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, 1.1)) -1362692526.939527 MetaHookPre QueueEvent(protocol_confirmation([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], 
Analyzer::ANALYZER_HTTP, 3)) +1362692526.939527 MetaHookPre QueueEvent(protocol_confirmation([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], Analyzer::ANALYZER_HTTP, 3)) 1362692526.939527 MetaHookPre UpdateNetworkTime(1362692526.939527) 1362692526.939527 | HookUpdateNetworkTime 1362692526.939527 1362692526.939527 | HookCallFunction Analyzer::__name(Analyzer::ANALYZER_HTTP) 1362692526.939527 | HookCallFunction Analyzer::name(Analyzer::ANALYZER_HTTP) -1362692526.939527 | HookCallFunction HTTP::get_file_handle([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T) -1362692526.939527 | HookCallFunction HTTP::new_http_session([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, 
flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={HTTP}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=[pending={}, current_request=1, current_response=0, trans_depth=0], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]) -1362692526.939527 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T) -1362692526.939527 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T) -1362692526.939527 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=, version=, user_agent=, request_body_len=0, 
response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=0, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T) -1362692526.939527 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=, version=, user_agent=, request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T) -1362692526.939527 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={HTTP}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=[pending={}, current_request=1, current_response=0, trans_depth=0], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T) +1362692526.939527 | 
HookCallFunction HTTP::get_file_handle([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T) +1362692526.939527 | HookCallFunction HTTP::new_http_session([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={HTTP}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=[pending={}, current_request=1, current_response=0, trans_depth=0], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]) +1362692526.939527 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, 
rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T) +1362692526.939527 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T) +1362692526.939527 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=, version=, user_agent=, request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=0, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T) +1362692526.939527 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=, version=, user_agent=, request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, 
radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T) +1362692526.939527 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={HTTP}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=[pending={}, current_request=1, current_response=0, trans_depth=0], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T) 1362692526.939527 | HookCallFunction cat(Analyzer::ANALYZER_HTTP, 1362692526.869344, T, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80) 1362692526.939527 | HookCallFunction fmt(%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp) 1362692526.939527 | HookCallFunction fmt(-%s, HTTP) -1362692526.939527 | HookCallFunction get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T) -1362692526.939527 | HookCallFunction http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=, version=, user_agent=, 
request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=0, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T) -1362692526.939527 | HookCallFunction http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T) +1362692526.939527 | HookCallFunction get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T) +1362692526.939527 | HookCallFunction http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, referrer=, version=, user_agent=, request_body_len=0, 
response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=0, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T) +1362692526.939527 | HookCallFunction http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T) 1362692526.939527 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/*) 1362692526.939527 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0)) -1362692526.939527 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T, 
CONNECTION, Keep-Alive) -1362692526.939527 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T, HOST, bro.org) -1362692526.939527 | HookCallFunction http_message_done([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T, [start=1362692526.939527, interrupted=F, finish_msg=message ends normally, body_length=0, content_gap_length=0, header_length=124]) +1362692526.939527 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, 
rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T, CONNECTION, Keep-Alive) +1362692526.939527 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T, HOST, bro.org) +1362692526.939527 | HookCallFunction http_message_done([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T, [start=1362692526.939527, interrupted=F, finish_msg=message ends normally, body_length=0, content_gap_length=0, header_length=124]) 1362692526.939527 | HookCallFunction http_request([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, 1.1) 1362692526.939527 | HookCallFunction id_string([orig_h=141.142.228.5, orig_p=59856<...>/tcp]) 1362692526.939527 | HookCallFunction network_time() -1362692526.939527 | HookCallFunction protocol_confirmation([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, 
l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], Analyzer::ANALYZER_HTTP, 3) +1362692526.939527 | HookCallFunction protocol_confirmation([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], Analyzer::ANALYZER_HTTP, 3) 1362692526.939527 | HookCallFunction set_file_handle(Analyzer::ANALYZER_HTTP1362692526.869344T11141.142.228.5:59856 > 192.150.187.43:80) 1362692526.939527 | HookCallFunction split_string1(bro.org, <...>/) 1362692526.939527 | HookDrainEvents -1362692526.939527 | HookQueueEvent get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, 
history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T) -1362692526.939527 | HookQueueEvent http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T) -1362692526.939527 | HookQueueEvent http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T) +1362692526.939527 | HookQueueEvent get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, 
state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T) +1362692526.939527 | HookQueueEvent http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T) +1362692526.939527 | HookQueueEvent http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, 
modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T) 1362692526.939527 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/*) 1362692526.939527 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0)) -1362692526.939527 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T, CONNECTION, Keep-Alive) -1362692526.939527 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T, HOST, bro.org) -1362692526.939527 | HookQueueEvent http_message_done([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, 
status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T, [start=1362692526.939527, interrupted=F, finish_msg=message ends normally, body_length=0, content_gap_length=0, header_length=124]) +1362692526.939527 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T, CONNECTION, Keep-Alive) +1362692526.939527 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, 
smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T, HOST, bro.org) +1362692526.939527 | HookQueueEvent http_message_done([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T, [start=1362692526.939527, interrupted=F, finish_msg=message ends normally, body_length=0, content_gap_length=0, header_length=124]) 1362692526.939527 | HookQueueEvent http_request([id=[orig_h=141.142.228.5, orig_p=59856<...>/CHANGES.bro-aux.txt, 1.1) -1362692526.939527 | HookQueueEvent protocol_confirmation([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], Analyzer::ANALYZER_HTTP, 3) +1362692526.939527 | HookQueueEvent protocol_confirmation([id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], 
resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=1362692526.869344, duration=0.070183, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], Analyzer::ANALYZER_HTTP, 3) 1362692527.008509 MetaHookPost DrainEvents() -> 1362692527.008509 MetaHookPost UpdateNetworkTime(1362692527.008509) -> 1362692527.008509 MetaHookPre DrainEvents() 
@@ -2045,142 +2652,142 @@ 1362692527.008509 | HookDrainEvents 1362692527.009512 MetaHookPost CallFunction(Files::__enable_reassembly, , (FakNcS1Jfe01uljb3)) -> 1362692527.009512 MetaHookPost CallFunction(Files::__set_reassembly_buffer, , (FakNcS1Jfe01uljb3, 524288)) -> -1362692527.009512 MetaHookPost CallFunction(Files::enable_reassembly, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=])) -> -1362692527.009512 MetaHookPost CallFunction(Files::set_info, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, 
resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, pe=, u2_events=])) -> -1362692527.009512 MetaHookPost CallFunction(Files::set_info, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=])) -> -1362692527.009512 MetaHookPost CallFunction(Files::set_reassembly_buffer_size, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, 
status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=], 524288)) -> +1362692527.009512 MetaHookPost CallFunction(Files::enable_reassembly, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, 
rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=])) -> +1362692527.009512 MetaHookPost CallFunction(Files::set_info, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, pe=, u2_events=])) -> +1362692527.009512 MetaHookPost CallFunction(Files::set_info, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, 
last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=])) -> +1362692527.009512 MetaHookPost CallFunction(Files::set_reassembly_buffer_size, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=], 524288)) -> 1362692527.009512 MetaHookPost CallFunction(HTTP::code_in_range, , (200, 100, 199)) -> -1362692527.009512 MetaHookPost 
CallFunction(HTTP::get_file_handle, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> -1362692527.009512 MetaHookPost CallFunction(HTTP::set_state, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> -1362692527.009512 MetaHookPost CallFunction(HTTP::set_state, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> -1362692527.009512 MetaHookPost CallFunction(HTTP::set_state, , 
([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> +1362692527.009512 MetaHookPost CallFunction(HTTP::get_file_handle, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> +1362692527.009512 MetaHookPost CallFunction(HTTP::set_state, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> +1362692527.009512 MetaHookPost CallFunction(HTTP::set_state, , 
([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> +1362692527.009512 MetaHookPost CallFunction(HTTP::set_state, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> 1362692527.009512 MetaHookPost CallFunction(cat, , (Analyzer::ANALYZER_HTTP, 1362692526.869344, F, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)) -> -1362692527.009512 MetaHookPost CallFunction(file_new, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, 
modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, pe=, u2_events=])) -> -1362692527.009512 MetaHookPost CallFunction(file_over_new_connection, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> +1362692527.009512 MetaHookPost CallFunction(file_new, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, pe=, u2_events=])) -> +1362692527.009512 
MetaHookPost CallFunction(file_over_new_connection, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> 1362692527.009512 MetaHookPost CallFunction(fmt, , (%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp)) -> -1362692527.009512 MetaHookPost CallFunction(get_file_handle, , (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> -1362692527.009512 MetaHookPost CallFunction(http_begin_entity, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, 
current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> -1362692527.009512 MetaHookPost CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, ACCEPT-RANGES, bytes)) -> -1362692527.009512 MetaHookPost CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, CONNECTION, Keep-Alive)) -> -1362692527.009512 MetaHookPost CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, 
current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, CONTENT-LENGTH, 4705)) -> -1362692527.009512 MetaHookPost CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, DATE, Thu, 07 Mar 2013 21:43:07 GMT)) -> -1362692527.009512 MetaHookPost CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, ETAG, "1261-4c870358a6fc0")) -> -1362692527.009512 MetaHookPost CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, 
current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, KEEP-ALIVE, timeout=5, max=100)) -> -1362692527.009512 MetaHookPost CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, LAST-MODIFIED, Wed, 29 Aug 2012 23:49:27 GMT)) -> +1362692527.009512 MetaHookPost CallFunction(get_file_handle, , (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> +1362692527.009512 MetaHookPost CallFunction(http_begin_entity, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, 
orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> +1362692527.009512 MetaHookPost CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, ACCEPT-RANGES, bytes)) -> +1362692527.009512 MetaHookPost CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, CONNECTION, Keep-Alive)) -> +1362692527.009512 MetaHookPost CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, 
capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, CONTENT-LENGTH, 4705)) -> +1362692527.009512 MetaHookPost CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, DATE, Thu, 07 Mar 2013 21:43:07 GMT)) -> +1362692527.009512 MetaHookPost CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, ETAG, "1261-4c870358a6fc0")) -> +1362692527.009512 MetaHookPost CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, 
status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, KEEP-ALIVE, timeout=5, max=100)) -> +1362692527.009512 MetaHookPost CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, LAST-MODIFIED, Wed, 29 Aug 2012 23:49:27 GMT)) -> 1362692527.009512 MetaHookPost CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/2.4.3 (Fedora))) -> 1362692527.009512 MetaHookPost CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain; charset=UTF-8)) -> -1362692527.009512 MetaHookPost CallFunction(http_reply, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], 
irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], 1.1, 200, OK)) -> +1362692527.009512 MetaHookPost CallFunction(http_reply, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], 1.1, 200, OK)) -> 1362692527.009512 MetaHookPost CallFunction(id_string, , ([orig_h=141.142.228.5, orig_p=59856<...>/tcp])) -> 1362692527.009512 MetaHookPost CallFunction(set_file_handle, , (Analyzer::ANALYZER_HTTP1362692526.869344F11141.142.228.5:59856 > 192.150.187.43:80)) -> 1362692527.009512 MetaHookPost CallFunction(split_string_all, , (HTTP, <...>/)) -> 1362692527.009512 MetaHookPost DrainEvents() -> -1362692527.009512 MetaHookPost QueueEvent(file_new([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, 
timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, pe=, u2_events=])) -> false -1362692527.009512 MetaHookPost QueueEvent(file_over_new_connection([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> false -1362692527.009512 MetaHookPost QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> false -1362692527.009512 MetaHookPost QueueEvent(http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, 
trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> false -1362692527.009512 MetaHookPost QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, ACCEPT-RANGES, bytes)) -> false -1362692527.009512 MetaHookPost QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, CONNECTION, Keep-Alive)) -> false -1362692527.009512 MetaHookPost QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, 
mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, CONTENT-LENGTH, 4705)) -> false -1362692527.009512 MetaHookPost QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, DATE, Thu, 07 Mar 2013 21:43:07 GMT)) -> false -1362692527.009512 MetaHookPost QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, ETAG, "1261-4c870358a6fc0")) -> false -1362692527.009512 MetaHookPost QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, 
mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, KEEP-ALIVE, timeout=5, max=100)) -> false -1362692527.009512 MetaHookPost QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, LAST-MODIFIED, Wed, 29 Aug 2012 23:49:27 GMT)) -> false +1362692527.009512 MetaHookPost QueueEvent(file_new([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, pe=, u2_events=])) -> false +1362692527.009512 MetaHookPost QueueEvent(file_over_new_connection([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, 
status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> false +1362692527.009512 MetaHookPost QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> false +1362692527.009512 MetaHookPost QueueEvent(http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> false +1362692527.009512 MetaHookPost QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, 
status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, ACCEPT-RANGES, bytes)) -> false +1362692527.009512 MetaHookPost QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, CONNECTION, Keep-Alive)) -> false +1362692527.009512 MetaHookPost QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, CONTENT-LENGTH, 4705)) -> false +1362692527.009512 MetaHookPost QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, 
response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, DATE, Thu, 07 Mar 2013 21:43:07 GMT)) -> false +1362692527.009512 MetaHookPost QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, ETAG, "1261-4c870358a6fc0")) -> false +1362692527.009512 MetaHookPost QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, KEEP-ALIVE, timeout=5, max=100)) -> false +1362692527.009512 MetaHookPost QueueEvent(http_header([id=[orig_h=141.142.228.5, 
orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, LAST-MODIFIED, Wed, 29 Aug 2012 23:49:27 GMT)) -> false 1362692527.009512 MetaHookPost QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/2.4.3 (Fedora))) -> false 1362692527.009512 MetaHookPost QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain; charset=UTF-8)) -> false -1362692527.009512 MetaHookPost QueueEvent(http_reply([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], 1.1, 200, OK)) -> false +1362692527.009512 MetaHookPost QueueEvent(http_reply([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, 
trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], 1.1, 200, OK)) -> false 1362692527.009512 MetaHookPost UpdateNetworkTime(1362692527.009512) -> 1362692527.009512 MetaHookPre CallFunction(Files::__enable_reassembly, , (FakNcS1Jfe01uljb3)) 1362692527.009512 MetaHookPre CallFunction(Files::__set_reassembly_buffer, , (FakNcS1Jfe01uljb3, 524288)) -1362692527.009512 MetaHookPre CallFunction(Files::enable_reassembly, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=])) -1362692527.009512 MetaHookPre CallFunction(Files::set_info, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, 
info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, pe=, u2_events=])) -1362692527.009512 MetaHookPre CallFunction(Files::set_info, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=])) -1362692527.009512 MetaHookPre CallFunction(Files::set_reassembly_buffer_size, , 
([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=], 524288)) +1362692527.009512 MetaHookPre CallFunction(Files::enable_reassembly, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, 
total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=])) +1362692527.009512 MetaHookPre CallFunction(Files::set_info, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, pe=, u2_events=])) +1362692527.009512 MetaHookPre CallFunction(Files::set_info, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, 
current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=])) +1362692527.009512 MetaHookPre CallFunction(Files::set_reassembly_buffer_size, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, 
irc=, pe=, u2_events=], 524288)) 1362692527.009512 MetaHookPre CallFunction(HTTP::code_in_range, , (200, 100, 199)) -1362692527.009512 MetaHookPre CallFunction(HTTP::get_file_handle, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -1362692527.009512 MetaHookPre CallFunction(HTTP::set_state, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -1362692527.009512 MetaHookPre CallFunction(HTTP::set_state, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, 
sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -1362692527.009512 MetaHookPre CallFunction(HTTP::set_state, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) +1362692527.009512 MetaHookPre CallFunction(HTTP::get_file_handle, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) +1362692527.009512 MetaHookPre CallFunction(HTTP::set_state, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, 
smtp_state=, socks=, ssh=, syslog=], F)) +1362692527.009512 MetaHookPre CallFunction(HTTP::set_state, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) +1362692527.009512 MetaHookPre CallFunction(HTTP::set_state, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) 1362692527.009512 MetaHookPre CallFunction(cat, , (Analyzer::ANALYZER_HTTP, 1362692526.869344, F, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)) -1362692527.009512 MetaHookPre CallFunction(file_new, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], 
orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, pe=, u2_events=])) -1362692527.009512 MetaHookPre CallFunction(file_over_new_connection, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) +1362692527.009512 MetaHookPre CallFunction(file_new, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, 
bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, pe=, u2_events=])) +1362692527.009512 MetaHookPre CallFunction(file_over_new_connection, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) 1362692527.009512 MetaHookPre CallFunction(fmt, , (%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp)) -1362692527.009512 MetaHookPre CallFunction(get_file_handle, , (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -1362692527.009512 MetaHookPre CallFunction(http_begin_entity, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, 
current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -1362692527.009512 MetaHookPre CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, ACCEPT-RANGES, bytes)) -1362692527.009512 MetaHookPre CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, CONNECTION, Keep-Alive)) -1362692527.009512 MetaHookPre CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, 
current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, CONTENT-LENGTH, 4705)) -1362692527.009512 MetaHookPre CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, DATE, Thu, 07 Mar 2013 21:43:07 GMT)) -1362692527.009512 MetaHookPre CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, ETAG, "1261-4c870358a6fc0")) -1362692527.009512 MetaHookPre CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, 
resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, KEEP-ALIVE, timeout=5, max=100)) -1362692527.009512 MetaHookPre CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, LAST-MODIFIED, Wed, 29 Aug 2012 23:49:27 GMT)) +1362692527.009512 MetaHookPre CallFunction(get_file_handle, , (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) +1362692527.009512 MetaHookPre CallFunction(http_begin_entity, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, 
range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) +1362692527.009512 MetaHookPre CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, ACCEPT-RANGES, bytes)) +1362692527.009512 MetaHookPre CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, CONNECTION, Keep-Alive)) +1362692527.009512 MetaHookPre CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, 
capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, CONTENT-LENGTH, 4705)) +1362692527.009512 MetaHookPre CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, DATE, Thu, 07 Mar 2013 21:43:07 GMT)) +1362692527.009512 MetaHookPre CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, ETAG, "1261-4c870358a6fc0")) +1362692527.009512 MetaHookPre CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, 
status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, KEEP-ALIVE, timeout=5, max=100)) +1362692527.009512 MetaHookPre CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, LAST-MODIFIED, Wed, 29 Aug 2012 23:49:27 GMT)) 1362692527.009512 MetaHookPre CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/2.4.3 (Fedora))) 1362692527.009512 MetaHookPre CallFunction(http_header, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain; charset=UTF-8)) -1362692527.009512 MetaHookPre CallFunction(http_reply, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, 
modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], 1.1, 200, OK)) +1362692527.009512 MetaHookPre CallFunction(http_reply, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], 1.1, 200, OK)) 1362692527.009512 MetaHookPre CallFunction(id_string, , ([orig_h=141.142.228.5, orig_p=59856<...>/tcp])) 1362692527.009512 MetaHookPre CallFunction(set_file_handle, , (Analyzer::ANALYZER_HTTP1362692526.869344F11141.142.228.5:59856 > 192.150.187.43:80)) 1362692527.009512 MetaHookPre CallFunction(split_string_all, , (HTTP, <...>/)) 1362692527.009512 MetaHookPre DrainEvents() -1362692527.009512 MetaHookPre QueueEvent(file_new([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, 
bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, pe=, u2_events=])) -1362692527.009512 MetaHookPre QueueEvent(file_over_new_connection([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -1362692527.009512 MetaHookPre QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -1362692527.009512 MetaHookPre QueueEvent(http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, 
radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -1362692527.009512 MetaHookPre QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, ACCEPT-RANGES, bytes)) -1362692527.009512 MetaHookPre QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, CONNECTION, Keep-Alive)) -1362692527.009512 MetaHookPre QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, 
socks=, ssh=, syslog=], F, CONTENT-LENGTH, 4705)) -1362692527.009512 MetaHookPre QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, DATE, Thu, 07 Mar 2013 21:43:07 GMT)) -1362692527.009512 MetaHookPre QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, ETAG, "1261-4c870358a6fc0")) -1362692527.009512 MetaHookPre QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, 
KEEP-ALIVE, timeout=5, max=100)) -1362692527.009512 MetaHookPre QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, LAST-MODIFIED, Wed, 29 Aug 2012 23:49:27 GMT)) +1362692527.009512 MetaHookPre QueueEvent(file_new([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, pe=, u2_events=])) +1362692527.009512 MetaHookPre QueueEvent(file_over_new_connection([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, 
orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) +1362692527.009512 MetaHookPre QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) +1362692527.009512 MetaHookPre QueueEvent(http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) +1362692527.009512 MetaHookPre QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, 
orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, ACCEPT-RANGES, bytes)) +1362692527.009512 MetaHookPre QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, CONNECTION, Keep-Alive)) +1362692527.009512 MetaHookPre QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, CONTENT-LENGTH, 4705)) +1362692527.009512 MetaHookPre QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, 
orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, DATE, Thu, 07 Mar 2013 21:43:07 GMT)) +1362692527.009512 MetaHookPre QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, ETAG, "1261-4c870358a6fc0")) +1362692527.009512 MetaHookPre QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, KEEP-ALIVE, timeout=5, max=100)) +1362692527.009512 MetaHookPre QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, 
orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, LAST-MODIFIED, Wed, 29 Aug 2012 23:49:27 GMT)) 1362692527.009512 MetaHookPre QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/2.4.3 (Fedora))) 1362692527.009512 MetaHookPre QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain; charset=UTF-8)) -1362692527.009512 MetaHookPre QueueEvent(http_reply([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], 1.1, 200, OK)) +1362692527.009512 MetaHookPre QueueEvent(http_reply([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], 1.1, 200, OK)) 1362692527.009512 MetaHookPre UpdateNetworkTime(1362692527.009512) 1362692527.009512 | 
HookUpdateNetworkTime 1362692527.009512 1362692527.009512 | HookCallFunction Files::__enable_reassembly(FakNcS1Jfe01uljb3) 1362692527.009512 | HookCallFunction Files::__set_reassembly_buffer(FakNcS1Jfe01uljb3, 524288) -1362692527.009512 | HookCallFunction Files::enable_reassembly([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=]) -1362692527.009512 | HookCallFunction Files::set_info([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, 
resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, pe=, u2_events=]) -1362692527.009512 | HookCallFunction Files::set_info([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=]) -1362692527.009512 | HookCallFunction Files::set_reassembly_buffer_size([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, 
capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=], 524288) +1362692527.009512 | HookCallFunction Files::enable_reassembly([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=, filename=, duration=0 
secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=]) +1362692527.009512 | HookCallFunction Files::set_info([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, pe=, u2_events=]) +1362692527.009512 | HookCallFunction Files::set_info([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, 
bof_buffer_size=4096, bof_buffer=, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=]) +1362692527.009512 | HookCallFunction Files::set_reassembly_buffer_size([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=], 524288) 1362692527.009512 | HookCallFunction HTTP::code_in_range(200, 100, 199) -1362692527.009512 | HookCallFunction HTTP::get_file_handle([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, 
info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) -1362692527.009512 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) -1362692527.009512 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) -1362692527.009512 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, 
range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) +1362692527.009512 | HookCallFunction HTTP::get_file_handle([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) +1362692527.009512 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) +1362692527.009512 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, 
resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) +1362692527.009512 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) 1362692527.009512 | HookCallFunction cat(Analyzer::ANALYZER_HTTP, 1362692526.869344, F, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80) -1362692527.009512 | HookCallFunction file_new([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, pe=, u2_events=]) -1362692527.009512 
| HookCallFunction file_over_new_connection([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) +1362692527.009512 | HookCallFunction file_new([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, pe=, u2_events=]) +1362692527.009512 | HookCallFunction file_over_new_connection([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, 
orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) 1362692527.009512 | HookCallFunction fmt(%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp) -1362692527.009512 | HookCallFunction get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) -1362692527.009512 | HookCallFunction http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) -1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, 
range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, ACCEPT-RANGES, bytes) -1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, CONNECTION, Keep-Alive) -1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, CONTENT-LENGTH, 4705) -1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, 
orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, DATE, Thu, 07 Mar 2013 21:43:07 GMT) -1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, ETAG, "1261-4c870358a6fc0") -1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, KEEP-ALIVE, timeout=5, max=100) -1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, 
range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, LAST-MODIFIED, Wed, 29 Aug 2012 23:49:27 GMT) +1362692527.009512 | HookCallFunction get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) +1362692527.009512 | HookCallFunction http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) +1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, 
proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, ACCEPT-RANGES, bytes) +1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, CONNECTION, Keep-Alive) +1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, CONTENT-LENGTH, 4705) +1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, 
capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, DATE, Thu, 07 Mar 2013 21:43:07 GMT) +1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, ETAG, "1261-4c870358a6fc0") +1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, KEEP-ALIVE, timeout=5, max=100) +1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, 
info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, LAST-MODIFIED, Wed, 29 Aug 2012 23:49:27 GMT) 1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/2.4.3 (Fedora)) 1362692527.009512 | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain; charset=UTF-8) -1362692527.009512 | HookCallFunction http_reply([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], 1.1, 200, OK) +1362692527.009512 | HookCallFunction http_reply([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], 1.1, 
200, OK) 1362692527.009512 | HookCallFunction id_string([orig_h=141.142.228.5, orig_p=59856<...>/tcp]) 1362692527.009512 | HookCallFunction set_file_handle(Analyzer::ANALYZER_HTTP1362692526.869344F11141.142.228.5:59856 > 192.150.187.43:80) 1362692527.009512 | HookCallFunction split_string_all(HTTP, <...>/) 1362692527.009512 | HookDrainEvents -1362692527.009512 | HookQueueEvent file_new([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, pe=, u2_events=]) -1362692527.009512 | HookQueueEvent file_over_new_connection([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) -1362692527.009512 | HookQueueEvent 
get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) -1362692527.009512 | HookQueueEvent http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) -1362692527.009512 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, ACCEPT-RANGES, bytes) -1362692527.009512 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), 
request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, CONNECTION, Keep-Alive) -1362692527.009512 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, CONTENT-LENGTH, 4705) -1362692527.009512 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, DATE, Thu, 07 Mar 2013 21:43:07 GMT) -1362692527.009512 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, 
status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, ETAG, "1261-4c870358a6fc0") -1362692527.009512 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, KEEP-ALIVE, timeout=5, max=100) -1362692527.009512 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, LAST-MODIFIED, Wed, 29 Aug 2012 23:49:27 GMT) +1362692527.009512 | HookQueueEvent file_new([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, 
response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]}, last_active=1362692527.009512, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, pe=, u2_events=]) +1362692527.009512 | HookQueueEvent file_over_new_connection([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) +1362692527.009512 | HookQueueEvent get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, 
ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) +1362692527.009512 | HookQueueEvent http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) +1362692527.009512 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, ACCEPT-RANGES, bytes) +1362692527.009512 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, 
socks=, ssh=, syslog=], F, CONNECTION, Keep-Alive) +1362692527.009512 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, CONTENT-LENGTH, 4705) +1362692527.009512 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, DATE, Thu, 07 Mar 2013 21:43:07 GMT) +1362692527.009512 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, 
syslog=], F, ETAG, "1261-4c870358a6fc0") +1362692527.009512 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, KEEP-ALIVE, timeout=5, max=100) +1362692527.009512 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, LAST-MODIFIED, Wed, 29 Aug 2012 23:49:27 GMT) 1362692527.009512 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/2.4.3 (Fedora)) 1362692527.009512 | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain; charset=UTF-8) -1362692527.009512 | HookQueueEvent http_reply([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, 
orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], 1.1, 200, OK) +1362692527.009512 | HookQueueEvent http_reply([id=[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=, resp_filenames=, resp_mime_types=, current_entity=, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], 1.1, 200, OK) 1362692527.009721 MetaHookPost DrainEvents() -> 1362692527.009721 MetaHookPost UpdateNetworkTime(1362692527.009721) -> 1362692527.009721 MetaHookPre DrainEvents() 
@@ -2196,78 +2803,90 @@ 1362692527.009775 MetaHookPost CallFunction(Files::set_info, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=[FakNcS1Jfe01uljb3], resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1], irc=, pe=, u2_events=])) -> 1362692527.009775 MetaHookPost CallFunction(Files::set_info, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1], irc=, pe=, u2_events=])) -> 1362692527.009775 MetaHookPost CallFunction(HTTP::code_in_range, , (200, 100, 199)) -> -1362692527.009775 MetaHookPost CallFunction(HTTP::get_file_handle, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> -1362692527.009775 MetaHookPost CallFunction(HTTP::set_state, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> +1362692527.009775 MetaHookPost CallFunction(HTTP::get_file_handle, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, 
sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> +1362692527.009775 MetaHookPost CallFunction(HTTP::set_state, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> 1362692527.009775 MetaHookPost CallFunction(Log::__write, , (Files::LOG, [ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CHhAvVGS1DHFjwGM9}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=, duration=262.0 usecs, local_orig=, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=])) -> 1362692527.009775 MetaHookPost CallFunction(Log::__write, , (HTTP::LOG, [ts=1362692526.939527, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1])) -> 1362692527.009775 MetaHookPost CallFunction(Log::write, , (Files::LOG, [ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CHhAvVGS1DHFjwGM9}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=, duration=262.0 usecs, local_orig=, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=])) -> 1362692527.009775 MetaHookPost CallFunction(Log::write, , (HTTP::LOG, [ts=1362692526.939527, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1])) -> 1362692527.009775 MetaHookPost CallFunction(cat, , (Analyzer::ANALYZER_HTTP, 1362692526.869344, F, 
1, 1, 141.142.228.5:59856 > 192.150.187.43:80)) -> -1362692527.009775 MetaHookPost CallFunction(file_sniff, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]]])) -> +1362692527.009775 MetaHookPost CallFunction(file_sniff, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]], inferred=T])) -> 1362692527.009775 MetaHookPost CallFunction(file_state_remove, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1], irc=, pe=, u2_events=])) -> 1362692527.009775 MetaHookPost CallFunction(fmt, , (%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp)) -> -1362692527.009775 MetaHookPost CallFunction(get_file_handle, , (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> -1362692527.009775 MetaHookPost CallFunction(http_end_entity, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> -1362692527.009775 MetaHookPost CallFunction(http_message_done, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, [start=1362692527.009512, interrupted=F, finish_msg=message ends 
normally, body_length=4705, content_gap_length=0, header_length=280])) -> +1362692527.009775 MetaHookPost CallFunction(get_file_handle, , (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> +1362692527.009775 MetaHookPost CallFunction(http_end_entity, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> +1362692527.009775 MetaHookPost CallFunction(http_message_done, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, [start=1362692527.009512, interrupted=F, finish_msg=message ends normally, body_length=4705, content_gap_length=0, header_length=280])) -> 1362692527.009775 MetaHookPost CallFunction(id_string, , ([orig_h=141.142.228.5, orig_p=59856<...>/tcp])) -> 1362692527.009775 MetaHookPost CallFunction(set_file_handle, , (Analyzer::ANALYZER_HTTP1362692526.869344F11141.142.228.5:59856 > 192.150.187.43:80)) -> 1362692527.009775 MetaHookPost DrainEvents() -> -1362692527.009775 MetaHookPost QueueEvent(file_sniff([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]]])) -> false +1362692527.009775 MetaHookPost LogInit(Log::WRITER_ASCII, default, true, true, files(1362692527.009775,0.0,0.0), 25, {ts (time), fuid 
(string), tx_hosts (set[addr]), rx_hosts (set[addr]), conn_uids (set[string]), source (string), depth (count), analyzers (set[string]), mime_type (string), filename (string), duration (interval), local_orig (bool), is_orig (bool), seen_bytes (count), total_bytes (count), missing_bytes (count), overflow_bytes (count), timedout (bool), parent_fuid (string), md5 (string), sha1 (string), sha256 (string), extracted (string), extracted_cutoff (bool), extracted_size (count)}) -> +1362692527.009775 MetaHookPost LogInit(Log::WRITER_ASCII, default, true, true, http(1362692527.009775,0.0,0.0), 29, {ts (time), uid (string), id.orig_h (addr), id.orig_p (port), id.resp_h (addr), id.resp_p (port), trans_depth (count), method (string), host (string), uri (string), referrer (string), version (string), user_agent (string), request_body_len (count), response_body_len (count), status_code (count), status_msg (string), info_code (count), info_msg (string), tags (set[enum]), username (string), password (string), proxied (set[string]), orig_fuids (vector[string]), orig_filenames (vector[string]), orig_mime_types (vector[string]), resp_fuids (vector[string]), resp_filenames (vector[string]), resp_mime_types (vector[string])}) -> +1362692527.009775 MetaHookPost LogWrite(Log::WRITER_ASCII, default, files(1362692527.009775,0.0,0.0), 25, {ts (time), fuid (string), tx_hosts (set[addr]), rx_hosts (set[addr]), conn_uids (set[string]), source (string), depth (count), analyzers (set[string]), mime_type (string), filename (string), duration (interval), local_orig (bool), is_orig (bool), seen_bytes (count), total_bytes (count), missing_bytes (count), overflow_bytes (count), timedout (bool), parent_fuid (string), md5 (string), sha1 (string), sha256 (string), extracted (string), extracted_cutoff (bool), extracted_size (count)}, ) -> true +1362692527.009775 MetaHookPost LogWrite(Log::WRITER_ASCII, default, http(1362692527.009775,0.0,0.0), 29, {ts (time), uid (string), id.orig_h (addr), id.orig_p 
(port), id.resp_h (addr), id.resp_p (port), trans_depth (count), method (string), host (string), uri (string), referrer (string), version (string), user_agent (string), request_body_len (count), response_body_len (count), status_code (count), status_msg (string), info_code (count), info_msg (string), tags (set[enum]), username (string), password (string), proxied (set[string]), orig_fuids (vector[string]), orig_filenames (vector[string]), orig_mime_types (vector[string]), resp_fuids (vector[string]), resp_filenames (vector[string]), resp_mime_types (vector[string])}, ) -> true +1362692527.009775 MetaHookPost QueueEvent(file_sniff([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]], inferred=T])) -> false 1362692527.009775 MetaHookPost QueueEvent(file_state_remove([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1], irc=, pe=, u2_events=])) -> false -1362692527.009775 MetaHookPost QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> false -1362692527.009775 MetaHookPost QueueEvent(http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> false -1362692527.009775 MetaHookPost QueueEvent(http_message_done([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, 
current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, [start=1362692527.009512, interrupted=F, finish_msg=message ends normally, body_length=4705, content_gap_length=0, header_length=280])) -> false +1362692527.009775 MetaHookPost QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> false +1362692527.009775 MetaHookPost QueueEvent(http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -> false +1362692527.009775 MetaHookPost QueueEvent(http_message_done([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, [start=1362692527.009512, interrupted=F, finish_msg=message ends normally, body_length=4705, content_gap_length=0, header_length=280])) -> false 1362692527.009775 MetaHookPost UpdateNetworkTime(1362692527.009775) -> 1362692527.009775 MetaHookPre CallFunction(Files::set_info, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, 
tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=[FakNcS1Jfe01uljb3], resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1], irc=, pe=, u2_events=])) 1362692527.009775 MetaHookPre CallFunction(Files::set_info, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1], irc=, pe=, u2_events=])) 1362692527.009775 MetaHookPre CallFunction(HTTP::code_in_range, , (200, 100, 199)) -1362692527.009775 MetaHookPre CallFunction(HTTP::get_file_handle, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -1362692527.009775 MetaHookPre CallFunction(HTTP::set_state, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) +1362692527.009775 MetaHookPre CallFunction(HTTP::get_file_handle, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) +1362692527.009775 MetaHookPre CallFunction(HTTP::set_state, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, 
smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) 1362692527.009775 MetaHookPre CallFunction(Log::__write, , (Files::LOG, [ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CHhAvVGS1DHFjwGM9}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=, duration=262.0 usecs, local_orig=, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=])) 1362692527.009775 MetaHookPre CallFunction(Log::__write, , (HTTP::LOG, [ts=1362692526.939527, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1])) 1362692527.009775 MetaHookPre CallFunction(Log::write, , (Files::LOG, [ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CHhAvVGS1DHFjwGM9}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=, duration=262.0 usecs, local_orig=, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=])) 1362692527.009775 MetaHookPre CallFunction(Log::write, , (HTTP::LOG, [ts=1362692526.939527, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1])) 1362692527.009775 MetaHookPre CallFunction(cat, , (Analyzer::ANALYZER_HTTP, 1362692526.869344, F, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)) -1362692527.009775 MetaHookPre CallFunction(file_sniff, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]]])) +1362692527.009775 MetaHookPre CallFunction(file_sniff, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, 
conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]], inferred=T])) 1362692527.009775 MetaHookPre CallFunction(file_state_remove, , ([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1], irc=, pe=, u2_events=])) 1362692527.009775 MetaHookPre CallFunction(fmt, , (%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp)) -1362692527.009775 MetaHookPre CallFunction(get_file_handle, , (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -1362692527.009775 MetaHookPre CallFunction(http_end_entity, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -1362692527.009775 MetaHookPre CallFunction(http_message_done, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, [start=1362692527.009512, interrupted=F, finish_msg=message ends normally, body_length=4705, content_gap_length=0, header_length=280])) +1362692527.009775 MetaHookPre CallFunction(get_file_handle, , (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, 
radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) +1362692527.009775 MetaHookPre CallFunction(http_end_entity, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) +1362692527.009775 MetaHookPre CallFunction(http_message_done, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, [start=1362692527.009512, interrupted=F, finish_msg=message ends normally, body_length=4705, content_gap_length=0, header_length=280])) 1362692527.009775 MetaHookPre CallFunction(id_string, , ([orig_h=141.142.228.5, orig_p=59856<...>/tcp])) 1362692527.009775 MetaHookPre CallFunction(set_file_handle, , (Analyzer::ANALYZER_HTTP1362692526.869344F11141.142.228.5:59856 > 192.150.187.43:80)) 1362692527.009775 MetaHookPre DrainEvents() -1362692527.009775 MetaHookPre QueueEvent(file_sniff([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]]])) +1362692527.009775 MetaHookPre LogInit(Log::WRITER_ASCII, default, true, true, files(1362692527.009775,0.0,0.0), 25, {ts (time), fuid (string), tx_hosts (set[addr]), rx_hosts (set[addr]), conn_uids (set[string]), source (string), depth (count), analyzers (set[string]), mime_type (string), filename (string), duration (interval), local_orig (bool), is_orig (bool), seen_bytes (count), total_bytes (count), missing_bytes (count), overflow_bytes (count), timedout (bool), parent_fuid (string), md5 (string), sha1 (string), sha256 (string), 
extracted (string), extracted_cutoff (bool), extracted_size (count)}) +1362692527.009775 MetaHookPre LogInit(Log::WRITER_ASCII, default, true, true, http(1362692527.009775,0.0,0.0), 29, {ts (time), uid (string), id.orig_h (addr), id.orig_p (port), id.resp_h (addr), id.resp_p (port), trans_depth (count), method (string), host (string), uri (string), referrer (string), version (string), user_agent (string), request_body_len (count), response_body_len (count), status_code (count), status_msg (string), info_code (count), info_msg (string), tags (set[enum]), username (string), password (string), proxied (set[string]), orig_fuids (vector[string]), orig_filenames (vector[string]), orig_mime_types (vector[string]), resp_fuids (vector[string]), resp_filenames (vector[string]), resp_mime_types (vector[string])}) +1362692527.009775 MetaHookPre LogWrite(Log::WRITER_ASCII, default, files(1362692527.009775,0.0,0.0), 25, {ts (time), fuid (string), tx_hosts (set[addr]), rx_hosts (set[addr]), conn_uids (set[string]), source (string), depth (count), analyzers (set[string]), mime_type (string), filename (string), duration (interval), local_orig (bool), is_orig (bool), seen_bytes (count), total_bytes (count), missing_bytes (count), overflow_bytes (count), timedout (bool), parent_fuid (string), md5 (string), sha1 (string), sha256 (string), extracted (string), extracted_cutoff (bool), extracted_size (count)}, ) +1362692527.009775 MetaHookPre LogWrite(Log::WRITER_ASCII, default, http(1362692527.009775,0.0,0.0), 29, {ts (time), uid (string), id.orig_h (addr), id.orig_p (port), id.resp_h (addr), id.resp_p (port), trans_depth (count), method (string), host (string), uri (string), referrer (string), version (string), user_agent (string), request_body_len (count), response_body_len (count), status_code (count), status_msg (string), info_code (count), info_msg (string), tags (set[enum]), username (string), password (string), proxied (set[string]), orig_fuids (vector[string]), orig_filenames 
(vector[string]), orig_mime_types (vector[string]), resp_fuids (vector[string]), resp_filenames (vector[string]), resp_mime_types (vector[string])}, ) +1362692527.009775 MetaHookPre QueueEvent(file_sniff([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]], inferred=T])) 1362692527.009775 MetaHookPre QueueEvent(file_state_remove([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1], irc=, pe=, u2_events=])) -1362692527.009775 MetaHookPre QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -1362692527.009775 MetaHookPre QueueEvent(http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) -1362692527.009775 MetaHookPre QueueEvent(http_message_done([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, [start=1362692527.009512, interrupted=F, finish_msg=message ends normally, body_length=4705, content_gap_length=0, header_length=280])) +1362692527.009775 MetaHookPre QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], 
current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) +1362692527.009775 MetaHookPre QueueEvent(http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F)) +1362692527.009775 MetaHookPre QueueEvent(http_message_done([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, [start=1362692527.009512, interrupted=F, finish_msg=message ends normally, body_length=4705, content_gap_length=0, header_length=280])) 1362692527.009775 MetaHookPre UpdateNetworkTime(1362692527.009775) 1362692527.009775 | HookUpdateNetworkTime 1362692527.009775 1362692527.009775 | HookCallFunction Files::set_info([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/1.14 (darwin12.2.0), request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, tags={}, username=, password=, capture_password=F, proxied=, range_request=F, orig_fuids=, orig_filenames=, orig_mime_types=, resp_fuids=[FakNcS1Jfe01uljb3], resp_filenames=, resp_mime_types=, current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1], irc=, pe=, u2_events=]) 1362692527.009775 | HookCallFunction Files::set_info([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, 
orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1], irc=, pe=, u2_events=]) 1362692527.009775 | HookCallFunction HTTP::code_in_range(200, 100, 199) -1362692527.009775 | HookCallFunction HTTP::get_file_handle([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) -1362692527.009775 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) +1362692527.009775 | HookCallFunction HTTP::get_file_handle([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) +1362692527.009775 | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) 1362692527.009775 | HookCallFunction Log::__write(Files::LOG, [ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CHhAvVGS1DHFjwGM9}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=, duration=262.0 usecs, local_orig=, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, 
timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=]) 1362692527.009775 | HookCallFunction Log::__write(HTTP::LOG, [ts=1362692526.939527, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]) 1362692527.009775 | HookCallFunction Log::write(Files::LOG, [ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CHhAvVGS1DHFjwGM9}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=, duration=262.0 usecs, local_orig=, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=]) 1362692527.009775 | HookCallFunction Log::write(HTTP::LOG, [ts=1362692526.939527, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]) 1362692527.009775 | HookCallFunction cat(Analyzer::ANALYZER_HTTP, 1362692526.869344, F, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80) -1362692527.009775 | HookCallFunction file_sniff([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]]]) +1362692527.009775 | HookCallFunction file_sniff([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]], inferred=T]) 1362692527.009775 | HookCallFunction file_state_remove([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1], irc=, pe=, u2_events=]) 1362692527.009775 | HookCallFunction fmt(%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp) -1362692527.009775 | HookCallFunction get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, 
orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) -1362692527.009775 | HookCallFunction http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) -1362692527.009775 | HookCallFunction http_message_done([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, [start=1362692527.009512, interrupted=F, finish_msg=message ends normally, body_length=4705, content_gap_length=0, header_length=280]) +1362692527.009775 | HookCallFunction get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) +1362692527.009775 | HookCallFunction http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) +1362692527.009775 | HookCallFunction http_message_done([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, 
current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, [start=1362692527.009512, interrupted=F, finish_msg=message ends normally, body_length=4705, content_gap_length=0, header_length=280]) 1362692527.009775 | HookCallFunction id_string([orig_h=141.142.228.5, orig_p=59856<...>/tcp]) 1362692527.009775 | HookCallFunction set_file_handle(Analyzer::ANALYZER_HTTP1362692526.869344F11141.142.228.5:59856 > 192.150.187.43:80) 1362692527.009775 | HookDrainEvents -1362692527.009775 | HookQueueEvent file_sniff([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]]]) +1362692527.009775 | HookLogInit files 1/1 {ts (time), fuid (string), tx_hosts (set[addr]), rx_hosts (set[addr]), conn_uids (set[string]), source (string), depth (count), analyzers (set[string]), mime_type (string), filename (string), duration (interval), local_orig (bool), is_orig (bool), seen_bytes (count), total_bytes (count), missing_bytes (count), overflow_bytes (count), timedout (bool), parent_fuid (string), md5 (string), sha1 (string), sha256 (string), extracted (string), extracted_cutoff (bool), extracted_size (count)} +1362692527.009775 | HookLogInit http 1/1 {ts (time), uid (string), id.orig_h (addr), id.orig_p (port), id.resp_h (addr), id.resp_p (port), trans_depth (count), method (string), host (string), uri (string), referrer (string), version (string), user_agent (string), request_body_len (count), response_body_len (count), status_code (count), status_msg (string), info_code (count), info_msg (string), tags (set[enum]), username (string), password (string), proxied (set[string]), orig_fuids (vector[string]), orig_filenames (vector[string]), orig_mime_types (vector[string]), resp_fuids (vector[string]), resp_filenames (vector[string]), resp_mime_types (vector[string])} +1362692527.009775 | HookLogWrite 
files [ts=1362692527.009512, fuid=FakNcS1Jfe01uljb3, tx_hosts=192.150.187.43, rx_hosts=141.142.228.5, conn_uids=CHhAvVGS1DHFjwGM9, source=HTTP, depth=0, analyzers=, mime_type=text/plain, filename=, duration=0.000263, local_orig=, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, extracted=, extracted_cutoff=, extracted_size=] +1362692527.009775 | HookLogWrite http [ts=1362692526.939527, uid=CHhAvVGS1DHFjwGM9, id.orig_h=141.142.228.5, id.orig_p=59856, id.resp_h=192.150.187.43, id.resp_p=80, trans_depth=1, method=GET, host=bro.org, uri=<...>/plain] +1362692527.009775 | HookQueueEvent file_sniff([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain]], inferred=T]) 1362692527.009775 | HookQueueEvent file_state_remove([id=FakNcS1Jfe01uljb3, parent_id=, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1], irc=, pe=, u2_events=]) -1362692527.009775 | HookQueueEvent get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) -1362692527.009775 | HookQueueEvent http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) -1362692527.009775 | HookQueueEvent http_message_done([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, 
current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, [start=1362692527.009512, interrupted=F, finish_msg=message ends normally, body_length=4705, content_gap_length=0, header_length=280]) +1362692527.009775 | HookQueueEvent get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) +1362692527.009775 | HookQueueEvent http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=[filename=], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F) +1362692527.009775 | HookQueueEvent http_message_done([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], F, [start=1362692527.009512, interrupted=F, finish_msg=message ends normally, body_length=4705, content_gap_length=0, header_length=280]) 1362692527.009855 MetaHookPost DrainEvents() -> 1362692527.009855 MetaHookPost UpdateNetworkTime(1362692527.009855) -> 1362692527.009855 MetaHookPre DrainEvents() 
@@ -2293,19 +2912,20 @@ 1362692527.080828 | HookUpdateNetworkTime 1362692527.080828 1362692527.080828 | HookDrainEvents 1362692527.080972 MetaHookPost CallFunction(ChecksumOffloading::check, , ()) -> -1362692527.080972 MetaHookPost CallFunction(Conn::conn_state, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], tcp)) -> -1362692527.080972 MetaHookPost CallFunction(Conn::determine_service, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) -> -1362692527.080972 MetaHookPost CallFunction(Conn::set_conn, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -> -1362692527.080972 MetaHookPost CallFunction(HTTP::get_file_handle, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -> -1362692527.080972 MetaHookPost CallFunction(KRB::fill_in_subjects, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, 
trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) -> -1362692527.080972 MetaHookPost CallFunction(Log::__write, , (Conn::LOG, [ts=1362692526.869344, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=, local_resp=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents={}])) -> -1362692527.080972 MetaHookPost CallFunction(Log::write, , (Conn::LOG, [ts=1362692526.869344, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=, local_resp=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents={}])) -> +1362692527.080972 MetaHookPost CallFunction(Conn::conn_state, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], tcp)) -> +1362692527.080972 MetaHookPost CallFunction(Conn::determine_service, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) -> +1362692527.080972 MetaHookPost CallFunction(Conn::set_conn, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, 
current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -> +1362692527.080972 MetaHookPost CallFunction(HTTP::get_file_handle, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -> +1362692527.080972 MetaHookPost CallFunction(KRB::do_log, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) -> +1362692527.080972 MetaHookPost CallFunction(KRB::fill_in_subjects, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) -> +1362692527.080972 MetaHookPost CallFunction(Log::__write, , (Conn::LOG, [ts=1362692526.869344, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=, local_resp=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=])) -> +1362692527.080972 MetaHookPost CallFunction(Log::write, , (Conn::LOG, [ts=1362692526.869344, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], proto=tcp, service=http, duration=0.211484, 
orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=, local_resp=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=])) -> 1362692527.080972 MetaHookPost CallFunction(bro_done, , ()) -> 1362692527.080972 MetaHookPost CallFunction(cat, , (Analyzer::ANALYZER_HTTP, 1362692526.869344, T, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)) -> -1362692527.080972 MetaHookPost CallFunction(connection_state_remove, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) -> +1362692527.080972 MetaHookPost CallFunction(connection_state_remove, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) -> 1362692527.080972 MetaHookPost CallFunction(filter_change_tracking, , ()) -> 1362692527.080972 MetaHookPost CallFunction(fmt, , (%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp)) -> -1362692527.080972 MetaHookPost CallFunction(get_file_handle, , (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -> +1362692527.080972 MetaHookPost CallFunction(get_file_handle, , (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], 
http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -> 1362692527.080972 MetaHookPost CallFunction(get_net_stats, , ()) -> 1362692527.080972 MetaHookPost CallFunction(get_port_transport_proto, , (80/tcp)) -> 1362692527.080972 MetaHookPost CallFunction(id_string, , ([orig_h=141.142.228.5, orig_p=59856<...>/tcp])) -> 
@@ -2316,26 +2936,29 @@ 1362692527.080972 MetaHookPost CallFunction(sub_bytes, , (HTTP, 0, 1)) -> 1362692527.080972 MetaHookPost CallFunction(to_lower, , (HTTP)) -> 1362692527.080972 MetaHookPost DrainEvents() -> +1362692527.080972 MetaHookPost LogInit(Log::WRITER_ASCII, default, true, true, conn(1362692527.080972,0.0,0.0), 21, {ts (time), uid (string), id.orig_h (addr), id.orig_p (port), id.resp_h (addr), id.resp_p (port), proto (enum), service (string), duration (interval), orig_bytes (count), resp_bytes (count), conn_state (string), local_orig (bool), local_resp (bool), missed_bytes (count), history (string), orig_pkts (count), orig_ip_bytes (count), resp_pkts (count), resp_ip_bytes (count), tunnel_parents (set[string])}) -> +1362692527.080972 MetaHookPost LogWrite(Log::WRITER_ASCII, default, conn(1362692527.080972,0.0,0.0), 21, {ts (time), uid (string), id.orig_h (addr), id.orig_p (port), id.resp_h (addr), id.resp_p (port), proto (enum), service (string), duration (interval), orig_bytes (count), resp_bytes (count), conn_state (string), local_orig (bool), local_resp (bool), missed_bytes (count), history (string), orig_pkts (count), orig_ip_bytes (count), resp_pkts (count), resp_ip_bytes (count), tunnel_parents (set[string])}, ) -> true 1362692527.080972 MetaHookPost QueueEvent(ChecksumOffloading::check()) -> false 1362692527.080972 MetaHookPost QueueEvent(bro_done()) -> false -1362692527.080972 MetaHookPost QueueEvent(connection_state_remove([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) -> false +1362692527.080972 MetaHookPost QueueEvent(connection_state_remove([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, 
current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) -> false 1362692527.080972 MetaHookPost QueueEvent(filter_change_tracking()) -> false -1362692527.080972 MetaHookPost QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -> false +1362692527.080972 MetaHookPost QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -> false 1362692527.080972 MetaHookPost UpdateNetworkTime(1362692527.080972) -> 1362692527.080972 MetaHookPre CallFunction(ChecksumOffloading::check, , ()) -1362692527.080972 MetaHookPre CallFunction(Conn::conn_state, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], tcp)) -1362692527.080972 MetaHookPre CallFunction(Conn::determine_service, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, 
smtp_state=, socks=, ssh=, syslog=])) -1362692527.080972 MetaHookPre CallFunction(Conn::set_conn, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -1362692527.080972 MetaHookPre CallFunction(HTTP::get_file_handle, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) -1362692527.080972 MetaHookPre CallFunction(KRB::fill_in_subjects, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) -1362692527.080972 MetaHookPre CallFunction(Log::__write, , (Conn::LOG, [ts=1362692526.869344, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=, local_resp=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents={}])) -1362692527.080972 MetaHookPre CallFunction(Log::write, , (Conn::LOG, [ts=1362692526.869344, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=, local_resp=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, 
tunnel_parents={}])) +1362692527.080972 MetaHookPre CallFunction(Conn::conn_state, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], tcp)) +1362692527.080972 MetaHookPre CallFunction(Conn::determine_service, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) +1362692527.080972 MetaHookPre CallFunction(Conn::set_conn, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) +1362692527.080972 MetaHookPre CallFunction(HTTP::get_file_handle, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) +1362692527.080972 MetaHookPre CallFunction(KRB::do_log, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) 
+1362692527.080972 MetaHookPre CallFunction(KRB::fill_in_subjects, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) +1362692527.080972 MetaHookPre CallFunction(Log::__write, , (Conn::LOG, [ts=1362692526.869344, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=, local_resp=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=])) +1362692527.080972 MetaHookPre CallFunction(Log::write, , (Conn::LOG, [ts=1362692526.869344, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=, local_resp=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=])) 1362692527.080972 MetaHookPre CallFunction(bro_done, , ()) 1362692527.080972 MetaHookPre CallFunction(cat, , (Analyzer::ANALYZER_HTTP, 1362692526.869344, T, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)) -1362692527.080972 MetaHookPre CallFunction(connection_state_remove, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) +1362692527.080972 MetaHookPre CallFunction(connection_state_remove, , ([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, 
current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) 1362692527.080972 MetaHookPre CallFunction(filter_change_tracking, , ()) 1362692527.080972 MetaHookPre CallFunction(fmt, , (%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp)) -1362692527.080972 MetaHookPre CallFunction(get_file_handle, , (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) +1362692527.080972 MetaHookPre CallFunction(get_file_handle, , (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) 1362692527.080972 MetaHookPre CallFunction(get_net_stats, , ()) 1362692527.080972 MetaHookPre CallFunction(get_port_transport_proto, , (80/tcp)) 1362692527.080972 MetaHookPre CallFunction(id_string, , ([orig_h=141.142.228.5, orig_p=59856<...>/tcp])) 
@@ -2346,27 +2969,30 @@ 1362692527.080972 MetaHookPre CallFunction(sub_bytes, , (HTTP, 0, 1)) 1362692527.080972 MetaHookPre CallFunction(to_lower, , (HTTP)) 1362692527.080972 MetaHookPre DrainEvents() +1362692527.080972 MetaHookPre LogInit(Log::WRITER_ASCII, default, true, true, conn(1362692527.080972,0.0,0.0), 21, {ts (time), uid (string), id.orig_h (addr), id.orig_p (port), id.resp_h (addr), id.resp_p (port), proto (enum), service (string), duration (interval), orig_bytes (count), resp_bytes (count), conn_state (string), local_orig (bool), local_resp (bool), missed_bytes (count), history (string), orig_pkts (count), orig_ip_bytes (count), resp_pkts (count), resp_ip_bytes (count), tunnel_parents (set[string])}) +1362692527.080972 MetaHookPre LogWrite(Log::WRITER_ASCII, default, conn(1362692527.080972,0.0,0.0), 21, {ts (time), uid (string), id.orig_h (addr), id.orig_p (port), id.resp_h (addr), id.resp_p (port), proto (enum), service (string), duration (interval), orig_bytes (count), resp_bytes (count), conn_state (string), local_orig (bool), local_resp (bool), missed_bytes (count), history (string), orig_pkts (count), orig_ip_bytes (count), resp_pkts (count), resp_ip_bytes (count), tunnel_parents (set[string])}, ) 1362692527.080972 MetaHookPre QueueEvent(ChecksumOffloading::check()) 1362692527.080972 MetaHookPre QueueEvent(bro_done()) -1362692527.080972 MetaHookPre QueueEvent(connection_state_remove([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) +1362692527.080972 MetaHookPre QueueEvent(connection_state_remove([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, 
krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=])) 1362692527.080972 MetaHookPre QueueEvent(filter_change_tracking()) -1362692527.080972 MetaHookPre QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) +1362692527.080972 MetaHookPre QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T)) 1362692527.080972 MetaHookPre UpdateNetworkTime(1362692527.080972) 1362692527.080972 | HookUpdateNetworkTime 1362692527.080972 1362692527.080972 | HookCallFunction ChecksumOffloading::check() -1362692527.080972 | HookCallFunction Conn::conn_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], tcp) -1362692527.080972 | HookCallFunction Conn::determine_service([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]) -1362692527.080972 | HookCallFunction 
Conn::set_conn([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T) -1362692527.080972 | HookCallFunction HTTP::get_file_handle([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T) -1362692527.080972 | HookCallFunction KRB::fill_in_subjects([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]) -1362692527.080972 | HookCallFunction Log::__write(Conn::LOG, [ts=1362692526.869344, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=, local_resp=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents={}]) -1362692527.080972 | HookCallFunction Log::write(Conn::LOG, [ts=1362692526.869344, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=, local_resp=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents={}]) +1362692527.080972 | HookCallFunction Conn::conn_state([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, 
orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], tcp) +1362692527.080972 | HookCallFunction Conn::determine_service([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]) +1362692527.080972 | HookCallFunction Conn::set_conn([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T) +1362692527.080972 | HookCallFunction HTTP::get_file_handle([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T) +1362692527.080972 | HookCallFunction KRB::do_log([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]) +1362692527.080972 | HookCallFunction KRB::fill_in_subjects([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, 
current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]) +1362692527.080972 | HookCallFunction Log::__write(Conn::LOG, [ts=1362692526.869344, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=, local_resp=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=]) +1362692527.080972 | HookCallFunction Log::write(Conn::LOG, [ts=1362692526.869344, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856<...>/tcp], proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=, local_resp=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=]) 1362692527.080972 | HookCallFunction bro_done() 1362692527.080972 | HookCallFunction cat(Analyzer::ANALYZER_HTTP, 1362692526.869344, T, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80) -1362692527.080972 | HookCallFunction connection_state_remove([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]) +1362692527.080972 | HookCallFunction connection_state_remove([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]) 1362692527.080972 | HookCallFunction filter_change_tracking() 
1362692527.080972 | HookCallFunction fmt(%s:%d > %s:%d, 141.142.228.5, 59856<...>/tcp) -1362692527.080972 | HookCallFunction get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T) +1362692527.080972 | HookCallFunction get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T) 1362692527.080972 | HookCallFunction get_net_stats() 1362692527.080972 | HookCallFunction get_port_transport_proto(80/tcp) 1362692527.080972 | HookCallFunction id_string([orig_h=141.142.228.5, orig_p=59856<...>/tcp]) 
@@ -2377,8 +3003,10 @@ 1362692527.080972 | HookCallFunction sub_bytes(HTTP, 0, 1) 1362692527.080972 | HookCallFunction to_lower(HTTP) 1362692527.080972 | HookDrainEvents +1362692527.080972 | HookLogInit conn 1/1 {ts (time), uid (string), id.orig_h (addr), id.orig_p (port), id.resp_h (addr), id.resp_p (port), proto (enum), service (string), duration (interval), orig_bytes (count), resp_bytes (count), conn_state (string), local_orig (bool), local_resp (bool), missed_bytes (count), history (string), orig_pkts (count), orig_ip_bytes (count), resp_pkts (count), resp_ip_bytes (count), tunnel_parents (set[string])} +1362692527.080972 | HookLogWrite conn [ts=1362692526.869344, uid=CHhAvVGS1DHFjwGM9, id.orig_h=141.142.228.5, id.orig_p=59856, id.resp_h=192.150.187.43, id.resp_p=80, proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=, local_resp=, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=] 1362692527.080972 | HookQueueEvent ChecksumOffloading::check() 1362692527.080972 | HookQueueEvent bro_done() -1362692527.080972 | HookQueueEvent connection_state_remove([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]) +1362692527.080972 | HookQueueEvent connection_state_remove([id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]) 1362692527.080972 | HookQueueEvent filter_change_tracking() -1362692527.080972 | HookQueueEvent 
get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T) +1362692527.080972 | HookQueueEvent get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856<...>/plain], current_entity=, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=], T) diff --git a/testing/btest/Baseline/plugins.logging-hooks/output b/testing/btest/Baseline/plugins.logging-hooks/output new file mode 100644 index 0000000000..54330845bc --- /dev/null +++ b/testing/btest/Baseline/plugins.logging-hooks/output @@ -0,0 +1 @@ +1488216470.960453 | HookLogInit ssh 1/1 {b (bool), i (int), e (enum), c (count), p (port), sn (subnet), a (addr), d (double), t (time), iv (interval), s (string), sc (set[count]), ss (set[string]), se (set[string]), vc (vector[count]), ve (vector[string]), f (func)} diff --git a/testing/btest/Baseline/plugins.logging-hooks/ssh.log b/testing/btest/Baseline/plugins.logging-hooks/ssh.log new file mode 100644 index 0000000000..4b62eb8aca --- /dev/null +++ b/testing/btest/Baseline/plugins.logging-hooks/ssh.log 
@@ -0,0 +1,11 @@ +#separator \x09 +#set_separator , +#empty_field EMPTY +#unset_field - +#path ssh +#open 2017-02-27-17-27-50 +#fields b i e c p sn a d t iv s sc ss se vc ve f +#types bool int enum count port subnet addr double time interval string set[count] set[string] set[string] vector[count] vector[string] func +F -2 SSH::LOG 21 123 10.0.0.0/24 1.2.3.4 3.14 1488216470.960453 100.000000 hurz 2,4,1,3 BB,AA,CC EMPTY 10,20,30 EMPTY SSH::foo\x0a{ \x0aif (0 < SSH::i) \x0a\x09return (Foo);\x0aelse\x0a\x09return (Bar);\x0a\x0a} +T - SSH::LOG 21 123 10.0.0.0/24 1.2.3.4 3.14 1488216470.960453 100.000000 hurz 2,4,1,3 BB,AA,CC EMPTY 10,20,30 EMPTY SSH::foo\x0a{ \x0aif (0 < SSH::i) \x0a\x09return (Foo);\x0aelse\x0a\x09return (Bar);\x0a\x0a} +#close 2017-02-27-17-27-50 diff --git a/testing/btest/Baseline/plugins.pktsrc/conn.log b/testing/btest/Baseline/plugins.pktsrc/conn.log index 6beeb3c5ea..1f19f48ffa 100644 --- a/testing/btest/Baseline/plugins.pktsrc/conn.log +++ b/testing/btest/Baseline/plugins.pktsrc/conn.log @@ -6,5 +6,5 @@ #open 2016-07-13-16-14-11 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] -1409193037.000000 CHhAvVGS1DHFjwGM9 1.2.0.2 2527 1.2.0.3 6649 tcp - - - - S0 - - 0 S 1 64 0 0 (empty) +1409193037.000000 CHhAvVGS1DHFjwGM9 1.2.0.2 2527 1.2.0.3 6649 tcp - - - - S0 - - 0 S 1 64 0 0 - #close 2016-07-13-16-14-11 diff --git a/testing/btest/Baseline/plugins.reporter-hook/output b/testing/btest/Baseline/plugins.reporter-hook/output new file mode 100644 index 0000000000..e5ed573e67 --- /dev/null +++ b/testing/btest/Baseline/plugins.reporter-hook/output 
@@ -0,0 +1,10 @@ + | Hook Some Info <...>/reporter-hook.bro, line 16 + | Hook error An Error <...>/reporter-hook.bro, line 18 + | Hook error An Error that does not show up in the log <...>/reporter-hook.bro, line 19 + | Hook expression error field value missing [b$a] <...>/reporter-hook.bro, line 23 + | Hook warning A warning <...>/reporter-hook.bro, line 17 +<...>/reporter-hook.bro, line 16: Some Info +error in <...>/reporter-hook.bro, line 18: An Error +error in <...>/reporter-hook.bro, line 19: An Error that does not show up in the log +expression error in <...>/reporter-hook.bro, line 23: field value missing [b$a] +warning in <...>/reporter-hook.bro, line 17: A warning diff --git a/testing/btest/Baseline/plugins.reporter-hook/reporter.log b/testing/btest/Baseline/plugins.reporter-hook/reporter.log new file mode 100644 index 0000000000..ab70b0c17a --- /dev/null +++ b/testing/btest/Baseline/plugins.reporter-hook/reporter.log @@ -0,0 +1,13 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path reporter +#open 2017-07-26-17-58-52 +#fields ts level message location +#types time enum string string +0.000000 Reporter::INFO Some Info /Users/johanna/corelight/bro/testing/btest/.tmp/plugins.reporter-hook/reporter-hook.bro, line 16 +0.000000 Reporter::WARNING A warning /Users/johanna/corelight/bro/testing/btest/.tmp/plugins.reporter-hook/reporter-hook.bro, line 17 +0.000000 Reporter::ERROR An Error /Users/johanna/corelight/bro/testing/btest/.tmp/plugins.reporter-hook/reporter-hook.bro, line 18 +0.000000 Reporter::ERROR field value missing [b$a] /Users/johanna/corelight/bro/testing/btest/.tmp/plugins.reporter-hook/reporter-hook.bro, line 23 +#close 2017-07-26-17-58-52 diff --git a/testing/btest/Baseline/plugins.writer/output b/testing/btest/Baseline/plugins.writer/output index f17b55dad2..bbd11b8484 100644 --- a/testing/btest/Baseline/plugins.writer/output +++ b/testing/btest/Baseline/plugins.writer/output 
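Review bot: The four data rows of the new `plugins.reporter-hook/reporter.log` baseline record the location as `/Users/johanna/corelight/bro/testing/btest/.tmp/plugins.reporter-hook/reporter-hook.bro`, an absolute path from the machine that generated it. The sibling `output` baseline for the same test stores the canonified form `<...>/reporter-hook.bro, line 16`. Unless the test pipes reporter.log through a path canonifier before comparing (the test script is not part of this hunk), the comparison would presumably match only in that one checkout location. Either way, the repository now carries a developer's home-directory layout. I would regenerate the baseline in canonified form so the rows read e.g. `0.000000 Reporter::INFO Some Info <...>/reporter-hook.bro, line 16`.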
@@ -2,13 +2,13 @@ Demo::Foo - A Foo test logging writer (dynamic, version 1.0) [Writer] Foo (Log::WRITER_FOO) === -[conn] 1340213005.165293|CHhAvVGS1DHFjwGM9|10.0.0.55|53994|60.190.189.214|8124|tcp|-|4.314406|0|0|S0|-|-|0|S|5|320|0|0| -[conn] 1340213010.582723|ClEkJM2Vm5giqnMf4h|10.0.0.55|53994|60.190.189.214|8124|tcp|socks,http|13.839419|3860|2934|SF|-|-|0|ShADadfF|23|5080|20|3986| -[conn] 1340213048.780152|C4J4Th3PJpwUYZZ6gc|10.0.0.55|53994|60.190.189.214|8124|tcp|-|-|-|-|SH|-|-|0|F|1|52|0|0| -[conn] 1340213097.272764|CtPZjS20MLrsMUOJi2|10.0.0.55|53994|60.190.189.214|8124|tcp|-|-|-|-|SH|-|-|0|F|1|52|0|0| -[conn] 1340213162.160367|CUM0KZ3MLUfNB0cl11|10.0.0.55|53994|60.190.189.214|8124|tcp|-|-|-|-|SH|-|-|0|F|1|52|0|0| -[conn] 1340213226.561757|CmES5u32sYpV7JYN|10.0.0.55|53994|60.190.189.214|8124|tcp|-|-|-|-|SH|-|-|0|F|1|52|0|0| -[conn] 1340213290.981995|CP5puj4I8PtEU4qzYg|10.0.0.55|53994|60.190.189.214|8124|tcp|-|-|-|-|SH|-|-|0|F|1|52|0|0| +[conn] 1340213005.165293|CHhAvVGS1DHFjwGM9|10.0.0.55|53994|60.190.189.214|8124|tcp|-|4.314406|0|0|S0|-|-|0|S|5|320|0|0|- +[conn] 1340213010.582723|ClEkJM2Vm5giqnMf4h|10.0.0.55|53994|60.190.189.214|8124|tcp|socks,http|13.839419|3860|2934|SF|-|-|0|ShADadfF|23|5080|20|3986|- +[conn] 1340213048.780152|C4J4Th3PJpwUYZZ6gc|10.0.0.55|53994|60.190.189.214|8124|tcp|-|-|-|-|SH|-|-|0|F|1|52|0|0|- +[conn] 1340213097.272764|CtPZjS20MLrsMUOJi2|10.0.0.55|53994|60.190.189.214|8124|tcp|-|-|-|-|SH|-|-|0|F|1|52|0|0|- +[conn] 1340213162.160367|CUM0KZ3MLUfNB0cl11|10.0.0.55|53994|60.190.189.214|8124|tcp|-|-|-|-|SH|-|-|0|F|1|52|0|0|- +[conn] 1340213226.561757|CmES5u32sYpV7JYN|10.0.0.55|53994|60.190.189.214|8124|tcp|-|-|-|-|SH|-|-|0|F|1|52|0|0|- +[conn] 1340213290.981995|CP5puj4I8PtEU4qzYg|10.0.0.55|53994|60.190.189.214|8124|tcp|-|-|-|-|SH|-|-|0|F|1|52|0|0|- [files] 1340213020.732547|FBtZ7y1ppK8iIeY622|60.190.189.214|10.0.0.55|ClEkJM2Vm5giqnMf4h|HTTP|0||image/gif|-|0.000034|-|F|1368|1368|0|0|F|-|-|-|-|-|-|- [http] 
1340213019.013158|ClEkJM2Vm5giqnMf4h|10.0.0.55|53994|60.190.189.214|8124|1|GET|www.osnews.com|/images/printer2.gif|http://www.osnews.com/|1.1|Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:10.0.2) Gecko/20100101 Firefox/10.0.2|0|0|304|Not Modified|-|-||-|-|-|-|-|-|-|-|- [http] 1340213019.013426|ClEkJM2Vm5giqnMf4h|10.0.0.55|53994|60.190.189.214|8124|2|GET|www.osnews.com|/img2/shorturl.jpg|http://www.osnews.com/|1.1|Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:10.0.2) Gecko/20100101 Firefox/10.0.2|0|0|304|Not Modified|-|-||-|-|-|-|-|-|-|-|- @@ -17,6 +17,6 @@ Demo::Foo - A Foo test logging writer (dynamic, version 1.0) [http] 1340213020.732963|ClEkJM2Vm5giqnMf4h|10.0.0.55|53994|60.190.189.214|8124|5|GET|www.osnews.com|/images/icons/17.gif|http://www.osnews.com/|1.1|Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:10.0.2) Gecko/20100101 Firefox/10.0.2|0|0|304|Not Modified|-|-||-|-|-|-|-|-|-|-|- [http] 1340213021.300269|ClEkJM2Vm5giqnMf4h|10.0.0.55|53994|60.190.189.214|8124|6|GET|www.osnews.com|/images/left.gif|http://www.osnews.com/|1.1|Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:10.0.2) Gecko/20100101 Firefox/10.0.2|0|0|304|Not Modified|-|-||-|-|-|-|-|-|-|-|- [http] 1340213021.861584|ClEkJM2Vm5giqnMf4h|10.0.0.55|53994|60.190.189.214|8124|7|GET|www.osnews.com|/images/icons/32.gif|http://www.osnews.com/|1.1|Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:10.0.2) Gecko/20100101 Firefox/10.0.2|0|0|304|Not Modified|-|-||-|-|-|-|-|-|-|-|- -[packet_filter] 1485327742.161604|bro|ip or not ip|T|T +[packet_filter] 1515793460.485950|bro|ip or not ip|T|T [socks] 1340213015.276495|ClEkJM2Vm5giqnMf4h|10.0.0.55|53994|60.190.189.214|8124|5|-|-|succeeded|-|www.osnews.com|80|192.168.0.31|-|2688 [tunnel] 1340213015.276495|-|10.0.0.55|0|60.190.189.214|8124|Tunnel::SOCKS|Tunnel::DISCOVER 
diff --git a/testing/btest/Baseline/broker.clone_store/master.master.out b/testing/btest/Baseline/scripts.base.files.data_event.basic/.stderr similarity index 100% rename from testing/btest/Baseline/broker.clone_store/master.master.out rename to testing/btest/Baseline/scripts.base.files.data_event.basic/.stderr diff --git a/testing/btest/Baseline/scripts.base.files.data_event.basic/.stdout b/testing/btest/Baseline/scripts.base.files.data_event.basic/.stdout new file mode 100644 index 0000000000..ddfdf71f06 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.files.data_event.basic/.stdout @@ -0,0 +1,3 @@ +Found +Found +Found diff --git a/testing/btest/Baseline/scripts.base.files.x509.signed_certificate_timestamp/.stdout b/testing/btest/Baseline/scripts.base.files.x509.signed_certificate_timestamp/.stdout new file mode 100644 index 0000000000..e11616d745 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.files.x509.signed_certificate_timestamp/.stdout @@ -0,0 +1,12 @@ +0, Symantec log, 1474927230.876, 4, 3 +0, Google 'Rocketeer' log, 1474927232.863, 4, 3 +0, Google 'Aviator' log, 1474927232.112, 4, 3 +0, Google 'Pilot' log, 1474927232.304, 4, 3 +Verify of, Symantec log, T +Bad verify of, Symantec log, F +Verify of, Google 'Rocketeer' log, T +Bad verify of, Google 'Rocketeer' log, F +Verify of, Google 'Aviator' log, T +Bad verify of, Google 'Aviator' log, F +Verify of, Google 'Pilot' log, T +Bad verify of, Google 'Pilot' log, F diff --git a/testing/btest/Baseline/scripts.base.files.x509.signed_certificate_timestamp_ocsp/.stdout b/testing/btest/Baseline/scripts.base.files.x509.signed_certificate_timestamp_ocsp/.stdout new file mode 100644 index 0000000000..5384f4e6b7 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.files.x509.signed_certificate_timestamp_ocsp/.stdout 
@@ -0,0 +1,6 @@ +0, Google 'Pilot' log, 1406997753.366, 4, 3 +Verify of, Google 'Pilot' log, T +Bad verify of, Google 'Pilot' log, F +0, Google 'Aviator' log, 1407002457.456, 4, 3 +Verify of, Google 'Aviator' log, T +Bad verify of, Google 'Aviator' log, F diff --git a/testing/btest/Baseline/scripts.base.frameworks.cluster.custom_pool_exclusivity/manager-1..stdout b/testing/btest/Baseline/scripts.base.frameworks.cluster.custom_pool_exclusivity/manager-1..stdout new file mode 100644 index 0000000000..f5b2222839 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.cluster.custom_pool_exclusivity/manager-1..stdout 
@@ -0,0 +1,147 @@ +1st stuff +hrw, 0, bro/cluster/node/proxy-1 +hrw (custom pool), 0, bro/cluster/node/proxy-2 +hrw, 1, bro/cluster/node/proxy-1 +hrw (custom pool), 1, bro/cluster/node/proxy-2 +hrw, 2, bro/cluster/node/proxy-1 +hrw (custom pool), 2, bro/cluster/node/proxy-2 +hrw, 3, bro/cluster/node/proxy-1 +hrw (custom pool), 3, bro/cluster/node/proxy-2 +hrw, 13, bro/cluster/node/proxy-1 +hrw (custom pool), 13, bro/cluster/node/proxy-2 +hrw, 37, bro/cluster/node/proxy-1 +hrw (custom pool), 37, bro/cluster/node/proxy-2 +hrw, 42, bro/cluster/node/proxy-1 +hrw (custom pool), 42, bro/cluster/node/proxy-2 +hrw, 101, bro/cluster/node/proxy-1 +hrw (custom pool), 101, bro/cluster/node/proxy-2 +rr, bro/cluster/node/proxy-1 +rr (custom pool), bro/cluster/node/proxy-2 +rr, bro/cluster/node/proxy-1 +rr (custom pool), bro/cluster/node/proxy-2 +rr, bro/cluster/node/proxy-1 +rr (custom pool), bro/cluster/node/proxy-2 +rr, bro/cluster/node/proxy-1 +rr (custom pool), bro/cluster/node/proxy-2 +rr, bro/cluster/node/proxy-1 +rr (custom pool), bro/cluster/node/proxy-2 +rr, bro/cluster/node/proxy-1 +rr (custom pool), bro/cluster/node/proxy-2 +rr, bro/cluster/node/proxy-1 +rr (custom pool), bro/cluster/node/proxy-2 +rr, bro/cluster/node/proxy-1 +rr (custom pool), bro/cluster/node/proxy-2 +hrw, 0, bro/cluster/node/proxy-1 +hrw (custom pool), 0, bro/cluster/node/proxy-2 +hrw, 1, bro/cluster/node/proxy-1 +hrw (custom pool), 1, bro/cluster/node/proxy-2 +hrw, 2, bro/cluster/node/proxy-1 +hrw (custom pool), 2, bro/cluster/node/proxy-2 +hrw, 3, bro/cluster/node/proxy-1 +hrw (custom pool), 3, bro/cluster/node/proxy-2 +hrw, 13, bro/cluster/node/proxy-1 +hrw (custom pool), 13, bro/cluster/node/proxy-2 +hrw, 37, bro/cluster/node/proxy-1 +hrw (custom pool), 37, bro/cluster/node/proxy-2 +hrw, 42, bro/cluster/node/proxy-1 +hrw (custom pool), 42, bro/cluster/node/proxy-2 +hrw, 101, bro/cluster/node/proxy-1 +hrw (custom pool), 101, bro/cluster/node/proxy-2 +2nd stuff +hrw, 0, +hrw (custom pool), 0, 
bro/cluster/node/proxy-2 +hrw, 1, +hrw (custom pool), 1, bro/cluster/node/proxy-2 +hrw, 2, +hrw (custom pool), 2, bro/cluster/node/proxy-2 +hrw, 3, +hrw (custom pool), 3, bro/cluster/node/proxy-2 +hrw, 13, +hrw (custom pool), 13, bro/cluster/node/proxy-2 +hrw, 37, +hrw (custom pool), 37, bro/cluster/node/proxy-2 +hrw, 42, +hrw (custom pool), 42, bro/cluster/node/proxy-2 +hrw, 101, +hrw (custom pool), 101, bro/cluster/node/proxy-2 +rr, +rr (custom pool), bro/cluster/node/proxy-2 +rr, +rr (custom pool), bro/cluster/node/proxy-2 +rr, +rr (custom pool), bro/cluster/node/proxy-2 +rr, +rr (custom pool), bro/cluster/node/proxy-2 +rr, +rr (custom pool), bro/cluster/node/proxy-2 +rr, +rr (custom pool), bro/cluster/node/proxy-2 +rr, +rr (custom pool), bro/cluster/node/proxy-2 +rr, +rr (custom pool), bro/cluster/node/proxy-2 +hrw, 0, +hrw (custom pool), 0, bro/cluster/node/proxy-2 +hrw, 1, +hrw (custom pool), 1, bro/cluster/node/proxy-2 +hrw, 2, +hrw (custom pool), 2, bro/cluster/node/proxy-2 +hrw, 3, +hrw (custom pool), 3, bro/cluster/node/proxy-2 +hrw, 13, +hrw (custom pool), 13, bro/cluster/node/proxy-2 +hrw, 37, +hrw (custom pool), 37, bro/cluster/node/proxy-2 +hrw, 42, +hrw (custom pool), 42, bro/cluster/node/proxy-2 +hrw, 101, +hrw (custom pool), 101, bro/cluster/node/proxy-2 +no stuff +hrw, 0, +hrw (custom pool), 0, +hrw, 1, +hrw (custom pool), 1, +hrw, 2, +hrw (custom pool), 2, +hrw, 3, +hrw (custom pool), 3, +hrw, 13, +hrw (custom pool), 13, +hrw, 37, +hrw (custom pool), 37, +hrw, 42, +hrw (custom pool), 42, +hrw, 101, +hrw (custom pool), 101, +rr, +rr (custom pool), +rr, +rr (custom pool), +rr, +rr (custom pool), +rr, +rr (custom pool), +rr, +rr (custom pool), +rr, +rr (custom pool), +rr, +rr (custom pool), +rr, +rr (custom pool), +hrw, 0, +hrw (custom pool), 0, +hrw, 1, +hrw (custom pool), 1, +hrw, 2, +hrw (custom pool), 2, +hrw, 3, +hrw (custom pool), 3, +hrw, 13, +hrw (custom pool), 13, +hrw, 37, +hrw (custom pool), 37, +hrw, 42, +hrw (custom pool), 42, +hrw, 
101, +hrw (custom pool), 101, diff --git a/testing/btest/Baseline/scripts.base.frameworks.cluster.custom_pool_limits/manager-1..stdout b/testing/btest/Baseline/scripts.base.frameworks.cluster.custom_pool_limits/manager-1..stdout new file mode 100644 index 0000000000..977abbf9e9 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.cluster.custom_pool_limits/manager-1..stdout 
@@ -0,0 +1,147 @@ +1st stuff +hrw, 0, bro/cluster/node/proxy-1 +hrw (custom pool), 0, bro/cluster/node/proxy-1 +hrw, 1, bro/cluster/node/proxy-1 +hrw (custom pool), 1, bro/cluster/node/proxy-1 +hrw, 2, bro/cluster/node/proxy-1 +hrw (custom pool), 2, bro/cluster/node/proxy-1 +hrw, 3, bro/cluster/node/proxy-1 +hrw (custom pool), 3, bro/cluster/node/proxy-1 +hrw, 13, bro/cluster/node/proxy-1 +hrw (custom pool), 13, bro/cluster/node/proxy-2 +hrw, 37, bro/cluster/node/proxy-1 +hrw (custom pool), 37, bro/cluster/node/proxy-2 +hrw, 42, bro/cluster/node/proxy-1 +hrw (custom pool), 42, bro/cluster/node/proxy-2 +hrw, 101, bro/cluster/node/proxy-1 +hrw (custom pool), 101, bro/cluster/node/proxy-2 +rr, bro/cluster/node/proxy-1 +rr (custom pool), bro/cluster/node/proxy-1 +rr, bro/cluster/node/proxy-1 +rr (custom pool), bro/cluster/node/proxy-2 +rr, bro/cluster/node/proxy-1 +rr (custom pool), bro/cluster/node/proxy-1 +rr, bro/cluster/node/proxy-1 +rr (custom pool), bro/cluster/node/proxy-2 +rr, bro/cluster/node/proxy-1 +rr (custom pool), bro/cluster/node/proxy-1 +rr, bro/cluster/node/proxy-1 +rr (custom pool), bro/cluster/node/proxy-2 +rr, bro/cluster/node/proxy-1 +rr (custom pool), bro/cluster/node/proxy-1 +rr, bro/cluster/node/proxy-1 +rr (custom pool), bro/cluster/node/proxy-2 +hrw, 0, bro/cluster/node/proxy-1 +hrw (custom pool), 0, bro/cluster/node/proxy-1 +hrw, 1, bro/cluster/node/proxy-1 +hrw (custom pool), 1, bro/cluster/node/proxy-1 +hrw, 2, bro/cluster/node/proxy-1 +hrw (custom pool), 2, bro/cluster/node/proxy-1 +hrw, 3, bro/cluster/node/proxy-1 +hrw (custom pool), 3, bro/cluster/node/proxy-1 +hrw, 13, bro/cluster/node/proxy-1 +hrw (custom pool), 13, bro/cluster/node/proxy-2 +hrw, 37, bro/cluster/node/proxy-1 +hrw (custom pool), 37, bro/cluster/node/proxy-2 +hrw, 42, bro/cluster/node/proxy-1 +hrw (custom pool), 42, bro/cluster/node/proxy-2 +hrw, 101, bro/cluster/node/proxy-1 +hrw (custom pool), 101, bro/cluster/node/proxy-2 +2nd stuff +hrw, 0, +hrw (custom pool), 0, 
bro/cluster/node/proxy-2 +hrw, 1, +hrw (custom pool), 1, bro/cluster/node/proxy-2 +hrw, 2, +hrw (custom pool), 2, bro/cluster/node/proxy-2 +hrw, 3, +hrw (custom pool), 3, bro/cluster/node/proxy-2 +hrw, 13, +hrw (custom pool), 13, bro/cluster/node/proxy-2 +hrw, 37, +hrw (custom pool), 37, bro/cluster/node/proxy-2 +hrw, 42, +hrw (custom pool), 42, bro/cluster/node/proxy-2 +hrw, 101, +hrw (custom pool), 101, bro/cluster/node/proxy-2 +rr, +rr (custom pool), bro/cluster/node/proxy-2 +rr, +rr (custom pool), bro/cluster/node/proxy-2 +rr, +rr (custom pool), bro/cluster/node/proxy-2 +rr, +rr (custom pool), bro/cluster/node/proxy-2 +rr, +rr (custom pool), bro/cluster/node/proxy-2 +rr, +rr (custom pool), bro/cluster/node/proxy-2 +rr, +rr (custom pool), bro/cluster/node/proxy-2 +rr, +rr (custom pool), bro/cluster/node/proxy-2 +hrw, 0, +hrw (custom pool), 0, bro/cluster/node/proxy-2 +hrw, 1, +hrw (custom pool), 1, bro/cluster/node/proxy-2 +hrw, 2, +hrw (custom pool), 2, bro/cluster/node/proxy-2 +hrw, 3, +hrw (custom pool), 3, bro/cluster/node/proxy-2 +hrw, 13, +hrw (custom pool), 13, bro/cluster/node/proxy-2 +hrw, 37, +hrw (custom pool), 37, bro/cluster/node/proxy-2 +hrw, 42, +hrw (custom pool), 42, bro/cluster/node/proxy-2 +hrw, 101, +hrw (custom pool), 101, bro/cluster/node/proxy-2 +no stuff +hrw, 0, +hrw (custom pool), 0, +hrw, 1, +hrw (custom pool), 1, +hrw, 2, +hrw (custom pool), 2, +hrw, 3, +hrw (custom pool), 3, +hrw, 13, +hrw (custom pool), 13, +hrw, 37, +hrw (custom pool), 37, +hrw, 42, +hrw (custom pool), 42, +hrw, 101, +hrw (custom pool), 101, +rr, +rr (custom pool), +rr, +rr (custom pool), +rr, +rr (custom pool), +rr, +rr (custom pool), +rr, +rr (custom pool), +rr, +rr (custom pool), +rr, +rr (custom pool), +rr, +rr (custom pool), +hrw, 0, +hrw (custom pool), 0, +hrw, 1, +hrw (custom pool), 1, +hrw, 2, +hrw (custom pool), 2, +hrw, 3, +hrw (custom pool), 3, +hrw, 13, +hrw (custom pool), 13, +hrw, 37, +hrw (custom pool), 37, +hrw, 42, +hrw (custom pool), 42, +hrw, 
101, +hrw (custom pool), 101, diff --git a/testing/btest/Baseline/scripts.base.frameworks.cluster.log_distribution/logger-1.test.log b/testing/btest/Baseline/scripts.base.frameworks.cluster.log_distribution/logger-1.test.log new file mode 100644 index 0000000000..03d3454c14 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.cluster.log_distribution/logger-1.test.log @@ -0,0 +1,59 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path test +#open 2017-12-08-00-37-18 +#fields num +#types count +1 +3 +5 +7 +9 +11 +13 +15 +17 +19 +21 +23 +25 +27 +29 +31 +33 +35 +37 +39 +41 +43 +45 +47 +49 +51 +53 +55 +57 +59 +61 +63 +65 +67 +69 +71 +73 +75 +77 +79 +81 +83 +85 +87 +89 +91 +93 +95 +97 +99 +#close 2017-12-08-00-37-20 diff --git a/testing/btest/Baseline/scripts.base.frameworks.cluster.log_distribution/logger-2.test.log b/testing/btest/Baseline/scripts.base.frameworks.cluster.log_distribution/logger-2.test.log new file mode 100644 index 0000000000..1b04569201 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.cluster.log_distribution/logger-2.test.log @@ -0,0 +1,59 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path test +#open 2017-12-08-00-37-18 +#fields num +#types count +2 +4 +6 +8 +10 +12 +14 +16 +18 +20 +22 +24 +26 +28 +30 +32 +34 +36 +38 +40 +42 +44 +46 +48 +50 +52 +54 +56 +58 +60 +62 +64 +66 +68 +70 +72 +74 +76 +78 +80 +82 +84 +86 +88 +90 +92 +94 +96 +98 +100 +#close 2017-12-08-00-37-20 diff --git a/testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up-logger/logger-1..stdout b/testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up-logger/logger-1..stdout index e10770a5cc..15baa652c9 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up-logger/logger-1..stdout +++ b/testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up-logger/logger-1..stdout 
@@ -2,4 +2,10 @@ Connected to a peer Connected to a peer Connected to a peer Connected to a peer +got fully_connected event from, worker-1 Connected to a peer +got fully_connected event from, proxy-1 +got fully_connected event from, proxy-2 +got fully_connected event from, manager-1 +got fully_connected event from, worker-2 +termination condition met: shutting down diff --git a/testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up-logger/manager-1..stdout b/testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up-logger/manager-1..stdout index e10770a5cc..b7b8f3e3b6 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up-logger/manager-1..stdout +++ b/testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up-logger/manager-1..stdout @@ -3,3 +3,4 @@ Connected to a peer Connected to a peer Connected to a peer Connected to a peer +sent fully_connected event diff --git a/testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up-logger/proxy-1..stdout b/testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up-logger/proxy-1..stdout index c3a1950daf..328d7c91a3 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up-logger/proxy-1..stdout +++ b/testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up-logger/proxy-1..stdout @@ -1,3 +1,5 @@ Connected to a peer Connected to a peer Connected to a peer +Connected to a peer +sent fully_connected event diff --git a/testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up-logger/proxy-2..stdout b/testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up-logger/proxy-2..stdout index c3a1950daf..328d7c91a3 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up-logger/proxy-2..stdout +++ b/testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up-logger/proxy-2..stdout 
@@ -1,3 +1,5 @@ Connected to a peer Connected to a peer Connected to a peer +Connected to a peer +sent fully_connected event diff --git a/testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up-logger/worker-1..stdout b/testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up-logger/worker-1..stdout index c3a1950daf..328d7c91a3 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up-logger/worker-1..stdout +++ b/testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up-logger/worker-1..stdout @@ -1,3 +1,5 @@ Connected to a peer Connected to a peer Connected to a peer +Connected to a peer +sent fully_connected event diff --git a/testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up-logger/worker-2..stdout b/testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up-logger/worker-2..stdout index c3a1950daf..328d7c91a3 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up-logger/worker-2..stdout +++ b/testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up-logger/worker-2..stdout @@ -1,3 +1,5 @@ Connected to a peer Connected to a peer Connected to a peer +Connected to a peer +sent fully_connected event diff --git a/testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up/manager-1..stdout b/testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up/manager-1..stdout index 7c8eb5ee83..5b10602c67 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up/manager-1..stdout +++ b/testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up/manager-1..stdout @@ -1,4 +1,8 @@ Connected to a peer Connected to a peer Connected to a peer +Got fully_connected event +Got fully_connected event Connected to a peer +Got fully_connected event +Got fully_connected event 
diff --git a/testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up/proxy-1..stdout b/testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up/proxy-1..stdout index 4e70653647..c3a1950daf 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up/proxy-1..stdout +++ b/testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up/proxy-1..stdout @@ -1,2 +1,3 @@ Connected to a peer Connected to a peer +Connected to a peer diff --git a/testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up/proxy-2..stdout b/testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up/proxy-2..stdout index 4e70653647..c3a1950daf 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up/proxy-2..stdout +++ b/testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up/proxy-2..stdout @@ -1,2 +1,3 @@ Connected to a peer Connected to a peer +Connected to a peer diff --git a/testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up/worker-1..stdout b/testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up/worker-1..stdout index 4e70653647..c3a1950daf 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up/worker-1..stdout +++ b/testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up/worker-1..stdout @@ -1,2 +1,3 @@ Connected to a peer Connected to a peer +Connected to a peer diff --git a/testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up/worker-2..stdout b/testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up/worker-2..stdout index 4e70653647..c3a1950daf 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up/worker-2..stdout +++ b/testing/btest/Baseline/scripts.base.frameworks.cluster.start-it-up/worker-2..stdout @@ -1,2 +1,3 @@ Connected to a peer Connected to a peer +Connected to a peer 
diff --git a/testing/btest/Baseline/scripts.base.frameworks.cluster.topic_distribution/manager-1..stdout b/testing/btest/Baseline/scripts.base.frameworks.cluster.topic_distribution/manager-1..stdout new file mode 100644 index 0000000000..2c99f08ef2 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.cluster.topic_distribution/manager-1..stdout 
@@ -0,0 +1,75 @@ +1st stuff +hrw, 0, bro/cluster/node/proxy-1 +hrw, 1, bro/cluster/node/proxy-1 +hrw, 2, bro/cluster/node/proxy-1 +hrw, 3, bro/cluster/node/proxy-1 +hrw, 13, bro/cluster/node/proxy-2 +hrw, 37, bro/cluster/node/proxy-2 +hrw, 42, bro/cluster/node/proxy-2 +hrw, 101, bro/cluster/node/proxy-2 +rr, bro/cluster/node/proxy-1 +rr, bro/cluster/node/proxy-2 +rr, bro/cluster/node/proxy-1 +rr, bro/cluster/node/proxy-2 +rr, bro/cluster/node/proxy-1 +rr, bro/cluster/node/proxy-2 +rr, bro/cluster/node/proxy-1 +rr, bro/cluster/node/proxy-2 +hrw, 0, bro/cluster/node/proxy-1 +hrw, 1, bro/cluster/node/proxy-1 +hrw, 2, bro/cluster/node/proxy-1 +hrw, 3, bro/cluster/node/proxy-1 +hrw, 13, bro/cluster/node/proxy-2 +hrw, 37, bro/cluster/node/proxy-2 +hrw, 42, bro/cluster/node/proxy-2 +hrw, 101, bro/cluster/node/proxy-2 +2nd stuff +hrw, 0, bro/cluster/node/proxy-2 +hrw, 1, bro/cluster/node/proxy-2 +hrw, 2, bro/cluster/node/proxy-2 +hrw, 3, bro/cluster/node/proxy-2 +hrw, 13, bro/cluster/node/proxy-2 +hrw, 37, bro/cluster/node/proxy-2 +hrw, 42, bro/cluster/node/proxy-2 +hrw, 101, bro/cluster/node/proxy-2 +rr, bro/cluster/node/proxy-2 +rr, bro/cluster/node/proxy-2 +rr, bro/cluster/node/proxy-2 +rr, bro/cluster/node/proxy-2 +rr, bro/cluster/node/proxy-2 +rr, bro/cluster/node/proxy-2 +rr, bro/cluster/node/proxy-2 +rr, bro/cluster/node/proxy-2 +hrw, 0, bro/cluster/node/proxy-2 +hrw, 1, bro/cluster/node/proxy-2 +hrw, 2, bro/cluster/node/proxy-2 +hrw, 3, bro/cluster/node/proxy-2 +hrw, 13, bro/cluster/node/proxy-2 +hrw, 37, bro/cluster/node/proxy-2 +hrw, 42, bro/cluster/node/proxy-2 +hrw, 101, bro/cluster/node/proxy-2 +no stuff +hrw, 0, +hrw, 1, +hrw, 2, +hrw, 3, +hrw, 13, +hrw, 37, +hrw, 42, +hrw, 101, +rr, +rr, +rr, +rr, +rr, +rr, +rr, +rr, +hrw, 0, +hrw, 1, +hrw, 2, +hrw, 3, +hrw, 13, +hrw, 37, +hrw, 42, +hrw, 101, 
diff --git a/testing/btest/Baseline/scripts.base.frameworks.cluster.topic_distribution_bifs/manager-1..stdout b/testing/btest/Baseline/scripts.base.frameworks.cluster.topic_distribution_bifs/manager-1..stdout new file mode 100644 index 0000000000..1170b6dd6a --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.cluster.topic_distribution_bifs/manager-1..stdout @@ -0,0 +1,51 @@ +1st stuff +hrw, 0, T +hrw, 1, T +hrw, 2, T +hrw, 3, T +hrw, 13, T +hrw, 37, T +hrw, 42, T +hrw, 101, T +rr, T +rr, T +rr, T +rr, T +rr, T +rr, T +rr, T +rr, T +2nd stuff +hrw, 0, T +hrw, 1, T +hrw, 2, T +hrw, 3, T +hrw, 13, T +hrw, 37, T +hrw, 42, T +hrw, 101, T +rr, T +rr, T +rr, T +rr, T +rr, T +rr, T +rr, T +rr, T +no stuff +hrw, 0, F +hrw, 1, F +hrw, 2, F +hrw, 3, F +hrw, 13, F +hrw, 37, F +hrw, 42, F +hrw, 101, F +rr, F +rr, F +rr, F +rr, F +rr, F +rr, F +rr, F +rr, F diff --git a/testing/btest/Baseline/scripts.base.frameworks.cluster.topic_distribution_bifs/proxy-1..stdout b/testing/btest/Baseline/scripts.base.frameworks.cluster.topic_distribution_bifs/proxy-1..stdout new file mode 100644 index 0000000000..b86028c482 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.cluster.topic_distribution_bifs/proxy-1..stdout @@ -0,0 +1,8 @@ +got distributed event hrw, 0 +got distributed event hrw, 1 +got distributed event hrw, 2 +got distributed event hrw, 3 +got distributed event rr, 0 +got distributed event rr, 2 +got distributed event rr, 13 +got distributed event rr, 42 diff --git a/testing/btest/Baseline/scripts.base.frameworks.cluster.topic_distribution_bifs/proxy-2..stdout b/testing/btest/Baseline/scripts.base.frameworks.cluster.topic_distribution_bifs/proxy-2..stdout new file mode 100644 index 0000000000..a83f3f7394 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.cluster.topic_distribution_bifs/proxy-2..stdout 
@@ -0,0 +1,24 @@ +got distributed event hrw, 13 +got distributed event hrw, 37 +got distributed event hrw, 42 +got distributed event hrw, 101 +got distributed event rr, 1 +got distributed event rr, 3 +got distributed event rr, 37 +got distributed event rr, 101 +got distributed event hrw, 0 +got distributed event hrw, 1 +got distributed event hrw, 2 +got distributed event hrw, 3 +got distributed event hrw, 13 +got distributed event hrw, 37 +got distributed event hrw, 42 +got distributed event hrw, 101 +got distributed event rr, 0 +got distributed event rr, 1 +got distributed event rr, 2 +got distributed event rr, 3 +got distributed event rr, 13 +got distributed event rr, 37 +got distributed event rr, 42 +got distributed event rr, 101 diff --git a/testing/btest/Baseline/scripts.base.frameworks.communication.communication_log_baseline/send.log b/testing/btest/Baseline/scripts.base.frameworks.communication.communication_log_baseline/send.log deleted file mode 100644 index c6a19029b6..0000000000 --- a/testing/btest/Baseline/scripts.base.frameworks.communication.communication_log_baseline/send.log +++ /dev/null 
@@ -1,24 +0,0 @@ -#separator \x09 -#set_separator , -#empty_field (empty) -#unset_field - -#path communication -#open 2012-07-20-01-49-40 -#fields ts peer src_name connected_peer_desc connected_peer_addr connected_peer_port level message -#types time string string string addr port string string -1342748980.737451 bro parent - - - info [#1/127.0.0.1:47757] added peer -1342748980.747149 bro child - - - info [#1/127.0.0.1:47757] connected -1342748980.748489 bro parent - - - info [#1/127.0.0.1:47757] peer connected -1342748980.748489 bro parent - - - info [#1/127.0.0.1:47757] phase: version -1342748980.750749 bro script - - - info connection established -1342748980.750749 bro script - - - info requesting events matching /^?(NOTHING)$?/ -1342748980.750749 bro script - - - info accepting state -1342748980.752225 bro parent - - - info [#1/127.0.0.1:47757] phase: handshake -1342748980.752225 bro parent - - - info warning: no events to request -1342748980.753384 bro parent - - - info [#1/127.0.0.1:47757] peer_description is bro -1342748980.793108 bro parent - - - info [#1/127.0.0.1:47757] peer supports keep-in-cache; using that -1342748980.793108 bro parent - - - info [#1/127.0.0.1:47757] phase: running -1342748980.793108 bro parent - - - info terminating... -1342748980.796454 bro child - - - info terminating -1342748980.797536 bro parent - - - info [#1/127.0.0.1:47757] closing connection -#close 2012-07-20-01-49-40 diff --git a/testing/btest/Baseline/scripts.base.frameworks.config.basic/bro..stderr b/testing/btest/Baseline/scripts.base.frameworks.config.basic/bro..stderr new file mode 100644 index 0000000000..977e8fc37a --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.config.basic/bro..stderr @@ -0,0 +1 @@ +received termination signal diff --git a/testing/btest/Baseline/scripts.base.frameworks.config.basic/bro.config.log b/testing/btest/Baseline/scripts.base.frameworks.config.basic/bro.config.log new file mode 100644 index 0000000000..0d96d0f111 
--- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.config.basic/bro.config.log @@ -0,0 +1,25 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path config +#open 2018-08-10-18-16-52 +#fields ts id old_value new_value location +#types time string string string string +1533925012.140634 testbool T F ../configfile +1533925012.140634 testcount 0 1 ../configfile +1533925012.140634 testcount 1 2 ../configfile +1533925012.140634 testint 0 -1 ../configfile +1533925012.140634 testenum SSH::LOG Conn::LOG ../configfile +1533925012.140634 testport 42/tcp 45/unknown ../configfile +1533925012.140634 testporttcp 40/udp 42/tcp ../configfile +1533925012.140634 testportudp 40/tcp 42/udp ../configfile +1533925012.140634 testaddr 127.0.0.1 127.0.0.1 ../configfile +1533925012.140634 testaddr 127.0.0.1 2607:f8b0:4005:801::200e ../configfile +1533925012.140634 testinterval 1.0 sec 60.0 ../configfile +1533925012.140634 testtime 0.0 1507321987.0 ../configfile +1533925012.140634 test_set (empty) b,c,a,d,erdbeerschnitzel ../configfile +1533925012.140634 test_vector (empty) 1,2,3,4,5,6 ../configfile +1533925012.140634 test_set b,c,a,d,erdbeerschnitzel (empty) ../configfile +1533925012.140634 test_set (empty) \x2d ../configfile +#close 2018-08-10-18-16-52 diff --git a/testing/btest/Baseline/scripts.base.frameworks.config.basic_cluster/manager-1..stdout b/testing/btest/Baseline/scripts.base.frameworks.config.basic_cluster/manager-1..stdout new file mode 100644 index 0000000000..ad74a79d79 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.config.basic_cluster/manager-1..stdout @@ -0,0 +1,2 @@ +option changed, testport, 44/tcp, +option changed, teststring, b, comment diff --git a/testing/btest/Baseline/scripts.base.frameworks.config.basic_cluster/manager-1.config.log b/testing/btest/Baseline/scripts.base.frameworks.config.basic_cluster/manager-1.config.log new file mode 100644 index 0000000000..2953e3d78d --- /dev/null 
+++ b/testing/btest/Baseline/scripts.base.frameworks.config.basic_cluster/manager-1.config.log @@ -0,0 +1,11 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path config +#open 2018-06-22-18-27-45 +#fields ts id old_value new_value location +#types time string string string string +1529692065.525489 testport 42/tcp 44/tcp - +1529692065.562594 teststring a b comment +#close 2018-06-22-18-27-50 diff --git a/testing/btest/Baseline/scripts.base.frameworks.config.basic_cluster/worker-1..stdout b/testing/btest/Baseline/scripts.base.frameworks.config.basic_cluster/worker-1..stdout new file mode 100644 index 0000000000..3558bbe476 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.config.basic_cluster/worker-1..stdout @@ -0,0 +1,4 @@ +option changed, testport, 44/tcp, +option changed, teststring, b, comment +option changed, testport, 44/tcp, +option changed, teststring, b, comment diff --git a/testing/btest/Baseline/scripts.base.frameworks.config.basic_cluster/worker-2..stdout b/testing/btest/Baseline/scripts.base.frameworks.config.basic_cluster/worker-2..stdout new file mode 100644 index 0000000000..ad74a79d79 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.config.basic_cluster/worker-2..stdout @@ -0,0 +1,2 @@ +option changed, testport, 44/tcp, +option changed, teststring, b, comment diff --git a/testing/btest/Baseline/scripts.base.frameworks.config.cluster_resend/manager-1..stdout b/testing/btest/Baseline/scripts.base.frameworks.config.cluster_resend/manager-1..stdout new file mode 100644 index 0000000000..066eb59f96 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.config.cluster_resend/manager-1..stdout @@ -0,0 +1,5 @@ +Node up, worker-1 +option changed, testcount, 1, +option changed, testport, 44/tcp, +option changed, teststring, b, comment +Node up, worker-2 
diff --git a/testing/btest/Baseline/scripts.base.frameworks.config.cluster_resend/manager-1.config.log b/testing/btest/Baseline/scripts.base.frameworks.config.cluster_resend/manager-1.config.log new file mode 100644 index 0000000000..900aaf6796 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.config.cluster_resend/manager-1.config.log @@ -0,0 +1,12 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path config +#open 2018-06-29-19-46-30 +#fields ts id old_value new_value location +#types time string string string string +1530301590.505311 testcount 0 1 - +1530301590.605012 testport 42/tcp 44/tcp - +1530301590.605012 teststring a b comment +#close 2018-06-29-19-46-51 diff --git a/testing/btest/Baseline/scripts.base.frameworks.config.cluster_resend/worker-1..stdout b/testing/btest/Baseline/scripts.base.frameworks.config.cluster_resend/worker-1..stdout new file mode 100644 index 0000000000..59431be9c1 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.config.cluster_resend/worker-1..stdout @@ -0,0 +1,5 @@ +option changed, testport, 44/tcp, +option changed, teststring, b, comment +option changed, testcount, 1, +option changed, testport, 44/tcp, +option changed, teststring, b, comment diff --git a/testing/btest/Baseline/scripts.base.frameworks.config.cluster_resend/worker-2..stdout b/testing/btest/Baseline/scripts.base.frameworks.config.cluster_resend/worker-2..stdout new file mode 100644 index 0000000000..564ac790e8 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.config.cluster_resend/worker-2..stdout @@ -0,0 +1,3 @@ +option changed, testport, 44/tcp, +option changed, testcount, 1, +option changed, teststring, b, comment diff --git a/testing/btest/Baseline/scripts.base.frameworks.config.read_config/bro.config.log b/testing/btest/Baseline/scripts.base.frameworks.config.read_config/bro.config.log new file mode 100644 index 0000000000..fa56b8455e --- /dev/null 
+++ b/testing/btest/Baseline/scripts.base.frameworks.config.read_config/bro.config.log @@ -0,0 +1,23 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path config +#open 2017-10-11-20-47-09 +#fields ts id old_value new_value location +#types time string string string string +1507754829.092788 testbool T F ../configfile +1507754829.092788 testcount 0 1 ../configfile +1507754829.092788 testcount 1 2 ../configfile +1507754829.092788 testint 0 -1 ../configfile +1507754829.092788 testenum SSH::LOG Conn::LOG ../configfile +1507754829.092788 testport 42/tcp 45/unknown ../configfile +1507754829.092788 testaddr 127.0.0.1 127.0.0.1 ../configfile +1507754829.092788 testaddr 127.0.0.1 2607:f8b0:4005:801::200e ../configfile +1507754829.092788 testinterval 1.0 sec 60.0 ../configfile +1507754829.092788 testtime 0.0 1507321987.0 ../configfile +1507754829.092788 test_set (empty) b,c,a,d,erdbeerschnitzel ../configfile +1507754829.092788 test_vector (empty) 1,2,3,4,5,6 ../configfile +1507754829.092788 test_set b,c,a,d,erdbeerschnitzel (empty) ../configfile +1507754829.092788 test_set (empty) \x2d ../configfile +#close 2017-10-11-20-47-09 diff --git a/testing/btest/Baseline/scripts.base.frameworks.config.read_config_cluster/manager-1..stdout b/testing/btest/Baseline/scripts.base.frameworks.config.read_config_cluster/manager-1..stdout new file mode 100644 index 0000000000..21f258d510 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.config.read_config_cluster/manager-1..stdout @@ -0,0 +1 @@ +option changed, testport, 45/unknown, ../configfile diff --git a/testing/btest/Baseline/scripts.base.frameworks.config.read_config_cluster/manager-1.config.log b/testing/btest/Baseline/scripts.base.frameworks.config.read_config_cluster/manager-1.config.log new file mode 100644 index 0000000000..f1420279b4 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.config.read_config_cluster/manager-1.config.log 
@@ -0,0 +1,24 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path config +#open 2018-07-20-20-40-10 +#fields ts id old_value new_value location +#types time string string string string +1532119210.151927 testbool T F ../configfile +1532119210.151927 testcount 0 1 ../configfile +1532119210.151927 testcount 1 2 ../configfile +1532119210.151927 testint 0 -1 ../configfile +1532119210.151927 testenum SSH::LOG Conn::LOG ../configfile +1532119210.151927 testport 42/tcp 45/unknown ../configfile +1532119210.151927 testaddr 127.0.0.1 127.0.0.1 ../configfile +1532119210.151927 testaddr 127.0.0.1 2607:f8b0:4005:801::200e ../configfile +1532119210.151927 testinterval 1.0 sec 60.0 ../configfile +1532119210.151927 testtime 0.0 1507321987.0 ../configfile +1532119210.151927 test_set (empty) b,c,a,d,erdbeerschnitzel ../configfile +1532119210.151927 test_vector (empty) 1,2,3,4,5,6 ../configfile +1532119210.151927 test_set b,c,a,d,erdbeerschnitzel \x28empty) ../configfile +1532119210.151927 test_set \x28empty) \x2d ../configfile +1532119210.151927 test_set_full 2,1,7,15,10,3 6,4,1,7,5,3 ../configfile +#close 2018-07-20-20-40-22 diff --git a/testing/btest/Baseline/scripts.base.frameworks.config.read_config_cluster/worker-1..stdout b/testing/btest/Baseline/scripts.base.frameworks.config.read_config_cluster/worker-1..stdout new file mode 100644 index 0000000000..08b60346e3 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.config.read_config_cluster/worker-1..stdout 
@@ -0,0 +1,12 @@ +cluster_set_option, testtime, [data=broker::data{1507321987000000000ns}], ../configfile +cluster_set_option, testint, [data=broker::data{-1}], ../configfile +option changed, testport, 45/unknown, ../configfile +cluster_set_option, testport, [data=broker::data{45/?}], ../configfile +cluster_set_option, testinterval, [data=broker::data{60000000000ns}], ../configfile +cluster_set_option, test_set, [data=broker::data{{-}}], ../configfile +cluster_set_option, testaddr, [data=broker::data{2607:f8b0:4005:801::200e}], ../configfile +cluster_set_option, testenum, [data=broker::data{Conn::LOG}], ../configfile +cluster_set_option, test_vector, [data=broker::data{[1, 2, 3, 4, 5, 6]}], ../configfile +cluster_set_option, testbool, [data=broker::data{F}], ../configfile +cluster_set_option, testcount, [data=broker::data{2}], ../configfile +cluster_set_option, test_set_full, [data=broker::data{{1, 3, 4, 5, 6, 7}}], ../configfile diff --git a/testing/btest/Baseline/scripts.base.frameworks.config.read_config_cluster/worker-2..stdout b/testing/btest/Baseline/scripts.base.frameworks.config.read_config_cluster/worker-2..stdout new file mode 100644 index 0000000000..08b60346e3 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.config.read_config_cluster/worker-2..stdout 
@@ -0,0 +1,12 @@ +cluster_set_option, testtime, [data=broker::data{1507321987000000000ns}], ../configfile +cluster_set_option, testint, [data=broker::data{-1}], ../configfile +option changed, testport, 45/unknown, ../configfile +cluster_set_option, testport, [data=broker::data{45/?}], ../configfile +cluster_set_option, testinterval, [data=broker::data{60000000000ns}], ../configfile +cluster_set_option, test_set, [data=broker::data{{-}}], ../configfile +cluster_set_option, testaddr, [data=broker::data{2607:f8b0:4005:801::200e}], ../configfile +cluster_set_option, testenum, [data=broker::data{Conn::LOG}], ../configfile +cluster_set_option, test_vector, [data=broker::data{[1, 2, 3, 4, 5, 6]}], ../configfile +cluster_set_option, testbool, [data=broker::data{F}], ../configfile +cluster_set_option, testcount, [data=broker::data{2}], ../configfile +cluster_set_option, test_set_full, [data=broker::data{{1, 3, 4, 5, 6, 7}}], ../configfile diff --git a/testing/btest/Baseline/scripts.base.frameworks.config.several-files/bro.config.log b/testing/btest/Baseline/scripts.base.frameworks.config.several-files/bro.config.log new file mode 100644 index 0000000000..90127d6c1d --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.config.several-files/bro.config.log 
@@ -0,0 +1,19 @@ +#close 2018-02-07-22-20-13 +#empty_field (empty) +#fields ts id old_value new_value location +#open 2018-02-07-22-20-13 +#path config +#separator \x09 +#set_separator , +#types time string string string string +#unset_field - +1518042012.989543 test_set (empty) b,c,a,d,erdbeerschnitzel ../configfile1 +1518042012.989543 test_vector (empty) 1,2,3,4,5,6 ../configfile1 +1518042012.989543 testaddr 127.0.0.1 127.0.0.1 ../configfile2 +1518042012.989543 testbool T F ../configfile1 +1518042012.989543 testcount 0 2 ../configfile1 +1518042012.989543 testenum SSH::LOG Conn::LOG ../configfile1 +1518042012.989543 testint 0 -1 ../configfile1 +1518042012.989543 testinterval 1.0 sec 60.0 ../configfile2 +1518042012.989543 testport 42/tcp 45/unknown ../configfile2 +1518042012.989543 testtime 0.0 1507321987.0 ../configfile2 diff --git a/testing/btest/Baseline/scripts.base.frameworks.config.updates/bro.config.log b/testing/btest/Baseline/scripts.base.frameworks.config.updates/bro.config.log new file mode 100644 index 0000000000..1365648515 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.config.updates/bro.config.log 
@@ -0,0 +1,27 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path config +#open 2018-01-18-23-16-41 +#fields ts id old_value new_value location +#types time string string string string +1516317401.889929 testbool T F ../configfile +1516317401.889929 testcount 0 1 ../configfile +1516317401.889929 testcount 1 2 ../configfile +1516317401.889929 testint 0 -1 ../configfile +1516317401.889929 testenum SSH::LOG Conn::LOG ../configfile +1516317401.889929 testport 42/tcp 45/unknown ../configfile +1516317401.889929 testaddr 127.0.0.1 127.0.0.1 ../configfile +1516317401.889929 testaddr 127.0.0.1 2607:f8b0:4005:801::200e ../configfile +1516317401.889929 testinterval 1.0 sec 60.0 ../configfile +1516317401.889929 testtime 0.0 1507321987.0 ../configfile +1516317401.889929 test_set (empty) b,c,a,d,erdbeerschnitzel ../configfile +1516317401.889929 test_vector (empty) 1,2,3,4,5,6 ../configfile +1516317405.093522 testcount 2 1 ../configfile +1516317405.093522 testcount 1 2 ../configfile +1516317405.093522 testaddr 2607:f8b0:4005:801::200e 127.0.0.1 ../configfile +1516317405.093522 testaddr 127.0.0.1 2607:f8b0:4005:801::200e ../configfile +1516317405.093522 test_vector 1,2,3,4,5,6 1,2,3,4,5,9 ../configfile +1516317409.199572 test_vector 1,2,3,4,5,9 1,2,3,4,5,9 ../configfile +#close 2018-01-18-23-16-49 diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.bifs.file_exists_lookup_file/.stdout b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.bifs.file_exists_lookup_file/.stdout new file mode 100644 index 0000000000..d5dd2cab55 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.bifs.file_exists_lookup_file/.stdout 
@@ -0,0 +1,9 @@ +error: file ID asdf not a known file +warning: non-void function returns without a value: Files::lookup_file +This should fail but not crash +This should return F +F +lookup fid: FakNcS1Jfe01uljb3 +We should have found the file id: FakNcS1Jfe01uljb3 +This should return T +T diff --git a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.smtp/out b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.smtp/out index d7c0aef00d..90e5e79ef0 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.file-analysis.smtp/out +++ b/testing/btest/Baseline/scripts.base.frameworks.file-analysis.smtp/out @@ -60,10 +60,8 @@ FILE_OVER_NEW_CONNECTION FILE_STATE_REMOVE file #4, 1406, 0 [orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp] -FILE_BOF_BUFFER -0\x82\x05z0\x82\x04b\xa0\x03\x02 MIME_TYPE -application/pkix-cert +application/x-x509-user-cert source: SSL MD5: 1bf9696d9f337805383427e88781d001 SHA1: f5ccb1a724133607548b00d8eb402efca3076d58 @@ -73,10 +71,8 @@ FILE_OVER_NEW_CONNECTION FILE_STATE_REMOVE file #5, 1092, 0 [orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp] -FILE_BOF_BUFFER -0\x82\x04@0\x82\x03(\xa0\x03\x02 MIME_TYPE -application/pkix-cert +application/x-x509-ca-cert source: SSL MD5: 48f0e38385112eeca5fc9ffd402eaecd SHA1: 8e8321ca08b08e3726fe1d82996884eeb5f0d655 diff --git a/testing/btest/Baseline/scripts.base.frameworks.input.basic/out b/testing/btest/Baseline/scripts.base.frameworks.input.basic/out index 694f708fd8..5cc19d85a2 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.input.basic/out +++ b/testing/btest/Baseline/scripts.base.frameworks.input.basic/out 
@@ -1,5 +1,5 @@ { -[-42] = [b=T, e=SSH::LOG, c=21, p=123/unknown, sn=10.0.0.0/24, a=1.2.3.4, d=3.14, t=1315801931.273616, iv=100.0, s=hurz, ns=4242, sc={ +[-42] = [b=T, bt=T, e=SSH::LOG, c=21, p=123/unknown, pp=5/icmp, sn=10.0.0.0/24, a=1.2.3.4, d=3.14, t=1315801931.273616, iv=100.0, s=hurz, ns=4242, sc={ 2, 4, 1, diff --git a/testing/btest/Baseline/scripts.base.frameworks.input.config.basic/out b/testing/btest/Baseline/scripts.base.frameworks.input.config.basic/out new file mode 100644 index 0000000000..1863c7e8ea --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.input.config.basic/out @@ -0,0 +1,28 @@ +testbool, F +testcount, 1 +testcount, 2 +testint, -1 +testenum, Conn::LOG +testport, 45/unknown +testportandproto, 45/udp +testaddr, 127.0.0.1 +testaddr, 2607:f8b0:4005:801::200e +testinterval, 60.0 +testtime, 1507321987.0 +test_set, { +b, +c, +a, +d, +erdbeerschnitzel +} +test_vector, [1, 2, 3, 4, 5, 6] +test_set, { +(empty) +} +test_set, { + +} +test_set, { +- +} diff --git a/testing/btest/Baseline/scripts.base.frameworks.input.config.errors/errout b/testing/btest/Baseline/scripts.base.frameworks.input.config.errors/errout new file mode 100644 index 0000000000..792f50d8c8 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.input.config.errors/errout 
@@ -0,0 +1,14 @@ +warning: ../configfile/Input::READER_CONFIG: Field: testbool Invalid value for boolean: A +warning: ../configfile/Input::READER_CONFIG: Could not convert line 'testbool A' to value. Ignoring line. +warning: ../configfile/Input::READER_CONFIG: Could not parse 'testtesttesttesttesttest'; line has invalid format. Ignoring line. +warning: ../configfile/Input::READER_CONFIG: Field: testbool Invalid value for boolean: A B +warning: ../configfile/Input::READER_CONFIG: Could not convert line 'testbool A B' to value. Ignoring line. +warning: ../configfile/Input::READER_CONFIG: String 'A' contained no parseable number +warning: ../configfile/Input::READER_CONFIG: Could not convert line 'testcount A' to value. Ignoring line. +warning: Value 'unknown' for stream 'configuration' is not a valid enum. +error: SendEvent for event InputConfig::new_value failed +warning: ../configfile/Input::READER_CONFIG: Option 'testbooool' does not exist. Ignoring line. +warning: ../configfile/Input::READER_CONFIG: Option 'test_any' has type 'any', which is not supported for file input. Ignoring line. +warning: ../configfile/Input::READER_CONFIG: Option 'test_table' has type 'table', which is not supported for file input. Ignoring line. +received termination signal +>>> diff --git a/testing/btest/Baseline/scripts.base.frameworks.input.invalid-lines/out b/testing/btest/Baseline/scripts.base.frameworks.input.invalid-lines/out new file mode 100644 index 0000000000..3406639d29 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.input.invalid-lines/out 
@@ -0,0 +1,26 @@ +{ +[-43] = [b=T, e=SSH::LOG, c=21, p=123/unknown, sn=10.0.0.0/24, a=1.2.3.4, d=3.14, t=1315801931.273616, iv=100.0, s=hurz, ns=4242 HOHOHO, sc={ +2, +4, +1, +3 +}, ss={ +BB, +AA, +CC +}, se={ + +}, vc=[10, 20, 30], ve=[]], +[-42] = [b=T, e=SSH::LOG, c=21, p=123/unknown, sn=10.0.0.0/24, a=1.2.3.4, d=3.14, t=1315801931.273616, iv=100.0, s=hurz, ns=4242, sc={ +2, +4, +1, +3 +}, ss={ +BB, +AA, +CC +}, se={ + +}, vc=[10, 20, 30], ve=[]] +} diff --git a/testing/btest/Baseline/scripts.base.frameworks.input.invalidset/.stderrwithoutfirstline b/testing/btest/Baseline/scripts.base.frameworks.input.invalidset/.stderrwithoutfirstline new file mode 100644 index 0000000000..69855535cf --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.input.invalidset/.stderrwithoutfirstline @@ -0,0 +1,8 @@ +warning: ../input.log/Input::READER_ASCII: Invalid value for subnet: 127.0.0.1 +warning: ../input.log/Input::READER_ASCII: Error while reading set or vector +warning: ../input.log/Input::READER_ASCII: Could not convert line 'name 127.0.0.1' to Val. Ignoring line. +warning: ../input.log/Input::READER_ASCII: Invalid value for subnet: 127.0.0.1 +warning: ../input.log/Input::READER_ASCII: Error while reading set or vector +warning: ../input.log/Input::READER_ASCII: Could not convert line 'name 127.0.0.1' to Val. Ignoring line. +received termination signal +>>> diff --git a/testing/btest/Baseline/scripts.base.frameworks.input.invalidset/out b/testing/btest/Baseline/scripts.base.frameworks.input.invalidset/out new file mode 100644 index 0000000000..80359cc005 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.input.invalidset/out 
@@ -0,0 +1,14 @@ +TableErrorEvent, Invalid value for subnet: 127.0.0.1, Reporter::WARNING +TableErrorEvent, Error while reading set or vector, Reporter::WARNING +TableErrorEvent, Could not convert line 'name\x09127.0.0.1' to Val. Ignoring line., Reporter::WARNING +Event, [s={ + +}] +EventErrorEvent, Invalid value for subnet: 127.0.0.1, Reporter::WARNING +EventErrorEvent, Error while reading set or vector, Reporter::WARNING +EventErrorEvent, Could not convert line 'name\x09127.0.0.1' to Val. Ignoring line., Reporter::WARNING +{ +[name] = [s={ + +}] +} diff --git a/testing/btest/Baseline/scripts.base.frameworks.input.missing-enum/bro..stderr b/testing/btest/Baseline/scripts.base.frameworks.input.missing-enum/bro..stderr index 20207bcf94..8cd0c5ab6c 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.input.missing-enum/bro..stderr +++ b/testing/btest/Baseline/scripts.base.frameworks.input.missing-enum/bro..stderr @@ -1,2 +1,2 @@ -warning: Value not 'IdoNot::Exist' for stream 'enum' is not a valid enum. +warning: Value 'IdoNot::Exist' for stream 'enum' is not a valid enum. received termination signal diff --git a/testing/btest/Baseline/scripts.base.frameworks.input.missing-file-initially/bro..stderr b/testing/btest/Baseline/scripts.base.frameworks.input.missing-file-initially/bro..stderr new file mode 100644 index 0000000000..337cdcda87 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.input.missing-file-initially/bro..stderr 
@@ -0,0 +1,8 @@ +warning: ../does-not-exist.dat/Input::READER_ASCII: Init: cannot open ../does-not-exist.dat +warning: ../does-not-exist.dat/Input::READER_ASCII: Init: cannot open ../does-not-exist.dat +warning: ../does-not-exist.dat/Input::READER_ASCII: Init: cannot open ../does-not-exist.dat +error: ../does-not-exist.dat/Input::READER_ASCII: Init: cannot open ../does-not-exist.dat +error: ../does-not-exist.dat/Input::READER_ASCII: Init failed +error: ../does-not-exist.dat/Input::READER_ASCII: terminating thread +warning: ../does-not-exist.dat/Input::READER_ASCII: Could not get stat for ../does-not-exist.dat +received termination signal diff --git a/testing/btest/Baseline/scripts.base.frameworks.input.missing-file-initially/bro..stdout b/testing/btest/Baseline/scripts.base.frameworks.input.missing-file-initially/bro..stdout new file mode 100644 index 0000000000..4178deba14 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.input.missing-file-initially/bro..stdout @@ -0,0 +1,5 @@ +input: 1 now it does +input: 2 and more! +inputstream: 1 now it does +inputstream: 2 and more! +inputstream: 3 streaming still works diff --git a/testing/btest/Baseline/scripts.base.frameworks.input.port-embedded/bro..stderr b/testing/btest/Baseline/scripts.base.frameworks.input.port-embedded/bro..stderr new file mode 100644 index 0000000000..fee70a8699 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.input.port-embedded/bro..stderr @@ -0,0 +1,2 @@ +warning: ../input.log/Input::READER_ASCII: Port '50/trash' contained unknown protocol 'trash' +received termination signal diff --git a/testing/btest/Baseline/scripts.base.frameworks.input.port-embedded/bro..stdout b/testing/btest/Baseline/scripts.base.frameworks.input.port-embedded/bro..stdout new file mode 100644 index 0000000000..d1d886b370 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.input.port-embedded/bro..stdout 
@@ -0,0 +1,4 @@ +[i=1.2.3.4], [p=80/tcp] +[i=1.2.3.5], [p=52/udp] +[i=1.2.3.6], [p=30/unknown] +[i=1.2.3.7], [p=50/unknown] diff --git a/testing/btest/Baseline/scripts.base.frameworks.input.raw.executestdin/out b/testing/btest/Baseline/scripts.base.frameworks.input.raw.executestdin/out index 23851022b5..e847bdab82 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.input.raw.executestdin/out +++ b/testing/btest/Baseline/scripts.base.frameworks.input.raw.executestdin/out @@ -1,20 +1,10 @@ -Input::EVENT_NEW, cat |, input0 -hello -Input::EVENT_NEW, cat |, input0 -there\x01\x02\x03\x04\x05\x01\x02\x03yay0 -Input::EVENT_NEW, cat |, input1 -hello -Input::EVENT_NEW, cat |, input1 -there\x01\x02\x03\x04\x05\x01\x02\x03yay01 -Input::EVENT_NEW, cat |, input2 -hello -Input::EVENT_NEW, cat |, input2 -there\x01\x02\x03\x04\x05\x01\x02\x03yay012 -Input::EVENT_NEW, cat |, input3 -hello -Input::EVENT_NEW, cat |, input3 -there\x01\x02\x03\x04\x05\x01\x02\x03yay0123 -Input::EVENT_NEW, cat |, input4 -hello -Input::EVENT_NEW, cat |, input4 -there\x01\x02\x03\x04\x05\x01\x02\x03yay01234 +Input::EVENT_NEW, cat |, input0, hello +Input::EVENT_NEW, cat |, input0, there\x01\x02\x03\x04\x05\x01\x02\x03yay0 +Input::EVENT_NEW, cat |, input1, hello +Input::EVENT_NEW, cat |, input1, there\x01\x02\x03\x04\x05\x01\x02\x03yay01 +Input::EVENT_NEW, cat |, input4, hello +Input::EVENT_NEW, cat |, input4, there\x01\x02\x03\x04\x05\x01\x02\x03yay01234 +Input::EVENT_NEW, cat |, input2, hello +Input::EVENT_NEW, cat |, input2, there\x01\x02\x03\x04\x05\x01\x02\x03yay012 +Input::EVENT_NEW, cat |, input3, hello +Input::EVENT_NEW, cat |, input3, there\x01\x02\x03\x04\x05\x01\x02\x03yay0123 diff --git a/testing/btest/Baseline/scripts.base.frameworks.input.raw.executestream/out b/testing/btest/Baseline/scripts.base.frameworks.input.raw.executestream/out index 1705220b28..df7331e5e2 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.input.raw.executestream/out 
+++ b/testing/btest/Baseline/scripts.base.frameworks.input.raw.executestream/out 
@@ -1,153 +1,25 @@ -[source=tail -f ../input.log |, reader=Input::READER_RAW, mode=Input::STREAM, name=input, fields=, want_record=F, ev=line -{ -print A::outfile, A::description; -print A::outfile, A::tpe; -print A::outfile, A::s; -A::try = A::try + 1; -if (8 == A::try) -{ -print A::outfile, done; -close(A::outfile); -Input::remove(input); -terminate(); -} - -}, error_ev=, config={ - -}] +tail -f ../input.log |, Input::READER_RAW, Input::STREAM, input Input::EVENT_NEW sdfkh:KH;fdkncv;ISEUp34:Fkdj;YVpIODhfDF -[source=tail -f ../input.log |, reader=Input::READER_RAW, mode=Input::STREAM, name=input, fields=, want_record=F, ev=line -{ -print A::outfile, A::description; -print A::outfile, A::tpe; -print A::outfile, A::s; -A::try = A::try + 1; -if (8 == A::try) -{ -print A::outfile, done; -close(A::outfile); -Input::remove(input); -terminate(); -} - -}, error_ev=, config={ - -}] +tail -f ../input.log |, Input::READER_RAW, Input::STREAM, input Input::EVENT_NEW DSF"DFKJ"SDFKLh304yrsdkfj@#(*U$34jfDJup3UF -[source=tail -f ../input.log |, reader=Input::READER_RAW, mode=Input::STREAM, name=input, fields=, want_record=F, ev=line -{ -print A::outfile, A::description; -print A::outfile, A::tpe; -print A::outfile, A::s; -A::try = A::try + 1; -if (8 == A::try) -{ -print A::outfile, done; -close(A::outfile); -Input::remove(input); -terminate(); -} - -}, error_ev=, config={ - -}] +tail -f ../input.log |, Input::READER_RAW, Input::STREAM, input Input::EVENT_NEW q3r3057fdf -[source=tail -f ../input.log |, reader=Input::READER_RAW, mode=Input::STREAM, name=input, fields=, want_record=F, ev=line -{ -print A::outfile, A::description; -print A::outfile, A::tpe; -print A::outfile, A::s; -A::try = A::try + 1; -if (8 == A::try) -{ -print A::outfile, done; -close(A::outfile); -Input::remove(input); -terminate(); -} - -}, error_ev=, config={ - -}] +tail -f ../input.log |, Input::READER_RAW, Input::STREAM, input Input::EVENT_NEW sdfs\d -[source=tail -f ../input.log |, reader=Input::READER_RAW, 
mode=Input::STREAM, name=input, fields=, want_record=F, ev=line -{ -print A::outfile, A::description; -print A::outfile, A::tpe; -print A::outfile, A::s; -A::try = A::try + 1; -if (8 == A::try) -{ -print A::outfile, done; -close(A::outfile); -Input::remove(input); -terminate(); -} - -}, error_ev=, config={ - -}] +tail -f ../input.log |, Input::READER_RAW, Input::STREAM, input Input::EVENT_NEW -[source=tail -f ../input.log |, reader=Input::READER_RAW, mode=Input::STREAM, name=input, fields=, want_record=F, ev=line -{ -print A::outfile, A::description; -print A::outfile, A::tpe; -print A::outfile, A::s; -A::try = A::try + 1; -if (8 == A::try) -{ -print A::outfile, done; -close(A::outfile); -Input::remove(input); -terminate(); -} - -}, error_ev=, config={ - -}] +tail -f ../input.log |, Input::READER_RAW, Input::STREAM, input Input::EVENT_NEW dfsdf -[source=tail -f ../input.log |, reader=Input::READER_RAW, mode=Input::STREAM, name=input, fields=, want_record=F, ev=line -{ -print A::outfile, A::description; -print A::outfile, A::tpe; -print A::outfile, A::s; -A::try = A::try + 1; -if (8 == A::try) -{ -print A::outfile, done; -close(A::outfile); -Input::remove(input); -terminate(); -} - -}, error_ev=, config={ - -}] +tail -f ../input.log |, Input::READER_RAW, Input::STREAM, input Input::EVENT_NEW sdf -[source=tail -f ../input.log |, reader=Input::READER_RAW, mode=Input::STREAM, name=input, fields=, want_record=F, ev=line -{ -print A::outfile, A::description; -print A::outfile, A::tpe; -print A::outfile, A::s; -A::try = A::try + 1; -if (8 == A::try) -{ -print A::outfile, done; -close(A::outfile); -Input::remove(input); -terminate(); -} - -}, error_ev=, config={ - -}] +tail -f ../input.log |, Input::READER_RAW, Input::STREAM, input Input::EVENT_NEW 3rw43wRRERLlL#RWERERERE. done diff --git a/testing/btest/Baseline/scripts.base.frameworks.input.raw.stderr/out b/testing/btest/Baseline/scripts.base.frameworks.input.raw.stderr/out index b7f857339d..65d0c26ab4 100644 
--- a/testing/btest/Baseline/scripts.base.frameworks.input.raw.stderr/out +++ b/testing/btest/Baseline/scripts.base.frameworks.input.raw.stderr/out @@ -1,27 +1,9 @@ -Input::EVENT_NEW -..: -F -Input::EVENT_NEW -bro -F -Input::EVENT_NEW -out -F -Input::EVENT_NEW -stderr.bro -F -Input::EVENT_NEW -stderr output contained nonexistant -T -Input::EVENT_NEW -stderr output contained nonexistant -T -Input::EVENT_NEW -stderr output contained nonexistant -T -done -End of Data event -input -Process finished event -input -Exit code != 0 +Input::EVENT_NEW line output (stderr=F): ../mydir: +Input::EVENT_NEW line output (stderr=F): a +Input::EVENT_NEW line output (stderr=F): b +Input::EVENT_NEW line output (stderr=F): c +Input::EVENT_NEW line output (stderr=T): +Input::EVENT_NEW line output (stderr=T): +Input::EVENT_NEW line output (stderr=T): +End of Data event, input +Process finished event, input, T diff --git a/testing/btest/Baseline/scripts.base.frameworks.input.raw.streamraw/out b/testing/btest/Baseline/scripts.base.frameworks.input.raw.streamraw/out index a2082f154b..16822c34a4 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.input.raw.streamraw/out +++ b/testing/btest/Baseline/scripts.base.frameworks.input.raw.streamraw/out 
@@ -1,153 +1,25 @@ -[source=../input.log, reader=Input::READER_RAW, mode=Input::STREAM, name=input, fields=, want_record=F, ev=line -{ -print A::outfile, A::description; -print A::outfile, A::tpe; -print A::outfile, A::s; -A::try = A::try + 1; -if (8 == A::try) -{ -print A::outfile, done; -close(A::outfile); -Input::remove(input); -terminate(); -} - -}, error_ev=, config={ - -}] +../input.log, Input::READER_RAW, Input::STREAM, input Input::EVENT_NEW sdfkh:KH;fdkncv;ISEUp34:Fkdj;YVpIODhfDF -[source=../input.log, reader=Input::READER_RAW, mode=Input::STREAM, name=input, fields=, want_record=F, ev=line -{ -print A::outfile, A::description; -print A::outfile, A::tpe; -print A::outfile, A::s; -A::try = A::try + 1; -if (8 == A::try) -{ -print A::outfile, done; -close(A::outfile); -Input::remove(input); -terminate(); -} - -}, error_ev=, config={ - -}] +../input.log, Input::READER_RAW, Input::STREAM, input Input::EVENT_NEW DSF"DFKJ"SDFKLh304yrsdkfj@#(*U$34jfDJup3UF -[source=../input.log, reader=Input::READER_RAW, mode=Input::STREAM, name=input, fields=, want_record=F, ev=line -{ -print A::outfile, A::description; -print A::outfile, A::tpe; -print A::outfile, A::s; -A::try = A::try + 1; -if (8 == A::try) -{ -print A::outfile, done; -close(A::outfile); -Input::remove(input); -terminate(); -} - -}, error_ev=, config={ - -}] +../input.log, Input::READER_RAW, Input::STREAM, input Input::EVENT_NEW q3r3057fdf -[source=../input.log, reader=Input::READER_RAW, mode=Input::STREAM, name=input, fields=, want_record=F, ev=line -{ -print A::outfile, A::description; -print A::outfile, A::tpe; -print A::outfile, A::s; -A::try = A::try + 1; -if (8 == A::try) -{ -print A::outfile, done; -close(A::outfile); -Input::remove(input); -terminate(); -} - -}, error_ev=, config={ - -}] +../input.log, Input::READER_RAW, Input::STREAM, input Input::EVENT_NEW sdfs\d -[source=../input.log, reader=Input::READER_RAW, mode=Input::STREAM, name=input, fields=, want_record=F, ev=line -{ -print A::outfile, 
A::description; -print A::outfile, A::tpe; -print A::outfile, A::s; -A::try = A::try + 1; -if (8 == A::try) -{ -print A::outfile, done; -close(A::outfile); -Input::remove(input); -terminate(); -} - -}, error_ev=, config={ - -}] +../input.log, Input::READER_RAW, Input::STREAM, input Input::EVENT_NEW -[source=../input.log, reader=Input::READER_RAW, mode=Input::STREAM, name=input, fields=, want_record=F, ev=line -{ -print A::outfile, A::description; -print A::outfile, A::tpe; -print A::outfile, A::s; -A::try = A::try + 1; -if (8 == A::try) -{ -print A::outfile, done; -close(A::outfile); -Input::remove(input); -terminate(); -} - -}, error_ev=, config={ - -}] +../input.log, Input::READER_RAW, Input::STREAM, input Input::EVENT_NEW dfsdf -[source=../input.log, reader=Input::READER_RAW, mode=Input::STREAM, name=input, fields=, want_record=F, ev=line -{ -print A::outfile, A::description; -print A::outfile, A::tpe; -print A::outfile, A::s; -A::try = A::try + 1; -if (8 == A::try) -{ -print A::outfile, done; -close(A::outfile); -Input::remove(input); -terminate(); -} - -}, error_ev=, config={ - -}] +../input.log, Input::READER_RAW, Input::STREAM, input Input::EVENT_NEW sdf -[source=../input.log, reader=Input::READER_RAW, mode=Input::STREAM, name=input, fields=, want_record=F, ev=line -{ -print A::outfile, A::description; -print A::outfile, A::tpe; -print A::outfile, A::s; -A::try = A::try + 1; -if (8 == A::try) -{ -print A::outfile, done; -close(A::outfile); -Input::remove(input); -terminate(); -} - -}, error_ev=, config={ - -}] +../input.log, Input::READER_RAW, Input::STREAM, input Input::EVENT_NEW 3rw43wRRERLlL#RWERERERE. done diff --git a/testing/btest/Baseline/scripts.base.frameworks.intel.cluster-transparency-with-proxy/manager-1..stdout b/testing/btest/Baseline/scripts.base.frameworks.intel.cluster-transparency-with-proxy/manager-1..stdout new file mode 100644 index 0000000000..3bc1269931 --- /dev/null 
+++ b/testing/btest/Baseline/scripts.base.frameworks.intel.cluster-transparency-with-proxy/manager-1..stdout @@ -0,0 +1,5 @@ +new_item triggered for 1.2.3.4 by manager on manager-1 +insert_item: 4.3.2.1 inserted by worker-2 +new_item triggered for 4.3.2.1 by worker-2 on manager-1 +insert_item: 123.123.123.123 inserted by worker-1 +new_item triggered for 123.123.123.123 by worker-1 on manager-1 diff --git a/testing/btest/Baseline/scripts.base.frameworks.intel.cluster-transparency-with-proxy/manager-1.intel.log b/testing/btest/Baseline/scripts.base.frameworks.intel.cluster-transparency-with-proxy/manager-1.intel.log new file mode 100644 index 0000000000..8ec5dbe3cd --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.intel.cluster-transparency-with-proxy/manager-1.intel.log @@ -0,0 +1,10 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path intel +#open 2018-02-27-17-03-26 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p seen.indicator seen.indicator_type seen.where seen.node matched sources fuid file_mime_type file_desc +#types time string addr port addr port string enum enum string set[enum] set[string] string string string +1519751006.478387 - - - - - 123.123.123.123 Intel::ADDR Intel::IN_ANYWHERE worker-2 Intel::ADDR worker-1 - - - +#close 2018-02-27-17-03-26 diff --git a/testing/btest/Baseline/scripts.base.frameworks.intel.cluster-transparency-with-proxy/worker-1..stdout b/testing/btest/Baseline/scripts.base.frameworks.intel.cluster-transparency-with-proxy/worker-1..stdout new file mode 100644 index 0000000000..a6288340f5 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.intel.cluster-transparency-with-proxy/worker-1..stdout @@ -0,0 +1,4 @@ +new_indicator: 1.2.3.4 inserted by manager +new_indicator: 4.3.2.1 inserted by worker-2 +new_item triggered for 123.123.123.123 by worker-1 on worker-1 +new_indicator: 123.123.123.123 inserted by worker-1 
diff --git a/testing/btest/Baseline/scripts.base.frameworks.intel.cluster-transparency-with-proxy/worker-2..stdout b/testing/btest/Baseline/scripts.base.frameworks.intel.cluster-transparency-with-proxy/worker-2..stdout new file mode 100644 index 0000000000..b0c71cfb6a --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.intel.cluster-transparency-with-proxy/worker-2..stdout @@ -0,0 +1,5 @@ +new_indicator: 1.2.3.4 inserted by manager +new_item triggered for 4.3.2.1 by worker-2 on worker-2 +new_indicator: 4.3.2.1 inserted by worker-2 +new_indicator: 123.123.123.123 inserted by worker-1 +Doing a lookup diff --git a/testing/btest/Baseline/scripts.base.frameworks.intel.cluster-transparency/manager-1..stdout b/testing/btest/Baseline/scripts.base.frameworks.intel.cluster-transparency/manager-1..stdout index c57cda176e..3bc1269931 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.intel.cluster-transparency/manager-1..stdout +++ b/testing/btest/Baseline/scripts.base.frameworks.intel.cluster-transparency/manager-1..stdout @@ -1,2 +1,5 @@ -cluster_new_item: 123.123.123.123 inserted by worker-1 (from peer: worker-1) -cluster_new_item: 4.3.2.1 inserted by worker-2 (from peer: worker-2) +new_item triggered for 1.2.3.4 by manager on manager-1 +insert_item: 4.3.2.1 inserted by worker-2 +new_item triggered for 4.3.2.1 by worker-2 on manager-1 +insert_item: 123.123.123.123 inserted by worker-1 +new_item triggered for 123.123.123.123 by worker-1 on manager-1 diff --git a/testing/btest/Baseline/scripts.base.frameworks.intel.cluster-transparency/manager-1.intel.log b/testing/btest/Baseline/scripts.base.frameworks.intel.cluster-transparency/manager-1.intel.log index 48df37a6ec..8ec5dbe3cd 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.intel.cluster-transparency/manager-1.intel.log +++ b/testing/btest/Baseline/scripts.base.frameworks.intel.cluster-transparency/manager-1.intel.log 
@@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path intel -#open 2016-06-15-19-11-27 +#open 2018-02-27-17-03-26 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p seen.indicator seen.indicator_type seen.where seen.node matched sources fuid file_mime_type file_desc #types time string addr port addr port string enum enum string set[enum] set[string] string string string -1466017887.060652 - - - - - 123.123.123.123 Intel::ADDR Intel::IN_ANYWHERE worker-2 Intel::ADDR worker-1 - - - -#close 2016-06-15-19-11-36 +1519751006.478387 - - - - - 123.123.123.123 Intel::ADDR Intel::IN_ANYWHERE worker-2 Intel::ADDR worker-1 - - - +#close 2018-02-27-17-03-26 diff --git a/testing/btest/Baseline/scripts.base.frameworks.intel.cluster-transparency/worker-1..stdout b/testing/btest/Baseline/scripts.base.frameworks.intel.cluster-transparency/worker-1..stdout index 3be0ae6f70..a6288340f5 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.intel.cluster-transparency/worker-1..stdout +++ b/testing/btest/Baseline/scripts.base.frameworks.intel.cluster-transparency/worker-1..stdout @@ -1,3 +1,4 @@ -cluster_new_item: 1.2.3.4 inserted by manager (from peer: manager-1) -cluster_new_item: 123.123.123.123 inserted by worker-1 (from peer: manager-1) -cluster_new_item: 4.3.2.1 inserted by worker-2 (from peer: manager-1) +new_indicator: 1.2.3.4 inserted by manager +new_indicator: 4.3.2.1 inserted by worker-2 +new_item triggered for 123.123.123.123 by worker-1 on worker-1 +new_indicator: 123.123.123.123 inserted by worker-1 diff --git a/testing/btest/Baseline/scripts.base.frameworks.intel.cluster-transparency/worker-2..stdout b/testing/btest/Baseline/scripts.base.frameworks.intel.cluster-transparency/worker-2..stdout index df950e68c4..b0c71cfb6a 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.intel.cluster-transparency/worker-2..stdout +++ b/testing/btest/Baseline/scripts.base.frameworks.intel.cluster-transparency/worker-2..stdout 
@@ -1,4 +1,5 @@ -cluster_new_item: 1.2.3.4 inserted by manager (from peer: manager-1) -cluster_new_item: 123.123.123.123 inserted by worker-1 (from peer: manager-1) -cluster_new_item: 4.3.2.1 inserted by worker-2 (from peer: manager-1) +new_indicator: 1.2.3.4 inserted by manager +new_item triggered for 4.3.2.1 by worker-2 on worker-2 +new_indicator: 4.3.2.1 inserted by worker-2 +new_indicator: 123.123.123.123 inserted by worker-1 Doing a lookup diff --git a/testing/btest/Baseline/scripts.base.frameworks.intel.expire-item/output b/testing/btest/Baseline/scripts.base.frameworks.intel.expire-item/output index dfa922f88f..78422499cf 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.intel.expire-item/output +++ b/testing/btest/Baseline/scripts.base.frameworks.intel.expire-item/output 
@@ -3,20 +3,32 @@ #empty_field (empty) #unset_field - #path intel -#open 2016-06-15-19-11-06 +#open 2018-04-27-23-53-04 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p seen.indicator seen.indicator_type seen.where seen.node matched sources fuid file_mime_type file_desc #types time string addr port addr port string enum enum string set[enum] set[string] string string string -1466017866.348490 - - - - - 1.2.3.4 Intel::ADDR SOMEWHERE bro Intel::ADDR source1 - - - -1466017867.349583 - - - - - 1.2.3.4 Intel::ADDR SOMEWHERE bro Intel::ADDR source1 - - - -1466017868.349656 - - - - - 1.2.3.4 Intel::ADDR SOMEWHERE bro Intel::ADDR source1 - - - -#close 2016-06-15-19-11-12 +1524873184.861542 - - - - - 1.2.3.4 Intel::ADDR SOMEWHERE bro Intel::ADDR source1 - - - +1524873187.913197 - - - - - 1.2.3.4 Intel::ADDR SOMEWHERE bro Intel::ADDR source1 - - - +1524873190.976201 - - - - - 1.2.3.4 Intel::ADDR SOMEWHERE bro Intel::ADDR source1,source2 - - - +1524873194.052686 - - - - - 1.2.3.4 Intel::ADDR SOMEWHERE bro Intel::ADDR source1,source2 - - - +1524873197.128942 - - - - - 1.2.3.4 Intel::ADDR SOMEWHERE bro Intel::ADDR source1,source2 - - - +#close 2018-04-27-23-53-20 +-- Run 1 -- Trigger: 1.2.3.4 Seen: 1.2.3.4 +-- Run 2 -- +Trigger: 1.2.3.4 +Reinsert: 1.2.3.4 +Seen: 1.2.3.4 +-- Run 3 -- Trigger: 1.2.3.4 Seen: 1.2.3.4 +Expired: 192.168.0.0/16 +-- Run 4 -- +Trigger: 1.2.3.4 +Seen: 1.2.3.4 +-- Run 5 -- Trigger: 1.2.3.4 Seen: 1.2.3.4 Expired: 1.2.3.4 -Trigger: 1.2.3.4 -Trigger: 1.2.3.4 +-- Run 6 -- Trigger: 1.2.3.4 diff --git a/testing/btest/Baseline/scripts.base.frameworks.intel.remove-non-existing/output b/testing/btest/Baseline/scripts.base.frameworks.intel.remove-non-existing/output index 9cb4a7c9ff..03dcf582e9 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.intel.remove-non-existing/output +++ b/testing/btest/Baseline/scripts.base.frameworks.intel.remove-non-existing/output 
@@ -3,9 +3,9 @@ #empty_field (empty) #unset_field - #path reporter -#open 2016-09-20-22-35-58 +#open 2018-02-27-17-25-30 #fields ts level message location #types time enum string string -0.000000 Reporter::INFO Tried to remove non-existing item '192.168.1.1' (Intel::ADDR). /home/jgras/devel/bro/scripts/base/frameworks/intel/./main.bro, lines 507-508 +0.000000 Reporter::INFO Tried to remove non-existing item '192.168.1.1' (Intel::ADDR). /home/jgras/devel/bro/scripts/base/frameworks/intel/./main.bro, lines 547-548 0.000000 Reporter::INFO received termination signal (empty) -#close 2016-09-20-22-35-59 +#close 2018-02-27-17-25-30 diff --git a/testing/btest/Baseline/scripts.base.frameworks.intel.updated-match/output b/testing/btest/Baseline/scripts.base.frameworks.intel.updated-match/output index 5249bb3110..c6f6e14fdd 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.intel.updated-match/output +++ b/testing/btest/Baseline/scripts.base.frameworks.intel.updated-match/output 
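Review bot: The updated reporter line in the `intel.remove-non-existing` baseline still pins an absolute path from one developer's checkout (`/home/jgras/devel/bro/scripts/base/frameworks/intel/./main.bro`) together with the source line range, which this change had to bump from `lines 507-508` to `lines 547-548`. Any later edit to `main.bro` will therefore need another baseline update, and the home-directory path is published in the repository. If the test does not already pass its output through a diff canonifier (the test script is not visible in this hunk), consider normalising the location field before comparison. The expected line would then read something like `... (Intel::ADDR). main.bro, lines XXX-XXX` (constructed example).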
@@ -3,23 +3,23 @@ #empty_field (empty) #unset_field - #path intel -#open 2016-08-05-13-14-12 +#open 2017-12-21-02-28-27 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p seen.indicator seen.indicator_type seen.where seen.node matched sources fuid file_mime_type file_desc #types time string addr port addr port string enum enum string set[enum] set[string] string string string -1470402852.531769 - - - - - 1.2.3.4 Intel::ADDR SOMEWHERE bro Intel::ADDR source1 - - - -1470402855.546089 - - - - - 1.2.3.4 Intel::ADDR SOMEWHERE bro Intel::ADDR source1,source2 - - - -1470402855.546089 - - - - - 4.3.2.1 Intel::ADDR SOMEWHERE bro Intel::ADDR source2 - - - -1470402858.547977 - - - - - 1.2.3.4 Intel::ADDR SOMEWHERE bro Intel::ADDR source1,source2 - - - -1470402858.547977 - - - - - 4.3.2.1 Intel::ADDR SOMEWHERE bro Intel::ADDR source2 - - - -#close 2016-08-05-13-14-18 +1513823307.655824 - - - - - 1.2.3.4 Intel::ADDR SOMEWHERE bro Intel::ADDR source1 - - - +1513823310.680693 - - - - - 1.2.3.4 Intel::ADDR SOMEWHERE bro Intel::ADDR source1,source2 - - - +1513823310.680693 - - - - - 4.3.2.1 Intel::ADDR SOMEWHERE bro Intel::ADDR source2 - - - +1513823313.736551 - - - - - 1.2.3.4 Intel::ADDR SOMEWHERE bro Intel::ADDR source1,source2 - - - +1513823313.736551 - - - - - 4.3.2.1 Intel::ADDR SOMEWHERE bro Intel::ADDR source2 - - - +#close 2017-12-21-02-28-33 #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path notice -#open 2016-08-05-13-14-18 +#open 2017-12-21-02-28-33 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude #types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] interval bool string string string double double -1470402858.547977 - - - - - - - - - Intel::Notice 
Intel hit on 1.2.3.4 at SOMEWHERE 1.2.3.4 - - - - bro Notice::ACTION_LOG 3600.000000 F - - - - - -1470402858.547977 - - - - - - - - - Intel::Notice Intel hit on 4.3.2.1 at SOMEWHERE 4.3.2.1 - - - - bro Notice::ACTION_LOG 3600.000000 F - - - - - -#close 2016-08-05-13-14-18 +1513823313.736551 - - - - - - - - - Intel::Notice Intel hit on 1.2.3.4 at SOMEWHERE 1.2.3.4 - - - - - Notice::ACTION_LOG 3600.000000 F - - - - - +1513823313.736551 - - - - - - - - - Intel::Notice Intel hit on 4.3.2.1 at SOMEWHERE 4.3.2.1 - - - - - Notice::ACTION_LOG 3600.000000 F - - - - - +#close 2017-12-21-02-28-33 diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-double/json.log b/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-double/json.log new file mode 100644 index 0000000000..49b3c5d172 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-double/json.log @@ -0,0 +1,22 @@ +{"d":2.153226e+09} +{"d":2.153226e+09} +{"d":2.153226e+09} +{"d":1.0} +{"d":1.1} +{"d":1.123457} +{"d":-1.123457} +{"d":1.1234} +{"d":0.1234} +{"d":50000.0} +{"d":-50000.0} +{"d":3.140000e+15} +{"d":-3.140000e+15} +{"d":1.790000e+308} +{"d":-1.790000e+308} +{"d":0.000012} +{"d":0} +{"d":-0} +{"d":inf} +{"d":-inf} +{"d":0.0} +{"d":nan} diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-double/test.log b/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-double/test.log index 7fb6492f1b..9d5dd6ecf0 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-double/test.log +++ b/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-double/test.log @@ -3,7 +3,7 @@ #empty_field (empty) #unset_field - #path test -#open 2016-05-23-22-44-54 +#open 2017-11-06-19-58-08 #fields d #types double 2153226000.0 
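Review bot: The new `ascii-double/json.log` baseline pins `{"d":inf}`, `{"d":-inf}` and `{"d":nan}` as expected output, and these bare tokens are not valid JSON numbers. A strict parser in a log-ingestion pipeline will reject those records, which can silently drop events from downstream detection. The writer code is outside this hunk, so the following is a suggestion for there: emit a representable value for non-finite doubles, for example `{"d":null}` or a quoted string such as `{"d":"inf"}`, and update this baseline to match. The baseline also mixes `{"d":0}` and `{"d":0.0}` for zero values; it would help to add a comment in the test explaining which inputs produce each form.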
@@ -12,6 +12,20 @@ 1.0 1.1 1.123457 +-1.123457 1.1234 +0.1234 +50000.0 +-50000.0 3140000000000000.0 -#close 2016-05-23-22-44-54 +-3140000000000000.0 +178999999999999996376899522972626047077637637819240219954027593177370961667659291027329061638406108931437333529420935752785895444161234074984843178962619172326295244262722141766382622299223626438470088150218987997954747866198184686628013966119769261150988554952970462018533787926725176560021258785656871583744.0 +-178999999999999996376899522972626047077637637819240219954027593177370961667659291027329061638406108931437333529420935752785895444161234074984843178962619172326295244262722141766382622299223626438470088150218987997954747866198184686628013966119769261150988554952970462018533787926725176560021258785656871583744.0 +0.000012 +0 +-0 +inf +-inf +0.0 +nan +#close 2017-11-06-19-58-08 diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-gz/ssh-uncompressed.log b/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-gz/ssh-uncompressed.log new file mode 100644 index 0000000000..c6979d60b9 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-gz/ssh-uncompressed.log @@ -0,0 +1,10 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path ssh-uncompressed +#open 2017-04-18-16-16-16 +#fields b i e c p sn a d t iv s sc ss se vc ve f +#types bool int enum count port subnet addr double time interval string set[count] set[string] set[string] vector[count] vector[string] func +T -42 SSH::LOG 21 123 10.0.0.0/24 1.2.3.4 3.14 1215620010.543210 100.000000 hurz 2,4,1,3 BB,AA,CC (empty) 10,20,30 (empty) SSH::foo\x0a{ \x0aif (0 < SSH::i) \x0a\x09return (Foo);\x0aelse\x0a\x09return (Bar);\x0a\x0a} +#close 2017-04-18-16-16-16 diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-gz/ssh.log b/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-gz/ssh.log new file mode 100644 index 0000000000..22bac43cef --- /dev/null 
+++ b/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-gz/ssh.log @@ -0,0 +1,10 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path ssh +#open 2017-04-18-16-15-17 +#fields b i e c p sn a d t iv s sc ss se vc ve f +#types bool int enum count port subnet addr double time interval string set[count] set[string] set[string] vector[count] vector[string] func +T -42 SSH::LOG 21 123 10.0.0.0/24 1.2.3.4 3.14 1215620010.543210 100.000000 hurz 2,4,1,3 BB,AA,CC (empty) 10,20,30 (empty) SSH::foo\x0a{ \x0aif (0 < SSH::i) \x0a\x09return (Foo);\x0aelse\x0a\x09return (Bar);\x0a\x0a} +#close 2017-04-18-16-15-17 diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.enable-stream/ssh.log b/testing/btest/Baseline/scripts.base.frameworks.logging.enable-stream/ssh.log new file mode 100644 index 0000000000..6ae0bfd050 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.logging.enable-stream/ssh.log @@ -0,0 +1,10 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path ssh +#open 2018-01-09-22-31-37 +#fields t id.orig_h id.orig_p id.resp_h id.resp_p status country +#types time addr port addr port string string +1515537097.372589 1.2.3.4 1234 2.3.4.5 80 failure MX +#close 2018-01-09-22-31-37 diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.field-extension-cluster-error/manager-1.reporter.log b/testing/btest/Baseline/scripts.base.frameworks.logging.field-extension-cluster-error/manager-1.reporter.log deleted file mode 100644 index b7d8c111cf..0000000000 --- a/testing/btest/Baseline/scripts.base.frameworks.logging.field-extension-cluster-error/manager-1.reporter.log +++ /dev/null 
@@ -1,13 +0,0 @@ -#separator \x09 -#set_separator , -#empty_field (empty) -#unset_field - -#path reporter -#open 2016-09-22-23-31-34 -#fields _write_ts _stream _system_name ts level message location -#types time string string time enum string string -1474587094.261799 reporter manager-1 0.000000 Reporter::WARNING WriterFrontend communication/Log::WRITER_ASCII expected 11 fields in write, got 8. Skipping line. (empty) -1474587094.261799 reporter manager-1 0.000000 Reporter::WARNING WriterFrontend communication/Log::WRITER_ASCII expected 11 fields in write, got 8. Skipping line. (empty) -1474587094.261799 reporter manager-1 0.000000 Reporter::WARNING WriterFrontend communication/Log::WRITER_ASCII expected 11 fields in write, got 8. Skipping line. (empty) -1474587099.984660 reporter manager-1 0.000000 Reporter::INFO received termination signal (empty) -#close 2016-09-22-23-31-40 diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.field-extension-cluster-error/manager-reporter.log b/testing/btest/Baseline/scripts.base.frameworks.logging.field-extension-cluster-error/manager-reporter.log new file mode 100644 index 0000000000..7b8743734c --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.logging.field-extension-cluster-error/manager-reporter.log @@ -0,0 +1,12 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path reporter +#open 2018-04-27-22-48-04 +#fields _write_ts _stream _system_name ts level message location +#types time string string time enum string string +1524869284.624934 reporter manager-1 0.000000 Reporter::WARNING WriterFrontend broker/Log::WRITER_ASCII expected 9 fields in write, got 6. Skipping line. (empty) +1524869284.679015 reporter manager-1 0.000000 Reporter::WARNING WriterFrontend cluster/Log::WRITER_ASCII expected 6 fields in write, got 3. Skipping line. (empty) +1524869299.534389 reporter manager-1 0.000000 Reporter::INFO received termination signal (empty) +#close 2018-04-27-22-48-19 
diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.field-extension-complex/conn.log b/testing/btest/Baseline/scripts.base.frameworks.logging.field-extension-complex/conn.log index 96922ff529..1919c5f9d1 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.logging.field-extension-complex/conn.log +++ b/testing/btest/Baseline/scripts.base.frameworks.logging.field-extension-complex/conn.log 
@@ -6,38 +6,38 @@ #open 2016-08-10-20-36-59 #fields _write_ts _stream _innerLogged.a _innerLogged.c _innerLogged.d _system_name ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents #types time string count count set[count] string time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] -1300475173.475401 conn 1 3 2,4,1,3 - 1300475169.780331 C3eiCBGOLw3VtHfOj 173.192.163.128 80 141.142.220.235 6705 tcp - - - - OTH - - 0 H 1 48 0 0 (empty) -1300475173.475401 conn 1 3 2,4,1,3 - 1300475168.892913 CmES5u32sYpV7JYN 141.142.220.118 49999 208.80.152.3 80 tcp - 0.220961 1137 733 S1 - - 0 ShADad 6 1457 4 949 (empty) -1300475173.475401 conn 1 3 2,4,1,3 - 1300475168.724007 CHhAvVGS1DHFjwGM9 141.142.220.118 48649 208.80.152.118 80 tcp - 0.119905 525 232 S1 - - 0 ShADad 4 741 3 396 (empty) -1300475173.475401 conn 1 3 2,4,1,3 - 1300475168.855330 ClEkJM2Vm5giqnMf4h 141.142.220.118 49997 208.80.152.3 80 tcp - 0.219720 1125 734 S1 - - 0 ShADad 6 1445 4 950 (empty) -1300475173.475401 conn 1 3 2,4,1,3 - 1300475168.855305 C4J4Th3PJpwUYZZ6gc 141.142.220.118 49996 208.80.152.3 80 tcp - 0.218501 1171 733 S1 - - 0 ShADad 6 1491 4 949 (empty) -1300475173.475401 conn 1 3 2,4,1,3 - 1300475168.652003 CwjjYJ2WqgTbAqiHl6 141.142.220.118 35634 208.80.152.2 80 tcp - 0.061329 463 350 OTH - - 0 DdA 2 567 1 402 (empty) -1300475173.475401 conn 1 3 2,4,1,3 - 1300475168.902635 C37jN32gN3y3AZzyf6 141.142.220.118 35642 208.80.152.2 80 tcp - 0.120041 534 412 S1 - - 0 ShADad 4 750 3 576 (empty) -1300475173.475401 conn 1 3 2,4,1,3 - 1300475168.859163 CtPZjS20MLrsMUOJi2 141.142.220.118 49998 208.80.152.3 80 tcp - 0.215893 1130 734 S1 - - 0 ShADad 6 1450 4 950 (empty) -1300475173.475401 conn 1 3 2,4,1,3 - 1300475168.892936 CUM0KZ3MLUfNB0cl11 141.142.220.118 50000 208.80.152.3 80 tcp - 
0.229603 1148 734 S1 - - 0 ShADad 6 1468 4 950 (empty) -1300475173.475401 conn 1 3 2,4,1,3 - 1300475168.895267 CP5puj4I8PtEU4qzYg 141.142.220.118 50001 208.80.152.3 80 tcp - 0.227284 1178 734 S1 - - 0 ShADad 6 1498 4 950 (empty) -1300475173.475401 conn 1 3 2,4,1,3 - 1300475168.853899 C0LAHyvtKSQHyJxIl 141.142.220.118 43927 141.142.2.2 53 udp - 0.000435 38 89 SF - - 0 Dd 1 66 1 117 (empty) -1300475173.475401 conn 1 3 2,4,1,3 - 1300475168.901749 CFLRIC3zaTU1loLGxh 141.142.220.118 56056 141.142.2.2 53 udp - 0.000402 36 131 SF - - 0 Dd 1 64 1 159 (empty) -1300475173.475401 conn 1 3 2,4,1,3 - 1300475168.902195 C9rXSW3KSpTYvPrlI1 141.142.220.118 55092 141.142.2.2 53 udp - 0.000374 36 198 SF - - 0 Dd 1 64 1 226 (empty) -1300475173.475401 conn 1 3 2,4,1,3 - 1300475168.858713 Ck51lg1bScffFj34Ri 141.142.220.118 59714 141.142.2.2 53 udp - 0.000375 38 183 SF - - 0 Dd 1 66 1 211 (empty) -1300475173.475401 conn 1 3 2,4,1,3 - 1300475167.099816 C9mvWx3ezztgzcexV7 141.142.220.50 5353 224.0.0.251 5353 udp - - - - S0 - - 0 D 1 179 0 0 (empty) -1300475173.475401 conn 1 3 2,4,1,3 - 1300475168.854837 CNnMIj2QSd84NKf7U3 141.142.220.118 40526 141.142.2.2 53 udp - 0.000392 38 183 SF - - 0 Dd 1 66 1 211 (empty) -1300475173.475401 conn 1 3 2,4,1,3 - 1300475168.894787 C7fIlMZDuRiqjpYbb 141.142.220.118 48128 141.142.2.2 53 udp - 0.000423 38 183 SF - - 0 Dd 1 66 1 211 (empty) -1300475173.475401 conn 1 3 2,4,1,3 - 1300475168.894422 CykQaM33ztNt0csB9a 141.142.220.118 48479 141.142.2.2 53 udp - 0.000317 52 99 SF - - 0 Dd 1 80 1 127 (empty) -1300475173.475401 conn 1 3 2,4,1,3 - 1300475169.899438 CtxTCR2Yer0FR1tIBg 141.142.220.44 5353 224.0.0.251 5353 udp - - - - S0 - - 0 D 1 85 0 0 (empty) -1300475173.475401 conn 1 3 2,4,1,3 - 1300475170.862384 CpmdRlaUoJLN3uIRa 141.142.220.226 137 141.142.220.255 137 udp - 2.613017 350 0 S0 - - 0 D 7 546 0 0 (empty) -1300475173.475401 conn 1 3 2,4,1,3 - 1300475168.892414 C1Xkzz2MaGtLrc1Tla 141.142.220.118 59746 141.142.2.2 53 udp - 0.000421 38 183 SF - - 0 Dd 1 66 
1 211 (empty) -1300475173.475401 conn 1 3 2,4,1,3 - 1300475168.858306 CqlVyW1YwZ15RhTBc4 141.142.220.118 59816 141.142.2.2 53 udp - 0.000343 52 99 SF - - 0 Dd 1 80 1 127 (empty) -1300475173.475401 conn 1 3 2,4,1,3 - 1300475167.097012 CLNN1k2QMum1aexUK7 fe80::217:f2ff:fed7:cf65 5353 ff02::fb 5353 udp - - - - S0 - - 0 D 1 199 0 0 (empty) -1300475173.475401 conn 1 3 2,4,1,3 - 1300475173.117362 CBA8792iHmnhPLksKa 141.142.220.226 55671 224.0.0.252 5355 udp - 0.099849 66 0 S0 - - 0 D 2 122 0 0 (empty) -1300475173.475401 conn 1 3 2,4,1,3 - 1300475173.153679 CGLPPc35OzDQij1XX8 141.142.220.238 56641 141.142.220.255 137 udp - - - - S0 - - 0 D 1 78 0 0 (empty) -1300475173.475401 conn 1 3 2,4,1,3 - 1300475168.892037 CiyBAq1bBLNaTiTAc 141.142.220.118 38911 141.142.2.2 53 udp - 0.000335 52 99 SF - - 0 Dd 1 80 1 127 (empty) -1300475173.475401 conn 1 3 2,4,1,3 - 1300475171.675372 CFSwNi4CNGxcuffo49 fe80::3074:17d5:2052:c324 65373 ff02::1:3 5355 udp - 0.100096 66 0 S0 - - 0 D 2 162 0 0 (empty) -1300475173.475401 conn 1 3 2,4,1,3 - 1300475167.096535 Cipfzj1BEnhejw8cGf 141.142.220.202 5353 224.0.0.251 5353 udp - - - - S0 - - 0 D 1 73 0 0 (empty) -1300475173.475401 conn 1 3 2,4,1,3 - 1300475168.854378 CV5WJ42jPYbNW9JNWf 141.142.220.118 37676 141.142.2.2 53 udp - 0.000420 52 99 SF - - 0 Dd 1 80 1 127 (empty) -1300475173.475401 conn 1 3 2,4,1,3 - 1300475171.677081 CPhDKt12KQPUVbQz06 141.142.220.226 55131 224.0.0.252 5355 udp - 0.100021 66 0 S0 - - 0 D 2 122 0 0 (empty) -1300475173.475401 conn 1 3 2,4,1,3 - 1300475173.116749 CAnFrb2Cvxr5T7quOc fe80::3074:17d5:2052:c324 54213 ff02::1:3 5355 udp - 0.099801 66 0 S0 - - 0 D 2 162 0 0 (empty) -1300475173.475401 conn 1 3 2,4,1,3 - 1300475168.893988 C8rquZ3DjgNW06JGLl 141.142.220.118 45000 141.142.2.2 53 udp - 0.000384 38 89 SF - - 0 Dd 1 66 1 117 (empty) -1300475173.475401 conn 1 3 2,4,1,3 - 1300475168.857956 CzrZOtXqhwwndQva3 141.142.220.118 32902 141.142.2.2 53 udp - 0.000317 38 89 SF - - 0 Dd 1 66 1 117 (empty) -1300475173.475401 conn 1 3 
2,4,1,3 - 1300475168.891644 CaGCc13FffXe6RkQl9 141.142.220.118 58206 141.142.2.2 53 udp - 0.000339 38 89 SF - - 0 Dd 1 66 1 117 (empty) +1300475173.475401 conn 1 3 2,4,1,3 - 1300475169.780331 C3eiCBGOLw3VtHfOj 173.192.163.128 80 141.142.220.235 6705 tcp - - - - OTH - - 0 H 1 48 0 0 - +1300475173.475401 conn 1 3 2,4,1,3 - 1300475168.892913 CmES5u32sYpV7JYN 141.142.220.118 49999 208.80.152.3 80 tcp - 0.220961 1137 733 S1 - - 0 ShADad 6 1457 4 949 - +1300475173.475401 conn 1 3 2,4,1,3 - 1300475168.724007 CHhAvVGS1DHFjwGM9 141.142.220.118 48649 208.80.152.118 80 tcp - 0.119905 525 232 S1 - - 0 ShADad 4 741 3 396 - +1300475173.475401 conn 1 3 2,4,1,3 - 1300475168.855330 ClEkJM2Vm5giqnMf4h 141.142.220.118 49997 208.80.152.3 80 tcp - 0.219720 1125 734 S1 - - 0 ShADad 6 1445 4 950 - +1300475173.475401 conn 1 3 2,4,1,3 - 1300475168.855305 C4J4Th3PJpwUYZZ6gc 141.142.220.118 49996 208.80.152.3 80 tcp - 0.218501 1171 733 S1 - - 0 ShADad 6 1491 4 949 - +1300475173.475401 conn 1 3 2,4,1,3 - 1300475168.652003 CwjjYJ2WqgTbAqiHl6 141.142.220.118 35634 208.80.152.2 80 tcp - 0.061329 463 350 OTH - - 0 DdA 2 567 1 402 - +1300475173.475401 conn 1 3 2,4,1,3 - 1300475168.902635 C37jN32gN3y3AZzyf6 141.142.220.118 35642 208.80.152.2 80 tcp - 0.120041 534 412 S1 - - 0 ShADad 4 750 3 576 - +1300475173.475401 conn 1 3 2,4,1,3 - 1300475168.859163 CtPZjS20MLrsMUOJi2 141.142.220.118 49998 208.80.152.3 80 tcp - 0.215893 1130 734 S1 - - 0 ShADad 6 1450 4 950 - +1300475173.475401 conn 1 3 2,4,1,3 - 1300475168.892936 CUM0KZ3MLUfNB0cl11 141.142.220.118 50000 208.80.152.3 80 tcp - 0.229603 1148 734 S1 - - 0 ShADad 6 1468 4 950 - +1300475173.475401 conn 1 3 2,4,1,3 - 1300475168.895267 CP5puj4I8PtEU4qzYg 141.142.220.118 50001 208.80.152.3 80 tcp - 0.227284 1178 734 S1 - - 0 ShADad 6 1498 4 950 - +1300475173.475401 conn 1 3 2,4,1,3 - 1300475168.853899 C0LAHyvtKSQHyJxIl 141.142.220.118 43927 141.142.2.2 53 udp - 0.000435 38 89 SF - - 0 Dd 1 66 1 117 - +1300475173.475401 conn 1 3 2,4,1,3 - 
1300475168.901749 CFLRIC3zaTU1loLGxh 141.142.220.118 56056 141.142.2.2 53 udp - 0.000402 36 131 SF - - 0 Dd 1 64 1 159 - +1300475173.475401 conn 1 3 2,4,1,3 - 1300475168.902195 C9rXSW3KSpTYvPrlI1 141.142.220.118 55092 141.142.2.2 53 udp - 0.000374 36 198 SF - - 0 Dd 1 64 1 226 - +1300475173.475401 conn 1 3 2,4,1,3 - 1300475168.858713 Ck51lg1bScffFj34Ri 141.142.220.118 59714 141.142.2.2 53 udp - 0.000375 38 183 SF - - 0 Dd 1 66 1 211 - +1300475173.475401 conn 1 3 2,4,1,3 - 1300475167.099816 C9mvWx3ezztgzcexV7 141.142.220.50 5353 224.0.0.251 5353 udp - - - - S0 - - 0 D 1 179 0 0 - +1300475173.475401 conn 1 3 2,4,1,3 - 1300475168.854837 CNnMIj2QSd84NKf7U3 141.142.220.118 40526 141.142.2.2 53 udp - 0.000392 38 183 SF - - 0 Dd 1 66 1 211 - +1300475173.475401 conn 1 3 2,4,1,3 - 1300475168.894787 C7fIlMZDuRiqjpYbb 141.142.220.118 48128 141.142.2.2 53 udp - 0.000423 38 183 SF - - 0 Dd 1 66 1 211 - +1300475173.475401 conn 1 3 2,4,1,3 - 1300475168.894422 CykQaM33ztNt0csB9a 141.142.220.118 48479 141.142.2.2 53 udp - 0.000317 52 99 SF - - 0 Dd 1 80 1 127 - +1300475173.475401 conn 1 3 2,4,1,3 - 1300475169.899438 CtxTCR2Yer0FR1tIBg 141.142.220.44 5353 224.0.0.251 5353 udp - - - - S0 - - 0 D 1 85 0 0 - +1300475173.475401 conn 1 3 2,4,1,3 - 1300475170.862384 CpmdRlaUoJLN3uIRa 141.142.220.226 137 141.142.220.255 137 udp - 2.613017 350 0 S0 - - 0 D 7 546 0 0 - +1300475173.475401 conn 1 3 2,4,1,3 - 1300475168.892414 C1Xkzz2MaGtLrc1Tla 141.142.220.118 59746 141.142.2.2 53 udp - 0.000421 38 183 SF - - 0 Dd 1 66 1 211 - +1300475173.475401 conn 1 3 2,4,1,3 - 1300475168.858306 CqlVyW1YwZ15RhTBc4 141.142.220.118 59816 141.142.2.2 53 udp - 0.000343 52 99 SF - - 0 Dd 1 80 1 127 - +1300475173.475401 conn 1 3 2,4,1,3 - 1300475167.097012 CLNN1k2QMum1aexUK7 fe80::217:f2ff:fed7:cf65 5353 ff02::fb 5353 udp - - - - S0 - - 0 D 1 199 0 0 - +1300475173.475401 conn 1 3 2,4,1,3 - 1300475173.117362 CBA8792iHmnhPLksKa 141.142.220.226 55671 224.0.0.252 5355 udp - 0.099849 66 0 S0 - - 0 D 2 122 0 0 - 
+1300475173.475401 conn 1 3 2,4,1,3 - 1300475173.153679 CGLPPc35OzDQij1XX8 141.142.220.238 56641 141.142.220.255 137 udp - - - - S0 - - 0 D 1 78 0 0 - +1300475173.475401 conn 1 3 2,4,1,3 - 1300475168.892037 CiyBAq1bBLNaTiTAc 141.142.220.118 38911 141.142.2.2 53 udp - 0.000335 52 99 SF - - 0 Dd 1 80 1 127 - +1300475173.475401 conn 1 3 2,4,1,3 - 1300475171.675372 CFSwNi4CNGxcuffo49 fe80::3074:17d5:2052:c324 65373 ff02::1:3 5355 udp - 0.100096 66 0 S0 - - 0 D 2 162 0 0 - +1300475173.475401 conn 1 3 2,4,1,3 - 1300475167.096535 Cipfzj1BEnhejw8cGf 141.142.220.202 5353 224.0.0.251 5353 udp - - - - S0 - - 0 D 1 73 0 0 - +1300475173.475401 conn 1 3 2,4,1,3 - 1300475168.854378 CV5WJ42jPYbNW9JNWf 141.142.220.118 37676 141.142.2.2 53 udp - 0.000420 52 99 SF - - 0 Dd 1 80 1 127 - +1300475173.475401 conn 1 3 2,4,1,3 - 1300475171.677081 CPhDKt12KQPUVbQz06 141.142.220.226 55131 224.0.0.252 5355 udp - 0.100021 66 0 S0 - - 0 D 2 122 0 0 - +1300475173.475401 conn 1 3 2,4,1,3 - 1300475173.116749 CAnFrb2Cvxr5T7quOc fe80::3074:17d5:2052:c324 54213 ff02::1:3 5355 udp - 0.099801 66 0 S0 - - 0 D 2 162 0 0 - +1300475173.475401 conn 1 3 2,4,1,3 - 1300475168.893988 C8rquZ3DjgNW06JGLl 141.142.220.118 45000 141.142.2.2 53 udp - 0.000384 38 89 SF - - 0 Dd 1 66 1 117 - +1300475173.475401 conn 1 3 2,4,1,3 - 1300475168.857956 CzrZOtXqhwwndQva3 141.142.220.118 32902 141.142.2.2 53 udp - 0.000317 38 89 SF - - 0 Dd 1 66 1 117 - +1300475173.475401 conn 1 3 2,4,1,3 - 1300475168.891644 CaGCc13FffXe6RkQl9 141.142.220.118 58206 141.142.2.2 53 udp - 0.000339 38 89 SF - - 0 Dd 1 66 1 117 - #close 2016-08-10-20-36-59 diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.field-extension-invalid/conn.log b/testing/btest/Baseline/scripts.base.frameworks.logging.field-extension-invalid/conn.log index 7a7408239d..05999fc9e2 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.logging.field-extension-invalid/conn.log 
+++ b/testing/btest/Baseline/scripts.base.frameworks.logging.field-extension-invalid/conn.log @@ -6,5 +6,5 @@ #open 2016-08-10-20-26-22 #fields _write_ts _stream _system_name ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents #types time string string time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] -- - - 1362692526.869344 CHhAvVGS1DHFjwGM9 141.142.228.5 59856 192.150.187.43 80 tcp - 0.211484 136 5007 SF - - 0 ShADadFf 7 512 7 5379 (empty) +- - - 1362692526.869344 CHhAvVGS1DHFjwGM9 141.142.228.5 59856 192.150.187.43 80 tcp - 0.211484 136 5007 SF - - 0 ShADadFf 7 512 7 5379 - #close 2016-08-10-20-26-22 diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.field-extension-optional/conn.log b/testing/btest/Baseline/scripts.base.frameworks.logging.field-extension-optional/conn.log index 64a99641df..867ba696d8 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.logging.field-extension-optional/conn.log +++ b/testing/btest/Baseline/scripts.base.frameworks.logging.field-extension-optional/conn.log 
@@ -6,38 +6,38 @@ #open 2016-08-10-20-27-56 #fields _write_ts _system_name _undefined_string ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents #types time string string time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] -1300475173.475401 bro - 1300475173.475401 C3eiCBGOLw3VtHfOj 173.192.163.128 80 141.142.220.235 6705 tcp - - - - OTH - - 0 H 1 48 0 0 (empty) -1300475173.475401 bro - 1300475173.475401 CmES5u32sYpV7JYN 141.142.220.118 49999 208.80.152.3 80 tcp - 0.220961 1137 733 S1 - - 0 ShADad 6 1457 4 949 (empty) -1300475173.475401 bro - 1300475173.475401 CHhAvVGS1DHFjwGM9 141.142.220.118 48649 208.80.152.118 80 tcp - 0.119905 525 232 S1 - - 0 ShADad 4 741 3 396 (empty) -1300475173.475401 bro - 1300475173.475401 ClEkJM2Vm5giqnMf4h 141.142.220.118 49997 208.80.152.3 80 tcp - 0.219720 1125 734 S1 - - 0 ShADad 6 1445 4 950 (empty) -1300475173.475401 bro - 1300475173.475401 C4J4Th3PJpwUYZZ6gc 141.142.220.118 49996 208.80.152.3 80 tcp - 0.218501 1171 733 S1 - - 0 ShADad 6 1491 4 949 (empty) -1300475173.475401 bro - 1300475173.475401 CwjjYJ2WqgTbAqiHl6 141.142.220.118 35634 208.80.152.2 80 tcp - 0.061329 463 350 OTH - - 0 DdA 2 567 1 402 (empty) -1300475173.475401 bro - 1300475173.475401 C37jN32gN3y3AZzyf6 141.142.220.118 35642 208.80.152.2 80 tcp - 0.120041 534 412 S1 - - 0 ShADad 4 750 3 576 (empty) -1300475173.475401 bro - 1300475173.475401 CtPZjS20MLrsMUOJi2 141.142.220.118 49998 208.80.152.3 80 tcp - 0.215893 1130 734 S1 - - 0 ShADad 6 1450 4 950 (empty) -1300475173.475401 bro - 1300475173.475401 CUM0KZ3MLUfNB0cl11 141.142.220.118 50000 208.80.152.3 80 tcp - 0.229603 1148 734 S1 - - 0 ShADad 6 1468 4 950 (empty) -1300475173.475401 bro - 1300475173.475401 CP5puj4I8PtEU4qzYg 141.142.220.118 50001 208.80.152.3 80 tcp - 0.227284 1178 
734 S1 - - 0 ShADad 6 1498 4 950 (empty) -1300475173.475401 bro - 1300475173.475401 C0LAHyvtKSQHyJxIl 141.142.220.118 43927 141.142.2.2 53 udp - 0.000435 38 89 SF - - 0 Dd 1 66 1 117 (empty) -1300475173.475401 bro - 1300475173.475401 CFLRIC3zaTU1loLGxh 141.142.220.118 56056 141.142.2.2 53 udp - 0.000402 36 131 SF - - 0 Dd 1 64 1 159 (empty) -1300475173.475401 bro - 1300475173.475401 C9rXSW3KSpTYvPrlI1 141.142.220.118 55092 141.142.2.2 53 udp - 0.000374 36 198 SF - - 0 Dd 1 64 1 226 (empty) -1300475173.475401 bro - 1300475173.475401 Ck51lg1bScffFj34Ri 141.142.220.118 59714 141.142.2.2 53 udp - 0.000375 38 183 SF - - 0 Dd 1 66 1 211 (empty) -1300475173.475401 bro - 1300475173.475401 C9mvWx3ezztgzcexV7 141.142.220.50 5353 224.0.0.251 5353 udp - - - - S0 - - 0 D 1 179 0 0 (empty) -1300475173.475401 bro - 1300475173.475401 CNnMIj2QSd84NKf7U3 141.142.220.118 40526 141.142.2.2 53 udp - 0.000392 38 183 SF - - 0 Dd 1 66 1 211 (empty) -1300475173.475401 bro - 1300475173.475401 C7fIlMZDuRiqjpYbb 141.142.220.118 48128 141.142.2.2 53 udp - 0.000423 38 183 SF - - 0 Dd 1 66 1 211 (empty) -1300475173.475401 bro - 1300475173.475401 CykQaM33ztNt0csB9a 141.142.220.118 48479 141.142.2.2 53 udp - 0.000317 52 99 SF - - 0 Dd 1 80 1 127 (empty) -1300475173.475401 bro - 1300475173.475401 CtxTCR2Yer0FR1tIBg 141.142.220.44 5353 224.0.0.251 5353 udp - - - - S0 - - 0 D 1 85 0 0 (empty) -1300475173.475401 bro - 1300475173.475401 CpmdRlaUoJLN3uIRa 141.142.220.226 137 141.142.220.255 137 udp - 2.613017 350 0 S0 - - 0 D 7 546 0 0 (empty) -1300475173.475401 bro - 1300475173.475401 C1Xkzz2MaGtLrc1Tla 141.142.220.118 59746 141.142.2.2 53 udp - 0.000421 38 183 SF - - 0 Dd 1 66 1 211 (empty) -1300475173.475401 bro - 1300475173.475401 CqlVyW1YwZ15RhTBc4 141.142.220.118 59816 141.142.2.2 53 udp - 0.000343 52 99 SF - - 0 Dd 1 80 1 127 (empty) -1300475173.475401 bro - 1300475173.475401 CLNN1k2QMum1aexUK7 fe80::217:f2ff:fed7:cf65 5353 ff02::fb 5353 udp - - - - S0 - - 0 D 1 199 0 0 (empty) -1300475173.475401 
bro - 1300475173.475401 CBA8792iHmnhPLksKa 141.142.220.226 55671 224.0.0.252 5355 udp - 0.099849 66 0 S0 - - 0 D 2 122 0 0 (empty) -1300475173.475401 bro - 1300475173.475401 CGLPPc35OzDQij1XX8 141.142.220.238 56641 141.142.220.255 137 udp - - - - S0 - - 0 D 1 78 0 0 (empty) -1300475173.475401 bro - 1300475173.475401 CiyBAq1bBLNaTiTAc 141.142.220.118 38911 141.142.2.2 53 udp - 0.000335 52 99 SF - - 0 Dd 1 80 1 127 (empty) -1300475173.475401 bro - 1300475173.475401 CFSwNi4CNGxcuffo49 fe80::3074:17d5:2052:c324 65373 ff02::1:3 5355 udp - 0.100096 66 0 S0 - - 0 D 2 162 0 0 (empty) -1300475173.475401 bro - 1300475173.475401 Cipfzj1BEnhejw8cGf 141.142.220.202 5353 224.0.0.251 5353 udp - - - - S0 - - 0 D 1 73 0 0 (empty) -1300475173.475401 bro - 1300475173.475401 CV5WJ42jPYbNW9JNWf 141.142.220.118 37676 141.142.2.2 53 udp - 0.000420 52 99 SF - - 0 Dd 1 80 1 127 (empty) -1300475173.475401 bro - 1300475173.475401 CPhDKt12KQPUVbQz06 141.142.220.226 55131 224.0.0.252 5355 udp - 0.100021 66 0 S0 - - 0 D 2 122 0 0 (empty) -1300475173.475401 bro - 1300475173.475401 CAnFrb2Cvxr5T7quOc fe80::3074:17d5:2052:c324 54213 ff02::1:3 5355 udp - 0.099801 66 0 S0 - - 0 D 2 162 0 0 (empty) -1300475173.475401 bro - 1300475173.475401 C8rquZ3DjgNW06JGLl 141.142.220.118 45000 141.142.2.2 53 udp - 0.000384 38 89 SF - - 0 Dd 1 66 1 117 (empty) -1300475173.475401 bro - 1300475173.475401 CzrZOtXqhwwndQva3 141.142.220.118 32902 141.142.2.2 53 udp - 0.000317 38 89 SF - - 0 Dd 1 66 1 117 (empty) -1300475173.475401 bro - 1300475173.475401 CaGCc13FffXe6RkQl9 141.142.220.118 58206 141.142.2.2 53 udp - 0.000339 38 89 SF - - 0 Dd 1 66 1 117 (empty) +1300475173.475401 bro - 1300475173.475401 C3eiCBGOLw3VtHfOj 173.192.163.128 80 141.142.220.235 6705 tcp - - - - OTH - - 0 H 1 48 0 0 - +1300475173.475401 bro - 1300475173.475401 CmES5u32sYpV7JYN 141.142.220.118 49999 208.80.152.3 80 tcp - 0.220961 1137 733 S1 - - 0 ShADad 6 1457 4 949 - +1300475173.475401 bro - 1300475173.475401 CHhAvVGS1DHFjwGM9 141.142.220.118 
48649 208.80.152.118 80 tcp - 0.119905 525 232 S1 - - 0 ShADad 4 741 3 396 - +1300475173.475401 bro - 1300475173.475401 ClEkJM2Vm5giqnMf4h 141.142.220.118 49997 208.80.152.3 80 tcp - 0.219720 1125 734 S1 - - 0 ShADad 6 1445 4 950 - +1300475173.475401 bro - 1300475173.475401 C4J4Th3PJpwUYZZ6gc 141.142.220.118 49996 208.80.152.3 80 tcp - 0.218501 1171 733 S1 - - 0 ShADad 6 1491 4 949 - +1300475173.475401 bro - 1300475173.475401 CwjjYJ2WqgTbAqiHl6 141.142.220.118 35634 208.80.152.2 80 tcp - 0.061329 463 350 OTH - - 0 DdA 2 567 1 402 - +1300475173.475401 bro - 1300475173.475401 C37jN32gN3y3AZzyf6 141.142.220.118 35642 208.80.152.2 80 tcp - 0.120041 534 412 S1 - - 0 ShADad 4 750 3 576 - +1300475173.475401 bro - 1300475173.475401 CtPZjS20MLrsMUOJi2 141.142.220.118 49998 208.80.152.3 80 tcp - 0.215893 1130 734 S1 - - 0 ShADad 6 1450 4 950 - +1300475173.475401 bro - 1300475173.475401 CUM0KZ3MLUfNB0cl11 141.142.220.118 50000 208.80.152.3 80 tcp - 0.229603 1148 734 S1 - - 0 ShADad 6 1468 4 950 - +1300475173.475401 bro - 1300475173.475401 CP5puj4I8PtEU4qzYg 141.142.220.118 50001 208.80.152.3 80 tcp - 0.227284 1178 734 S1 - - 0 ShADad 6 1498 4 950 - +1300475173.475401 bro - 1300475173.475401 C0LAHyvtKSQHyJxIl 141.142.220.118 43927 141.142.2.2 53 udp - 0.000435 38 89 SF - - 0 Dd 1 66 1 117 - +1300475173.475401 bro - 1300475173.475401 CFLRIC3zaTU1loLGxh 141.142.220.118 56056 141.142.2.2 53 udp - 0.000402 36 131 SF - - 0 Dd 1 64 1 159 - +1300475173.475401 bro - 1300475173.475401 C9rXSW3KSpTYvPrlI1 141.142.220.118 55092 141.142.2.2 53 udp - 0.000374 36 198 SF - - 0 Dd 1 64 1 226 - +1300475173.475401 bro - 1300475173.475401 Ck51lg1bScffFj34Ri 141.142.220.118 59714 141.142.2.2 53 udp - 0.000375 38 183 SF - - 0 Dd 1 66 1 211 - +1300475173.475401 bro - 1300475173.475401 C9mvWx3ezztgzcexV7 141.142.220.50 5353 224.0.0.251 5353 udp - - - - S0 - - 0 D 1 179 0 0 - +1300475173.475401 bro - 1300475173.475401 CNnMIj2QSd84NKf7U3 141.142.220.118 40526 141.142.2.2 53 udp - 0.000392 38 183 SF - - 
0 Dd 1 66 1 211 - +1300475173.475401 bro - 1300475173.475401 C7fIlMZDuRiqjpYbb 141.142.220.118 48128 141.142.2.2 53 udp - 0.000423 38 183 SF - - 0 Dd 1 66 1 211 - +1300475173.475401 bro - 1300475173.475401 CykQaM33ztNt0csB9a 141.142.220.118 48479 141.142.2.2 53 udp - 0.000317 52 99 SF - - 0 Dd 1 80 1 127 - +1300475173.475401 bro - 1300475173.475401 CtxTCR2Yer0FR1tIBg 141.142.220.44 5353 224.0.0.251 5353 udp - - - - S0 - - 0 D 1 85 0 0 - +1300475173.475401 bro - 1300475173.475401 CpmdRlaUoJLN3uIRa 141.142.220.226 137 141.142.220.255 137 udp - 2.613017 350 0 S0 - - 0 D 7 546 0 0 - +1300475173.475401 bro - 1300475173.475401 C1Xkzz2MaGtLrc1Tla 141.142.220.118 59746 141.142.2.2 53 udp - 0.000421 38 183 SF - - 0 Dd 1 66 1 211 - +1300475173.475401 bro - 1300475173.475401 CqlVyW1YwZ15RhTBc4 141.142.220.118 59816 141.142.2.2 53 udp - 0.000343 52 99 SF - - 0 Dd 1 80 1 127 - +1300475173.475401 bro - 1300475173.475401 CLNN1k2QMum1aexUK7 fe80::217:f2ff:fed7:cf65 5353 ff02::fb 5353 udp - - - - S0 - - 0 D 1 199 0 0 - +1300475173.475401 bro - 1300475173.475401 CBA8792iHmnhPLksKa 141.142.220.226 55671 224.0.0.252 5355 udp - 0.099849 66 0 S0 - - 0 D 2 122 0 0 - +1300475173.475401 bro - 1300475173.475401 CGLPPc35OzDQij1XX8 141.142.220.238 56641 141.142.220.255 137 udp - - - - S0 - - 0 D 1 78 0 0 - +1300475173.475401 bro - 1300475173.475401 CiyBAq1bBLNaTiTAc 141.142.220.118 38911 141.142.2.2 53 udp - 0.000335 52 99 SF - - 0 Dd 1 80 1 127 - +1300475173.475401 bro - 1300475173.475401 CFSwNi4CNGxcuffo49 fe80::3074:17d5:2052:c324 65373 ff02::1:3 5355 udp - 0.100096 66 0 S0 - - 0 D 2 162 0 0 - +1300475173.475401 bro - 1300475173.475401 Cipfzj1BEnhejw8cGf 141.142.220.202 5353 224.0.0.251 5353 udp - - - - S0 - - 0 D 1 73 0 0 - +1300475173.475401 bro - 1300475173.475401 CV5WJ42jPYbNW9JNWf 141.142.220.118 37676 141.142.2.2 53 udp - 0.000420 52 99 SF - - 0 Dd 1 80 1 127 - +1300475173.475401 bro - 1300475173.475401 CPhDKt12KQPUVbQz06 141.142.220.226 55131 224.0.0.252 5355 udp - 0.100021 66 0 S0 
- - 0 D 2 122 0 0 - +1300475173.475401 bro - 1300475173.475401 CAnFrb2Cvxr5T7quOc fe80::3074:17d5:2052:c324 54213 ff02::1:3 5355 udp - 0.099801 66 0 S0 - - 0 D 2 162 0 0 - +1300475173.475401 bro - 1300475173.475401 C8rquZ3DjgNW06JGLl 141.142.220.118 45000 141.142.2.2 53 udp - 0.000384 38 89 SF - - 0 Dd 1 66 1 117 - +1300475173.475401 bro - 1300475173.475401 CzrZOtXqhwwndQva3 141.142.220.118 32902 141.142.2.2 53 udp - 0.000317 38 89 SF - - 0 Dd 1 66 1 117 - +1300475173.475401 bro - 1300475173.475401 CaGCc13FffXe6RkQl9 141.142.220.118 58206 141.142.2.2 53 udp - 0.000339 38 89 SF - - 0 Dd 1 66 1 117 - #close 2016-08-10-20-27-56 diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.field-extension/conn.log b/testing/btest/Baseline/scripts.base.frameworks.logging.field-extension/conn.log index dd98eac209..5d66623de7 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.logging.field-extension/conn.log +++ b/testing/btest/Baseline/scripts.base.frameworks.logging.field-extension/conn.log 
@@ -6,38 +6,38 @@ #open 2016-08-10-17-45-11 #fields _write_ts _stream _system_name ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents #types time string string time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] -1300475173.475401 conn bro 1300475169.780331 C3eiCBGOLw3VtHfOj 173.192.163.128 80 141.142.220.235 6705 tcp - - - - OTH - - 0 H 1 48 0 0 (empty) -1300475173.475401 conn bro 1300475168.892913 CmES5u32sYpV7JYN 141.142.220.118 49999 208.80.152.3 80 tcp - 0.220961 1137 733 S1 - - 0 ShADad 6 1457 4 949 (empty) -1300475173.475401 conn bro 1300475168.724007 CHhAvVGS1DHFjwGM9 141.142.220.118 48649 208.80.152.118 80 tcp - 0.119905 525 232 S1 - - 0 ShADad 4 741 3 396 (empty) -1300475173.475401 conn bro 1300475168.855330 ClEkJM2Vm5giqnMf4h 141.142.220.118 49997 208.80.152.3 80 tcp - 0.219720 1125 734 S1 - - 0 ShADad 6 1445 4 950 (empty) -1300475173.475401 conn bro 1300475168.855305 C4J4Th3PJpwUYZZ6gc 141.142.220.118 49996 208.80.152.3 80 tcp - 0.218501 1171 733 S1 - - 0 ShADad 6 1491 4 949 (empty) -1300475173.475401 conn bro 1300475168.652003 CwjjYJ2WqgTbAqiHl6 141.142.220.118 35634 208.80.152.2 80 tcp - 0.061329 463 350 OTH - - 0 DdA 2 567 1 402 (empty) -1300475173.475401 conn bro 1300475168.902635 C37jN32gN3y3AZzyf6 141.142.220.118 35642 208.80.152.2 80 tcp - 0.120041 534 412 S1 - - 0 ShADad 4 750 3 576 (empty) -1300475173.475401 conn bro 1300475168.859163 CtPZjS20MLrsMUOJi2 141.142.220.118 49998 208.80.152.3 80 tcp - 0.215893 1130 734 S1 - - 0 ShADad 6 1450 4 950 (empty) -1300475173.475401 conn bro 1300475168.892936 CUM0KZ3MLUfNB0cl11 141.142.220.118 50000 208.80.152.3 80 tcp - 0.229603 1148 734 S1 - - 0 ShADad 6 1468 4 950 (empty) -1300475173.475401 conn bro 1300475168.895267 CP5puj4I8PtEU4qzYg 141.142.220.118 50001 208.80.152.3 80 
tcp - 0.227284 1178 734 S1 - - 0 ShADad 6 1498 4 950 (empty) -1300475173.475401 conn bro 1300475168.853899 C0LAHyvtKSQHyJxIl 141.142.220.118 43927 141.142.2.2 53 udp - 0.000435 38 89 SF - - 0 Dd 1 66 1 117 (empty) -1300475173.475401 conn bro 1300475168.901749 CFLRIC3zaTU1loLGxh 141.142.220.118 56056 141.142.2.2 53 udp - 0.000402 36 131 SF - - 0 Dd 1 64 1 159 (empty) -1300475173.475401 conn bro 1300475168.902195 C9rXSW3KSpTYvPrlI1 141.142.220.118 55092 141.142.2.2 53 udp - 0.000374 36 198 SF - - 0 Dd 1 64 1 226 (empty) -1300475173.475401 conn bro 1300475168.858713 Ck51lg1bScffFj34Ri 141.142.220.118 59714 141.142.2.2 53 udp - 0.000375 38 183 SF - - 0 Dd 1 66 1 211 (empty) -1300475173.475401 conn bro 1300475167.099816 C9mvWx3ezztgzcexV7 141.142.220.50 5353 224.0.0.251 5353 udp - - - - S0 - - 0 D 1 179 0 0 (empty) -1300475173.475401 conn bro 1300475168.854837 CNnMIj2QSd84NKf7U3 141.142.220.118 40526 141.142.2.2 53 udp - 0.000392 38 183 SF - - 0 Dd 1 66 1 211 (empty) -1300475173.475401 conn bro 1300475168.894787 C7fIlMZDuRiqjpYbb 141.142.220.118 48128 141.142.2.2 53 udp - 0.000423 38 183 SF - - 0 Dd 1 66 1 211 (empty) -1300475173.475401 conn bro 1300475168.894422 CykQaM33ztNt0csB9a 141.142.220.118 48479 141.142.2.2 53 udp - 0.000317 52 99 SF - - 0 Dd 1 80 1 127 (empty) -1300475173.475401 conn bro 1300475169.899438 CtxTCR2Yer0FR1tIBg 141.142.220.44 5353 224.0.0.251 5353 udp - - - - S0 - - 0 D 1 85 0 0 (empty) -1300475173.475401 conn bro 1300475170.862384 CpmdRlaUoJLN3uIRa 141.142.220.226 137 141.142.220.255 137 udp - 2.613017 350 0 S0 - - 0 D 7 546 0 0 (empty) -1300475173.475401 conn bro 1300475168.892414 C1Xkzz2MaGtLrc1Tla 141.142.220.118 59746 141.142.2.2 53 udp - 0.000421 38 183 SF - - 0 Dd 1 66 1 211 (empty) -1300475173.475401 conn bro 1300475168.858306 CqlVyW1YwZ15RhTBc4 141.142.220.118 59816 141.142.2.2 53 udp - 0.000343 52 99 SF - - 0 Dd 1 80 1 127 (empty) -1300475173.475401 conn bro 1300475167.097012 CLNN1k2QMum1aexUK7 fe80::217:f2ff:fed7:cf65 5353 ff02::fb 5353 
udp - - - - S0 - - 0 D 1 199 0 0 (empty) -1300475173.475401 conn bro 1300475173.117362 CBA8792iHmnhPLksKa 141.142.220.226 55671 224.0.0.252 5355 udp - 0.099849 66 0 S0 - - 0 D 2 122 0 0 (empty) -1300475173.475401 conn bro 1300475173.153679 CGLPPc35OzDQij1XX8 141.142.220.238 56641 141.142.220.255 137 udp - - - - S0 - - 0 D 1 78 0 0 (empty) -1300475173.475401 conn bro 1300475168.892037 CiyBAq1bBLNaTiTAc 141.142.220.118 38911 141.142.2.2 53 udp - 0.000335 52 99 SF - - 0 Dd 1 80 1 127 (empty) -1300475173.475401 conn bro 1300475171.675372 CFSwNi4CNGxcuffo49 fe80::3074:17d5:2052:c324 65373 ff02::1:3 5355 udp - 0.100096 66 0 S0 - - 0 D 2 162 0 0 (empty) -1300475173.475401 conn bro 1300475167.096535 Cipfzj1BEnhejw8cGf 141.142.220.202 5353 224.0.0.251 5353 udp - - - - S0 - - 0 D 1 73 0 0 (empty) -1300475173.475401 conn bro 1300475168.854378 CV5WJ42jPYbNW9JNWf 141.142.220.118 37676 141.142.2.2 53 udp - 0.000420 52 99 SF - - 0 Dd 1 80 1 127 (empty) -1300475173.475401 conn bro 1300475171.677081 CPhDKt12KQPUVbQz06 141.142.220.226 55131 224.0.0.252 5355 udp - 0.100021 66 0 S0 - - 0 D 2 122 0 0 (empty) -1300475173.475401 conn bro 1300475173.116749 CAnFrb2Cvxr5T7quOc fe80::3074:17d5:2052:c324 54213 ff02::1:3 5355 udp - 0.099801 66 0 S0 - - 0 D 2 162 0 0 (empty) -1300475173.475401 conn bro 1300475168.893988 C8rquZ3DjgNW06JGLl 141.142.220.118 45000 141.142.2.2 53 udp - 0.000384 38 89 SF - - 0 Dd 1 66 1 117 (empty) -1300475173.475401 conn bro 1300475168.857956 CzrZOtXqhwwndQva3 141.142.220.118 32902 141.142.2.2 53 udp - 0.000317 38 89 SF - - 0 Dd 1 66 1 117 (empty) -1300475173.475401 conn bro 1300475168.891644 CaGCc13FffXe6RkQl9 141.142.220.118 58206 141.142.2.2 53 udp - 0.000339 38 89 SF - - 0 Dd 1 66 1 117 (empty) +1300475173.475401 conn bro 1300475169.780331 C3eiCBGOLw3VtHfOj 173.192.163.128 80 141.142.220.235 6705 tcp - - - - OTH - - 0 H 1 48 0 0 - +1300475173.475401 conn bro 1300475168.892913 CmES5u32sYpV7JYN 141.142.220.118 49999 208.80.152.3 80 tcp - 0.220961 1137 733 S1 - - 0 
ShADad 6 1457 4 949 - +1300475173.475401 conn bro 1300475168.724007 CHhAvVGS1DHFjwGM9 141.142.220.118 48649 208.80.152.118 80 tcp - 0.119905 525 232 S1 - - 0 ShADad 4 741 3 396 - +1300475173.475401 conn bro 1300475168.855330 ClEkJM2Vm5giqnMf4h 141.142.220.118 49997 208.80.152.3 80 tcp - 0.219720 1125 734 S1 - - 0 ShADad 6 1445 4 950 - +1300475173.475401 conn bro 1300475168.855305 C4J4Th3PJpwUYZZ6gc 141.142.220.118 49996 208.80.152.3 80 tcp - 0.218501 1171 733 S1 - - 0 ShADad 6 1491 4 949 - +1300475173.475401 conn bro 1300475168.652003 CwjjYJ2WqgTbAqiHl6 141.142.220.118 35634 208.80.152.2 80 tcp - 0.061329 463 350 OTH - - 0 DdA 2 567 1 402 - +1300475173.475401 conn bro 1300475168.902635 C37jN32gN3y3AZzyf6 141.142.220.118 35642 208.80.152.2 80 tcp - 0.120041 534 412 S1 - - 0 ShADad 4 750 3 576 - +1300475173.475401 conn bro 1300475168.859163 CtPZjS20MLrsMUOJi2 141.142.220.118 49998 208.80.152.3 80 tcp - 0.215893 1130 734 S1 - - 0 ShADad 6 1450 4 950 - +1300475173.475401 conn bro 1300475168.892936 CUM0KZ3MLUfNB0cl11 141.142.220.118 50000 208.80.152.3 80 tcp - 0.229603 1148 734 S1 - - 0 ShADad 6 1468 4 950 - +1300475173.475401 conn bro 1300475168.895267 CP5puj4I8PtEU4qzYg 141.142.220.118 50001 208.80.152.3 80 tcp - 0.227284 1178 734 S1 - - 0 ShADad 6 1498 4 950 - +1300475173.475401 conn bro 1300475168.853899 C0LAHyvtKSQHyJxIl 141.142.220.118 43927 141.142.2.2 53 udp - 0.000435 38 89 SF - - 0 Dd 1 66 1 117 - +1300475173.475401 conn bro 1300475168.901749 CFLRIC3zaTU1loLGxh 141.142.220.118 56056 141.142.2.2 53 udp - 0.000402 36 131 SF - - 0 Dd 1 64 1 159 - +1300475173.475401 conn bro 1300475168.902195 C9rXSW3KSpTYvPrlI1 141.142.220.118 55092 141.142.2.2 53 udp - 0.000374 36 198 SF - - 0 Dd 1 64 1 226 - +1300475173.475401 conn bro 1300475168.858713 Ck51lg1bScffFj34Ri 141.142.220.118 59714 141.142.2.2 53 udp - 0.000375 38 183 SF - - 0 Dd 1 66 1 211 - +1300475173.475401 conn bro 1300475167.099816 C9mvWx3ezztgzcexV7 141.142.220.50 5353 224.0.0.251 5353 udp - - - - S0 - - 0 D 1 
179 0 0 - +1300475173.475401 conn bro 1300475168.854837 CNnMIj2QSd84NKf7U3 141.142.220.118 40526 141.142.2.2 53 udp - 0.000392 38 183 SF - - 0 Dd 1 66 1 211 - +1300475173.475401 conn bro 1300475168.894787 C7fIlMZDuRiqjpYbb 141.142.220.118 48128 141.142.2.2 53 udp - 0.000423 38 183 SF - - 0 Dd 1 66 1 211 - +1300475173.475401 conn bro 1300475168.894422 CykQaM33ztNt0csB9a 141.142.220.118 48479 141.142.2.2 53 udp - 0.000317 52 99 SF - - 0 Dd 1 80 1 127 - +1300475173.475401 conn bro 1300475169.899438 CtxTCR2Yer0FR1tIBg 141.142.220.44 5353 224.0.0.251 5353 udp - - - - S0 - - 0 D 1 85 0 0 - +1300475173.475401 conn bro 1300475170.862384 CpmdRlaUoJLN3uIRa 141.142.220.226 137 141.142.220.255 137 udp - 2.613017 350 0 S0 - - 0 D 7 546 0 0 - +1300475173.475401 conn bro 1300475168.892414 C1Xkzz2MaGtLrc1Tla 141.142.220.118 59746 141.142.2.2 53 udp - 0.000421 38 183 SF - - 0 Dd 1 66 1 211 - +1300475173.475401 conn bro 1300475168.858306 CqlVyW1YwZ15RhTBc4 141.142.220.118 59816 141.142.2.2 53 udp - 0.000343 52 99 SF - - 0 Dd 1 80 1 127 - +1300475173.475401 conn bro 1300475167.097012 CLNN1k2QMum1aexUK7 fe80::217:f2ff:fed7:cf65 5353 ff02::fb 5353 udp - - - - S0 - - 0 D 1 199 0 0 - +1300475173.475401 conn bro 1300475173.117362 CBA8792iHmnhPLksKa 141.142.220.226 55671 224.0.0.252 5355 udp - 0.099849 66 0 S0 - - 0 D 2 122 0 0 - +1300475173.475401 conn bro 1300475173.153679 CGLPPc35OzDQij1XX8 141.142.220.238 56641 141.142.220.255 137 udp - - - - S0 - - 0 D 1 78 0 0 - +1300475173.475401 conn bro 1300475168.892037 CiyBAq1bBLNaTiTAc 141.142.220.118 38911 141.142.2.2 53 udp - 0.000335 52 99 SF - - 0 Dd 1 80 1 127 - +1300475173.475401 conn bro 1300475171.675372 CFSwNi4CNGxcuffo49 fe80::3074:17d5:2052:c324 65373 ff02::1:3 5355 udp - 0.100096 66 0 S0 - - 0 D 2 162 0 0 - +1300475173.475401 conn bro 1300475167.096535 Cipfzj1BEnhejw8cGf 141.142.220.202 5353 224.0.0.251 5353 udp - - - - S0 - - 0 D 1 73 0 0 - +1300475173.475401 conn bro 1300475168.854378 CV5WJ42jPYbNW9JNWf 141.142.220.118 37676 
141.142.2.2 53 udp - 0.000420 52 99 SF - - 0 Dd 1 80 1 127 - +1300475173.475401 conn bro 1300475171.677081 CPhDKt12KQPUVbQz06 141.142.220.226 55131 224.0.0.252 5355 udp - 0.100021 66 0 S0 - - 0 D 2 122 0 0 - +1300475173.475401 conn bro 1300475173.116749 CAnFrb2Cvxr5T7quOc fe80::3074:17d5:2052:c324 54213 ff02::1:3 5355 udp - 0.099801 66 0 S0 - - 0 D 2 162 0 0 - +1300475173.475401 conn bro 1300475168.893988 C8rquZ3DjgNW06JGLl 141.142.220.118 45000 141.142.2.2 53 udp - 0.000384 38 89 SF - - 0 Dd 1 66 1 117 - +1300475173.475401 conn bro 1300475168.857956 CzrZOtXqhwwndQva3 141.142.220.118 32902 141.142.2.2 53 udp - 0.000317 38 89 SF - - 0 Dd 1 66 1 117 - +1300475173.475401 conn bro 1300475168.891644 CaGCc13FffXe6RkQl9 141.142.220.118 58206 141.142.2.2 53 udp - 0.000339 38 89 SF - - 0 Dd 1 66 1 117 - #close 2016-08-10-17-45-11 diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.field-name-map/conn.log b/testing/btest/Baseline/scripts.base.frameworks.logging.field-name-map/conn.log index a97fff59b2..26ea9cd33c 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.logging.field-name-map/conn.log +++ b/testing/btest/Baseline/scripts.base.frameworks.logging.field-name-map/conn.log 
@@ -6,38 +6,38 @@ #open 2016-08-10-16-51-09 #fields ts uid src src_port dst dst_port proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] -1300475169.780331 C3eiCBGOLw3VtHfOj 173.192.163.128 80 141.142.220.235 6705 tcp - - - - OTH - - 0 H 1 48 0 0 (empty) -1300475168.892913 CmES5u32sYpV7JYN 141.142.220.118 49999 208.80.152.3 80 tcp - 0.220961 1137 733 S1 - - 0 ShADad 6 1457 4 949 (empty) -1300475168.724007 CHhAvVGS1DHFjwGM9 141.142.220.118 48649 208.80.152.118 80 tcp - 0.119905 525 232 S1 - - 0 ShADad 4 741 3 396 (empty) -1300475168.855330 ClEkJM2Vm5giqnMf4h 141.142.220.118 49997 208.80.152.3 80 tcp - 0.219720 1125 734 S1 - - 0 ShADad 6 1445 4 950 (empty) -1300475168.855305 C4J4Th3PJpwUYZZ6gc 141.142.220.118 49996 208.80.152.3 80 tcp - 0.218501 1171 733 S1 - - 0 ShADad 6 1491 4 949 (empty) -1300475168.652003 CwjjYJ2WqgTbAqiHl6 141.142.220.118 35634 208.80.152.2 80 tcp - 0.061329 463 350 OTH - - 0 DdA 2 567 1 402 (empty) -1300475168.902635 C37jN32gN3y3AZzyf6 141.142.220.118 35642 208.80.152.2 80 tcp - 0.120041 534 412 S1 - - 0 ShADad 4 750 3 576 (empty) -1300475168.859163 CtPZjS20MLrsMUOJi2 141.142.220.118 49998 208.80.152.3 80 tcp - 0.215893 1130 734 S1 - - 0 ShADad 6 1450 4 950 (empty) -1300475168.892936 CUM0KZ3MLUfNB0cl11 141.142.220.118 50000 208.80.152.3 80 tcp - 0.229603 1148 734 S1 - - 0 ShADad 6 1468 4 950 (empty) -1300475168.895267 CP5puj4I8PtEU4qzYg 141.142.220.118 50001 208.80.152.3 80 tcp - 0.227284 1178 734 S1 - - 0 ShADad 6 1498 4 950 (empty) -1300475168.853899 C0LAHyvtKSQHyJxIl 141.142.220.118 43927 141.142.2.2 53 udp - 0.000435 38 89 SF - - 0 Dd 1 66 1 117 (empty) -1300475168.901749 CFLRIC3zaTU1loLGxh 141.142.220.118 56056 141.142.2.2 53 udp - 0.000402 36 131 SF - - 0 Dd 1 64 1 159 (empty) -1300475168.902195 
C9rXSW3KSpTYvPrlI1 141.142.220.118 55092 141.142.2.2 53 udp - 0.000374 36 198 SF - - 0 Dd 1 64 1 226 (empty) -1300475168.858713 Ck51lg1bScffFj34Ri 141.142.220.118 59714 141.142.2.2 53 udp - 0.000375 38 183 SF - - 0 Dd 1 66 1 211 (empty) -1300475167.099816 C9mvWx3ezztgzcexV7 141.142.220.50 5353 224.0.0.251 5353 udp - - - - S0 - - 0 D 1 179 0 0 (empty) -1300475168.854837 CNnMIj2QSd84NKf7U3 141.142.220.118 40526 141.142.2.2 53 udp - 0.000392 38 183 SF - - 0 Dd 1 66 1 211 (empty) -1300475168.894787 C7fIlMZDuRiqjpYbb 141.142.220.118 48128 141.142.2.2 53 udp - 0.000423 38 183 SF - - 0 Dd 1 66 1 211 (empty) -1300475168.894422 CykQaM33ztNt0csB9a 141.142.220.118 48479 141.142.2.2 53 udp - 0.000317 52 99 SF - - 0 Dd 1 80 1 127 (empty) -1300475169.899438 CtxTCR2Yer0FR1tIBg 141.142.220.44 5353 224.0.0.251 5353 udp - - - - S0 - - 0 D 1 85 0 0 (empty) -1300475170.862384 CpmdRlaUoJLN3uIRa 141.142.220.226 137 141.142.220.255 137 udp - 2.613017 350 0 S0 - - 0 D 7 546 0 0 (empty) -1300475168.892414 C1Xkzz2MaGtLrc1Tla 141.142.220.118 59746 141.142.2.2 53 udp - 0.000421 38 183 SF - - 0 Dd 1 66 1 211 (empty) -1300475168.858306 CqlVyW1YwZ15RhTBc4 141.142.220.118 59816 141.142.2.2 53 udp - 0.000343 52 99 SF - - 0 Dd 1 80 1 127 (empty) -1300475167.097012 CLNN1k2QMum1aexUK7 fe80::217:f2ff:fed7:cf65 5353 ff02::fb 5353 udp - - - - S0 - - 0 D 1 199 0 0 (empty) -1300475173.117362 CBA8792iHmnhPLksKa 141.142.220.226 55671 224.0.0.252 5355 udp - 0.099849 66 0 S0 - - 0 D 2 122 0 0 (empty) -1300475173.153679 CGLPPc35OzDQij1XX8 141.142.220.238 56641 141.142.220.255 137 udp - - - - S0 - - 0 D 1 78 0 0 (empty) -1300475168.892037 CiyBAq1bBLNaTiTAc 141.142.220.118 38911 141.142.2.2 53 udp - 0.000335 52 99 SF - - 0 Dd 1 80 1 127 (empty) -1300475171.675372 CFSwNi4CNGxcuffo49 fe80::3074:17d5:2052:c324 65373 ff02::1:3 5355 udp - 0.100096 66 0 S0 - - 0 D 2 162 0 0 (empty) -1300475167.096535 Cipfzj1BEnhejw8cGf 141.142.220.202 5353 224.0.0.251 5353 udp - - - - S0 - - 0 D 1 73 0 0 (empty) -1300475168.854378 
CV5WJ42jPYbNW9JNWf 141.142.220.118 37676 141.142.2.2 53 udp - 0.000420 52 99 SF - - 0 Dd 1 80 1 127 (empty) -1300475171.677081 CPhDKt12KQPUVbQz06 141.142.220.226 55131 224.0.0.252 5355 udp - 0.100021 66 0 S0 - - 0 D 2 122 0 0 (empty) -1300475173.116749 CAnFrb2Cvxr5T7quOc fe80::3074:17d5:2052:c324 54213 ff02::1:3 5355 udp - 0.099801 66 0 S0 - - 0 D 2 162 0 0 (empty) -1300475168.893988 C8rquZ3DjgNW06JGLl 141.142.220.118 45000 141.142.2.2 53 udp - 0.000384 38 89 SF - - 0 Dd 1 66 1 117 (empty) -1300475168.857956 CzrZOtXqhwwndQva3 141.142.220.118 32902 141.142.2.2 53 udp - 0.000317 38 89 SF - - 0 Dd 1 66 1 117 (empty) -1300475168.891644 CaGCc13FffXe6RkQl9 141.142.220.118 58206 141.142.2.2 53 udp - 0.000339 38 89 SF - - 0 Dd 1 66 1 117 (empty) +1300475169.780331 C3eiCBGOLw3VtHfOj 173.192.163.128 80 141.142.220.235 6705 tcp - - - - OTH - - 0 H 1 48 0 0 - +1300475168.892913 CmES5u32sYpV7JYN 141.142.220.118 49999 208.80.152.3 80 tcp - 0.220961 1137 733 S1 - - 0 ShADad 6 1457 4 949 - +1300475168.724007 CHhAvVGS1DHFjwGM9 141.142.220.118 48649 208.80.152.118 80 tcp - 0.119905 525 232 S1 - - 0 ShADad 4 741 3 396 - +1300475168.855330 ClEkJM2Vm5giqnMf4h 141.142.220.118 49997 208.80.152.3 80 tcp - 0.219720 1125 734 S1 - - 0 ShADad 6 1445 4 950 - +1300475168.855305 C4J4Th3PJpwUYZZ6gc 141.142.220.118 49996 208.80.152.3 80 tcp - 0.218501 1171 733 S1 - - 0 ShADad 6 1491 4 949 - +1300475168.652003 CwjjYJ2WqgTbAqiHl6 141.142.220.118 35634 208.80.152.2 80 tcp - 0.061329 463 350 OTH - - 0 DdA 2 567 1 402 - +1300475168.902635 C37jN32gN3y3AZzyf6 141.142.220.118 35642 208.80.152.2 80 tcp - 0.120041 534 412 S1 - - 0 ShADad 4 750 3 576 - +1300475168.859163 CtPZjS20MLrsMUOJi2 141.142.220.118 49998 208.80.152.3 80 tcp - 0.215893 1130 734 S1 - - 0 ShADad 6 1450 4 950 - +1300475168.892936 CUM0KZ3MLUfNB0cl11 141.142.220.118 50000 208.80.152.3 80 tcp - 0.229603 1148 734 S1 - - 0 ShADad 6 1468 4 950 - +1300475168.895267 CP5puj4I8PtEU4qzYg 141.142.220.118 50001 208.80.152.3 80 tcp - 0.227284 1178 734 
S1 - - 0 ShADad 6 1498 4 950 - +1300475168.853899 C0LAHyvtKSQHyJxIl 141.142.220.118 43927 141.142.2.2 53 udp - 0.000435 38 89 SF - - 0 Dd 1 66 1 117 - +1300475168.901749 CFLRIC3zaTU1loLGxh 141.142.220.118 56056 141.142.2.2 53 udp - 0.000402 36 131 SF - - 0 Dd 1 64 1 159 - +1300475168.902195 C9rXSW3KSpTYvPrlI1 141.142.220.118 55092 141.142.2.2 53 udp - 0.000374 36 198 SF - - 0 Dd 1 64 1 226 - +1300475168.858713 Ck51lg1bScffFj34Ri 141.142.220.118 59714 141.142.2.2 53 udp - 0.000375 38 183 SF - - 0 Dd 1 66 1 211 - +1300475167.099816 C9mvWx3ezztgzcexV7 141.142.220.50 5353 224.0.0.251 5353 udp - - - - S0 - - 0 D 1 179 0 0 - +1300475168.854837 CNnMIj2QSd84NKf7U3 141.142.220.118 40526 141.142.2.2 53 udp - 0.000392 38 183 SF - - 0 Dd 1 66 1 211 - +1300475168.894787 C7fIlMZDuRiqjpYbb 141.142.220.118 48128 141.142.2.2 53 udp - 0.000423 38 183 SF - - 0 Dd 1 66 1 211 - +1300475168.894422 CykQaM33ztNt0csB9a 141.142.220.118 48479 141.142.2.2 53 udp - 0.000317 52 99 SF - - 0 Dd 1 80 1 127 - +1300475169.899438 CtxTCR2Yer0FR1tIBg 141.142.220.44 5353 224.0.0.251 5353 udp - - - - S0 - - 0 D 1 85 0 0 - +1300475170.862384 CpmdRlaUoJLN3uIRa 141.142.220.226 137 141.142.220.255 137 udp - 2.613017 350 0 S0 - - 0 D 7 546 0 0 - +1300475168.892414 C1Xkzz2MaGtLrc1Tla 141.142.220.118 59746 141.142.2.2 53 udp - 0.000421 38 183 SF - - 0 Dd 1 66 1 211 - +1300475168.858306 CqlVyW1YwZ15RhTBc4 141.142.220.118 59816 141.142.2.2 53 udp - 0.000343 52 99 SF - - 0 Dd 1 80 1 127 - +1300475167.097012 CLNN1k2QMum1aexUK7 fe80::217:f2ff:fed7:cf65 5353 ff02::fb 5353 udp - - - - S0 - - 0 D 1 199 0 0 - +1300475173.117362 CBA8792iHmnhPLksKa 141.142.220.226 55671 224.0.0.252 5355 udp - 0.099849 66 0 S0 - - 0 D 2 122 0 0 - +1300475173.153679 CGLPPc35OzDQij1XX8 141.142.220.238 56641 141.142.220.255 137 udp - - - - S0 - - 0 D 1 78 0 0 - +1300475168.892037 CiyBAq1bBLNaTiTAc 141.142.220.118 38911 141.142.2.2 53 udp - 0.000335 52 99 SF - - 0 Dd 1 80 1 127 - +1300475171.675372 CFSwNi4CNGxcuffo49 fe80::3074:17d5:2052:c324 
65373 ff02::1:3 5355 udp - 0.100096 66 0 S0 - - 0 D 2 162 0 0 - +1300475167.096535 Cipfzj1BEnhejw8cGf 141.142.220.202 5353 224.0.0.251 5353 udp - - - - S0 - - 0 D 1 73 0 0 - +1300475168.854378 CV5WJ42jPYbNW9JNWf 141.142.220.118 37676 141.142.2.2 53 udp - 0.000420 52 99 SF - - 0 Dd 1 80 1 127 - +1300475171.677081 CPhDKt12KQPUVbQz06 141.142.220.226 55131 224.0.0.252 5355 udp - 0.100021 66 0 S0 - - 0 D 2 122 0 0 - +1300475173.116749 CAnFrb2Cvxr5T7quOc fe80::3074:17d5:2052:c324 54213 ff02::1:3 5355 udp - 0.099801 66 0 S0 - - 0 D 2 162 0 0 - +1300475168.893988 C8rquZ3DjgNW06JGLl 141.142.220.118 45000 141.142.2.2 53 udp - 0.000384 38 89 SF - - 0 Dd 1 66 1 117 - +1300475168.857956 CzrZOtXqhwwndQva3 141.142.220.118 32902 141.142.2.2 53 udp - 0.000317 38 89 SF - - 0 Dd 1 66 1 117 - +1300475168.891644 CaGCc13FffXe6RkQl9 141.142.220.118 58206 141.142.2.2 53 udp - 0.000339 38 89 SF - - 0 Dd 1 66 1 117 - #close 2016-08-10-16-51-09 diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.remote-config/sender.test.failure.log b/testing/btest/Baseline/scripts.base.frameworks.logging.remote-config/sender.test.failure.log deleted file mode 100644 index 41b8544db1..0000000000 --- a/testing/btest/Baseline/scripts.base.frameworks.logging.remote-config/sender.test.failure.log +++ /dev/null @@ -1,4 +0,0 @@ -t id.orig_h id.orig_p id.resp_h id.resp_p status country -1424728450.994495 1.2.3.4 1234 2.3.4.5 80 failure US -1424728450.994495 1.2.3.4 1234 2.3.4.5 80 failure UK -1424728450.994495 1.2.3.4 1234 2.3.4.5 80 failure MX diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.remote-config/sender.test.log b/testing/btest/Baseline/scripts.base.frameworks.logging.remote-config/sender.test.log deleted file mode 100644 index f84ccde80c..0000000000 --- a/testing/btest/Baseline/scripts.base.frameworks.logging.remote-config/sender.test.log +++ /dev/null 
@@ -1,14 +0,0 @@ -#separator \x09 -#set_separator , -#empty_field (empty) -#unset_field - -#path test -#open 2015-02-23-21-54-13 -#fields t id.orig_h id.orig_p id.resp_h id.resp_p status country -#types time addr port addr port string string -1424728450.994495 1.2.3.4 1234 2.3.4.5 80 success unknown -1424728450.994495 1.2.3.4 1234 2.3.4.5 80 failure US -1424728450.994495 1.2.3.4 1234 2.3.4.5 80 failure UK -1424728450.994495 1.2.3.4 1234 2.3.4.5 80 success BR -1424728450.994495 1.2.3.4 1234 2.3.4.5 80 failure MX -#close 2015-02-23-21-54-13 diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.remote-config/sender.test.success.log b/testing/btest/Baseline/scripts.base.frameworks.logging.remote-config/sender.test.success.log deleted file mode 100644 index 35f497fd0d..0000000000 --- a/testing/btest/Baseline/scripts.base.frameworks.logging.remote-config/sender.test.success.log +++ /dev/null @@ -1,11 +0,0 @@ -#separator \x09 -#set_separator , -#empty_field (empty) -#unset_field - -#path test.success -#open 2015-02-23-21-54-13 -#fields t id.orig_h id.orig_p id.resp_h id.resp_p status country -#types time addr port addr port string string -1424728450.994495 1.2.3.4 1234 2.3.4.5 80 success unknown -1424728450.994495 1.2.3.4 1234 2.3.4.5 80 success BR -#close 2015-02-23-21-54-13 diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.remote-types/receiver.test.log b/testing/btest/Baseline/scripts.base.frameworks.logging.remote-types/receiver.test.log deleted file mode 100644 index d15f9fa7d6..0000000000 --- a/testing/btest/Baseline/scripts.base.frameworks.logging.remote-types/receiver.test.log +++ /dev/null 
@@ -1,10 +0,0 @@ -#separator \x09 -#set_separator , -#empty_field EMPTY -#unset_field - -#path test -#open 2016-07-13-16-15-16 -#fields b i e c p sn a d t iv s sc ss se vc ve -#types bool int enum count port subnet addr double time interval string set[count] set[string] set[string] vector[count] vector[string] -T -42 Test::LOG 21 123 10.0.0.0/24 1.2.3.4 3.14 1468426515.359438 100.000000 hurz 2,4,1,3 BB,AA,CC EMPTY 10,20,30 EMPTY -#close 2016-07-13-16-15-26 diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.remote/sender.test.failure.log b/testing/btest/Baseline/scripts.base.frameworks.logging.remote/sender.test.failure.log deleted file mode 100644 index 71e1d18c73..0000000000 --- a/testing/btest/Baseline/scripts.base.frameworks.logging.remote/sender.test.failure.log +++ /dev/null @@ -1,12 +0,0 @@ -#separator \x09 -#set_separator , -#empty_field (empty) -#unset_field - -#path test.failure -#open 2012-07-20-01-50-18 -#fields t id.orig_h id.orig_p id.resp_h id.resp_p status country -#types time addr port addr port string string -1342749018.970682 1.2.3.4 1234 2.3.4.5 80 failure US -1342749018.970682 1.2.3.4 1234 2.3.4.5 80 failure UK -1342749018.970682 1.2.3.4 1234 2.3.4.5 80 failure MX -#close 2012-07-20-01-50-18 diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.remote/sender.test.log b/testing/btest/Baseline/scripts.base.frameworks.logging.remote/sender.test.log deleted file mode 100644 index bc3dac5a1a..0000000000 --- a/testing/btest/Baseline/scripts.base.frameworks.logging.remote/sender.test.log +++ /dev/null 
@@ -1,14 +0,0 @@ -#separator \x09 -#set_separator , -#empty_field (empty) -#unset_field - -#path test -#open 2012-07-20-01-50-18 -#fields t id.orig_h id.orig_p id.resp_h id.resp_p status country -#types time addr port addr port string string -1342749018.970682 1.2.3.4 1234 2.3.4.5 80 success unknown -1342749018.970682 1.2.3.4 1234 2.3.4.5 80 failure US -1342749018.970682 1.2.3.4 1234 2.3.4.5 80 failure UK -1342749018.970682 1.2.3.4 1234 2.3.4.5 80 success BR -1342749018.970682 1.2.3.4 1234 2.3.4.5 80 failure MX -#close 2012-07-20-01-50-18 diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.remote/sender.test.success.log b/testing/btest/Baseline/scripts.base.frameworks.logging.remote/sender.test.success.log deleted file mode 100644 index f0b26454b4..0000000000 --- a/testing/btest/Baseline/scripts.base.frameworks.logging.remote/sender.test.success.log +++ /dev/null @@ -1,11 +0,0 @@ -#separator \x09 -#set_separator , -#empty_field (empty) -#unset_field - -#path test.success -#open 2012-07-20-01-50-18 -#fields t id.orig_h id.orig_p id.resp_h id.resp_p status country -#types time addr port addr port string string -1342749018.970682 1.2.3.4 1234 2.3.4.5 80 success unknown -1342749018.970682 1.2.3.4 1234 2.3.4.5 80 success BR -#close 2012-07-20-01-50-18 diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.remove/.stdout b/testing/btest/Baseline/scripts.base.frameworks.logging.remove/.stdout new file mode 100644 index 0000000000..10e5d0099a --- /dev/null +++ b/testing/btest/Baseline/scripts.base.frameworks.logging.remove/.stdout @@ -0,0 +1,7 @@ +{ +default, +f1 +} +{ + +} diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.scope_sep/conn.log b/testing/btest/Baseline/scripts.base.frameworks.logging.scope_sep/conn.log index 2347e0b3ce..da75aa01ec 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.logging.scope_sep/conn.log +++ b/testing/btest/Baseline/scripts.base.frameworks.logging.scope_sep/conn.log 
@@ -6,38 +6,38 @@ #open 2016-08-10-16-53-04 #fields ts uid id_orig_h id_orig_p id_resp_h id_resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] -1300475169.780331 C3eiCBGOLw3VtHfOj 173.192.163.128 80 141.142.220.235 6705 tcp - - - - OTH - - 0 H 1 48 0 0 (empty) -1300475168.892913 CmES5u32sYpV7JYN 141.142.220.118 49999 208.80.152.3 80 tcp - 0.220961 1137 733 S1 - - 0 ShADad 6 1457 4 949 (empty) -1300475168.724007 CHhAvVGS1DHFjwGM9 141.142.220.118 48649 208.80.152.118 80 tcp - 0.119905 525 232 S1 - - 0 ShADad 4 741 3 396 (empty) -1300475168.855330 ClEkJM2Vm5giqnMf4h 141.142.220.118 49997 208.80.152.3 80 tcp - 0.219720 1125 734 S1 - - 0 ShADad 6 1445 4 950 (empty) -1300475168.855305 C4J4Th3PJpwUYZZ6gc 141.142.220.118 49996 208.80.152.3 80 tcp - 0.218501 1171 733 S1 - - 0 ShADad 6 1491 4 949 (empty) -1300475168.652003 CwjjYJ2WqgTbAqiHl6 141.142.220.118 35634 208.80.152.2 80 tcp - 0.061329 463 350 OTH - - 0 DdA 2 567 1 402 (empty) -1300475168.902635 C37jN32gN3y3AZzyf6 141.142.220.118 35642 208.80.152.2 80 tcp - 0.120041 534 412 S1 - - 0 ShADad 4 750 3 576 (empty) -1300475168.859163 CtPZjS20MLrsMUOJi2 141.142.220.118 49998 208.80.152.3 80 tcp - 0.215893 1130 734 S1 - - 0 ShADad 6 1450 4 950 (empty) -1300475168.892936 CUM0KZ3MLUfNB0cl11 141.142.220.118 50000 208.80.152.3 80 tcp - 0.229603 1148 734 S1 - - 0 ShADad 6 1468 4 950 (empty) -1300475168.895267 CP5puj4I8PtEU4qzYg 141.142.220.118 50001 208.80.152.3 80 tcp - 0.227284 1178 734 S1 - - 0 ShADad 6 1498 4 950 (empty) -1300475168.853899 C0LAHyvtKSQHyJxIl 141.142.220.118 43927 141.142.2.2 53 udp - 0.000435 38 89 SF - - 0 Dd 1 66 1 117 (empty) -1300475168.901749 CFLRIC3zaTU1loLGxh 141.142.220.118 56056 141.142.2.2 53 udp - 0.000402 36 131 SF - - 0 Dd 1 64 1 159 (empty) 
-1300475168.902195 C9rXSW3KSpTYvPrlI1 141.142.220.118 55092 141.142.2.2 53 udp - 0.000374 36 198 SF - - 0 Dd 1 64 1 226 (empty) -1300475168.858713 Ck51lg1bScffFj34Ri 141.142.220.118 59714 141.142.2.2 53 udp - 0.000375 38 183 SF - - 0 Dd 1 66 1 211 (empty) -1300475167.099816 C9mvWx3ezztgzcexV7 141.142.220.50 5353 224.0.0.251 5353 udp - - - - S0 - - 0 D 1 179 0 0 (empty) -1300475168.854837 CNnMIj2QSd84NKf7U3 141.142.220.118 40526 141.142.2.2 53 udp - 0.000392 38 183 SF - - 0 Dd 1 66 1 211 (empty) -1300475168.894787 C7fIlMZDuRiqjpYbb 141.142.220.118 48128 141.142.2.2 53 udp - 0.000423 38 183 SF - - 0 Dd 1 66 1 211 (empty) -1300475168.894422 CykQaM33ztNt0csB9a 141.142.220.118 48479 141.142.2.2 53 udp - 0.000317 52 99 SF - - 0 Dd 1 80 1 127 (empty) -1300475169.899438 CtxTCR2Yer0FR1tIBg 141.142.220.44 5353 224.0.0.251 5353 udp - - - - S0 - - 0 D 1 85 0 0 (empty) -1300475170.862384 CpmdRlaUoJLN3uIRa 141.142.220.226 137 141.142.220.255 137 udp - 2.613017 350 0 S0 - - 0 D 7 546 0 0 (empty) -1300475168.892414 C1Xkzz2MaGtLrc1Tla 141.142.220.118 59746 141.142.2.2 53 udp - 0.000421 38 183 SF - - 0 Dd 1 66 1 211 (empty) -1300475168.858306 CqlVyW1YwZ15RhTBc4 141.142.220.118 59816 141.142.2.2 53 udp - 0.000343 52 99 SF - - 0 Dd 1 80 1 127 (empty) -1300475167.097012 CLNN1k2QMum1aexUK7 fe80::217:f2ff:fed7:cf65 5353 ff02::fb 5353 udp - - - - S0 - - 0 D 1 199 0 0 (empty) -1300475173.117362 CBA8792iHmnhPLksKa 141.142.220.226 55671 224.0.0.252 5355 udp - 0.099849 66 0 S0 - - 0 D 2 122 0 0 (empty) -1300475173.153679 CGLPPc35OzDQij1XX8 141.142.220.238 56641 141.142.220.255 137 udp - - - - S0 - - 0 D 1 78 0 0 (empty) -1300475168.892037 CiyBAq1bBLNaTiTAc 141.142.220.118 38911 141.142.2.2 53 udp - 0.000335 52 99 SF - - 0 Dd 1 80 1 127 (empty) -1300475171.675372 CFSwNi4CNGxcuffo49 fe80::3074:17d5:2052:c324 65373 ff02::1:3 5355 udp - 0.100096 66 0 S0 - - 0 D 2 162 0 0 (empty) -1300475167.096535 Cipfzj1BEnhejw8cGf 141.142.220.202 5353 224.0.0.251 5353 udp - - - - S0 - - 0 D 1 73 0 0 (empty) 
-1300475168.854378 CV5WJ42jPYbNW9JNWf 141.142.220.118 37676 141.142.2.2 53 udp - 0.000420 52 99 SF - - 0 Dd 1 80 1 127 (empty) -1300475171.677081 CPhDKt12KQPUVbQz06 141.142.220.226 55131 224.0.0.252 5355 udp - 0.100021 66 0 S0 - - 0 D 2 122 0 0 (empty) -1300475173.116749 CAnFrb2Cvxr5T7quOc fe80::3074:17d5:2052:c324 54213 ff02::1:3 5355 udp - 0.099801 66 0 S0 - - 0 D 2 162 0 0 (empty) -1300475168.893988 C8rquZ3DjgNW06JGLl 141.142.220.118 45000 141.142.2.2 53 udp - 0.000384 38 89 SF - - 0 Dd 1 66 1 117 (empty) -1300475168.857956 CzrZOtXqhwwndQva3 141.142.220.118 32902 141.142.2.2 53 udp - 0.000317 38 89 SF - - 0 Dd 1 66 1 117 (empty) -1300475168.891644 CaGCc13FffXe6RkQl9 141.142.220.118 58206 141.142.2.2 53 udp - 0.000339 38 89 SF - - 0 Dd 1 66 1 117 (empty) +1300475169.780331 C3eiCBGOLw3VtHfOj 173.192.163.128 80 141.142.220.235 6705 tcp - - - - OTH - - 0 H 1 48 0 0 - +1300475168.892913 CmES5u32sYpV7JYN 141.142.220.118 49999 208.80.152.3 80 tcp - 0.220961 1137 733 S1 - - 0 ShADad 6 1457 4 949 - +1300475168.724007 CHhAvVGS1DHFjwGM9 141.142.220.118 48649 208.80.152.118 80 tcp - 0.119905 525 232 S1 - - 0 ShADad 4 741 3 396 - +1300475168.855330 ClEkJM2Vm5giqnMf4h 141.142.220.118 49997 208.80.152.3 80 tcp - 0.219720 1125 734 S1 - - 0 ShADad 6 1445 4 950 - +1300475168.855305 C4J4Th3PJpwUYZZ6gc 141.142.220.118 49996 208.80.152.3 80 tcp - 0.218501 1171 733 S1 - - 0 ShADad 6 1491 4 949 - +1300475168.652003 CwjjYJ2WqgTbAqiHl6 141.142.220.118 35634 208.80.152.2 80 tcp - 0.061329 463 350 OTH - - 0 DdA 2 567 1 402 - +1300475168.902635 C37jN32gN3y3AZzyf6 141.142.220.118 35642 208.80.152.2 80 tcp - 0.120041 534 412 S1 - - 0 ShADad 4 750 3 576 - +1300475168.859163 CtPZjS20MLrsMUOJi2 141.142.220.118 49998 208.80.152.3 80 tcp - 0.215893 1130 734 S1 - - 0 ShADad 6 1450 4 950 - +1300475168.892936 CUM0KZ3MLUfNB0cl11 141.142.220.118 50000 208.80.152.3 80 tcp - 0.229603 1148 734 S1 - - 0 ShADad 6 1468 4 950 - +1300475168.895267 CP5puj4I8PtEU4qzYg 141.142.220.118 50001 208.80.152.3 80 tcp - 
0.227284 1178 734 S1 - - 0 ShADad 6 1498 4 950 - +1300475168.853899 C0LAHyvtKSQHyJxIl 141.142.220.118 43927 141.142.2.2 53 udp - 0.000435 38 89 SF - - 0 Dd 1 66 1 117 - +1300475168.901749 CFLRIC3zaTU1loLGxh 141.142.220.118 56056 141.142.2.2 53 udp - 0.000402 36 131 SF - - 0 Dd 1 64 1 159 - +1300475168.902195 C9rXSW3KSpTYvPrlI1 141.142.220.118 55092 141.142.2.2 53 udp - 0.000374 36 198 SF - - 0 Dd 1 64 1 226 - +1300475168.858713 Ck51lg1bScffFj34Ri 141.142.220.118 59714 141.142.2.2 53 udp - 0.000375 38 183 SF - - 0 Dd 1 66 1 211 - +1300475167.099816 C9mvWx3ezztgzcexV7 141.142.220.50 5353 224.0.0.251 5353 udp - - - - S0 - - 0 D 1 179 0 0 - +1300475168.854837 CNnMIj2QSd84NKf7U3 141.142.220.118 40526 141.142.2.2 53 udp - 0.000392 38 183 SF - - 0 Dd 1 66 1 211 - +1300475168.894787 C7fIlMZDuRiqjpYbb 141.142.220.118 48128 141.142.2.2 53 udp - 0.000423 38 183 SF - - 0 Dd 1 66 1 211 - +1300475168.894422 CykQaM33ztNt0csB9a 141.142.220.118 48479 141.142.2.2 53 udp - 0.000317 52 99 SF - - 0 Dd 1 80 1 127 - +1300475169.899438 CtxTCR2Yer0FR1tIBg 141.142.220.44 5353 224.0.0.251 5353 udp - - - - S0 - - 0 D 1 85 0 0 - +1300475170.862384 CpmdRlaUoJLN3uIRa 141.142.220.226 137 141.142.220.255 137 udp - 2.613017 350 0 S0 - - 0 D 7 546 0 0 - +1300475168.892414 C1Xkzz2MaGtLrc1Tla 141.142.220.118 59746 141.142.2.2 53 udp - 0.000421 38 183 SF - - 0 Dd 1 66 1 211 - +1300475168.858306 CqlVyW1YwZ15RhTBc4 141.142.220.118 59816 141.142.2.2 53 udp - 0.000343 52 99 SF - - 0 Dd 1 80 1 127 - +1300475167.097012 CLNN1k2QMum1aexUK7 fe80::217:f2ff:fed7:cf65 5353 ff02::fb 5353 udp - - - - S0 - - 0 D 1 199 0 0 - +1300475173.117362 CBA8792iHmnhPLksKa 141.142.220.226 55671 224.0.0.252 5355 udp - 0.099849 66 0 S0 - - 0 D 2 122 0 0 - +1300475173.153679 CGLPPc35OzDQij1XX8 141.142.220.238 56641 141.142.220.255 137 udp - - - - S0 - - 0 D 1 78 0 0 - +1300475168.892037 CiyBAq1bBLNaTiTAc 141.142.220.118 38911 141.142.2.2 53 udp - 0.000335 52 99 SF - - 0 Dd 1 80 1 127 - +1300475171.675372 CFSwNi4CNGxcuffo49 
fe80::3074:17d5:2052:c324 65373 ff02::1:3 5355 udp - 0.100096 66 0 S0 - - 0 D 2 162 0 0 - +1300475167.096535 Cipfzj1BEnhejw8cGf 141.142.220.202 5353 224.0.0.251 5353 udp - - - - S0 - - 0 D 1 73 0 0 - +1300475168.854378 CV5WJ42jPYbNW9JNWf 141.142.220.118 37676 141.142.2.2 53 udp - 0.000420 52 99 SF - - 0 Dd 1 80 1 127 - +1300475171.677081 CPhDKt12KQPUVbQz06 141.142.220.226 55131 224.0.0.252 5355 udp - 0.100021 66 0 S0 - - 0 D 2 122 0 0 - +1300475173.116749 CAnFrb2Cvxr5T7quOc fe80::3074:17d5:2052:c324 54213 ff02::1:3 5355 udp - 0.099801 66 0 S0 - - 0 D 2 162 0 0 - +1300475168.893988 C8rquZ3DjgNW06JGLl 141.142.220.118 45000 141.142.2.2 53 udp - 0.000384 38 89 SF - - 0 Dd 1 66 1 117 - +1300475168.857956 CzrZOtXqhwwndQva3 141.142.220.118 32902 141.142.2.2 53 udp - 0.000317 38 89 SF - - 0 Dd 1 66 1 117 - +1300475168.891644 CaGCc13FffXe6RkQl9 141.142.220.118 58206 141.142.2.2 53 udp - 0.000339 38 89 SF - - 0 Dd 1 66 1 117 - #close 2016-08-10-16-53-04 diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.scope_sep_and_field_name_map/conn.log b/testing/btest/Baseline/scripts.base.frameworks.logging.scope_sep_and_field_name_map/conn.log index e52c0ce6bd..36afb8856c 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.logging.scope_sep_and_field_name_map/conn.log +++ b/testing/btest/Baseline/scripts.base.frameworks.logging.scope_sep_and_field_name_map/conn.log 
@@ -6,38 +6,38 @@ #open 2016-08-10-16-53-37 #fields ts uid src src_port dst dst_port proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] -1300475169.780331 C3eiCBGOLw3VtHfOj 173.192.163.128 80 141.142.220.235 6705 tcp - - - - OTH - - 0 H 1 48 0 0 (empty) -1300475168.892913 CmES5u32sYpV7JYN 141.142.220.118 49999 208.80.152.3 80 tcp - 0.220961 1137 733 S1 - - 0 ShADad 6 1457 4 949 (empty) -1300475168.724007 CHhAvVGS1DHFjwGM9 141.142.220.118 48649 208.80.152.118 80 tcp - 0.119905 525 232 S1 - - 0 ShADad 4 741 3 396 (empty) -1300475168.855330 ClEkJM2Vm5giqnMf4h 141.142.220.118 49997 208.80.152.3 80 tcp - 0.219720 1125 734 S1 - - 0 ShADad 6 1445 4 950 (empty) -1300475168.855305 C4J4Th3PJpwUYZZ6gc 141.142.220.118 49996 208.80.152.3 80 tcp - 0.218501 1171 733 S1 - - 0 ShADad 6 1491 4 949 (empty) -1300475168.652003 CwjjYJ2WqgTbAqiHl6 141.142.220.118 35634 208.80.152.2 80 tcp - 0.061329 463 350 OTH - - 0 DdA 2 567 1 402 (empty) -1300475168.902635 C37jN32gN3y3AZzyf6 141.142.220.118 35642 208.80.152.2 80 tcp - 0.120041 534 412 S1 - - 0 ShADad 4 750 3 576 (empty) -1300475168.859163 CtPZjS20MLrsMUOJi2 141.142.220.118 49998 208.80.152.3 80 tcp - 0.215893 1130 734 S1 - - 0 ShADad 6 1450 4 950 (empty) -1300475168.892936 CUM0KZ3MLUfNB0cl11 141.142.220.118 50000 208.80.152.3 80 tcp - 0.229603 1148 734 S1 - - 0 ShADad 6 1468 4 950 (empty) -1300475168.895267 CP5puj4I8PtEU4qzYg 141.142.220.118 50001 208.80.152.3 80 tcp - 0.227284 1178 734 S1 - - 0 ShADad 6 1498 4 950 (empty) -1300475168.853899 C0LAHyvtKSQHyJxIl 141.142.220.118 43927 141.142.2.2 53 udp - 0.000435 38 89 SF - - 0 Dd 1 66 1 117 (empty) -1300475168.901749 CFLRIC3zaTU1loLGxh 141.142.220.118 56056 141.142.2.2 53 udp - 0.000402 36 131 SF - - 0 Dd 1 64 1 159 (empty) -1300475168.902195 
C9rXSW3KSpTYvPrlI1 141.142.220.118 55092 141.142.2.2 53 udp - 0.000374 36 198 SF - - 0 Dd 1 64 1 226 (empty) -1300475168.858713 Ck51lg1bScffFj34Ri 141.142.220.118 59714 141.142.2.2 53 udp - 0.000375 38 183 SF - - 0 Dd 1 66 1 211 (empty) -1300475167.099816 C9mvWx3ezztgzcexV7 141.142.220.50 5353 224.0.0.251 5353 udp - - - - S0 - - 0 D 1 179 0 0 (empty) -1300475168.854837 CNnMIj2QSd84NKf7U3 141.142.220.118 40526 141.142.2.2 53 udp - 0.000392 38 183 SF - - 0 Dd 1 66 1 211 (empty) -1300475168.894787 C7fIlMZDuRiqjpYbb 141.142.220.118 48128 141.142.2.2 53 udp - 0.000423 38 183 SF - - 0 Dd 1 66 1 211 (empty) -1300475168.894422 CykQaM33ztNt0csB9a 141.142.220.118 48479 141.142.2.2 53 udp - 0.000317 52 99 SF - - 0 Dd 1 80 1 127 (empty) -1300475169.899438 CtxTCR2Yer0FR1tIBg 141.142.220.44 5353 224.0.0.251 5353 udp - - - - S0 - - 0 D 1 85 0 0 (empty) -1300475170.862384 CpmdRlaUoJLN3uIRa 141.142.220.226 137 141.142.220.255 137 udp - 2.613017 350 0 S0 - - 0 D 7 546 0 0 (empty) -1300475168.892414 C1Xkzz2MaGtLrc1Tla 141.142.220.118 59746 141.142.2.2 53 udp - 0.000421 38 183 SF - - 0 Dd 1 66 1 211 (empty) -1300475168.858306 CqlVyW1YwZ15RhTBc4 141.142.220.118 59816 141.142.2.2 53 udp - 0.000343 52 99 SF - - 0 Dd 1 80 1 127 (empty) -1300475167.097012 CLNN1k2QMum1aexUK7 fe80::217:f2ff:fed7:cf65 5353 ff02::fb 5353 udp - - - - S0 - - 0 D 1 199 0 0 (empty) -1300475173.117362 CBA8792iHmnhPLksKa 141.142.220.226 55671 224.0.0.252 5355 udp - 0.099849 66 0 S0 - - 0 D 2 122 0 0 (empty) -1300475173.153679 CGLPPc35OzDQij1XX8 141.142.220.238 56641 141.142.220.255 137 udp - - - - S0 - - 0 D 1 78 0 0 (empty) -1300475168.892037 CiyBAq1bBLNaTiTAc 141.142.220.118 38911 141.142.2.2 53 udp - 0.000335 52 99 SF - - 0 Dd 1 80 1 127 (empty) -1300475171.675372 CFSwNi4CNGxcuffo49 fe80::3074:17d5:2052:c324 65373 ff02::1:3 5355 udp - 0.100096 66 0 S0 - - 0 D 2 162 0 0 (empty) -1300475167.096535 Cipfzj1BEnhejw8cGf 141.142.220.202 5353 224.0.0.251 5353 udp - - - - S0 - - 0 D 1 73 0 0 (empty) -1300475168.854378 
CV5WJ42jPYbNW9JNWf 141.142.220.118 37676 141.142.2.2 53 udp - 0.000420 52 99 SF - - 0 Dd 1 80 1 127 (empty) -1300475171.677081 CPhDKt12KQPUVbQz06 141.142.220.226 55131 224.0.0.252 5355 udp - 0.100021 66 0 S0 - - 0 D 2 122 0 0 (empty) -1300475173.116749 CAnFrb2Cvxr5T7quOc fe80::3074:17d5:2052:c324 54213 ff02::1:3 5355 udp - 0.099801 66 0 S0 - - 0 D 2 162 0 0 (empty) -1300475168.893988 C8rquZ3DjgNW06JGLl 141.142.220.118 45000 141.142.2.2 53 udp - 0.000384 38 89 SF - - 0 Dd 1 66 1 117 (empty) -1300475168.857956 CzrZOtXqhwwndQva3 141.142.220.118 32902 141.142.2.2 53 udp - 0.000317 38 89 SF - - 0 Dd 1 66 1 117 (empty) -1300475168.891644 CaGCc13FffXe6RkQl9 141.142.220.118 58206 141.142.2.2 53 udp - 0.000339 38 89 SF - - 0 Dd 1 66 1 117 (empty) +1300475169.780331 C3eiCBGOLw3VtHfOj 173.192.163.128 80 141.142.220.235 6705 tcp - - - - OTH - - 0 H 1 48 0 0 - +1300475168.892913 CmES5u32sYpV7JYN 141.142.220.118 49999 208.80.152.3 80 tcp - 0.220961 1137 733 S1 - - 0 ShADad 6 1457 4 949 - +1300475168.724007 CHhAvVGS1DHFjwGM9 141.142.220.118 48649 208.80.152.118 80 tcp - 0.119905 525 232 S1 - - 0 ShADad 4 741 3 396 - +1300475168.855330 ClEkJM2Vm5giqnMf4h 141.142.220.118 49997 208.80.152.3 80 tcp - 0.219720 1125 734 S1 - - 0 ShADad 6 1445 4 950 - +1300475168.855305 C4J4Th3PJpwUYZZ6gc 141.142.220.118 49996 208.80.152.3 80 tcp - 0.218501 1171 733 S1 - - 0 ShADad 6 1491 4 949 - +1300475168.652003 CwjjYJ2WqgTbAqiHl6 141.142.220.118 35634 208.80.152.2 80 tcp - 0.061329 463 350 OTH - - 0 DdA 2 567 1 402 - +1300475168.902635 C37jN32gN3y3AZzyf6 141.142.220.118 35642 208.80.152.2 80 tcp - 0.120041 534 412 S1 - - 0 ShADad 4 750 3 576 - +1300475168.859163 CtPZjS20MLrsMUOJi2 141.142.220.118 49998 208.80.152.3 80 tcp - 0.215893 1130 734 S1 - - 0 ShADad 6 1450 4 950 - +1300475168.892936 CUM0KZ3MLUfNB0cl11 141.142.220.118 50000 208.80.152.3 80 tcp - 0.229603 1148 734 S1 - - 0 ShADad 6 1468 4 950 - +1300475168.895267 CP5puj4I8PtEU4qzYg 141.142.220.118 50001 208.80.152.3 80 tcp - 0.227284 1178 734 
S1 - - 0 ShADad 6 1498 4 950 - +1300475168.853899 C0LAHyvtKSQHyJxIl 141.142.220.118 43927 141.142.2.2 53 udp - 0.000435 38 89 SF - - 0 Dd 1 66 1 117 - +1300475168.901749 CFLRIC3zaTU1loLGxh 141.142.220.118 56056 141.142.2.2 53 udp - 0.000402 36 131 SF - - 0 Dd 1 64 1 159 - +1300475168.902195 C9rXSW3KSpTYvPrlI1 141.142.220.118 55092 141.142.2.2 53 udp - 0.000374 36 198 SF - - 0 Dd 1 64 1 226 - +1300475168.858713 Ck51lg1bScffFj34Ri 141.142.220.118 59714 141.142.2.2 53 udp - 0.000375 38 183 SF - - 0 Dd 1 66 1 211 - +1300475167.099816 C9mvWx3ezztgzcexV7 141.142.220.50 5353 224.0.0.251 5353 udp - - - - S0 - - 0 D 1 179 0 0 - +1300475168.854837 CNnMIj2QSd84NKf7U3 141.142.220.118 40526 141.142.2.2 53 udp - 0.000392 38 183 SF - - 0 Dd 1 66 1 211 - +1300475168.894787 C7fIlMZDuRiqjpYbb 141.142.220.118 48128 141.142.2.2 53 udp - 0.000423 38 183 SF - - 0 Dd 1 66 1 211 - +1300475168.894422 CykQaM33ztNt0csB9a 141.142.220.118 48479 141.142.2.2 53 udp - 0.000317 52 99 SF - - 0 Dd 1 80 1 127 - +1300475169.899438 CtxTCR2Yer0FR1tIBg 141.142.220.44 5353 224.0.0.251 5353 udp - - - - S0 - - 0 D 1 85 0 0 - +1300475170.862384 CpmdRlaUoJLN3uIRa 141.142.220.226 137 141.142.220.255 137 udp - 2.613017 350 0 S0 - - 0 D 7 546 0 0 - +1300475168.892414 C1Xkzz2MaGtLrc1Tla 141.142.220.118 59746 141.142.2.2 53 udp - 0.000421 38 183 SF - - 0 Dd 1 66 1 211 - +1300475168.858306 CqlVyW1YwZ15RhTBc4 141.142.220.118 59816 141.142.2.2 53 udp - 0.000343 52 99 SF - - 0 Dd 1 80 1 127 - +1300475167.097012 CLNN1k2QMum1aexUK7 fe80::217:f2ff:fed7:cf65 5353 ff02::fb 5353 udp - - - - S0 - - 0 D 1 199 0 0 - +1300475173.117362 CBA8792iHmnhPLksKa 141.142.220.226 55671 224.0.0.252 5355 udp - 0.099849 66 0 S0 - - 0 D 2 122 0 0 - +1300475173.153679 CGLPPc35OzDQij1XX8 141.142.220.238 56641 141.142.220.255 137 udp - - - - S0 - - 0 D 1 78 0 0 - +1300475168.892037 CiyBAq1bBLNaTiTAc 141.142.220.118 38911 141.142.2.2 53 udp - 0.000335 52 99 SF - - 0 Dd 1 80 1 127 - +1300475171.675372 CFSwNi4CNGxcuffo49 fe80::3074:17d5:2052:c324 
65373 ff02::1:3 5355 udp - 0.100096 66 0 S0 - - 0 D 2 162 0 0 - +1300475167.096535 Cipfzj1BEnhejw8cGf 141.142.220.202 5353 224.0.0.251 5353 udp - - - - S0 - - 0 D 1 73 0 0 - +1300475168.854378 CV5WJ42jPYbNW9JNWf 141.142.220.118 37676 141.142.2.2 53 udp - 0.000420 52 99 SF - - 0 Dd 1 80 1 127 - +1300475171.677081 CPhDKt12KQPUVbQz06 141.142.220.226 55131 224.0.0.252 5355 udp - 0.100021 66 0 S0 - - 0 D 2 122 0 0 - +1300475173.116749 CAnFrb2Cvxr5T7quOc fe80::3074:17d5:2052:c324 54213 ff02::1:3 5355 udp - 0.099801 66 0 S0 - - 0 D 2 162 0 0 - +1300475168.893988 C8rquZ3DjgNW06JGLl 141.142.220.118 45000 141.142.2.2 53 udp - 0.000384 38 89 SF - - 0 Dd 1 66 1 117 - +1300475168.857956 CzrZOtXqhwwndQva3 141.142.220.118 32902 141.142.2.2 53 udp - 0.000317 38 89 SF - - 0 Dd 1 66 1 117 - +1300475168.891644 CaGCc13FffXe6RkQl9 141.142.220.118 58206 141.142.2.2 53 udp - 0.000339 38 89 SF - - 0 Dd 1 66 1 117 - #close 2016-08-10-16-53-37 diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.sqlite.wikipedia/conn.select b/testing/btest/Baseline/scripts.base.frameworks.logging.sqlite.wikipedia/conn.select index 2d2aab7e90..f1c0099e40 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.logging.sqlite.wikipedia/conn.select +++ b/testing/btest/Baseline/scripts.base.frameworks.logging.sqlite.wikipedia/conn.select 
@@ -1,34 +1,34 @@ -1300475167.09653|CHhAvVGS1DHFjwGM9|141.142.220.202|5353|224.0.0.251|5353|udp|dns||||S0|||0|D|1|73|0|0|(empty) -1300475167.09701|ClEkJM2Vm5giqnMf4h|fe80::217:f2ff:fed7:cf65|5353|ff02::fb|5353|udp|dns||||S0|||0|D|1|199|0|0|(empty) -1300475167.09982|C4J4Th3PJpwUYZZ6gc|141.142.220.50|5353|224.0.0.251|5353|udp|dns||||S0|||0|D|1|179|0|0|(empty) -1300475168.652|CtPZjS20MLrsMUOJi2|141.142.220.118|35634|208.80.152.2|80|tcp||0.0613288879394531|463|350|OTH|||0|DdA|2|567|1|402|(empty) -1300475168.72401|CUM0KZ3MLUfNB0cl11|141.142.220.118|48649|208.80.152.118|80|tcp|http|0.1199049949646|525|232|S1|||0|ShADad|4|741|3|396|(empty) -1300475168.8539|CmES5u32sYpV7JYN|141.142.220.118|43927|141.142.2.2|53|udp|dns|0.000435113906860352|38|89|SF|||0|Dd|1|66|1|117|(empty) -1300475168.85438|CP5puj4I8PtEU4qzYg|141.142.220.118|37676|141.142.2.2|53|udp|dns|0.000420093536376953|52|99|SF|||0|Dd|1|80|1|127|(empty) -1300475168.85484|C37jN32gN3y3AZzyf6|141.142.220.118|40526|141.142.2.2|53|udp|dns|0.000391960144042969|38|183|SF|||0|Dd|1|66|1|211|(empty) -1300475168.8553|C3eiCBGOLw3VtHfOj|141.142.220.118|49996|208.80.152.3|80|tcp|http|0.218501091003418|1171|733|S1|||0|ShADad|6|1491|4|949|(empty) -1300475168.85533|CwjjYJ2WqgTbAqiHl6|141.142.220.118|49997|208.80.152.3|80|tcp|http|0.219720125198364|1125|734|S1|||0|ShADad|6|1445|4|950|(empty) -1300475168.85796|C0LAHyvtKSQHyJxIl|141.142.220.118|32902|141.142.2.2|53|udp|dns|0.000317096710205078|38|89|SF|||0|Dd|1|66|1|117|(empty) -1300475168.85831|CFLRIC3zaTU1loLGxh|141.142.220.118|59816|141.142.2.2|53|udp|dns|0.000343084335327148|52|99|SF|||0|Dd|1|80|1|127|(empty) -1300475168.85871|C9rXSW3KSpTYvPrlI1|141.142.220.118|59714|141.142.2.2|53|udp|dns|0.000375032424926758|38|183|SF|||0|Dd|1|66|1|211|(empty) -1300475168.85916|Ck51lg1bScffFj34Ri|141.142.220.118|49998|208.80.152.3|80|tcp|http|0.215893030166626|1130|734|S1|||0|ShADad|6|1450|4|950|(empty) 
-1300475168.89164|C9mvWx3ezztgzcexV7|141.142.220.118|58206|141.142.2.2|53|udp|dns|0.000339031219482422|38|89|SF|||0|Dd|1|66|1|117|(empty) -1300475168.89204|CNnMIj2QSd84NKf7U3|141.142.220.118|38911|141.142.2.2|53|udp|dns|0.000334978103637695|52|99|SF|||0|Dd|1|80|1|127|(empty) -1300475168.89241|C7fIlMZDuRiqjpYbb|141.142.220.118|59746|141.142.2.2|53|udp|dns|0.000420808792114258|38|183|SF|||0|Dd|1|66|1|211|(empty) -1300475168.89291|CykQaM33ztNt0csB9a|141.142.220.118|49999|208.80.152.3|80|tcp|http|0.220960855484009|1137|733|S1|||0|ShADad|6|1457|4|949|(empty) -1300475168.89294|CtxTCR2Yer0FR1tIBg|141.142.220.118|50000|208.80.152.3|80|tcp|http|0.229603052139282|1148|734|S1|||0|ShADad|6|1468|4|950|(empty) -1300475168.89399|CpmdRlaUoJLN3uIRa|141.142.220.118|45000|141.142.2.2|53|udp|dns|0.000384092330932617|38|89|SF|||0|Dd|1|66|1|117|(empty) -1300475168.89442|C1Xkzz2MaGtLrc1Tla|141.142.220.118|48479|141.142.2.2|53|udp|dns|0.000316858291625977|52|99|SF|||0|Dd|1|80|1|127|(empty) -1300475168.89479|CqlVyW1YwZ15RhTBc4|141.142.220.118|48128|141.142.2.2|53|udp|dns|0.000422954559326172|38|183|SF|||0|Dd|1|66|1|211|(empty) -1300475168.89527|CLNN1k2QMum1aexUK7|141.142.220.118|50001|208.80.152.3|80|tcp|http|0.227283954620361|1178|734|S1|||0|ShADad|6|1498|4|950|(empty) -1300475168.90175|CBA8792iHmnhPLksKa|141.142.220.118|56056|141.142.2.2|53|udp|dns|0.000402212142944336|36|131|SF|||0|Dd|1|64|1|159|(empty) -1300475168.90219|CGLPPc35OzDQij1XX8|141.142.220.118|55092|141.142.2.2|53|udp|dns|0.000374078750610352|36|198|SF|||0|Dd|1|64|1|226|(empty) -1300475168.90264|CiyBAq1bBLNaTiTAc|141.142.220.118|35642|208.80.152.2|80|tcp|http|0.120040893554688|534|412|S1|||0|ShADad|4|750|3|576|(empty) -1300475169.78033|CFSwNi4CNGxcuffo49|141.142.220.235|6705|173.192.163.128|80|tcp|||||OTH|||0|^h|0|0|1|48|(empty) -1300475169.89944|Cipfzj1BEnhejw8cGf|141.142.220.44|5353|224.0.0.251|5353|udp|dns||||S0|||0|D|1|85|0|0|(empty) 
-1300475170.86238|CV5WJ42jPYbNW9JNWf|141.142.220.226|137|141.142.220.255|137|udp|dns|2.61301684379578|350|0|S0|||0|D|7|546|0|0|(empty) -1300475171.67537|CPhDKt12KQPUVbQz06|fe80::3074:17d5:2052:c324|65373|ff02::1:3|5355|udp|dns|0.100096225738525|66|0|S0|||0|D|2|162|0|0|(empty) -1300475171.67708|CAnFrb2Cvxr5T7quOc|141.142.220.226|55131|224.0.0.252|5355|udp|dns|0.100020885467529|66|0|S0|||0|D|2|122|0|0|(empty) -1300475173.11675|C8rquZ3DjgNW06JGLl|fe80::3074:17d5:2052:c324|54213|ff02::1:3|5355|udp|dns|0.0998010635375977|66|0|S0|||0|D|2|162|0|0|(empty) -1300475173.11736|CzrZOtXqhwwndQva3|141.142.220.226|55671|224.0.0.252|5355|udp|dns|0.0998489856719971|66|0|S0|||0|D|2|122|0|0|(empty) -1300475173.15368|CaGCc13FffXe6RkQl9|141.142.220.238|56641|141.142.220.255|137|udp|dns||||S0|||0|D|1|78|0|0|(empty) +1300475167.09653|CHhAvVGS1DHFjwGM9|141.142.220.202|5353|224.0.0.251|5353|udp|dns||||S0|||0|D|1|73|0|0| +1300475167.09701|ClEkJM2Vm5giqnMf4h|fe80::217:f2ff:fed7:cf65|5353|ff02::fb|5353|udp|dns||||S0|||0|D|1|199|0|0| +1300475167.09982|C4J4Th3PJpwUYZZ6gc|141.142.220.50|5353|224.0.0.251|5353|udp|dns||||S0|||0|D|1|179|0|0| +1300475168.652|CtPZjS20MLrsMUOJi2|141.142.220.118|35634|208.80.152.2|80|tcp||0.0613288879394531|463|350|OTH|||0|DdA|2|567|1|402| +1300475168.72401|CUM0KZ3MLUfNB0cl11|141.142.220.118|48649|208.80.152.118|80|tcp|http|0.1199049949646|525|232|S1|||0|ShADad|4|741|3|396| +1300475168.8539|CmES5u32sYpV7JYN|141.142.220.118|43927|141.142.2.2|53|udp|dns|0.000435113906860352|38|89|SF|||0|Dd|1|66|1|117| +1300475168.85438|CP5puj4I8PtEU4qzYg|141.142.220.118|37676|141.142.2.2|53|udp|dns|0.000420093536376953|52|99|SF|||0|Dd|1|80|1|127| +1300475168.85484|C37jN32gN3y3AZzyf6|141.142.220.118|40526|141.142.2.2|53|udp|dns|0.000391960144042969|38|183|SF|||0|Dd|1|66|1|211| +1300475168.8553|C3eiCBGOLw3VtHfOj|141.142.220.118|49996|208.80.152.3|80|tcp|http|0.218501091003418|1171|733|S1|||0|ShADad|6|1491|4|949| 
+1300475168.85533|CwjjYJ2WqgTbAqiHl6|141.142.220.118|49997|208.80.152.3|80|tcp|http|0.219720125198364|1125|734|S1|||0|ShADad|6|1445|4|950| +1300475168.85796|C0LAHyvtKSQHyJxIl|141.142.220.118|32902|141.142.2.2|53|udp|dns|0.000317096710205078|38|89|SF|||0|Dd|1|66|1|117| +1300475168.85831|CFLRIC3zaTU1loLGxh|141.142.220.118|59816|141.142.2.2|53|udp|dns|0.000343084335327148|52|99|SF|||0|Dd|1|80|1|127| +1300475168.85871|C9rXSW3KSpTYvPrlI1|141.142.220.118|59714|141.142.2.2|53|udp|dns|0.000375032424926758|38|183|SF|||0|Dd|1|66|1|211| +1300475168.85916|Ck51lg1bScffFj34Ri|141.142.220.118|49998|208.80.152.3|80|tcp|http|0.215893030166626|1130|734|S1|||0|ShADad|6|1450|4|950| +1300475168.89164|C9mvWx3ezztgzcexV7|141.142.220.118|58206|141.142.2.2|53|udp|dns|0.000339031219482422|38|89|SF|||0|Dd|1|66|1|117| +1300475168.89204|CNnMIj2QSd84NKf7U3|141.142.220.118|38911|141.142.2.2|53|udp|dns|0.000334978103637695|52|99|SF|||0|Dd|1|80|1|127| +1300475168.89241|C7fIlMZDuRiqjpYbb|141.142.220.118|59746|141.142.2.2|53|udp|dns|0.000420808792114258|38|183|SF|||0|Dd|1|66|1|211| +1300475168.89291|CykQaM33ztNt0csB9a|141.142.220.118|49999|208.80.152.3|80|tcp|http|0.220960855484009|1137|733|S1|||0|ShADad|6|1457|4|949| +1300475168.89294|CtxTCR2Yer0FR1tIBg|141.142.220.118|50000|208.80.152.3|80|tcp|http|0.229603052139282|1148|734|S1|||0|ShADad|6|1468|4|950| +1300475168.89399|CpmdRlaUoJLN3uIRa|141.142.220.118|45000|141.142.2.2|53|udp|dns|0.000384092330932617|38|89|SF|||0|Dd|1|66|1|117| +1300475168.89442|C1Xkzz2MaGtLrc1Tla|141.142.220.118|48479|141.142.2.2|53|udp|dns|0.000316858291625977|52|99|SF|||0|Dd|1|80|1|127| +1300475168.89479|CqlVyW1YwZ15RhTBc4|141.142.220.118|48128|141.142.2.2|53|udp|dns|0.000422954559326172|38|183|SF|||0|Dd|1|66|1|211| +1300475168.89527|CLNN1k2QMum1aexUK7|141.142.220.118|50001|208.80.152.3|80|tcp|http|0.227283954620361|1178|734|S1|||0|ShADad|6|1498|4|950| 
+1300475168.90175|CBA8792iHmnhPLksKa|141.142.220.118|56056|141.142.2.2|53|udp|dns|0.000402212142944336|36|131|SF|||0|Dd|1|64|1|159| +1300475168.90219|CGLPPc35OzDQij1XX8|141.142.220.118|55092|141.142.2.2|53|udp|dns|0.000374078750610352|36|198|SF|||0|Dd|1|64|1|226| +1300475168.90264|CiyBAq1bBLNaTiTAc|141.142.220.118|35642|208.80.152.2|80|tcp|http|0.120040893554688|534|412|S1|||0|ShADad|4|750|3|576| +1300475169.78033|CFSwNi4CNGxcuffo49|141.142.220.235|6705|173.192.163.128|80|tcp|||||OTH|||0|^h|0|0|1|48| +1300475169.89944|Cipfzj1BEnhejw8cGf|141.142.220.44|5353|224.0.0.251|5353|udp|dns||||S0|||0|D|1|85|0|0| +1300475170.86238|CV5WJ42jPYbNW9JNWf|141.142.220.226|137|141.142.220.255|137|udp|dns|2.61301684379578|350|0|S0|||0|D|7|546|0|0| +1300475171.67537|CPhDKt12KQPUVbQz06|fe80::3074:17d5:2052:c324|65373|ff02::1:3|5355|udp|dns|0.100096225738525|66|0|S0|||0|D|2|162|0|0| +1300475171.67708|CAnFrb2Cvxr5T7quOc|141.142.220.226|55131|224.0.0.252|5355|udp|dns|0.100020885467529|66|0|S0|||0|D|2|122|0|0| +1300475173.11675|C8rquZ3DjgNW06JGLl|fe80::3074:17d5:2052:c324|54213|ff02::1:3|5355|udp|dns|0.0998010635375977|66|0|S0|||0|D|2|162|0|0| +1300475173.11736|CzrZOtXqhwwndQva3|141.142.220.226|55671|224.0.0.252|5355|udp|dns|0.0998489856719971|66|0|S0|||0|D|2|122|0|0| +1300475173.15368|CaGCc13FffXe6RkQl9|141.142.220.238|56641|141.142.220.255|137|udp|dns||||S0|||0|D|1|78|0|0| diff --git a/testing/btest/Baseline/scripts.base.frameworks.netcontrol.acld-hook/recv.recv.out b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.acld-hook/recv.recv.out index d6d5c32fb2..b4ae6c9810 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.netcontrol.acld-hook/recv.recv.out +++ b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.acld-hook/recv.recv.out 
@@ -1,4 +1,4 @@
-Broker::incoming_connection_established
+Broker peer added
 add_rule, 0, [ty=NetControl::FLOW, conn=, flow=[src_h=192.168.18.50/32, src_p=, dst_h=74.125.239.97/32, dst_p=, src_m=, dst_m=], ip=, mac=], NetControl::DROP, [command=blockhosthost, cookie=2, arg=192.168.18.50 74.125.239.97, comment=here]
 add_rule, 0, [ty=NetControl::FLOW, conn=, flow=[src_h=, src_p=, dst_h=, dst_p=443/tcp, src_m=, dst_m=], ip=, mac=], NetControl::DROP, [command=droptcpport, cookie=3, arg=443, comment=there]
 add_rule, 0, [ty=NetControl::ADDRESS, conn=, flow=, ip=192.168.18.50/32, mac=], NetControl::DROP, [command=nullzero, cookie=4, arg=192.168.18.50/32, comment=]
diff --git a/testing/btest/Baseline/scripts.base.frameworks.netcontrol.acld-hook/send.send.out b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.acld-hook/send.send.out
index 5d8cb431f4..b348f04fc0 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.netcontrol.acld-hook/send.send.out
+++ b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.acld-hook/send.send.out
@@ -1,4 +1,4 @@
-Broker::outgoing_connection_established, 127.0.0.1, 9999/tcp
+Broker peer added, [address=127.0.0.1, bound_port=9999/tcp]
 rule added, [ty=NetControl::FLOW, conn=, flow=[src_h=192.168.18.50/32, src_p=, dst_h=74.125.239.97/32, dst_p=, src_m=, dst_m=], ip=, mac=], NetControl::DROP
 rule added, [ty=NetControl::FLOW, conn=, flow=[src_h=, src_p=, dst_h=, dst_p=443/tcp, src_m=, dst_m=], ip=, mac=], NetControl::DROP
 rule added, [ty=NetControl::ADDRESS, conn=, flow=, ip=192.168.18.50/32, mac=], NetControl::DROP
diff --git a/testing/btest/Baseline/scripts.base.frameworks.netcontrol.acld/recv.recv.out b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.acld/recv.recv.out
index f75f20ea28..b6e702c448 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.netcontrol.acld/recv.recv.out
+++ b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.acld/recv.recv.out
@@ -1,4 +1,4 @@
-Broker::incoming_connection_established
+Broker peer added
 add_rule, 0, [ty=NetControl::FLOW, conn=, flow=[src_h=192.168.18.50/32, src_p=, dst_h=74.125.239.97/32, dst_p=, src_m=, dst_m=], ip=, mac=], NetControl::DROP, [command=blockhosthost, cookie=2, arg=192.168.18.50 74.125.239.97, comment=here]
 add_rule, 0, [ty=NetControl::FLOW, conn=, flow=[src_h=, src_p=, dst_h=, dst_p=443/tcp, src_m=, dst_m=], ip=, mac=], NetControl::DROP, [command=droptcpport, cookie=3, arg=443, comment=there]
 add_rule, 0, [ty=NetControl::ADDRESS, conn=, flow=, ip=192.168.18.50/32, mac=], NetControl::DROP, [command=drop, cookie=4, arg=192.168.18.50/32, comment=]
diff --git a/testing/btest/Baseline/scripts.base.frameworks.netcontrol.acld/send.netcontrol.log b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.acld/send.netcontrol.log
index 70c1a28ee2..6170cb6ce0 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.netcontrol.acld/send.netcontrol.log
+++ b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.acld/send.netcontrol.log
@@ -3,23 +3,23 @@ #empty_field (empty) #unset_field - #path netcontrol -#open 2016-03-24-22-04-41 +#open 2017-04-07-17-26-05 #fields ts rule_id category cmd state action target entity_type entity mod msg priority expire location plugin #types time string enum string enum string enum string string string string int interval string string 0.000000 - NetControl::MESSAGE - - - - - - - activating plugin with priority 0 - - - Acld-bro/event/netcontroltest 0.000000 - NetControl::MESSAGE - - - - - - - waiting for plugins to initialize - - - - -1458857080.863419 - NetControl::MESSAGE - - - - - - - activation finished - - - Acld-bro/event/netcontroltest -1458857080.863419 - NetControl::MESSAGE - - - - - - - plugin initialization done - - - - -1458857080.887618 2 NetControl::RULE ADD NetControl::REQUESTED NetControl::DROP NetControl::FORWARD NetControl::FLOW 192.168.18.50/32/*->74.125.239.97/32/* - - 0 36000.000000 here Acld-bro/event/netcontroltest -1458857080.887618 3 NetControl::RULE ADD NetControl::REQUESTED NetControl::DROP NetControl::FORWARD NetControl::FLOW */*->*/443 - - 0 36000.000000 there Acld-bro/event/netcontroltest -1458857080.887618 4 NetControl::RULE ADD NetControl::REQUESTED NetControl::DROP NetControl::FORWARD NetControl::ADDRESS 192.168.18.50/32 - - 0 36000.000000 - Acld-bro/event/netcontroltest -1458857080.888169 2 NetControl::RULE ADD NetControl::SUCCEEDED NetControl::DROP NetControl::FORWARD NetControl::FLOW 192.168.18.50/32/*->74.125.239.97/32/* - blockhosthost 0 36000.000000 here Acld-bro/event/netcontroltest -1458857080.888169 2 NetControl::RULE REMOVE NetControl::REQUESTED NetControl::DROP NetControl::FORWARD NetControl::FLOW 192.168.18.50/32/*->74.125.239.97/32/* - - 0 36000.000000 here Acld-bro/event/netcontroltest -1458857080.888169 3 NetControl::RULE ADD NetControl::EXISTS NetControl::DROP NetControl::FORWARD NetControl::FLOW */*->*/443 - droptcpport 0 36000.000000 there Acld-bro/event/netcontroltest -1458857080.888169 3 NetControl::RULE REMOVE 
NetControl::REQUESTED NetControl::DROP NetControl::FORWARD NetControl::FLOW */*->*/443 - - 0 36000.000000 there Acld-bro/event/netcontroltest -1458857080.888169 4 NetControl::RULE ADD NetControl::SUCCEEDED NetControl::DROP NetControl::FORWARD NetControl::ADDRESS 192.168.18.50/32 - drop 0 36000.000000 - Acld-bro/event/netcontroltest -1458857080.888169 4 NetControl::RULE REMOVE NetControl::REQUESTED NetControl::DROP NetControl::FORWARD NetControl::ADDRESS 192.168.18.50/32 - - 0 36000.000000 - Acld-bro/event/netcontroltest -1458857080.888169 2 NetControl::RULE REMOVE NetControl::SUCCEEDED NetControl::DROP NetControl::FORWARD NetControl::FLOW 192.168.18.50/32/*->74.125.239.97/32/* - restorehosthost 0 36000.000000 here Acld-bro/event/netcontroltest -1458857080.888169 3 NetControl::RULE REMOVE NetControl::SUCCEEDED NetControl::DROP NetControl::FORWARD NetControl::FLOW */*->*/443 - restoretcpport 0 36000.000000 there Acld-bro/event/netcontroltest -1458857080.888169 4 NetControl::RULE REMOVE NetControl::SUCCEEDED NetControl::DROP NetControl::FORWARD NetControl::ADDRESS 192.168.18.50/32 - restore 0 36000.000000 - Acld-bro/event/netcontroltest -#close 2016-03-24-22-04-41 +1491585965.002956 - NetControl::MESSAGE - - - - - - - activation finished - - - Acld-bro/event/netcontroltest +1491585965.002956 - NetControl::MESSAGE - - - - - - - plugin initialization done - - - - +1491585965.027155 2 NetControl::RULE ADD NetControl::REQUESTED NetControl::DROP NetControl::FORWARD NetControl::FLOW 192.168.18.50/32/*->74.125.239.97/32/* - - 0 36000.000000 here Acld-bro/event/netcontroltest +1491585965.027155 3 NetControl::RULE ADD NetControl::REQUESTED NetControl::DROP NetControl::FORWARD NetControl::FLOW */*->*/443 - - 0 36000.000000 there Acld-bro/event/netcontroltest +1491585965.027155 4 NetControl::RULE ADD NetControl::REQUESTED NetControl::DROP NetControl::FORWARD NetControl::ADDRESS 192.168.18.50/32 - - 0 36000.000000 - Acld-bro/event/netcontroltest +1491585965.027706 2 
NetControl::RULE ADD NetControl::SUCCEEDED NetControl::DROP NetControl::FORWARD NetControl::FLOW 192.168.18.50/32/*->74.125.239.97/32/* - blockhosthost 0 36000.000000 here Acld-bro/event/netcontroltest +1491585965.027706 2 NetControl::RULE REMOVE NetControl::REQUESTED NetControl::DROP NetControl::FORWARD NetControl::FLOW 192.168.18.50/32/*->74.125.239.97/32/* - - 0 36000.000000 here Acld-bro/event/netcontroltest +1491585965.027706 3 NetControl::RULE ADD NetControl::EXISTS NetControl::DROP NetControl::FORWARD NetControl::FLOW */*->*/443 - droptcpport 0 36000.000000 there Acld-bro/event/netcontroltest +1491585965.027706 3 NetControl::RULE REMOVE NetControl::REQUESTED NetControl::DROP NetControl::FORWARD NetControl::FLOW */*->*/443 - - 0 36000.000000 there Acld-bro/event/netcontroltest +1491585965.027706 4 NetControl::RULE ADD NetControl::SUCCEEDED NetControl::DROP NetControl::FORWARD NetControl::ADDRESS 192.168.18.50/32 - drop 0 36000.000000 - Acld-bro/event/netcontroltest +1491585965.027706 4 NetControl::RULE REMOVE NetControl::REQUESTED NetControl::DROP NetControl::FORWARD NetControl::ADDRESS 192.168.18.50/32 - - 0 36000.000000 - Acld-bro/event/netcontroltest +1491585965.027706 2 NetControl::ERROR - - NetControl::DROP NetControl::FORWARD NetControl::FLOW 192.168.18.50/32/*->74.125.239.97/32/* - restorehosthost 0 36000.000000 here Acld-bro/event/netcontroltest +1491585965.027706 3 NetControl::RULE REMOVE NetControl::SUCCEEDED NetControl::DROP NetControl::FORWARD NetControl::FLOW */*->*/443 - restoretcpport 0 36000.000000 there Acld-bro/event/netcontroltest +1491585965.027706 4 NetControl::RULE REMOVE NetControl::SUCCEEDED NetControl::DROP NetControl::FORWARD NetControl::ADDRESS 192.168.18.50/32 - restore 0 36000.000000 - Acld-bro/event/netcontroltest +#close 2017-04-07-17-26-05 
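Review bot: The `NetControl::ERROR` row now expected for the `restorehosthost` removal of rule 2 replaces what was `NetControl::RULE REMOVE NetControl::SUCCEEDED`, and nothing in this baseline tells a reader whether that failure is injected by the test or is a regression being accepted into the expected output. The send.send.out baseline of the same test makes the matching change from `rule removed` to `rule error`. If the test's acld stand-in now answers that removal with an error on purpose, a comment in the test script such as `# rule 2: removal is answered with an error on purpose, to cover the rule_error path` would make that explicit; the script is outside this hunk, so this is inferred. If it is not on purpose, the baseline should not be updated, because a failed restore leaves the state of that drop rule unknown.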
diff --git a/testing/btest/Baseline/scripts.base.frameworks.netcontrol.acld/send.send.out b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.acld/send.send.out
index 0d0ce0fccd..1e24b1ae3a 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.netcontrol.acld/send.send.out
+++ b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.acld/send.send.out
@@ -1,7 +1,7 @@
-Broker::outgoing_connection_established, 127.0.0.1, 9999/tcp
+Broker peer added, [address=127.0.0.1, bound_port=9999/tcp]
 rule added, [ty=NetControl::FLOW, conn=, flow=[src_h=192.168.18.50/32, src_p=, dst_h=74.125.239.97/32, dst_p=, src_m=, dst_m=], ip=, mac=], NetControl::DROP
 rule exists, [ty=NetControl::FLOW, conn=, flow=[src_h=, src_p=, dst_h=, dst_p=443/tcp, src_m=, dst_m=], ip=, mac=], NetControl::DROP
 rule added, [ty=NetControl::ADDRESS, conn=, flow=, ip=192.168.18.50/32, mac=], NetControl::DROP
-rule removed, [ty=NetControl::FLOW, conn=, flow=[src_h=192.168.18.50/32, src_p=, dst_h=74.125.239.97/32, dst_p=, src_m=, dst_m=], ip=, mac=], NetControl::DROP
+rule error, [ty=NetControl::FLOW, conn=, flow=[src_h=192.168.18.50/32, src_p=, dst_h=74.125.239.97/32, dst_p=, src_m=, dst_m=], ip=, mac=], NetControl::DROP
 rule removed, [ty=NetControl::FLOW, conn=, flow=[src_h=, src_p=, dst_h=, dst_p=443/tcp, src_m=, dst_m=], ip=, mac=], NetControl::DROP
 rule removed, [ty=NetControl::ADDRESS, conn=, flow=, ip=192.168.18.50/32, mac=], NetControl::DROP
diff --git a/testing/btest/Baseline/scripts.base.frameworks.netcontrol.basic-cluster/worker-2..stdout b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.basic-cluster/worker-2..stdout
index c638f34077..587a51d2b8 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.netcontrol.basic-cluster/worker-2..stdout
+++ b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.basic-cluster/worker-2..stdout
@@ -1,3 +1,4 @@
 Rule added, worker-2:2, 4
 Rule added, worker-2:3, 5
 1
+Rule destroyed, worker-2:3, 5, 0
diff --git a/testing/btest/Baseline/scripts.base.frameworks.netcontrol.broker/recv.recv.out b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.broker/recv.recv.out
index 5a3741d841..58f209eaf4 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.netcontrol.broker/recv.recv.out
+++ b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.broker/recv.recv.out
@@ -1,4 +1,4 @@
-Broker::incoming_connection_established
+Broker peer added
 add_rule, 0, [ty=NetControl::FLOW, conn=, flow=[src_h=10.10.1.4/32, src_p=1470/tcp, dst_h=74.53.140.153/32, dst_p=25/tcp, src_m=, dst_m=], ip=, mac=], NetControl::DROP
 add_rule, 0, [ty=NetControl::ADDRESS, conn=, flow=, ip=10.10.1.4/32, mac=], NetControl::DROP
 remove_rule, 0, [ty=NetControl::ADDRESS, conn=, flow=, ip=10.10.1.4/32, mac=], NetControl::DROP, removing
diff --git a/testing/btest/Baseline/scripts.base.frameworks.netcontrol.broker/send.send.out b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.broker/send.send.out
index aee04c25cc..920fdd8085 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.netcontrol.broker/send.send.out
+++ b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.broker/send.send.out
@@ -1,4 +1,4 @@
-Broker::outgoing_connection_established, 127.0.0.1, 9999/tcp
+Broker peer added, [address=127.0.0.1, bound_port=9999/tcp]
 rule exists, [ty=NetControl::FLOW, conn=, flow=[src_h=10.10.1.4/32, src_p=1470/tcp, dst_h=74.53.140.153/32, dst_p=25/tcp, src_m=, dst_m=], ip=, mac=], NetControl::DROP
 rule timeout, [ty=NetControl::FLOW, conn=, flow=[src_h=10.10.1.4/32, src_p=1470/tcp, dst_h=74.53.140.153/32, dst_p=25/tcp, src_m=, dst_m=], ip=, mac=], NetControl::DROP, [duration=, packet_count=, byte_count=]
 rule added, [ty=NetControl::ADDRESS, conn=, flow=, ip=10.10.1.4/32, mac=], NetControl::DROP
diff --git a/testing/btest/Baseline/scripts.base.frameworks.netcontrol.catch-and-release-cluster/manager-1.netcontrol.log b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.catch-and-release-cluster/manager-1.netcontrol.log deleted file mode 100644 index 974349e229..0000000000 --- a/testing/btest/Baseline/scripts.base.frameworks.netcontrol.catch-and-release-cluster/manager-1.netcontrol.log +++ /dev/null 
@@ -1,23 +0,0 @@ -#separator \x09 -#set_separator , -#empty_field (empty) -#unset_field - -#path netcontrol -#open 2016-08-12-17-38-49 -#fields ts rule_id category cmd state action target entity_type entity mod msg priority expire location plugin -#types time string enum string enum string enum string string string string int interval string string -1471023529.752740 - NetControl::MESSAGE - - - - - - - activating plugin with priority 0 - - - Debug-All -1471023529.752740 - NetControl::MESSAGE - - - - - - - activation finished - - - Debug-All -1471023529.752740 - NetControl::MESSAGE - - - - - - - plugin initialization done - - - - -1471023532.819263 2 NetControl::RULE ADD NetControl::REQUESTED NetControl::DROP NetControl::FORWARD NetControl::ADDRESS 192.168.18.50/32 - - 0 600.000000 connection drop worker-1 Debug-All -1471023532.819263 worker-1:2 NetControl::RULE ADD NetControl::REQUESTED NetControl::DROP NetControl::FORWARD NetControl::ADDRESS 8.8.8.8/32 - - 0 0.100000 direct drop worker-1 Debug-All -1471023532.819263 2 NetControl::RULE ADD NetControl::SUCCEEDED NetControl::DROP NetControl::FORWARD NetControl::ADDRESS 192.168.18.50/32 - - 0 600.000000 connection drop worker-1 Debug-All -1471023532.819263 worker-1:2 NetControl::RULE ADD NetControl::SUCCEEDED NetControl::DROP NetControl::FORWARD NetControl::ADDRESS 8.8.8.8/32 - - 0 0.100000 direct drop worker-1 Debug-All -1471023532.920126 worker-1:2 NetControl::RULE EXPIRE NetControl::TIMEOUT NetControl::DROP NetControl::FORWARD NetControl::ADDRESS 8.8.8.8/32 - - 0 0.100000 direct drop worker-1 Debug-All -1471023532.920126 worker-1:2 NetControl::RULE REMOVE NetControl::REQUESTED NetControl::DROP NetControl::FORWARD NetControl::ADDRESS 8.8.8.8/32 - - 0 0.100000 direct drop worker-1 Debug-All -1471023532.921768 worker-1:2 NetControl::RULE REMOVE NetControl::SUCCEEDED NetControl::DROP NetControl::FORWARD NetControl::ADDRESS 8.8.8.8/32 - - 0 0.100000 direct drop worker-1 Debug-All -1471023534.308087 2 NetControl::RULE 
REMOVE NetControl::REQUESTED NetControl::DROP NetControl::FORWARD NetControl::ADDRESS 192.168.18.50/32 - worker-2 0 600.000000 connection drop worker-1 Debug-All -1471023534.308087 2 NetControl::RULE REMOVE NetControl::SUCCEEDED NetControl::DROP NetControl::FORWARD NetControl::ADDRESS 192.168.18.50/32 - - 0 600.000000 connection drop worker-1 Debug-All -1471023534.308087 4 NetControl::RULE ADD NetControl::REQUESTED NetControl::DROP NetControl::FORWARD NetControl::ADDRESS 8.8.8.8/32 - - 0 3600.000000 Re-drop by catch-and-release: direct cr worker-1 Debug-All -1471023534.308087 4 NetControl::RULE ADD NetControl::SUCCEEDED NetControl::DROP NetControl::FORWARD NetControl::ADDRESS 8.8.8.8/32 - - 0 3600.000000 Re-drop by catch-and-release: direct cr worker-1 Debug-All -#close 2016-08-12-17-38-54 diff --git a/testing/btest/Baseline/scripts.base.frameworks.netcontrol.catch-and-release-cluster/manager-1.netcontrol_catch_release.log b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.catch-and-release-cluster/manager-1.netcontrol_catch_release.log deleted file mode 100644 index 54202fffbe..0000000000 --- a/testing/btest/Baseline/scripts.base.frameworks.netcontrol.catch-and-release-cluster/manager-1.netcontrol_catch_release.log +++ /dev/null 
@@ -1,18 +0,0 @@ -#separator \x09 -#set_separator , -#empty_field (empty) -#unset_field - -#path netcontrol_catch_release -#open 2016-08-12-17-38-52 -#fields ts rule_id ip action block_interval watch_interval blocked_until watched_until num_blocked location message -#types time string addr enum interval interval time time count string string -1471023532.819263 2 192.168.18.50 NetControl::DROP 600.000000 3600.000000 1471024132.819263 1471027132.819263 1 connection drop worker-1 - -1471023532.819263 2 192.168.18.50 NetControl::DROPPED 600.000000 3600.000000 1471024132.819263 1471027132.819263 1 connection drop worker-1 - -1471023532.819263 worker-1:2 8.8.8.8 NetControl::ADDED 600.000000 3600.000000 - 1471027132.819263 1 direct cr worker-1 Address already blocked outside of catch-and-release. Catch and release will monitor and only actively block if it appears in network traffic. -1471023532.920126 worker-1:2 8.8.8.8 NetControl::UNBLOCK 600.000000 3600.000000 - 1471027132.819263 1 direct cr worker-1 - -1471023534.308087 2 192.168.18.50 NetControl::INFO 600.000000 3600.000000 1471024132.819263 1471027132.819263 1 connection drop worker-1 Block seen while in rule_entities. No action taken. -1471023534.308087 2 192.168.18.50 NetControl::UNBLOCK 600.000000 3600.000000 1471024132.819263 1471027132.819263 1 connection drop worker-1 worker-2 -1471023534.308087 4 8.8.8.8 NetControl::SEEN_AGAIN 3600.000000 86400.000000 1471027134.308087 1471109934.308087 2 direct cr worker-1 - -1471023534.308087 4 8.8.8.8 NetControl::DROPPED 3600.000000 86400.000000 1471027134.308087 1471109934.308087 2 direct cr worker-1 - -1471023532.239980 2 192.168.18.50 NetControl::INFO 600.000000 3600.000000 1471024132.819263 1471027132.819263 1 connection drop worker-1 Already blocked using catch-and-release - ignoring duplicate -#close 2016-08-12-17-38-54 
diff --git a/testing/btest/Baseline/scripts.base.frameworks.netcontrol.catch-and-release-cluster/worker-2..stdout b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.catch-and-release-cluster/worker-2..stdout deleted file mode 100644 index f61fe92474..0000000000 --- a/testing/btest/Baseline/scripts.base.frameworks.netcontrol.catch-and-release-cluster/worker-2..stdout +++ /dev/null @@ -1,9 +0,0 @@ -Suspend, worker-2 -New block, 192.168.18.50, [block_until=1471027194.791177, watch_until=1471030194.791177, num_reblocked=0, current_interval=0, current_block_id=2, location=connection drop worker-1] -New block, 8.8.8.8, [block_until=, watch_until=1471030194.791177, num_reblocked=0, current_interval=0, current_block_id=worker-1:2, location=direct cr worker-1] -Resume, worker-2 -Connection established -Info, [block_until=1471027194.791177, watch_until=1471030194.791177, num_reblocked=0, current_interval=0, current_block_id=2, location=connection drop worker-1] -Delete block, 192.168.18.50 -New block, 8.8.8.8, [block_until=1471030196.295249, watch_until=1471112996.295249, num_reblocked=1, current_interval=1, current_block_id=4, location=direct cr worker-1] -remote connection closed diff --git a/testing/btest/Baseline/scripts.base.frameworks.netcontrol.packetfilter/conn.log b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.packetfilter/conn.log index fa77d35343..9a673f80e2 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.netcontrol.packetfilter/conn.log +++ b/testing/btest/Baseline/scripts.base.frameworks.netcontrol.packetfilter/conn.log 
@@ -6,10 +6,10 @@ #open 2016-07-13-16-15-38 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] -1254722767.492060 CHhAvVGS1DHFjwGM9 10.10.1.4 56166 10.10.1.1 53 udp dns 0.034025 34 100 SF - - 0 Dd 1 62 1 128 (empty) -1254722776.690444 C4J4Th3PJpwUYZZ6gc 10.10.1.20 138 10.10.1.255 138 udp - - - - S0 - - 0 D 1 229 0 0 (empty) -1254722767.529046 ClEkJM2Vm5giqnMf4h 10.10.1.4 1470 74.53.140.153 25 tcp - 0.346950 0 0 S1 - - 0 Sh 1 48 1 48 (empty) -1437831776.764391 CtPZjS20MLrsMUOJi2 192.168.133.100 49285 66.196.121.26 5050 tcp - 0.343008 41 0 OTH - - 0 Da 1 93 1 52 (empty) -1437831787.856895 CUM0KZ3MLUfNB0cl11 192.168.133.100 49648 192.168.133.102 25 tcp - 0.048043 162 154 S1 - - 154 ShDA 3 192 1 60 (empty) -1437831798.533765 CmES5u32sYpV7JYN 192.168.133.100 49336 74.125.71.189 443 tcp - - - - OTH - - 0 A 1 52 0 0 (empty) +1254722767.492060 CHhAvVGS1DHFjwGM9 10.10.1.4 56166 10.10.1.1 53 udp dns 0.034025 34 100 SF - - 0 Dd 1 62 1 128 - +1254722776.690444 C4J4Th3PJpwUYZZ6gc 10.10.1.20 138 10.10.1.255 138 udp - - - - S0 - - 0 D 1 229 0 0 - +1254722767.529046 ClEkJM2Vm5giqnMf4h 10.10.1.4 1470 74.53.140.153 25 tcp - 0.346950 0 0 S1 - - 0 Sh 1 48 1 48 - +1437831776.764391 CtPZjS20MLrsMUOJi2 192.168.133.100 49285 66.196.121.26 5050 tcp - 0.343008 41 0 OTH - - 0 Da 1 93 1 52 - +1437831787.856895 CUM0KZ3MLUfNB0cl11 192.168.133.100 49648 192.168.133.102 25 tcp - 0.048043 162 154 S1 - - 154 ShDA 3 192 1 60 - +1437831798.533765 CmES5u32sYpV7JYN 192.168.133.100 49336 74.125.71.189 443 tcp - - - - OTH - - 0 A 1 52 0 0 - #close 2016-07-13-16-15-38 
diff --git a/testing/btest/Baseline/scripts.base.frameworks.notice.suppression/notice.log b/testing/btest/Baseline/scripts.base.frameworks.notice.suppression/notice.log index 03c42d5849..9b79fc7adc 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.notice.suppression/notice.log +++ b/testing/btest/Baseline/scripts.base.frameworks.notice.suppression/notice.log @@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path notice -#open 2014-04-01-23-15-34 +#open 2017-12-20-23-33-05 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude #types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] interval bool string string string double double -1396394134.092329 - - - - - - - - - Test_Notice test - - - - - bro Notice::ACTION_LOG 3600.000000 F - - - - - -#close 2014-04-01-23-15-34 +1513812785.342226 - - - - - - - - - Test_Notice test - - - - - - Notice::ACTION_LOG 3600.000000 F - - - - - +#close 2017-12-20-23-33-05 diff --git a/testing/btest/Baseline/scripts.base.frameworks.openflow.broker-basic/recv.recv.out b/testing/btest/Baseline/scripts.base.frameworks.openflow.broker-basic/recv.recv.out index b1c2ed5050..ab6eefe646 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.openflow.broker-basic/recv.recv.out +++ b/testing/btest/Baseline/scripts.base.frameworks.openflow.broker-basic/recv.recv.out 
@@ -1,4 +1,4 @@ -Broker::incoming_connection_established +Broker peer added flow_clear, 42 got flow_mod, 42, [in_port=, dl_src=, dl_dst=, dl_vlan=, dl_vlan_pcp=, dl_type=, nw_tos=, nw_proto=, nw_src=, nw_dst=, tp_src=, tp_dst=], [cookie=4398046511105, table_id=, command=OpenFlow::OFPFC_ADD, idle_timeout=0, hard_timeout=0, priority=0, out_port=, out_group=, flags=0, actions=[out_ports=[3, 7], vlan_vid=, vlan_pcp=, vlan_strip=F, dl_src=, dl_dst=, nw_tos=, nw_src=, nw_dst=, tp_src=, tp_dst=]] got flow_mod, 42, [in_port=, dl_src=, dl_dst=, dl_vlan=, dl_vlan_pcp=, dl_type=2048, nw_tos=, nw_proto=6, nw_src=10.10.1.4/32, nw_dst=74.53.140.153/32, tp_src=1470, tp_dst=25], [cookie=4398046511146, table_id=, command=OpenFlow::OFPFC_ADD, idle_timeout=30, hard_timeout=0, priority=5, out_port=, out_group=, flags=0, actions=[out_ports=[], vlan_vid=, vlan_pcp=, vlan_strip=F, dl_src=, dl_dst=, nw_tos=, nw_src=, nw_dst=, tp_src=, tp_dst=]] diff --git a/testing/btest/Baseline/scripts.base.frameworks.openflow.broker-basic/send.send.out b/testing/btest/Baseline/scripts.base.frameworks.openflow.broker-basic/send.send.out index 5f4fadfb81..ec860918ba 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.openflow.broker-basic/send.send.out +++ b/testing/btest/Baseline/scripts.base.frameworks.openflow.broker-basic/send.send.out @@ -1,4 +1,4 @@ -Broker::outgoing_connection_established, 127.0.0.1, 9999/tcp +Broker peer added, [address=127.0.0.1, bound_port=9999/tcp] Flow_mod_success Flow_mod_failure connection established diff --git a/testing/btest/Baseline/scripts.base.frameworks.software.version-parsing/output b/testing/btest/Baseline/scripts.base.frameworks.software.version-parsing/output index 956b5a86e4..6f59b224b3 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.software.version-parsing/output +++ b/testing/btest/Baseline/scripts.base.frameworks.software.version-parsing/output 
@@ -1,46 +1,12 @@ -success on: wu-2.4.2-academ[BETA-18-VR14](1) -success on: Python-urllib/3.1 -success on: libwww-perl/5.820 -success on: Apache -success on: Apple iPhone v4.3.1 Weather v1.0.0.8G4 -success on: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.2.11) Gecko/20101013 Lightning/1.0b2 Thunderbird/3.1.5 -success on: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1; Media Center PC 3.0; .NET CLR 1.0.3705; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.1) -success on: Mozilla/5.0 (Windows; U; en) AppleWebKit/420+ (KHTML, like Gecko) AdobeAIR/1.0 -success on: Java/1.6.0_13 -success on: The Bat! (v2.00.9) Personal -success on: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_7; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 -success on: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3; Creative AutoUpdate v1.40.02) -success on: curl/7.15.1 (i486-pc-linux-gnu) libcurl/7.15.1 OpenSSL/0.9.8a zlib/1.2.3 libidn/0.5.18 -success on: Mozilla/4.0 (compatible; MSIE 8.0; Android 2.2.2; Linux; Opera Mobi/ADR-1103311355; en) Opera 11.00 -success on: mt2/1.2.3.967 Oct 13 2010-13:40:24 ord-pixel-x2 pid 0x35a3 13731 -success on: CacheFlyServe v26b -success on: Mozilla/5.0 (Linux; U; Android 2.3.3; zh-tw; HTC Pyramid Build/GRI40) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1 -success on: Mozilla/5.0 (iPod; U; CPU iPhone OS 4_0 like Mac OS X; en-us) AppleWebKit/532.9 (KHTML, like Gecko) Version/4.0.5 Mobile/8A293 Safari/6531.22.7 -success on: Total Commander -success on: OpenSSH_5.2 -success on: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_6; en-us) AppleWebKit/533.20.25 (KHTML, like Gecko) Version/5.0.4 Safari/533.20.27 -success on: Opera/9.80 (J2ME/MIDP; Opera Mini/9.80 (S60; SymbOS; Opera Mobi/23.348; U; en) Presto/2.5.25 Version/10.54 -success on: Opera/9.80 (J2ME/MIDP; 
Opera Mini/5.0.18741/18.794; U; en) Presto/2.4.15 -success on: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; Tablet PC 2.0; InfoPath.2; InfoPath.3) -success on: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; Trident/7.0; .NET4.0E; .NET4.0C) -success on: Wget/1.9+cvs-stable (Red Hat modified) -success on: Wget/1.11.4 (Red Hat modified) -success on: Opera/9.80 (Windows NT 6.1; U; sv) Presto/2.7.62 Version/11.01 -success on: Java1.3.1_04 -success on: OpenSSH_4.4 -success on: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; GTB5; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506; InfoPath.2) -success on: (vsFTPd 2.0.5) -success on: wu-2.6.2(1) -success on: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.2) Gecko/20040804 Netscape/7.2 (ax) -success on: The Bat! (3.0.1 RC3) Professional -success on: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/420+ (KHTML, like Gecko) AdobeAIR/1.0 success on: Flash/10,2,153,1 success on: Apache/2.0.46 (Win32) mod_ssl/2.0.46 OpenSSL/0.9.7b mod_jk2/2.0.4 success on: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) +success on: %E6%9C%89%E9%81%93%E8%AF%8D%E5%85%B8/128 CFNetwork/760.2.6 Darwin/15.3.0 (x86_64) success on: Java1.2.2-JDeveloper success on: Zope/(Zope 2.7.8-final, python 2.3.5, darwin) ZServer/1.1 Plone/Unknown success on: iTunes/9.0 (Macintosh; Intel Mac OS X 10.5.8) AppleWebKit/531.9 success on: ProFTPD 1.2.5rc1 Server (Debian) +success on: Flash%20Player/26.0.0.137 CFNetwork/811.5.4 Darwin/16.6.0 (x86_64) success on: Mozilla/5.0 (iPhone; U; CPU iPhone OS 4_3_2 like Mac OS X; en-us) AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8H7 Safari/6533.18.5 success on: Opera/9.80 (Windows NT 5.1; Opera Mobi/49; U; en) Presto/2.4.18 Version/10.00 success on: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0) 
@@ -48,3 +14,42 @@ success on: Apple Mail (2.1084) success on: Apache/2.0.63 (Unix) mod_auth_kerb/5.3 mod_ssl/2.0.63 OpenSSL/0.9.7a mod_fastcgi/2.4.2 success on: Apache/1.3.19 (Unix) success on: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko +success on: Wget/1.11.4 (Red Hat modified) +success on: \xe6\xbc\xab\xe7\x94\xbb\xe4\xba\xba 2.6.2 rv:1.2 (iPhone; iOS 10.3.2; en_US) +success on: wu-2.6.2(1) +success on: QQ%E9%82%AE%E7%AE%B1/5.3.2.8 CFNetwork/811.5.4 Darwin/16.6.0 +success on: The Bat! (3.0.1 RC3) Professional +success on: Mozilla/5.0 (iPod; U; CPU iPhone OS 4_0 like Mac OS X; en-us) AppleWebKit/532.9 (KHTML, like Gecko) Version/4.0.5 Mobile/8A293 Safari/6531.22.7 +success on: The Bat! (v2.00.9) Personal +success on: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.2) Gecko/20040804 Netscape/7.2 (ax) +success on: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1; Media Center PC 3.0; .NET CLR 1.0.3705; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.1) +success on: wu-2.4.2-academ[BETA-18-VR14](1) +success on: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3; Creative AutoUpdate v1.40.02) +success on: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; GTB5; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506; InfoPath.2) +success on: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_7; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16 +success on: Mozilla/5.0 (Windows Phone 10.0; Android 6.0.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Mobile Safari/537.36 Edge/15.15063 +success on: Total Commander +success on: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; Trident/7.0; .NET4.0E; .NET4.0C) +success on: libwww-perl/5.820 +success on: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/420+ (KHTML, like Gecko) AdobeAIR/1.0 +success 
on: Java/1.6.0_13 +success on: Python-urllib/3.1 +success on: Mozilla/4.0 (compatible; MSIE 8.0; Android 2.2.2; Linux; Opera Mobi/ADR-1103311355; en) Opera 11.00 +success on: CacheFlyServe v26b +success on: Mozilla/5.0 (Linux; U; Android 2.3.3; zh-tw; HTC Pyramid Build/GRI40) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1 +success on: OpenSSH_5.2 +success on: (vsFTPd 2.0.5) +success on: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_6; en-us) AppleWebKit/533.20.25 (KHTML, like Gecko) Version/5.0.4 Safari/533.20.27 +success on: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; Tablet PC 2.0; InfoPath.2; InfoPath.3) +success on: Apache +success on: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.2.11) Gecko/20101013 Lightning/1.0b2 Thunderbird/3.1.5 +success on: Mozilla/5.0 (Windows; U; en) AppleWebKit/420+ (KHTML, like Gecko) AdobeAIR/1.0 +success on: curl/7.15.1 (i486-pc-linux-gnu) libcurl/7.15.1 OpenSSL/0.9.8a zlib/1.2.3 libidn/0.5.18 +success on: Apple iPhone v4.3.1 Weather v1.0.0.8G4 +success on: Java1.3.1_04 +success on: OpenSSH_4.4 +success on: mt2/1.2.3.967 Oct 13 2010-13:40:24 ord-pixel-x2 pid 0x35a3 13731 +success on: Opera/9.80 (J2ME/MIDP; Opera Mini/9.80 (S60; SymbOS; Opera Mobi/23.348; U; en) Presto/2.5.25 Version/10.54 +success on: Opera/9.80 (Windows NT 6.1; U; sv) Presto/2.7.62 Version/11.01 +success on: Opera/9.80 (J2ME/MIDP; Opera Mini/5.0.18741/18.794; U; en) Presto/2.4.15 +success on: Wget/1.9+cvs-stable (Red Hat modified) diff --git a/testing/btest/Baseline/scripts.base.frameworks.sumstats.basic/standalone..stdout b/testing/btest/Baseline/scripts.base.frameworks.sumstats.basic/standalone..stdout index 6820df8d93..b345cbf850 100644 --- a/testing/btest/Baseline/scripts.base.frameworks.sumstats.basic/standalone..stdout +++ b/testing/btest/Baseline/scripts.base.frameworks.sumstats.basic/standalone..stdout 
@@ -1,2 +1,3 @@ Host: 1.2.3.4 - num:5 - sum:221.0 - var:1144.2 - avg:44.2 - max:94.0 - min:5.0 - std_dev:33.8 - unique:4 - hllunique:4 Host: 6.5.4.3 - num:1 - sum:2.0 - var:0.0 - avg:2.0 - max:2.0 - min:2.0 - std_dev:0.0 - unique:1 - hllunique:1 +Host: 7.2.1.5 - num:1 - sum:1.0 - var:0.0 - avg:1.0 - max:1.0 - min:1.0 - std_dev:0.0 - unique:1 - hllunique:1 diff --git a/testing/btest/Baseline/scripts.base.protocols.arp.bad/.stdout b/testing/btest/Baseline/scripts.base.protocols.arp.bad/.stdout new file mode 100644 index 0000000000..4c6945ec64 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.arp.bad/.stdout @@ -0,0 +1,6 @@ +BAD, 192.168.123.1, 7e:8e:20:d8:23:a7, 192.168.123.2, 00:00:00:00:00:00, corrupt-arp-header (hrd=1, hln=255) +BAD, 192.168.123.2, 52:54:00:12:34:57, 192.168.123.1, 7e:8e:20:d8:23:a7, corrupt-arp-header (hrd=1, hln=255) +BAD, 192.168.123.1, 7e:8e:20:d8:23:a7, 192.168.123.2, 00:00:00:00:00:00, corrupt-arp-header (pro=2048, pln=255) +BAD, 192.168.123.2, 52:54:00:12:34:57, 192.168.123.1, 7e:8e:20:d8:23:a7, corrupt-arp-header (pro=2048, pln=255) +BAD, 192.168.123.1, 7e:8e:20:d8:23:a7, 192.168.123.2, 00:00:00:00:00:00, corrupt-arp-header (hrd=1, hln=255) +BAD, 192.168.123.2, 52:54:00:12:34:57, 192.168.123.1, 7e:8e:20:d8:23:a7, corrupt-arp-header (hrd=1, hln=255) diff --git a/testing/btest/Baseline/scripts.base.protocols.arp.radiotap/.stdout b/testing/btest/Baseline/scripts.base.protocols.arp.radiotap/.stdout new file mode 100644 index 0000000000..d45f9ba0d7 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.arp.radiotap/.stdout @@ -0,0 +1,2 @@ +78:31:c1:c6:3f:c2, ff:ff:ff:ff:ff:ff, 10.0.0.2, 78:31:c1:c6:3f:c2, 10.0.0.1, 00:00:00:00:00:00 +f8:ed:a5:c0:a4:f1, 78:31:c1:c6:3f:c2, 10.0.0.1, f8:ed:a5:c0:a4:f1, 10.0.0.2, 78:31:c1:c6:3f:c2 
diff --git a/testing/btest/Baseline/scripts.base.protocols.arp.wlanmon/.stdout b/testing/btest/Baseline/scripts.base.protocols.arp.wlanmon/.stdout new file mode 100644 index 0000000000..d45f9ba0d7 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.arp.wlanmon/.stdout @@ -0,0 +1,2 @@ +78:31:c1:c6:3f:c2, ff:ff:ff:ff:ff:ff, 10.0.0.2, 78:31:c1:c6:3f:c2, 10.0.0.1, 00:00:00:00:00:00 +f8:ed:a5:c0:a4:f1, 78:31:c1:c6:3f:c2, 10.0.0.1, f8:ed:a5:c0:a4:f1, 10.0.0.2, 78:31:c1:c6:3f:c2 diff --git a/testing/btest/Baseline/scripts.base.protocols.dce-rpc.mapi/dce_rpc.log b/testing/btest/Baseline/scripts.base.protocols.dce-rpc.mapi/dce_rpc.log index 578ac1c0d3..1efbd46b3c 100644 --- a/testing/btest/Baseline/scripts.base.protocols.dce-rpc.mapi/dce_rpc.log +++ b/testing/btest/Baseline/scripts.base.protocols.dce-rpc.mapi/dce_rpc.log 
@@ -3,19 +3,19 @@ #empty_field (empty) #unset_field - #path dce_rpc -#open 2016-10-08-03-48-34 +#open 2018-08-16-22-09-39 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p rtt named_pipe endpoint operation #types time string addr port addr port interval string string string -1056991898.891148 CmES5u32sYpV7JYN 192.168.0.173 1066 192.168.0.2 135 0.000375 135 epmapper ept_map -1056991898.895146 CP5puj4I8PtEU4qzYg 192.168.0.173 1067 192.168.0.2 4997 0.000749 4997 nspi NspiBind -1056991898.902393 C37jN32gN3y3AZzyf6 192.168.0.173 1068 192.168.0.2 4997 0.026606 4997 nspi NspiBind -1056991898.931248 C3eiCBGOLw3VtHfOj 192.168.0.173 1069 192.168.0.2 135 0.000500 135 epmapper ept_lookup -1056991899.586840 C0LAHyvtKSQHyJxIl 192.168.0.173 1072 192.168.0.2 135 0.000374 135 epmapper ept_map -1056991899.594336 CFLRIC3zaTU1loLGxh 192.168.0.173 1073 192.168.0.2 1032 0.031980 1032 exchange_mapi EcDoConnect -1056991899.626566 CFLRIC3zaTU1loLGxh 192.168.0.173 1073 192.168.0.2 1032 0.024359 1032 exchange_mapi EcDoRpc -1056991899.652798 CFLRIC3zaTU1loLGxh 192.168.0.173 1073 192.168.0.2 1032 0.001374 1032 exchange_mapi EcDoRpc -1056991899.655922 CFLRIC3zaTU1loLGxh 192.168.0.173 1073 192.168.0.2 1032 0.000999 1032 exchange_mapi EcDoRpc -1056991899.658670 CFLRIC3zaTU1loLGxh 192.168.0.173 1073 192.168.0.2 1032 0.001624 1032 exchange_mapi EcDoRpc -1056991899.660794 CFLRIC3zaTU1loLGxh 192.168.0.173 1073 192.168.0.2 1032 0.003998 1032 exchange_mapi EcRRegisterPushNotification -1056991899.707516 CFLRIC3zaTU1loLGxh 192.168.0.173 1073 192.168.0.2 1032 0.003998 1032 exchange_mapi EcRRegisterPushNotification -#close 2016-10-08-03-48-34 +1056991898.891148 C37jN32gN3y3AZzyf6 192.168.0.173 1066 192.168.0.2 135 0.000375 135 epmapper ept_map +1056991898.895146 C3eiCBGOLw3VtHfOj 192.168.0.173 1067 192.168.0.2 4997 0.000749 4997 nspi NspiBind +1056991898.902393 CwjjYJ2WqgTbAqiHl6 192.168.0.173 1068 192.168.0.2 4997 0.026606 4997 nspi NspiBind +1056991898.931248 CFLRIC3zaTU1loLGxh 192.168.0.173 1069 
192.168.0.2 135 0.000500 135 epmapper ept_lookup +1056991899.586840 Ck51lg1bScffFj34Ri 192.168.0.173 1072 192.168.0.2 135 0.000374 135 epmapper ept_map +1056991899.594336 C9mvWx3ezztgzcexV7 192.168.0.173 1073 192.168.0.2 1032 0.031980 1032 exchange_mapi EcDoConnect +1056991899.626566 C9mvWx3ezztgzcexV7 192.168.0.173 1073 192.168.0.2 1032 0.024359 1032 exchange_mapi EcDoRpc +1056991899.652798 C9mvWx3ezztgzcexV7 192.168.0.173 1073 192.168.0.2 1032 0.001374 1032 exchange_mapi EcDoRpc +1056991899.655922 C9mvWx3ezztgzcexV7 192.168.0.173 1073 192.168.0.2 1032 0.000999 1032 exchange_mapi EcDoRpc +1056991899.658670 C9mvWx3ezztgzcexV7 192.168.0.173 1073 192.168.0.2 1032 0.001624 1032 exchange_mapi EcDoRpc +1056991899.660794 C9mvWx3ezztgzcexV7 192.168.0.173 1073 192.168.0.2 1032 0.003998 1032 exchange_mapi EcRRegisterPushNotification +1056991899.707516 C9mvWx3ezztgzcexV7 192.168.0.173 1073 192.168.0.2 1032 0.003998 1032 exchange_mapi EcRRegisterPushNotification +#close 2018-08-16-22-09-39 diff --git a/testing/btest/Baseline/scripts.base.protocols.dce-rpc.mapi/ntlm.log b/testing/btest/Baseline/scripts.base.protocols.dce-rpc.mapi/ntlm.log index ffe3248400..7087b0c7dd 100644 --- a/testing/btest/Baseline/scripts.base.protocols.dce-rpc.mapi/ntlm.log +++ b/testing/btest/Baseline/scripts.base.protocols.dce-rpc.mapi/ntlm.log 
@@ -3,9 +3,9 @@ #empty_field (empty) #unset_field - #path ntlm -#open 2016-10-08-03-48-34 +#open 2018-08-16-22-12-09 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p username hostname domainname success status #types time string addr port addr port string string string bool string -1056991898.902392 C37jN32gN3y3AZzyf6 192.168.0.173 1068 192.168.0.2 4997 ALeonard ALEONARD-XP CNAMIS - - -1056991899.594334 CFLRIC3zaTU1loLGxh 192.168.0.173 1073 192.168.0.2 1032 ALeonard ALEONARD-XP CNAMIS - - -#close 2016-10-08-03-48-34 +1056991898.902392 CwjjYJ2WqgTbAqiHl6 192.168.0.173 1068 192.168.0.2 4997 ALeonard ALEONARD-XP CNAMIS - - +1056991899.594334 C9mvWx3ezztgzcexV7 192.168.0.173 1073 192.168.0.2 1032 ALeonard ALEONARD-XP CNAMIS - - +#close 2018-08-16-22-12-09 diff --git a/testing/btest/Baseline/scripts.base.protocols.dhcp.dhcp-ack-msg-types/dhcp.log b/testing/btest/Baseline/scripts.base.protocols.dhcp.dhcp-ack-msg-types/dhcp.log new file mode 100644 index 0000000000..7131010acb --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.dhcp.dhcp-ack-msg-types/dhcp.log @@ -0,0 +1,10 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path dhcp +#open 2018-03-01-15-18-30 +#fields ts uids client_addr server_addr mac host_name client_fqdn domain requested_addr assigned_addr lease_time client_message server_message msg_types duration +#types time set[string] addr addr string string string string addr addr interval string string vector[string] interval +1102274184.387798 CHhAvVGS1DHFjwGM9 192.168.0.10 10.10.0.1 00:0a:28:00:fa:42 - - - - 192.168.0.10 3600.000000 - - ACK 0.000000 +#close 2018-03-01-15-18-30 diff --git a/testing/btest/Baseline/scripts.base.protocols.dhcp.dhcp-all-msg-types/dhcp.log b/testing/btest/Baseline/scripts.base.protocols.dhcp.dhcp-all-msg-types/dhcp.log index 5f7aeee659..cf36777c6d 100644 --- a/testing/btest/Baseline/scripts.base.protocols.dhcp.dhcp-all-msg-types/dhcp.log 
+++ b/testing/btest/Baseline/scripts.base.protocols.dhcp.dhcp-all-msg-types/dhcp.log @@ -3,8 +3,10 @@ #empty_field (empty) #unset_field - #path dhcp -#open 2016-07-13-16-15-58 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p mac assigned_ip lease_time trans_id -#types time string addr port addr port string addr interval count -1370200444.371332 CtPZjS20MLrsMUOJi2 128.2.6.189 68 128.2.6.152 67 90:b1:1c:99:49:29 128.2.6.189 900.000000 1984 -#close 2016-07-13-16-15-58 +#open 2018-03-01-15-19-24 +#fields ts uids client_addr server_addr mac host_name client_fqdn domain requested_addr assigned_addr lease_time client_message server_message msg_types duration +#types time set[string] addr addr string string string string addr addr interval string string vector[string] interval +1370200447.422207 CHhAvVGS1DHFjwGM9 - - - btest.is.cool - - 128.2.6.189 - - - - INFORM 0.000000 +1370200442.323173 CtPZjS20MLrsMUOJi2,CHhAvVGS1DHFjwGM9,C4J4Th3PJpwUYZZ6gc,ClEkJM2Vm5giqnMf4h 128.2.6.97 128.2.6.152 90:b1:1c:99:49:29 btest.is.cool - cmu.edu 128.2.6.189 128.2.6.189 900.000000 - requested address not available DISCOVER,OFFER,REQUEST,NAK,REQUEST,ACK,DECLINE 3.058797 +1370200446.402928 CHhAvVGS1DHFjwGM9 - - - - - - - - - - - RELEASE 0.000000 +#close 2018-03-01-15-19-24 diff --git a/testing/btest/Baseline/scripts.base.protocols.dhcp.dhcp-discover-msg-types/dhcp.log b/testing/btest/Baseline/scripts.base.protocols.dhcp.dhcp-discover-msg-types/dhcp.log new file mode 100644 index 0000000000..48c6f36cf1 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.dhcp.dhcp-discover-msg-types/dhcp.log 
@@ -0,0 +1,10 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path dhcp +#open 2018-03-01-15-30-31 +#fields ts uids client_addr server_addr mac host_name client_fqdn domain requested_addr assigned_addr lease_time client_message server_message msg_types duration +#types time set[string] addr addr string string string string addr addr interval string string vector[string] interval +1102274184.317453 CHhAvVGS1DHFjwGM9 - - 00:0b:82:01:fc:42 test0000 - - 208.67.222.222 - - - - DISCOVER 0.000000 +#close 2018-03-01-15-30-31 diff --git a/testing/btest/Baseline/scripts.base.protocols.dhcp.dhcp-sub-opts/dhcp.log b/testing/btest/Baseline/scripts.base.protocols.dhcp.dhcp-sub-opts/dhcp.log new file mode 100644 index 0000000000..5534459dd2 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.dhcp.dhcp-sub-opts/dhcp.log @@ -0,0 +1,10 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path dhcp +#open 2018-03-01-15-30-58 +#fields ts uids client_addr server_addr mac host_name client_fqdn domain requested_addr assigned_addr lease_time client_message server_message msg_types duration circuit_id agent_remote_id subscriber_id +#types time set[string] addr addr string string string string addr addr interval string string vector[string] interval string string string +1102274184.387798 CHhAvVGS1DHFjwGM9 192.168.0.10 10.10.0.1 00:0a:28:00:fa:42 - - - - 192.168.0.10 3600.000000 - - ACK 0.000000 this is only a test... \x13 -subID- +#close 2018-03-01-15-30-58 diff --git a/testing/btest/Baseline/scripts.base.protocols.dhcp.inform/dhcp.log b/testing/btest/Baseline/scripts.base.protocols.dhcp.inform/dhcp.log index 0a92c6c32d..ef1f5483ce 100644 --- a/testing/btest/Baseline/scripts.base.protocols.dhcp.inform/dhcp.log +++ b/testing/btest/Baseline/scripts.base.protocols.dhcp.inform/dhcp.log 
@@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path dhcp -#open 2016-07-13-16-15-59 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p mac assigned_ip lease_time trans_id -#types time string addr port addr port string addr interval count -1374432420.191205 CHhAvVGS1DHFjwGM9 128.2.6.122 68 128.2.6.152 67 90:b1:1c:99:49:29 128.2.6.122 0.000000 2754407505 -#close 2016-07-13-16-15-59 +#open 2018-03-01-15-32-52 +#fields ts uids client_addr server_addr mac host_name client_fqdn domain requested_addr assigned_addr lease_time client_message server_message msg_types duration +#types time set[string] addr addr string string string string addr addr interval string string vector[string] interval +1374432420.186878 CHhAvVGS1DHFjwGM9 128.2.6.122 - 90:b1:1c:99:49:29 - - - - - - - - INFORM,ACK 0.004327 +#close 2018-03-01-15-32-52 diff --git a/testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_del_measure/output b/testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_del_measure/output index 85c7c845f0..477a98f389 100644 --- a/testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_del_measure/output +++ b/testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_del_measure/output @@ -1,6 +1,6 @@ -dnp3_header_block, T, 25605, 8, 196, 2, 3 +dnp3_header_block, T, 8, 196, 2, 3 dnp3_application_request_header, T, 196, 23 -dnp3_header_block, F, 25605, 16, 68, 3, 2 +dnp3_header_block, F, 16, 68, 3, 2 dnp3_application_response_header, F, 196, 129, 0 dnp3_object_header, F, 13314, 7, 1, 1, 0 dnp3_object_prefix, F, 0 diff --git a/testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_en_spon/output b/testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_en_spon/output index 53c6dc8700..57545988cf 100644 --- a/testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_en_spon/output +++ b/testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_en_spon/output 
@@ -1,7 +1,7 @@ -dnp3_header_block, T, 25605, 17, 196, 2, 3 +dnp3_header_block, T, 17, 196, 2, 3 dnp3_application_request_header, T, 203, 20 dnp3_object_header, T, 15362, 6, 0, 65535, 65535 dnp3_object_header, T, 15363, 6, 0, 65535, 65535 dnp3_object_header, T, 15364, 6, 0, 65535, 65535 -dnp3_header_block, F, 25605, 10, 68, 3, 2 +dnp3_header_block, F, 10, 68, 3, 2 dnp3_application_response_header, F, 203, 129, 0 diff --git a/testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_file_del/output b/testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_file_del/output index 9c63a41ae4..ef59d269b0 100644 --- a/testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_file_del/output +++ b/testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_file_del/output @@ -1,8 +1,8 @@ -dnp3_header_block, T, 25605, 99, 196, 4, 3 +dnp3_header_block, T, 99, 196, 4, 3 dnp3_application_request_header, T, 201, 27 dnp3_object_header, T, 17923, 91, 1, 1, 0 dnp3_object_prefix, T, 85 -dnp3_header_block, F, 25605, 29, 68, 3, 4 +dnp3_header_block, F, 29, 68, 3, 4 dnp3_application_response_header, F, 201, 129, 0 dnp3_object_header, F, 17924, 91, 1, 1, 0 dnp3_object_prefix, F, 13 diff --git a/testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_file_read/output b/testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_file_read/output index f7cdc29b74..cc762c3625 100644 --- a/testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_file_read/output +++ b/testing/btest/Baseline/scripts.base.protocols.dnp3.dnp3_file_read/output 
@@ -1,44 +1,44 @@ -dnp3_header_block, T, 25605, 50, 196, 4, 3 +dnp3_header_block, T, 50, 196, 4, 3 dnp3_application_request_header, T, 206, 25 dnp3_object_header, T, 17923, 91, 1, 1, 0 dnp3_object_prefix, T, 36 -dnp3_header_block, F, 25605, 29, 68, 3, 4 +dnp3_header_block, F, 29, 68, 3, 4 dnp3_application_response_header, F, 206, 129, 4096 dnp3_object_header, F, 17924, 91, 1, 1, 0 dnp3_object_prefix, F, 13 dnp3_response_data_object, F, 255 -dnp3_header_block, T, 25605, 22, 196, 4, 3 +dnp3_header_block, T, 22, 196, 4, 3 dnp3_application_request_header, T, 207, 1 dnp3_object_header, T, 17925, 91, 1, 1, 0 dnp3_object_prefix, T, 8 dnp3_file_transport, T, 305419896, 0 \x0a -dnp3_header_block, F, 25605, 255, 68, 3, 4 +dnp3_header_block, F, 255, 68, 3, 4 dnp3_application_response_header, F, 239, 129, 4096 dnp3_object_header, F, 17925, 91, 1, 1, 0 dnp3_object_prefix, F, 838 dnp3_file_transport, F, 305419896, 2147483648 0000 ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e .......\x0a0150 0d 0a 20 20 3c 21 2d 2d 44 6f 63 75 6d 65 6e 74 .. \x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a
      \x0d\x0a\x0d\x0a

      Hello

      \x0d\x0a\x0d\x0a

       

      \x0d\x0a\x0d\x0a

      I send u smtp pcap file

      \x0d\x0a\x0d\x0a

      Find the attachment

      \x0d\x0a\x0d\x0a

       

      \x0d\x0a\x0d\x0a

      GPS

      \x0d\x0a\x0d\x0a
      \x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a, info=[ts=1254722770.692743, fuid=Ft4M3f2yMvLlmwtbq9, tx_hosts={\x0a\x0910.10.1.4\x0a}, rx_hosts={\x0a\x0974.53.140.153\x0a}, conn_uids={\x0aClEkJM2Vm5giqnMf4h\x0a}, source=SMTP, depth=4, analyzers={\x0a\x0a}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=T, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] - [1] meta: fa_metadata = [mime_type=text/html, mime_types=[[strength=100, mime=text/html], [strength=20, mime=text/html], [strength=-20, mime=text/plain]]] + [0] f: fa_file = [id=Ft4M3f2yMvLlmwtbq9, parent_id=, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163758, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a\x09}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a\x09}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, 
second_received=, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=4], socks=, ssh=, syslog=]\x0a}, last_active=1254722770.692804, seen_bytes=1868, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a
      \x0d\x0a\x0d\x0a

      Hello

      \x0d\x0a\x0d\x0a

       

      \x0d\x0a\x0d\x0a

      I send u smtp pcap file

      \x0d\x0a\x0d\x0a

      Find the attachment

      \x0d\x0a\x0d\x0a

       

      \x0d\x0a\x0d\x0a

      GPS

      \x0d\x0a\x0d\x0a
      \x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a, info=[ts=1254722770.692743, fuid=Ft4M3f2yMvLlmwtbq9, tx_hosts={\x0a\x0910.10.1.4\x0a}, rx_hosts={\x0a\x0974.53.140.153\x0a}, conn_uids={\x0aClEkJM2Vm5giqnMf4h\x0a}, source=SMTP, depth=4, analyzers={\x0a\x0a}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=T, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [1] meta: fa_metadata = [mime_type=text/html, mime_types=[[strength=100, mime=text/html], [strength=20, mime=text/html], [strength=-20, mime=text/plain]], inferred=T] 1254722770.692804 file_state_remove - [0] f: fa_file = [id=Ft4M3f2yMvLlmwtbq9, parent_id=, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163758, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a\x09}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a\x09}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, 
x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=4], socks=, ssh=, syslog=]\x0a}, last_active=1254722770.692804, seen_bytes=1868, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a
      \x0d\x0a\x0d\x0a

      Hello

      \x0d\x0a\x0d\x0a

       

      \x0d\x0a\x0d\x0a

      I send u smtp pcap file

      \x0d\x0a\x0d\x0a

      Find the attachment

      \x0d\x0a\x0d\x0a

       

      \x0d\x0a\x0d\x0a

      GPS

      \x0d\x0a\x0d\x0a
      \x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a, info=[ts=1254722770.692743, fuid=Ft4M3f2yMvLlmwtbq9, tx_hosts={\x0a\x0910.10.1.4\x0a}, rx_hosts={\x0a\x0974.53.140.153\x0a}, conn_uids={\x0aClEkJM2Vm5giqnMf4h\x0a}, source=SMTP, depth=4, analyzers={\x0a\x0a}, mime_type=text/html, filename=, duration=61.0 usecs, local_orig=, is_orig=T, seen_bytes=1868, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=Ft4M3f2yMvLlmwtbq9, parent_id=, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163758, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a\x09}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a\x09}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=4], socks=, ssh=, syslog=]\x0a}, last_active=1254722770.692804, seen_bytes=1868, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a
      \x0d\x0a\x0d\x0a

      Hello

      \x0d\x0a\x0d\x0a

       

      \x0d\x0a\x0d\x0a

      I send u smtp pcap file

      \x0d\x0a\x0d\x0a

      Find the attachment

      \x0d\x0a\x0d\x0a

       

      \x0d\x0a\x0d\x0a

      GPS

      \x0d\x0a\x0d\x0a
      \x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a, info=[ts=1254722770.692743, fuid=Ft4M3f2yMvLlmwtbq9, tx_hosts={\x0a\x0910.10.1.4\x0a}, rx_hosts={\x0a\x0974.53.140.153\x0a}, conn_uids={\x0aClEkJM2Vm5giqnMf4h\x0a}, source=SMTP, depth=4, analyzers={\x0a\x0a}, mime_type=text/html, filename=, duration=61.0 usecs, local_orig=, is_orig=T, seen_bytes=1868, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] 1254722770.692804 get_file_handle [0] tag: enum = Analyzer::ANALYZER_SMTP - [1] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163758, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=4], socks=, ssh=, syslog=] + [1] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163758, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=4], socks=, ssh=, syslog=] [2] is_orig: bool = F 1254722770.692804 mime_end_entity - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163758, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=4], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163758, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=4], socks=, ssh=, syslog=] 1254722770.692804 get_file_handle [0] tag: enum = Analyzer::ANALYZER_SMTP - [1] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163758, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=4], socks=, ssh=, syslog=] + [1] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163758, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=4], socks=, ssh=, syslog=] [2] is_orig: bool = T 1254722770.692804 get_file_handle [0] tag: enum = Analyzer::ANALYZER_SMTP - [1] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163758, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=4], socks=, ssh=, syslog=] + [1] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163758, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=4], socks=, ssh=, syslog=] [2] is_orig: bool = F 1254722770.692804 mime_begin_entity - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163758, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=4], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163758, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=4], socks=, ssh=, syslog=] 1254722770.692804 mime_one_header - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163758, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163758, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] [1] h: mime_header_rec = [name=CONTENT-TYPE, value=text/plain;\x09name="NEWS.txt"] 1254722770.692804 mime_one_header - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163758, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163758, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] [1] h: mime_header_rec = [name=CONTENT-TRANSFER-ENCODING, value=quoted-printable] 1254722770.692804 mime_one_header - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163758, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163758, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] [1] h: mime_header_rec = [name=CONTENT-DISPOSITION, value=attachment;\x09filename="NEWS.txt"] 1254722770.692804 get_file_handle [0] tag: enum = Analyzer::ANALYZER_SMTP - [1] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163758, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] + [1] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163758, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] [2] is_orig: bool = T 1254722770.692804 file_new - [0] f: fa_file = [id=FL9Y0d45OI4LpS6fmh, parent_id=, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163758, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a\x09}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a\x09}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=]\x0a}, last_active=1254722770.692804, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=FL9Y0d45OI4LpS6fmh, parent_id=, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163758, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a\x09}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a\x09}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=]\x0a}, last_active=1254722770.692804, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, pe=, u2_events=] 1254722770.692804 file_over_new_connection - [0] f: fa_file = [id=FL9Y0d45OI4LpS6fmh, parent_id=, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163758, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a\x09}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a\x09}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=]\x0a}, last_active=1254722770.692804, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1254722770.692804, fuid=FL9Y0d45OI4LpS6fmh, tx_hosts={\x0a\x0a}, rx_hosts={\x0a\x0a}, conn_uids={\x0a\x0a}, source=SMTP, depth=0, analyzers={\x0a\x0a}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=T, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] - [1] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163758, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, 
in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] + [0] f: fa_file = [id=FL9Y0d45OI4LpS6fmh, parent_id=, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163758, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a\x09}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a\x09}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=]\x0a}, last_active=1254722770.692804, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1254722770.692804, fuid=FL9Y0d45OI4LpS6fmh, tx_hosts={\x0a\x0a}, rx_hosts={\x0a\x0a}, conn_uids={\x0a\x0a}, source=SMTP, depth=0, analyzers={\x0a\x0a}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=T, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [1] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163758, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, 
msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] [2] is_orig: bool = T 1254722770.695115 new_connection - [0] c: connection = [id=[orig_h=192.168.1.1, orig_p=3/icmp, resp_h=10.10.1.4, resp_p=4/icmp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:1f:33:d9:81:60], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], start_time=1254722770.695115, duration=0.0, service={\x0a\x0a}, history=, uid=C4J4Th3PJpwUYZZ6gc, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.1.1, orig_p=3/icmp, resp_h=10.10.1.4, resp_p=4/icmp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:1f:33:d9:81:60], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], start_time=1254722770.695115, duration=0.0, service={\x0a\x0a}, history=, uid=C4J4Th3PJpwUYZZ6gc, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, 
syslog=] 1254722771.494181 file_sniff - [0] f: fa_file = [id=FL9Y0d45OI4LpS6fmh, parent_id=, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163758, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a\x09}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a\x09}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=]\x0a}, last_active=1254722771.494181, seen_bytes=4027, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=Version 4.9.9.1\x0d\x0a* Many bug fixes\x0d\x0a* Improved editor\x0d\x0a\x0d\x0aVersion 4.9.9.0\x0d\x0a* Support for latest Mingw compiler system builds\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.9\x0d\x0a* New code tooltip display\x0d\x0a* Improved Indent/Unindent and Remove Comment\x0d\x0a* Improved automatic indent\x0d\x0a* Added support for the "interface" keyword\x0d\x0a* WebUpdate should now report installation problems from PackMan\x0d\x0a* New splash screen and association icons\x0d\x0a* Improved installer\x0d\x0a* Many bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.7\x0d\x0a* Added support for GCC > 3.2\x0d\x0a* Debug variables are now resent during next debug session\x0d\x0a* Watched Variables not in correct context are now kept and updated when it is needed\x0d\x0a* Added new compiler/linker options: \x0d\x0a - Strip executable\x0d\x0a - Generate instructions for a specific machine (i386, i486, i586, i686, pentium, pentium-mmx, pentiumpro, pentium2, pentium3, pentium4, \x0d\x0a k6, k6-2, k6-3, athlon, athlon-tbird, athlon-4, athlon-xp, athlon-mp, winchip-c6, winchip2, k8, c3 and c3-2)\x0d\x0a - Enable use of processor specific built-in functions (mmmx, sse, sse2, pni, 3dnow)\x0d\x0a* "Default" button in Compiler Options is back\x0d\x0a* Error messages parsing improved\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.5\x0d\x0a* Added the possibility to modify the value of a variable during debugging (right click on a watch variable and select "Modify 
value")\x0d\x0a* During Dev-C++ First Time COnfiguration window, users can now choose between using or not class browser and code completion features.\x0d\x0a* Many bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.4\x0d\x0a* Added the possibility to specify an include directory for the code completion cache to be created at Dev-C++ first startup\x0d\x0a* Improved code completion cache\x0d\x0a* WebUpdate will now backup downloaded DevPaks in Dev-C++\Packages directory, and Dev-C++ executable in devcpp.exe.BACKUP\x0d\x0a* Big speed up in function parameters listing while editing\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.3\x0d\x0a* On Dev-C++ first time configuration dialog, a code completion cache of all the standard \x0d\x0a include files can now be generated.\x0d\x0a* Improved WebUpdate module\x0d\x0a* Many bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.2\x0d\x0a* New debug feature for DLLs: attach to a running process\x0d\x0a* New project option: Use custom Makefile. \x0d\x0a* New WebUpdater module.\x0d\x0a* Allow user to specify an alternate configuration file in Environment Options \x0d\x0a (still can be overriden by using "-c" command line parameter).\x0d\x0a* Lots of bug fixes.\x0d\x0a\x0d\x0aVersion 4.9.8.1\x0d\x0a* When creating a DLL, the created static lib respects now the project-defined output directory\x0d\x0a\x0d\x0aVersion 4.9.8.0\x0d\x0a* Changed position of compiler/linker parameters in Project Options.\x0d\x0a* Improved help file\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.9\x0d\x0a* Resource errors are now reported in the Resource sheet\x0d\x0a* Many bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.8\x0d\x0a* Made whole bottom report control floating instead of only debug output.\x0d\x0a* Many bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.7\x0d\x0a* Printing settings are now saved\x0d\x0a* New environment options : "watch variable under mouse" and "Report watch errors"\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.6\x0d\x0a* Debug variable browser\x0d\x0a* Added 
possibility to include in a Template the Project's directories (include, libs and ressources)\x0d\x0a* Changed tint of Class browser pictures colors to match the New Look style\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.5\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.4\x0d\x0a* When compiling with debugging symbols, an extra definition is passed to the\x0d\x0a compiler: -D__DEBUG__\x0d\x0a* Each project creates a _private.h file containing version\x0d\x0a information definitions\x0d\x0a* When compiling the current file only, no dependency checks are performed\x0d\x0a* ~300% Speed-up in class parser\x0d\x0a* Added "External programs" in Tools/Environment Options (for units "Open with")\x0d\x0a* Added "Open with" in project units context menu\x0d\x0a* Added "Classes" toolbar\x0d\x0a* Fixed pre-compilation dependency checks to work correctly\x0d\x0a* Added new file menu entry: Save Project As\x0d\x0a* Bug-fix for double quotes in devcpp.cfg file read by vUpdate\x0d\x0a* Other bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.3\x0d\x0a* When adding debugging symbols on request, remove "-s" option from linker\x0d\x0a* Compiling progress window\x0d\x0a* Environment options : "Show progress window" and "Auto-close progress , info=[ts=1254722770.692804, fuid=FL9Y0d45OI4LpS6fmh, tx_hosts={\x0a\x0910.10.1.4\x0a}, rx_hosts={\x0a\x0974.53.140.153\x0a}, conn_uids={\x0aClEkJM2Vm5giqnMf4h\x0a}, source=SMTP, depth=5, analyzers={\x0a\x0a}, mime_type=, filename=NEWS.txt, duration=0 secs, local_orig=, is_orig=T, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] - [1] meta: fa_metadata = [mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]]] + [0] f: fa_file = [id=FL9Y0d45OI4LpS6fmh, parent_id=, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = 
[id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=4530, state=4, num_pkts=11, num_bytes_ip=3518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=10, num_bytes_ip=870, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.163758, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a\x09}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a\x09}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=]\x0a}, last_active=1254722771.494181, seen_bytes=4027, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=Version 4.9.9.1\x0d\x0a* Many bug fixes\x0d\x0a* Improved editor\x0d\x0a\x0d\x0aVersion 4.9.9.0\x0d\x0a* Support for latest Mingw compiler system builds\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.9\x0d\x0a* New code tooltip display\x0d\x0a* Improved Indent/Unindent and Remove Comment\x0d\x0a* Improved automatic indent\x0d\x0a* Added support for the "interface" keyword\x0d\x0a* WebUpdate should now report installation problems from PackMan\x0d\x0a* New splash screen and association icons\x0d\x0a* Improved installer\x0d\x0a* Many bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.7\x0d\x0a* Added support for GCC > 3.2\x0d\x0a* Debug variables are now resent during next debug session\x0d\x0a* Watched Variables not in correct context are now kept and updated when it is needed\x0d\x0a* Added new compiler/linker options: \x0d\x0a - Strip executable\x0d\x0a - Generate instructions for a specific machine (i386, i486, i586, i686, pentium, pentium-mmx, pentiumpro, pentium2, pentium3, pentium4, \x0d\x0a k6, k6-2, k6-3, athlon, athlon-tbird, athlon-4, athlon-xp, athlon-mp, winchip-c6, winchip2, k8, c3 and c3-2)\x0d\x0a - Enable use of processor specific built-in functions (mmmx, sse, sse2, pni, 3dnow)\x0d\x0a* "Default" button in Compiler Options is back\x0d\x0a* Error messages parsing improved\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.5\x0d\x0a* Added the possibility to modify the value of a variable during debugging (right click on a watch variable and select "Modify 
value")\x0d\x0a* During Dev-C++ First Time COnfiguration window, users can now choose between using or not class browser and code completion features.\x0d\x0a* Many bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.4\x0d\x0a* Added the possibility to specify an include directory for the code completion cache to be created at Dev-C++ first startup\x0d\x0a* Improved code completion cache\x0d\x0a* WebUpdate will now backup downloaded DevPaks in Dev-C++\Packages directory, and Dev-C++ executable in devcpp.exe.BACKUP\x0d\x0a* Big speed up in function parameters listing while editing\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.3\x0d\x0a* On Dev-C++ first time configuration dialog, a code completion cache of all the standard \x0d\x0a include files can now be generated.\x0d\x0a* Improved WebUpdate module\x0d\x0a* Many bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.2\x0d\x0a* New debug feature for DLLs: attach to a running process\x0d\x0a* New project option: Use custom Makefile. \x0d\x0a* New WebUpdater module.\x0d\x0a* Allow user to specify an alternate configuration file in Environment Options \x0d\x0a (still can be overriden by using "-c" command line parameter).\x0d\x0a* Lots of bug fixes.\x0d\x0a\x0d\x0aVersion 4.9.8.1\x0d\x0a* When creating a DLL, the created static lib respects now the project-defined output directory\x0d\x0a\x0d\x0aVersion 4.9.8.0\x0d\x0a* Changed position of compiler/linker parameters in Project Options.\x0d\x0a* Improved help file\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.9\x0d\x0a* Resource errors are now reported in the Resource sheet\x0d\x0a* Many bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.8\x0d\x0a* Made whole bottom report control floating instead of only debug output.\x0d\x0a* Many bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.7\x0d\x0a* Printing settings are now saved\x0d\x0a* New environment options : "watch variable under mouse" and "Report watch errors"\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.6\x0d\x0a* Debug variable browser\x0d\x0a* Added 
possibility to include in a Template the Project's directories (include, libs and ressources)\x0d\x0a* Changed tint of Class browser pictures colors to match the New Look style\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.5\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.4\x0d\x0a* When compiling with debugging symbols, an extra definition is passed to the\x0d\x0a compiler: -D__DEBUG__\x0d\x0a* Each project creates a _private.h file containing version\x0d\x0a information definitions\x0d\x0a* When compiling the current file only, no dependency checks are performed\x0d\x0a* ~300% Speed-up in class parser\x0d\x0a* Added "External programs" in Tools/Environment Options (for units "Open with")\x0d\x0a* Added "Open with" in project units context menu\x0d\x0a* Added "Classes" toolbar\x0d\x0a* Fixed pre-compilation dependency checks to work correctly\x0d\x0a* Added new file menu entry: Save Project As\x0d\x0a* Bug-fix for double quotes in devcpp.cfg file read by vUpdate\x0d\x0a* Other bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.3\x0d\x0a* When adding debugging symbols on request, remove "-s" option from linker\x0d\x0a* Compiling progress window\x0d\x0a* Environment options : "Show progress window" and "Auto-close progress , info=[ts=1254722770.692804, fuid=FL9Y0d45OI4LpS6fmh, tx_hosts={\x0a\x0910.10.1.4\x0a}, rx_hosts={\x0a\x0974.53.140.153\x0a}, conn_uids={\x0aClEkJM2Vm5giqnMf4h\x0a}, source=SMTP, depth=5, analyzers={\x0a\x0a}, mime_type=, filename=NEWS.txt, duration=0 secs, local_orig=, is_orig=T, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [1] meta: fa_metadata = [mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], inferred=T] 1254722771.858334 mime_end_entity - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, 
num_bytes_ip=21438, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=4.329288, service={\x0aSMTP\x0a}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=4.329288, service={\x0aSMTP\x0a}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=NEWS.txt], fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] 1254722771.858334 get_file_handle [0] tag: enum = Analyzer::ANALYZER_SMTP - [1] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=4.329288, service={\x0aSMTP\x0a}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] + [1] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=4.329288, service={\x0aSMTP\x0a}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] [2] is_orig: bool = T 1254722771.858334 file_state_remove - [0] f: fa_file = [id=FL9Y0d45OI4LpS6fmh, parent_id=, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=4.329288, service={\x0aSMTP\x0a\x09}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a\x09}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a\x09}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=]\x0a}, last_active=1254722771.858316, seen_bytes=10809, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=Version 4.9.9.1\x0d\x0a* Many bug fixes\x0d\x0a* Improved editor\x0d\x0a\x0d\x0aVersion 4.9.9.0\x0d\x0a* Support for latest Mingw compiler system builds\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.9\x0d\x0a* New code tooltip display\x0d\x0a* Improved Indent/Unindent and Remove Comment\x0d\x0a* Improved automatic indent\x0d\x0a* Added support for the "interface" keyword\x0d\x0a* WebUpdate should now report installation problems from PackMan\x0d\x0a* New splash screen and association icons\x0d\x0a* Improved installer\x0d\x0a* Many bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.7\x0d\x0a* Added support for GCC > 3.2\x0d\x0a* Debug variables are now resent during next debug session\x0d\x0a* Watched Variables not in correct context are now kept and updated when it is needed\x0d\x0a* Added new compiler/linker options: \x0d\x0a - Strip executable\x0d\x0a - Generate instructions for a specific machine (i386, i486, i586, i686, pentium, pentium-mmx, pentiumpro, pentium2, pentium3, pentium4, \x0d\x0a k6, k6-2, k6-3, athlon, athlon-tbird, athlon-4, athlon-xp, athlon-mp, winchip-c6, winchip2, k8, c3 and c3-2)\x0d\x0a - Enable use of processor specific built-in functions (mmmx, sse, sse2, pni, 3dnow)\x0d\x0a* "Default" button in Compiler Options is back\x0d\x0a* Error messages parsing improved\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.5\x0d\x0a* Added the possibility to modify the value of a variable during debugging (right click on a watch variable and select "Modify value")\x0d\x0a* During 
Dev-C++ First Time COnfiguration window, users can now choose between using or not class browser and code completion features.\x0d\x0a* Many bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.4\x0d\x0a* Added the possibility to specify an include directory for the code completion cache to be created at Dev-C++ first startup\x0d\x0a* Improved code completion cache\x0d\x0a* WebUpdate will now backup downloaded DevPaks in Dev-C++\Packages directory, and Dev-C++ executable in devcpp.exe.BACKUP\x0d\x0a* Big speed up in function parameters listing while editing\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.3\x0d\x0a* On Dev-C++ first time configuration dialog, a code completion cache of all the standard \x0d\x0a include files can now be generated.\x0d\x0a* Improved WebUpdate module\x0d\x0a* Many bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.2\x0d\x0a* New debug feature for DLLs: attach to a running process\x0d\x0a* New project option: Use custom Makefile. \x0d\x0a* New WebUpdater module.\x0d\x0a* Allow user to specify an alternate configuration file in Environment Options \x0d\x0a (still can be overriden by using "-c" command line parameter).\x0d\x0a* Lots of bug fixes.\x0d\x0a\x0d\x0aVersion 4.9.8.1\x0d\x0a* When creating a DLL, the created static lib respects now the project-defined output directory\x0d\x0a\x0d\x0aVersion 4.9.8.0\x0d\x0a* Changed position of compiler/linker parameters in Project Options.\x0d\x0a* Improved help file\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.9\x0d\x0a* Resource errors are now reported in the Resource sheet\x0d\x0a* Many bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.8\x0d\x0a* Made whole bottom report control floating instead of only debug output.\x0d\x0a* Many bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.7\x0d\x0a* Printing settings are now saved\x0d\x0a* New environment options : "watch variable under mouse" and "Report watch errors"\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.6\x0d\x0a* Debug variable browser\x0d\x0a* Added possibility to include in a 
Template the Project's directories (include, libs and ressources)\x0d\x0a* Changed tint of Class browser pictures colors to match the New Look style\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.5\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.4\x0d\x0a* When compiling with debugging symbols, an extra definition is passed to the\x0d\x0a compiler: -D__DEBUG__\x0d\x0a* Each project creates a _private.h file containing version\x0d\x0a information definitions\x0d\x0a* When compiling the current file only, no dependency checks are performed\x0d\x0a* ~300% Speed-up in class parser\x0d\x0a* Added "External programs" in Tools/Environment Options (for units "Open with")\x0d\x0a* Added "Open with" in project units context menu\x0d\x0a* Added "Classes" toolbar\x0d\x0a* Fixed pre-compilation dependency checks to work correctly\x0d\x0a* Added new file menu entry: Save Project As\x0d\x0a* Bug-fix for double quotes in devcpp.cfg file read by vUpdate\x0d\x0a* Other bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.3\x0d\x0a* When adding debugging symbols on request, remove "-s" option from linker\x0d\x0a* Compiling progress window\x0d\x0a* Environment options : "Show progress window" and "Auto-close progress , info=[ts=1254722770.692804, fuid=FL9Y0d45OI4LpS6fmh, tx_hosts={\x0a\x0910.10.1.4\x0a}, rx_hosts={\x0a\x0974.53.140.153\x0a}, conn_uids={\x0aClEkJM2Vm5giqnMf4h\x0a}, source=SMTP, depth=5, analyzers={\x0a\x0a}, mime_type=text/plain, filename=NEWS.txt, duration=801.0 msecs 376.0 usecs, local_orig=, is_orig=T, seen_bytes=4027, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=FL9Y0d45OI4LpS6fmh, parent_id=, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp]] = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, 
num_pkts=23, num_bytes_ip=21438, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=4.329288, service={\x0aSMTP\x0a\x09}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a\x09}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a\x09}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=]\x0a}, last_active=1254722771.858316, seen_bytes=10809, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=Version 4.9.9.1\x0d\x0a* Many bug fixes\x0d\x0a* Improved editor\x0d\x0a\x0d\x0aVersion 4.9.9.0\x0d\x0a* Support for latest Mingw compiler system builds\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.9\x0d\x0a* New code tooltip display\x0d\x0a* Improved Indent/Unindent and Remove Comment\x0d\x0a* Improved automatic indent\x0d\x0a* Added support for the "interface" keyword\x0d\x0a* WebUpdate should now report installation problems from PackMan\x0d\x0a* New splash screen and association icons\x0d\x0a* Improved installer\x0d\x0a* Many bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.7\x0d\x0a* Added support for GCC > 3.2\x0d\x0a* Debug variables are now resent during next debug session\x0d\x0a* Watched Variables not in correct context are now kept and updated when it is needed\x0d\x0a* Added new compiler/linker options: \x0d\x0a - Strip executable\x0d\x0a - Generate instructions for a specific machine (i386, i486, i586, i686, pentium, pentium-mmx, pentiumpro, pentium2, pentium3, pentium4, \x0d\x0a k6, k6-2, k6-3, athlon, athlon-tbird, athlon-4, athlon-xp, athlon-mp, winchip-c6, winchip2, k8, c3 and c3-2)\x0d\x0a - Enable use of processor specific built-in functions (mmmx, sse, sse2, pni, 3dnow)\x0d\x0a* "Default" button in Compiler Options is back\x0d\x0a* Error messages parsing improved\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.5\x0d\x0a* Added the possibility to modify the value of a variable during debugging (right click on a watch variable and select "Modify value")\x0d\x0a* During 
Dev-C++ First Time COnfiguration window, users can now choose between using or not class browser and code completion features.\x0d\x0a* Many bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.4\x0d\x0a* Added the possibility to specify an include directory for the code completion cache to be created at Dev-C++ first startup\x0d\x0a* Improved code completion cache\x0d\x0a* WebUpdate will now backup downloaded DevPaks in Dev-C++\Packages directory, and Dev-C++ executable in devcpp.exe.BACKUP\x0d\x0a* Big speed up in function parameters listing while editing\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.3\x0d\x0a* On Dev-C++ first time configuration dialog, a code completion cache of all the standard \x0d\x0a include files can now be generated.\x0d\x0a* Improved WebUpdate module\x0d\x0a* Many bug fixes\x0d\x0a\x0d\x0aVersion 4.9.8.2\x0d\x0a* New debug feature for DLLs: attach to a running process\x0d\x0a* New project option: Use custom Makefile. \x0d\x0a* New WebUpdater module.\x0d\x0a* Allow user to specify an alternate configuration file in Environment Options \x0d\x0a (still can be overriden by using "-c" command line parameter).\x0d\x0a* Lots of bug fixes.\x0d\x0a\x0d\x0aVersion 4.9.8.1\x0d\x0a* When creating a DLL, the created static lib respects now the project-defined output directory\x0d\x0a\x0d\x0aVersion 4.9.8.0\x0d\x0a* Changed position of compiler/linker parameters in Project Options.\x0d\x0a* Improved help file\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.9\x0d\x0a* Resource errors are now reported in the Resource sheet\x0d\x0a* Many bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.8\x0d\x0a* Made whole bottom report control floating instead of only debug output.\x0d\x0a* Many bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.7\x0d\x0a* Printing settings are now saved\x0d\x0a* New environment options : "watch variable under mouse" and "Report watch errors"\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.6\x0d\x0a* Debug variable browser\x0d\x0a* Added possibility to include in a 
Template the Project's directories (include, libs and ressources)\x0d\x0a* Changed tint of Class browser pictures colors to match the New Look style\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.5\x0d\x0a* Bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.4\x0d\x0a* When compiling with debugging symbols, an extra definition is passed to the\x0d\x0a compiler: -D__DEBUG__\x0d\x0a* Each project creates a _private.h file containing version\x0d\x0a information definitions\x0d\x0a* When compiling the current file only, no dependency checks are performed\x0d\x0a* ~300% Speed-up in class parser\x0d\x0a* Added "External programs" in Tools/Environment Options (for units "Open with")\x0d\x0a* Added "Open with" in project units context menu\x0d\x0a* Added "Classes" toolbar\x0d\x0a* Fixed pre-compilation dependency checks to work correctly\x0d\x0a* Added new file menu entry: Save Project As\x0d\x0a* Bug-fix for double quotes in devcpp.cfg file read by vUpdate\x0d\x0a* Other bug fixes\x0d\x0a\x0d\x0aVersion 4.9.7.3\x0d\x0a* When adding debugging symbols on request, remove "-s" option from linker\x0d\x0a* Compiling progress window\x0d\x0a* Environment options : "Show progress window" and "Auto-close progress , info=[ts=1254722770.692804, fuid=FL9Y0d45OI4LpS6fmh, tx_hosts={\x0a\x0910.10.1.4\x0a}, rx_hosts={\x0a\x0974.53.140.153\x0a}, conn_uids={\x0aClEkJM2Vm5giqnMf4h\x0a}, source=SMTP, depth=5, analyzers={\x0a\x0a}, mime_type=text/plain, filename=NEWS.txt, duration=801.0 msecs 376.0 usecs, local_orig=, is_orig=T, seen_bytes=4027, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] 1254722771.858334 get_file_handle [0] tag: enum = Analyzer::ANALYZER_SMTP - [1] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], 
resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=4.329288, service={\x0aSMTP\x0a}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] + [1] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=4.329288, service={\x0aSMTP\x0a}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] [2] is_orig: bool = F 1254722771.858334 mime_end_entity - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=4.329288, service={\x0aSMTP\x0a}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=4.329288, service={\x0aSMTP\x0a}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] 1254722771.858334 get_file_handle [0] tag: enum = Analyzer::ANALYZER_SMTP - [1] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=4.329288, service={\x0aSMTP\x0a}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] + [1] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=4.329288, service={\x0aSMTP\x0a}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] [2] is_orig: bool = T 1254722771.858334 get_file_handle [0] tag: enum = Analyzer::ANALYZER_SMTP - [1] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=4.329288, service={\x0aSMTP\x0a}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] + [1] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=4.329288, service={\x0aSMTP\x0a}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] [2] is_orig: bool = F 1254722771.858334 get_file_handle [0] tag: enum = Analyzer::ANALYZER_SMTP - [1] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=4.329288, service={\x0aSMTP\x0a}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] + [1] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=4.329288, service={\x0aSMTP\x0a}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] [2] is_orig: bool = T 1254722771.858334 get_file_handle [0] tag: enum = Analyzer::ANALYZER_SMTP - [1] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=4.329288, service={\x0aSMTP\x0a}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] + [1] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=4.329288, service={\x0aSMTP\x0a}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] [2] is_orig: bool = F 1254722771.858334 smtp_request - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=4.329288, service={\x0aSMTP\x0a}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=4.329288, service={\x0aSMTP\x0a}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] [1] is_orig: bool = T [2] command: string = . [3] arg: string = . 
1254722772.248789 smtp_reply - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=24, num_bytes_ip=21507, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=490, state=4, num_pkts=21, num_bytes_ip=1310, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=4.719743, service={\x0aSMTP\x0a}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=24, num_bytes_ip=21507, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=490, state=4, num_pkts=21, num_bytes_ip=1310, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=4.719743, service={\x0aSMTP\x0a}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] [1] is_orig: bool = F [2] code: count = 250 [3] cmd: string = . 
@@ -471,13 +471,13 @@ [5] cont_resp: bool = F 1254722774.763825 smtp_request - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14705, state=4, num_pkts=25, num_bytes_ip=21547, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=490, state=4, num_pkts=22, num_bytes_ip=1378, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=7.234779, service={\x0aSMTP\x0a}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722772.248789, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=2, helo=GP, mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=1, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14705, state=4, num_pkts=25, num_bytes_ip=21547, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=490, state=4, num_pkts=22, num_bytes_ip=1378, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=7.234779, service={\x0aSMTP\x0a}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, 
radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722772.248789, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=2, helo=GP, mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=1, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] [1] is_orig: bool = T [2] command: string = QUIT [3] arg: string = 1254722775.105467 smtp_reply - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14705, state=5, num_pkts=27, num_bytes_ip=21633, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=538, state=4, num_pkts=22, num_bytes_ip=1378, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=7.576421, service={\x0aSMTP\x0a}, history=ShAdDaTF, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722772.248789, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=2, helo=GP, mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=1, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, 
resp_p=25/tcp], orig=[size=14705, state=5, num_pkts=27, num_bytes_ip=21633, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=538, state=4, num_pkts=22, num_bytes_ip=1378, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=7.576421, service={\x0aSMTP\x0a}, history=ShAdDaTF, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722772.248789, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=2, helo=GP, mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=1, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] [1] is_orig: bool = F [2] code: count = 221 [3] cmd: string = QUIT 
@@ -485,36 +485,36 @@ [5] cont_resp: bool = F 1254722776.690444 new_connection - [0] c: connection = [id=[orig_h=10.10.1.20, orig_p=138/udp, resp_h=10.10.1.255, resp_p=138/udp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:02:3f:ec:61:11], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=ff:ff:ff:ff:ff:ff], start_time=1254722776.690444, duration=0.0, service={\x0a\x0a}, history=, uid=CtPZjS20MLrsMUOJi2, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.20, orig_p=138/udp, resp_h=10.10.1.255, resp_p=138/udp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:02:3f:ec:61:11], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=ff:ff:ff:ff:ff:ff], start_time=1254722776.690444, duration=0.0, service={\x0a\x0a}, history=, uid=CtPZjS20MLrsMUOJi2, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] 1437831776.764391 ChecksumOffloading::check 1437831776.764391 connection_state_remove - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=1, num_bytes_ip=62, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=100, state=1, num_pkts=1, num_bytes_ip=128, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.49206, duration=0.034025, service={\x0aDNS\x0a}, history=Dd, 
uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=[pending_queries={\x0a\x0a}, pending_replies={\x0a\x0a}], ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=1, num_bytes_ip=62, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=100, state=1, num_pkts=1, num_bytes_ip=128, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.49206, duration=0.034025, service={\x0aDNS\x0a}, history=Dd, uid=CHhAvVGS1DHFjwGM9, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=[pending_queries={\x0a\x0a}, pending_replies={\x0a\x0a}], ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] 1437831776.764391 connection_state_remove - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14705, state=5, num_pkts=28, num_bytes_ip=21673, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=538, state=5, num_pkts=25, num_bytes_ip=1546, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=7.576953, service={\x0aSMTP\x0a}, history=ShAdDaTFf, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722772.248789, 
uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=2, helo=GP, mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=221 xc90.websitewelcome.com closing connection, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=1, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14705, state=5, num_pkts=28, num_bytes_ip=21673, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=538, state=5, num_pkts=25, num_bytes_ip=1546, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=7.576953, service={\x0aSMTP\x0a}, history=ShAdDaTFf, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722772.248789, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=2, helo=GP, mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=221 xc90.websitewelcome.com closing connection, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=1, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] 1437831776.764391 connection_state_remove - [0] c: connection = [id=[orig_h=192.168.1.1, orig_p=3/icmp, resp_h=10.10.1.4, resp_p=4/icmp], 
orig=[size=2192, state=1, num_pkts=4, num_bytes_ip=2304, flow_label=0, l2_addr=00:1f:33:d9:81:60], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], start_time=1254722770.695115, duration=0.001519, service={\x0a\x0a}, history=, uid=C4J4Th3PJpwUYZZ6gc, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.1.1, orig_p=3/icmp, resp_h=10.10.1.4, resp_p=4/icmp], orig=[size=2192, state=1, num_pkts=4, num_bytes_ip=2304, flow_label=0, l2_addr=00:1f:33:d9:81:60], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], start_time=1254722770.695115, duration=0.001519, service={\x0a\x0a}, history=, uid=C4J4Th3PJpwUYZZ6gc, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] 1437831776.764391 connection_state_remove - [0] c: connection = [id=[orig_h=10.10.1.20, orig_p=138/udp, resp_h=10.10.1.255, resp_p=138/udp], orig=[size=201, state=1, num_pkts=1, num_bytes_ip=229, flow_label=0, l2_addr=00:02:3f:ec:61:11], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=ff:ff:ff:ff:ff:ff], start_time=1254722776.690444, duration=0.0, service={\x0a\x0a}, history=D, uid=CtPZjS20MLrsMUOJi2, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, 
http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.20, orig_p=138/udp, resp_h=10.10.1.255, resp_p=138/udp], orig=[size=201, state=1, num_pkts=1, num_bytes_ip=229, flow_label=0, l2_addr=00:02:3f:ec:61:11], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=ff:ff:ff:ff:ff:ff], start_time=1254722776.690444, duration=0.0, service={\x0a\x0a}, history=D, uid=CtPZjS20MLrsMUOJi2, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] 1437831776.764391 filter_change_tracking 1437831776.764391 new_connection - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49285/tcp, resp_h=66.196.121.26, resp_p=5050/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831776.764391, duration=0.0, service={\x0a\x0a}, history=, uid=CUM0KZ3MLUfNB0cl11, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49285/tcp, resp_h=66.196.121.26, resp_p=5050/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=cc:b2:55:f4:62:92], 
start_time=1437831776.764391, duration=0.0, service={\x0a\x0a}, history=, uid=CUM0KZ3MLUfNB0cl11, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] 1437831777.107399 partial_connection - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49285/tcp, resp_h=66.196.121.26, resp_p=5050/tcp], orig=[size=41, state=3, num_pkts=1, num_bytes_ip=93, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=3, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831776.764391, duration=0.343008, service={\x0a\x0a}, history=Da, uid=CUM0KZ3MLUfNB0cl11, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49285/tcp, resp_h=66.196.121.26, resp_p=5050/tcp], orig=[size=41, state=3, num_pkts=1, num_bytes_ip=93, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=3, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831776.764391, duration=0.343008, service={\x0a\x0a}, history=Da, uid=CUM0KZ3MLUfNB0cl11, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] 1437831787.856895 
new_connection - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.0, service={\x0a\x0a}, history=, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.0, service={\x0a\x0a}, history=, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] 1437831787.861602 connection_established - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.004707, service={\x0a\x0a}, history=Sh, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, 
thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.004707, service={\x0a\x0a}, history=Sh, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] 1437831787.867142 smtp_reply - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=35, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.010247, service={\x0a\x0a}, history=ShAd, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=58:b0:35:86:54:8d], 
resp=[size=35, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.010247, service={\x0a\x0a}, history=ShAd, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] [1] is_orig: bool = F [2] code: count = 220 [3] cmd: string = 
> @@ -522,18 +522,18 @@ [5] cont_resp: bool = F 1437831787.883306 protocol_confirmation - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=24, state=4, num_pkts=3, num_bytes_ip=168, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=35, state=4, num_pkts=2, num_bytes_ip=147, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.026411, service={\x0a\x0a}, history=ShAdD, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=, mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=220 uprise ESMTP SubEthaSMTP null, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=24, state=4, num_pkts=3, num_bytes_ip=168, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=35, state=4, num_pkts=2, num_bytes_ip=147, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.026411, service={\x0a\x0a}, history=ShAdD, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, 
modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=, mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=220 uprise ESMTP SubEthaSMTP null, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] atype: enum = Analyzer::ANALYZER_SMTP [2] aid: count = 21 1437831787.883306 smtp_request - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=24, state=4, num_pkts=3, num_bytes_ip=168, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=35, state=4, num_pkts=2, num_bytes_ip=147, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.026411, service={\x0aSMTP\x0a}, history=ShAdD, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=, mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=220 uprise ESMTP SubEthaSMTP null, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=, messages_transferred=0, pending_messages=, 
mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=24, state=4, num_pkts=3, num_bytes_ip=168, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=35, state=4, num_pkts=2, num_bytes_ip=147, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.026411, service={\x0aSMTP\x0a}, history=ShAdD, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=, mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=220 uprise ESMTP SubEthaSMTP null, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = T [2] command: string = EHLO [3] arg: string = [192.168.133.100] 1437831787.886281 smtp_reply - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=24, state=4, num_pkts=4, num_bytes_ip=244, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=85, state=4, num_pkts=3, num_bytes_ip=199, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.029386, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, 
dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=220 uprise ESMTP SubEthaSMTP null, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=24, state=4, num_pkts=4, num_bytes_ip=244, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=85, state=4, num_pkts=3, num_bytes_ip=199, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.029386, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=220 uprise ESMTP SubEthaSMTP null, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], 
smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = F [2] code: count = 250 [3] cmd: string = EHLO 
@@ -541,7 +541,7 @@ [5] cont_resp: bool = T 1437831787.886281 smtp_reply - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=24, state=4, num_pkts=4, num_bytes_ip=244, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=85, state=4, num_pkts=3, num_bytes_ip=199, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.029386, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 uprise, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=24, state=4, num_pkts=4, num_bytes_ip=244, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=85, state=4, num_pkts=3, num_bytes_ip=199, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.029386, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, 
krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 uprise, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = F [2] code: count = 250 [3] cmd: string = EHLO 
@@ -549,7 +549,7 @@ [5] cont_resp: bool = T 1437831787.886281 smtp_reply - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=24, state=4, num_pkts=4, num_bytes_ip=244, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=85, state=4, num_pkts=3, num_bytes_ip=199, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.029386, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 8BITMIME, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=24, state=4, num_pkts=4, num_bytes_ip=244, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=85, state=4, num_pkts=3, num_bytes_ip=199, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.029386, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, 
krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 8BITMIME, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = F [2] code: count = 250 [3] cmd: string = EHLO 
@@ -557,7 +557,7 @@ [5] cont_resp: bool = T 1437831787.886281 smtp_reply - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=24, state=4, num_pkts=4, num_bytes_ip=244, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=85, state=4, num_pkts=3, num_bytes_ip=199, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.029386, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 AUTH LOGIN, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=24, state=4, num_pkts=4, num_bytes_ip=244, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=85, state=4, num_pkts=3, num_bytes_ip=199, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.029386, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, 
irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 AUTH LOGIN, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = F [2] code: count = 250 [3] cmd: string = EHLO 
@@ -565,13 +565,13 @@ [5] cont_resp: bool = F 1437831787.887031 smtp_request - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=56, state=4, num_pkts=5, num_bytes_ip=296, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=85, state=4, num_pkts=4, num_bytes_ip=301, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.030136, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=56, state=4, num_pkts=5, num_bytes_ip=296, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=85, state=4, num_pkts=4, num_bytes_ip=301, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.030136, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, 
krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = T [2] command: string = MAIL [3] arg: string = FROM: 1437831787.889785 smtp_reply - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=56, state=4, num_pkts=6, num_bytes_ip=380, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=93, state=4, num_pkts=4, num_bytes_ip=301, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.03289, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[]], smtp_state=[helo=[192.168.133.100], 
messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=56, state=4, num_pkts=6, num_bytes_ip=380, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=93, state=4, num_pkts=4, num_bytes_ip=301, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.03289, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = F [2] code: count = 250 [3] cmd: string = MAIL 
@@ -579,13 +579,13 @@ [5] cont_resp: bool = F 1437831787.890232 smtp_request - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=88, state=4, num_pkts=7, num_bytes_ip=432, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=93, state=4, num_pkts=5, num_bytes_ip=361, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.033337, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=88, state=4, num_pkts=7, num_bytes_ip=432, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=93, state=4, num_pkts=5, num_bytes_ip=361, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.033337, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, 
http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = T [2] command: string = RCPT [3] arg: string = TO: 1437831787.892986 smtp_reply - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=88, state=4, num_pkts=8, num_bytes_ip=516, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=101, state=4, num_pkts=5, num_bytes_ip=361, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.036091, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0aericlim220@yahoo.com\x0a}, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, 
has_client_activity=T, entity=, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=88, state=4, num_pkts=8, num_bytes_ip=516, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=101, state=4, num_pkts=5, num_bytes_ip=361, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.036091, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0aericlim220@yahoo.com\x0a}, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = F [2] code: count = 250 [3] cmd: string = RCPT 
@@ -593,13 +593,13 @@ [5] cont_resp: bool = F 1437831787.893587 smtp_request - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=121, state=4, num_pkts=9, num_bytes_ip=568, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=101, state=4, num_pkts=6, num_bytes_ip=421, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.036692, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0aericlim220@yahoo.com\x0a}, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=121, state=4, num_pkts=9, num_bytes_ip=568, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=101, state=4, num_pkts=6, num_bytes_ip=421, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.036692, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, 
ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0aericlim220@yahoo.com\x0a}, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = T [2] command: string = RCPT [3] arg: string = TO: 1437831787.897624 smtp_reply - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=121, state=4, num_pkts=10, num_bytes_ip=653, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=109, state=4, num_pkts=6, num_bytes_ip=421, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.040729, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 Ok, 
path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=121, state=4, num_pkts=10, num_bytes_ip=653, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=109, state=4, num_pkts=6, num_bytes_ip=421, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.040729, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = F [2] code: count = 250 [3] cmd: string = RCPT 
@@ -607,13 +607,13 @@ [5] cont_resp: bool = F 1437831787.898413 smtp_request - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=156, state=4, num_pkts=11, num_bytes_ip=705, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=109, state=4, num_pkts=7, num_bytes_ip=481, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.041518, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=156, state=4, num_pkts=11, num_bytes_ip=705, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=109, state=4, num_pkts=7, num_bytes_ip=481, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.041518, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, 
dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = T [2] command: string = RCPT [3] arg: string = TO: 1437831787.901069 smtp_reply - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=156, state=4, num_pkts=12, num_bytes_ip=792, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=117, state=4, num_pkts=7, num_bytes_ip=481, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.044174, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, 
x_originating_ip=, first_received=, second_received=, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=156, state=4, num_pkts=12, num_bytes_ip=792, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=117, state=4, num_pkts=7, num_bytes_ip=481, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.044174, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = F [2] code: count = 250 [3] cmd: string = RCPT 
@@ -621,16 +621,16 @@ [5] cont_resp: bool = F 1437831787.901697 smtp_request - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=162, state=4, num_pkts=13, num_bytes_ip=844, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=117, state=4, num_pkts=8, num_bytes_ip=541, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.044802, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=162, state=4, num_pkts=13, num_bytes_ip=844, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=117, state=4, num_pkts=8, num_bytes_ip=541, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.044802, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, 
dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = T [2] command: string = DATA [3] arg: string = 1437831787.901697 mime_begin_entity - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=162, state=4, num_pkts=13, num_bytes_ip=844, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=117, state=4, num_pkts=8, num_bytes_ip=541, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.044802, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=, 
from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=162, state=4, num_pkts=13, num_bytes_ip=844, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=117, state=4, num_pkts=8, num_bytes_ip=541, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.044802, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] 1437831787.904758 smtp_reply - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=162, state=4, num_pkts=14, num_bytes_ip=902, flow_label=0, 
l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=8, num_bytes_ip=541, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.047863, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=162, state=4, num_pkts=14, num_bytes_ip=902, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=8, num_bytes_ip=541, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.047863, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, 
id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] [1] is_orig: bool = F [2] code: count = 354 [3] cmd: string = DATA 
@@ -638,104 +638,104 @@ [5] cont_resp: bool = F 1437831787.905375 mime_one_header - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=354 End data with ., path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, 
dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=354 End data with ., path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] [1] h: mime_header_rec = [name=CONTENT-TYPE, value=text/plain; charset=us-ascii] 1437831787.905375 mime_one_header - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, 
rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=354 End data with ., path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=354 End data with ., path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] [1] h: mime_header_rec = [name=MIME-VERSION, value=1.0 (Mac OS X 
Mail 8.2 \(2102\))] 1437831787.905375 mime_one_header - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=354 End data with ., path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, 
dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=354 End data with ., path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] [1] h: mime_header_rec = [name=SUBJECT, value=Re: Bro SMTP CC Header] 1437831787.905375 mime_one_header - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, 
rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=Re: Bro SMTP CC Header, x_originating_ip=, first_received=, second_received=, last_reply=354 End data with ., path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=Re: Bro SMTP CC Header, x_originating_ip=, first_received=, second_received=, last_reply=354 End data with ., path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] [1] h: mime_header_rec 
= [name=FROM, value=Albert Zaharovits ] 1437831787.905375 mime_one_header - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=, from=Albert Zaharovits , to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=Re: Bro SMTP CC Header, x_originating_ip=, first_received=, second_received=, last_reply=354 End data with ., path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, 
extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=, from=Albert Zaharovits , to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=Re: Bro SMTP CC Header, x_originating_ip=, first_received=, second_received=, last_reply=354 End data with ., path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] [1] h: mime_header_rec = [name=IN-REPLY-TO, value=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>] 1437831787.905375 mime_one_header - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], 
trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=, from=Albert Zaharovits , to=, cc=, reply_to=, msg_id=, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=, first_received=, second_received=, last_reply=354 End data with ., path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=, from=Albert Zaharovits , to=, cc=, reply_to=, msg_id=, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=, first_received=, second_received=, last_reply=354 End data with ., path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, 
process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] [1] h: mime_header_rec = [name=DATE, value=Sat, 25 Jul 2015 16:43:07 +0300] 1437831787.905375 mime_one_header - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits , to=, cc=, reply_to=, msg_id=, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=, first_received=, second_received=, last_reply=354 End data with ., path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, 
num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits , to=, cc=, reply_to=, msg_id=, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=, first_received=, second_received=, last_reply=354 End data with ., path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] [1] h: mime_header_rec = [name=CC, value=felica4uu@hotmail.com, davis_mark1@outlook.com] 1437831787.905375 mime_one_header - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, 
extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits , to=, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a}, reply_to=, msg_id=, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=, first_received=, second_received=, last_reply=354 End data with ., path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, 
helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits , to=, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a}, reply_to=, msg_id=, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=, first_received=, second_received=, last_reply=354 End data with ., path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] [1] h: mime_header_rec = [name=CONTENT-TRANSFER-ENCODING, value=7bit] 1437831787.905375 mime_one_header - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits , to=, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a}, reply_to=, msg_id=, 
in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=, first_received=, second_received=, last_reply=354 End data with ., path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits , to=, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a}, reply_to=, msg_id=, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=, first_received=, second_received=, last_reply=354 End data with ., path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, 
pending_messages=, mime_depth=1], socks=, ssh=, syslog=] [1] h: mime_header_rec = [name=MESSAGE-ID, value=] 1437831787.905375 mime_one_header - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits , to=, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a}, reply_to=, msg_id=, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=, first_received=, second_received=, last_reply=354 End data with ., path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, 
num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits , to=, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a}, reply_to=, msg_id=, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=, first_received=, second_received=, last_reply=354 End data with ., path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] [1] h: mime_header_rec = [name=REFERENCES, value= <9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>] 1437831787.905375 mime_one_header - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, 
thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits , to=, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a}, reply_to=, msg_id=, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=, first_received=, second_received=, last_reply=354 End data with ., path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, 
helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits , to=, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a}, reply_to=, msg_id=, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=, first_received=, second_received=, last_reply=354 End data with ., path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] [1] h: mime_header_rec = [name=TO, value=ericlim220@yahoo.com] 1437831787.905375 mime_one_header - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits , to={\x0aericlim220@yahoo.com\x0a}, 
cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a}, reply_to=, msg_id=, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=, first_received=, second_received=, last_reply=354 End data with ., path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits , to={\x0aericlim220@yahoo.com\x0a}, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a}, reply_to=, msg_id=, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=, first_received=, second_received=, last_reply=354 End data with ., path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, 
has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] [1] h: mime_header_rec = [name=X-MAILER, value=Apple Mail (2.2102)] 1437831787.905375 get_file_handle [0] tag: enum = Analyzer::ANALYZER_SMTP - [1] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits , to={\x0aericlim220@yahoo.com\x0a}, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a}, reply_to=, msg_id=, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=, first_received=, second_received=, last_reply=354 End data with ., path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] + [1] c: connection = 
[id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits , to={\x0aericlim220@yahoo.com\x0a}, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a}, reply_to=, msg_id=, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=, first_received=, second_received=, last_reply=354 End data with ., path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] [2] is_orig: bool = T 1437831787.905375 file_new - [0] f: fa_file = [id=FKX8fw2lEHCTK8syM3, parent_id=, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, 
num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a\x09}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits , to={\x0aericlim220@yahoo.com\x0a\x09}, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a\x09}, reply_to=, msg_id=, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=, first_received=, second_received=, last_reply=354 End data with ., path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=]\x0a}, last_active=1437831787.905375, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=FKX8fw2lEHCTK8syM3, parent_id=, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], 
orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a\x09}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits , to={\x0aericlim220@yahoo.com\x0a\x09}, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a\x09}, reply_to=, msg_id=, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=, first_received=, second_received=, last_reply=354 End data with ., path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=]\x0a}, last_active=1437831787.905375, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, pe=, u2_events=] 1437831787.905375 file_over_new_connection - [0] f: fa_file = [id=FKX8fw2lEHCTK8syM3, parent_id=, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp]] = 
[id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a\x09}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits , to={\x0aericlim220@yahoo.com\x0a\x09}, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a\x09}, reply_to=, msg_id=, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=, first_received=, second_received=, last_reply=354 End data with ., path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=]\x0a}, last_active=1437831787.905375, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831787.905375, fuid=FKX8fw2lEHCTK8syM3, tx_hosts={\x0a\x0a}, rx_hosts={\x0a\x0a}, conn_uids={\x0a\x0a}, source=SMTP, depth=0, analyzers={\x0a\x0a}, mime_type=, filename=, duration=0 
secs, local_orig=, is_orig=T, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] - [1] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits , to={\x0aericlim220@yahoo.com\x0a}, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a}, reply_to=, msg_id=, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=, first_received=, second_received=, last_reply=354 End data with ., path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] + [0] f: fa_file = [id=FKX8fw2lEHCTK8syM3, parent_id=, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=192.168.133.100, 
orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a\x09}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits , to={\x0aericlim220@yahoo.com\x0a\x09}, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a\x09}, reply_to=, msg_id=, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=, first_received=, second_received=, last_reply=354 End data with ., path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=]\x0a}, last_active=1437831787.905375, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831787.905375, fuid=FKX8fw2lEHCTK8syM3, tx_hosts={\x0a\x0a}, rx_hosts={\x0a\x0a}, conn_uids={\x0a\x0a}, 
source=SMTP, depth=0, analyzers={\x0a\x0a}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=T, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [1] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits , to={\x0aericlim220@yahoo.com\x0a}, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a}, reply_to=, msg_id=, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=, first_received=, second_received=, last_reply=354 End data with ., path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] [2] is_orig: bool = T 
1437831787.905375 mime_end_entity - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits , to={\x0aericlim220@yahoo.com\x0a}, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a}, reply_to=, msg_id=, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=, first_received=, second_received=, last_reply=354 End data with ., path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[FKX8fw2lEHCTK8syM3]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, 
l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits , to={\x0aericlim220@yahoo.com\x0a}, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a}, reply_to=, msg_id=, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=, first_received=, second_received=, last_reply=354 End data with ., path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[FKX8fw2lEHCTK8syM3]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] 1437831787.905375 get_file_handle [0] tag: enum = Analyzer::ANALYZER_SMTP - [1] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, 
dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits , to={\x0aericlim220@yahoo.com\x0a}, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a}, reply_to=, msg_id=, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=, first_received=, second_received=, last_reply=354 End data with ., path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[FKX8fw2lEHCTK8syM3]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] + [1] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], 
trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits , to={\x0aericlim220@yahoo.com\x0a}, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a}, reply_to=, msg_id=, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=, first_received=, second_received=, last_reply=354 End data with ., path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[FKX8fw2lEHCTK8syM3]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] [2] is_orig: bool = T 1437831787.905375 file_sniff - [0] f: fa_file = [id=FKX8fw2lEHCTK8syM3, parent_id=, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, 
rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a\x09}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits , to={\x0aericlim220@yahoo.com\x0a\x09}, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a\x09}, reply_to=, msg_id=, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=, first_received=, second_received=, last_reply=354 End data with ., path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[FKX8fw2lEHCTK8syM3]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=]\x0a}, last_active=1437831787.905375, seen_bytes=204, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=\x0d\x0a> On 25 Jul 2015, at 16:38, Albert Zaharovits wrote:\x0d\x0a> \x0d\x0a> \x0d\x0a>> On 25 Jul 2015, at 16:21, Albert Zaharovits wrote:\x0d\x0a>> \x0d\x0a>> Bro SMTP CC Header\x0d\x0a>> TEST\x0d\x0a> \x0d\x0a\x0d\x0a, info=[ts=1437831787.905375, fuid=FKX8fw2lEHCTK8syM3, tx_hosts={\x0a\x09192.168.133.100\x0a}, rx_hosts={\x0a\x09192.168.133.102\x0a}, conn_uids={\x0aCmES5u32sYpV7JYN\x0a}, source=SMTP, depth=1, analyzers={\x0a\x0a}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=T, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] - [1] meta: fa_metadata = [mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]]] + [0] f: fa_file = [id=FKX8fw2lEHCTK8syM3, parent_id=, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, 
state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a\x09}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits , to={\x0aericlim220@yahoo.com\x0a\x09}, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a\x09}, reply_to=, msg_id=, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=, first_received=, second_received=, last_reply=354 End data with ., path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[FKX8fw2lEHCTK8syM3]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=]\x0a}, last_active=1437831787.905375, seen_bytes=204, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=\x0d\x0a> On 25 Jul 2015, at 16:38, Albert Zaharovits wrote:\x0d\x0a> \x0d\x0a> \x0d\x0a>> On 25 Jul 2015, at 16:21, Albert Zaharovits wrote:\x0d\x0a>> \x0d\x0a>> Bro SMTP CC Header\x0d\x0a>> TEST\x0d\x0a> \x0d\x0a\x0d\x0a, info=[ts=1437831787.905375, fuid=FKX8fw2lEHCTK8syM3, 
tx_hosts={\x0a\x09192.168.133.100\x0a}, rx_hosts={\x0a\x09192.168.133.102\x0a}, conn_uids={\x0aCmES5u32sYpV7JYN\x0a}, source=SMTP, depth=1, analyzers={\x0a\x0a}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=T, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [1] meta: fa_metadata = [mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], inferred=T] 1437831787.905375 file_state_remove - [0] f: fa_file = [id=FKX8fw2lEHCTK8syM3, parent_id=, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a\x09}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits , to={\x0aericlim220@yahoo.com\x0a\x09}, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a\x09}, reply_to=, msg_id=, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, 
subject=Re: Bro SMTP CC Header, x_originating_ip=, first_received=, second_received=, last_reply=354 End data with ., path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[FKX8fw2lEHCTK8syM3]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=]\x0a}, last_active=1437831787.905375, seen_bytes=204, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=\x0d\x0a> On 25 Jul 2015, at 16:38, Albert Zaharovits wrote:\x0d\x0a> \x0d\x0a> \x0d\x0a>> On 25 Jul 2015, at 16:21, Albert Zaharovits wrote:\x0d\x0a>> \x0d\x0a>> Bro SMTP CC Header\x0d\x0a>> TEST\x0d\x0a> \x0d\x0a\x0d\x0a, info=[ts=1437831787.905375, fuid=FKX8fw2lEHCTK8syM3, tx_hosts={\x0a\x09192.168.133.100\x0a}, rx_hosts={\x0a\x09192.168.133.102\x0a}, conn_uids={\x0aCmES5u32sYpV7JYN\x0a}, source=SMTP, depth=1, analyzers={\x0a\x0a}, mime_type=text/plain, filename=, duration=0 secs, local_orig=, is_orig=T, seen_bytes=204, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=FKX8fw2lEHCTK8syM3, parent_id=, source=SMTP, is_orig=T, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a\x09}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, 
dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a\x09}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits , to={\x0aericlim220@yahoo.com\x0a\x09}, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a\x09}, reply_to=, msg_id=, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=, first_received=, second_received=, last_reply=354 End data with ., path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[FKX8fw2lEHCTK8syM3]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=]\x0a}, last_active=1437831787.905375, seen_bytes=204, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=\x0d\x0a> On 25 Jul 2015, at 16:38, Albert Zaharovits wrote:\x0d\x0a> \x0d\x0a> \x0d\x0a>> On 25 Jul 2015, at 16:21, Albert Zaharovits wrote:\x0d\x0a>> \x0d\x0a>> Bro SMTP CC Header\x0d\x0a>> TEST\x0d\x0a> \x0d\x0a\x0d\x0a, info=[ts=1437831787.905375, fuid=FKX8fw2lEHCTK8syM3, tx_hosts={\x0a\x09192.168.133.100\x0a}, rx_hosts={\x0a\x09192.168.133.102\x0a}, conn_uids={\x0aCmES5u32sYpV7JYN\x0a}, source=SMTP, depth=1, analyzers={\x0a\x0a}, mime_type=text/plain, filename=, duration=0 secs, local_orig=, is_orig=T, seen_bytes=204, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, 
u2_events=] 1437831787.905375 get_file_handle [0] tag: enum = Analyzer::ANALYZER_SMTP - [1] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits , to={\x0aericlim220@yahoo.com\x0a}, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a}, reply_to=, msg_id=, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=, first_received=, second_received=, last_reply=354 End data with ., path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[FKX8fw2lEHCTK8syM3]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] + [1] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, 
num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits , to={\x0aericlim220@yahoo.com\x0a}, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a}, reply_to=, msg_id=, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=, first_received=, second_received=, last_reply=354 End data with ., path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[FKX8fw2lEHCTK8syM3]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] [2] is_orig: bool = F 1437831787.905375 get_file_handle [0] tag: enum = Analyzer::ANALYZER_SMTP - [1] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, 
extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits , to={\x0aericlim220@yahoo.com\x0a}, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a}, reply_to=, msg_id=, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=, first_received=, second_received=, last_reply=354 End data with ., path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[FKX8fw2lEHCTK8syM3]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] + [1] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, 
resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits , to={\x0aericlim220@yahoo.com\x0a}, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a}, reply_to=, msg_id=, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=, first_received=, second_received=, last_reply=354 End data with ., path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[FKX8fw2lEHCTK8syM3]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] [2] is_orig: bool = T 1437831787.905375 get_file_handle [0] tag: enum = Analyzer::ANALYZER_SMTP - [1] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert 
Zaharovits , to={\x0aericlim220@yahoo.com\x0a}, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a}, reply_to=, msg_id=, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=, first_received=, second_received=, last_reply=354 End data with ., path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[FKX8fw2lEHCTK8syM3]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] + [1] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits , to={\x0aericlim220@yahoo.com\x0a}, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a}, reply_to=, msg_id=, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=, first_received=, second_received=, last_reply=354 End data with ., 
path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[FKX8fw2lEHCTK8syM3]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] [2] is_orig: bool = F 1437831787.905375 smtp_request - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits , to={\x0aericlim220@yahoo.com\x0a}, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a}, reply_to=, msg_id=, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=, first_received=, second_received=, last_reply=354 End data with ., path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[FKX8fw2lEHCTK8syM3]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] + [0] c: 
connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits , to={\x0aericlim220@yahoo.com\x0a}, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a}, reply_to=, msg_id=, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=, first_received=, second_received=, last_reply=354 End data with ., path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[FKX8fw2lEHCTK8syM3]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] [1] is_orig: bool = T [2] command: string = . [3] arg: string = . 
1437831787.914113 smtp_reply - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=16, num_bytes_ip=1813, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=162, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.057218, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits , to={\x0aericlim220@yahoo.com\x0a}, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a}, reply_to=, msg_id=, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=, first_received=, second_received=, last_reply=354 End data with ., path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[FKX8fw2lEHCTK8syM3]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=16, num_bytes_ip=1813, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=162, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], 
start_time=1437831787.856895, duration=0.057218, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits , to={\x0aericlim220@yahoo.com\x0a}, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a}, reply_to=, msg_id=, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=, first_received=, second_received=, last_reply=354 End data with ., path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[FKX8fw2lEHCTK8syM3]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] [1] is_orig: bool = F [2] code: count = 250 [3] cmd: string = . 
@@ -743,65 +743,65 @@ [5] cont_resp: bool = F 1437831798.533593 new_connection - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49336/tcp, resp_h=74.125.71.189, resp_p=443/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=cc:b2:55:f4:62:92], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=58:b0:35:86:54:8d], start_time=1437831798.533593, duration=0.0, service={\x0a\x0a}, history=^, uid=CP5puj4I8PtEU4qzYg, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49336/tcp, resp_h=74.125.71.189, resp_p=443/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831798.533593, duration=0.0, service={\x0a\x0a}, history=^, uid=CP5puj4I8PtEU4qzYg, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] 1437831798.533765 partial_connection - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49336/tcp, resp_h=74.125.71.189, resp_p=443/tcp], orig=[size=0, state=3, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=cc:b2:55:f4:62:92], resp=[size=85, state=3, num_pkts=3, num_bytes_ip=411, flow_label=0, l2_addr=58:b0:35:86:54:8d], start_time=1437831798.533593, duration=0.000172, service={\x0a\x0a}, history=^dA, uid=CP5puj4I8PtEU4qzYg, 
tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49336/tcp, resp_h=74.125.71.189, resp_p=443/tcp], orig=[size=0, state=3, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=85, state=3, num_pkts=3, num_bytes_ip=411, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831798.533593, duration=0.000172, service={\x0a\x0a}, history=^dA, uid=CP5puj4I8PtEU4qzYg, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] 1437831799.262632 new_connection - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49153/tcp, resp_h=17.172.238.21, resp_p=5223/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.262632, duration=0.0, service={\x0a\x0a}, history=, uid=C37jN32gN3y3AZzyf6, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49153/tcp, resp_h=17.172.238.21, resp_p=5223/tcp], orig=[size=0, state=0, num_pkts=0, 
num_bytes_ip=0, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.262632, duration=0.0, service={\x0a\x0a}, history=, uid=C37jN32gN3y3AZzyf6, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] 1437831799.410135 partial_connection - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49153/tcp, resp_h=17.172.238.21, resp_p=5223/tcp], orig=[size=714, state=3, num_pkts=1, num_bytes_ip=766, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=3, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.262632, duration=0.147503, service={\x0a\x0a}, history=Da, uid=C37jN32gN3y3AZzyf6, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49153/tcp, resp_h=17.172.238.21, resp_p=5223/tcp], orig=[size=714, state=3, num_pkts=1, num_bytes_ip=766, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=3, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.262632, duration=0.147503, service={\x0a\x0a}, history=Da, uid=C37jN32gN3y3AZzyf6, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, 
irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] 1437831799.461152 new_connection - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.0, service={\x0a\x0a}, history=, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.0, service={\x0a\x0a}, history=, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] 1437831799.610433 connection_established - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=cc:b2:55:f4:62:92], 
start_time=1437831799.461152, duration=0.149281, service={\x0a\x0a}, history=Sh, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.149281, service={\x0a\x0a}, history=Sh, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] 1437831799.611764 ssl_extension_server_name - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=2, num_bytes_ip=104, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=52, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.150612, service={\x0a\x0a}, history=ShAD, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = 
[id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=2, num_bytes_ip=104, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=52, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.150612, service={\x0a\x0a}, history=ShAD, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] [1] is_orig: bool = T [2] names: vector of string = [p31-keyvalueservice.icloud.com] 1437831799.611764 ssl_extension - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=2, num_bytes_ip=104, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=52, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.150612, service={\x0a\x0a}, history=ShAD, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=, version=, cipher=, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=, established=F, logged=F, delay_tokens=, cert_chain=, cert_chain_fuids=, client_cert_chain=, client_cert_chain_fuids=, subject=, issuer=, client_subject=, client_issuer=, 
server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=2, num_bytes_ip=104, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=52, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.150612, service={\x0a\x0a}, history=ShAD, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=, version=, cipher=, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=, established=F, logged=F, delay_tokens=, cert_chain=, cert_chain_fuids=, client_cert_chain=, client_cert_chain_fuids=, subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] [1] is_orig: bool = T [2] code: count = 0 [3] val: string = \x00!\x00\x00\x1ep31-keyvalueservice.icloud.com 1437831799.611764 ssl_extension - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=2, num_bytes_ip=104, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=52, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, 
duration=0.150612, service={\x0a\x0a}, history=ShAD, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=, version=, cipher=, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=, established=F, logged=F, delay_tokens=, cert_chain=, cert_chain_fuids=, client_cert_chain=, client_cert_chain_fuids=, subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=2, num_bytes_ip=104, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=52, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.150612, service={\x0a\x0a}, history=ShAD, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=, version=, cipher=, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=, established=F, 
logged=F, delay_tokens=, cert_chain=, cert_chain_fuids=, client_cert_chain=, client_cert_chain_fuids=, subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] [1] is_orig: bool = T [2] code: count = 10 [3] val: string = \x00\x06\x00\x17\x00\x18\x00\x19 1437831799.611764 ssl_extension - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=2, num_bytes_ip=104, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=52, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.150612, service={\x0a\x0a}, history=ShAD, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=, version=, cipher=, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=, established=F, logged=F, delay_tokens=, cert_chain=, cert_chain_fuids=, client_cert_chain=, client_cert_chain_fuids=, subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=2, num_bytes_ip=104, flow_label=0, 
l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=52, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.150612, service={\x0a\x0a}, history=ShAD, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=, version=, cipher=, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=, established=F, logged=F, delay_tokens=, cert_chain=, cert_chain_fuids=, client_cert_chain=, client_cert_chain_fuids=, subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] [1] is_orig: bool = T [2] code: count = 11 [3] val: string = \x01\x00 1437831799.611764 ssl_extension - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=2, num_bytes_ip=104, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=52, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.150612, service={\x0a\x0a}, history=ShAD, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], 
version_num=, version=, cipher=, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=, established=F, logged=F, delay_tokens=, cert_chain=, cert_chain_fuids=, client_cert_chain=, client_cert_chain_fuids=, subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=2, num_bytes_ip=104, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=52, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.150612, service={\x0a\x0a}, history=ShAD, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=, version=, cipher=, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=, established=F, logged=F, delay_tokens=, cert_chain=, cert_chain_fuids=, client_cert_chain=, client_cert_chain_fuids=, subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] [1] is_orig: bool = T [2] code: count = 13 [3] val: string = 
\x00\x0a\x05\x01\x04\x01\x02\x01\x04\x03\x02\x03 1437831799.611764 ssl_extension - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=2, num_bytes_ip=104, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=52, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.150612, service={\x0a\x0a}, history=ShAD, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=, version=, cipher=, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=, established=F, logged=F, delay_tokens=, cert_chain=, cert_chain_fuids=, client_cert_chain=, client_cert_chain_fuids=, subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=2, num_bytes_ip=104, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=52, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.150612, service={\x0a\x0a}, history=ShAD, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, 
ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=, version=, cipher=, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=, established=F, logged=F, delay_tokens=, cert_chain=, cert_chain_fuids=, client_cert_chain=, client_cert_chain_fuids=, subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] [1] is_orig: bool = T [2] code: count = 13172 [3] val: string = 1437831799.611764 protocol_confirmation - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=2, num_bytes_ip=104, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=52, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.150612, service={\x0a\x0a}, history=ShAD, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=, version=, cipher=, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=, established=F, logged=F, delay_tokens=, cert_chain=, cert_chain_fuids=, client_cert_chain=, client_cert_chain_fuids=, subject=, issuer=, client_subject=, client_issuer=, 
server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=2, num_bytes_ip=104, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=52, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.150612, service={\x0a\x0a}, history=ShAD, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=, version=, cipher=, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=, established=F, logged=F, delay_tokens=, cert_chain=, cert_chain_fuids=, client_cert_chain=, client_cert_chain_fuids=, subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] [1] atype: enum = Analyzer::ANALYZER_SSL [2] aid: count = 35 1437831799.611764 ssl_client_hello - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=2, num_bytes_ip=104, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=52, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.150612, service={\x0aSSL\x0a}, history=ShAD, 
uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=, version=, cipher=, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=, cert_chain_fuids=, client_cert_chain=, client_cert_chain_fuids=, subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=2, num_bytes_ip=104, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=52, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.150612, service={\x0aSSL\x0a}, history=ShAD, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=, version=, cipher=, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=, 
cert_chain_fuids=, client_cert_chain=, client_cert_chain_fuids=, subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] [1] version: count = 771 [2] possible_ts: time = 1437831799.0 [3] client_random: string = \xd4\xda\xbe{\xfa\xaa\x16\xb2\xe7\x92\x9d\xbf\xe1c\x97\xde\xdca7\x92\x90\xf6\x967\xf7\xec\x1e\xe6 
@@ -810,7 +810,7 @@ [6] comp_methods: vector of count = [0] 1437831799.611764 ssl_handshake_message - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=2, num_bytes_ip=104, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=52, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.150612, service={\x0aSSL\x0a}, history=ShAD, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=, version=, cipher=, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=, cert_chain_fuids=, client_cert_chain=, client_cert_chain_fuids=, subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=2, num_bytes_ip=104, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=52, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.150612, service={\x0aSSL\x0a}, history=ShAD, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, 
dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=, version=, cipher=, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=, cert_chain_fuids=, client_cert_chain=, client_cert_chain_fuids=, subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] [1] is_orig: bool = T [2] msg_type: count = 1 [3] length: count = 192 
@@ -823,13 +823,13 @@ [4] length: count = 196 1437831799.764576 ssl_extension - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=, version=, cipher=, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=, cert_chain_fuids=, client_cert_chain=, client_cert_chain_fuids=, subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, 
ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=, version=, cipher=, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=, cert_chain_fuids=, client_cert_chain=, client_cert_chain_fuids=, subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] [1] is_orig: bool = F [2] code: count = 65281 [3] val: string = \x00 1437831799.764576 ssl_server_hello - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=, version=, cipher=, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=, cert_chain_fuids=, client_cert_chain=, client_cert_chain_fuids=, subject=, issuer=, 
client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=, version=, cipher=, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=, cert_chain_fuids=, client_cert_chain=, client_cert_chain_fuids=, subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] [1] version: count = 771 [2] possible_ts: time = 1437831799.0 [3] server_random: string = \xe2RB\xdds\x11\xa9\xd4\x1d\xbc\x8e\xe2]\x09\xc5\xfc\xb1\xedl\xed\x17\xb2?a\xac\x81QM 
@@ -838,145 +838,155 @@ [6] comp_method: count = 0 1437831799.764576 ssl_handshake_message - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=, cert_chain_fuids=, client_cert_chain=, client_cert_chain_fuids=, subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, 
dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=, cert_chain_fuids=, client_cert_chain=, client_cert_chain_fuids=, subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] [1] is_orig: bool = F [2] msg_type: count = 2 [3] length: count = 77 1437831799.764576 file_new - [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, 
client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=, cert_chain_fuids=, client_cert_chain=, client_cert_chain_fuids=, subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=, cert_chain_fuids=, client_cert_chain=, client_cert_chain_fuids=, 
subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, pe=, u2_events=] 1437831799.764576 file_over_new_connection - [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=, cert_chain_fuids=, client_cert_chain=, client_cert_chain_fuids=, subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, 
socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0a}, rx_hosts={\x0a\x0a}, conn_uids={\x0a\x0a}, source=SSL, depth=0, analyzers={\x0a\x0a}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] - [1] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=, cert_chain_fuids=, client_cert_chain=, client_cert_chain_fuids=, subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] f: fa_file 
= [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=, cert_chain_fuids=, client_cert_chain=, client_cert_chain_fuids=, subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0a}, rx_hosts={\x0a\x0a}, conn_uids={\x0a\x0a}, source=SSL, depth=0, analyzers={\x0a\x0a}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, 
parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [1] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=, cert_chain_fuids=, client_cert_chain=, client_cert_chain_fuids=, subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] [2] is_orig: bool = F 1437831799.764576 file_sniff - [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, 
l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification 
Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde \x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 \xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d \x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice 
statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 \xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6\x8a\x03 \x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] - [1] meta: fa_metadata = [mime_type=, mime_types=] + [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, 
orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=, cert_chain_fuids=, client_cert_chain=, client_cert_chain_fuids=, subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0a\x0a}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [1] meta: 
fa_metadata = [mime_type=application/x-x509-user-cert, mime_types=, inferred=F] + +1437831799.764576 file_hash + [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, 
server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [1] kind: string = sha1 + [2] hash: string = f5ccb1a724133607548b00d8eb402efca3076d58 1437831799.764576 x509_certificate - [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, 
server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple 
Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde \x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 \xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d \x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice 
statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 \xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6\x8a\x03 \x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], 
orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, 
bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] cert_ref: opaque of x509 = [2] cert: X509::Certificate = [version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=] 1437831799.764576 x509_extension - [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], 
version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple 
IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde \x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 \xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d \x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice 
statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 \xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6\x8a\x03 \x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, 
key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, 
x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, 
extensions=[], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] ext: X509::Extension = [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a] 1437831799.764576 x509_extension - [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, 
timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09]], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple 
Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde \x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 \xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d \x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice 
statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 \xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6\x8a\x03 \x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, 
key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a]], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, 
seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09]], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple 
Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a]], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] ext: X509::Extension = [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB] 1437831799.764576 x509_extension - [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, 
next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB]], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, 
bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde \x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 \xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d 
\x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 \xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6\x8a\x03 \x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, 
certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB]], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, 
client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB]], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, 
bof_buffer=, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB]], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] ext: X509::Extension = [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE] 1437831799.764576 x509_ext_basic_constraints - [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, 
num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, 
short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE]], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde 
\x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 \xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d \x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 
\xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6\x8a\x03 \x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, 
short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE]], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, 
serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE]], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, 
subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE]], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] ext: X509::BasicConstraints = [ca=F, path_len=] 1437831799.764576 x509_extension - [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, 
server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, 
sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde \x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 
\xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d \x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 \xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6\x8a\x03 
\x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, 
flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, 
value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP 
- URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] ext: X509::Extension = [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a] 1437831799.764576 x509_extension - [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, 
tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, 
missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde \x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 \xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d 
\x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 \xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6\x8a\x03 \x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, 
certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, 
id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, 
value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, 
short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] ext: X509::Extension = [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a] 1437831799.764576 x509_extension - [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, 
analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: 
http://www.apple.com/certificateauthority/rpa\x0a\x09]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde \x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 
\xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d \x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 \xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6\x8a\x03 
\x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use 
and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, 
id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, 
timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: 
http://www.apple.com/certificateauthority/rpa\x0a]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] ext: X509::Extension = [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a] 1437831799.764576 x509_extension - [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, 
seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, 
client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde \x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 
\xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d \x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 \xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6\x8a\x03 
\x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use 
and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, 
total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, 
issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate 
Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] ext: X509::Extension = [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment] 1437831799.764576 x509_extension - [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, 
analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: 
http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde 
\x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 \xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d \x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 
\xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6\x8a\x03 \x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, 
short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, 
cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, 
value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, 
key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] ext: X509::Extension = [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication] 1437831799.764576 x509_extension - [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, 
resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, 
short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, 
bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde \x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 \xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d 
\x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 \xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6\x8a\x03 \x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, 
certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, 
u2_events=] + [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 
2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, 
smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User 
Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] ext: X509::Extension = [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com] 1437831799.764576 x509_ext_subject_alternative_name - [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, 
server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance 
on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple 
Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde \x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 \xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d \x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice 
statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 \xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6\x8a\x03 \x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, 
key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, 
resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, 
key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, 
rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this 
certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=, basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] ext: X509::SubjectAlternativeName = [dns=[*.icloud.com], uri=, email=, ip=, other_fields=F] 1437831799.764576 file_hash - [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, 
server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance 
on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple 
Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde \x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 \xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d \x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice 
statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 \xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6\x8a\x03 \x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, 
key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] - [1] kind: string = sha1 - [2] hash: string = f5ccb1a724133607548b00d8eb402efca3076d58 + [0] f: fa_file = 
[id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, 
not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], 
client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, 
value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [1] kind: string = md5 + [2] hash: string = 1bf9696d9f337805383427e88781d001 1437831799.764576 file_state_remove - [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, 
dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority 
Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification 
Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple Inc.1\x130\x11\x06\x03U\x04\x08\x0c\x0aCalifornia1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xb8+L\xa2[\xca\xcd\x02\x1a/\x8b]\xaci\xe6\x0f#L\x98W\x87\x88\x94\x02\xae\xd0\xf4F\x15\xb4\xc2\xa9y\xab\x1b2\xdcT\xea\x8d\xf5\xf5c\xa7KR\xde \x0f=\x13\x89\xf2\x1dd\x85vhE\xc3\xd9vJ\x0eJV\x19\xa7\x0c2\x08\xf8\x10t\xa5[\xdc\x0b\x83\x93\x89\x0d\xa9\xc5t~mUvn\xcaV\xc8D2\xe8\xb4\xa2\x02\xef\x7f*\xba\xb9x\xa8G\x82\x1f\xac\x8e\xff\x93\x00\xb9y&\x84"vU\xf5\x9f\xa8\x86\xe8~m\x0f\x80\x95(\x0d\x0a\xdfESHC\xf8\xeb\x13n\x98\xac\xd6\x96\x19~j\x15XtD|7\x7ft\xe7\x1e\x8a\x96uP\xc9\x97\x8c\xb1]6y\x90\xb2\x06H\xa3\xd2\xe2\xd8/\xcb\xe8\x13\xa0\xe2es9s\xe5u'\xbe\xf4F\xaa\xc2n"\xe0\x13\x1d\xc3\x04\x90XnP\x07Lh\xca/lN\xc6\xb6 \xa7*J\xc9g\xb3&\x94\x05\x14\xe2\x0cU\x1c\xdban*\xd8z\xec\x8cs5\x04\x975w\x9di(sr\x14\xd2>\xf3\x13\x02\x03\x01\x00\x01\xa3\x82\x02\x1f0\x82\x02\x1b0H\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04<0:08\x06\x08+\x06\x01\x05\x05\x070\x01\x86,http://ocsp.apple.com/ocsp04-appleistca2g1010\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\x8eQ\xa1\x0e\x0a\x9b\x1c\x04\xf7Y\xd3i.#\x16\x91\x0e\xad\x06\xfb0\x0c\x06\x03U\x1d\x13\x01\x01\xff\x04\x020\x000\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x81\xff\x06\x03U\x1d \x04\x81\xf70\x81\xf40\x81\xf1\x06\x0a*\x86H\x86\xf7cd\x05\x0b\x040\x81\xe20\x81\xa4\x06\x08+\x06\x01\x05\x05\x07\x02\x020\x81\x97\x0c\x81\x94Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice 
statements.09\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16-http://www.apple.com/certificateauthority/rpa07\x06\x03U\x1d\x1f\x0400.0,\xa0*\xa0(\x86&http://crl.apple.com/appleistca2g1.crl0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x05\xa00\x1d\x06\x03U\x1d%\x04\x160\x14\x06\x08+\x06\x01\x05\x05\x07\x03\x01\x06\x08+\x06\x01\x05\x05\x07\x03\x020\x17\x06\x03U\x1d\x11\x04\x100\x0e\x82\x0c*.icloud.com0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00@fi\xb2+\x8clA\xe2Bc\xde\x101\xa4.M\xc9 \xb3\x1c\xf3k)\xd1\x9eI\x17\xbf"\x8c\xcd\xb1H\x14\xd6\x8c\x8eO2\x84v`E\xbb(\x9cj\xea)\xd3\x191\xfb\x1ei\x9e\xd7\xf4\xb7\xa9\x1c\x92vY\xdeR*\xa2}>\x81d\x0dW\x07\xae\x17\x81{\xe2\x9c\x9fT-\x19\xe3c#\x8a\xfc\x08\xbb\x8eR\xf0-3\x81\x16bh\xaaY\x03\xcc\xd1\xea\x9e\xe6\xe6\xc11\xa0e\x02* \xad{\xdeI\x8fQ\x0f]\xf3"\x18\x19\xea\x04\x97y\x19\xa5\x9f#\xae\xaei\x84r6W\x93d\xe7\xdbF\xed\x8c\x13Yh\xb0g$\xfa\xaa,\xe4\xe7\xd7\xe7_G\x92\x14\xb2O\x0a\xc8Y\xa5\x9bx\xae\x88\xd1u\x19\xb6\x96\x88\x1a\xbf\xac\x91\x92\xc4B\x07\xc6\x8a\x03 \x01a\xe0\xfc\xd4\x86\x8d\x14c\x08}~\x97o\xa7\x90\xbb\x98~\xe2\xa8\x8d\xfai\x9d\xd3\xabI\xa0D\xa8\xe6\xf8#\xae\xbb\xd2\xf5\xf1\x87\xe0\x88\x0f\xe9\xf5\x91\xbb58Y@\xf7\x82\xc1\x80{\x92\x90\xc3, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, 
not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, 
source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, 
not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], 
client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, 
value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] 1437831799.764576 file_new - [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, 
ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, 
value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, 
num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, 
short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, 
smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=, ftp=, http=, irc=, pe=, u2_events=] 1437831799.764576 file_over_new_connection - [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, 
sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], 
[name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0a}, rx_hosts={\x0a\x0a}, conn_uids={\x0a\x0a}, source=SSL, depth=0, analyzers={\x0a\x0a}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] - [1] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, 
server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: 
Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, 
ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, 
short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0a}, rx_hosts={\x0a\x0a}, conn_uids={\x0a\x0a}, source=SSL, depth=0, analyzers={\x0a\x0a}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, 
missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [1] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification 
Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], 
client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] [2] is_orig: bool = F 1437831799.764576 file_sniff - [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, 
parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client 
Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x04@0\x82\x03(\xa0\x03\x02\x01\x02\x02\x03\x02:t0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000B1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x160\x14\x06\x03U\x04\x0a\x13\x0dGeoTrust Inc.1\x1b0\x19\x06\x03U\x04\x03\x13\x12GeoTrust Global CA0\x1e\x17\x0d140616154202Z\x17\x0d220520154202Z0b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xd0\x93\xa1\x1dGC 
\x16\xb2\x0bk\xeb\xc3\xd5\xb4\xe8\xc7\x98\xcd\xf3\xde\xbf\xe8M\xe9\xe36\x80\x07\xfcE\x1bj|E\x86\xaeV\xd3\xa4\x09\x7fa\x0dk]~Rk}\xb4\xc89\xc4\xf4g:\xf7\x83\xce\x19o\x86/~E~G\x1cgR\xca\x95\x05]\xe26Q\x85\xc0\xd4g\x805o\x15\xdd>\xfd\x1d\xd2\xfd\x8f4P\xd8\xecv*\xbe\xe3\xd3\xda\xe4\xfd\xc8\xeb(\x02\x96\x11\x97\x17a\x1c\xe9\xc4Y;B\xdc2\xd1\x09\x1d\xda\xa6\xd1C\x86\xff^\xb2\xbc\x8c\xcff\xdb\x01\x8b\x02\xae\x94H\xf38\x8f\xfd\xea2\xa8\x08\xec\x86\x97Q\x94$>II\x96S\xe8y\xa1@\x81\xe9\x05\xbb\x93\x95Q\xfc\xe3\xfd|\x11K\xf7\x9e\x08\xb3\x15I\x15\x07\xf9\xd17\xa0\x9bK2\xf6\xb5\xc4\xdcj\xd1\xfc\x0a\xed\xf6\xe0\xc5)\xa0\xa8\x8bq\xfe\x0d\x92\xbc\xfeTp\x18\x0am\xc7\xed\x0c\xfb\xc9-\x06\xc3\x8c\x85\xfc\xcb\x86\\xd66\x8e\x12\x8b\x09\x7f\xfb\x19\x1a8\xd5\xf0\x940z\x0f\xa6\x8c\xf3\x02\x03\x01\x00\x01\xa3\x82\x01\x1d0\x82\x01\x190\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xc0z\x98h\x8d\x89\xfb\xab\x05d\x0c\x11}\xaa}e\xb8\xca\xccN0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x12\x06\x03U\x1d\x13\x01\x01\xff\x04\x080\x06\x01\x01\xff\x02\x01\x000\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x0605\x06\x03U\x1d\x1f\x04.0,0*\xa0(\xa0&\x86$http://g.symcb.com/crls/gtglobal.crl0.\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04"0 0\x1e\x06\x08+\x06\x01\x05\x05\x070\x01\x86\x12http://g.symcd.com0L\x06\x03U\x1d 
\x04E0C0A\x06\x0a`\x86H\x01\x86\xf8E\x01\x0760301\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16%http://www.geotrust.com/resources/cps0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00\x16Gso\x85\xa2b\xe1\xe7*v\xbb\x89\x95B&\x97\xbcJ\xac\xacpS:?1\x83=<\x1c\xab\x9a\xe2\xb1]\x1cv\x1a\xa0<\x0crW\xbe\xd3\x9eP\xe0\xc8\x99\xd6X\xd7\x02\xea\xce\x0d)T|\xcd\xf5\xc2\xc6\x90)U\xa3o\x14\xa8\x0bB\x0d:\x98m\x06x\x9e\xf0j\xa3\x1d\x02\x0a\xa2(\xa4\x8d\xc2\x81F>mg\xda\xde?\xfe\x85\x0eB*\x12\xde\xb5\xb7\xfb\xb8\x1b\xa7\x96\xecw\x9f\xec\xd4S\x95z\xff\x07\xf4\xf2\x0a\x14\xc0QR\xb1\xd6\x8eP\x0b\x1a\x99\\xbc\x0b\xc9\xbd\xed\xed\xf8^\xc1V\xdbM~#\xa4\x11\xa1,\xd4\x1b\x05\x9a\xe4\x1bR\xf6|8\x99\x05K\xbar\x8dB\x89`\x04f*\xf4\xfdh\xd7k\xf7\x99A(\xd6l$\xab\xe6%S.\xc8\x82\x99\xe2\xa2\x8f#\xbe0\x83\xb1'\x8b\xfah\x7f\x01I\xe8\xc6\x98k\x10.\x98^\x8a\xd7\xcaK\xb1\xc7\xc9X\x9a\xd06\xdb\x96\x95\xec\xb6\x81\xe4\xf2\xcdo\x1by\x87L\x10<\x89\xe4M\xfaT\xdc\xaa\xa6, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] - [1] meta: fa_metadata = [mime_type=, mime_types=] + [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, 
duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, 
oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, 
info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0a\x0a}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [1] meta: fa_metadata = [mime_type=application/x-x509-ca-cert, mime_types=, inferred=F] + +1437831799.764576 file_hash + [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, 
conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull 
Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, 
overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [1] kind: string = sha1 + [2] hash: string = 8e8321ca08b08e3726fe1d82996884eeb5f0d655 1437831799.764576 x509_certificate - [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, 
sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, 
short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x04@0\x82\x03(\xa0\x03\x02\x01\x02\x02\x03\x02:t0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000B1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x160\x14\x06\x03U\x04\x0a\x13\x0dGeoTrust Inc.1\x1b0\x19\x06\x03U\x04\x03\x13\x12GeoTrust Global CA0\x1e\x17\x0d140616154202Z\x17\x0d220520154202Z0b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xd0\x93\xa1\x1dGC 
\x16\xb2\x0bk\xeb\xc3\xd5\xb4\xe8\xc7\x98\xcd\xf3\xde\xbf\xe8M\xe9\xe36\x80\x07\xfcE\x1bj|E\x86\xaeV\xd3\xa4\x09\x7fa\x0dk]~Rk}\xb4\xc89\xc4\xf4g:\xf7\x83\xce\x19o\x86/~E~G\x1cgR\xca\x95\x05]\xe26Q\x85\xc0\xd4g\x805o\x15\xdd>\xfd\x1d\xd2\xfd\x8f4P\xd8\xecv*\xbe\xe3\xd3\xda\xe4\xfd\xc8\xeb(\x02\x96\x11\x97\x17a\x1c\xe9\xc4Y;B\xdc2\xd1\x09\x1d\xda\xa6\xd1C\x86\xff^\xb2\xbc\x8c\xcff\xdb\x01\x8b\x02\xae\x94H\xf38\x8f\xfd\xea2\xa8\x08\xec\x86\x97Q\x94$>II\x96S\xe8y\xa1@\x81\xe9\x05\xbb\x93\x95Q\xfc\xe3\xfd|\x11K\xf7\x9e\x08\xb3\x15I\x15\x07\xf9\xd17\xa0\x9bK2\xf6\xb5\xc4\xdcj\xd1\xfc\x0a\xed\xf6\xe0\xc5)\xa0\xa8\x8bq\xfe\x0d\x92\xbc\xfeTp\x18\x0am\xc7\xed\x0c\xfb\xc9-\x06\xc3\x8c\x85\xfc\xcb\x86\\xd66\x8e\x12\x8b\x09\x7f\xfb\x19\x1a8\xd5\xf0\x940z\x0f\xa6\x8c\xf3\x02\x03\x01\x00\x01\xa3\x82\x01\x1d0\x82\x01\x190\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xc0z\x98h\x8d\x89\xfb\xab\x05d\x0c\x11}\xaa}e\xb8\xca\xccN0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x12\x06\x03U\x1d\x13\x01\x01\xff\x04\x080\x06\x01\x01\xff\x02\x01\x000\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x0605\x06\x03U\x1d\x1f\x04.0,0*\xa0(\xa0&\x86$http://g.symcb.com/crls/gtglobal.crl0.\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04"0 0\x1e\x06\x08+\x06\x01\x05\x05\x070\x01\x86\x12http://g.symcd.com0L\x06\x03U\x1d 
\x04E0C0A\x06\x0a`\x86H\x01\x86\xf8E\x01\x0760301\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16%http://www.geotrust.com/resources/cps0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00\x16Gso\x85\xa2b\xe1\xe7*v\xbb\x89\x95B&\x97\xbcJ\xac\xacpS:?1\x83=<\x1c\xab\x9a\xe2\xb1]\x1cv\x1a\xa0<\x0crW\xbe\xd3\x9eP\xe0\xc8\x99\xd6X\xd7\x02\xea\xce\x0d)T|\xcd\xf5\xc2\xc6\x90)U\xa3o\x14\xa8\x0bB\x0d:\x98m\x06x\x9e\xf0j\xa3\x1d\x02\x0a\xa2(\xa4\x8d\xc2\x81F>mg\xda\xde?\xfe\x85\x0eB*\x12\xde\xb5\xb7\xfb\xb8\x1b\xa7\x96\xecw\x9f\xec\xd4S\x95z\xff\x07\xf4\xf2\x0a\x14\xc0QR\xb1\xd6\x8eP\x0b\x1a\x99\\xbc\x0b\xc9\xbd\xed\xed\xf8^\xc1V\xdbM~#\xa4\x11\xa1,\xd4\x1b\x05\x9a\xe4\x1bR\xf6|8\x99\x05K\xbar\x8dB\x89`\x04f*\xf4\xfdh\xd7k\xf7\x99A(\xd6l$\xab\xe6%S.\xc8\x82\x99\xe2\xa2\x8f#\xbe0\x83\xb1'\x8b\xfah\x7f\x01I\xe8\xc6\x98k\x10.\x98^\x8a\xd7\xcaK\xb1\xc7\xc9X\x9a\xd06\xdb\x96\x95\xec\xb6\x81\xe4\xf2\xcdo\x1by\x87L\x10<\x89\xe4M\xfaT\xdc\xaa\xa6, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, 
history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, 
value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=, extracted=, extracted_cutoff=, 
extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=, extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] cert_ref: opaque of x509 = [2] cert: X509::Certificate = [version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=] 1437831799.764576 x509_extension - [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, 
l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, 
short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, 
id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x04@0\x82\x03(\xa0\x03\x02\x01\x02\x02\x03\x02:t0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000B1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x160\x14\x06\x03U\x04\x0a\x13\x0dGeoTrust Inc.1\x1b0\x19\x06\x03U\x04\x03\x13\x12GeoTrust Global CA0\x1e\x17\x0d140616154202Z\x17\x0d220520154202Z0b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xd0\x93\xa1\x1dGC 
\x16\xb2\x0bk\xeb\xc3\xd5\xb4\xe8\xc7\x98\xcd\xf3\xde\xbf\xe8M\xe9\xe36\x80\x07\xfcE\x1bj|E\x86\xaeV\xd3\xa4\x09\x7fa\x0dk]~Rk}\xb4\xc89\xc4\xf4g:\xf7\x83\xce\x19o\x86/~E~G\x1cgR\xca\x95\x05]\xe26Q\x85\xc0\xd4g\x805o\x15\xdd>\xfd\x1d\xd2\xfd\x8f4P\xd8\xecv*\xbe\xe3\xd3\xda\xe4\xfd\xc8\xeb(\x02\x96\x11\x97\x17a\x1c\xe9\xc4Y;B\xdc2\xd1\x09\x1d\xda\xa6\xd1C\x86\xff^\xb2\xbc\x8c\xcff\xdb\x01\x8b\x02\xae\x94H\xf38\x8f\xfd\xea2\xa8\x08\xec\x86\x97Q\x94$>II\x96S\xe8y\xa1@\x81\xe9\x05\xbb\x93\x95Q\xfc\xe3\xfd|\x11K\xf7\x9e\x08\xb3\x15I\x15\x07\xf9\xd17\xa0\x9bK2\xf6\xb5\xc4\xdcj\xd1\xfc\x0a\xed\xf6\xe0\xc5)\xa0\xa8\x8bq\xfe\x0d\x92\xbc\xfeTp\x18\x0am\xc7\xed\x0c\xfb\xc9-\x06\xc3\x8c\x85\xfc\xcb\x86\\xd66\x8e\x12\x8b\x09\x7f\xfb\x19\x1a8\xd5\xf0\x940z\x0f\xa6\x8c\xf3\x02\x03\x01\x00\x01\xa3\x82\x01\x1d0\x82\x01\x190\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xc0z\x98h\x8d\x89\xfb\xab\x05d\x0c\x11}\xaa}e\xb8\xca\xccN0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x12\x06\x03U\x1d\x13\x01\x01\xff\x04\x080\x06\x01\x01\xff\x02\x01\x000\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x0605\x06\x03U\x1d\x1f\x04.0,0*\xa0(\xa0&\x86$http://g.symcb.com/crls/gtglobal.crl0.\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04"0 0\x1e\x06\x08+\x06\x01\x05\x05\x070\x01\x86\x12http://g.symcd.com0L\x06\x03U\x1d 
\x04E0C0A\x06\x0a`\x86H\x01\x86\xf8E\x01\x0760301\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16%http://www.geotrust.com/resources/cps0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00\x16Gso\x85\xa2b\xe1\xe7*v\xbb\x89\x95B&\x97\xbcJ\xac\xacpS:?1\x83=<\x1c\xab\x9a\xe2\xb1]\x1cv\x1a\xa0<\x0crW\xbe\xd3\x9eP\xe0\xc8\x99\xd6X\xd7\x02\xea\xce\x0d)T|\xcd\xf5\xc2\xc6\x90)U\xa3o\x14\xa8\x0bB\x0d:\x98m\x06x\x9e\xf0j\xa3\x1d\x02\x0a\xa2(\xa4\x8d\xc2\x81F>mg\xda\xde?\xfe\x85\x0eB*\x12\xde\xb5\xb7\xfb\xb8\x1b\xa7\x96\xecw\x9f\xec\xd4S\x95z\xff\x07\xf4\xf2\x0a\x14\xc0QR\xb1\xd6\x8eP\x0b\x1a\x99\\xbc\x0b\xc9\xbd\xed\xed\xf8^\xc1V\xdbM~#\xa4\x11\xa1,\xd4\x1b\x05\x9a\xe4\x1bR\xf6|8\x99\x05K\xbar\x8dB\x89`\x04f*\xf4\xfdh\xd7k\xf7\x99A(\xd6l$\xab\xe6%S.\xc8\x82\x99\xe2\xa2\x8f#\xbe0\x83\xb1'\x8b\xfah\x7f\x01I\xe8\xc6\x98k\x10.\x98^\x8a\xd7\xcaK\xb1\xc7\xc9X\x9a\xd06\xdb\x96\x95\xec\xb6\x81\xe4\xf2\xcdo\x1by\x87L\x10<\x89\xe4M\xfaT\xdc\xaa\xa6, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, 
source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, 
not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, 
tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, 
id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] ext: X509::Extension = [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a] 1437831799.764576 x509_extension - [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, 
cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], 
[name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09]], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, 
client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x04@0\x82\x03(\xa0\x03\x02\x01\x02\x02\x03\x02:t0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000B1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x160\x14\x06\x03U\x04\x0a\x13\x0dGeoTrust Inc.1\x1b0\x19\x06\x03U\x04\x03\x13\x12GeoTrust Global CA0\x1e\x17\x0d140616154202Z\x17\x0d220520154202Z0b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xd0\x93\xa1\x1dGC \x16\xb2\x0bk\xeb\xc3\xd5\xb4\xe8\xc7\x98\xcd\xf3\xde\xbf\xe8M\xe9\xe36\x80\x07\xfcE\x1bj|E\x86\xaeV\xd3\xa4\x09\x7fa\x0dk]~Rk}\xb4\xc89\xc4\xf4g:\xf7\x83\xce\x19o\x86/~E~G\x1cgR\xca\x95\x05]\xe26Q\x85\xc0\xd4g\x805o\x15\xdd>\xfd\x1d\xd2\xfd\x8f4P\xd8\xecv*\xbe\xe3\xd3\xda\xe4\xfd\xc8\xeb(\x02\x96\x11\x97\x17a\x1c\xe9\xc4Y;B\xdc2\xd1\x09\x1d\xda\xa6\xd1C\x86\xff^\xb2\xbc\x8c\xcff\xdb\x01\x8b\x02\xae\x94H\xf38\x8f\xfd\xea2\xa8\x08\xec\x86\x97Q\x94$>II\x96S\xe8y\xa1@\x81\xe9\x05\xbb\x93\x95Q\xfc\xe3\xfd|\x11K\xf7\x9e\x08\xb3\x15I\x15\x07\xf9\xd17\xa0\x9bK2\xf6\xb5\xc4\xdcj\xd1\xfc\x0a\xed\xf6\xe0\xc5)\xa0\xa8\x8bq\xfe\x0d\x92\xbc\xfeTp\x18\x0am\xc7\xed\x0c\xfb\xc9-\x06\xc3\x8c\x85\xfc\xcb\x86\\xd66\x8e\x12\x8b\x09\x7f\xfb\x19\x1a8\xd5\xf0\x940z\x0f\xa6\x8c\xf3\x02\x03\x01\x00\x01\xa3\x82\x01\x1d0\x82\x01\x190\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xc0z\x98h\x8d\x89\xfb\xab\x05d\x0c\x11}\xaa}e\xb8\xca\xccN0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\
xd6*)0\x12\x06\x03U\x1d\x13\x01\x01\xff\x04\x080\x06\x01\x01\xff\x02\x01\x000\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x0605\x06\x03U\x1d\x1f\x04.0,0*\xa0(\xa0&\x86$http://g.symcb.com/crls/gtglobal.crl0.\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04"0 0\x1e\x06\x08+\x06\x01\x05\x05\x070\x01\x86\x12http://g.symcd.com0L\x06\x03U\x1d \x04E0C0A\x06\x0a`\x86H\x01\x86\xf8E\x01\x0760301\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16%http://www.geotrust.com/resources/cps0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00\x16Gso\x85\xa2b\xe1\xe7*v\xbb\x89\x95B&\x97\xbcJ\xac\xacpS:?1\x83=<\x1c\xab\x9a\xe2\xb1]\x1cv\x1a\xa0<\x0crW\xbe\xd3\x9eP\xe0\xc8\x99\xd6X\xd7\x02\xea\xce\x0d)T|\xcd\xf5\xc2\xc6\x90)U\xa3o\x14\xa8\x0bB\x0d:\x98m\x06x\x9e\xf0j\xa3\x1d\x02\x0a\xa2(\xa4\x8d\xc2\x81F>mg\xda\xde?\xfe\x85\x0eB*\x12\xde\xb5\xb7\xfb\xb8\x1b\xa7\x96\xecw\x9f\xec\xd4S\x95z\xff\x07\xf4\xf2\x0a\x14\xc0QR\xb1\xd6\x8eP\x0b\x1a\x99\\xbc\x0b\xc9\xbd\xed\xed\xf8^\xc1V\xdbM~#\xa4\x11\xa1,\xd4\x1b\x05\x9a\xe4\x1bR\xf6|8\x99\x05K\xbar\x8dB\x89`\x04f*\xf4\xfdh\xd7k\xf7\x99A(\xd6l$\xab\xe6%S.\xc8\x82\x99\xe2\xa2\x8f#\xbe0\x83\xb1'\x8b\xfah\x7f\x01I\xe8\xc6\x98k\x10.\x98^\x8a\xd7\xcaK\xb1\xc7\xc9X\x9a\xd06\xdb\x96\x95\xec\xb6\x81\xe4\xf2\xcdo\x1by\x87L\x10<\x89\xe4M\xfaT\xdc\xaa\xa6, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, 
not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a]], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, 
mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, 
oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09]], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, 
smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a]], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] ext: X509::Extension = [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29] 1437831799.764576 x509_extension - [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], 
resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - 
URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, 
overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29]], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x04@0\x82\x03(\xa0\x03\x02\x01\x02\x02\x03\x02:t0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000B1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x160\x14\x06\x03U\x04\x0a\x13\x0dGeoTrust Inc.1\x1b0\x19\x06\x03U\x04\x03\x13\x12GeoTrust Global CA0\x1e\x17\x0d140616154202Z\x17\x0d220520154202Z0b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple 
Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xd0\x93\xa1\x1dGC \x16\xb2\x0bk\xeb\xc3\xd5\xb4\xe8\xc7\x98\xcd\xf3\xde\xbf\xe8M\xe9\xe36\x80\x07\xfcE\x1bj|E\x86\xaeV\xd3\xa4\x09\x7fa\x0dk]~Rk}\xb4\xc89\xc4\xf4g:\xf7\x83\xce\x19o\x86/~E~G\x1cgR\xca\x95\x05]\xe26Q\x85\xc0\xd4g\x805o\x15\xdd>\xfd\x1d\xd2\xfd\x8f4P\xd8\xecv*\xbe\xe3\xd3\xda\xe4\xfd\xc8\xeb(\x02\x96\x11\x97\x17a\x1c\xe9\xc4Y;B\xdc2\xd1\x09\x1d\xda\xa6\xd1C\x86\xff^\xb2\xbc\x8c\xcff\xdb\x01\x8b\x02\xae\x94H\xf38\x8f\xfd\xea2\xa8\x08\xec\x86\x97Q\x94$>II\x96S\xe8y\xa1@\x81\xe9\x05\xbb\x93\x95Q\xfc\xe3\xfd|\x11K\xf7\x9e\x08\xb3\x15I\x15\x07\xf9\xd17\xa0\x9bK2\xf6\xb5\xc4\xdcj\xd1\xfc\x0a\xed\xf6\xe0\xc5)\xa0\xa8\x8bq\xfe\x0d\x92\xbc\xfeTp\x18\x0am\xc7\xed\x0c\xfb\xc9-\x06\xc3\x8c\x85\xfc\xcb\x86\\xd66\x8e\x12\x8b\x09\x7f\xfb\x19\x1a8\xd5\xf0\x940z\x0f\xa6\x8c\xf3\x02\x03\x01\x00\x01\xa3\x82\x01\x1d0\x82\x01\x190\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xc0z\x98h\x8d\x89\xfb\xab\x05d\x0c\x11}\xaa}e\xb8\xca\xccN0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x12\x06\x03U\x1d\x13\x01\x01\xff\x04\x080\x06\x01\x01\xff\x02\x01\x000\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x0605\x06\x03U\x1d\x1f\x04.0,0*\xa0(\xa0&\x86$http://g.symcb.com/crls/gtglobal.crl0.\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04"0 0\x1e\x06\x08+\x06\x01\x05\x05\x070\x01\x86\x12http://g.symcd.com0L\x06\x03U\x1d 
\x04E0C0A\x06\x0a`\x86H\x01\x86\xf8E\x01\x0760301\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16%http://www.geotrust.com/resources/cps0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00\x16Gso\x85\xa2b\xe1\xe7*v\xbb\x89\x95B&\x97\xbcJ\xac\xacpS:?1\x83=<\x1c\xab\x9a\xe2\xb1]\x1cv\x1a\xa0<\x0crW\xbe\xd3\x9eP\xe0\xc8\x99\xd6X\xd7\x02\xea\xce\x0d)T|\xcd\xf5\xc2\xc6\x90)U\xa3o\x14\xa8\x0bB\x0d:\x98m\x06x\x9e\xf0j\xa3\x1d\x02\x0a\xa2(\xa4\x8d\xc2\x81F>mg\xda\xde?\xfe\x85\x0eB*\x12\xde\xb5\xb7\xfb\xb8\x1b\xa7\x96\xecw\x9f\xec\xd4S\x95z\xff\x07\xf4\xf2\x0a\x14\xc0QR\xb1\xd6\x8eP\x0b\x1a\x99\\xbc\x0b\xc9\xbd\xed\xed\xf8^\xc1V\xdbM~#\xa4\x11\xa1,\xd4\x1b\x05\x9a\xe4\x1bR\xf6|8\x99\x05K\xbar\x8dB\x89`\x04f*\xf4\xfdh\xd7k\xf7\x99A(\xd6l$\xab\xe6%S.\xc8\x82\x99\xe2\xa2\x8f#\xbe0\x83\xb1'\x8b\xfah\x7f\x01I\xe8\xc6\x98k\x10.\x98^\x8a\xd7\xcaK\xb1\xc7\xc9X\x9a\xd06\xdb\x96\x95\xec\xb6\x81\xe4\xf2\xcdo\x1by\x87L\x10<\x89\xe4M\xfaT\xdc\xaa\xa6, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, 
value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29]], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, 
overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, 
critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29]], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, 
sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29]], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] ext: X509::Extension = [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0] 1437831799.764576 x509_ext_basic_constraints - [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, 
orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, 
extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, 
mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0]], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x04@0\x82\x03(\xa0\x03\x02\x01\x02\x02\x03\x02:t0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000B1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x160\x14\x06\x03U\x04\x0a\x13\x0dGeoTrust Inc.1\x1b0\x19\x06\x03U\x04\x03\x13\x12GeoTrust Global 
CA0\x1e\x17\x0d140616154202Z\x17\x0d220520154202Z0b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xd0\x93\xa1\x1dGC \x16\xb2\x0bk\xeb\xc3\xd5\xb4\xe8\xc7\x98\xcd\xf3\xde\xbf\xe8M\xe9\xe36\x80\x07\xfcE\x1bj|E\x86\xaeV\xd3\xa4\x09\x7fa\x0dk]~Rk}\xb4\xc89\xc4\xf4g:\xf7\x83\xce\x19o\x86/~E~G\x1cgR\xca\x95\x05]\xe26Q\x85\xc0\xd4g\x805o\x15\xdd>\xfd\x1d\xd2\xfd\x8f4P\xd8\xecv*\xbe\xe3\xd3\xda\xe4\xfd\xc8\xeb(\x02\x96\x11\x97\x17a\x1c\xe9\xc4Y;B\xdc2\xd1\x09\x1d\xda\xa6\xd1C\x86\xff^\xb2\xbc\x8c\xcff\xdb\x01\x8b\x02\xae\x94H\xf38\x8f\xfd\xea2\xa8\x08\xec\x86\x97Q\x94$>II\x96S\xe8y\xa1@\x81\xe9\x05\xbb\x93\x95Q\xfc\xe3\xfd|\x11K\xf7\x9e\x08\xb3\x15I\x15\x07\xf9\xd17\xa0\x9bK2\xf6\xb5\xc4\xdcj\xd1\xfc\x0a\xed\xf6\xe0\xc5)\xa0\xa8\x8bq\xfe\x0d\x92\xbc\xfeTp\x18\x0am\xc7\xed\x0c\xfb\xc9-\x06\xc3\x8c\x85\xfc\xcb\x86\\xd66\x8e\x12\x8b\x09\x7f\xfb\x19\x1a8\xd5\xf0\x940z\x0f\xa6\x8c\xf3\x02\x03\x01\x00\x01\xa3\x82\x01\x1d0\x82\x01\x190\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xc0z\x98h\x8d\x89\xfb\xab\x05d\x0c\x11}\xaa}e\xb8\xca\xccN0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x12\x06\x03U\x1d\x13\x01\x01\xff\x04\x080\x06\x01\x01\xff\x02\x01\x000\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x0605\x06\x03U\x1d\x1f\x04.0,0*\xa0(\xa0&\x86$http://g.symcb.com/crls/gtglobal.crl0.\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04"0 0\x1e\x06\x08+\x06\x01\x05\x05\x070\x01\x86\x12http://g.symcd.com0L\x06\x03U\x1d 
\x04E0C0A\x06\x0a`\x86H\x01\x86\xf8E\x01\x0760301\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16%http://www.geotrust.com/resources/cps0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00\x16Gso\x85\xa2b\xe1\xe7*v\xbb\x89\x95B&\x97\xbcJ\xac\xacpS:?1\x83=<\x1c\xab\x9a\xe2\xb1]\x1cv\x1a\xa0<\x0crW\xbe\xd3\x9eP\xe0\xc8\x99\xd6X\xd7\x02\xea\xce\x0d)T|\xcd\xf5\xc2\xc6\x90)U\xa3o\x14\xa8\x0bB\x0d:\x98m\x06x\x9e\xf0j\xa3\x1d\x02\x0a\xa2(\xa4\x8d\xc2\x81F>mg\xda\xde?\xfe\x85\x0eB*\x12\xde\xb5\xb7\xfb\xb8\x1b\xa7\x96\xecw\x9f\xec\xd4S\x95z\xff\x07\xf4\xf2\x0a\x14\xc0QR\xb1\xd6\x8eP\x0b\x1a\x99\\xbc\x0b\xc9\xbd\xed\xed\xf8^\xc1V\xdbM~#\xa4\x11\xa1,\xd4\x1b\x05\x9a\xe4\x1bR\xf6|8\x99\x05K\xbar\x8dB\x89`\x04f*\xf4\xfdh\xd7k\xf7\x99A(\xd6l$\xab\xe6%S.\xc8\x82\x99\xe2\xa2\x8f#\xbe0\x83\xb1'\x8b\xfah\x7f\x01I\xe8\xc6\x98k\x10.\x98^\x8a\xd7\xcaK\xb1\xc7\xc9X\x9a\xd06\xdb\x96\x95\xec\xb6\x81\xe4\xf2\xcdo\x1by\x87L\x10<\x89\xe4M\xfaT\xdc\xaa\xa6, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, 
value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0]], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, 
filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, 
Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0]], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], 
client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0]], san=, basic_constraints=], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] ext: X509::BasicConstraints = [ca=T, path_len=0] 1437831799.764576 
x509_extension - [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 
2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, 
tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, 
bof_buffer=0\x82\x04@0\x82\x03(\xa0\x03\x02\x01\x02\x02\x03\x02:t0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000B1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x160\x14\x06\x03U\x04\x0a\x13\x0dGeoTrust Inc.1\x1b0\x19\x06\x03U\x04\x03\x13\x12GeoTrust Global CA0\x1e\x17\x0d140616154202Z\x17\x0d220520154202Z0b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xd0\x93\xa1\x1dGC \x16\xb2\x0bk\xeb\xc3\xd5\xb4\xe8\xc7\x98\xcd\xf3\xde\xbf\xe8M\xe9\xe36\x80\x07\xfcE\x1bj|E\x86\xaeV\xd3\xa4\x09\x7fa\x0dk]~Rk}\xb4\xc89\xc4\xf4g:\xf7\x83\xce\x19o\x86/~E~G\x1cgR\xca\x95\x05]\xe26Q\x85\xc0\xd4g\x805o\x15\xdd>\xfd\x1d\xd2\xfd\x8f4P\xd8\xecv*\xbe\xe3\xd3\xda\xe4\xfd\xc8\xeb(\x02\x96\x11\x97\x17a\x1c\xe9\xc4Y;B\xdc2\xd1\x09\x1d\xda\xa6\xd1C\x86\xff^\xb2\xbc\x8c\xcff\xdb\x01\x8b\x02\xae\x94H\xf38\x8f\xfd\xea2\xa8\x08\xec\x86\x97Q\x94$>II\x96S\xe8y\xa1@\x81\xe9\x05\xbb\x93\x95Q\xfc\xe3\xfd|\x11K\xf7\x9e\x08\xb3\x15I\x15\x07\xf9\xd17\xa0\x9bK2\xf6\xb5\xc4\xdcj\xd1\xfc\x0a\xed\xf6\xe0\xc5)\xa0\xa8\x8bq\xfe\x0d\x92\xbc\xfeTp\x18\x0am\xc7\xed\x0c\xfb\xc9-\x06\xc3\x8c\x85\xfc\xcb\x86\\xd66\x8e\x12\x8b\x09\x7f\xfb\x19\x1a8\xd5\xf0\x940z\x0f\xa6\x8c\xf3\x02\x03\x01\x00\x01\xa3\x82\x01\x1d0\x82\x01\x190\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xc0z\x98h\x8d\x89\xfb\xab\x05d\x0c\x11}\xaa}e\xb8\xca\xccN0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x12\x06\x03U\x1d\x13\x01\x01\xff\x04\x080\x06\x01\x01\xff\x02\x01\x000\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x0605\x06\x03U\x1d\x1f\x04.0,0*\xa0(\xa0&\x86$http://g.symcb.com/crls/gtglobal.crl0.\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04"0 0\x1e\x06\x08+\x06\x01\x05\x05\x070\x01\x86\x12http://g.symcd.com0L\x06\x03U\x1d 
\x04E0C0A\x06\x0a`\x86H\x01\x86\xf8E\x01\x0760301\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16%http://www.geotrust.com/resources/cps0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00\x16Gso\x85\xa2b\xe1\xe7*v\xbb\x89\x95B&\x97\xbcJ\xac\xacpS:?1\x83=<\x1c\xab\x9a\xe2\xb1]\x1cv\x1a\xa0<\x0crW\xbe\xd3\x9eP\xe0\xc8\x99\xd6X\xd7\x02\xea\xce\x0d)T|\xcd\xf5\xc2\xc6\x90)U\xa3o\x14\xa8\x0bB\x0d:\x98m\x06x\x9e\xf0j\xa3\x1d\x02\x0a\xa2(\xa4\x8d\xc2\x81F>mg\xda\xde?\xfe\x85\x0eB*\x12\xde\xb5\xb7\xfb\xb8\x1b\xa7\x96\xecw\x9f\xec\xd4S\x95z\xff\x07\xf4\xf2\x0a\x14\xc0QR\xb1\xd6\x8eP\x0b\x1a\x99\\xbc\x0b\xc9\xbd\xed\xed\xf8^\xc1V\xdbM~#\xa4\x11\xa1,\xd4\x1b\x05\x9a\xe4\x1bR\xf6|8\x99\x05K\xbar\x8dB\x89`\x04f*\xf4\xfdh\xd7k\xf7\x99A(\xd6l$\xab\xe6%S.\xc8\x82\x99\xe2\xa2\x8f#\xbe0\x83\xb1'\x8b\xfah\x7f\x01I\xe8\xc6\x98k\x10.\x98^\x8a\xd7\xcaK\xb1\xc7\xc9X\x9a\xd06\xdb\x96\x95\xec\xb6\x81\xe4\xf2\xcdo\x1by\x87L\x10<\x89\xe4M\xfaT\xdc\xaa\xa6, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, 
value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, 
mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, 
oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], 
cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, 
pe=, u2_events=] [1] ext: X509::Extension = [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign] 1437831799.764576 x509_extension - [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, 
serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], 
san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, 
smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x04@0\x82\x03(\xa0\x03\x02\x01\x02\x02\x03\x02:t0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000B1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x160\x14\x06\x03U\x04\x0a\x13\x0dGeoTrust Inc.1\x1b0\x19\x06\x03U\x04\x03\x13\x12GeoTrust Global CA0\x1e\x17\x0d140616154202Z\x17\x0d220520154202Z0b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xd0\x93\xa1\x1dGC \x16\xb2\x0bk\xeb\xc3\xd5\xb4\xe8\xc7\x98\xcd\xf3\xde\xbf\xe8M\xe9\xe36\x80\x07\xfcE\x1bj|E\x86\xaeV\xd3\xa4\x09\x7fa\x0dk]~Rk}\xb4\xc89\xc4\xf4g:\xf7\x83\xce\x19o\x86/~E~G\x1cgR\xca\x95\x05]\xe26Q\x85\xc0\xd4g\x805o\x15\xdd>\xfd\x1d\xd2\xfd\x8f4P\xd8\xecv*\xbe\xe3\xd3\xda\xe4\xfd\xc8\xeb(\x02\x96\x11\x97\x17a\x1c\xe9\xc4Y;B\xdc2\xd1\x09\x1d\xda\xa6\xd1C\x86\xff^\xb2\xbc\x8c\xcff\xdb\x01\x8b\x02\xae\x94H\xf38\x8f\xfd\xea2\xa8\x08\xec\x86\x97Q\x94$>II\x96S\xe8y\xa1@\x81\xe9\x05\xbb\x93\x95Q\xfc\xe3\xfd|\x11K\xf7\x9e\x08\xb3\x15I\x15\x07\xf9\xd17\xa0\x9bK2\xf6\xb5\xc4\xdcj\xd1\xfc\x0a\xed\xf6\xe0\xc5)\xa0\xa8\x8bq\xfe\x0d\x92\xbc\xfeTp\x18\x0am\xc7\xed\x0c\xfb\xc9-\x06\xc3\x8c\x85\xfc\xcb\x86\\xd66\x8e\x12\x8b\x09\x7f\xfb\x19\x1a8\xd5\xf0\x940z\x0f\xa6\x8c\xf3\x02\x03\x01\x00\x01\xa3\x82\x01\x1d0\x82\x01\x190\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xc0z\x98h\x8d\x89\xfb\xab\x05d\x0c\x11}\xaa}e\xb8\xca\xccN0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x12\x06\x03U\x1d\x13\x01\x01\xff\x04\x080\x06\x01\x01\xff\x02\x01\x000\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x0605\x06\x03U\x1d\x1f\x04.0,0*\xa0(\
xa0&\x86$http://g.symcb.com/crls/gtglobal.crl0.\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04"0 0\x1e\x06\x08+\x06\x01\x05\x05\x070\x01\x86\x12http://g.symcd.com0L\x06\x03U\x1d \x04E0C0A\x06\x0a`\x86H\x01\x86\xf8E\x01\x0760301\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16%http://www.geotrust.com/resources/cps0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00\x16Gso\x85\xa2b\xe1\xe7*v\xbb\x89\x95B&\x97\xbcJ\xac\xacpS:?1\x83=<\x1c\xab\x9a\xe2\xb1]\x1cv\x1a\xa0<\x0crW\xbe\xd3\x9eP\xe0\xc8\x99\xd6X\xd7\x02\xea\xce\x0d)T|\xcd\xf5\xc2\xc6\x90)U\xa3o\x14\xa8\x0bB\x0d:\x98m\x06x\x9e\xf0j\xa3\x1d\x02\x0a\xa2(\xa4\x8d\xc2\x81F>mg\xda\xde?\xfe\x85\x0eB*\x12\xde\xb5\xb7\xfb\xb8\x1b\xa7\x96\xecw\x9f\xec\xd4S\x95z\xff\x07\xf4\xf2\x0a\x14\xc0QR\xb1\xd6\x8eP\x0b\x1a\x99\\xbc\x0b\xc9\xbd\xed\xed\xf8^\xc1V\xdbM~#\xa4\x11\xa1,\xd4\x1b\x05\x9a\xe4\x1bR\xf6|8\x99\x05K\xbar\x8dB\x89`\x04f*\xf4\xfdh\xd7k\xf7\x99A(\xd6l$\xab\xe6%S.\xc8\x82\x99\xe2\xa2\x8f#\xbe0\x83\xb1'\x8b\xfah\x7f\x01I\xe8\xc6\x98k\x10.\x98^\x8a\xd7\xcaK\xb1\xc7\xc9X\x9a\xd06\xdb\x96\x95\xec\xb6\x81\xe4\xf2\xcdo\x1by\x87L\x10<\x89\xe4M\xfaT\xdc\xaa\xa6, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, 
extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, 
tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL 
Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic 
Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, 
critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] ext: X509::Extension = [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a] 1437831799.764576 x509_extension - [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, 
rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull 
Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, 
oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a\x09]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x04@0\x82\x03(\xa0\x03\x02\x01\x02\x02\x03\x02:t0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000B1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x160\x14\x06\x03U\x04\x0a\x13\x0dGeoTrust Inc.1\x1b0\x19\x06\x03U\x04\x03\x13\x12GeoTrust Global CA0\x1e\x17\x0d140616154202Z\x17\x0d220520154202Z0b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xd0\x93\xa1\x1dGC 
\x16\xb2\x0bk\xeb\xc3\xd5\xb4\xe8\xc7\x98\xcd\xf3\xde\xbf\xe8M\xe9\xe36\x80\x07\xfcE\x1bj|E\x86\xaeV\xd3\xa4\x09\x7fa\x0dk]~Rk}\xb4\xc89\xc4\xf4g:\xf7\x83\xce\x19o\x86/~E~G\x1cgR\xca\x95\x05]\xe26Q\x85\xc0\xd4g\x805o\x15\xdd>\xfd\x1d\xd2\xfd\x8f4P\xd8\xecv*\xbe\xe3\xd3\xda\xe4\xfd\xc8\xeb(\x02\x96\x11\x97\x17a\x1c\xe9\xc4Y;B\xdc2\xd1\x09\x1d\xda\xa6\xd1C\x86\xff^\xb2\xbc\x8c\xcff\xdb\x01\x8b\x02\xae\x94H\xf38\x8f\xfd\xea2\xa8\x08\xec\x86\x97Q\x94$>II\x96S\xe8y\xa1@\x81\xe9\x05\xbb\x93\x95Q\xfc\xe3\xfd|\x11K\xf7\x9e\x08\xb3\x15I\x15\x07\xf9\xd17\xa0\x9bK2\xf6\xb5\xc4\xdcj\xd1\xfc\x0a\xed\xf6\xe0\xc5)\xa0\xa8\x8bq\xfe\x0d\x92\xbc\xfeTp\x18\x0am\xc7\xed\x0c\xfb\xc9-\x06\xc3\x8c\x85\xfc\xcb\x86\\xd66\x8e\x12\x8b\x09\x7f\xfb\x19\x1a8\xd5\xf0\x940z\x0f\xa6\x8c\xf3\x02\x03\x01\x00\x01\xa3\x82\x01\x1d0\x82\x01\x190\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xc0z\x98h\x8d\x89\xfb\xab\x05d\x0c\x11}\xaa}e\xb8\xca\xccN0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x12\x06\x03U\x1d\x13\x01\x01\xff\x04\x080\x06\x01\x01\xff\x02\x01\x000\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x0605\x06\x03U\x1d\x1f\x04.0,0*\xa0(\xa0&\x86$http://g.symcb.com/crls/gtglobal.crl0.\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04"0 0\x1e\x06\x08+\x06\x01\x05\x05\x070\x01\x86\x12http://g.symcd.com0L\x06\x03U\x1d 
\x04E0C0A\x06\x0a`\x86H\x01\x86\xf8E\x01\x0760301\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16%http://www.geotrust.com/resources/cps0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00\x16Gso\x85\xa2b\xe1\xe7*v\xbb\x89\x95B&\x97\xbcJ\xac\xacpS:?1\x83=<\x1c\xab\x9a\xe2\xb1]\x1cv\x1a\xa0<\x0crW\xbe\xd3\x9eP\xe0\xc8\x99\xd6X\xd7\x02\xea\xce\x0d)T|\xcd\xf5\xc2\xc6\x90)U\xa3o\x14\xa8\x0bB\x0d:\x98m\x06x\x9e\xf0j\xa3\x1d\x02\x0a\xa2(\xa4\x8d\xc2\x81F>mg\xda\xde?\xfe\x85\x0eB*\x12\xde\xb5\xb7\xfb\xb8\x1b\xa7\x96\xecw\x9f\xec\xd4S\x95z\xff\x07\xf4\xf2\x0a\x14\xc0QR\xb1\xd6\x8eP\x0b\x1a\x99\\xbc\x0b\xc9\xbd\xed\xed\xf8^\xc1V\xdbM~#\xa4\x11\xa1,\xd4\x1b\x05\x9a\xe4\x1bR\xf6|8\x99\x05K\xbar\x8dB\x89`\x04f*\xf4\xfdh\xd7k\xf7\x99A(\xd6l$\xab\xe6%S.\xc8\x82\x99\xe2\xa2\x8f#\xbe0\x83\xb1'\x8b\xfah\x7f\x01I\xe8\xc6\x98k\x10.\x98^\x8a\xd7\xcaK\xb1\xc7\xc9X\x9a\xd06\xdb\x96\x95\xec\xb6\x81\xe4\xf2\xcdo\x1by\x87L\x10<\x89\xe4M\xfaT\xdc\xaa\xa6, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, 
value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, 
cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: 
http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, 
value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a\x09]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, 
extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] ext: X509::Extension = [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a] 1437831799.764576 x509_extension - [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, 
version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, 
critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, 
critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a\x09], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a\x09]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x04@0\x82\x03(\xa0\x03\x02\x01\x02\x02\x03\x02:t0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000B1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x160\x14\x06\x03U\x04\x0a\x13\x0dGeoTrust Inc.1\x1b0\x19\x06\x03U\x04\x03\x13\x12GeoTrust Global CA0\x1e\x17\x0d140616154202Z\x17\x0d220520154202Z0b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple 
Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xd0\x93\xa1\x1dGC \x16\xb2\x0bk\xeb\xc3\xd5\xb4\xe8\xc7\x98\xcd\xf3\xde\xbf\xe8M\xe9\xe36\x80\x07\xfcE\x1bj|E\x86\xaeV\xd3\xa4\x09\x7fa\x0dk]~Rk}\xb4\xc89\xc4\xf4g:\xf7\x83\xce\x19o\x86/~E~G\x1cgR\xca\x95\x05]\xe26Q\x85\xc0\xd4g\x805o\x15\xdd>\xfd\x1d\xd2\xfd\x8f4P\xd8\xecv*\xbe\xe3\xd3\xda\xe4\xfd\xc8\xeb(\x02\x96\x11\x97\x17a\x1c\xe9\xc4Y;B\xdc2\xd1\x09\x1d\xda\xa6\xd1C\x86\xff^\xb2\xbc\x8c\xcff\xdb\x01\x8b\x02\xae\x94H\xf38\x8f\xfd\xea2\xa8\x08\xec\x86\x97Q\x94$>II\x96S\xe8y\xa1@\x81\xe9\x05\xbb\x93\x95Q\xfc\xe3\xfd|\x11K\xf7\x9e\x08\xb3\x15I\x15\x07\xf9\xd17\xa0\x9bK2\xf6\xb5\xc4\xdcj\xd1\xfc\x0a\xed\xf6\xe0\xc5)\xa0\xa8\x8bq\xfe\x0d\x92\xbc\xfeTp\x18\x0am\xc7\xed\x0c\xfb\xc9-\x06\xc3\x8c\x85\xfc\xcb\x86\\xd66\x8e\x12\x8b\x09\x7f\xfb\x19\x1a8\xd5\xf0\x940z\x0f\xa6\x8c\xf3\x02\x03\x01\x00\x01\xa3\x82\x01\x1d0\x82\x01\x190\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xc0z\x98h\x8d\x89\xfb\xab\x05d\x0c\x11}\xaa}e\xb8\xca\xccN0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x12\x06\x03U\x1d\x13\x01\x01\xff\x04\x080\x06\x01\x01\xff\x02\x01\x000\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x0605\x06\x03U\x1d\x1f\x04.0,0*\xa0(\xa0&\x86$http://g.symcb.com/crls/gtglobal.crl0.\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04"0 0\x1e\x06\x08+\x06\x01\x05\x05\x070\x01\x86\x12http://g.symcd.com0L\x06\x03U\x1d 
\x04E0C0A\x06\x0a`\x86H\x01\x86\xf8E\x01\x0760301\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16%http://www.geotrust.com/resources/cps0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00\x16Gso\x85\xa2b\xe1\xe7*v\xbb\x89\x95B&\x97\xbcJ\xac\xacpS:?1\x83=<\x1c\xab\x9a\xe2\xb1]\x1cv\x1a\xa0<\x0crW\xbe\xd3\x9eP\xe0\xc8\x99\xd6X\xd7\x02\xea\xce\x0d)T|\xcd\xf5\xc2\xc6\x90)U\xa3o\x14\xa8\x0bB\x0d:\x98m\x06x\x9e\xf0j\xa3\x1d\x02\x0a\xa2(\xa4\x8d\xc2\x81F>mg\xda\xde?\xfe\x85\x0eB*\x12\xde\xb5\xb7\xfb\xb8\x1b\xa7\x96\xecw\x9f\xec\xd4S\x95z\xff\x07\xf4\xf2\x0a\x14\xc0QR\xb1\xd6\x8eP\x0b\x1a\x99\\xbc\x0b\xc9\xbd\xed\xed\xf8^\xc1V\xdbM~#\xa4\x11\xa1,\xd4\x1b\x05\x9a\xe4\x1bR\xf6|8\x99\x05K\xbar\x8dB\x89`\x04f*\xf4\xfdh\xd7k\xf7\x99A(\xd6l$\xab\xe6%S.\xc8\x82\x99\xe2\xa2\x8f#\xbe0\x83\xb1'\x8b\xfah\x7f\x01I\xe8\xc6\x98k\x10.\x98^\x8a\xd7\xcaK\xb1\xc7\xc9X\x9a\xd06\xdb\x96\x95\xec\xb6\x81\xe4\xf2\xcdo\x1by\x87L\x10<\x89\xe4M\xfaT\xdc\xaa\xa6, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, 
value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, 
client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by 
any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, 
value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a\x09], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a\x09]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple 
Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] [1] ext: X509::Extension = [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a] 1437831799.764576 file_hash - [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, 
flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, 
short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, 
id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a\x09], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a\x09]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, 
missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x04@0\x82\x03(\xa0\x03\x02\x01\x02\x02\x03\x02:t0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000B1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x160\x14\x06\x03U\x04\x0a\x13\x0dGeoTrust Inc.1\x1b0\x19\x06\x03U\x04\x03\x13\x12GeoTrust Global CA0\x1e\x17\x0d140616154202Z\x17\x0d220520154202Z0b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xd0\x93\xa1\x1dGC \x16\xb2\x0bk\xeb\xc3\xd5\xb4\xe8\xc7\x98\xcd\xf3\xde\xbf\xe8M\xe9\xe36\x80\x07\xfcE\x1bj|E\x86\xaeV\xd3\xa4\x09\x7fa\x0dk]~Rk}\xb4\xc89\xc4\xf4g:\xf7\x83\xce\x19o\x86/~E~G\x1cgR\xca\x95\x05]\xe26Q\x85\xc0\xd4g\x805o\x15\xdd>\xfd\x1d\xd2\xfd\x8f4P\xd8\xecv*\xbe\xe3\xd3\xda\xe4\xfd\xc8\xeb(\x02\x96\x11\x97\x17a\x1c\xe9\xc4Y;B\xdc2\xd1\x09\x1d\xda\xa6\xd1C\x86\xff^\xb2\xbc\x8c\xcff\xdb\x01\x8b\x02\xae\x94H\xf38\x8f\xfd\xea2\xa8\x08\xec\x86\x97Q\x94$>II\x96S\xe8y\xa1@\x81\xe9\x05\xbb\x93\x95Q\xfc\xe3\xfd|\x11K\xf7\x9e\x08\xb3\x15I\x15\x07\xf9\xd17\xa0\x9bK2\xf6\xb5\xc4\xdcj\xd1\xfc\x0a\xed\xf6\xe0\xc5)\xa0\xa8\x8bq\xfe\x0d\x92\xbc\xfeTp\x18\x0am\xc7\xed\x0c\xfb\xc9-\x06\xc3\x8c\x85\xfc\xcb\x86\\xd66\x8e\x12\x8b\x09\x7f\xfb\x19\x1a8\xd5\xf0\x940z\x0f\xa6\x8c\xf3\x02\x03\x01\x00\x01\xa3\x82\x01\x1d0\x82\x01\x190\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xc0z\x98h\x8d\x89\xfb\xab\x05d\x0c\x11}\xaa}e\xb8\xca\xccN0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x12\x06\x03U\x1d\x13\x01\x01\xff\x04\x080\x06\x01\x01\xff\x02\x01\x000\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x0605\x06\x03U\x1d\x1f\x04.0,0*\xa0(\xa0&\x86$http://g.symcb.com/crls/gtglobal.crl0.\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04"0 
0\x1e\x06\x08+\x06\x01\x05\x05\x070\x01\x86\x12http://g.symcd.com0L\x06\x03U\x1d \x04E0C0A\x06\x0a`\x86H\x01\x86\xf8E\x01\x0760301\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16%http://www.geotrust.com/resources/cps0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00\x16Gso\x85\xa2b\xe1\xe7*v\xbb\x89\x95B&\x97\xbcJ\xac\xacpS:?1\x83=<\x1c\xab\x9a\xe2\xb1]\x1cv\x1a\xa0<\x0crW\xbe\xd3\x9eP\xe0\xc8\x99\xd6X\xd7\x02\xea\xce\x0d)T|\xcd\xf5\xc2\xc6\x90)U\xa3o\x14\xa8\x0bB\x0d:\x98m\x06x\x9e\xf0j\xa3\x1d\x02\x0a\xa2(\xa4\x8d\xc2\x81F>mg\xda\xde?\xfe\x85\x0eB*\x12\xde\xb5\xb7\xfb\xb8\x1b\xa7\x96\xecw\x9f\xec\xd4S\x95z\xff\x07\xf4\xf2\x0a\x14\xc0QR\xb1\xd6\x8eP\x0b\x1a\x99\\xbc\x0b\xc9\xbd\xed\xed\xf8^\xc1V\xdbM~#\xa4\x11\xa1,\xd4\x1b\x05\x9a\xe4\x1bR\xf6|8\x99\x05K\xbar\x8dB\x89`\x04f*\xf4\xfdh\xd7k\xf7\x99A(\xd6l$\xab\xe6%S.\xc8\x82\x99\xe2\xa2\x8f#\xbe0\x83\xb1'\x8b\xfah\x7f\x01I\xe8\xc6\x98k\x10.\x98^\x8a\xd7\xcaK\xb1\xc7\xc9X\x9a\xd06\xdb\x96\x95\xec\xb6\x81\xe4\xf2\xcdo\x1by\x87L\x10<\x89\xe4M\xfaT\xdc\xaa\xa6, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, 
critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] - [1] kind: string = sha1 - [2] hash: string = 8e8321ca08b08e3726fe1d82996884eeb5f0d655 + [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, 
uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, 
value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, 
key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a\x09], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a\x09]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, 
source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [1] kind: string = md5 + [2] hash: string = 
48f0e38385112eeca5fc9ffd402eaecd 1437831799.764576 file_state_remove - [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, 
issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, 
extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a\x09], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: 
http://www.geotrust.com/resources/cps\x0a\x09]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x04@0\x82\x03(\xa0\x03\x02\x01\x02\x02\x03\x02:t0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000B1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x160\x14\x06\x03U\x04\x0a\x13\x0dGeoTrust Inc.1\x1b0\x19\x06\x03U\x04\x03\x13\x12GeoTrust Global CA0\x1e\x17\x0d140616154202Z\x17\x0d220520154202Z0b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x82\x01"0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\x0a\x02\x82\x01\x01\x00\xd0\x93\xa1\x1dGC 
\x16\xb2\x0bk\xeb\xc3\xd5\xb4\xe8\xc7\x98\xcd\xf3\xde\xbf\xe8M\xe9\xe36\x80\x07\xfcE\x1bj|E\x86\xaeV\xd3\xa4\x09\x7fa\x0dk]~Rk}\xb4\xc89\xc4\xf4g:\xf7\x83\xce\x19o\x86/~E~G\x1cgR\xca\x95\x05]\xe26Q\x85\xc0\xd4g\x805o\x15\xdd>\xfd\x1d\xd2\xfd\x8f4P\xd8\xecv*\xbe\xe3\xd3\xda\xe4\xfd\xc8\xeb(\x02\x96\x11\x97\x17a\x1c\xe9\xc4Y;B\xdc2\xd1\x09\x1d\xda\xa6\xd1C\x86\xff^\xb2\xbc\x8c\xcff\xdb\x01\x8b\x02\xae\x94H\xf38\x8f\xfd\xea2\xa8\x08\xec\x86\x97Q\x94$>II\x96S\xe8y\xa1@\x81\xe9\x05\xbb\x93\x95Q\xfc\xe3\xfd|\x11K\xf7\x9e\x08\xb3\x15I\x15\x07\xf9\xd17\xa0\x9bK2\xf6\xb5\xc4\xdcj\xd1\xfc\x0a\xed\xf6\xe0\xc5)\xa0\xa8\x8bq\xfe\x0d\x92\xbc\xfeTp\x18\x0am\xc7\xed\x0c\xfb\xc9-\x06\xc3\x8c\x85\xfc\xcb\x86\\xd66\x8e\x12\x8b\x09\x7f\xfb\x19\x1a8\xd5\xf0\x940z\x0f\xa6\x8c\xf3\x02\x03\x01\x00\x01\xa3\x82\x01\x1d0\x82\x01\x190\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14\xc0z\x98h\x8d\x89\xfb\xab\x05d\x0c\x11}\xaa}e\xb8\xca\xccN0\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14\xd8z\x94D|\x90p\x90\x16\x9e\xdd\x17\x9c\x01D\x03\x86\xd6*)0\x12\x06\x03U\x1d\x13\x01\x01\xff\x04\x080\x06\x01\x01\xff\x02\x01\x000\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\x0605\x06\x03U\x1d\x1f\x04.0,0*\xa0(\xa0&\x86$http://g.symcb.com/crls/gtglobal.crl0.\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x04"0 0\x1e\x06\x08+\x06\x01\x05\x05\x070\x01\x86\x12http://g.symcd.com0L\x06\x03U\x1d 
\x04E0C0A\x06\x0a`\x86H\x01\x86\xf8E\x01\x0760301\x06\x08+\x06\x01\x05\x05\x07\x02\x01\x16%http://www.geotrust.com/resources/cps0\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00\x16Gso\x85\xa2b\xe1\xe7*v\xbb\x89\x95B&\x97\xbcJ\xac\xacpS:?1\x83=<\x1c\xab\x9a\xe2\xb1]\x1cv\x1a\xa0<\x0crW\xbe\xd3\x9eP\xe0\xc8\x99\xd6X\xd7\x02\xea\xce\x0d)T|\xcd\xf5\xc2\xc6\x90)U\xa3o\x14\xa8\x0bB\x0d:\x98m\x06x\x9e\xf0j\xa3\x1d\x02\x0a\xa2(\xa4\x8d\xc2\x81F>mg\xda\xde?\xfe\x85\x0eB*\x12\xde\xb5\xb7\xfb\xb8\x1b\xa7\x96\xecw\x9f\xec\xd4S\x95z\xff\x07\xf4\xf2\x0a\x14\xc0QR\xb1\xd6\x8eP\x0b\x1a\x99\\xbc\x0b\xc9\xbd\xed\xed\xf8^\xc1V\xdbM~#\xa4\x11\xa1,\xd4\x1b\x05\x9a\xe4\x1bR\xf6|8\x99\x05K\xbar\x8dB\x89`\x04f*\xf4\xfdh\xd7k\xf7\x99A(\xd6l$\xab\xe6%S.\xc8\x82\x99\xe2\xa2\x8f#\xbe0\x83\xb1'\x8b\xfah\x7f\x01I\xe8\xc6\x98k\x10.\x98^\x8a\xd7\xcaK\xb1\xc7\xc9X\x9a\xd06\xdb\x96\x95\xec\xb6\x81\xe4\xf2\xcdo\x1by\x87L\x10<\x89\xe4M\xfaT\xdc\xaa\xa6, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, 
value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] + [0] f: fa_file = [id=Fxp53s3wA5G3zdEJg8, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], 
version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate 
Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, 
exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a\x09], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a\x09]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=1437831799.764576, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=, info=[ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, 
mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=0, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=], ftp=, http=, irc=, pe=, u2_events=] 1437831799.764576 ssl_handshake_message - [0] c: connection = [id=[orig_h=192.168.133.100, 
orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information 
Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, 
seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, 
ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, 
not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, 
rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, 
extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] [1] is_orig: bool = F [2] msg_type: count = 11 [3] length: count = 2507 1437831799.764576 ssl_handshake_message - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, 
sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject 
Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, 
value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.303424, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, 
mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, 
value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL 
Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] [1] is_orig: bool = F [2] msg_type: count = 14 [3] length: count = 0 
@@ -989,7 +999,7 @@ [4] length: count = 2596 1437831799.838196 ssl_handshake_message - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=468, state=4, num_pkts=5, num_bytes_ip=425, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=3, num_bytes_ip=2733, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.377044, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, 
sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, 
source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], 
client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=468, state=4, num_pkts=5, num_bytes_ip=425, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=3, num_bytes_ip=2733, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.377044, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple 
Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, 
path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 
2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] [1] is_orig: bool = T [2] msg_type: count = 16 [3] length: count = 258 
@@ -1002,7 +1012,7 @@ [4] length: count = 262 1437831799.838197 ssl_change_cipher_spec - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=474, state=4, num_pkts=6, num_bytes_ip=732, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=3, num_bytes_ip=2733, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.377045, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, 
sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, 
source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], 
client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=474, state=4, num_pkts=6, num_bytes_ip=732, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=3, num_bytes_ip=2733, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.377045, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple 
Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, 
path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 
2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] [1] is_orig: bool = T 1437831799.838197 ssl_plaintext_data 
@@ -1013,7 +1023,7 @@ [4] length: count = 1 1437831800.045701 ssl_change_cipher_spec - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=511, state=4, num_pkts=8, num_bytes_ip=855, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2644, state=4, num_pkts=6, num_bytes_ip=2853, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.584549, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, 
sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, 
source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], 
client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=511, state=4, num_pkts=8, num_bytes_ip=855, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2644, state=4, num_pkts=6, num_bytes_ip=2853, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.584549, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple 
Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, 
path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 
2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] [1] is_orig: bool = F 1437831800.045701 ssl_plaintext_data 
@@ -1024,41 +1034,41 @@ [4] length: count = 1 1437831800.045701 ssl_established - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=511, state=4, num_pkts=8, num_bytes_ip=855, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2644, state=4, num_pkts=6, num_bytes_ip=2853, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.584549, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, 
sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, 
source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], 
client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=511, state=4, num_pkts=8, num_bytes_ip=855, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2644, state=4, num_pkts=6, num_bytes_ip=2853, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.584549, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple 
Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, 
path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 
2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] 1437831800.217854 net_done [0] t: time = 1437831800.217854 1437831800.217854 filter_change_tracking 1437831800.217854 connection_pending - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49285/tcp, resp_h=66.196.121.26, resp_p=5050/tcp], orig=[size=41, state=3, num_pkts=1, num_bytes_ip=93, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=3, num_pkts=1, num_bytes_ip=52, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831776.764391, duration=0.343008, service={\x0a\x0a}, history=Da, uid=CUM0KZ3MLUfNB0cl11, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49285/tcp, resp_h=66.196.121.26, resp_p=5050/tcp], orig=[size=41, state=3, num_pkts=1, num_bytes_ip=93, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=3, num_pkts=1, num_bytes_ip=52, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831776.764391, duration=0.343008, service={\x0a\x0a}, history=Da, uid=CUM0KZ3MLUfNB0cl11, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, 
http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] 1437831800.217854 connection_state_remove - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49285/tcp, resp_h=66.196.121.26, resp_p=5050/tcp], orig=[size=41, state=3, num_pkts=1, num_bytes_ip=93, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=3, num_pkts=1, num_bytes_ip=52, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831776.764391, duration=0.343008, service={\x0a\x0a}, history=Da, uid=CUM0KZ3MLUfNB0cl11, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49285/tcp, resp_h=66.196.121.26, resp_p=5050/tcp], orig=[size=41, state=3, num_pkts=1, num_bytes_ip=93, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=3, num_pkts=1, num_bytes_ip=52, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831776.764391, duration=0.343008, service={\x0a\x0a}, history=Da, uid=CUM0KZ3MLUfNB0cl11, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] 1437831800.217854 connection_pending - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49153/tcp, resp_h=17.172.238.21, resp_p=5223/tcp], orig=[size=714, state=3, num_pkts=1, num_bytes_ip=766, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=3, num_pkts=1, num_bytes_ip=52, 
flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.262632, duration=0.147503, service={\x0a\x0a}, history=Da, uid=C37jN32gN3y3AZzyf6, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49153/tcp, resp_h=17.172.238.21, resp_p=5223/tcp], orig=[size=714, state=3, num_pkts=1, num_bytes_ip=766, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=3, num_pkts=1, num_bytes_ip=52, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.262632, duration=0.147503, service={\x0a\x0a}, history=Da, uid=C37jN32gN3y3AZzyf6, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] 1437831800.217854 connection_state_remove - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49153/tcp, resp_h=17.172.238.21, resp_p=5223/tcp], orig=[size=714, state=3, num_pkts=1, num_bytes_ip=766, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=3, num_pkts=1, num_bytes_ip=52, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.262632, duration=0.147503, service={\x0a\x0a}, history=Da, uid=C37jN32gN3y3AZzyf6, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, 
smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49153/tcp, resp_h=17.172.238.21, resp_p=5223/tcp], orig=[size=714, state=3, num_pkts=1, num_bytes_ip=766, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=3, num_pkts=1, num_bytes_ip=52, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.262632, duration=0.147503, service={\x0a\x0a}, history=Da, uid=C37jN32gN3y3AZzyf6, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] 1437831800.217854 connection_pending - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=17, num_bytes_ip=1865, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=162, state=4, num_pkts=10, num_bytes_ip=690, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.05732, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.914113, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=2, helo=[192.168.133.100], mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], 
smtp_state=[helo=[192.168.133.100], messages_transferred=1, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=17, num_bytes_ip=1865, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=162, state=4, num_pkts=10, num_bytes_ip=690, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.05732, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.914113, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=2, helo=[192.168.133.100], mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=1, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] 1437831800.217854 connection_state_remove - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=17, num_bytes_ip=1865, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=162, state=4, num_pkts=10, num_bytes_ip=690, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.05732, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, 
dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.914113, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=2, helo=[192.168.133.100], mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=1, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=17, num_bytes_ip=1865, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=162, state=4, num_pkts=10, num_bytes_ip=690, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.05732, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.914113, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=2, helo=[192.168.133.100], mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=1, 
pending_messages=, mime_depth=1], socks=, ssh=, syslog=] 1437831800.217854 connection_pending - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49336/tcp, resp_h=74.125.71.189, resp_p=443/tcp], orig=[size=0, state=3, num_pkts=3, num_bytes_ip=156, flow_label=0, l2_addr=cc:b2:55:f4:62:92], resp=[size=85, state=3, num_pkts=3, num_bytes_ip=411, flow_label=0, l2_addr=58:b0:35:86:54:8d], start_time=1437831798.533593, duration=0.000221, service={\x0a\x0a}, history=^dA, uid=CP5puj4I8PtEU4qzYg, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49336/tcp, resp_h=74.125.71.189, resp_p=443/tcp], orig=[size=0, state=3, num_pkts=3, num_bytes_ip=156, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=85, state=3, num_pkts=3, num_bytes_ip=411, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831798.533593, duration=0.000221, service={\x0a\x0a}, history=^dA, uid=CP5puj4I8PtEU4qzYg, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] 1437831800.217854 connection_state_remove - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49336/tcp, resp_h=74.125.71.189, resp_p=443/tcp], orig=[size=0, state=3, num_pkts=3, num_bytes_ip=156, flow_label=0, l2_addr=cc:b2:55:f4:62:92], resp=[size=85, state=3, num_pkts=3, num_bytes_ip=411, flow_label=0, l2_addr=58:b0:35:86:54:8d], start_time=1437831798.533593, duration=0.000221, 
service={\x0a\x0a}, history=^dA, uid=CP5puj4I8PtEU4qzYg, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49336/tcp, resp_h=74.125.71.189, resp_p=443/tcp], orig=[size=0, state=3, num_pkts=3, num_bytes_ip=156, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=85, state=3, num_pkts=3, num_bytes_ip=411, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831798.533593, duration=0.000221, service={\x0a\x0a}, history=^dA, uid=CP5puj4I8PtEU4qzYg, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] 1437831800.217854 connection_pending - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=15, num_bytes_ip=2873, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=3653, state=4, num_pkts=13, num_bytes_ip=4185, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.756702, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, 
curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=, established=T, logged=T, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit 
Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, 
value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=15, num_bytes_ip=2873, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=3653, state=4, num_pkts=13, num_bytes_ip=4185, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.756702, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, 
dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=, established=T, logged=T, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, 
short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification 
Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] 1437831800.217854 
connection_state_remove - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=15, num_bytes_ip=2873, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=3653, state=4, num_pkts=13, num_bytes_ip=4185, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.756702, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=, established=T, logged=T, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, 
exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, 
mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=C=US,ST=California,O=Apple 
Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=15, num_bytes_ip=2873, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=3653, state=4, num_pkts=13, num_bytes_ip=4185, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=1437831799.461152, duration=0.756702, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=1437831799.611764, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, server_appdata=0, client_appdata=F, last_alert=, next_protocol=, analyzer_id=, established=T, logged=T, delay_tokens=, cert_chain=[[ts=1437831799.764576, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-user-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=, x509=[ts=1437831799.764576, id=F1vce92FT1oRjKI328, 
certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], 
san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=, extracted_cutoff=, extracted_size=], [ts=1437831799.764576, fuid=Fxp53s3wA5G3zdEJg8, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aMD5,\x0aSHA1,\x0aX509\x0a}, mime_type=application/x-x509-ca-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1092, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=, x509=[ts=1437831799.764576, id=Fxp53s3wA5G3zdEJg8, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=1402933322.0, not_valid_after=1653061322.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate 
Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a CPS: http://www.geotrust.com/resources/cps\x0a]], san=, basic_constraints=[ca=T, path_len=0]], extracted=, extracted_cutoff=, extracted_size=]], cert_chain_fuids=[F1vce92FT1oRjKI328, Fxp53s3wA5G3zdEJg8], client_cert_chain=[], client_cert_chain_fuids=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] 1437831800.217854 bro_done 1437831800.217854 ChecksumOffloading::check diff --git a/testing/btest/Baseline/scripts.policy.misc.dump-events/smtp-events.log b/testing/btest/Baseline/scripts.policy.misc.dump-events/smtp-events.log index ee7ec709a2..1f69e86325 100644 --- a/testing/btest/Baseline/scripts.policy.misc.dump-events/smtp-events.log +++ b/testing/btest/Baseline/scripts.policy.misc.dump-events/smtp-events.log 
@@ -1,5 +1,5 @@ 1254722768.219663 smtp_reply - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=181, state=4, num_pkts=1, num_bytes_ip=48, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=0.690617, service={\x0a\x0a}, history=ShAd, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=181, state=4, num_pkts=1, num_bytes_ip=48, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=0.690617, service={\x0a\x0a}, history=ShAd, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] [1] is_orig: bool = F [2] code: count = 220 [3] cmd: string = 
> @@ -7,7 +7,7 @@ [5] cont_resp: bool = T 1254722768.219663 smtp_reply - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=181, state=4, num_pkts=1, num_bytes_ip=48, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=0.690617, service={\x0a\x0a}, history=ShAd, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=, mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=220 xc90.websitewelcome.com ESMTP Exim 4.69 #1 Mon, 05 Oct 2009 01:05:54 -0500 , path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=181, state=4, num_pkts=1, num_bytes_ip=48, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=0.690617, service={\x0a\x0a}, history=ShAd, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, 
mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=, mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=220 xc90.websitewelcome.com ESMTP Exim 4.69 #1 Mon, 05 Oct 2009 01:05:54 -0500 , path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = F [2] code: count = 220 [3] cmd: string = 
> @@ -15,7 +15,7 @@ [5] cont_resp: bool = T 1254722768.219663 smtp_reply - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=181, state=4, num_pkts=1, num_bytes_ip=48, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=0.690617, service={\x0a\x0a}, history=ShAd, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=, mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=220 We do not authorize the use of this system to transport unsolicited, , path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=181, state=4, num_pkts=1, num_bytes_ip=48, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=0.690617, service={\x0a\x0a}, history=ShAd, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, 
mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=, mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=220 We do not authorize the use of this system to transport unsolicited, , path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = F [2] code: count = 220 [3] cmd: string = 
> @@ -23,13 +23,13 @@ [5] cont_resp: bool = F 1254722768.224809 smtp_request - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=181, state=4, num_pkts=2, num_bytes_ip=269, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=0.695763, service={\x0aSMTP\x0a}, history=ShAdD, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=, mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=220 and/or bulk e-mail., path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=181, state=4, num_pkts=2, num_bytes_ip=269, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=0.695763, service={\x0aSMTP\x0a}, history=ShAdD, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, 
rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=, mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=220 and/or bulk e-mail., path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = T [2] command: string = EHLO [3] arg: string = GP 1254722768.566183 smtp_reply - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=1.037137, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=220 and/or bulk e-mail., path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, 
orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=1.037137, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=220 and/or bulk e-mail., path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = F [2] code: count = 250 [3] cmd: string = EHLO 
@@ -37,7 +37,7 @@ [5] cont_resp: bool = T 1254722768.566183 smtp_reply - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=1.037137, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 xc90.websitewelcome.com Hello GP [122.162.143.157], path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=1.037137, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, 
mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 xc90.websitewelcome.com Hello GP [122.162.143.157], path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = F [2] code: count = 250 [3] cmd: string = EHLO 
@@ -45,7 +45,7 @@ [5] cont_resp: bool = T 1254722768.566183 smtp_reply - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=1.037137, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 SIZE 52428800, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=1.037137, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, 
rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 SIZE 52428800, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = F [2] code: count = 250 [3] cmd: string = EHLO 
@@ -53,7 +53,7 @@ [5] cont_resp: bool = T 1254722768.566183 smtp_reply - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=1.037137, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 PIPELINING, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=1.037137, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, 
rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 PIPELINING, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = F [2] code: count = 250 [3] cmd: string = EHLO 
@@ -61,7 +61,7 @@ [5] cont_resp: bool = T 1254722768.566183 smtp_reply - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=1.037137, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 AUTH PLAIN LOGIN, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=1.037137, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, 
rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 AUTH PLAIN LOGIN, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = F [2] code: count = 250 [3] cmd: string = EHLO 
@@ -69,7 +69,7 @@ [5] cont_resp: bool = T 1254722768.566183 smtp_reply - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=1.037137, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 STARTTLS, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=318, state=4, num_pkts=3, num_bytes_ip=309, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=1.037137, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, 
rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 STARTTLS, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = F [2] code: count = 250 [3] cmd: string = EHLO 
@@ -77,13 +77,13 @@ [5] cont_resp: bool = F 1254722768.568729 smtp_request - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=21, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=318, state=4, num_pkts=4, num_bytes_ip=486, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=1.039683, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 HELP, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=21, state=4, num_pkts=3, num_bytes_ip=137, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=318, state=4, num_pkts=4, num_bytes_ip=486, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=1.039683, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, 
rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 HELP, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = T [2] command: string = AUTH [3] arg: string = LOGIN 1254722768.911081 smtp_reply - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=21, state=4, num_pkts=4, num_bytes_ip=189, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=336, state=4, num_pkts=4, num_bytes_ip=486, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=1.382035, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 HELP, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, 
resp_p=25/tcp], orig=[size=21, state=4, num_pkts=4, num_bytes_ip=189, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=336, state=4, num_pkts=4, num_bytes_ip=486, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=1.382035, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 HELP, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = F [2] code: count = 334 [3] cmd: string = AUTH 
@@ -91,13 +91,13 @@ [5] cont_resp: bool = F 1254722768.911655 smtp_request - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=51, state=4, num_pkts=4, num_bytes_ip=189, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=336, state=4, num_pkts=5, num_bytes_ip=544, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=1.382609, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=334 VXNlcm5hbWU6, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=51, state=4, num_pkts=4, num_bytes_ip=189, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=336, state=4, num_pkts=5, num_bytes_ip=544, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=1.382609, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, 
rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=334 VXNlcm5hbWU6, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = T [2] command: string = ** [3] arg: string = Z3VycGFydGFwQHBhdHJpb3RzLmlu 1254722769.253544 smtp_reply - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=51, state=4, num_pkts=5, num_bytes_ip=259, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=354, state=4, num_pkts=5, num_bytes_ip=544, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=1.724498, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=334 VXNlcm5hbWU6, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, 
orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=51, state=4, num_pkts=5, num_bytes_ip=259, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=354, state=4, num_pkts=5, num_bytes_ip=544, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=1.724498, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=334 VXNlcm5hbWU6, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = F [2] code: count = 334 [3] cmd: string = AUTH_ANSWER 
@@ -105,13 +105,13 @@ [5] cont_resp: bool = F 1254722769.254118 smtp_request - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=69, state=4, num_pkts=5, num_bytes_ip=259, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=354, state=4, num_pkts=6, num_bytes_ip=602, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=1.725072, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=334 UGFzc3dvcmQ6, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=69, state=4, num_pkts=5, num_bytes_ip=259, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=354, state=4, num_pkts=6, num_bytes_ip=602, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=1.725072, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, 
radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=334 UGFzc3dvcmQ6, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = T [2] command: string = ** [3] arg: string = cHVuamFiQDEyMw== 1254722769.613798 smtp_reply - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=69, state=4, num_pkts=6, num_bytes_ip=317, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=384, state=4, num_pkts=6, num_bytes_ip=602, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=2.084752, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=334 UGFzc3dvcmQ6, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, 
orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=69, state=4, num_pkts=6, num_bytes_ip=317, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=384, state=4, num_pkts=6, num_bytes_ip=602, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=2.084752, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=334 UGFzc3dvcmQ6, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = F [2] code: count = 235 [3] cmd: string = AUTH_ANSWER 
@@ -119,13 +119,13 @@ [5] cont_resp: bool = F 1254722769.614414 smtp_request - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=105, state=4, num_pkts=6, num_bytes_ip=317, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=384, state=4, num_pkts=7, num_bytes_ip=672, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=2.085368, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=235 Authentication succeeded, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=105, state=4, num_pkts=6, num_bytes_ip=317, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=384, state=4, num_pkts=7, num_bytes_ip=672, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=2.085368, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, 
ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=235 Authentication succeeded, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = T [2] command: string = MAIL [3] arg: string = FROM: 1254722769.956765 smtp_reply - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=105, state=4, num_pkts=7, num_bytes_ip=393, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=392, state=4, num_pkts=7, num_bytes_ip=672, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=2.427719, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=235 Authentication succeeded, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + 
[0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=105, state=4, num_pkts=7, num_bytes_ip=393, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=392, state=4, num_pkts=7, num_bytes_ip=672, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=2.427719, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=235 Authentication succeeded, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = F [2] code: count = 250 [3] cmd: string = MAIL 
@@ -133,13 +133,13 @@ [5] cont_resp: bool = F 1254722769.957250 smtp_request - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=144, state=4, num_pkts=7, num_bytes_ip=393, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=392, state=4, num_pkts=8, num_bytes_ip=720, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=2.428204, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 OK, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=144, state=4, num_pkts=7, num_bytes_ip=393, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=392, state=4, num_pkts=8, num_bytes_ip=720, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=2.428204, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, 
ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 OK, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = T [2] command: string = RCPT [3] arg: string = TO: 1254722770.319708 smtp_reply - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=144, state=4, num_pkts=8, num_bytes_ip=472, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=406, state=4, num_pkts=8, num_bytes_ip=720, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=2.790662, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 OK, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, 
syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=144, state=4, num_pkts=8, num_bytes_ip=472, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=406, state=4, num_pkts=8, num_bytes_ip=720, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=2.790662, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 OK, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = F [2] code: count = 250 [3] cmd: string = RCPT 
@@ -147,13 +147,13 @@ [5] cont_resp: bool = F 1254722770.320203 smtp_request - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=150, state=4, num_pkts=8, num_bytes_ip=472, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=406, state=4, num_pkts=9, num_bytes_ip=774, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=2.791157, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 Accepted, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=150, state=4, num_pkts=8, num_bytes_ip=472, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=406, state=4, num_pkts=9, num_bytes_ip=774, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=2.791157, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, 
irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 Accepted, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = T [2] command: string = DATA [3] arg: string = 1254722770.661679 smtp_reply - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=150, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=9, num_bytes_ip=774, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.132633, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 Accepted, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], 
fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=150, state=4, num_pkts=9, num_bytes_ip=518, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=9, num_bytes_ip=774, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=3.132633, service={\x0aSMTP\x0a}, history=ShAdDa, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 Accepted, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] [1] is_orig: bool = F [2] code: count = 354 [3] cmd: string = DATA 
@@ -161,13 +161,13 @@ [5] cont_resp: bool = F 1254722771.858334 smtp_request - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=4.329288, service={\x0aSMTP\x0a}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=23, num_bytes_ip=21438, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=462, state=4, num_pkts=15, num_bytes_ip=1070, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=4.329288, service={\x0aSMTP\x0a}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] [1] is_orig: bool = T [2] command: string = . [3] arg: string = . 
1254722772.248789 smtp_reply - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=24, num_bytes_ip=21507, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=490, state=4, num_pkts=21, num_bytes_ip=1310, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=4.719743, service={\x0aSMTP\x0a}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." 
on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14699, state=4, num_pkts=24, num_bytes_ip=21507, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=490, state=4, num_pkts=21, num_bytes_ip=1310, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=4.719743, service={\x0aSMTP\x0a}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722768.219663, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=GP, mailfrom=gurpartap@patriots.in, rcptto={\x0araj_deol2002in@yahoo.co.in\x0a}, date=Mon, 5 Oct 2009 11:36:07 +0530, from="Gurpartap Singh" , to={\x0a\x0a}, cc=, reply_to=, msg_id=<000301ca4581$ef9e57f0$cedb07d0$@in>, in_reply_to=, subject=SMTP, x_originating_ip=, first_received=, second_received=, last_reply=354 Enter message, ending with "." on a line by itself, path=[74.53.140.153, 10.10.1.4], user_agent=Microsoft Office Outlook 12.0, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[Fel9gs4OtNEV6gUJZ5, Ft4M3f2yMvLlmwtbq9, FL9Y0d45OI4LpS6fmh]], smtp_state=[helo=GP, messages_transferred=0, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] [1] is_orig: bool = F [2] code: count = 250 [3] cmd: string = . 
@@ -175,13 +175,13 @@ [5] cont_resp: bool = F 1254722774.763825 smtp_request - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14705, state=4, num_pkts=25, num_bytes_ip=21547, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=490, state=4, num_pkts=22, num_bytes_ip=1378, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=7.234779, service={\x0aSMTP\x0a}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722772.248789, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=2, helo=GP, mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=1, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14705, state=4, num_pkts=25, num_bytes_ip=21547, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=490, state=4, num_pkts=22, num_bytes_ip=1378, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=7.234779, service={\x0aSMTP\x0a}, history=ShAdDaT, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, 
radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722772.248789, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=2, helo=GP, mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=1, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] [1] is_orig: bool = T [2] command: string = QUIT [3] arg: string = 1254722775.105467 smtp_reply - [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=14705, state=5, num_pkts=27, num_bytes_ip=21633, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=538, state=4, num_pkts=22, num_bytes_ip=1378, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=7.576421, service={\x0aSMTP\x0a}, history=ShAdDaTF, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722772.248789, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=2, helo=GP, mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=1, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, 
resp_p=25/tcp], orig=[size=14705, state=5, num_pkts=27, num_bytes_ip=21633, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=538, state=4, num_pkts=22, num_bytes_ip=1378, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=1254722767.529046, duration=7.576421, service={\x0aSMTP\x0a}, history=ShAdDaTF, uid=ClEkJM2Vm5giqnMf4h, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1254722772.248789, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=2, helo=GP, mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=, path=[74.53.140.153, 10.10.1.4], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=GP, messages_transferred=1, pending_messages=, mime_depth=5], socks=, ssh=, syslog=] [1] is_orig: bool = F [2] code: count = 221 [3] cmd: string = QUIT 
@@ -189,7 +189,7 @@ [5] cont_resp: bool = F 1437831787.867142 smtp_reply - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=35, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.010247, service={\x0a\x0a}, history=ShAd, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=0, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=35, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.010247, service={\x0a\x0a}, history=ShAd, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=] [1] is_orig: bool = F [2] code: count = 220 [3] cmd: string = 
> @@ -197,13 +197,13 @@ [5] cont_resp: bool = F 1437831787.883306 smtp_request - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=24, state=4, num_pkts=3, num_bytes_ip=168, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=35, state=4, num_pkts=2, num_bytes_ip=147, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.026411, service={\x0aSMTP\x0a}, history=ShAdD, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=, mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=220 uprise ESMTP SubEthaSMTP null, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=24, state=4, num_pkts=3, num_bytes_ip=168, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=35, state=4, num_pkts=2, num_bytes_ip=147, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.026411, service={\x0aSMTP\x0a}, history=ShAdD, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, 
modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=, mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=220 uprise ESMTP SubEthaSMTP null, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=, messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = T [2] command: string = EHLO [3] arg: string = [192.168.133.100] 1437831787.886281 smtp_reply - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=24, state=4, num_pkts=4, num_bytes_ip=244, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=85, state=4, num_pkts=3, num_bytes_ip=199, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.029386, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=220 uprise ESMTP SubEthaSMTP null, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], 
smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=24, state=4, num_pkts=4, num_bytes_ip=244, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=85, state=4, num_pkts=3, num_bytes_ip=199, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.029386, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=220 uprise ESMTP SubEthaSMTP null, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = F [2] code: count = 250 [3] cmd: string = EHLO 
@@ -211,7 +211,7 @@ [5] cont_resp: bool = T 1437831787.886281 smtp_reply - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=24, state=4, num_pkts=4, num_bytes_ip=244, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=85, state=4, num_pkts=3, num_bytes_ip=199, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.029386, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 uprise, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=24, state=4, num_pkts=4, num_bytes_ip=244, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=85, state=4, num_pkts=3, num_bytes_ip=199, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.029386, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, 
krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 uprise, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = F [2] code: count = 250 [3] cmd: string = EHLO 
@@ -219,7 +219,7 @@ [5] cont_resp: bool = T 1437831787.886281 smtp_reply - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=24, state=4, num_pkts=4, num_bytes_ip=244, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=85, state=4, num_pkts=3, num_bytes_ip=199, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.029386, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 8BITMIME, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=24, state=4, num_pkts=4, num_bytes_ip=244, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=85, state=4, num_pkts=3, num_bytes_ip=199, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.029386, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, 
krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 8BITMIME, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = F [2] code: count = 250 [3] cmd: string = EHLO 
@@ -227,7 +227,7 @@ [5] cont_resp: bool = T 1437831787.886281 smtp_reply - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=24, state=4, num_pkts=4, num_bytes_ip=244, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=85, state=4, num_pkts=3, num_bytes_ip=199, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.029386, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 AUTH LOGIN, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=24, state=4, num_pkts=4, num_bytes_ip=244, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=85, state=4, num_pkts=3, num_bytes_ip=199, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.029386, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, 
irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 AUTH LOGIN, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = F [2] code: count = 250 [3] cmd: string = EHLO 
@@ -235,13 +235,13 @@ [5] cont_resp: bool = F 1437831787.887031 smtp_request - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=56, state=4, num_pkts=5, num_bytes_ip=296, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=85, state=4, num_pkts=4, num_bytes_ip=301, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.030136, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=56, state=4, num_pkts=5, num_bytes_ip=296, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=85, state=4, num_pkts=4, num_bytes_ip=301, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.030136, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, 
krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=F, entity=, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = T [2] command: string = MAIL [3] arg: string = FROM: 1437831787.889785 smtp_reply - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=56, state=4, num_pkts=6, num_bytes_ip=380, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=93, state=4, num_pkts=4, num_bytes_ip=301, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.03289, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[]], smtp_state=[helo=[192.168.133.100], 
messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=56, state=4, num_pkts=6, num_bytes_ip=380, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=93, state=4, num_pkts=4, num_bytes_ip=301, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.03289, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = F [2] code: count = 250 [3] cmd: string = MAIL 
@@ -249,13 +249,13 @@ [5] cont_resp: bool = F 1437831787.890232 smtp_request - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=88, state=4, num_pkts=7, num_bytes_ip=432, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=93, state=4, num_pkts=5, num_bytes_ip=361, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.033337, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=88, state=4, num_pkts=7, num_bytes_ip=432, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=93, state=4, num_pkts=5, num_bytes_ip=361, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.033337, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, 
http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto=, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = T [2] command: string = RCPT [3] arg: string = TO: 1437831787.892986 smtp_reply - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=88, state=4, num_pkts=8, num_bytes_ip=516, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=101, state=4, num_pkts=5, num_bytes_ip=361, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.036091, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0aericlim220@yahoo.com\x0a}, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, 
has_client_activity=T, entity=, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=88, state=4, num_pkts=8, num_bytes_ip=516, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=101, state=4, num_pkts=5, num_bytes_ip=361, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.036091, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0aericlim220@yahoo.com\x0a}, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = F [2] code: count = 250 [3] cmd: string = RCPT 
@@ -263,13 +263,13 @@ [5] cont_resp: bool = F 1437831787.893587 smtp_request - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=121, state=4, num_pkts=9, num_bytes_ip=568, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=101, state=4, num_pkts=6, num_bytes_ip=421, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.036692, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0aericlim220@yahoo.com\x0a}, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=121, state=4, num_pkts=9, num_bytes_ip=568, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=101, state=4, num_pkts=6, num_bytes_ip=421, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.036692, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, 
ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0aericlim220@yahoo.com\x0a}, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = T [2] command: string = RCPT [3] arg: string = TO: 1437831787.897624 smtp_reply - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=121, state=4, num_pkts=10, num_bytes_ip=653, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=109, state=4, num_pkts=6, num_bytes_ip=421, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.040729, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 Ok, 
path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=121, state=4, num_pkts=10, num_bytes_ip=653, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=109, state=4, num_pkts=6, num_bytes_ip=421, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.040729, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = F [2] code: count = 250 [3] cmd: string = RCPT 
@@ -277,13 +277,13 @@ [5] cont_resp: bool = F 1437831787.898413 smtp_request - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=156, state=4, num_pkts=11, num_bytes_ip=705, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=109, state=4, num_pkts=7, num_bytes_ip=481, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.041518, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=156, state=4, num_pkts=11, num_bytes_ip=705, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=109, state=4, num_pkts=7, num_bytes_ip=481, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.041518, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, 
dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = T [2] command: string = RCPT [3] arg: string = TO: 1437831787.901069 smtp_reply - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=156, state=4, num_pkts=12, num_bytes_ip=792, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=117, state=4, num_pkts=7, num_bytes_ip=481, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.044174, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, 
x_originating_ip=, first_received=, second_received=, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=156, state=4, num_pkts=12, num_bytes_ip=792, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=117, state=4, num_pkts=7, num_bytes_ip=481, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.044174, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = F [2] code: count = 250 [3] cmd: string = RCPT 
@@ -291,13 +291,13 @@ [5] cont_resp: bool = F 1437831787.901697 smtp_request - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=162, state=4, num_pkts=13, num_bytes_ip=844, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=117, state=4, num_pkts=8, num_bytes_ip=541, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.044802, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=162, state=4, num_pkts=13, num_bytes_ip=844, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=117, state=4, num_pkts=8, num_bytes_ip=541, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.044802, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, 
dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=0], socks=, ssh=, syslog=] [1] is_orig: bool = T [2] command: string = DATA [3] arg: string = 1437831787.904758 smtp_reply - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=162, state=4, num_pkts=14, num_bytes_ip=902, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=8, num_bytes_ip=541, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.047863, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=, from=, to=, 
cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=162, state=4, num_pkts=14, num_bytes_ip=902, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=8, num_bytes_ip=541, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.047863, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=, from=, to=, cc=, reply_to=, msg_id=, in_reply_to=, subject=, x_originating_ip=, first_received=, second_received=, last_reply=250 Ok, path=[192.168.133.102, 192.168.133.100], user_agent=, tls=F, process_received_from=T, has_client_activity=T, entity=[filename=], fuids=[]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] [1] is_orig: bool = F [2] code: count = 354 [3] cmd: string = DATA 
@@ -305,13 +305,13 @@ [5] cont_resp: bool = F 1437831787.905375 smtp_request - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits , to={\x0aericlim220@yahoo.com\x0a}, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a}, reply_to=, msg_id=, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=, first_received=, second_received=, last_reply=354 End data with ., path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[FKX8fw2lEHCTK8syM3]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=15, num_bytes_ip=954, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=154, state=4, num_pkts=9, num_bytes_ip=630, 
flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.04848, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits , to={\x0aericlim220@yahoo.com\x0a}, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a}, reply_to=, msg_id=, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=, first_received=, second_received=, last_reply=354 End data with ., path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[FKX8fw2lEHCTK8syM3]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] [1] is_orig: bool = T [2] command: string = . [3] arg: string = . 
1437831787.914113 smtp_reply - [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=16, num_bytes_ip=1813, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=162, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=1437831787.856895, duration=0.057218, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits , to={\x0aericlim220@yahoo.com\x0a}, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a}, reply_to=, msg_id=, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=, first_received=, second_received=, last_reply=354 End data with ., path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[FKX8fw2lEHCTK8syM3]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] + [0] c: connection = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=969, state=4, num_pkts=16, num_bytes_ip=1813, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=162, state=4, num_pkts=9, num_bytes_ip=630, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], 
start_time=1437831787.856895, duration=0.057218, service={\x0aSMTP\x0a}, history=ShAdDa, uid=CmES5u32sYpV7JYN, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, smb_state=, ntlm=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smtp=[ts=1437831787.867142, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=[192.168.133.100], mailfrom=albert@example.com, rcptto={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com,\x0aericlim220@yahoo.com\x0a}, date=Sat, 25 Jul 2015 16:43:07 +0300, from=Albert Zaharovits , to={\x0aericlim220@yahoo.com\x0a}, cc={\x0adavis_mark1@outlook.com,\x0afelica4uu@hotmail.com\x0a}, reply_to=, msg_id=, in_reply_to=<9ACEE03C-AB98-4046-AEC1-BF4910C61E96@example.com>, subject=Re: Bro SMTP CC Header, x_originating_ip=, first_received=, second_received=, last_reply=354 End data with ., path=[192.168.133.102, 192.168.133.100], user_agent=Apple Mail (2.2102), tls=F, process_received_from=T, has_client_activity=T, entity=, fuids=[FKX8fw2lEHCTK8syM3]], smtp_state=[helo=[192.168.133.100], messages_transferred=0, pending_messages=, mime_depth=1], socks=, ssh=, syslog=] [1] is_orig: bool = F [2] code: count = 250 [3] cmd: string = . diff --git a/testing/btest/Baseline/scripts.policy.protocols.conn.mac-logging/conn1.log b/testing/btest/Baseline/scripts.policy.protocols.conn.mac-logging/conn1.log index fc07453119..3d415916f2 100644 --- a/testing/btest/Baseline/scripts.policy.protocols.conn.mac-logging/conn1.log +++ b/testing/btest/Baseline/scripts.policy.protocols.conn.mac-logging/conn1.log 
@@ -3,41 +3,41 @@ #empty_field (empty) #unset_field - #path conn -#open 2016-07-13-16-17-25 +#open 2018-01-12-21-44-59 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents orig_l2_addr resp_l2_addr #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] string string -1300475169.780331 C3eiCBGOLw3VtHfOj 173.192.163.128 80 141.142.220.235 6705 tcp - - - - OTH - - 0 H 1 48 0 0 (empty) 00:13:7f:be:8c:ff 00:e0:db:01:cf:4b -1300475168.892913 CmES5u32sYpV7JYN 141.142.220.118 49999 208.80.152.3 80 tcp - 0.220961 1137 733 S1 - - 0 ShADad 6 1457 4 949 (empty) 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff -1300475168.724007 CHhAvVGS1DHFjwGM9 141.142.220.118 48649 208.80.152.118 80 tcp - 0.119905 525 232 S1 - - 0 ShADad 4 741 3 396 (empty) 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff -1300475168.855330 ClEkJM2Vm5giqnMf4h 141.142.220.118 49997 208.80.152.3 80 tcp - 0.219720 1125 734 S1 - - 0 ShADad 6 1445 4 950 (empty) 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff -1300475168.855305 C4J4Th3PJpwUYZZ6gc 141.142.220.118 49996 208.80.152.3 80 tcp - 0.218501 1171 733 S1 - - 0 ShADad 6 1491 4 949 (empty) 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff -1300475168.652003 CwjjYJ2WqgTbAqiHl6 141.142.220.118 35634 208.80.152.2 80 tcp - 0.061329 463 350 OTH - - 0 DdA 2 567 1 402 (empty) 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff -1300475168.902635 C37jN32gN3y3AZzyf6 141.142.220.118 35642 208.80.152.2 80 tcp - 0.120041 534 412 S1 - - 0 ShADad 4 750 3 576 (empty) 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff -1300475168.859163 CtPZjS20MLrsMUOJi2 141.142.220.118 49998 208.80.152.3 80 tcp - 0.215893 1130 734 S1 - - 0 ShADad 6 1450 4 950 (empty) 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff -1300475168.892936 CUM0KZ3MLUfNB0cl11 141.142.220.118 50000 208.80.152.3 80 tcp - 0.229603 1148 734 S1 - - 0 ShADad 6 1468 4 950 
(empty) 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff -1300475168.895267 CP5puj4I8PtEU4qzYg 141.142.220.118 50001 208.80.152.3 80 tcp - 0.227284 1178 734 S1 - - 0 ShADad 6 1498 4 950 (empty) 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff -1300475168.853899 C0LAHyvtKSQHyJxIl 141.142.220.118 43927 141.142.2.2 53 udp - 0.000435 38 89 SF - - 0 Dd 1 66 1 117 (empty) 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff -1300475168.901749 CFLRIC3zaTU1loLGxh 141.142.220.118 56056 141.142.2.2 53 udp - 0.000402 36 131 SF - - 0 Dd 1 64 1 159 (empty) 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff -1300475168.902195 C9rXSW3KSpTYvPrlI1 141.142.220.118 55092 141.142.2.2 53 udp - 0.000374 36 198 SF - - 0 Dd 1 64 1 226 (empty) 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff -1300475168.858713 Ck51lg1bScffFj34Ri 141.142.220.118 59714 141.142.2.2 53 udp - 0.000375 38 183 SF - - 0 Dd 1 66 1 211 (empty) 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff -1300475167.099816 C9mvWx3ezztgzcexV7 141.142.220.50 5353 224.0.0.251 5353 udp - - - - S0 - - 0 D 1 179 0 0 (empty) 00:17:f2:d7:cf:65 01:00:5e:00:00:fb -1300475168.854837 CNnMIj2QSd84NKf7U3 141.142.220.118 40526 141.142.2.2 53 udp - 0.000392 38 183 SF - - 0 Dd 1 66 1 211 (empty) 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff -1300475168.894787 C7fIlMZDuRiqjpYbb 141.142.220.118 48128 141.142.2.2 53 udp - 0.000423 38 183 SF - - 0 Dd 1 66 1 211 (empty) 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff -1300475168.894422 CykQaM33ztNt0csB9a 141.142.220.118 48479 141.142.2.2 53 udp - 0.000317 52 99 SF - - 0 Dd 1 80 1 127 (empty) 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff -1300475169.899438 CtxTCR2Yer0FR1tIBg 141.142.220.44 5353 224.0.0.251 5353 udp - - - - S0 - - 0 D 1 85 0 0 (empty) 00:16:76:23:d9:e3 01:00:5e:00:00:fb -1300475170.862384 CpmdRlaUoJLN3uIRa 141.142.220.226 137 141.142.220.255 137 udp - 2.613017 350 0 S0 - - 0 D 7 546 0 0 (empty) f0:4d:a2:47:ba:25 ff:ff:ff:ff:ff:ff -1300475168.892414 C1Xkzz2MaGtLrc1Tla 141.142.220.118 59746 141.142.2.2 53 udp - 0.000421 38 183 SF - - 0 Dd 1 66 1 211 (empty) 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff 
-1300475168.858306 CqlVyW1YwZ15RhTBc4 141.142.220.118 59816 141.142.2.2 53 udp - 0.000343 52 99 SF - - 0 Dd 1 80 1 127 (empty) 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff -1300475167.097012 CLNN1k2QMum1aexUK7 fe80::217:f2ff:fed7:cf65 5353 ff02::fb 5353 udp - - - - S0 - - 0 D 1 199 0 0 (empty) 00:17:f2:d7:cf:65 33:33:00:00:00:fb -1300475173.117362 CBA8792iHmnhPLksKa 141.142.220.226 55671 224.0.0.252 5355 udp - 0.099849 66 0 S0 - - 0 D 2 122 0 0 (empty) f0:4d:a2:47:ba:25 01:00:5e:00:00:fc -1300475173.153679 CGLPPc35OzDQij1XX8 141.142.220.238 56641 141.142.220.255 137 udp - - - - S0 - - 0 D 1 78 0 0 (empty) 00:23:32:b6:0c:46 ff:ff:ff:ff:ff:ff -1300475168.892037 CiyBAq1bBLNaTiTAc 141.142.220.118 38911 141.142.2.2 53 udp - 0.000335 52 99 SF - - 0 Dd 1 80 1 127 (empty) 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff -1300475171.675372 CFSwNi4CNGxcuffo49 fe80::3074:17d5:2052:c324 65373 ff02::1:3 5355 udp - 0.100096 66 0 S0 - - 0 D 2 162 0 0 (empty) f0:4d:a2:47:ba:25 33:33:00:01:00:03 -1300475167.096535 Cipfzj1BEnhejw8cGf 141.142.220.202 5353 224.0.0.251 5353 udp - - - - S0 - - 0 D 1 73 0 0 (empty) 00:30:48:bd:3e:c4 01:00:5e:00:00:fb -1300475168.854378 CV5WJ42jPYbNW9JNWf 141.142.220.118 37676 141.142.2.2 53 udp - 0.000420 52 99 SF - - 0 Dd 1 80 1 127 (empty) 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff -1300475171.677081 CPhDKt12KQPUVbQz06 141.142.220.226 55131 224.0.0.252 5355 udp - 0.100021 66 0 S0 - - 0 D 2 122 0 0 (empty) f0:4d:a2:47:ba:25 01:00:5e:00:00:fc -1300475173.116749 CAnFrb2Cvxr5T7quOc fe80::3074:17d5:2052:c324 54213 ff02::1:3 5355 udp - 0.099801 66 0 S0 - - 0 D 2 162 0 0 (empty) f0:4d:a2:47:ba:25 33:33:00:01:00:03 -1300475168.893988 C8rquZ3DjgNW06JGLl 141.142.220.118 45000 141.142.2.2 53 udp - 0.000384 38 89 SF - - 0 Dd 1 66 1 117 (empty) 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff -1300475168.857956 CzrZOtXqhwwndQva3 141.142.220.118 32902 141.142.2.2 53 udp - 0.000317 38 89 SF - - 0 Dd 1 66 1 117 (empty) 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff -1300475168.891644 CaGCc13FffXe6RkQl9 141.142.220.118 
58206 141.142.2.2 53 udp - 0.000339 38 89 SF - - 0 Dd 1 66 1 117 (empty) 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff -#close 2016-07-13-16-17-25 +1300475169.780331 C3eiCBGOLw3VtHfOj 173.192.163.128 80 141.142.220.235 6705 tcp - - - - OTH - - 0 H 1 48 0 0 - 00:13:7f:be:8c:ff 00:e0:db:01:cf:4b +1300475168.892913 CmES5u32sYpV7JYN 141.142.220.118 49999 208.80.152.3 80 tcp - 0.220961 1137 733 S1 - - 0 ShADad 6 1457 4 949 - 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff +1300475168.724007 CHhAvVGS1DHFjwGM9 141.142.220.118 48649 208.80.152.118 80 tcp - 0.119905 525 232 S1 - - 0 ShADad 4 741 3 396 - 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff +1300475168.855330 ClEkJM2Vm5giqnMf4h 141.142.220.118 49997 208.80.152.3 80 tcp - 0.219720 1125 734 S1 - - 0 ShADad 6 1445 4 950 - 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff +1300475168.855305 C4J4Th3PJpwUYZZ6gc 141.142.220.118 49996 208.80.152.3 80 tcp - 0.218501 1171 733 S1 - - 0 ShADad 6 1491 4 949 - 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff +1300475168.652003 CwjjYJ2WqgTbAqiHl6 141.142.220.118 35634 208.80.152.2 80 tcp - 0.061329 463 350 OTH - - 0 DdA 2 567 1 402 - 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff +1300475168.902635 C37jN32gN3y3AZzyf6 141.142.220.118 35642 208.80.152.2 80 tcp - 0.120041 534 412 S1 - - 0 ShADad 4 750 3 576 - 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff +1300475168.859163 CtPZjS20MLrsMUOJi2 141.142.220.118 49998 208.80.152.3 80 tcp - 0.215893 1130 734 S1 - - 0 ShADad 6 1450 4 950 - 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff +1300475168.892936 CUM0KZ3MLUfNB0cl11 141.142.220.118 50000 208.80.152.3 80 tcp - 0.229603 1148 734 S1 - - 0 ShADad 6 1468 4 950 - 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff +1300475168.895267 CP5puj4I8PtEU4qzYg 141.142.220.118 50001 208.80.152.3 80 tcp - 0.227284 1178 734 S1 - - 0 ShADad 6 1498 4 950 - 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff +1300475168.853899 C0LAHyvtKSQHyJxIl 141.142.220.118 43927 141.142.2.2 53 udp - 0.000435 38 89 SF - - 0 Dd 1 66 1 117 - 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff +1300475168.901749 CFLRIC3zaTU1loLGxh 141.142.220.118 56056 
141.142.2.2 53 udp - 0.000402 36 131 SF - - 0 Dd 1 64 1 159 - 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff +1300475168.902195 C9rXSW3KSpTYvPrlI1 141.142.220.118 55092 141.142.2.2 53 udp - 0.000374 36 198 SF - - 0 Dd 1 64 1 226 - 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff +1300475168.858713 Ck51lg1bScffFj34Ri 141.142.220.118 59714 141.142.2.2 53 udp - 0.000375 38 183 SF - - 0 Dd 1 66 1 211 - 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff +1300475167.099816 C9mvWx3ezztgzcexV7 141.142.220.50 5353 224.0.0.251 5353 udp - - - - S0 - - 0 D 1 179 0 0 - 00:17:f2:d7:cf:65 01:00:5e:00:00:fb +1300475168.854837 CNnMIj2QSd84NKf7U3 141.142.220.118 40526 141.142.2.2 53 udp - 0.000392 38 183 SF - - 0 Dd 1 66 1 211 - 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff +1300475168.894787 C7fIlMZDuRiqjpYbb 141.142.220.118 48128 141.142.2.2 53 udp - 0.000423 38 183 SF - - 0 Dd 1 66 1 211 - 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff +1300475168.894422 CykQaM33ztNt0csB9a 141.142.220.118 48479 141.142.2.2 53 udp - 0.000317 52 99 SF - - 0 Dd 1 80 1 127 - 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff +1300475169.899438 CtxTCR2Yer0FR1tIBg 141.142.220.44 5353 224.0.0.251 5353 udp - - - - S0 - - 0 D 1 85 0 0 - 00:16:76:23:d9:e3 01:00:5e:00:00:fb +1300475170.862384 CpmdRlaUoJLN3uIRa 141.142.220.226 137 141.142.220.255 137 udp - 2.613017 350 0 S0 - - 0 D 7 546 0 0 - f0:4d:a2:47:ba:25 ff:ff:ff:ff:ff:ff +1300475168.892414 C1Xkzz2MaGtLrc1Tla 141.142.220.118 59746 141.142.2.2 53 udp - 0.000421 38 183 SF - - 0 Dd 1 66 1 211 - 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff +1300475168.858306 CqlVyW1YwZ15RhTBc4 141.142.220.118 59816 141.142.2.2 53 udp - 0.000343 52 99 SF - - 0 Dd 1 80 1 127 - 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff +1300475167.097012 CLNN1k2QMum1aexUK7 fe80::217:f2ff:fed7:cf65 5353 ff02::fb 5353 udp - - - - S0 - - 0 D 1 199 0 0 - 00:17:f2:d7:cf:65 33:33:00:00:00:fb +1300475173.117362 CBA8792iHmnhPLksKa 141.142.220.226 55671 224.0.0.252 5355 udp - 0.099849 66 0 S0 - - 0 D 2 122 0 0 - f0:4d:a2:47:ba:25 01:00:5e:00:00:fc +1300475173.153679 CGLPPc35OzDQij1XX8 
141.142.220.238 56641 141.142.220.255 137 udp - - - - S0 - - 0 D 1 78 0 0 - 00:23:32:b6:0c:46 ff:ff:ff:ff:ff:ff +1300475168.892037 CiyBAq1bBLNaTiTAc 141.142.220.118 38911 141.142.2.2 53 udp - 0.000335 52 99 SF - - 0 Dd 1 80 1 127 - 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff +1300475171.675372 CFSwNi4CNGxcuffo49 fe80::3074:17d5:2052:c324 65373 ff02::1:3 5355 udp - 0.100096 66 0 S0 - - 0 D 2 162 0 0 - f0:4d:a2:47:ba:25 33:33:00:01:00:03 +1300475167.096535 Cipfzj1BEnhejw8cGf 141.142.220.202 5353 224.0.0.251 5353 udp - - - - S0 - - 0 D 1 73 0 0 - 00:30:48:bd:3e:c4 01:00:5e:00:00:fb +1300475168.854378 CV5WJ42jPYbNW9JNWf 141.142.220.118 37676 141.142.2.2 53 udp - 0.000420 52 99 SF - - 0 Dd 1 80 1 127 - 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff +1300475171.677081 CPhDKt12KQPUVbQz06 141.142.220.226 55131 224.0.0.252 5355 udp - 0.100021 66 0 S0 - - 0 D 2 122 0 0 - f0:4d:a2:47:ba:25 01:00:5e:00:00:fc +1300475173.116749 CAnFrb2Cvxr5T7quOc fe80::3074:17d5:2052:c324 54213 ff02::1:3 5355 udp - 0.099801 66 0 S0 - - 0 D 2 162 0 0 - f0:4d:a2:47:ba:25 33:33:00:01:00:03 +1300475168.893988 C8rquZ3DjgNW06JGLl 141.142.220.118 45000 141.142.2.2 53 udp - 0.000384 38 89 SF - - 0 Dd 1 66 1 117 - 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff +1300475168.857956 CzrZOtXqhwwndQva3 141.142.220.118 32902 141.142.2.2 53 udp - 0.000317 38 89 SF - - 0 Dd 1 66 1 117 - 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff +1300475168.891644 CaGCc13FffXe6RkQl9 141.142.220.118 58206 141.142.2.2 53 udp - 0.000339 38 89 SF - - 0 Dd 1 66 1 117 - 00:24:7e:e0:1d:b5 00:13:7f:be:8c:ff +#close 2018-01-12-21-44-59 diff --git a/testing/btest/Baseline/scripts.policy.protocols.conn.mac-logging/conn2.log b/testing/btest/Baseline/scripts.policy.protocols.conn.mac-logging/conn2.log index c4746cbd4b..0cfe1b9e4e 100644 --- a/testing/btest/Baseline/scripts.policy.protocols.conn.mac-logging/conn2.log +++ b/testing/btest/Baseline/scripts.policy.protocols.conn.mac-logging/conn2.log 
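Review bot: The `tunnel_parents` column changes from `(empty)` to `-` on every row of this conn1.log baseline, which per the `#empty_field (empty)` / `#unset_field -` header lines means the field went from an empty set to unset. The conn2.log and conn3.log hunks show the same change. Presumably the field became optional in the script that defines it, but that change is not visible here. Parsers, SIEM field mappings and detections that expect the column to be populated, or that match the literal `(empty)`, will see different output after upgrading. If the release notes do not already cover it, add an entry such as `conn.log: tunnel_parents is now unset ("-") instead of an empty set when a connection has no tunnel parents`.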
@@ -3,9 +3,9 @@ #empty_field (empty) #unset_field - #path conn -#open 2016-07-13-16-17-25 +#open 2018-01-12-21-45-00 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents orig_l2_addr resp_l2_addr #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] string string -1439902891.705224 CHhAvVGS1DHFjwGM9 172.17.156.76 61738 208.67.220.220 53 udp - 0.041654 35 128 SF - - 0 Dd 1 63 1 156 (empty) 90:72:40:97:b6:f5 44:2b:03:aa:ab:8d -1439903050.580632 ClEkJM2Vm5giqnMf4h fe80::a667:6ff:fef7:ec54 5353 ff02::fb 5353 udp - - - - S0 - - 0 D 1 328 0 0 (empty) a4:67:06:f7:ec:54 33:33:00:00:00:fb -#close 2016-07-13-16-17-25 +1439902891.705224 CHhAvVGS1DHFjwGM9 172.17.156.76 61738 208.67.220.220 53 udp - 0.041654 35 128 SF - - 0 Dd 1 63 1 156 - 90:72:40:97:b6:f5 44:2b:03:aa:ab:8d +1439903050.580632 ClEkJM2Vm5giqnMf4h fe80::a667:6ff:fef7:ec54 5353 ff02::fb 5353 udp - - - - S0 - - 0 D 1 328 0 0 - a4:67:06:f7:ec:54 33:33:00:00:00:fb +#close 2018-01-12-21-45-00 diff --git a/testing/btest/Baseline/scripts.policy.protocols.conn.mac-logging/conn3.log b/testing/btest/Baseline/scripts.policy.protocols.conn.mac-logging/conn3.log index cf205169c1..b738f14754 100644 --- a/testing/btest/Baseline/scripts.policy.protocols.conn.mac-logging/conn3.log +++ b/testing/btest/Baseline/scripts.policy.protocols.conn.mac-logging/conn3.log 
@@ -3,1340 +3,1340 @@ #empty_field (empty) #unset_field - #path conn -#open 2016-07-13-16-17-25 +#open 2018-01-12-21-45-00 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents orig_l2_addr resp_l2_addr #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] string string -826191058.128321 CHhAvVGS1DHFjwGM9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826191118.129144 ClEkJM2Vm5giqnMf4h 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826191178.297416 C4J4Th3PJpwUYZZ6gc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826191238.140114 CtPZjS20MLrsMUOJi2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826191298.137032 CUM0KZ3MLUfNB0cl11 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826191358.243247 CmES5u32sYpV7JYN 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826191418.144505 CP5puj4I8PtEU4qzYg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826191478.189218 C37jN32gN3y3AZzyf6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826191538.242710 C3eiCBGOLw3VtHfOj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826191598.142982 CwjjYJ2WqgTbAqiHl6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826191658.206258 C0LAHyvtKSQHyJxIl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826191718.141676 CFLRIC3zaTU1loLGxh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826191778.139555 
C9rXSW3KSpTYvPrlI1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826191838.160870 Ck51lg1bScffFj34Ri 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826191898.207550 C9mvWx3ezztgzcexV7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826191958.161501 CNnMIj2QSd84NKf7U3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826192018.156454 C7fIlMZDuRiqjpYbb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826192078.143576 CykQaM33ztNt0csB9a 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826192138.157070 CtxTCR2Yer0FR1tIBg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826192198.209621 CpmdRlaUoJLN3uIRa 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826192258.213369 C1Xkzz2MaGtLrc1Tla 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826192318.168316 CqlVyW1YwZ15RhTBc4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826192378.142768 CLNN1k2QMum1aexUK7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826192438.145514 CBA8792iHmnhPLksKa 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826192498.211725 CGLPPc35OzDQij1XX8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826192558.254519 CiyBAq1bBLNaTiTAc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826192618.151880 CFSwNi4CNGxcuffo49 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826192678.152689 Cipfzj1BEnhejw8cGf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826192738.148612 CV5WJ42jPYbNW9JNWf 128.3.140.132 2035 
194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826192798.184559 CPhDKt12KQPUVbQz06 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826192858.168774 CAnFrb2Cvxr5T7quOc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826192918.151045 C8rquZ3DjgNW06JGLl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826192978.149902 CzrZOtXqhwwndQva3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826193038.200491 CaGCc13FffXe6RkQl9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826193098.159328 CNdne23ox8SQTgPoy3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826193158.151344 CeGt004UBsXLoZSeCg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826193218.158016 CTrywc2ra7tcWn2af 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826193278.162718 CzmEfj4RValNyLfT58 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826193338.440718 CCk2V03QgWwIurU3f 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826193398.155563 Cgc67J2CpHIVN7HAw4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826193458.258855 CgwPkWkJfuBIJsNi4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826193518.163043 CImWJ03GsvPvA0P67i 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826193578.166776 CKJVAj1rNx0nolFFc4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826193638.349114 CD7vfu1qu4YJKe1nGi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826193698.277702 CWhRtK3eXodviHmbo7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 
0 (empty) - - -826193758.259000 CqVUM4vyqCacqFiud 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826193818.167095 CudMuD3jKHCaCU5CE 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826193878.266468 CRJ9x54IaE7bkVEpad 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826193938.404902 CAvUKGaEgLlR4i6t2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826193998.202719 Ck78JG32Y4I7AGp7Vb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826194058.784259 Cgwg7Z1MHA1YkiZmm3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826194118.356593 CDNchHwRoXhVzzHB2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826194178.167100 CeP1sc28dOzbbYkbA 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826194238.165957 COOKv01AQPAqfGMN9k 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826194298.195067 C0JEpR1Ij6308CwEhh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826194358.251498 CQcXCjONUKqMfnhXb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826194418.279634 CVcd914ZFpaUisaVf2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826194478.176984 C5pL731XEkARXOq253 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826194538.254895 CB0Ovs3cNZgLQ93FSh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826194598.272308 CM4z3Z2rdNfyHYQ0Df 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826194658.273130 C1dGa34JRiYAKbMI0c 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826194718.258333 CtEfXf4f39NRDu1Dr4 
128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826194778.255249 CdY2UF17xGQ6lUx7e8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826194838.176031 CkD1144ZtRYffh5zjg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826194898.187592 CbI5Qt4rlFnOHuL522 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826194958.284053 CjGaD11BLkmCG5cEVf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826195018.191134 CdGkzc4fIBRo0721v 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826195078.186092 C1ejhC4SXsZ4pEdOd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826195138.181047 CisPKv3PhjrFFhZbq7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826195198.277505 CCgIHR2Vna1ZW9BPjd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826195258.191452 CWqViP2k4EKfYWy7Y1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826195318.276192 CBr8Cp4juBTcRQZAA4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826195378.246741 CWMTYT1vZEQXErCXY7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826195438.187041 C9Mb033HGlhETKxUbj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826195498.328394 CGwfOa4GYyzNItzc9j 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826195558.260878 C4C8Lr4DOGUTRZPAW8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826195618.192392 CfQutTEgs3g8sUrsa 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826195678.183445 CKvlqe4bTVu5HNGrb1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - 
RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826195738.336498 C04EG53Yaw6dgjGT3k 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826195798.190914 CdzNo91LLZlfe0pmT8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826195858.193703 Cb2Rv3Wek35VDwxDk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826195918.289198 CsLUyBLEs5x3GKtgk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826195978.194311 CF00uX66iWHtiV1q1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826196038.286860 CkVqlMyWLZSpdNcPa 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826196098.237900 C6Frs83UqNszgcqN15 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826196158.192843 CQCAYJ2zCov16vZwf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826196218.198534 Cil9Tc1rwfQS9uqdsb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826196278.201302 CgHhMv2Ww0Y4oQNtd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826196338.294847 CFTS591Wnlb7gnrpP7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826196398.194157 CoVJDI3K3qTiTnPoV9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826196458.194955 ChHNpz2Xf9xMo2lnC4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826196518.242601 Ch5tsG3OlOd7l83JFc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826196578.363462 C3AXaL2up5k3PR4VW4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826196638.194463 C2qZRm2yQg9RoQNkVg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826196698.220656 
C6tA8aOk3QI9oIaHl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826196758.207790 CggxJkLPcdPyKjfma 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826196818.238833 CI5pddk2aeicnmmoj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826196878.202555 CKpb612OxJundLAeRf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826196938.212156 CcwXC81REVUrKprLz 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826196998.239313 C5OBjqCVHlPAjKQXi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826197058.200122 Cb7w0T1dHZUPXzdgRi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826197118.310249 Cuhrwt2ypWdmhxNcjb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826197178.309093 CJmTVn4YcEf19Wo137 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826197238.207420 COvnS21VmREmS5Xzuf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826197298.208237 CpKJJiDUPEBNMGSC 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826197358.217839 C5II0Z3yZFhDzHSKrl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826197418.275266 CQ7b0y4Vd4NVQ3nJRi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826197478.334646 C68HZHafWQbOYWkYi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826197538.212478 CX9xXW3s3cSCaIB9a2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826197598.225962 CUTgljebkkh2Ydhzi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826197658.309739 CsnMLaDyNeIqxq6i2 128.3.140.132 2035 194.140.136.34 80 
tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826197718.241266 CuIjKg2hEOBmXsIvx4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826197778.378715 C1alUz23K74AR4WZUc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826197838.344394 C9ywcdnOP5TLfD97e 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826197898.249569 C7aJ8S1bYoBzPdxRDb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826197958.398725 CTISqXQMVxGJCVG2i 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826198018.215078 CjsoT83JnYI2Be2f8j 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826198078.218834 CohWkh4QvZcB1WXOVe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826198138.216728 CL7JR54e4lOc3aUAph 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826198198.217548 CS9xQJ3Jly032E9jC2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826198258.267159 CPOg0SZxpoHbNzpG5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826198318.222088 CgYh1L1mwsOxSqVBu9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826198378.269737 CPEPje2CwXXxGGPo27 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826198438.216854 CIWOQa2vaf6TxyZ2Jg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826198498.219601 CqyxRG6TRKYW41Zz5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826198558.233108 C3HR3r12iwKiqXa9c 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826198618.222208 C823dt2fd3qQ26XyU 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - 
-826198678.234721 CalQkN3MoYim6AEEe4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826198738.223849 CzZuKd2XEy2jlcWqT6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826198798.377868 CVgpXQ1plHZSjZoGq9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826198858.273279 CPnPwW1vseaFvOVKZc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826198918.231128 Cr5ot64fYu8c0wBtik 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826198978.225059 CceZRf3q969iOibom4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826199038.226843 Cfv1oI1ypkphPOMD7g 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826199098.229611 CkgPZ03tcwpxYjnOSc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826199158.229450 CeYlkM3WxZVUmujyB9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826199218.227329 C8yjkq23bmUk9MkLf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826199278.340384 CevQX3116xo72LIoK9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826199338.231893 ChN5cQ1faCW2xBl8Ki 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826199398.231727 CjTrQkID6Z2SNK3ha 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826199818.339795 CA4o9G1CB2Af4WWhCf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826199878.341563 Cf8FAq4I77xaBMSVT9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826199938.340438 CPjxvb4XleEtywR72 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826199998.238772 C7XVqL2qUJ1enNZYag 128.3.140.132 
2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826200058.240561 CjqWgiHlaYFi9YImg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826200118.239417 C1uJul2gbxeDRNFura 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826200178.241203 CbIFhV2t1dFcA47mxb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826200238.243969 CAy1xs4SqOffMYYoi6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826200298.255520 C3sUxYJbMLLrlkY2l 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826200358.245608 Cz7T4t4CVp8k2htbIk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826200418.241558 Cqn0E64YUKHGEJtXE9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826200478.379987 CwkPvf43XtOGn09xUb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826200538.687256 CQKymemsGWxk8qNhi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826200598.867643 C4DpKm2ihMjo33xAK9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826200658.261374 Cx1J5T2RlUHdnWX4P7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826200718.287570 Cq5Tn24Flxl5ykcPB4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826200778.408439 CBMc5Bq8xeq3TqHyl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826200838.424863 CwalhH1EmkTCp6Z5oj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826200898.441277 CoBPIr1bmfwOHYS8k7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826200958.658763 CauDdy1kS45qWx7Jaf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 
40 0 0 (empty) - - -826201018.254540 CeivHI16nJNE1XoDn8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826201078.268039 Cwks1t1XCX1VVKWlui 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826201138.255207 COzc1t4726TvteJAq9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826201198.275551 CySyNg2Q7X5Wig9qXc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826201258.252935 CdHHGD21PDk8qHCNZi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826201318.289854 CytmUVLD1AW7Bjdda 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826201378.426313 CyAz9V2XDShWvc9X85 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826201438.335369 C9mSwv1EoAGeQwdxia 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826201498.320561 CSqd0W3t872JJDPQR7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826201558.320384 CBdUFS64H8SD3CRc7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826201618.267492 CXmENaHXj6AAZ6z67 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826201678.371750 CHxNzE4i1HGC9aNQb8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826201738.266200 CCOssQ1lVW9L4luov7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826201798.263102 CH4Zqaz7LIoXnVdx6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826201858.260975 CmYN6N1hsT2MgdKQo9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826201918.266689 CkH9U915OzOOjvkSJi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826201978.271412 
CCwJVWbbaSCkRe2K9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826202038.344449 CRGnRy2aYiKuVFnIG 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826202098.825455 C3JRhD4EKTLL9ETgB6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826202158.956074 CTy7qulV8eG6LkeUd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826202218.304913 CUN1fq1Nh9yg0qjEZk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826202278.282291 Cy1IPuLzKTRb2fGF8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826202338.312374 C2sbOw4qh4NrDdHRH2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826202398.465444 CsTLYp3UVyKHvvF8jl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826202458.270082 COJL3m2IFflzZ1Cvdk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826202518.370443 CAR8U13yNQoRQJZLcd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826202578.275607 CYXkGL3OwfyucBURVl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826202638.285208 CfyyuF35s6IHIKaPy1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826202698.272334 C6lrWz3udBitB6moKf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826202758.277055 CJBk991FDSqc8wRBK1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826202818.279800 CeoHSa1uBAQlDI3FEe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826202878.415282 CnB5fj2ShUFnGngqf8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826202938.279472 C850go2IsfiAcSGCfc 128.3.140.132 2035 
194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826202998.275417 CRM6Kv2JvySZyj1qrl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826203058.292814 ChDijs42aziwiDYP4c 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826203118.283859 CiZMlr41UYw4zUSiH7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826203178.277842 Car6PO34Q2yGqFhtw8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826203238.279637 CwUICHbZAZuWABr9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826203298.293148 CLvoof1o65FluhXQI6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826203358.339838 C45NxP1qI6S5UMi6Ta 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826203418.287944 C73cNq1ss4gZpfV8Jj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826203478.446865 CWnddL27sIwroPwU4h 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826203538.287610 CwP7As3BK8V5lwj7D8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826203598.284519 CaEkUY1AI0qcJSl8Cd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826203658.453200 CBkOwg2KK7rXFXUTmd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826203718.292998 C0u03i3hv4B4fSd7zg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826203778.296740 CITjhO2n7PZKsy3Mw4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826203838.288761 Ci0XPI2JfTjInNGHJ7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826203898.288604 CvRIiA3mohju9nTku6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 
0 0 (empty) - - -826203958.306005 CUAWQS1YtxjDhtxxte 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826204018.302916 Cgcc4N2eKsv3m3nA87 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826204078.295923 CWT4zv7sNwj1cnBeb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826204138.292825 CylDMs45x5z5lRx9se 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826204198.293633 CT4t8k1zeBe7ZRUBg5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826204258.303229 CQHUiY2AW9ZT2iB0x8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826204318.297196 CZvB3g1drtq6h6KP8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826204378.332142 CBeoy737B8VrP0iSS6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826204438.374915 Cs4vHa2laJaNpjym2a 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826204498.296670 CYwHEGkAUO1v9YGk8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826204558.295509 CzcPSa4HIZVpmSAZQ1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826204618.307043 CmVWUQ1Zj8v9tk8Tn9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826204678.296142 Cyyy781JVg92X5mDUc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826204738.304744 CMU7t24bL4QMZtMO2l 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826204798.310410 Czv7tI2Aq1yfgdryG 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826204858.301417 CR7XxA2W5vLwE5KTs 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826204918.303191 CmDpIN2aFGjiOMOJWe 
128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826204978.324493 C5p9eh4XiSATtqsZi5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826205038.300903 CVLeLf3d954JlCj5Ch 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826205098.305623 CUeKfb4nbjydJsNdId 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826205158.322052 Cekrs3zkM6eSou1mg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826205218.303340 CUVPVWOtpPH13Hfck 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826205278.385157 CfhuF84Ji7AdXxsAA6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826205338.307892 CgfSWCkLmMlaKMWUl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826205398.364345 CRYwli4VJ5IlPTDWIl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826205458.311479 CguHTc3ErOLWFoQyBa 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826205518.310351 CpDj0c1fnKaDIGyqma 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826205578.312118 CF5tR03Af5y0DJD2he 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826205638.310976 CbaJQC9l9K3ELB1u1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826205698.312761 C9xsW63PP2wB8hiDUk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826205758.334077 CzWoyC1HE4FO1zdT3a 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826205818.418825 CyVhox28QHRlYRbY9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826205878.319114 C57jQA4eBlGbOkJ0xc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - 
RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826205938.317005 CimLTH3Vi2F5nxs6Bf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826205998.320749 COlS4I3p8lZG3vxBag 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826206058.316670 Ch4OGK13MCwxE2a1O9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826206178.372932 CzTeK32euJBRHTY2z5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826206238.321042 CA1qPq3zXlCZGMTF3d 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826206298.327724 ClzajT3YA0FYcHeIsi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826206358.322675 CoW1ycpevZQjU9uK 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826206418.433774 C4mAqd3q1os6WQrFGi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826206478.335035 CoLfC03bP9cbW0s7Cb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826206538.446151 CDZen84XixQL22chD7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826206598.357171 CEUdRVRpBWnzWSuJl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826206658.324795 COUblG2yCsr6J0Z8k3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826206718.330487 CtAsd2ykOOaUv0sel 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826206778.331300 C8iXoIHQrMuYvFD7d 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826206838.371150 CEZ4zB1w0bcdFufPv5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826206898.501767 CHwfwB4tWYNdiXgqj9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - 
-826206958.338610 CpXYCp3HhrY4ziK5w6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826207018.353094 Cu3mx7WQp10fiKvVd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826207078.357820 CJK73d2tv5bceelJs1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826207138.439665 CiBJbd1e77zhCc8o92 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826207198.330243 CrDDne3jAfXkyEZLZh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826207258.399375 CrtbM81EwribjjBbs6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826207318.339670 CinzyU2OZ3RzfO3iQb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826207378.337548 CdMDAn1K65PDClegO2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826207438.341279 CL72Eb6pZzrrF1MPc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826207498.337215 CTH9yVeqRZ7hCysmc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826207558.342907 C7dQb6wN8PS99nDpc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826207618.357377 C7zVw01Vz6Gp5SUxgl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826207678.467498 ChrOVe26x8jzyNa2uf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826207738.447804 CNSAUE2BML8biNfBQ 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826207798.341241 CNJ4Xn4VtXlynW3J3a 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826207858.349856 ChGNUG3biEoPUuqOa6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826207918.418989 CXw2CyoyLEXO1cDi 128.3.140.132 
2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826207978.339771 CjvpgV6kqW0852q3f 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826208038.347415 CxUw172WrEAdzXMRL7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826208098.425324 CeRlLB2HA8cgJm1oe9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826208158.352927 CkQkiC4YuLauG6WZEa 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826208218.344948 CfgLCv4QFww6gvQ87j 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826208278.344772 C8jLEg3BRmkSv2OTHd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826208338.350459 CGCF331JLuHl54L5rd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826208398.352240 CWBzQU3jlmCFJxIvW7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826208458.448653 CuQnVY1S26nokuHtw9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826208518.346965 CDLpxA3tPGVgwxSem 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826208578.371204 CqWOXg3fwJ6pVRPP41 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826208638.382748 CH9f4S31R76ubzMqXl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826208698.354276 C7NKKJ363Po1sp1G76 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826208758.393143 Coa3vE2Wqxw7XtPyaf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826208818.351978 CPbwgd4HAWmMrjHmBl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826208878.364498 Cg3va11ZQR3RERyK2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 
1 40 0 0 (empty) - - -826208938.434595 CX1G5j2XAjJVbgRRYg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826208998.354384 C1BbhC2e0BR83RHPhe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826209058.435227 CBMwL219aumFxhrnzd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826209118.356985 Ce8sjQ1yXYbarn3Mv 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826209178.536399 C78sjv46n0JEJJ9Ixa 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826209238.366407 C2z8sX3Zt54zcv7nHb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826209298.357460 CrmZ753z4MFkzJPjfk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826209358.367044 CmZgh34NMetxae8Pm8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826209418.459570 CtsyPdY3mkmf7kLb4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826209478.362786 Ct0FdeHeoqV11oqi3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826209538.816451 CHpfPUBDLI48ElQX6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826209598.447358 C6QeBz4zMAkwfJKzp8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826209658.373018 CvZvjb1h22zExFA9Z5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826209718.371878 CQnxI03CHdqwafO4o2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826209778.369758 CV85Bg1jB95m3NCt2b 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826209838.378365 Cpa0UQ2794FcjpykQh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826209898.371356 
C9U9nP2cjbHpr2TZZc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826209958.412180 CIkXHw1k27sxdK1IL3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826210018.593545 C6sQTZ3batj1lRDpFf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826210078.395223 CrLzH72bC4Py0O0Pw9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826210138.522899 CwByX11akVrJXiAL89 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826210198.386118 CMrmZC4fwKKms3eVfe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826210258.375204 CIMbgg4rrK1rYO007 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826210318.372116 Cl92e44KbzduaHbhyg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826210378.373906 C5yYvFfVOJPVQqJWb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826210438.392281 CaIW4B1CNbhrY3Z9P5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826210498.466302 CuFyuJ3RcaoYD2YSlb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826210558.373412 CkeuvB3U6Z48hwsmd7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826210618.381066 CmZ5913VmiwYcCMsV9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826210678.444343 C4iWMr1o5OhwPrp8sc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826210738.786745 CeVw7f1PrVOGyux7f8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826210798.378604 Cv7Ojs44cHurW5mca 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826210858.393065 CG1IZO2kmbIytfrjF 128.3.140.132 2035 
194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826210918.388978 CFo4ijFpPMOaVkxyc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826210978.524464 C6aRsb3UekWRpglS77 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826211038.380818 CFOKe2YkWP7etA8pi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826211098.456790 C37mAJ2U5Kisle0Qgl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826211158.595216 Cgjcpf4p7v2QzNmLSf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826211218.386167 CH7oxC2LFgxSRkfdi8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826211278.396726 CaQ3deHsj3TrWL6J 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826211338.568337 CHfOyV1EmktPdJYs1c 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826211398.491118 CAP1W92itot6anqOh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826211458.395342 C42zWs36ET4H6JkMAf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826211518.504492 ChCctc1RXXIqfN02T2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826211578.416483 CMIGG63blVyQrgtKZc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826211638.390960 Cm5hUStLXU9qmc9oi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826211698.525482 CST4021EoQxELJXa23 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826211758.535067 CEUV1F4e4X7KZmIQjg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826211818.464624 CMXu7r17v95iIWljHb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 
(empty) - - -826211880.427357 Cf2iT43rdptpnlRFaf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826211938.496475 CKee4U3Z4oY4yRz57c 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826211998.412364 CyyAsI1bENRZJHsPxi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826212058.558577 CFfE5G2444nCYFZKB2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826212118.608187 C3qdoZ1n9Z9JKjUDzg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826212178.505544 C8F0wsJvnG24pWYob 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826212238.398986 CeHfJV2oKMDd0Y5Q7i 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826212298.417363 CnDV6B3aFu2Rig5pDc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826212358.419147 CAYs6PGpPpvE5HD45 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826212418.567316 CnYoeO12NNlpv8vJw5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826212478.954585 C7qhx8MH4aXtRLCz5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826212538.490773 CmqlEJhGZCyPSVeVg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826212598.433975 C30S013blQYUkUFuKb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826212658.488438 CfUaZj2hvTwscPvXpa 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826212718.422866 CI8nPFXkU5AYE84Ei 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826212778.479312 CtnR3q3r0iCKvV7N7b 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826212838.407898 CKjWKd4Mq2FDzB7lNa 
128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826212898.595122 CsmwQW1n5WCKtRZWOa 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826213138.524203 CisUSAKIZdFFX8lWh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826213318.422154 CeyYdH2Qfmpzbjsr2h 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826213378.462951 C0i55oDRpoYXbScq 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826213438.435434 Cog8rV2Ws6Hv7UCGta 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826213498.448913 CW524A4Jvs7LV4nSi2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826213558.431157 CZImj8vHpyMzhT9Xh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826213618.429994 CZ7qJ91KzEqUNJwu96 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826213678.421046 Cz0TOI3Oz84uu7WmSc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826213738.417958 CpkFh021CJKOiZXyPg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826213798.461704 Cggyq72pcsVl1twmKc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826213858.459578 CkjjDD4mVrHaOHrTpb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826213918.542352 Cl2Pp43hVt8yeVkbI9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826213978.451395 CXahDdeDuBzEqAb1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826214038.428786 CTecLV1manIXTrjAIe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826214098.423739 CsLyVu1YU7im0wl04e 128.3.140.132 2035 194.140.136.34 80 tcp - - - - 
RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826214158.438205 CLYYbS2z9Ou3vNkkZb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826214218.450701 Cpj9DeO0yZuq6Ute 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826214278.423204 Cc8BePGbhxSxkHHjf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826214338.476713 CwYtAfMvzk9Fod7cb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826214398.556580 CUfWl31hYnv6Wwvt1j 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826214458.448105 C89fm75JmUuUqVjL2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826214518.471366 CR8db31SCvKcWQu7se 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826214578.803035 CZ5SE92qMLKBRvXPTg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826214638.471966 CextRf3AOZqeA1XkZk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826214698.459073 CTPOjD2rPLS9mqWtI6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826214758.622869 Cx2fdd4vASV4hGNamk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826214818.450923 CxO4Hl2za3S1dI7BF1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826214878.554209 CbTCX64fnBOz5Rnss5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826214938.443726 C7fmrSMRs5eEbiXEj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826214998.442581 Cfoam51KJQvseaC6O4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826215058.447292 C1Cfql1xwhiHqaEiGk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826215118.470537 
CcKAdX2Q0thi02ReMe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826215178.443043 CR4uj7veM5o7mhLT2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826215238.472167 CM36EW1l3dYeFyEps8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826215298.434914 C6RIBPCLUqy7QrkG7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826215358.444512 Czd0jk2Saz3xxLJsU3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826215418.593672 C6IvVK1opBeZQ7AQ7a 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826215478.442217 CUDpIg3BIilKU95Loh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826215538.446917 CYSUaV17LYTkbrEVpa 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826215598.440880 CnSEAH1VZnpGoxnDPb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826215658.447537 CNJWdr1axp5uTe7O79 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826215718.497136 Cd0PwY1sOnxvxlpOUd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826215778.541854 C3plZ01VSnQwnkq1Ce 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826215838.718352 CF0xAHahJVVCD5Fi4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826215898.652795 CTPJGE4d84dfLkqXCb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826215958.455473 CVuUh142e1YgH4Ofll 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826216018.446512 CLMQOF35kFy3YN5Xx8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826216078.459038 CuMT6LYNk1J990vRk 128.3.140.132 2035 
194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826216138.454975 C1Almd46wwAwBRkkE5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826216198.451877 Cx2o7z1ve2pwRELwm2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826216258.478050 C7ORHD2Ge1bznHOYxb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826216318.508142 C1hBHK2Ako3EciFj8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826216378.615328 CAKOnF2dhpD2lIpMW5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826216438.513650 CsVB753IMy3ksnCXJc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826216498.455902 CnPxgy4t7wZRlJlXic 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826216558.506493 CUgy2o3FvSC7r4Z9ya 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826216618.627343 Cxd0L53LzmLx1GQL3i 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826216678.455377 CdERFK2TuqeY6bOLIk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826216738.463003 C7gYx43YuJLYHaolL 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826216798.484306 CQ02Hh28fM99vbB7t8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826216858.464603 CZ6vmo2iQaPNxh2Cp5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826216918.457605 CkOZDv22AxQ2YWa9d9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826216978.463284 C913kM1HJAW0Z0QCWc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826217038.656359 CKgKAx20fbelsVSjj3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 
0 0 (empty) - - -826217098.472702 CRhBnt2F6fTBWyjylj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826217158.458863 Css94F2wp6eqs3AG2g 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826217218.685135 C5Iwq42ShwCJuekrR8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826217278.460500 CiThk046sKXUN21yT7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826217338.809744 CIKTEw1hGfX8fLggpl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826217398.468952 Cuqf1SXU2lRMru8ab 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826217458.473659 CViQRu2F6CP81AHxN7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826217518.644301 ClxNef4rXFifWlnVe5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826217578.554358 Ce9ZL977eCsGAEVwh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826217638.574699 CcsJ6S3KeIOnq32dUf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826217698.468159 CNeOYwF6hHL1iYy7a 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826217758.628043 CtIalz3JApUL6lBk5c 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826217818.476557 CiGbMU1lOEKc8ZcnJ5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826217878.468586 CZ7cfF1ZmnbEKFCL86 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826217938.582596 CtwugB8dqTukJE53l 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826217998.477002 CzuDds1p0W3c1OxtQa 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826218058.883849 
C8icM720Rm3KFNSaO3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826218118.482549 CBqI3A3aZ9wbTqAHKc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826218178.482392 CDI2sycOSZMfUwDej 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826218238.474417 CdPmeZ2wefP1W2pDaf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826218298.507434 Ctqz3r2Q6Hhh45ynBb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826218358.560950 CZ3VMr9TGKr4pDG49 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826218418.478818 C9L1P41WGLblqJ5lX9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826218478.483546 CjpsNzwm6pkRPysTl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826218538.483389 CXKlOW2OXCLUH0tag2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826218598.558389 CaX41W2rQe7myStGic 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826218658.787580 CwL1AP20TmhyPubBzi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826218718.583409 CGsgYT2M54ThS9dD1i 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826218778.619355 Ct7NPa2Gjw99Ds55Fa 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826218838.509870 CmYrUP1Jii5rRzA2N4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826218898.485297 CfAQDb3ztIZ9Esdhnb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826218958.502698 C6gNhw2NFYJKnnBJAb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826219018.634278 CLrESm1lxkihbOfujc 128.3.140.132 2035 
194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826219078.491595 CGxlGu1ohd5JBhXb3l 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826219138.488486 CTCzwn49MMq762o5wl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826219198.592761 CLvYvUL9THPcxwH09 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826219258.492052 CordDM2ka874SoTG4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826219318.490911 C6SzT4NIAosKk51Ne 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826219378.959227 CzpRvg1ZARpYbvKZLd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826219438.545233 CRJfqUBQrh1OECRKh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826219498.525544 CUD9vt2xm6AFEFb9te 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826219558.500988 CGTvIE10hTfMDqvRg8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826219618.532072 C1USEM2mkGmssUQFnc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826219678.555324 CuwWUn1WWhrDuebDLg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826219738.527822 Cn0jH9tRvniY1wOdi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826219798.597931 C3JTJw4PGH9c3y1zOk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826219858.854441 CpvOTy47aAhFPLLhy2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826219918.507732 CBZ93D1F4V32UnHVuc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826219978.497853 CU5NwdnJySKzDO6Ia 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 
(empty) - - -826220038.515262 CxseO02jluUsidcJ62 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826220098.578550 CUxHC03hhHZPPZPPd7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826220158.735531 C4F8Mc19wr3znjj7ec 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826220218.628969 CCa0k62q3tTbsgMjD6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826220278.712744 CgPOxw4ZcDNtb4qUGb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826220338.505674 Cr2WN61qD7lqnpZNrd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826220398.664581 CmcxqC1uCPLsuEWiwh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826220458.510190 CAYq3UzQvLCe76Zc3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826220518.507097 CyO8GYetxJ83COadh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826220578.526459 Cn4Im3oIZPuXCwbBl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826220638.618046 CGvCUk133LGTDCu1j1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826220698.513457 CpXlZE1JfmFmO9ezNe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826220758.537687 CereAezpP5CfTQdme 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826220818.575589 C8ldQR1zcqOsEUFCO8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826220878.554922 CvZeCEJYay1Ly86ce 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826220938.527428 CTUAHv3hD1FX8aHrlc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826220998.547748 C4Badl1Yn0KV5EiZI4 
128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826221058.528063 CZTcLz2NmHcn4ZD5cc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826221118.541565 C6VgL03HYoBgYkYcwe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826221178.570688 CBekaf1GPCZTu5hfEb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826221238.529546 CorcCoU4w4ta7bXdb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826221298.524518 CIBpBT20L8Wr5vMz6e 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826221358.579005 CiFKHS3FlSxbhZirR8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826221418.523209 CyeHfv5JsaGfR6Q9h 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826221478.515248 CiCUSr4CVHoG6yVoce 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826221538.650743 C4gVAPgEpkdEDZxR8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826221598.545164 CpkdiS3JOJCsLKSJh5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826221658.673828 CF9ZRQ3YWkwyOaZtZ3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826221718.527284 CVtLls2idlUP7gvVfa 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826221778.630584 C0iDve2iVKhr0DZq4j 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826221838.526966 CEpMvc44Y9buZQW9R 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826221898.545333 CSznMg1xj0hV5nntTd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826221958.534428 CRMyfvgvdHPOGXlY5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - 
RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826222018.583071 CKVSkGTNGUHtVkSih 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826222078.557534 CPSiwK2DMpE2jH6Vyh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826222138.536850 Coz5244kxG3F2Uwsp1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826222198.593281 C4ZIj1N89EJ4eXGG 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826222258.593131 CQnl3dyMoPF8TrJKb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826222318.816482 CBEXHD3r3x6EhHlQak 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826222378.818261 C4qlRm371SZUAlFHTe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826222438.632643 COUK6C40KLFuCC2Bnj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826222498.589524 C5aYAD4Cn2Ubc3Lhgc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826222558.568852 CHBOAd3sRJs4TZG5rk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826222618.564786 C1KXFY1d00OW56NOug 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826222678.624152 CaqiRv1kssCwKFiAEi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826222738.578089 C2ImrtGJ5Was24kO5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826222798.596391 CkIEMY2v5zXcCRAK06 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826222858.573723 C9nK7T2OW1zdBcXRr 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826222918.646725 CyNYn63xqRCtJ0Swci 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826222978.538235 
CuxhD94HGUTuDMCPeh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826223038.987043 CztBgE4sLwXhmXQ1V7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826223098.542807 CtBp2AhjFqcG9qhq5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826223158.613896 CIVadw3MmsEwKSXoRc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826223218.551280 CsJlJw3gPwZPfiVGdf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826223278.578458 CXe01x1FHRzA4kaake 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826223338.920871 CY25m12Au0LbTQ7ajh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826223398.710865 Cz9mVbJ3mLhtk3Vda 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826223458.611153 CBGwJBRTFD8aLOKJc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826223519.399189 CkSzRz17ol01kBjlNf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826223578.634244 CZLdPO2kd9vZKOmwTh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826223638.568696 CEmAHt4Xvq0HLd9W82 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826223698.552911 C3838x22eO0vcv6Mgb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826223758.619132 CpltvGXeH3DLAPPT4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826223818.616998 C3Z4pJiqtIGHawj0g 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826223878.588534 ChL9vB4VvykErujpb4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826223938.560053 Ca5orO1gBdPoGkIAGe 128.3.140.132 2035 194.140.136.34 
80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826223998.553003 CcwdAP1q3qj9kGbD64 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826224058.654340 CGoZfnZAUfEApqP12 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826224118.580976 CULfbN3hEwMuuClQlj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826224178.669638 C5CCVa2TESFWWp4h2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826224238.648991 CbEhxC3seucNFjJzl7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826224298.566850 CNkqdY1uFJUpLHcIfd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826224358.578406 CJ5lKt1FBnPOLExVJi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826224418.601677 C7tQLt4nj8nmymJNBb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826224478.615185 CNndLX2qcoBO1T5h3i 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826224538.557437 Cl6URq30CgLqZmHbdl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826224598.601200 CQrWXaeiNsamnLxJe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826224658.584449 CUUubM1kNFUIoAtRDi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826224718.714092 Cdm9Cl2oExwyIrTygf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826224778.590942 CnKdXm4Tf4ML9ukOYh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826227058.642220 C66i3N2Qa1eqAyN8N8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826227118.588374 CoXkaI3nBcggoQSFO3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - 
-826227179.008863 CRJy7L2YDZXsYxDhC3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826227238.597804 Cl2pecmmIw1GjkVJb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826227298.642536 CHWRw82poLxopSRDzg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826227358.735113 CnflkX1d2USQ4QeAK8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826227418.698844 C16ibw2KpRbXYrd0Yl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826227478.606937 CFiVSW1o9EVx5N4Jb6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826227538.632140 CbGXIX2xTZKRuIZwCj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826227598.843766 CCvExA2GM22zrnZkZi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826227658.607429 CV5jTHZXiRRacOOud 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826227778.631493 ClpAsC4U0tWM3Z6Gz1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826227838.700623 CGToTMGh5q3VrJjni 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826227898.735615 CfEaWC21ew1UaBmeLa 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826227958.728618 CoNHfb4cDZSJh2h1l2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826228018.837749 CAu0Oo4x3iftOu5dF4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826228078.611153 CoysEl2JglWGPKCEF8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826228138.664679 CfPVQm1k7F6Fd9dXi8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826228198.822629 CXEAGK24uAf1EMpLV4 128.3.140.132 
2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826228258.998144 Cga10I1NjMZq5YSNWd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826228378.685506 CABy0s1rpWlZ6X6tW5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826228438.978170 CFIQPc4ShJClVxKPr4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826228498.661770 CIYmfgVlNE7B6N4ec 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826228558.651863 Ctu1Eu1GyUwEttbbRb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826228618.701470 CUBLiE4H0lDoOyqIr3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826228678.650545 CdoKkT2Ke5De7MWN6l 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826228738.665995 CkibYw4PuXuckQflIh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826228798.694152 C9HQs14k8DJZQaqRmd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826228858.666644 Ct2bcYZHIODrba6hg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826228918.714285 CgUlJjlqbB9Kzozkj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826228979.077767 CI6Avt2cWWdmpsQnb9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826229038.727630 CUn1iH2S48i4Heqnzh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826229098.860212 C7CXmL3ysk9qbtIpVl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826229160.016217 C1Zh983vVGDE8rpT2b 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826229218.786701 CwhQVj4Sr6YxoNBRek 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 
1 40 0 0 (empty) - - -826229278.847042 CC1mwWtpL7QIsnIu 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826229338.642872 CqQ3mZ3WK7Dpj8ebI1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826229458.657132 Cuoe3c3Hv3XA5H3auc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826229518.649148 CNm68aOVy0Yxl7tHg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826229578.759279 CecHQz1SmJzVmrjLc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826229638.661509 C7FoyE15oylgO2D0vh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826229698.619359 CdjqSs1yLtNe7Xiylk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826229758.681659 CaQnjV3UHc2hg5HvJ9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826229818.639541 CPqeCK3u65w4FShPC2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826229878.937049 CJIWFo1ifuQFC3myBb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826229938.677242 CpIBX42j0JTDLqNky9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826229998.670222 CrDPHt2myMadMHRtGj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826230058.696392 ChUf2j8A2cckuCB9c 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826230118.687435 CodUX14FayPV287Dka 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826230178.687273 CpYISz2x0t1IB0QTDf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826230238.666614 C9aPOm1XvemsGRM5n2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826230298.675238 
CwA7AO3h7M0tClfk14 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826230358.663380 C5OuLn1RyWY1Cbhc24 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826230418.669078 CTrEfQ2OTZ6XwuqzF6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826230478.769466 CB7oN32GMSHJRH46Q9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826230538.701949 Cts2Bw3UyYSC8eJbw5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826230598.701785 COVKbVuLViTpKix0i 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826230658.684023 CtcBaG9xFLC4GY3f 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826230718.697517 CEukfh1EN6VBqvS5V5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826230778.669049 CwK86z3GfLlLdBtjf7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826230838.655236 CgKGYB4pW3vOfMBV 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826230898.676545 CMn4xD3x1CpYubrX2f 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826230958.677362 CY9Su7UUQHd3QxCU7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826231018.675249 ChWyT7DaScEmURW7i 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826231078.648723 CHCWma4mS3ppsLP48e 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826231138.705163 CLDNHl1Z4OK0sDBoif 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826231198.675715 CM2JMA3ZfXFcSbIVb1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826231258.652131 CLe3ci30E20BAchq3 128.3.140.132 2035 194.140.136.34 80 
tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826231318.682228 CfgmfA4jTr8Y6eLJHg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826231378.688895 CW4Csw229iMW5e0Rlk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826231438.682849 CeoYqm4Iisj3ozpq92 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826231498.666083 Cbr3ZX2RpOAHKjmCff 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826231558.651282 COwrPBGIpzPLJeW68 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826231618.668673 CNsMUUGQHroPHA8Ci 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826231678.701684 C426X13okmzS5nezed 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826231738.666386 Ctvhwu1lrpdV6DZdwb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826231798.665239 C6b9XS2XeGtwYY87xk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826231858.658224 CYCYdh13mKTqx1ydmg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826231918.705874 CzzvQk2VG9RA5JUFa 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826231978.670582 C3qPT62UwGnCqVIHe3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826232038.659686 CsBdJ51j1nLK3tl2F3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826232098.654639 CGF4CK3UKYLwIPRwyl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826232158.749160 CS9Igm4X2rCHxh8EI2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826232218.694336 CZVWmQN2v8aUbBLrl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - 
-826232278.658067 CiWSbfVPxd3DU1Tkl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826232338.689134 CN8vYE2x91ejKzzsD1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826232398.689943 CWfGo22Wn4dNhEMG06 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826232458.685863 CQwX581RWAcdloUaCl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826232518.661313 CcHqZF4mAmTipPOItj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826232578.668970 CDbHurHHYzQh16a75 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826232638.677580 CeOJdl3twOYDJJ71De 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826232698.834546 CB2C6x1g0GQKuoDeTj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826232758.673342 CrynIf4rhiaSYubZmk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826232818.695626 Cgpa8U1xzUsAFVfqac 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826232878.693516 CLSa0ZadTj6WeeEu5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826232938.676758 CnxPqm1SEHF2WwWUG4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826232998.696103 CXhpq14dW9SZTBfHJ4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826233058.672523 CCgTLd2teo52h0Wstf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826233118.673347 CeFdYqfRlkaD4rak9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826233178.684889 C9mchV3W5GidlSM84 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826233238.710110 CMErzU3stNQPLKaMU9 128.3.140.132 
2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826233298.683598 C0I0Rx1ymjsyaZC0jh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826233358.812265 CiKVFD1jyEZMI1gXIb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826233418.818938 Cdnacw1CFnnqrlU3O4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826233478.726052 CPStWmXe4km0Cl0ol 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826233538.712213 CJRkQA3jOwlmlfcqU1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826233598.675928 CeEFRd4qMWwv0Jh8k7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826233658.821184 CQ9bIuaEcQxsRROo5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826233718.692187 C284OX195pTFFffz36 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826233778.695922 CNGTy6cxx7ybLF9W9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826233838.705511 C7q4oH2DTPedalIPWe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826233898.768793 ChBuyc19gI9J1KGmY 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826233958.691530 CqDFty3SRyrnf90hfi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826234018.686472 Cggwuf3G2K5ZN4oakd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826234078.765344 CM7VSScmo8RxJVRq4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826234138.676343 CouMIolaAAuU3uBsl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826234198.788417 CEAWkJ28DI9nEKRfOj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 
40 0 0 (empty) - - -826234258.724814 CLYTyf2HBOn3UVjHO1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826234318.692441 CO6Ebe3kdaK8oiVzs 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826234378.781109 CGTZtF4cqefNQf85xi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826234438.715539 Ch03izqlxvJxYGLH2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826234498.765130 C9I5rZ3zk42R1XANoc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826234558.756185 CaU2kGXngY73q9ukb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826234618.754067 CTm5e81lzI1LnBExS 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826234678.682658 CxmPyngR6MzIa1Eh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826234738.705925 CbFrYB4DZH8tDkL0Y 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826234798.711622 CMXdX44qcXXU2h79Z3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826234858.698771 CEFFYl4SiGIgQVBwlj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826234918.694710 Ch7jT14FYeXA4zibfh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826234978.883896 CJGat7FcGiecvRUsg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826235038.712921 CNatvs4kRF4PKwSQa6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826235098.696154 C2NBCp3jV77cmR5Zt8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826235158.697939 C6WtsQczYdAqti8rf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826235218.836370 CUhe5I3aTm7jZot2n3 
128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826235338.920938 CNFZJ71R8kIIoPNIk5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826235398.737276 CcUcWO2v7gHgNp7Q62 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826235458.732217 Cb3KX21dAVvTruW5u5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826235518.757406 Ck2Rvb2bOsJDxQIHh2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826235578.831421 CDI95K1GQpHhlE1WO3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826235638.732696 CkQ1G62jdm35jCXtlh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826235698.778410 CPVwfY3kLDmu8VeKdi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826235758.710891 CXOtEWMw2dl3XsTGj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826235818.701921 C96Nem3M5LAE4wmxq8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826235878.700775 Ch4s3N255T98eOAbg7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826235939.808964 CRfKrw2WpPG0f6YNab 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826235998.908367 CkvEuA3A1e1PDP6u9l 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826236058.833061 CJGA6LrfAhefNKwZg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826236118.756764 CxAT1S1sipPu2RSOK5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826236178.750737 CR9GIt1uVcCEzQmX0d 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826236238.758377 CG0N5A4T0LUzvnAdr9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - 
RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826236298.718200 CfXYNY2Gtu2mOvJMAb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826236358.744379 CqUr0V2Ejojsue0UB2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826236418.820342 CvrWt84lulkHNvYqk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826236478.762593 CGb1NjWtOcccF7wwj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826236538.720468 CilF4d1b6woayAE906 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826236598.720300 C8j5rU2S8wOqxY7Xzf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826236658.811881 CuUrLB3Xprhr47zsPg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826236718.736563 CpIcgv424hVeESIlv2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826236778.761764 CgVp8E3o8WDS25ZEah 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826236838.741101 CaN1s3SLGBQ4aYcp4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826236898.722394 CLIxGjgqmKhRAW0A6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826236958.714419 CBcpca4v5bAbAgFPnk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826237018.722085 Cx0S392Jm2GGs57Vqh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826237078.810745 C0rM4y1xCN8gaJlx65 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826237139.031717 CWTYeZLvhVCqQ0Oii 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826237258.752607 CHdNJ23h8TGauylVzi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - 
-826237318.847110 CmlD1G1PBWF7V3AqC4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826237378.904555 CxD8fj1FHwuZnvlIDj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826237438.753128 CpXPjc2FWuGLYIHrq7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826237498.727592 CXStoPw0l608HE7Wa 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826237558.949964 CppWZ13XXmGNWo1sa5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826237618.841486 CsOsbJtpfytT4Zwmk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826237978.730259 CAp5VrBkO3ZBZDw7d 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826238038.726230 CdArbn3VkPQ2LQ6IZk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826238098.730892 CFQWWm3dCGqvIQuOIf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826238158.744403 Cuf8Te1rhfkUe3Ps39 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826238218.757871 CXQYhQ1U3eH1eCHbO1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826238278.772353 CLd7E94pRH1IAYvYYe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826238338.739988 CXSjf889bs6zGkd1l 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826238398.789594 CmudKn4wcczZ81CgS 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826238458.816759 C7cysk1k80rr0XAVGc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826238518.761940 CeAngf2WowKEx9bxt4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826238578.781285 COlxFa21bPstCyqFbj 128.3.140.132 
2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826238638.756717 CFLsus24dYUFU43gT4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826238698.789742 COPxfr3aAGe1RkBpY5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826239058.742858 CkChJz10kLSqA8jzMh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826239118.817844 CZLWOymP9apVN0cS1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826239178.749343 ClpiTi38HDCVH757G8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826239238.770674 Cc6Ywj2npKqeQWf0Xj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826239298.761685 CURyWM3JQc50i4uAy4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826239358.746873 CPlAAd1glpWofm9c48 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826239418.919459 Cs22AT1iDlXjpnEh23 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826239478.847061 CX9APc3bZVpG3EOoJ9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826239538.746371 Cu5n8i1eR1Uq7cpNp8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826239598.748166 CQZgXn37WW1G2MlGkd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826239658.781183 CfSvmp2TftQyAmW5Zi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826239718.803472 CjVLso4czHP84pCpIe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826239778.818943 C4SV4k38RC1OUl5bJg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826239838.753386 CLODqD4BvYLZkLD46e 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 
R 1 40 0 0 (empty) - - -826239898.798115 CYrTQs2MBgNd1gdB54 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826239958.766735 CEePRr28Y2Y1Mk7fol 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826240018.815379 Cp9nfP3Ll0DU202fD5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826240078.990916 CB1p8vzDu27Xh8mjb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826240138.857062 C1cf2A1IEXB6OWP7g8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826240198.789568 CNH2dH2ojKinxj8Znl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826240258.770860 CSw824rvuPrp6U7lb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826240318.877996 CSLQtD1VcMg50oXYij 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826240378.759724 CtS0rHoMhL7UNXlk9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826240438.752743 CpNVijnE2lWwqFUTd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826240498.795532 CjsNda3kT7BMmn79r5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826240558.806102 CgYgjg4uU6EPRMKrHe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826240618.805927 CGv6GGMohalagEtfh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826240678.804787 CSW3Ia4wgHVN2LR2x6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826240738.827089 CIocUB2QmNtAt98Raa 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826240798.758610 Cc4qTzr0Vrfu3VYJ8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826240858.757472 
CbTdzs3jEHRNU2hFC6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826240918.765106 CnxLUi2KiCwChGAqX8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826240978.797143 CQWG8r2dfrbg8LUlua 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826241218.771213 CngLM039cnn4Mvt3Df 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826241278.766164 CPchod2Y4uAM4sSS9c 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826241338.777724 CFTJ5k1BeIJn84TMH3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826241398.765852 CyZqmk3JlFJTzRoIM4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826241458.768609 CvI2Po42hxTw7EWx0d 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826241518.769419 CUNPU92OvaTuTi9Mn6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826241578.776090 CCljqz1dhNjSOwPtt2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826241638.772991 CQxarQ3Old0ATLJU34 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826241698.791353 Cw0Nu83mpEDdLy8MC6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826241758.774582 ChnNNF3g5zHZRnTnB4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826241818.771469 CuuVrm28b4g38DwYsc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826241878.863055 CMXwF2rCJiIRPl6jd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826241939.284125 Cvez3u2SD3arHlyAhb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826241998.780750 Ca4smwv5Bm87TV2Tl 128.3.140.132 2035 
194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826242059.025161 CPm8hfqbQLr7uupN8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826242118.790175 CpkkHm4vwb3YqzXCZf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826242178.788064 CfjnpA16loSFIdknW6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826242238.835729 Cps5Az3rXyb1nHevh1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826242298.779917 CXmQLh4nwA2enaBMqg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826242358.860709 Cw3UIy3L6yJtxXSNa2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826242418.804890 CZKPJ624uO7F4s4uH8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826242478.905255 CqPUf01ahHtGb1RWvf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826242538.810416 C0KvlV3xhBAS0TjIDj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826242598.786827 CyMvF62XUvVdRK9MI8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826242658.838395 CGOfGiDKJQjG94tMd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826242718.874347 CwA19D3CGPf5cw6el7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826242778.838084 CTR9yW1pU9hdggZRuk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826242838.787168 ChvW5E4jKCLmJGFNg5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826242898.920704 CjJLKQ1Tjc2vp8BG8a 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826242958.863934 CsXjRw16FavgTXwrbf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 
0 0 (empty) - - -826243018.841315 CUCes41sQHFSrH1ZEe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826243078.829442 CH3IYJ2c8Jen6r8iV8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826243138.797073 ClE3yWP7k1x6qEyPl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826243198.790087 CDMnmw29INxxeNQYE5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826243318.790753 CNncBmG60jrMYE6l 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826243378.939943 C8eX4r3Cp2UPufTe1c 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826243438.803122 Cgt8oPuPHbri1sDsf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826243498.837082 C0tU0J3qBSNPZvvCs2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826243558.806671 C8KI9R1ifxBOWmcYbk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826243618.902231 Chmysb4fi1r6OFHDDj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826243678.799713 C0QO6i301914TaOGJl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826243738.801488 C1ORxn3XJz6yGFeo1g 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826243798.797409 C16xpV1tjLQ8icxRRe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826243858.808938 CEMDMT1e4PPAuvjdM8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826243918.824396 CIUQGp3FrmzWVrNbWi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826243978.811537 CmQYii6kvBaNTuNVk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826244038.808443 C75hcC2LEEqHPcTGQg 
128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826244098.843419 CgOLAF3SB0Iuo1RoGb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826244158.807117 CdThD72YLnxl0tAhx9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826244218.805965 C7pyIc1SjyxmZqpP2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826244278.871193 CG40jK2kO1NXwdRjlf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826244338.832976 CFT5QX2NGkWvDoS73b 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826244398.829901 Culfcf32j5G4hy5STj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826244458.854146 CbyYXp3OuxgvSs1rnd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826244518.802259 CX4BSWvxCOPQSsoz8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826244578.812840 CJU0ts38Nm9alT7qOa 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826244638.889787 CmNRTy2A3u7dm89xd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826244698.804714 C0iw8dgSzn6Lt2l87 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826244758.866022 CaRZ9m4zUs222cMaf6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826244818.840494 CyNxcw4xw2VLy5xqM9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826244878.841322 CdRhWT3WJiNJd6yI4d 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826244938.838230 CCZZib3Y9pjgYtJW2f 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826244998.816588 C2lPJTbmBFDRGZltf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - 
RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826245058.821315 CBNXBD24hjefp0LZkj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826245118.812373 CbnyaU2sWQc9hrOFsg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826245178.913723 CrSfRNn9Y6TpKSYwe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826245238.866722 CfcTNZ3VzQGbNyOYm1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826245298.921238 CnrF0h45yKF5cL7XQ4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826245358.819586 Ccw4T01sNMI4v5qGs3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826245418.830157 CxZjbb1da9hcaT6Bt4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826245478.863177 C840ag3wJtif3z9DV 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826245538.856182 CoXTPA2KVYz9zNYlib 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826245598.824786 C92XxR3BCHdnrMocM5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826245658.816823 Cvjzja4a0xIU8nOkg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826245718.819596 Cadfsn2NN5nFfCVO97 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826245778.876048 CT2pLJkKDfRbdDUWk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826245838.875872 CgQAlXJSKaQ8YnvPg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826245898.863029 CQLrXR3icdsWYVPKg2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826245959.038160 CZxRwdVLWuciheCb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826246018.825643 
C90m229PgBu1jrrF5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826246438.824533 C4Evyd2E8m6d4Xhqsi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826246558.835921 Ctt4oD26CzPAWcJQCl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826246618.829895 CAVH4i4ZVYN0WDoo27 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826246678.850235 CGiOCL3c4KjdZuXuff 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826246738.830559 Chc8Fa457qFmtuEYY8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826246798.832344 CKMhv2oB2z1eyRX6d 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826246858.832179 CSHS0H1H0rjxicgcAg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826246918.902298 CJuvoE1YyLGhjELqf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826246978.837724 CMdhHL152FlWWz9vr1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826247038.885394 CJfYiM1E2zyHG1NoGk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826247098.844228 CDvkJz2zlMjW4EqRb9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826247158.856738 CUozuC4RUktVWsM4C1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826247218.840973 C4LIRIHQPjU6UiSOh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826247278.845693 CkW4Mh33uCHmIm9Hdf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826247338.855270 CTjtV749YvoXcl8Nd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826247398.872668 CFEIoY1dUsibWoByJ5 128.3.140.132 2035 194.140.136.34 
80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826247458.842250 CgBkDF4bRECntkASrc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826247518.845986 CWSdwH3KEQ3oqHyRAe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826247578.851689 CRwYxf2x9mIXyPwkJl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826247638.844676 C6IE5b4s4Qoqk5pgni 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826247698.862067 CxyBM33gWvfqTVKzb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826247758.911671 CogwD74Lz7PMpUif8i 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826247818.879290 C93l5e4yKVetWUxmIb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826247878.855719 CWKen9tbdg32AFm98 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826247938.917065 CeCoMC2Dl66C9enIj2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826247998.846648 CQnCV1iF8YjETdeQf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826248058.850394 CYmjX01wozt3Bngyne 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826248118.853168 CvDeSJECATHoiOMig 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826248178.851054 CcfaGF3WOUkVaqaPs2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826248238.858695 C4yqWO3VAbIxES2rH2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826248298.850725 CugL4P2LP2PttPSKNj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826248358.853490 CCWbyI1qxx4x5p9JCf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - 
-826248418.885526 Caiz9z3pIV3Vw8bLA2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826248478.865847 CLlaSu3305zpdumq64 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826248538.858860 CgUrgP2EUQhnVU0mhh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826248598.863576 CFS3FG2WRxrhm1dYj9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826248658.858523 Cu46pf3vovzIOnRuGj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826248718.861298 Cg6txW3WQysgx9vIN 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826248778.859179 CWV1P3151cMujgYXRk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826248838.870699 C2cQQGuP8RfmlD1yg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826248898.875419 C7HQwd40e8TI0qTbCf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826248958.899648 CwddlB7WvzDnYFgOi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826249018.864386 CEDuC91bJvWJYKl6d7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826249078.867101 CbmmXy37yurxWpeoib 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826249138.866899 CtooJF4JHtk2Dew0Vl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826249198.876445 CbCZuG4MmggnzhJmL7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826249258.863540 CLr3hj4nHaqHaIRjSf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826249318.949260 C3LL3aI2IfjynCCu5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826249378.880778 Cn15F21dn89NwMjUjh 128.3.140.132 
2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826249438.919666 CniUKjRyvTYk6WBv9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826249498.916588 CghlGU17ItoPIDGyn1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826249558.883238 CJVKIq4FzEOY3CJmfl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826249618.870405 CjGaO63WQ0GHxJJSk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826249678.869265 CMI1IP3AFxaLd0eVOh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826249738.875938 CwrX304jrMjLIeAM5c 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826249798.879699 C3Mkiu9LkW3gl5KFc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826249858.873691 CAzVmk2t7tdRqXyzqk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826249918.969767 CeI5mjbpx6OYSJkrd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826249978.872403 CWMQeA3cuWTnRkxSKb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826250038.871257 CBjDGy2vGTS1KryS56 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826250098.889646 CuSlgI15ZcagsYuCRh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826250158.872911 CiFQosvqoGjiz52G2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826250218.873732 CuQyJQ1xb6qBH5mv0g 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826250278.874538 C8BMk54ff2CdTgLcB4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826250338.887065 CRoARV3xDWYArG9vL1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 
40 0 0 (empty) - - -826250398.879104 CETFoW1N76CJjEjT9d 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826250458.879920 CTeOjNzx0LGGuuKX9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826250518.888560 CO7Hw14t1CywZ0yUwk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826250578.898170 Czne8F2sr7nAi9C5D5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826250638.880507 CqqsZIhawJagd7XAa 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826250698.881338 CIdqf72xgABNn2nYD1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826250758.997899 CcyrTu1f7iAFTnrVl5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826250818.914243 CrozhMW1WU9fALA72 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826250878.887750 CCvsjuhEYzjznKVi7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826250938.889540 Cvx5Qs2kADc9pywrK7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826250998.908891 C4wohC17dIkpiAbtv2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826251058.901889 CM5Lx21gZyMpPtOOob 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826251118.886125 CM4rP44To5Keaj6Xbj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826251178.894743 CiLI3a139hB8I8ntOf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826251238.889686 C4henr1eVw3EMMJQBa 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826251298.908089 CzhrlT2CAXztbzeFmk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826251358.887436 
CifFNK2knaMKUFXnH1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826251418.918515 CXMQFe5QDnd36lRki 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826251478.896887 C8bErJ3q2mS9xxwSwc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826251538.901595 CDkOR54icnCqIB0tN8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826251598.893636 CJkGixVUU9nbF8rue 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826251658.898345 Cb2zqa3PSKO9Zh9Ull 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826251718.893305 CQZ5a64bHSy6ZYaGoe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826251778.895096 C7yRPv4jexg8uI21ki 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826251838.895901 CDTQan1SsGgBKte2ld 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826251898.895715 CLv8H3vjbMwHcVIJ5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826251958.894582 Cq817s1MTFzkHnmih 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826252018.924681 CO4vvcBZfWsIRgFBl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826252078.901098 C5cF4Q1gr9Sq1DIJw9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826252138.910683 C2XXQN3HVBDKRX09Ui 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826252198.907574 CM6mii17UPgzVUOOSb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826252258.903484 C1miNmjS2Lo1RG2l 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826252318.967273 CStGtB4Si077kSmnP4 128.3.140.132 2035 194.140.136.34 
80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826252378.912848 CNJBsF4nhSDAXQ9An1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826252438.926355 CVDp5B1mDeUv2LkX22 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826252498.905693 CD7fKL2uNfgd9JUnv3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826252558.902612 CCK6ws41WuM7BfinG3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826252618.908308 CC0oNM20B5fEE2iDJd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826252678.907164 Cot7Du210ANamYj5Uf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826252739.201367 C8eIdf2rXg9IZJGZa 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826252798.934171 Cz1Rx629LLmmyzvfF3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826252858.911565 Cl9UtTOVQpbj8EQbe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826252918.920173 C1vTL64Gr0Nv7uAH23 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826252979.015256 Cd4UghVP1yZSaJmh6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826253038.913020 CegO0K37XS9XyGQ0p3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826253098.913839 CyMu0h12iZg1usDPM6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826253158.920496 CeiKu03BGkM33M6hde 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826253218.912474 CuXCbU2pPFsSsDgG3e 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826253278.914220 C5R4aj3pNdq8ur7KJl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - 
-826253338.912114 CL8AQ43cVT3zg9mXVe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826253398.914923 C4CPZlyAhV7lzddu3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826253458.918705 CBbEFo2iNwrO3EmNn4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826253518.917565 CU6agx2rD4wFNvYzF3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826253578.920324 CNf7VA2g9xKfDq3oic 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826253638.927971 CWba3C3KcZdjT76YV6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826253698.918042 CVukb93tlV2MQNu2R9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826253758.960352 C2kJEa2bWgLLSUMV6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826253818.920563 Cc0EBI3i4Sg2p5V1B4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826253878.977586 CbHKU34s9H2DTlSin7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826253938.921223 C79vGi3WgsbTVBMGYd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826253998.924959 CjpfZMPPll5f3aMO 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826254058.922838 Cy1NOD4AzXLyEkvF96 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826254118.925608 CgDsU32KkitFRq5lKl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826254178.921518 CcMyDA4phiU99YuPj9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826254238.924237 CWYF7J1GZoiMLC6p09 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826254298.945549 CwzvDa1UBD9o0gY6l 128.3.140.132 
2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826254358.930755 CTJexFQEEX6Q6Y147 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826254418.931575 CuURcXPy9Yf3fffp3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826254478.927493 C73nFd1kHhSg9H0we 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826254538.930243 CbJW752k4xO0AGgb86 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826254598.927136 CEQVKVBDKRxjES593 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826254659.050546 CBWXZk44HPgXMc89P2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826254718.934655 C8cd7s4s2BP6B2fJNi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826254778.945240 ClH5jbDR1LYIRXd71 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826254838.951909 CaICTV1ibR59BsqEjl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826254898.945901 C8SJ9k39WeDEkTYoO3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826254958.937938 CtUWcL3TWvF8KhVem5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826255018.934852 CyloG21FfI5ZrMVFn2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826255078.932744 C88UNG2NmUgRCRsNue 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826255138.978058 CLVT864ykyCrW11LY4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826255199.037442 C3IHPG3oSm29zc3p3f 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826255258.943011 Cw2LWlnnRKp1pyz1c 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 
40 0 0 (empty) - - -826255318.937976 CoZu1c1NzNQYFKmJKb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826255378.936804 CEpktv1QzqZ01hu1Ll 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826255438.942466 COLt8K3RVsghUlwwlj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826255498.945244 CPNrE51wE94CGcz2y2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826255558.943115 CrHjBv4IxQageHT2hf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826255618.940043 CakBqG2eh8LpGPpMie 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826255678.939884 C8OTyM3QLLANhzAhS1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826255738.946546 ChJeRQ1Fk8dImYddYe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826255798.959638 CZKmJe3BZnVOLOScJg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826255858.942307 Ck0ZIns7FRqEDteY6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826255918.943103 CEAAeHq9NVabX7dsl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826255978.952270 CRSG7beuuCV4Awie 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826256038.947620 CMGTqYUKMiEPlDu1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826256098.952922 C7N6YdogWVuNPxt5c 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826256158.947284 CHmJal1SqsPRLYVucf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826256218.950572 CGV5WX3XamXfeCPIQ4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826256278.950427 
Csdqbs4Gl2KXcYu4c3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826256338.948722 CrSLew3moViFbz1qm6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826256398.955968 CRWY5P1O5XpXWdV5w8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826256458.950944 C6t8vm2lI5YLsixcL 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826256518.950800 CSkk3F4465nT62JjM6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826256578.962348 CySinR2Ukr7K255cYk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826256638.958265 CSmiWy2ijhhZYx51aj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826256698.966875 C5VCTW1d4Y04IFrmyd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826256758.955000 CJHfOa2essjP0bgKz2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826256818.981197 CgqUvZ1nEsLTpeM14h 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826256878.965414 CNHO3k4NgRtiR9LGg4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826256938.961351 CvTDqyv0AzFZYhvYa 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826256998.962186 Cwl5An2Zl1KmfDmeuh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826257058.977647 CrPiC82XSrQHnWbSX8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826257118.972604 CEqAJrLp6vnKEWMSe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826257178.964625 CU1iZ02xS6oIywBvre 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826257238.978134 C0xJcY2DtdXEexKa73 128.3.140.132 2035 
194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826257298.961371 CqqMfq1eRUAlRBVTil 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826257358.961204 ChPlIQn7hT4ielqD4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826257418.988368 CPzlHT1W7t9ae9GYod 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826257478.964774 C8L93h4WLd8rzjnDk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826257538.963626 CUxHYs1Khzuo2rNPrc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826257598.966389 CeAk8k1y2fNlUN41L9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826257659.124337 CNrfn43LSwXw9bRMT2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826257719.025602 CzgGhXxDgtHrQx1Cb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826257778.972750 CPCuNh4yfaVBf03vwe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826257838.988161 CujTOp1hfr9YtLUL77 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826257898.970378 CMfhB12Y3M2xmf2lUh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826257958.970224 CMSugk33CuYdOCnrj2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826258018.973008 CQU75q2w6MKlL7TOw9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826258078.979685 C0jKCV1vJ5dNrFbKyj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826258138.973686 CGklVD3bA0Y144Jsd8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826258198.980376 C6HGJp3SJ9z8NWIWue 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 
0 0 (empty) - - -826258258.974347 ClFEx44Cxokti2M5a3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826258318.979060 CeUHgQ10eSfaPljB8i 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826258379.042341 CtHB5M1FZqEMBsDqmc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826258438.981621 C3gaJq28J9Z0bJwkt4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826258498.980480 CGaqMT2Bkznty4vuRj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826258558.978357 C9Kktu3h8egsI8bXul 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826258618.979172 C4bhw0253RfFe8QQgb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826258678.982917 CkzPML2sTaC8EpDQq1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826258738.984715 CTFVYg3F6kPgvvigZ3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826258798.979677 C7alhG18cdswwf49B9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826258858.986344 CnwiJo3C6bzuaTB2Ng 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826258918.981304 CQZvsX2MZK2MLgB8W 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826258978.987979 C6JDfkEbDcWUF325l 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826259038.984881 CRo99W2oC6tPJyIqmb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826259098.983739 Cf8KoB2oIsPLUEaLTl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826259158.983560 CjsgRCNRaU0bXmXO6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826259218.984345 
C98t3N3vGfFxouiY5e 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826259278.997890 CeJaoEsgZUUehqGXf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826259338.990890 CyWDN9mnZGMJ1saLe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826259398.988756 CvZPT62WfToKxceyEf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826259458.988584 C9pfbjOVDc6OP6iY9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826259518.995258 CkO2bn2PlAVTlrXvra 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826259578.992149 CgaS9u2aLx3wKaTlml 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826259638.991957 C30LxW2Th1gjujVr22 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826259698.999553 CcEJR83FsF84gpOd99 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826259759.002304 CxSX2XRSWdjDgyNz6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826259818.992412 CWwkUh4P2SNipqOgL1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826259878.995197 C2ZaFAfQnfzGByPC7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826259939.010645 CxQLCs4niKD8U6Pz9i 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826259998.993883 CxCf8J2esw472Ielw 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826260058.994683 CuaG7w1ufkC6A9gtFh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826260119.000360 CPba6z3CUAMjAVWIk5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826260178.997278 CfYXN8RcLJE1ncGsf 128.3.140.132 2035 194.140.136.34 
80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826260238.999066 CtwsWy2janmDrrsrmi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826260298.997944 CCBUYR130FjWz8Bg6d 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826260359.003590 CSlCZo3oIlpqVFvL9i 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826260419.002447 CuLqt91wSykza0MUr 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826260479.004239 Cr6BDA1u5j3a1jfbMf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826260539.002119 CznkyN5OS360c7fzg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826260599.000967 Cjlzzx3hDTXYwCCZfi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826260659.002741 CBlqmd40gboMM18XRj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826260719.004517 C4AeuTNzLiWRGK4Te 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826260779.009235 Cg39xa3V4NdPUzWJP9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826260839.006152 CdN9Ip3sqmcRtT6c06 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826260899.006966 CvrdKi3MZkWWOHzZba 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826260959.010702 CsA0Ka1rED2oJVwNh9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826261019.008568 CoOuCA3ocam2A7NYCe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826261079.025985 C8ECoi1gSfd8MF51Vi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826261139.007288 CaRKSZ2vQuFygUO8mk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - 
-826261199.011013 CbH8HE1wAvU9RKMdOi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826261259.012811 CaWQM53kzXuppddTD5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826261319.014622 CTGxwZ17I9IK4IPe7d 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826261379.010557 CZgDR43jpwQ9wjb3d4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826261439.011374 CsA5eg2ZCIorZpTdT2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826261499.012190 CGIniW2GzJdP6AIbJl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826261559.017896 CHDTTo3cs7h0VcRLyd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826261619.030434 CLPttK3P6NNlayture 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826261679.015624 C8XeSi2ysHv635JUMb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826261739.021299 CpApEnPgUSa06tsxb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826261799.057228 Cln6984XP6WQL2a6jh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826261859.016050 CqEAVT1aXMorGMNSvb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826261919.024671 Cg2HHq2uL1cpzLEWOj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826261979.153343 CUrs2G36GBmRYMAeUe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826262039.022404 CYJ0oW3tQfJQCAst1d 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826262099.020289 CN8aXr1Q63uhBnt3gi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826262159.032811 CwFpNj16f144BTWjI3 
128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826262219.027774 CKUInZ3I9NXuVRJ0Gh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826262279.032466 ClDE4n16xMQPvjODEf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826262339.024512 CML1AY3hOt5zvH1TT8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826262399.022397 COlSNEF18pudbNONd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826262459.037847 CYE02G18YwMa6n39k9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826262519.025947 CALuC816KX0SuRA93k 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826262579.053102 CLgXhW3nduerCXCJZh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826262639.027550 CUuqeQ1jV5e1C0hRW1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826262699.027365 Ci8Hhb32NQGkzEhQxb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826262759.030118 CiP0kcArU4JsR0Bg9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826262819.029939 CxrLmv46qzXI9L3Wad 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826262879.030732 C0CuYWAzapH9Y1N9h 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826262939.031549 CDXH4xJCnyb5tOLii 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826262999.030389 CykG4n3Dxwvrk8ST9e 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826263059.037025 CYbdBD1xNg67gOWIHe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826263119.033946 CPEstI3RgL6nRsJ8W5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - 
RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826263179.033778 CGoDMnzCLhEMKVLrc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826263239.035560 CVPyZY3yBTgzZRquV3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826263299.035377 CQghfc2KfUgjWFzIp 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826263359.038144 CHmtZi4dWdmwAF1le4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826263419.042855 Cr9A2y47TA7mm1zpt4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826263479.037751 CnK96q4UmUem8G4KUi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826263539.036572 CVKsXw3ESdgONGrYyk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826263599.037390 C8Cz1kEKMFmaBpwFk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826263659.120188 C1Oihq3c0CnGxnsyb7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826263719.051695 C8e6AA3EEmfxrlaA76 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826263779.062263 Cn8XC64o03t3dm0UYe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826263839.039643 C1gS9LiwgpfSE6c1b 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826263899.054120 CaQlwk3hIHyw5CbUT3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826263959.041272 CANA543bVGTX8nPqc4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826264019.043036 CDqrws3sJtHbatTcof 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826264079.045815 CH9Ezw4lGM8yAvG9k9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - 
-826264139.057337 Clj6pF1D7hB5fnMBg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826264199.045453 C3TNnl1P9wFMmMTNll 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826264259.045283 CoeZek83RtKuXfxN5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826264319.054863 Ci3UVZ1k3npfds09I3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826264379.061528 CuMnFP3678h2jQ7ulh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826264439.057460 CenkCO2hmdyEL8FPKg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826264499.047530 CY2fO53hF8GwkyHa12 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826264559.049322 CGJT3l1VgeuACrsEr4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826264619.060880 CPt6WNG3WWvYoglu4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826264679.071437 CTNsnW3LZuKQ7ybUmj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826264739.055629 CtPqGp3ivrqkDfCHW9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826264799.057424 CDkrrE4xRnuwaOYzB1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826264859.057263 C9tgDs41wRFwrwMHDb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826264919.058088 C9VusU2DYszWdN5lv2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826264979.062782 CovX3L36kxML9jD8Ql 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826265039.054836 CK3H7F2i2EFuRQmHr8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826265099.056628 CcAWbc4k7xJ4cwzFcj 128.3.140.132 
2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826267019.094978 CDsfJ83mBfShtP3ra3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826267079.081091 CtA8cD3dbZbDyD3ggb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826267139.076009 CIMc7c3MIoZBJIrN8l 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826267199.081708 CxfzyB3K82Ybv72ug7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826267319.084284 C4BrGE1jIIuMPtZJjk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826267379.081202 ChTknA2H7Dsub8YRxc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826267439.082032 CFMigc3cSgZsWMpKff 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826267499.082824 CLt9861h4kL32m3j7f 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826267559.080678 CZz5Al2VYRjHdflA8h 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826267619.117602 CI8Whj2h6r6LcSfVub 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826267679.082308 Cj7NVNNrbAqyXqUw5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826267739.085073 Cy6tdt3KfDywtI7Ob2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826267799.084918 CrAxoy2GoejEATJvDh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826267859.091594 CwaLTn4LXluo7UvqTf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826267919.092401 CZqwGT2kwjPGescsFe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826267979.095153 CFKxJC2R9cBSw9fpjf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 
R 1 40 0 0 (empty) - - -826268039.092073 Cpso3f36rgNdVupv79 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826268099.101672 CppBrMUywKphAbms5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826268159.091753 CkGInR1qK0eOnMHvkc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826268219.127714 CyGCzw47PTvCscGFQh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826268279.089493 CKRgKA35Bl8MptEZ98 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826268339.241580 CidM6JqQOb2FHVtUi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826268399.095944 Ci9Qqo4Mqhkhd7qFZb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826268459.097696 CHY8RiUHiFhKhES27 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826268519.100469 CjBnuMqmiaV3z7i7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826268579.100299 CAZ39E4TQkxd0lBVNg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826268639.100120 CLuA6a3JjPP1pqXDgl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826268699.104832 Cx3A5Z1dvTDKH5xurg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826268759.094878 Ct5q9b3OYGNtBKVNSb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826268819.097657 C9WYFL3vuvOx7uhvxg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826268879.097488 CPMkCm4JEbNgyx5Ewd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826268939.103179 Cva7PE4j6kICfsMksa 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826268999.132280 
CPfswM1AJyRPS775mf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826269059.100881 CVLcgX1RZ13gUgyf5h 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826269119.099763 C42eDo2F7NJVIz04oa 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826269179.100583 CU2ANA1Yt4ObqJFRY9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826269239.111149 CX3IPy3pUxul2z02q6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826269299.439902 CcoTmD3IHZnRv6mtOi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826269359.264070 CGT6YF1SsJIs9T9lnf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826269419.120439 Cqlwx01oD12uO94Ib8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826269479.103684 CDLOMy2vjf76gI0rEb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826269539.222577 C1YUOM3kd8rSJQYu4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826269599.267269 Cu3NBQsaY2BAcBVN7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826269659.148995 CUSG2v16HRuh7yK0S8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826269719.104862 CJ0hRn2MsrZOv31smh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826269779.127139 CqGMy32Z8uKHOnELh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826269839.115267 CDWB1b1haIEHVS9sb3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826269899.113179 CRAZht1smUfIWWMRsl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826269959.112020 CBWnVl4AhC2yViYHq6 128.3.140.132 2035 
194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826270019.108940 C7viQw259LpLw1bef1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826270079.151713 CWeakb4xAgF95QleOe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826270139.112488 Cay5bn2vtLHX9KwOje 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826270199.132810 C5LNRFqO8x4l43CF4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826270259.112162 CIhkRr4eHA71oq6BC 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826270319.135418 CTggH82xFpM171oygh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826270379.141103 CNtx0XvYoJ8ljgsj6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826270439.127287 CqKkoXjDIKqwN4xp8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826270499.117371 CN5oXL1vK53j2UehWc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826270559.123058 CyVWZ63RmCoT7Jda67 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826270619.126776 C4wshM3dMV4pJySvXi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826270679.121718 CDROSq1z8LAIXNUmhk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826270739.130345 CcXZsf1GB9mlwwT7F6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826270799.119478 ChGADDsCZhKs9BcFe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826270859.127121 C5pIAZq3OcXUdJVx 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826270919.123056 CVxCZu2vfyEgzJTSZ4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 
(empty) - - -826270979.122865 ChhFkQ36rFvb52Ye61 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826271039.124649 CR6t1A3SZnlSLUonm7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826271099.126441 CHYPfS2TDpyiCxWKY 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826271159.258051 CpjaKw2UzL2pMQIdsa 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826271219.127113 CPiEgIQRKv8QZLRWf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826271279.124989 CsMqt73dlmRROjwIUe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826271339.312208 Ca9ZmG4i82iE2d0YR3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826271399.140270 CxR52Y3GzT5T7QPGrj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826271459.141075 C0m7qm2cK3rhFZySFb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826271519.250200 Cq4vle2OoD0gt9mBd6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826271579.409125 CiEIqD3A03Z25mZpP1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826271639.133701 CcxfVg2FUarIYu7CT7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826271699.173537 CkftvZ2kq3sDL3Kco8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826271759.143099 C9nivj101nFcyZv5A5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826271819.143934 CtefJ6ox2Y36z8fU2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826271879.135946 CJjRzu40yZQmdLa7af 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826271939.145541 CdEhA81a9gr5DFlDK8 
128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826271999.175638 CpN0AM1QmlCca61py9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826272059.134518 CEdPh92zmv83S2Nkl7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826272119.147027 CN4lI43Zc9ELnQbdL9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826272179.165321 C3cZ3nRZ7QcfNlcA1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826272239.165094 Cfd5UC4SjyBeRgJLE5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826272299.148322 C22vJE3gkYDqoRi69f 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826272359.146201 Cyv1Q53irT6Dh7AgHc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826272419.156786 C3UJgq2A2RTuKRgt23 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826272479.147862 CchdFNQuAo3IiP823 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826272539.253121 CY3Z1SRmzjBaIwPZb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826272599.142672 CzZawy1pgVAgYUyYKi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826272659.190310 C3sEsF3VPXkvtnrzU4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826272719.281883 CiRblW13ZKi1thxWQb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826272779.149966 Cu35wahBF5Imcilk8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826272839.205443 Cm12m71K09UdwP4REb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826272899.287243 CFwye24v2TzbFWF6h2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - 
RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826272959.229489 CDWNQu2lmBr3AjHR5l 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826273019.146353 Chn0u74Z84C8gRRMk9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826273079.280873 CvBNEh2BX7uj2WBB4k 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826273139.194825 C2wkTtkbOqgitNpie 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826273199.225903 CqelPd3lByl65cwW0i 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826273259.252096 CXXaK91JJmd6qlH3g2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826273319.162128 CeyA8eddGDVUGHUud 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826273379.159026 CDavIt2ice9TjDxiA3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826273439.171553 CkmozifGdEBYaNd2a 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826273499.155754 CRFhntGpfiLw8Pv0i 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826273559.177995 C1dZ433UvCCjRtEjzl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826273619.166103 Cw2cfZCugd0Q63rI6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826273679.164928 CK4u8R36tgECdnBZ04 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826273739.212569 C6sJ4j3d8WLg8YnFO7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826273799.387098 CofNlYPxkrXg6WnY1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826273859.390835 CSMq1t4LlwsA7FZxzc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826273919.382854 
CJXpd22FaR9f85tITj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826273979.901520 CnKf1OWDIpFR3yip4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826274039.467417 CjIFm71sV0Kam01oac 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826274099.227156 CcdNPj2qOnTcLkcNej 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826274159.250414 CdMKxC2TJXnB2ycVhf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826274220.639673 CKByou4dCuNE1OUoPe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826274279.311579 CAUTzU3lsdTflOr7Nj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826274339.187456 C7Ur701fO8ULRsKar 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826274399.171677 CeBTMV30QJxZRtURgj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826274459.276903 Cczxwh2v1MVpMCkWf3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826274519.208411 CMgjaQencP0Pv3kqj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826274579.166270 CAcVss2KDF0ton5JIh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826274639.178783 CBHupf4ZYdpKEW6qc1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826274699.193243 CVm1PF3PnRHFuJuSKk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826274759.247733 CA9q8t4O0VUp7uhQWl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826274819.455453 CcpP2rwrG9PfcdDki 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826274879.173217 CZAGCb3Fu0tfU51eD2 128.3.140.132 2035 
194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826274939.183773 C3b81P1uqoaf5M4IXi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826274999.291933 CFjfL12CkVQIBjKvb5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826275059.171716 CIuGzw4zzngxgGtPed 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826275119.176430 Cf2Jq43a5S93qH7Cx7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826275179.189919 CTMTvD2czD52f1cpS5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826275239.245368 ChIy11cKIY7wF59lb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826275299.176864 CS6FIu9dD05jdClR8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826275359.180574 CnNZty15Hqn2xhgJGg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826275419.174541 Cn8vaY3NVNZcimP1K2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826275479.181199 CxBtUd3YCJxBhKCNV6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826275539.177143 CpBKFj1oWgquf8Jq5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826275599.302874 CQSFxVDVIk4IIuHV4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826275659.277325 CZUtzG1SNOonX286De 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826275719.190276 CbDLnv3P4wxNruySI8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826275779.245738 Ce2gy92a3Zdxn8U5Q 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826275839.184073 CAmLMR3rs3nnp7BC7e 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 
0 (empty) - - -826275899.188765 C9ni9syojCRMsSjzd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826275959.183704 C0B0K22KRamKeoqSz6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826276019.182550 CY5kdp51F3oeCijJ9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826276079.189208 CJKWcFBAgZzVVtF03 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826276139.187077 CY2VN44UarHiJwjbg6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826276199.201536 CQxEWi1F3d6K4qjmb5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826276259.191597 ChX0Vn4uasaGJIe7Fg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826276319.218739 CxO0Uf4uUDyFU7u9l4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826276379.186349 CzY97244I3S03VcMdf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826276439.283767 Cl1tlc2gLRTcw4Bcw7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826276499.197714 CjhFfB1x1TpkFpuwN 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826276559.229740 CrGRrI1ZI7AGukEkUd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826276619.195407 CHkdVF40CArtrW2IMb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826276679.191323 Ch7MMq0yqytJoNWpk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826276739.195159 C8INLO2H6kVl0oKAEc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826276799.217455 Cax5UJ3dNqfI1V9N38 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826276859.244611 CavCYn4sbKc30BxpQ7 
128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826276919.195650 Crf81W1wnKqCkmdQQk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826276979.196463 CvGWHB3BSp1gpHFFKi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826277039.286081 C0Q2If35e26kj6oqL4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826277099.213676 CviTe74vjHLLx7AISe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826277159.197878 Cf0ZeH1gKEDckEkJV1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826277219.225014 C1hQrk1L844cx5tTNd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826277279.235554 CBP3Hu4RKc79x58Y2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826277339.221727 CUbAnm2k9C1iEtTmgd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -826277399.202051 CkWokd3nscpygp5lIc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 (empty) - - -#close 2016-07-13-16-17-25 +826191058.128321 CHhAvVGS1DHFjwGM9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826191118.129144 ClEkJM2Vm5giqnMf4h 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826191178.297416 C4J4Th3PJpwUYZZ6gc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826191238.140114 CtPZjS20MLrsMUOJi2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826191298.137032 CUM0KZ3MLUfNB0cl11 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826191358.243247 CmES5u32sYpV7JYN 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826191418.144505 CP5puj4I8PtEU4qzYg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 
0 R 1 40 0 0 - - - +826191478.189218 C37jN32gN3y3AZzyf6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826191538.242710 C3eiCBGOLw3VtHfOj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826191598.142982 CwjjYJ2WqgTbAqiHl6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826191658.206258 C0LAHyvtKSQHyJxIl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826191718.141676 CFLRIC3zaTU1loLGxh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826191778.139555 C9rXSW3KSpTYvPrlI1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826191838.160870 Ck51lg1bScffFj34Ri 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826191898.207550 C9mvWx3ezztgzcexV7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826191958.161501 CNnMIj2QSd84NKf7U3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826192018.156454 C7fIlMZDuRiqjpYbb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826192078.143576 CykQaM33ztNt0csB9a 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826192138.157070 CtxTCR2Yer0FR1tIBg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826192198.209621 CpmdRlaUoJLN3uIRa 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826192258.213369 C1Xkzz2MaGtLrc1Tla 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826192318.168316 CqlVyW1YwZ15RhTBc4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826192378.142768 CLNN1k2QMum1aexUK7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826192438.145514 CBA8792iHmnhPLksKa 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - 
+826192498.211725 CGLPPc35OzDQij1XX8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826192558.254519 CiyBAq1bBLNaTiTAc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826192618.151880 CFSwNi4CNGxcuffo49 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826192678.152689 Cipfzj1BEnhejw8cGf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826192738.148612 CV5WJ42jPYbNW9JNWf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826192798.184559 CPhDKt12KQPUVbQz06 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826192858.168774 CAnFrb2Cvxr5T7quOc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826192918.151045 C8rquZ3DjgNW06JGLl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826192978.149902 CzrZOtXqhwwndQva3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826193038.200491 CaGCc13FffXe6RkQl9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826193098.159328 CNdne23ox8SQTgPoy3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826193158.151344 CeGt004UBsXLoZSeCg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826193218.158016 CTrywc2ra7tcWn2af 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826193278.162718 CzmEfj4RValNyLfT58 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826193338.440718 CCk2V03QgWwIurU3f 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826193398.155563 Cgc67J2CpHIVN7HAw4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826193458.258855 CgwPkWkJfuBIJsNi4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826193518.163043 
CImWJ03GsvPvA0P67i 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826193578.166776 CKJVAj1rNx0nolFFc4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826193638.349114 CD7vfu1qu4YJKe1nGi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826193698.277702 CWhRtK3eXodviHmbo7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826193758.259000 CqVUM4vyqCacqFiud 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826193818.167095 CudMuD3jKHCaCU5CE 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826193878.266468 CRJ9x54IaE7bkVEpad 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826193938.404902 CAvUKGaEgLlR4i6t2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826193998.202719 Ck78JG32Y4I7AGp7Vb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826194058.784259 Cgwg7Z1MHA1YkiZmm3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826194118.356593 CDNchHwRoXhVzzHB2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826194178.167100 CeP1sc28dOzbbYkbA 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826194238.165957 COOKv01AQPAqfGMN9k 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826194298.195067 C0JEpR1Ij6308CwEhh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826194358.251498 CQcXCjONUKqMfnhXb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826194418.279634 CVcd914ZFpaUisaVf2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826194478.176984 C5pL731XEkARXOq253 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826194538.254895 CB0Ovs3cNZgLQ93FSh 128.3.140.132 
2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826194598.272308 CM4z3Z2rdNfyHYQ0Df 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826194658.273130 C1dGa34JRiYAKbMI0c 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826194718.258333 CtEfXf4f39NRDu1Dr4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826194778.255249 CdY2UF17xGQ6lUx7e8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826194838.176031 CkD1144ZtRYffh5zjg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826194898.187592 CbI5Qt4rlFnOHuL522 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826194958.284053 CjGaD11BLkmCG5cEVf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826195018.191134 CdGkzc4fIBRo0721v 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826195078.186092 C1ejhC4SXsZ4pEdOd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826195138.181047 CisPKv3PhjrFFhZbq7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826195198.277505 CCgIHR2Vna1ZW9BPjd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826195258.191452 CWqViP2k4EKfYWy7Y1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826195318.276192 CBr8Cp4juBTcRQZAA4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826195378.246741 CWMTYT1vZEQXErCXY7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826195438.187041 C9Mb033HGlhETKxUbj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826195498.328394 CGwfOa4GYyzNItzc9j 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826195558.260878 C4C8Lr4DOGUTRZPAW8 128.3.140.132 2035 194.140.136.34 80 tcp - 
- - - RSTOS0 - - 0 R 1 40 0 0 - - - +826195618.192392 CfQutTEgs3g8sUrsa 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826195678.183445 CKvlqe4bTVu5HNGrb1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826195738.336498 C04EG53Yaw6dgjGT3k 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826195798.190914 CdzNo91LLZlfe0pmT8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826195858.193703 Cb2Rv3Wek35VDwxDk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826195918.289198 CsLUyBLEs5x3GKtgk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826195978.194311 CF00uX66iWHtiV1q1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826196038.286860 CkVqlMyWLZSpdNcPa 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826196098.237900 C6Frs83UqNszgcqN15 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826196158.192843 CQCAYJ2zCov16vZwf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826196218.198534 Cil9Tc1rwfQS9uqdsb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826196278.201302 CgHhMv2Ww0Y4oQNtd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826196338.294847 CFTS591Wnlb7gnrpP7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826196398.194157 CoVJDI3K3qTiTnPoV9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826196458.194955 ChHNpz2Xf9xMo2lnC4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826196518.242601 Ch5tsG3OlOd7l83JFc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826196578.363462 C3AXaL2up5k3PR4VW4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - 
- +826196638.194463 C2qZRm2yQg9RoQNkVg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826196698.220656 C6tA8aOk3QI9oIaHl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826196758.207790 CggxJkLPcdPyKjfma 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826196818.238833 CI5pddk2aeicnmmoj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826196878.202555 CKpb612OxJundLAeRf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826196938.212156 CcwXC81REVUrKprLz 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826196998.239313 C5OBjqCVHlPAjKQXi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826197058.200122 Cb7w0T1dHZUPXzdgRi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826197118.310249 Cuhrwt2ypWdmhxNcjb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826197178.309093 CJmTVn4YcEf19Wo137 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826197238.207420 COvnS21VmREmS5Xzuf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826197298.208237 CpKJJiDUPEBNMGSC 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826197358.217839 C5II0Z3yZFhDzHSKrl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826197418.275266 CQ7b0y4Vd4NVQ3nJRi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826197478.334646 C68HZHafWQbOYWkYi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826197538.212478 CX9xXW3s3cSCaIB9a2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826197598.225962 CUTgljebkkh2Ydhzi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826197658.309739 
CsnMLaDyNeIqxq6i2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826197718.241266 CuIjKg2hEOBmXsIvx4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826197778.378715 C1alUz23K74AR4WZUc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826197838.344394 C9ywcdnOP5TLfD97e 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826197898.249569 C7aJ8S1bYoBzPdxRDb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826197958.398725 CTISqXQMVxGJCVG2i 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826198018.215078 CjsoT83JnYI2Be2f8j 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826198078.218834 CohWkh4QvZcB1WXOVe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826198138.216728 CL7JR54e4lOc3aUAph 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826198198.217548 CS9xQJ3Jly032E9jC2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826198258.267159 CPOg0SZxpoHbNzpG5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826198318.222088 CgYh1L1mwsOxSqVBu9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826198378.269737 CPEPje2CwXXxGGPo27 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826198438.216854 CIWOQa2vaf6TxyZ2Jg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826198498.219601 CqyxRG6TRKYW41Zz5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826198558.233108 C3HR3r12iwKiqXa9c 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826198618.222208 C823dt2fd3qQ26XyU 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826198678.234721 CalQkN3MoYim6AEEe4 128.3.140.132 
2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826198738.223849 CzZuKd2XEy2jlcWqT6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826198798.377868 CVgpXQ1plHZSjZoGq9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826198858.273279 CPnPwW1vseaFvOVKZc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826198918.231128 Cr5ot64fYu8c0wBtik 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826198978.225059 CceZRf3q969iOibom4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826199038.226843 Cfv1oI1ypkphPOMD7g 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826199098.229611 CkgPZ03tcwpxYjnOSc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826199158.229450 CeYlkM3WxZVUmujyB9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826199218.227329 C8yjkq23bmUk9MkLf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826199278.340384 CevQX3116xo72LIoK9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826199338.231893 ChN5cQ1faCW2xBl8Ki 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826199398.231727 CjTrQkID6Z2SNK3ha 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826199818.339795 CA4o9G1CB2Af4WWhCf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826199878.341563 Cf8FAq4I77xaBMSVT9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826199938.340438 CPjxvb4XleEtywR72 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826199998.238772 C7XVqL2qUJ1enNZYag 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826200058.240561 CjqWgiHlaYFi9YImg 128.3.140.132 2035 194.140.136.34 80 tcp - - 
- - RSTOS0 - - 0 R 1 40 0 0 - - - +826200118.239417 C1uJul2gbxeDRNFura 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826200178.241203 CbIFhV2t1dFcA47mxb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826200238.243969 CAy1xs4SqOffMYYoi6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826200298.255520 C3sUxYJbMLLrlkY2l 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826200358.245608 Cz7T4t4CVp8k2htbIk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826200418.241558 Cqn0E64YUKHGEJtXE9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826200478.379987 CwkPvf43XtOGn09xUb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826200538.687256 CQKymemsGWxk8qNhi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826200598.867643 C4DpKm2ihMjo33xAK9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826200658.261374 Cx1J5T2RlUHdnWX4P7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826200718.287570 Cq5Tn24Flxl5ykcPB4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826200778.408439 CBMc5Bq8xeq3TqHyl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826200838.424863 CwalhH1EmkTCp6Z5oj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826200898.441277 CoBPIr1bmfwOHYS8k7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826200958.658763 CauDdy1kS45qWx7Jaf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826201018.254540 CeivHI16nJNE1XoDn8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826201078.268039 Cwks1t1XCX1VVKWlui 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - 
- - +826201138.255207 COzc1t4726TvteJAq9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826201198.275551 CySyNg2Q7X5Wig9qXc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826201258.252935 CdHHGD21PDk8qHCNZi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826201318.289854 CytmUVLD1AW7Bjdda 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826201378.426313 CyAz9V2XDShWvc9X85 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826201438.335369 C9mSwv1EoAGeQwdxia 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826201498.320561 CSqd0W3t872JJDPQR7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826201558.320384 CBdUFS64H8SD3CRc7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826201618.267492 CXmENaHXj6AAZ6z67 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826201678.371750 CHxNzE4i1HGC9aNQb8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826201738.266200 CCOssQ1lVW9L4luov7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826201798.263102 CH4Zqaz7LIoXnVdx6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826201858.260975 CmYN6N1hsT2MgdKQo9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826201918.266689 CkH9U915OzOOjvkSJi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826201978.271412 CCwJVWbbaSCkRe2K9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826202038.344449 CRGnRy2aYiKuVFnIG 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826202098.825455 C3JRhD4EKTLL9ETgB6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826202158.956074 
CTy7qulV8eG6LkeUd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826202218.304913 CUN1fq1Nh9yg0qjEZk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826202278.282291 Cy1IPuLzKTRb2fGF8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826202338.312374 C2sbOw4qh4NrDdHRH2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826202398.465444 CsTLYp3UVyKHvvF8jl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826202458.270082 COJL3m2IFflzZ1Cvdk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826202518.370443 CAR8U13yNQoRQJZLcd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826202578.275607 CYXkGL3OwfyucBURVl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826202638.285208 CfyyuF35s6IHIKaPy1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826202698.272334 C6lrWz3udBitB6moKf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826202758.277055 CJBk991FDSqc8wRBK1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826202818.279800 CeoHSa1uBAQlDI3FEe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826202878.415282 CnB5fj2ShUFnGngqf8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826202938.279472 C850go2IsfiAcSGCfc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826202998.275417 CRM6Kv2JvySZyj1qrl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826203058.292814 ChDijs42aziwiDYP4c 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826203118.283859 CiZMlr41UYw4zUSiH7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826203178.277842 Car6PO34Q2yGqFhtw8 
128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826203238.279637 CwUICHbZAZuWABr9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826203298.293148 CLvoof1o65FluhXQI6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826203358.339838 C45NxP1qI6S5UMi6Ta 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826203418.287944 C73cNq1ss4gZpfV8Jj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826203478.446865 CWnddL27sIwroPwU4h 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826203538.287610 CwP7As3BK8V5lwj7D8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826203598.284519 CaEkUY1AI0qcJSl8Cd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826203658.453200 CBkOwg2KK7rXFXUTmd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826203718.292998 C0u03i3hv4B4fSd7zg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826203778.296740 CITjhO2n7PZKsy3Mw4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826203838.288761 Ci0XPI2JfTjInNGHJ7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826203898.288604 CvRIiA3mohju9nTku6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826203958.306005 CUAWQS1YtxjDhtxxte 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826204018.302916 Cgcc4N2eKsv3m3nA87 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826204078.295923 CWT4zv7sNwj1cnBeb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826204138.292825 CylDMs45x5z5lRx9se 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826204198.293633 CT4t8k1zeBe7ZRUBg5 128.3.140.132 2035 
194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826204258.303229 CQHUiY2AW9ZT2iB0x8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826204318.297196 CZvB3g1drtq6h6KP8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826204378.332142 CBeoy737B8VrP0iSS6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826204438.374915 Cs4vHa2laJaNpjym2a 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826204498.296670 CYwHEGkAUO1v9YGk8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826204558.295509 CzcPSa4HIZVpmSAZQ1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826204618.307043 CmVWUQ1Zj8v9tk8Tn9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826204678.296142 Cyyy781JVg92X5mDUc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826204738.304744 CMU7t24bL4QMZtMO2l 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826204798.310410 Czv7tI2Aq1yfgdryG 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826204858.301417 CR7XxA2W5vLwE5KTs 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826204918.303191 CmDpIN2aFGjiOMOJWe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826204978.324493 C5p9eh4XiSATtqsZi5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826205038.300903 CVLeLf3d954JlCj5Ch 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826205098.305623 CUeKfb4nbjydJsNdId 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826205158.322052 Cekrs3zkM6eSou1mg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826205218.303340 CUVPVWOtpPH13Hfck 128.3.140.132 2035 194.140.136.34 80 tcp - - - - 
RSTOS0 - - 0 R 1 40 0 0 - - - +826205278.385157 CfhuF84Ji7AdXxsAA6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826205338.307892 CgfSWCkLmMlaKMWUl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826205398.364345 CRYwli4VJ5IlPTDWIl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826205458.311479 CguHTc3ErOLWFoQyBa 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826205518.310351 CpDj0c1fnKaDIGyqma 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826205578.312118 CF5tR03Af5y0DJD2he 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826205638.310976 CbaJQC9l9K3ELB1u1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826205698.312761 C9xsW63PP2wB8hiDUk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826205758.334077 CzWoyC1HE4FO1zdT3a 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826205818.418825 CyVhox28QHRlYRbY9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826205878.319114 C57jQA4eBlGbOkJ0xc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826205938.317005 CimLTH3Vi2F5nxs6Bf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826205998.320749 COlS4I3p8lZG3vxBag 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826206058.316670 Ch4OGK13MCwxE2a1O9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826206178.372932 CzTeK32euJBRHTY2z5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826206238.321042 CA1qPq3zXlCZGMTF3d 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826206298.327724 ClzajT3YA0FYcHeIsi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - 
+826206358.322675 CoW1ycpevZQjU9uK 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826206418.433774 C4mAqd3q1os6WQrFGi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826206478.335035 CoLfC03bP9cbW0s7Cb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826206538.446151 CDZen84XixQL22chD7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826206598.357171 CEUdRVRpBWnzWSuJl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826206658.324795 COUblG2yCsr6J0Z8k3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826206718.330487 CtAsd2ykOOaUv0sel 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826206778.331300 C8iXoIHQrMuYvFD7d 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826206838.371150 CEZ4zB1w0bcdFufPv5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826206898.501767 CHwfwB4tWYNdiXgqj9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826206958.338610 CpXYCp3HhrY4ziK5w6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826207018.353094 Cu3mx7WQp10fiKvVd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826207078.357820 CJK73d2tv5bceelJs1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826207138.439665 CiBJbd1e77zhCc8o92 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826207198.330243 CrDDne3jAfXkyEZLZh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826207258.399375 CrtbM81EwribjjBbs6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826207318.339670 CinzyU2OZ3RzfO3iQb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826207378.337548 
CdMDAn1K65PDClegO2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826207438.341279 CL72Eb6pZzrrF1MPc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826207498.337215 CTH9yVeqRZ7hCysmc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826207558.342907 C7dQb6wN8PS99nDpc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826207618.357377 C7zVw01Vz6Gp5SUxgl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826207678.467498 ChrOVe26x8jzyNa2uf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826207738.447804 CNSAUE2BML8biNfBQ 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826207798.341241 CNJ4Xn4VtXlynW3J3a 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826207858.349856 ChGNUG3biEoPUuqOa6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826207918.418989 CXw2CyoyLEXO1cDi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826207978.339771 CjvpgV6kqW0852q3f 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826208038.347415 CxUw172WrEAdzXMRL7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826208098.425324 CeRlLB2HA8cgJm1oe9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826208158.352927 CkQkiC4YuLauG6WZEa 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826208218.344948 CfgLCv4QFww6gvQ87j 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826208278.344772 C8jLEg3BRmkSv2OTHd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826208338.350459 CGCF331JLuHl54L5rd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826208398.352240 CWBzQU3jlmCFJxIvW7 128.3.140.132 
2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826208458.448653 CuQnVY1S26nokuHtw9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826208518.346965 CDLpxA3tPGVgwxSem 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826208578.371204 CqWOXg3fwJ6pVRPP41 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826208638.382748 CH9f4S31R76ubzMqXl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826208698.354276 C7NKKJ363Po1sp1G76 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826208758.393143 Coa3vE2Wqxw7XtPyaf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826208818.351978 CPbwgd4HAWmMrjHmBl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826208878.364498 Cg3va11ZQR3RERyK2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826208938.434595 CX1G5j2XAjJVbgRRYg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826208998.354384 C1BbhC2e0BR83RHPhe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826209058.435227 CBMwL219aumFxhrnzd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826209118.356985 Ce8sjQ1yXYbarn3Mv 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826209178.536399 C78sjv46n0JEJJ9Ixa 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826209238.366407 C2z8sX3Zt54zcv7nHb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826209298.357460 CrmZ753z4MFkzJPjfk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826209358.367044 CmZgh34NMetxae8Pm8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826209418.459570 CtsyPdY3mkmf7kLb4 128.3.140.132 2035 194.140.136.34 80 tcp - - 
- - RSTOS0 - - 0 R 1 40 0 0 - - - +826209478.362786 Ct0FdeHeoqV11oqi3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826209538.816451 CHpfPUBDLI48ElQX6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826209598.447358 C6QeBz4zMAkwfJKzp8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826209658.373018 CvZvjb1h22zExFA9Z5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826209718.371878 CQnxI03CHdqwafO4o2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826209778.369758 CV85Bg1jB95m3NCt2b 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826209838.378365 Cpa0UQ2794FcjpykQh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826209898.371356 C9U9nP2cjbHpr2TZZc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826209958.412180 CIkXHw1k27sxdK1IL3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826210018.593545 C6sQTZ3batj1lRDpFf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826210078.395223 CrLzH72bC4Py0O0Pw9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826210138.522899 CwByX11akVrJXiAL89 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826210198.386118 CMrmZC4fwKKms3eVfe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826210258.375204 CIMbgg4rrK1rYO007 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826210318.372116 Cl92e44KbzduaHbhyg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826210378.373906 C5yYvFfVOJPVQqJWb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826210438.392281 CaIW4B1CNbhrY3Z9P5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - 
- +826210498.466302 CuFyuJ3RcaoYD2YSlb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826210558.373412 CkeuvB3U6Z48hwsmd7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826210618.381066 CmZ5913VmiwYcCMsV9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826210678.444343 C4iWMr1o5OhwPrp8sc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826210738.786745 CeVw7f1PrVOGyux7f8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826210798.378604 Cv7Ojs44cHurW5mca 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826210858.393065 CG1IZO2kmbIytfrjF 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826210918.388978 CFo4ijFpPMOaVkxyc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826210978.524464 C6aRsb3UekWRpglS77 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826211038.380818 CFOKe2YkWP7etA8pi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826211098.456790 C37mAJ2U5Kisle0Qgl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826211158.595216 Cgjcpf4p7v2QzNmLSf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826211218.386167 CH7oxC2LFgxSRkfdi8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826211278.396726 CaQ3deHsj3TrWL6J 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826211338.568337 CHfOyV1EmktPdJYs1c 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826211398.491118 CAP1W92itot6anqOh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826211458.395342 C42zWs36ET4H6JkMAf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826211518.504492 
ChCctc1RXXIqfN02T2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826211578.416483 CMIGG63blVyQrgtKZc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826211638.390960 Cm5hUStLXU9qmc9oi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826211698.525482 CST4021EoQxELJXa23 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826211758.535067 CEUV1F4e4X7KZmIQjg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826211818.464624 CMXu7r17v95iIWljHb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826211880.427357 Cf2iT43rdptpnlRFaf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826211938.496475 CKee4U3Z4oY4yRz57c 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826211998.412364 CyyAsI1bENRZJHsPxi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826212058.558577 CFfE5G2444nCYFZKB2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826212118.608187 C3qdoZ1n9Z9JKjUDzg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826212178.505544 C8F0wsJvnG24pWYob 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826212238.398986 CeHfJV2oKMDd0Y5Q7i 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826212298.417363 CnDV6B3aFu2Rig5pDc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826212358.419147 CAYs6PGpPpvE5HD45 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826212418.567316 CnYoeO12NNlpv8vJw5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826212478.954585 C7qhx8MH4aXtRLCz5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826212538.490773 CmqlEJhGZCyPSVeVg 128.3.140.132 
2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826212598.433975 C30S013blQYUkUFuKb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826212658.488438 CfUaZj2hvTwscPvXpa 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826212718.422866 CI8nPFXkU5AYE84Ei 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826212778.479312 CtnR3q3r0iCKvV7N7b 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826212838.407898 CKjWKd4Mq2FDzB7lNa 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826212898.595122 CsmwQW1n5WCKtRZWOa 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826213138.524203 CisUSAKIZdFFX8lWh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826213318.422154 CeyYdH2Qfmpzbjsr2h 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826213378.462951 C0i55oDRpoYXbScq 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826213438.435434 Cog8rV2Ws6Hv7UCGta 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826213498.448913 CW524A4Jvs7LV4nSi2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826213558.431157 CZImj8vHpyMzhT9Xh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826213618.429994 CZ7qJ91KzEqUNJwu96 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826213678.421046 Cz0TOI3Oz84uu7WmSc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826213738.417958 CpkFh021CJKOiZXyPg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826213798.461704 Cggyq72pcsVl1twmKc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826213858.459578 CkjjDD4mVrHaOHrTpb 128.3.140.132 2035 194.140.136.34 80 tcp - - - 
- RSTOS0 - - 0 R 1 40 0 0 - - - +826213918.542352 Cl2Pp43hVt8yeVkbI9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826213978.451395 CXahDdeDuBzEqAb1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826214038.428786 CTecLV1manIXTrjAIe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826214098.423739 CsLyVu1YU7im0wl04e 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826214158.438205 CLYYbS2z9Ou3vNkkZb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826214218.450701 Cpj9DeO0yZuq6Ute 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826214278.423204 Cc8BePGbhxSxkHHjf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826214338.476713 CwYtAfMvzk9Fod7cb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826214398.556580 CUfWl31hYnv6Wwvt1j 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826214458.448105 C89fm75JmUuUqVjL2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826214518.471366 CR8db31SCvKcWQu7se 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826214578.803035 CZ5SE92qMLKBRvXPTg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826214638.471966 CextRf3AOZqeA1XkZk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826214698.459073 CTPOjD2rPLS9mqWtI6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826214758.622869 Cx2fdd4vASV4hGNamk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826214818.450923 CxO4Hl2za3S1dI7BF1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826214878.554209 CbTCX64fnBOz5Rnss5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - 
+826214938.443726 C7fmrSMRs5eEbiXEj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826214998.442581 Cfoam51KJQvseaC6O4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826215058.447292 C1Cfql1xwhiHqaEiGk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826215118.470537 CcKAdX2Q0thi02ReMe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826215178.443043 CR4uj7veM5o7mhLT2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826215238.472167 CM36EW1l3dYeFyEps8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826215298.434914 C6RIBPCLUqy7QrkG7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826215358.444512 Czd0jk2Saz3xxLJsU3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826215418.593672 C6IvVK1opBeZQ7AQ7a 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826215478.442217 CUDpIg3BIilKU95Loh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826215538.446917 CYSUaV17LYTkbrEVpa 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826215598.440880 CnSEAH1VZnpGoxnDPb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826215658.447537 CNJWdr1axp5uTe7O79 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826215718.497136 Cd0PwY1sOnxvxlpOUd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826215778.541854 C3plZ01VSnQwnkq1Ce 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826215838.718352 CF0xAHahJVVCD5Fi4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826215898.652795 CTPJGE4d84dfLkqXCb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826215958.455473 
CVuUh142e1YgH4Ofll 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826216018.446512 CLMQOF35kFy3YN5Xx8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826216078.459038 CuMT6LYNk1J990vRk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826216138.454975 C1Almd46wwAwBRkkE5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826216198.451877 Cx2o7z1ve2pwRELwm2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826216258.478050 C7ORHD2Ge1bznHOYxb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826216318.508142 C1hBHK2Ako3EciFj8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826216378.615328 CAKOnF2dhpD2lIpMW5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826216438.513650 CsVB753IMy3ksnCXJc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826216498.455902 CnPxgy4t7wZRlJlXic 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826216558.506493 CUgy2o3FvSC7r4Z9ya 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826216618.627343 Cxd0L53LzmLx1GQL3i 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826216678.455377 CdERFK2TuqeY6bOLIk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826216738.463003 C7gYx43YuJLYHaolL 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826216798.484306 CQ02Hh28fM99vbB7t8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826216858.464603 CZ6vmo2iQaPNxh2Cp5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826216918.457605 CkOZDv22AxQ2YWa9d9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826216978.463284 C913kM1HJAW0Z0QCWc 
128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826217038.656359 CKgKAx20fbelsVSjj3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826217098.472702 CRhBnt2F6fTBWyjylj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826217158.458863 Css94F2wp6eqs3AG2g 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826217218.685135 C5Iwq42ShwCJuekrR8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826217278.460500 CiThk046sKXUN21yT7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826217338.809744 CIKTEw1hGfX8fLggpl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826217398.468952 Cuqf1SXU2lRMru8ab 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826217458.473659 CViQRu2F6CP81AHxN7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826217518.644301 ClxNef4rXFifWlnVe5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826217578.554358 Ce9ZL977eCsGAEVwh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826217638.574699 CcsJ6S3KeIOnq32dUf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826217698.468159 CNeOYwF6hHL1iYy7a 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826217758.628043 CtIalz3JApUL6lBk5c 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826217818.476557 CiGbMU1lOEKc8ZcnJ5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826217878.468586 CZ7cfF1ZmnbEKFCL86 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826217938.582596 CtwugB8dqTukJE53l 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826217998.477002 CzuDds1p0W3c1OxtQa 128.3.140.132 2035 
194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826218058.883849 C8icM720Rm3KFNSaO3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826218118.482549 CBqI3A3aZ9wbTqAHKc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826218178.482392 CDI2sycOSZMfUwDej 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826218238.474417 CdPmeZ2wefP1W2pDaf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826218298.507434 Ctqz3r2Q6Hhh45ynBb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826218358.560950 CZ3VMr9TGKr4pDG49 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826218418.478818 C9L1P41WGLblqJ5lX9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826218478.483546 CjpsNzwm6pkRPysTl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826218538.483389 CXKlOW2OXCLUH0tag2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826218598.558389 CaX41W2rQe7myStGic 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826218658.787580 CwL1AP20TmhyPubBzi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826218718.583409 CGsgYT2M54ThS9dD1i 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826218778.619355 Ct7NPa2Gjw99Ds55Fa 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826218838.509870 CmYrUP1Jii5rRzA2N4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826218898.485297 CfAQDb3ztIZ9Esdhnb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826218958.502698 C6gNhw2NFYJKnnBJAb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826219018.634278 CLrESm1lxkihbOfujc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - 
RSTOS0 - - 0 R 1 40 0 0 - - - +826219078.491595 CGxlGu1ohd5JBhXb3l 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826219138.488486 CTCzwn49MMq762o5wl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826219198.592761 CLvYvUL9THPcxwH09 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826219258.492052 CordDM2ka874SoTG4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826219318.490911 C6SzT4NIAosKk51Ne 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826219378.959227 CzpRvg1ZARpYbvKZLd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826219438.545233 CRJfqUBQrh1OECRKh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826219498.525544 CUD9vt2xm6AFEFb9te 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826219558.500988 CGTvIE10hTfMDqvRg8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826219618.532072 C1USEM2mkGmssUQFnc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826219678.555324 CuwWUn1WWhrDuebDLg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826219738.527822 Cn0jH9tRvniY1wOdi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826219798.597931 C3JTJw4PGH9c3y1zOk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826219858.854441 CpvOTy47aAhFPLLhy2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826219918.507732 CBZ93D1F4V32UnHVuc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826219978.497853 CU5NwdnJySKzDO6Ia 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826220038.515262 CxseO02jluUsidcJ62 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - 
+826220098.578550 CUxHC03hhHZPPZPPd7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826220158.735531 C4F8Mc19wr3znjj7ec 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826220218.628969 CCa0k62q3tTbsgMjD6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826220278.712744 CgPOxw4ZcDNtb4qUGb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826220338.505674 Cr2WN61qD7lqnpZNrd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826220398.664581 CmcxqC1uCPLsuEWiwh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826220458.510190 CAYq3UzQvLCe76Zc3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826220518.507097 CyO8GYetxJ83COadh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826220578.526459 Cn4Im3oIZPuXCwbBl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826220638.618046 CGvCUk133LGTDCu1j1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826220698.513457 CpXlZE1JfmFmO9ezNe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826220758.537687 CereAezpP5CfTQdme 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826220818.575589 C8ldQR1zcqOsEUFCO8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826220878.554922 CvZeCEJYay1Ly86ce 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826220938.527428 CTUAHv3hD1FX8aHrlc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826220998.547748 C4Badl1Yn0KV5EiZI4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826221058.528063 CZTcLz2NmHcn4ZD5cc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826221118.541565 
C6VgL03HYoBgYkYcwe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826221178.570688 CBekaf1GPCZTu5hfEb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826221238.529546 CorcCoU4w4ta7bXdb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826221298.524518 CIBpBT20L8Wr5vMz6e 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826221358.579005 CiFKHS3FlSxbhZirR8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826221418.523209 CyeHfv5JsaGfR6Q9h 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826221478.515248 CiCUSr4CVHoG6yVoce 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826221538.650743 C4gVAPgEpkdEDZxR8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826221598.545164 CpkdiS3JOJCsLKSJh5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826221658.673828 CF9ZRQ3YWkwyOaZtZ3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826221718.527284 CVtLls2idlUP7gvVfa 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826221778.630584 C0iDve2iVKhr0DZq4j 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826221838.526966 CEpMvc44Y9buZQW9R 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826221898.545333 CSznMg1xj0hV5nntTd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826221958.534428 CRMyfvgvdHPOGXlY5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826222018.583071 CKVSkGTNGUHtVkSih 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826222078.557534 CPSiwK2DMpE2jH6Vyh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826222138.536850 Coz5244kxG3F2Uwsp1 128.3.140.132 
2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826222198.593281 C4ZIj1N89EJ4eXGG 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826222258.593131 CQnl3dyMoPF8TrJKb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826222318.816482 CBEXHD3r3x6EhHlQak 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826222378.818261 C4qlRm371SZUAlFHTe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826222438.632643 COUK6C40KLFuCC2Bnj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826222498.589524 C5aYAD4Cn2Ubc3Lhgc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826222558.568852 CHBOAd3sRJs4TZG5rk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826222618.564786 C1KXFY1d00OW56NOug 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826222678.624152 CaqiRv1kssCwKFiAEi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826222738.578089 C2ImrtGJ5Was24kO5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826222798.596391 CkIEMY2v5zXcCRAK06 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826222858.573723 C9nK7T2OW1zdBcXRr 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826222918.646725 CyNYn63xqRCtJ0Swci 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826222978.538235 CuxhD94HGUTuDMCPeh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826223038.987043 CztBgE4sLwXhmXQ1V7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826223098.542807 CtBp2AhjFqcG9qhq5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826223158.613896 CIVadw3MmsEwKSXoRc 128.3.140.132 2035 194.140.136.34 80 tcp - - - 
- RSTOS0 - - 0 R 1 40 0 0 - - - +826223218.551280 CsJlJw3gPwZPfiVGdf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826223278.578458 CXe01x1FHRzA4kaake 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826223338.920871 CY25m12Au0LbTQ7ajh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826223398.710865 Cz9mVbJ3mLhtk3Vda 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826223458.611153 CBGwJBRTFD8aLOKJc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826223519.399189 CkSzRz17ol01kBjlNf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826223578.634244 CZLdPO2kd9vZKOmwTh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826223638.568696 CEmAHt4Xvq0HLd9W82 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826223698.552911 C3838x22eO0vcv6Mgb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826223758.619132 CpltvGXeH3DLAPPT4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826223818.616998 C3Z4pJiqtIGHawj0g 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826223878.588534 ChL9vB4VvykErujpb4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826223938.560053 Ca5orO1gBdPoGkIAGe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826223998.553003 CcwdAP1q3qj9kGbD64 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826224058.654340 CGoZfnZAUfEApqP12 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826224118.580976 CULfbN3hEwMuuClQlj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826224178.669638 C5CCVa2TESFWWp4h2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - 
+826224238.648991 CbEhxC3seucNFjJzl7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826224298.566850 CNkqdY1uFJUpLHcIfd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826224358.578406 CJ5lKt1FBnPOLExVJi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826224418.601677 C7tQLt4nj8nmymJNBb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826224478.615185 CNndLX2qcoBO1T5h3i 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826224538.557437 Cl6URq30CgLqZmHbdl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826224598.601200 CQrWXaeiNsamnLxJe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826224658.584449 CUUubM1kNFUIoAtRDi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826224718.714092 Cdm9Cl2oExwyIrTygf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826224778.590942 CnKdXm4Tf4ML9ukOYh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826227058.642220 C66i3N2Qa1eqAyN8N8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826227118.588374 CoXkaI3nBcggoQSFO3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826227179.008863 CRJy7L2YDZXsYxDhC3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826227238.597804 Cl2pecmmIw1GjkVJb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826227298.642536 CHWRw82poLxopSRDzg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826227358.735113 CnflkX1d2USQ4QeAK8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826227418.698844 C16ibw2KpRbXYrd0Yl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826227478.606937 
CFiVSW1o9EVx5N4Jb6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826227538.632140 CbGXIX2xTZKRuIZwCj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826227598.843766 CCvExA2GM22zrnZkZi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826227658.607429 CV5jTHZXiRRacOOud 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826227778.631493 ClpAsC4U0tWM3Z6Gz1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826227838.700623 CGToTMGh5q3VrJjni 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826227898.735615 CfEaWC21ew1UaBmeLa 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826227958.728618 CoNHfb4cDZSJh2h1l2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826228018.837749 CAu0Oo4x3iftOu5dF4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826228078.611153 CoysEl2JglWGPKCEF8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826228138.664679 CfPVQm1k7F6Fd9dXi8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826228198.822629 CXEAGK24uAf1EMpLV4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826228258.998144 Cga10I1NjMZq5YSNWd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826228378.685506 CABy0s1rpWlZ6X6tW5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826228438.978170 CFIQPc4ShJClVxKPr4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826228498.661770 CIYmfgVlNE7B6N4ec 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826228558.651863 Ctu1Eu1GyUwEttbbRb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826228618.701470 CUBLiE4H0lDoOyqIr3 
128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826228678.650545 CdoKkT2Ke5De7MWN6l 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826228738.665995 CkibYw4PuXuckQflIh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826228798.694152 C9HQs14k8DJZQaqRmd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826228858.666644 Ct2bcYZHIODrba6hg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826228918.714285 CgUlJjlqbB9Kzozkj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826228979.077767 CI6Avt2cWWdmpsQnb9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826229038.727630 CUn1iH2S48i4Heqnzh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826229098.860212 C7CXmL3ysk9qbtIpVl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826229160.016217 C1Zh983vVGDE8rpT2b 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826229218.786701 CwhQVj4Sr6YxoNBRek 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826229278.847042 CC1mwWtpL7QIsnIu 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826229338.642872 CqQ3mZ3WK7Dpj8ebI1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826229458.657132 Cuoe3c3Hv3XA5H3auc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826229518.649148 CNm68aOVy0Yxl7tHg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826229578.759279 CecHQz1SmJzVmrjLc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826229638.661509 C7FoyE15oylgO2D0vh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826229698.619359 CdjqSs1yLtNe7Xiylk 128.3.140.132 2035 194.140.136.34 
80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826229758.681659 CaQnjV3UHc2hg5HvJ9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826229818.639541 CPqeCK3u65w4FShPC2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826229878.937049 CJIWFo1ifuQFC3myBb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826229938.677242 CpIBX42j0JTDLqNky9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826229998.670222 CrDPHt2myMadMHRtGj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826230058.696392 ChUf2j8A2cckuCB9c 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826230118.687435 CodUX14FayPV287Dka 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826230178.687273 CpYISz2x0t1IB0QTDf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826230238.666614 C9aPOm1XvemsGRM5n2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826230298.675238 CwA7AO3h7M0tClfk14 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826230358.663380 C5OuLn1RyWY1Cbhc24 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826230418.669078 CTrEfQ2OTZ6XwuqzF6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826230478.769466 CB7oN32GMSHJRH46Q9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826230538.701949 Cts2Bw3UyYSC8eJbw5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826230598.701785 COVKbVuLViTpKix0i 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826230658.684023 CtcBaG9xFLC4GY3f 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826230718.697517 CEukfh1EN6VBqvS5V5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 
40 0 0 - - - +826230778.669049 CwK86z3GfLlLdBtjf7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826230838.655236 CgKGYB4pW3vOfMBV 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826230898.676545 CMn4xD3x1CpYubrX2f 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826230958.677362 CY9Su7UUQHd3QxCU7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826231018.675249 ChWyT7DaScEmURW7i 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826231078.648723 CHCWma4mS3ppsLP48e 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826231138.705163 CLDNHl1Z4OK0sDBoif 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826231198.675715 CM2JMA3ZfXFcSbIVb1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826231258.652131 CLe3ci30E20BAchq3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826231318.682228 CfgmfA4jTr8Y6eLJHg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826231378.688895 CW4Csw229iMW5e0Rlk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826231438.682849 CeoYqm4Iisj3ozpq92 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826231498.666083 Cbr3ZX2RpOAHKjmCff 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826231558.651282 COwrPBGIpzPLJeW68 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826231618.668673 CNsMUUGQHroPHA8Ci 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826231678.701684 C426X13okmzS5nezed 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826231738.666386 Ctvhwu1lrpdV6DZdwb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826231798.665239 
C6b9XS2XeGtwYY87xk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826231858.658224 CYCYdh13mKTqx1ydmg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826231918.705874 CzzvQk2VG9RA5JUFa 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826231978.670582 C3qPT62UwGnCqVIHe3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826232038.659686 CsBdJ51j1nLK3tl2F3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826232098.654639 CGF4CK3UKYLwIPRwyl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826232158.749160 CS9Igm4X2rCHxh8EI2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826232218.694336 CZVWmQN2v8aUbBLrl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826232278.658067 CiWSbfVPxd3DU1Tkl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826232338.689134 CN8vYE2x91ejKzzsD1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826232398.689943 CWfGo22Wn4dNhEMG06 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826232458.685863 CQwX581RWAcdloUaCl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826232518.661313 CcHqZF4mAmTipPOItj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826232578.668970 CDbHurHHYzQh16a75 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826232638.677580 CeOJdl3twOYDJJ71De 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826232698.834546 CB2C6x1g0GQKuoDeTj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826232758.673342 CrynIf4rhiaSYubZmk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826232818.695626 Cgpa8U1xzUsAFVfqac 
128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826232878.693516 CLSa0ZadTj6WeeEu5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826232938.676758 CnxPqm1SEHF2WwWUG4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826232998.696103 CXhpq14dW9SZTBfHJ4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826233058.672523 CCgTLd2teo52h0Wstf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826233118.673347 CeFdYqfRlkaD4rak9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826233178.684889 C9mchV3W5GidlSM84 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826233238.710110 CMErzU3stNQPLKaMU9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826233298.683598 C0I0Rx1ymjsyaZC0jh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826233358.812265 CiKVFD1jyEZMI1gXIb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826233418.818938 Cdnacw1CFnnqrlU3O4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826233478.726052 CPStWmXe4km0Cl0ol 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826233538.712213 CJRkQA3jOwlmlfcqU1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826233598.675928 CeEFRd4qMWwv0Jh8k7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826233658.821184 CQ9bIuaEcQxsRROo5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826233718.692187 C284OX195pTFFffz36 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826233778.695922 CNGTy6cxx7ybLF9W9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826233838.705511 C7q4oH2DTPedalIPWe 128.3.140.132 2035 194.140.136.34 
80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826233898.768793 ChBuyc19gI9J1KGmY 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826233958.691530 CqDFty3SRyrnf90hfi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826234018.686472 Cggwuf3G2K5ZN4oakd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826234078.765344 CM7VSScmo8RxJVRq4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826234138.676343 CouMIolaAAuU3uBsl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826234198.788417 CEAWkJ28DI9nEKRfOj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826234258.724814 CLYTyf2HBOn3UVjHO1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826234318.692441 CO6Ebe3kdaK8oiVzs 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826234378.781109 CGTZtF4cqefNQf85xi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826234438.715539 Ch03izqlxvJxYGLH2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826234498.765130 C9I5rZ3zk42R1XANoc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826234558.756185 CaU2kGXngY73q9ukb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826234618.754067 CTm5e81lzI1LnBExS 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826234678.682658 CxmPyngR6MzIa1Eh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826234738.705925 CbFrYB4DZH8tDkL0Y 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826234798.711622 CMXdX44qcXXU2h79Z3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826234858.698771 CEFFYl4SiGIgQVBwlj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 
0 - - - +826234918.694710 Ch7jT14FYeXA4zibfh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826234978.883896 CJGat7FcGiecvRUsg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826235038.712921 CNatvs4kRF4PKwSQa6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826235098.696154 C2NBCp3jV77cmR5Zt8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826235158.697939 C6WtsQczYdAqti8rf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826235218.836370 CUhe5I3aTm7jZot2n3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826235338.920938 CNFZJ71R8kIIoPNIk5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826235398.737276 CcUcWO2v7gHgNp7Q62 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826235458.732217 Cb3KX21dAVvTruW5u5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826235518.757406 Ck2Rvb2bOsJDxQIHh2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826235578.831421 CDI95K1GQpHhlE1WO3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826235638.732696 CkQ1G62jdm35jCXtlh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826235698.778410 CPVwfY3kLDmu8VeKdi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826235758.710891 CXOtEWMw2dl3XsTGj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826235818.701921 C96Nem3M5LAE4wmxq8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826235878.700775 Ch4s3N255T98eOAbg7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826235939.808964 CRfKrw2WpPG0f6YNab 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826235998.908367 
CkvEuA3A1e1PDP6u9l 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826236058.833061 CJGA6LrfAhefNKwZg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826236118.756764 CxAT1S1sipPu2RSOK5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826236178.750737 CR9GIt1uVcCEzQmX0d 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826236238.758377 CG0N5A4T0LUzvnAdr9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826236298.718200 CfXYNY2Gtu2mOvJMAb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826236358.744379 CqUr0V2Ejojsue0UB2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826236418.820342 CvrWt84lulkHNvYqk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826236478.762593 CGb1NjWtOcccF7wwj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826236538.720468 CilF4d1b6woayAE906 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826236598.720300 C8j5rU2S8wOqxY7Xzf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826236658.811881 CuUrLB3Xprhr47zsPg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826236718.736563 CpIcgv424hVeESIlv2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826236778.761764 CgVp8E3o8WDS25ZEah 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826236838.741101 CaN1s3SLGBQ4aYcp4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826236898.722394 CLIxGjgqmKhRAW0A6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826236958.714419 CBcpca4v5bAbAgFPnk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826237018.722085 Cx0S392Jm2GGs57Vqh 128.3.140.132 
2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826237078.810745 C0rM4y1xCN8gaJlx65 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826237139.031717 CWTYeZLvhVCqQ0Oii 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826237258.752607 CHdNJ23h8TGauylVzi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826237318.847110 CmlD1G1PBWF7V3AqC4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826237378.904555 CxD8fj1FHwuZnvlIDj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826237438.753128 CpXPjc2FWuGLYIHrq7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826237498.727592 CXStoPw0l608HE7Wa 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826237558.949964 CppWZ13XXmGNWo1sa5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826237618.841486 CsOsbJtpfytT4Zwmk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826237978.730259 CAp5VrBkO3ZBZDw7d 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826238038.726230 CdArbn3VkPQ2LQ6IZk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826238098.730892 CFQWWm3dCGqvIQuOIf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826238158.744403 Cuf8Te1rhfkUe3Ps39 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826238218.757871 CXQYhQ1U3eH1eCHbO1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826238278.772353 CLd7E94pRH1IAYvYYe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826238338.739988 CXSjf889bs6zGkd1l 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826238398.789594 CmudKn4wcczZ81CgS 128.3.140.132 2035 194.140.136.34 80 tcp - - - 
- RSTOS0 - - 0 R 1 40 0 0 - - - +826238458.816759 C7cysk1k80rr0XAVGc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826238518.761940 CeAngf2WowKEx9bxt4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826238578.781285 COlxFa21bPstCyqFbj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826238638.756717 CFLsus24dYUFU43gT4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826238698.789742 COPxfr3aAGe1RkBpY5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826239058.742858 CkChJz10kLSqA8jzMh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826239118.817844 CZLWOymP9apVN0cS1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826239178.749343 ClpiTi38HDCVH757G8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826239238.770674 Cc6Ywj2npKqeQWf0Xj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826239298.761685 CURyWM3JQc50i4uAy4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826239358.746873 CPlAAd1glpWofm9c48 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826239418.919459 Cs22AT1iDlXjpnEh23 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826239478.847061 CX9APc3bZVpG3EOoJ9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826239538.746371 Cu5n8i1eR1Uq7cpNp8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826239598.748166 CQZgXn37WW1G2MlGkd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826239658.781183 CfSvmp2TftQyAmW5Zi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826239718.803472 CjVLso4czHP84pCpIe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - 
- - +826239778.818943 C4SV4k38RC1OUl5bJg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826239838.753386 CLODqD4BvYLZkLD46e 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826239898.798115 CYrTQs2MBgNd1gdB54 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826239958.766735 CEePRr28Y2Y1Mk7fol 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826240018.815379 Cp9nfP3Ll0DU202fD5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826240078.990916 CB1p8vzDu27Xh8mjb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826240138.857062 C1cf2A1IEXB6OWP7g8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826240198.789568 CNH2dH2ojKinxj8Znl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826240258.770860 CSw824rvuPrp6U7lb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826240318.877996 CSLQtD1VcMg50oXYij 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826240378.759724 CtS0rHoMhL7UNXlk9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826240438.752743 CpNVijnE2lWwqFUTd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826240498.795532 CjsNda3kT7BMmn79r5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826240558.806102 CgYgjg4uU6EPRMKrHe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826240618.805927 CGv6GGMohalagEtfh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826240678.804787 CSW3Ia4wgHVN2LR2x6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826240738.827089 CIocUB2QmNtAt98Raa 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826240798.758610 
Cc4qTzr0Vrfu3VYJ8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826240858.757472 CbTdzs3jEHRNU2hFC6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826240918.765106 CnxLUi2KiCwChGAqX8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826240978.797143 CQWG8r2dfrbg8LUlua 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826241218.771213 CngLM039cnn4Mvt3Df 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826241278.766164 CPchod2Y4uAM4sSS9c 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826241338.777724 CFTJ5k1BeIJn84TMH3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826241398.765852 CyZqmk3JlFJTzRoIM4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826241458.768609 CvI2Po42hxTw7EWx0d 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826241518.769419 CUNPU92OvaTuTi9Mn6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826241578.776090 CCljqz1dhNjSOwPtt2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826241638.772991 CQxarQ3Old0ATLJU34 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826241698.791353 Cw0Nu83mpEDdLy8MC6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826241758.774582 ChnNNF3g5zHZRnTnB4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826241818.771469 CuuVrm28b4g38DwYsc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826241878.863055 CMXwF2rCJiIRPl6jd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826241939.284125 Cvez3u2SD3arHlyAhb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826241998.780750 Ca4smwv5Bm87TV2Tl 
128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826242059.025161 CPm8hfqbQLr7uupN8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826242118.790175 CpkkHm4vwb3YqzXCZf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826242178.788064 CfjnpA16loSFIdknW6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826242238.835729 Cps5Az3rXyb1nHevh1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826242298.779917 CXmQLh4nwA2enaBMqg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826242358.860709 Cw3UIy3L6yJtxXSNa2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826242418.804890 CZKPJ624uO7F4s4uH8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826242478.905255 CqPUf01ahHtGb1RWvf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826242538.810416 C0KvlV3xhBAS0TjIDj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826242598.786827 CyMvF62XUvVdRK9MI8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826242658.838395 CGOfGiDKJQjG94tMd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826242718.874347 CwA19D3CGPf5cw6el7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826242778.838084 CTR9yW1pU9hdggZRuk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826242838.787168 ChvW5E4jKCLmJGFNg5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826242898.920704 CjJLKQ1Tjc2vp8BG8a 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826242958.863934 CsXjRw16FavgTXwrbf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826243018.841315 CUCes41sQHFSrH1ZEe 128.3.140.132 2035 
194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826243078.829442 CH3IYJ2c8Jen6r8iV8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826243138.797073 ClE3yWP7k1x6qEyPl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826243198.790087 CDMnmw29INxxeNQYE5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826243318.790753 CNncBmG60jrMYE6l 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826243378.939943 C8eX4r3Cp2UPufTe1c 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826243438.803122 Cgt8oPuPHbri1sDsf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826243498.837082 C0tU0J3qBSNPZvvCs2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826243558.806671 C8KI9R1ifxBOWmcYbk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826243618.902231 Chmysb4fi1r6OFHDDj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826243678.799713 C0QO6i301914TaOGJl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826243738.801488 C1ORxn3XJz6yGFeo1g 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826243798.797409 C16xpV1tjLQ8icxRRe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826243858.808938 CEMDMT1e4PPAuvjdM8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826243918.824396 CIUQGp3FrmzWVrNbWi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826243978.811537 CmQYii6kvBaNTuNVk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826244038.808443 C75hcC2LEEqHPcTGQg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826244098.843419 CgOLAF3SB0Iuo1RoGb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - 
RSTOS0 - - 0 R 1 40 0 0 - - - +826244158.807117 CdThD72YLnxl0tAhx9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826244218.805965 C7pyIc1SjyxmZqpP2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826244278.871193 CG40jK2kO1NXwdRjlf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826244338.832976 CFT5QX2NGkWvDoS73b 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826244398.829901 Culfcf32j5G4hy5STj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826244458.854146 CbyYXp3OuxgvSs1rnd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826244518.802259 CX4BSWvxCOPQSsoz8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826244578.812840 CJU0ts38Nm9alT7qOa 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826244638.889787 CmNRTy2A3u7dm89xd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826244698.804714 C0iw8dgSzn6Lt2l87 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826244758.866022 CaRZ9m4zUs222cMaf6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826244818.840494 CyNxcw4xw2VLy5xqM9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826244878.841322 CdRhWT3WJiNJd6yI4d 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826244938.838230 CCZZib3Y9pjgYtJW2f 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826244998.816588 C2lPJTbmBFDRGZltf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826245058.821315 CBNXBD24hjefp0LZkj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826245118.812373 CbnyaU2sWQc9hrOFsg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - 
+826245178.913723 CrSfRNn9Y6TpKSYwe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826245238.866722 CfcTNZ3VzQGbNyOYm1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826245298.921238 CnrF0h45yKF5cL7XQ4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826245358.819586 Ccw4T01sNMI4v5qGs3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826245418.830157 CxZjbb1da9hcaT6Bt4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826245478.863177 C840ag3wJtif3z9DV 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826245538.856182 CoXTPA2KVYz9zNYlib 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826245598.824786 C92XxR3BCHdnrMocM5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826245658.816823 Cvjzja4a0xIU8nOkg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826245718.819596 Cadfsn2NN5nFfCVO97 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826245778.876048 CT2pLJkKDfRbdDUWk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826245838.875872 CgQAlXJSKaQ8YnvPg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826245898.863029 CQLrXR3icdsWYVPKg2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826245959.038160 CZxRwdVLWuciheCb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826246018.825643 C90m229PgBu1jrrF5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826246438.824533 C4Evyd2E8m6d4Xhqsi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826246558.835921 Ctt4oD26CzPAWcJQCl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826246618.829895 
CAVH4i4ZVYN0WDoo27 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826246678.850235 CGiOCL3c4KjdZuXuff 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826246738.830559 Chc8Fa457qFmtuEYY8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826246798.832344 CKMhv2oB2z1eyRX6d 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826246858.832179 CSHS0H1H0rjxicgcAg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826246918.902298 CJuvoE1YyLGhjELqf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826246978.837724 CMdhHL152FlWWz9vr1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826247038.885394 CJfYiM1E2zyHG1NoGk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826247098.844228 CDvkJz2zlMjW4EqRb9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826247158.856738 CUozuC4RUktVWsM4C1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826247218.840973 C4LIRIHQPjU6UiSOh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826247278.845693 CkW4Mh33uCHmIm9Hdf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826247338.855270 CTjtV749YvoXcl8Nd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826247398.872668 CFEIoY1dUsibWoByJ5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826247458.842250 CgBkDF4bRECntkASrc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826247518.845986 CWSdwH3KEQ3oqHyRAe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826247578.851689 CRwYxf2x9mIXyPwkJl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826247638.844676 C6IE5b4s4Qoqk5pgni 
128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826247698.862067 CxyBM33gWvfqTVKzb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826247758.911671 CogwD74Lz7PMpUif8i 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826247818.879290 C93l5e4yKVetWUxmIb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826247878.855719 CWKen9tbdg32AFm98 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826247938.917065 CeCoMC2Dl66C9enIj2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826247998.846648 CQnCV1iF8YjETdeQf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826248058.850394 CYmjX01wozt3Bngyne 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826248118.853168 CvDeSJECATHoiOMig 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826248178.851054 CcfaGF3WOUkVaqaPs2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826248238.858695 C4yqWO3VAbIxES2rH2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826248298.850725 CugL4P2LP2PttPSKNj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826248358.853490 CCWbyI1qxx4x5p9JCf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826248418.885526 Caiz9z3pIV3Vw8bLA2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826248478.865847 CLlaSu3305zpdumq64 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826248538.858860 CgUrgP2EUQhnVU0mhh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826248598.863576 CFS3FG2WRxrhm1dYj9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826248658.858523 Cu46pf3vovzIOnRuGj 128.3.140.132 2035 
194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826248718.861298 Cg6txW3WQysgx9vIN 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826248778.859179 CWV1P3151cMujgYXRk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826248838.870699 C2cQQGuP8RfmlD1yg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826248898.875419 C7HQwd40e8TI0qTbCf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826248958.899648 CwddlB7WvzDnYFgOi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826249018.864386 CEDuC91bJvWJYKl6d7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826249078.867101 CbmmXy37yurxWpeoib 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826249138.866899 CtooJF4JHtk2Dew0Vl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826249198.876445 CbCZuG4MmggnzhJmL7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826249258.863540 CLr3hj4nHaqHaIRjSf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826249318.949260 C3LL3aI2IfjynCCu5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826249378.880778 Cn15F21dn89NwMjUjh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826249438.919666 CniUKjRyvTYk6WBv9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826249498.916588 CghlGU17ItoPIDGyn1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826249558.883238 CJVKIq4FzEOY3CJmfl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826249618.870405 CjGaO63WQ0GHxJJSk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826249678.869265 CMI1IP3AFxaLd0eVOh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - 
RSTOS0 - - 0 R 1 40 0 0 - - - +826249738.875938 CwrX304jrMjLIeAM5c 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826249798.879699 C3Mkiu9LkW3gl5KFc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826249858.873691 CAzVmk2t7tdRqXyzqk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826249918.969767 CeI5mjbpx6OYSJkrd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826249978.872403 CWMQeA3cuWTnRkxSKb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826250038.871257 CBjDGy2vGTS1KryS56 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826250098.889646 CuSlgI15ZcagsYuCRh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826250158.872911 CiFQosvqoGjiz52G2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826250218.873732 CuQyJQ1xb6qBH5mv0g 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826250278.874538 C8BMk54ff2CdTgLcB4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826250338.887065 CRoARV3xDWYArG9vL1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826250398.879104 CETFoW1N76CJjEjT9d 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826250458.879920 CTeOjNzx0LGGuuKX9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826250518.888560 CO7Hw14t1CywZ0yUwk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826250578.898170 Czne8F2sr7nAi9C5D5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826250638.880507 CqqsZIhawJagd7XAa 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826250698.881338 CIdqf72xgABNn2nYD1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - 
+826250758.997899 CcyrTu1f7iAFTnrVl5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826250818.914243 CrozhMW1WU9fALA72 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826250878.887750 CCvsjuhEYzjznKVi7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826250938.889540 Cvx5Qs2kADc9pywrK7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826250998.908891 C4wohC17dIkpiAbtv2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826251058.901889 CM5Lx21gZyMpPtOOob 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826251118.886125 CM4rP44To5Keaj6Xbj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826251178.894743 CiLI3a139hB8I8ntOf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826251238.889686 C4henr1eVw3EMMJQBa 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826251298.908089 CzhrlT2CAXztbzeFmk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826251358.887436 CifFNK2knaMKUFXnH1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826251418.918515 CXMQFe5QDnd36lRki 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826251478.896887 C8bErJ3q2mS9xxwSwc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826251538.901595 CDkOR54icnCqIB0tN8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826251598.893636 CJkGixVUU9nbF8rue 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826251658.898345 Cb2zqa3PSKO9Zh9Ull 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826251718.893305 CQZ5a64bHSy6ZYaGoe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826251778.895096 
C7yRPv4jexg8uI21ki 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826251838.895901 CDTQan1SsGgBKte2ld 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826251898.895715 CLv8H3vjbMwHcVIJ5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826251958.894582 Cq817s1MTFzkHnmih 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826252018.924681 CO4vvcBZfWsIRgFBl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826252078.901098 C5cF4Q1gr9Sq1DIJw9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826252138.910683 C2XXQN3HVBDKRX09Ui 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826252198.907574 CM6mii17UPgzVUOOSb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826252258.903484 C1miNmjS2Lo1RG2l 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826252318.967273 CStGtB4Si077kSmnP4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826252378.912848 CNJBsF4nhSDAXQ9An1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826252438.926355 CVDp5B1mDeUv2LkX22 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826252498.905693 CD7fKL2uNfgd9JUnv3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826252558.902612 CCK6ws41WuM7BfinG3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826252618.908308 CC0oNM20B5fEE2iDJd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826252678.907164 Cot7Du210ANamYj5Uf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826252739.201367 C8eIdf2rXg9IZJGZa 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826252798.934171 Cz1Rx629LLmmyzvfF3 128.3.140.132 
2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826252858.911565 Cl9UtTOVQpbj8EQbe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826252918.920173 C1vTL64Gr0Nv7uAH23 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826252979.015256 Cd4UghVP1yZSaJmh6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826253038.913020 CegO0K37XS9XyGQ0p3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826253098.913839 CyMu0h12iZg1usDPM6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826253158.920496 CeiKu03BGkM33M6hde 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826253218.912474 CuXCbU2pPFsSsDgG3e 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826253278.914220 C5R4aj3pNdq8ur7KJl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826253338.912114 CL8AQ43cVT3zg9mXVe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826253398.914923 C4CPZlyAhV7lzddu3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826253458.918705 CBbEFo2iNwrO3EmNn4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826253518.917565 CU6agx2rD4wFNvYzF3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826253578.920324 CNf7VA2g9xKfDq3oic 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826253638.927971 CWba3C3KcZdjT76YV6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826253698.918042 CVukb93tlV2MQNu2R9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826253758.960352 C2kJEa2bWgLLSUMV6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826253818.920563 Cc0EBI3i4Sg2p5V1B4 128.3.140.132 2035 194.140.136.34 80 tcp - - 
- - RSTOS0 - - 0 R 1 40 0 0 - - - +826253878.977586 CbHKU34s9H2DTlSin7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826253938.921223 C79vGi3WgsbTVBMGYd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826253998.924959 CjpfZMPPll5f3aMO 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826254058.922838 Cy1NOD4AzXLyEkvF96 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826254118.925608 CgDsU32KkitFRq5lKl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826254178.921518 CcMyDA4phiU99YuPj9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826254238.924237 CWYF7J1GZoiMLC6p09 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826254298.945549 CwzvDa1UBD9o0gY6l 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826254358.930755 CTJexFQEEX6Q6Y147 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826254418.931575 CuURcXPy9Yf3fffp3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826254478.927493 C73nFd1kHhSg9H0we 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826254538.930243 CbJW752k4xO0AGgb86 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826254598.927136 CEQVKVBDKRxjES593 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826254659.050546 CBWXZk44HPgXMc89P2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826254718.934655 C8cd7s4s2BP6B2fJNi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826254778.945240 ClH5jbDR1LYIRXd71 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826254838.951909 CaICTV1ibR59BsqEjl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - 
+826254898.945901 C8SJ9k39WeDEkTYoO3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826254958.937938 CtUWcL3TWvF8KhVem5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826255018.934852 CyloG21FfI5ZrMVFn2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826255078.932744 C88UNG2NmUgRCRsNue 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826255138.978058 CLVT864ykyCrW11LY4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826255199.037442 C3IHPG3oSm29zc3p3f 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826255258.943011 Cw2LWlnnRKp1pyz1c 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826255318.937976 CoZu1c1NzNQYFKmJKb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826255378.936804 CEpktv1QzqZ01hu1Ll 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826255438.942466 COLt8K3RVsghUlwwlj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826255498.945244 CPNrE51wE94CGcz2y2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826255558.943115 CrHjBv4IxQageHT2hf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826255618.940043 CakBqG2eh8LpGPpMie 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826255678.939884 C8OTyM3QLLANhzAhS1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826255738.946546 ChJeRQ1Fk8dImYddYe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826255798.959638 CZKmJe3BZnVOLOScJg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826255858.942307 Ck0ZIns7FRqEDteY6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826255918.943103 
CEAAeHq9NVabX7dsl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826255978.952270 CRSG7beuuCV4Awie 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826256038.947620 CMGTqYUKMiEPlDu1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826256098.952922 C7N6YdogWVuNPxt5c 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826256158.947284 CHmJal1SqsPRLYVucf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826256218.950572 CGV5WX3XamXfeCPIQ4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826256278.950427 Csdqbs4Gl2KXcYu4c3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826256338.948722 CrSLew3moViFbz1qm6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826256398.955968 CRWY5P1O5XpXWdV5w8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826256458.950944 C6t8vm2lI5YLsixcL 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826256518.950800 CSkk3F4465nT62JjM6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826256578.962348 CySinR2Ukr7K255cYk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826256638.958265 CSmiWy2ijhhZYx51aj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826256698.966875 C5VCTW1d4Y04IFrmyd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826256758.955000 CJHfOa2essjP0bgKz2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826256818.981197 CgqUvZ1nEsLTpeM14h 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826256878.965414 CNHO3k4NgRtiR9LGg4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826256938.961351 CvTDqyv0AzFZYhvYa 128.3.140.132 
2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826256998.962186 Cwl5An2Zl1KmfDmeuh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826257058.977647 CrPiC82XSrQHnWbSX8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826257118.972604 CEqAJrLp6vnKEWMSe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826257178.964625 CU1iZ02xS6oIywBvre 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826257238.978134 C0xJcY2DtdXEexKa73 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826257298.961371 CqqMfq1eRUAlRBVTil 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826257358.961204 ChPlIQn7hT4ielqD4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826257418.988368 CPzlHT1W7t9ae9GYod 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826257478.964774 C8L93h4WLd8rzjnDk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826257538.963626 CUxHYs1Khzuo2rNPrc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826257598.966389 CeAk8k1y2fNlUN41L9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826257659.124337 CNrfn43LSwXw9bRMT2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826257719.025602 CzgGhXxDgtHrQx1Cb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826257778.972750 CPCuNh4yfaVBf03vwe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826257838.988161 CujTOp1hfr9YtLUL77 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826257898.970378 CMfhB12Y3M2xmf2lUh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826257958.970224 CMSugk33CuYdOCnrj2 128.3.140.132 2035 194.140.136.34 80 tcp - - 
- - RSTOS0 - - 0 R 1 40 0 0 - - - +826258018.973008 CQU75q2w6MKlL7TOw9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826258078.979685 C0jKCV1vJ5dNrFbKyj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826258138.973686 CGklVD3bA0Y144Jsd8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826258198.980376 C6HGJp3SJ9z8NWIWue 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826258258.974347 ClFEx44Cxokti2M5a3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826258318.979060 CeUHgQ10eSfaPljB8i 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826258379.042341 CtHB5M1FZqEMBsDqmc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826258438.981621 C3gaJq28J9Z0bJwkt4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826258498.980480 CGaqMT2Bkznty4vuRj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826258558.978357 C9Kktu3h8egsI8bXul 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826258618.979172 C4bhw0253RfFe8QQgb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826258678.982917 CkzPML2sTaC8EpDQq1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826258738.984715 CTFVYg3F6kPgvvigZ3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826258798.979677 C7alhG18cdswwf49B9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826258858.986344 CnwiJo3C6bzuaTB2Ng 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826258918.981304 CQZvsX2MZK2MLgB8W 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826258978.987979 C6JDfkEbDcWUF325l 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - 
- - +826259038.984881 CRo99W2oC6tPJyIqmb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826259098.983739 Cf8KoB2oIsPLUEaLTl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826259158.983560 CjsgRCNRaU0bXmXO6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826259218.984345 C98t3N3vGfFxouiY5e 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826259278.997890 CeJaoEsgZUUehqGXf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826259338.990890 CyWDN9mnZGMJ1saLe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826259398.988756 CvZPT62WfToKxceyEf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826259458.988584 C9pfbjOVDc6OP6iY9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826259518.995258 CkO2bn2PlAVTlrXvra 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826259578.992149 CgaS9u2aLx3wKaTlml 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826259638.991957 C30LxW2Th1gjujVr22 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826259698.999553 CcEJR83FsF84gpOd99 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826259759.002304 CxSX2XRSWdjDgyNz6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826259818.992412 CWwkUh4P2SNipqOgL1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826259878.995197 C2ZaFAfQnfzGByPC7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826259939.010645 CxQLCs4niKD8U6Pz9i 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826259998.993883 CxCf8J2esw472Ielw 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826260058.994683 
CuaG7w1ufkC6A9gtFh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826260119.000360 CPba6z3CUAMjAVWIk5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826260178.997278 CfYXN8RcLJE1ncGsf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826260238.999066 CtwsWy2janmDrrsrmi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826260298.997944 CCBUYR130FjWz8Bg6d 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826260359.003590 CSlCZo3oIlpqVFvL9i 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826260419.002447 CuLqt91wSykza0MUr 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826260479.004239 Cr6BDA1u5j3a1jfbMf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826260539.002119 CznkyN5OS360c7fzg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826260599.000967 Cjlzzx3hDTXYwCCZfi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826260659.002741 CBlqmd40gboMM18XRj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826260719.004517 C4AeuTNzLiWRGK4Te 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826260779.009235 Cg39xa3V4NdPUzWJP9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826260839.006152 CdN9Ip3sqmcRtT6c06 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826260899.006966 CvrdKi3MZkWWOHzZba 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826260959.010702 CsA0Ka1rED2oJVwNh9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826261019.008568 CoOuCA3ocam2A7NYCe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826261079.025985 C8ECoi1gSfd8MF51Vi 
128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826261139.007288 CaRKSZ2vQuFygUO8mk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826261199.011013 CbH8HE1wAvU9RKMdOi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826261259.012811 CaWQM53kzXuppddTD5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826261319.014622 CTGxwZ17I9IK4IPe7d 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826261379.010557 CZgDR43jpwQ9wjb3d4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826261439.011374 CsA5eg2ZCIorZpTdT2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826261499.012190 CGIniW2GzJdP6AIbJl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826261559.017896 CHDTTo3cs7h0VcRLyd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826261619.030434 CLPttK3P6NNlayture 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826261679.015624 C8XeSi2ysHv635JUMb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826261739.021299 CpApEnPgUSa06tsxb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826261799.057228 Cln6984XP6WQL2a6jh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826261859.016050 CqEAVT1aXMorGMNSvb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826261919.024671 Cg2HHq2uL1cpzLEWOj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826261979.153343 CUrs2G36GBmRYMAeUe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826262039.022404 CYJ0oW3tQfJQCAst1d 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826262099.020289 CN8aXr1Q63uhBnt3gi 128.3.140.132 2035 
194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826262159.032811 CwFpNj16f144BTWjI3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826262219.027774 CKUInZ3I9NXuVRJ0Gh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826262279.032466 ClDE4n16xMQPvjODEf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826262339.024512 CML1AY3hOt5zvH1TT8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826262399.022397 COlSNEF18pudbNONd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826262459.037847 CYE02G18YwMa6n39k9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826262519.025947 CALuC816KX0SuRA93k 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826262579.053102 CLgXhW3nduerCXCJZh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826262639.027550 CUuqeQ1jV5e1C0hRW1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826262699.027365 Ci8Hhb32NQGkzEhQxb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826262759.030118 CiP0kcArU4JsR0Bg9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826262819.029939 CxrLmv46qzXI9L3Wad 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826262879.030732 C0CuYWAzapH9Y1N9h 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826262939.031549 CDXH4xJCnyb5tOLii 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826262999.030389 CykG4n3Dxwvrk8ST9e 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826263059.037025 CYbdBD1xNg67gOWIHe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826263119.033946 CPEstI3RgL6nRsJ8W5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - 
RSTOS0 - - 0 R 1 40 0 0 - - - +826263179.033778 CGoDMnzCLhEMKVLrc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826263239.035560 CVPyZY3yBTgzZRquV3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826263299.035377 CQghfc2KfUgjWFzIp 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826263359.038144 CHmtZi4dWdmwAF1le4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826263419.042855 Cr9A2y47TA7mm1zpt4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826263479.037751 CnK96q4UmUem8G4KUi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826263539.036572 CVKsXw3ESdgONGrYyk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826263599.037390 C8Cz1kEKMFmaBpwFk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826263659.120188 C1Oihq3c0CnGxnsyb7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826263719.051695 C8e6AA3EEmfxrlaA76 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826263779.062263 Cn8XC64o03t3dm0UYe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826263839.039643 C1gS9LiwgpfSE6c1b 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826263899.054120 CaQlwk3hIHyw5CbUT3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826263959.041272 CANA543bVGTX8nPqc4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826264019.043036 CDqrws3sJtHbatTcof 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826264079.045815 CH9Ezw4lGM8yAvG9k9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826264139.057337 Clj6pF1D7hB5fnMBg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - 
+826264199.045453 C3TNnl1P9wFMmMTNll 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826264259.045283 CoeZek83RtKuXfxN5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826264319.054863 Ci3UVZ1k3npfds09I3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826264379.061528 CuMnFP3678h2jQ7ulh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826264439.057460 CenkCO2hmdyEL8FPKg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826264499.047530 CY2fO53hF8GwkyHa12 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826264559.049322 CGJT3l1VgeuACrsEr4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826264619.060880 CPt6WNG3WWvYoglu4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826264679.071437 CTNsnW3LZuKQ7ybUmj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826264739.055629 CtPqGp3ivrqkDfCHW9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826264799.057424 CDkrrE4xRnuwaOYzB1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826264859.057263 C9tgDs41wRFwrwMHDb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826264919.058088 C9VusU2DYszWdN5lv2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826264979.062782 CovX3L36kxML9jD8Ql 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826265039.054836 CK3H7F2i2EFuRQmHr8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826265099.056628 CcAWbc4k7xJ4cwzFcj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826267019.094978 CDsfJ83mBfShtP3ra3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826267079.081091 
CtA8cD3dbZbDyD3ggb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826267139.076009 CIMc7c3MIoZBJIrN8l 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826267199.081708 CxfzyB3K82Ybv72ug7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826267319.084284 C4BrGE1jIIuMPtZJjk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826267379.081202 ChTknA2H7Dsub8YRxc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826267439.082032 CFMigc3cSgZsWMpKff 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826267499.082824 CLt9861h4kL32m3j7f 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826267559.080678 CZz5Al2VYRjHdflA8h 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826267619.117602 CI8Whj2h6r6LcSfVub 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826267679.082308 Cj7NVNNrbAqyXqUw5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826267739.085073 Cy6tdt3KfDywtI7Ob2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826267799.084918 CrAxoy2GoejEATJvDh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826267859.091594 CwaLTn4LXluo7UvqTf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826267919.092401 CZqwGT2kwjPGescsFe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826267979.095153 CFKxJC2R9cBSw9fpjf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826268039.092073 Cpso3f36rgNdVupv79 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826268099.101672 CppBrMUywKphAbms5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826268159.091753 CkGInR1qK0eOnMHvkc 
128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826268219.127714 CyGCzw47PTvCscGFQh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826268279.089493 CKRgKA35Bl8MptEZ98 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826268339.241580 CidM6JqQOb2FHVtUi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826268399.095944 Ci9Qqo4Mqhkhd7qFZb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826268459.097696 CHY8RiUHiFhKhES27 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826268519.100469 CjBnuMqmiaV3z7i7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826268579.100299 CAZ39E4TQkxd0lBVNg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826268639.100120 CLuA6a3JjPP1pqXDgl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826268699.104832 Cx3A5Z1dvTDKH5xurg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826268759.094878 Ct5q9b3OYGNtBKVNSb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826268819.097657 C9WYFL3vuvOx7uhvxg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826268879.097488 CPMkCm4JEbNgyx5Ewd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826268939.103179 Cva7PE4j6kICfsMksa 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826268999.132280 CPfswM1AJyRPS775mf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826269059.100881 CVLcgX1RZ13gUgyf5h 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826269119.099763 C42eDo2F7NJVIz04oa 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826269179.100583 CU2ANA1Yt4ObqJFRY9 128.3.140.132 2035 
194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826269239.111149 CX3IPy3pUxul2z02q6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826269299.439902 CcoTmD3IHZnRv6mtOi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826269359.264070 CGT6YF1SsJIs9T9lnf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826269419.120439 Cqlwx01oD12uO94Ib8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826269479.103684 CDLOMy2vjf76gI0rEb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826269539.222577 C1YUOM3kd8rSJQYu4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826269599.267269 Cu3NBQsaY2BAcBVN7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826269659.148995 CUSG2v16HRuh7yK0S8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826269719.104862 CJ0hRn2MsrZOv31smh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826269779.127139 CqGMy32Z8uKHOnELh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826269839.115267 CDWB1b1haIEHVS9sb3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826269899.113179 CRAZht1smUfIWWMRsl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826269959.112020 CBWnVl4AhC2yViYHq6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826270019.108940 C7viQw259LpLw1bef1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826270079.151713 CWeakb4xAgF95QleOe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826270139.112488 Cay5bn2vtLHX9KwOje 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826270199.132810 C5LNRFqO8x4l43CF4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - 
RSTOS0 - - 0 R 1 40 0 0 - - - +826270259.112162 CIhkRr4eHA71oq6BC 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826270319.135418 CTggH82xFpM171oygh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826270379.141103 CNtx0XvYoJ8ljgsj6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826270439.127287 CqKkoXjDIKqwN4xp8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826270499.117371 CN5oXL1vK53j2UehWc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826270559.123058 CyVWZ63RmCoT7Jda67 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826270619.126776 C4wshM3dMV4pJySvXi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826270679.121718 CDROSq1z8LAIXNUmhk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826270739.130345 CcXZsf1GB9mlwwT7F6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826270799.119478 ChGADDsCZhKs9BcFe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826270859.127121 C5pIAZq3OcXUdJVx 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826270919.123056 CVxCZu2vfyEgzJTSZ4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826270979.122865 ChhFkQ36rFvb52Ye61 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826271039.124649 CR6t1A3SZnlSLUonm7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826271099.126441 CHYPfS2TDpyiCxWKY 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826271159.258051 CpjaKw2UzL2pMQIdsa 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826271219.127113 CPiEgIQRKv8QZLRWf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - 
+826271279.124989 CsMqt73dlmRROjwIUe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826271339.312208 Ca9ZmG4i82iE2d0YR3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826271399.140270 CxR52Y3GzT5T7QPGrj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826271459.141075 C0m7qm2cK3rhFZySFb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826271519.250200 Cq4vle2OoD0gt9mBd6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826271579.409125 CiEIqD3A03Z25mZpP1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826271639.133701 CcxfVg2FUarIYu7CT7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826271699.173537 CkftvZ2kq3sDL3Kco8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826271759.143099 C9nivj101nFcyZv5A5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826271819.143934 CtefJ6ox2Y36z8fU2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826271879.135946 CJjRzu40yZQmdLa7af 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826271939.145541 CdEhA81a9gr5DFlDK8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826271999.175638 CpN0AM1QmlCca61py9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826272059.134518 CEdPh92zmv83S2Nkl7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826272119.147027 CN4lI43Zc9ELnQbdL9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826272179.165321 C3cZ3nRZ7QcfNlcA1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826272239.165094 Cfd5UC4SjyBeRgJLE5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826272299.148322 
C22vJE3gkYDqoRi69f 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826272359.146201 Cyv1Q53irT6Dh7AgHc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826272419.156786 C3UJgq2A2RTuKRgt23 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826272479.147862 CchdFNQuAo3IiP823 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826272539.253121 CY3Z1SRmzjBaIwPZb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826272599.142672 CzZawy1pgVAgYUyYKi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826272659.190310 C3sEsF3VPXkvtnrzU4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826272719.281883 CiRblW13ZKi1thxWQb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826272779.149966 Cu35wahBF5Imcilk8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826272839.205443 Cm12m71K09UdwP4REb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826272899.287243 CFwye24v2TzbFWF6h2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826272959.229489 CDWNQu2lmBr3AjHR5l 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826273019.146353 Chn0u74Z84C8gRRMk9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826273079.280873 CvBNEh2BX7uj2WBB4k 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826273139.194825 C2wkTtkbOqgitNpie 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826273199.225903 CqelPd3lByl65cwW0i 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826273259.252096 CXXaK91JJmd6qlH3g2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826273319.162128 CeyA8eddGDVUGHUud 128.3.140.132 
2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826273379.159026 CDavIt2ice9TjDxiA3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826273439.171553 CkmozifGdEBYaNd2a 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826273499.155754 CRFhntGpfiLw8Pv0i 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826273559.177995 C1dZ433UvCCjRtEjzl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826273619.166103 Cw2cfZCugd0Q63rI6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826273679.164928 CK4u8R36tgECdnBZ04 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826273739.212569 C6sJ4j3d8WLg8YnFO7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826273799.387098 CofNlYPxkrXg6WnY1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826273859.390835 CSMq1t4LlwsA7FZxzc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826273919.382854 CJXpd22FaR9f85tITj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826273979.901520 CnKf1OWDIpFR3yip4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826274039.467417 CjIFm71sV0Kam01oac 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826274099.227156 CcdNPj2qOnTcLkcNej 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826274159.250414 CdMKxC2TJXnB2ycVhf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826274220.639673 CKByou4dCuNE1OUoPe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826274279.311579 CAUTzU3lsdTflOr7Nj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826274339.187456 C7Ur701fO8ULRsKar 128.3.140.132 2035 194.140.136.34 80 tcp - - - 
- RSTOS0 - - 0 R 1 40 0 0 - - - +826274399.171677 CeBTMV30QJxZRtURgj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826274459.276903 Cczxwh2v1MVpMCkWf3 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826274519.208411 CMgjaQencP0Pv3kqj 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826274579.166270 CAcVss2KDF0ton5JIh 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826274639.178783 CBHupf4ZYdpKEW6qc1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826274699.193243 CVm1PF3PnRHFuJuSKk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826274759.247733 CA9q8t4O0VUp7uhQWl 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826274819.455453 CcpP2rwrG9PfcdDki 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826274879.173217 CZAGCb3Fu0tfU51eD2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826274939.183773 C3b81P1uqoaf5M4IXi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826274999.291933 CFjfL12CkVQIBjKvb5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826275059.171716 CIuGzw4zzngxgGtPed 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826275119.176430 Cf2Jq43a5S93qH7Cx7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826275179.189919 CTMTvD2czD52f1cpS5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826275239.245368 ChIy11cKIY7wF59lb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826275299.176864 CS6FIu9dD05jdClR8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826275359.180574 CnNZty15Hqn2xhgJGg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - 
+826275419.174541 Cn8vaY3NVNZcimP1K2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826275479.181199 CxBtUd3YCJxBhKCNV6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826275539.177143 CpBKFj1oWgquf8Jq5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826275599.302874 CQSFxVDVIk4IIuHV4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826275659.277325 CZUtzG1SNOonX286De 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826275719.190276 CbDLnv3P4wxNruySI8 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826275779.245738 Ce2gy92a3Zdxn8U5Q 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826275839.184073 CAmLMR3rs3nnp7BC7e 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826275899.188765 C9ni9syojCRMsSjzd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826275959.183704 C0B0K22KRamKeoqSz6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826276019.182550 CY5kdp51F3oeCijJ9 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826276079.189208 CJKWcFBAgZzVVtF03 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826276139.187077 CY2VN44UarHiJwjbg6 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826276199.201536 CQxEWi1F3d6K4qjmb5 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826276259.191597 ChX0Vn4uasaGJIe7Fg 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826276319.218739 CxO0Uf4uUDyFU7u9l4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826276379.186349 CzY97244I3S03VcMdf 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826276439.283767 
Cl1tlc2gLRTcw4Bcw7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826276499.197714 CjhFfB1x1TpkFpuwN 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826276559.229740 CrGRrI1ZI7AGukEkUd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826276619.195407 CHkdVF40CArtrW2IMb 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826276679.191323 Ch7MMq0yqytJoNWpk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826276739.195159 C8INLO2H6kVl0oKAEc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826276799.217455 Cax5UJ3dNqfI1V9N38 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826276859.244611 CavCYn4sbKc30BxpQ7 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826276919.195650 Crf81W1wnKqCkmdQQk 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826276979.196463 CvGWHB3BSp1gpHFFKi 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826277039.286081 C0Q2If35e26kj6oqL4 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826277099.213676 CviTe74vjHLLx7AISe 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826277159.197878 Cf0ZeH1gKEDckEkJV1 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826277219.225014 C1hQrk1L844cx5tTNd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826277279.235554 CBP3Hu4RKc79x58Y2 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826277339.221727 CUbAnm2k9C1iEtTmgd 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +826277399.202051 CkWokd3nscpygp5lIc 128.3.140.132 2035 194.140.136.34 80 tcp - - - - RSTOS0 - - 0 R 1 40 0 0 - - - +#close 2018-01-12-21-45-00 
diff --git a/testing/btest/Baseline/scripts.policy.protocols.conn.vlan-logging/conn.log b/testing/btest/Baseline/scripts.policy.protocols.conn.vlan-logging/conn.log index 44f440c310..ae6d54784f 100644 --- a/testing/btest/Baseline/scripts.policy.protocols.conn.vlan-logging/conn.log +++ b/testing/btest/Baseline/scripts.policy.protocols.conn.vlan-logging/conn.log @@ -6,6 +6,6 @@ #open 2016-07-13-16-17-26 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents vlan inner_vlan #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] int int -1363900699.548138 CHhAvVGS1DHFjwGM9 172.19.51.37 47808 172.19.51.63 47808 udp - 0.000100 36 0 S0 - - 0 D 2 92 0 0 (empty) 13 10 -1363900699.549647 ClEkJM2Vm5giqnMf4h 193.1.186.60 9875 224.2.127.254 9875 udp - 0.000139 552 0 S0 - - 0 D 2 608 0 0 (empty) 13 10 +1363900699.548138 CHhAvVGS1DHFjwGM9 172.19.51.37 47808 172.19.51.63 47808 udp - 0.000100 36 0 S0 - - 0 D 2 92 0 0 - 13 10 +1363900699.549647 ClEkJM2Vm5giqnMf4h 193.1.186.60 9875 224.2.127.254 9875 udp - 0.000139 552 0 S0 - - 0 D 2 608 0 0 - 13 10 #close 2016-07-13-16-17-26 diff --git a/testing/btest/Baseline/scripts.policy.protocols.dhcp.known-devices-and-hostnames.basic/known_devices.log b/testing/btest/Baseline/scripts.policy.protocols.dhcp.known-devices-and-hostnames.basic/known_devices.log deleted file mode 100644 index 91d37f8950..0000000000 --- a/testing/btest/Baseline/scripts.policy.protocols.dhcp.known-devices-and-hostnames.basic/known_devices.log +++ /dev/null 
@@ -1,11 +0,0 @@ -#separator \x09 -#set_separator , -#empty_field (empty) -#unset_field - -#path known_devices -#open 2013-07-31-21-27-41 -#fields ts mac dhcp_host_name -#types time string string -1370200443.344965 90:b1:1c:99:49:29 btest.is.cool -1374432420.186878 90:b1:1c:99:49:29 (empty) -#close 2013-07-31-21-27-41 diff --git a/testing/btest/Baseline/scripts.policy.protocols.krb.ticket-logging/kerberos.log b/testing/btest/Baseline/scripts.policy.protocols.krb.ticket-logging/kerberos.log new file mode 100644 index 0000000000..5645378a7e --- /dev/null +++ b/testing/btest/Baseline/scripts.policy.protocols.krb.ticket-logging/kerberos.log @@ -0,0 +1,10 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path kerberos +#open 2017-02-22-05-02-14 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p request_type client service success error_msg from till cipher forwardable renewable client_cert_subject client_cert_fuid server_cert_subject server_cert_fuid auth_ticket new_ticket +#types time string addr port addr port string string string bool string time time string bool bool string string string string string string +1429583645.478441 CHhAvVGS1DHFjwGM9 192.168.1.31 64889 192.168.1.32 88 TGS vladg/VLADG.NET krbtgt/VLADG.NET T - - 0.000000 aes256-cts-hmac-sha1-96 T F - - - - a09fbd89918320cc12a26d4f0c4e6aa2 396a9d9e8975cc5024a83c6e86101f06 +#close 2017-02-22-05-02-14 diff --git a/testing/btest/Baseline/scripts.policy.protocols.ssh.detect-bruteforcing/notice.log b/testing/btest/Baseline/scripts.policy.protocols.ssh.detect-bruteforcing/notice.log index ee206db117..26aa4144c8 100644 --- a/testing/btest/Baseline/scripts.policy.protocols.ssh.detect-bruteforcing/notice.log +++ b/testing/btest/Baseline/scripts.policy.protocols.ssh.detect-bruteforcing/notice.log 
@@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path notice -#open 2015-03-30-15-43-30 +#open 2017-12-21-02-29-44 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude #types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] interval bool string string string double double -1427726711.398575 - - - - - - - - - SSH::Password_Guessing 192.168.56.1 appears to be guessing SSH passwords (seen in 10 connections). Sampled servers: 192.168.56.103, 192.168.56.103, 192.168.56.103, 192.168.56.103, 192.168.56.103 192.168.56.1 - - - bro Notice::ACTION_LOG 3600.000000 F - - - - - -#close 2015-03-30-15-43-30 +1427726759.303199 - - - - - - - - - SSH::Password_Guessing 192.168.56.1 appears to be guessing SSH passwords (seen in 10 connections). Sampled servers: 192.168.56.103, 192.168.56.103, 192.168.56.103, 192.168.56.103, 192.168.56.103 192.168.56.1 - - - - Notice::ACTION_LOG 3600.000000 F - - - - - +#close 2017-12-21-02-29-44 diff --git a/testing/btest/Baseline/scripts.policy.protocols.ssl.expiring-certs/notice.log b/testing/btest/Baseline/scripts.policy.protocols.ssl.expiring-certs/notice.log index bea2c1f280..cdfc85691a 100644 --- a/testing/btest/Baseline/scripts.policy.protocols.ssl.expiring-certs/notice.log +++ b/testing/btest/Baseline/scripts.policy.protocols.ssl.expiring-certs/notice.log 
@@ -3,9 +3,9 @@ #empty_field (empty) #unset_field - #path notice -#open 2016-07-13-16-17-27 +#open 2017-12-21-02-30-08 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude #types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] interval bool string string string double double -1394745603.293028 CHhAvVGS1DHFjwGM9 192.168.4.149 60539 87.98.220.10 443 F1fX1R2cDOzbvg17ye - - tcp SSL::Certificate_Expired Certificate CN=www.spidh.org,OU=COMODO SSL,OU=Domain Control Validated expired at 2014-03-04-23:59:59.000000000 - 192.168.4.149 87.98.220.10 443 - bro Notice::ACTION_LOG 86400.000000 F - - - - - -1394745619.197766 ClEkJM2Vm5giqnMf4h 192.168.4.149 60540 122.1.240.204 443 F6NAbK127LhNBaEe5c - - tcp SSL::Certificate_Expires_Soon Certificate CN=www.tobu-estate.com,OU=Terms of use at www.verisign.com/rpa (c)05,O=TOBU RAILWAY Co.\\,Ltd.,L=Sumida-ku,ST=Tokyo,C=JP is going to expire at 2014-03-14-23:59:59.000000000 - 192.168.4.149 122.1.240.204 443 - bro Notice::ACTION_LOG 86400.000000 F - - - - - -#close 2016-07-13-16-17-27 +1394745603.293028 CHhAvVGS1DHFjwGM9 192.168.4.149 60539 87.98.220.10 443 F1fX1R2cDOzbvg17ye - - tcp SSL::Certificate_Expired Certificate CN=www.spidh.org,OU=COMODO SSL,OU=Domain Control Validated expired at 2014-03-04-23:59:59.000000000 - 192.168.4.149 87.98.220.10 443 - - Notice::ACTION_LOG 86400.000000 F - - - - - +1394745619.197766 ClEkJM2Vm5giqnMf4h 192.168.4.149 60540 122.1.240.204 443 F6NAbK127LhNBaEe5c - - tcp SSL::Certificate_Expires_Soon Certificate CN=www.tobu-estate.com,OU=Terms of use at www.verisign.com/rpa (c)05,O=TOBU RAILWAY Co.\\,Ltd.,L=Sumida-ku,ST=Tokyo,C=JP is going to expire at 2014-03-14-23:59:59.000000000 - 192.168.4.149 122.1.240.204 443 - - 
Notice::ACTION_LOG 86400.000000 F - - - - - +#close 2017-12-21-02-30-08 diff --git a/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-encrypted-short.log b/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-encrypted-short.log index 3d38c0e4e1..dc1f0239e2 100644 --- a/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-encrypted-short.log +++ b/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-encrypted-short.log 
@@ -3,10 +3,10 @@ #empty_field (empty) #unset_field - #path notice -#open 2016-07-13-16-17-30 +#open 2017-12-21-02-30-25 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude #types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] interval bool string string string double double -1398954957.074664 CHhAvVGS1DHFjwGM9 192.168.4.149 54233 162.219.2.166 4443 - - - tcp Heartbleed::SSL_Heartbeat_Attack Heartbeat before ciphertext. Probable attack or scan. Length: 32, is_orig: 1 - 192.168.4.149 162.219.2.166 4443 32 bro Notice::ACTION_LOG 3600.000000 F - - - - - -1398954957.074664 CHhAvVGS1DHFjwGM9 192.168.4.149 54233 162.219.2.166 4443 - - - tcp Heartbleed::SSL_Heartbeat_Odd_Length Heartbeat message smaller than minimum required length. Probable attack. Message length: 32. Required length: 48. Cipher: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA. Cipher match: /^?(_256_CBC_SHA$)$?/ - 192.168.4.149 162.219.2.166 4443 32 bro Notice::ACTION_LOG 3600.000000 F - - - - - -1398954957.145535 CHhAvVGS1DHFjwGM9 192.168.4.149 54233 162.219.2.166 4443 - - - tcp Heartbleed::SSL_Heartbeat_Attack_Success An encrypted TLS heartbleed attack was probably detected! First packet client record length 32, first packet server record length 48. Time: 0.351035 - 192.168.4.149 162.219.2.166 4443 - bro Notice::ACTION_LOG 3600.000000 F - - - - - -#close 2016-07-13-16-17-30 +1398954957.074664 CHhAvVGS1DHFjwGM9 192.168.4.149 54233 162.219.2.166 4443 - - - tcp Heartbleed::SSL_Heartbeat_Attack Heartbeat before ciphertext. Probable attack or scan. 
Length: 32, is_orig: 1 - 192.168.4.149 162.219.2.166 4443 32 - Notice::ACTION_LOG 3600.000000 F - - - - - +1398954957.074664 CHhAvVGS1DHFjwGM9 192.168.4.149 54233 162.219.2.166 4443 - - - tcp Heartbleed::SSL_Heartbeat_Odd_Length Heartbeat message smaller than minimum required length. Probable attack. Message length: 32. Required length: 48. Cipher: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA. Cipher match: /^?(_256_CBC_SHA$)$?/ - 192.168.4.149 162.219.2.166 4443 32 - Notice::ACTION_LOG 3600.000000 F - - - - - +1398954957.145535 CHhAvVGS1DHFjwGM9 192.168.4.149 54233 162.219.2.166 4443 - - - tcp Heartbleed::SSL_Heartbeat_Attack_Success An encrypted TLS heartbleed attack was probably detected! First packet client record length 32, first packet server record length 48. Time: 0.351035 - 192.168.4.149 162.219.2.166 4443 - - Notice::ACTION_LOG 3600.000000 F - - - - - +#close 2017-12-21-02-30-25 diff --git a/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-encrypted-success.log b/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-encrypted-success.log index 2277c081e1..8a104974c4 100644 --- a/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-encrypted-success.log +++ b/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-encrypted-success.log 
@@ -3,10 +3,10 @@ #empty_field (empty) #unset_field - #path notice -#open 2016-07-13-16-17-29 +#open 2017-12-21-02-30-24 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude #types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] interval bool string string string double double -1397169549.882425 CHhAvVGS1DHFjwGM9 192.168.4.149 59676 107.170.241.107 443 - - - tcp Heartbleed::SSL_Heartbeat_Attack Heartbeat before ciphertext. Probable attack or scan. Length: 32, is_orig: 1 - 192.168.4.149 107.170.241.107 443 32 bro Notice::ACTION_LOG 3600.000000 F - - - - - -1397169549.882425 CHhAvVGS1DHFjwGM9 192.168.4.149 59676 107.170.241.107 443 - - - tcp Heartbleed::SSL_Heartbeat_Odd_Length Heartbeat message smaller than minimum required length. Probable attack. Message length: 32. Required length: 48. Cipher: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA. Cipher match: /^?(_256_CBC_SHA$)$?/ - 192.168.4.149 107.170.241.107 443 32 bro Notice::ACTION_LOG 3600.000000 F - - - - - -1397169549.895057 CHhAvVGS1DHFjwGM9 192.168.4.149 59676 107.170.241.107 443 - - - tcp Heartbleed::SSL_Heartbeat_Attack_Success An encrypted TLS heartbleed attack was probably detected! First packet client record length 32, first packet server record length 16416. Time: 0.035413 - 192.168.4.149 107.170.241.107 443 - bro Notice::ACTION_LOG 3600.000000 F - - - - - -#close 2016-07-13-16-17-29 +1397169549.882425 CHhAvVGS1DHFjwGM9 192.168.4.149 59676 107.170.241.107 443 - - - tcp Heartbleed::SSL_Heartbeat_Attack Heartbeat before ciphertext. Probable attack or scan. 
Length: 32, is_orig: 1 - 192.168.4.149 107.170.241.107 443 32 - Notice::ACTION_LOG 3600.000000 F - - - - - +1397169549.882425 CHhAvVGS1DHFjwGM9 192.168.4.149 59676 107.170.241.107 443 - - - tcp Heartbleed::SSL_Heartbeat_Odd_Length Heartbeat message smaller than minimum required length. Probable attack. Message length: 32. Required length: 48. Cipher: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA. Cipher match: /^?(_256_CBC_SHA$)$?/ - 192.168.4.149 107.170.241.107 443 32 - Notice::ACTION_LOG 3600.000000 F - - - - - +1397169549.895057 CHhAvVGS1DHFjwGM9 192.168.4.149 59676 107.170.241.107 443 - - - tcp Heartbleed::SSL_Heartbeat_Attack_Success An encrypted TLS heartbleed attack was probably detected! First packet client record length 32, first packet server record length 16416. Time: 0.035413 - 192.168.4.149 107.170.241.107 443 - - Notice::ACTION_LOG 3600.000000 F - - - - - +#close 2017-12-21-02-30-24 diff --git a/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-encrypted.log b/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-encrypted.log index 26e4b37722..0d56fcba8d 100644 --- a/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-encrypted.log +++ b/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-encrypted.log 
@@ -3,8 +3,8 @@ #empty_field (empty) #unset_field - #path notice -#open 2016-07-13-16-17-29 +#open 2017-12-21-02-30-23 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude #types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] interval bool string string string double double -1400106542.810248 CHhAvVGS1DHFjwGM9 54.221.166.250 56323 162.219.2.166 443 - - - tcp Heartbleed::SSL_Heartbeat_Attack Heartbeat before ciphertext. Probable attack or scan. Length: 86, is_orig: 1 - 54.221.166.250 162.219.2.166 443 86 bro Notice::ACTION_LOG 3600.000000 F - - - - - -#close 2016-07-13-16-17-29 +1400106542.810248 CHhAvVGS1DHFjwGM9 54.221.166.250 56323 162.219.2.166 443 - - - tcp Heartbleed::SSL_Heartbeat_Attack Heartbeat before ciphertext. Probable attack or scan. Length: 86, is_orig: 1 - 54.221.166.250 162.219.2.166 443 86 - Notice::ACTION_LOG 3600.000000 F - - - - - +#close 2017-12-21-02-30-23 diff --git a/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-heartbleed-success.log b/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-heartbleed-success.log index f5ef4dd565..4828b15af2 100644 --- a/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-heartbleed-success.log +++ b/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-heartbleed-success.log 
@@ -3,9 +3,9 @@ #empty_field (empty) #unset_field - #path notice -#open 2016-07-13-16-17-28 +#open 2017-12-21-02-30-22 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude #types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] interval bool string string string double double -1396976220.863714 CHhAvVGS1DHFjwGM9 173.203.79.216 41459 107.170.241.107 443 - - - tcp Heartbleed::SSL_Heartbeat_Attack An TLS heartbleed attack was detected! Record length 16368. Payload length 16365 - 173.203.79.216 107.170.241.107 443 - bro Notice::ACTION_LOG 3600.000000 F - - - - - -1396976220.918017 CHhAvVGS1DHFjwGM9 173.203.79.216 41459 107.170.241.107 443 - - - tcp Heartbleed::SSL_Heartbeat_Attack_Success An TLS heartbleed attack detected before was probably exploited. Message length: 16384. Payload length: 16365 - 173.203.79.216 107.170.241.107 443 - bro Notice::ACTION_LOG 3600.000000 F - - - - - -#close 2016-07-13-16-17-28 +1396976220.863714 CHhAvVGS1DHFjwGM9 173.203.79.216 41459 107.170.241.107 443 - - - tcp Heartbleed::SSL_Heartbeat_Attack An TLS heartbleed attack was detected! Record length 16368. Payload length 16365 - 173.203.79.216 107.170.241.107 443 - - Notice::ACTION_LOG 3600.000000 F - - - - - +1396976220.918017 CHhAvVGS1DHFjwGM9 173.203.79.216 41459 107.170.241.107 443 - - - tcp Heartbleed::SSL_Heartbeat_Attack_Success An TLS heartbleed attack detected before was probably exploited. Message length: 16384. Payload length: 16365 - 173.203.79.216 107.170.241.107 443 - - Notice::ACTION_LOG 3600.000000 F - - - - - +#close 2017-12-21-02-30-22 
diff --git a/testing/btest/Baseline/scripts.policy.protocols.ssl.validate-sct/.stdout b/testing/btest/Baseline/scripts.policy.protocols.ssl.validate-sct/.stdout new file mode 100644 index 0000000000..ec22e1c01b --- /dev/null +++ b/testing/btest/Baseline/scripts.policy.protocols.ssl.validate-sct/.stdout 
@@ -0,0 +1,17 @@ +[[version=0, logid=\xa4\xb9\x09\x90\xb4\x18X\x14\x87\xbb\x13\xa2\xccgp\x0a<5\x98\x04\xf9\x1b\xdf\xb8\xe3w\xcd\x0e\xc8\x0d\xdc\x10, timestamp=1406997753366, sig_alg=3, hash_alg=4, signature=0D\x02 \x1cK\x82]\x95ng[\xdb\x04\x95K\xf6\xce\xf42>\x86zz2\xab\x18`t\xde\x08\xda\x05\x91L/\x02 sT\x1bn\x7f\xa1\xb0}\x11\xbc\xe6\xf3\x85/\x97f\x1a\xf7\x8a\xe4\x10%\x8f\x12\xf4o9\x0f\xd2\x9e\x18\xf0, source=SSL::SCT_TLS_EXT, valid=T], [version=0, logid=h\xf6\x98\xf8\x1fd\x82\xbe:\x8c\xee\xb9(\x1dL\xfcqQ]g\x93\xd4D\xd1\x0ag\xac\xbbOO\xfb\xc4, timestamp=1407002457456, sig_alg=3, hash_alg=4, signature=0E\x02 2!\x148\x06\xd8r.\x000d\x1a\xe2\xe8mNZ\xe1\xd9B\x1e\x82K\x96%\x89\xd5&\x13\xd3\x9c\xfa\x02!\x00\x8f\x12(dQOD\xd5\x8c\x18b#\xb2C\x933\x05\xf3CU\xa1\xd9\xee\xcd\xc5q5\x91\xddI\xd1\x0b, source=SSL::SCT_TLS_EXT, valid=T], [version=0, logid=\xeeK\xbd\xb7u\xce`\xba\xe1Bi\x1f\xab\xe1\x9ef\xa3\x0f~_\xb0r\xd8\x83\x00\xc4{\x89z\xa8\xfd\xcb, timestamp=1410299366023, sig_alg=3, hash_alg=4, signature=0E\x02 )\x89\xd6\xb0S\xd3\xd2\xe9\x91\xbc\xf1\xb5@\xbe\x1e.\xe7\\xb4t'\xed\x8f\x9b\x02\xe9\xfa\xc2L\xba\xa2\xbe\x02!\x00\xafCdRq\x15)X@\x91\xc7\x08\x16\x96\x03\xa8s\xa5e\xa0l\xb8HVZ\xb6)\x83dm*\x9d, source=SSL::SCT_TLS_EXT, valid=T], [version=0, logid=\xa4\xb9\x09\x90\xb4\x18X\x14\x87\xbb\x13\xa2\xccgp\x0a<5\x98\x04\xf9\x1b\xdf\xb8\xe3w\xcd\x0e\xc8\x0d\xdc\x10, timestamp=1406997753366, sig_alg=3, hash_alg=4, signature=0D\x02 \x1cK\x82]\x95ng[\xdb\x04\x95K\xf6\xce\xf42>\x86zz2\xab\x18`t\xde\x08\xda\x05\x91L/\x02 sT\x1bn\x7f\xa1\xb0}\x11\xbc\xe6\xf3\x85/\x97f\x1a\xf7\x8a\xe4\x10%\x8f\x12\xf4o9\x0f\xd2\x9e\x18\xf0, source=SSL::SCT_OCSP_EXT, valid=T], [version=0, logid=h\xf6\x98\xf8\x1fd\x82\xbe:\x8c\xee\xb9(\x1dL\xfcqQ]g\x93\xd4D\xd1\x0ag\xac\xbbOO\xfb\xc4, timestamp=1407002457456, sig_alg=3, hash_alg=4, signature=0E\x02 
2!\x148\x06\xd8r.\x000d\x1a\xe2\xe8mNZ\xe1\xd9B\x1e\x82K\x96%\x89\xd5&\x13\xd3\x9c\xfa\x02!\x00\x8f\x12(dQOD\xd5\x8c\x18b#\xb2C\x933\x05\xf3CU\xa1\xd9\xee\xcd\xc5q5\x91\xddI\xd1\x0b, source=SSL::SCT_OCSP_EXT, valid=T]] +Google 'Pilot' log, T +Google 'Aviator' log, T +Google 'Rocketeer' log, T +Google 'Pilot' log, T +Google 'Aviator' log, T +[[version=0, logid=\xa4\xb9\x09\x90\xb4\x18X\x14\x87\xbb\x13\xa2\xccgp\x0a<5\x98\x04\xf9\x1b\xdf\xb8\xe3w\xcd\x0e\xc8\x0d\xdc\x10, timestamp=1487726002208, sig_alg=3, hash_alg=4, signature=0F\x02!\x00\x89\x82s\x17\xd9\xcbo\xcf\xc3\xba\x91{\xeb\xe8\xf1\xbe\xc8)\x97\x1e\xe8A\x99P\x00\xaa\xb4\x15\xd97\x93\xca\x02!\x00\xca\xcd\xec\x9e\x12\xeed/v\xf5\xc32\xba\x92S\xe0 }\x85k\xe7\xd4TRp\xe8\x8d~\xba\x9d\x12\x16, source=SSL::SCT_TLS_EXT, valid=T], [version=0, logid=\xac;\x9a\xed\x7f\xa9gGW\x15\x9em}WVr\xf9\xd9\x81\x00\x94\x1e\x9b\xde\xff\xec\xa11;ux-, timestamp=1487726003188, sig_alg=1, hash_alg=4, signature=\x04\xed\x08\xca\x8e\x1b\x8ba$\xe5\xe8{Y\x96'+\x06\x86\x87o\x1a=i5\x91\xc3\xfd\xf6\xbe\xeao;\xc8\x1c\x01j\xc0\x14\xea\x06\xd3\xe3#w,\x07\x06\xc3\xd0\xdc\xf2L:\xb0{\xfd.\x00\xdf\xc2\xb8w(\xaak\xfe^\xa0\x05\xe1\x84\xad\x1a!\xf2@/J\xcc\xcb8\xbb\xfa`;CF\F\x97t\xfew\xf5y\xfcZ\x08\xb82\x8c\x1dk, timestamp=1487726024253, sig_alg=3, hash_alg=4, signature=0F\x02!\x00\x99\x8c\xa5+u\xe1t\x08\x0a\xa9!\xed)\x9b\xb6\xccx\x8d0VN,RZ2\xd93\xdc\xa7 \xa5\xd3\x02!\x00\xc8\xde\x96\x8d\x02\xd6\xfcx\xdbM \x06\x1cq\xe5\x10\xe3 \x18B\\x1d1\x88\xb0\xeb\xf3\xf2\x9b\x99X\xb4, source=SSL::SCT_TLS_EXT, valid=T], [version=0, logid=V\x14\x06\x9a/\xd7\xc2\xec\xd3\xf5\xe1\xbdD\xb2>\xc7Fv\xb9\xbc\x99\x11\\xc0\xef\x94\x98U\xd6\x89\xd0\xdd, timestamp=1487726001197, sig_alg=3, hash_alg=4, signature=0E\x02 F\xc2\xfb\x02\xfd\xa3RNy_\x16^\xb54-S\x90\xdbK\x97\x87\x00\x93\xa1\x0d'\xc0<\xbeu\xc4\xab\x02!\x00\xb4\x93\xbb\xe2\xee\x14X\xd4\xcf\xa4\xc1\xd8\xcf\xdaAoaD\xf0\xbbM7\xdb\xb0\xec\xca\x0f\x18\xcbe\x8d\xe9, source=SSL::SCT_TLS_EXT, valid=T], [version=0, 
logid=\xeeK\xbd\xb7u\xce`\xba\xe1Bi\x1f\xab\xe1\x9ef\xa3\x0f~_\xb0r\xd8\x83\x00\xc4{\x89z\xa8\xfd\xcb, timestamp=1487726002855, sig_alg=3, hash_alg=4, signature=0D\x02 I\x06\xb4\x84Zo\xf49\x85\xd2\xbb\xc8\x8bb\x9b\xac\xbd\x84\x00\xf2f\xd0\x14\x0cV\x15_\xc7\x09&\xc1\x9f\x02 M\x0c\x05\x01ab\xe5\x97\xf9\xf8'\x02\xf4\x198\x97\xd2>xa\xc2\xda\xc1saw\xd8]\xc8\x97\xd6], source=SSL::SCT_TLS_EXT, valid=T], [version=0, logid=\xbb\xd9\xdf\xbc\x1f\x8aq\xb5\x93\x94#\x97\xaa\x92{G8W\x95\x0a\xabR\xe8\x1a\x90\x96d6\x8e\x1e\xd1\x85, timestamp=1487726000774, sig_alg=3, hash_alg=4, signature=0E\x02!\x00\xb1\x1atJ4\x80\xbd\xc5\x97\x7f(\xae^N\xe3WE-AO\x14X\x0aB\x1e\xc4\xb36\x00TVg\x02 o1hk\xec\x9fFG\xa4\xd2&\x97>E\x87\x7f\xcf\x1c\xc8\xdb>j\xc9\xde\xf5\x1e\x97\xf8\xc3e\xcc\x11, source=SSL::SCT_TLS_EXT, valid=T], [version=0, logid=\xa4\xb9\x09\x90\xb4\x18X\x14\x87\xbb\x13\xa2\xccgp\x0a<5\x98\x04\xf9\x1b\xdf\xb8\xe3w\xcd\x0e\xc8\x0d\xdc\x10, timestamp=1487725321667, sig_alg=3, hash_alg=4, signature=0E\x02 S\xc6N8\xf0\x84\xe5\xc8\xf5C\x87\xf6\xedU\x10\x0b}u2\xd2\x08+\x04\xbbS\xf6a\xc1\xb0\x94\x04\xc3\x02!\x00\xf4\xa2g\xa5!_\xee\x13\xd5\x0f\xd1\xb2\xe8o\x99\x10m\xa9\x0f\xd7W\xd5IH\xaa\x89\xdews\xe3=\x95, source=SSL::SCT_X509_EXT, valid=T], [version=0, logid=V\x14\x06\x9a/\xd7\xc2\xec\xd3\xf5\xe1\xbdD\xb2>\xc7Fv\xb9\xbc\x99\x11\\xc0\xef\x94\x98U\xd6\x89\xd0\xdd, timestamp=1487725322003, sig_alg=3, hash_alg=4, signature=0D\x02 \x04\x9d.\x13Q\xed\xed\xf1l\x9f\xa1\x94\x9dd\xfe\x9c0V|\xb6\xa8|9L5/\xaa\x19\xc7*\xed\xcf\x02 0\x0e+\xe3\xa4S\xfe\x85\xa6X\xcc\x06\xf2\x13\xe9\x0a\x87\xa0I\xdf\x8dr\x13xb\x12\x8c\xe6\xdd\x8f\xa8\xde, source=SSL::SCT_X509_EXT, valid=T], [version=0, logid=\xeeK\xbd\xb7u\xce`\xba\xe1Bi\x1f\xab\xe1\x9ef\xa3\x0f~_\xb0r\xd8\x83\x00\xc4{\x89z\xa8\xfd\xcb, timestamp=1487725322768, sig_alg=3, hash_alg=4, 
signature=0F\x02!\x00\xd37.:`\x98\x08\xb8\xf8\xc0\xad\xb1z\xe2]\x00\xb8\x08"\x97\xc8P\xeb1\x97\x16\x95!\xd0T\xb5\xd6\x02!\x00\xfe\xb8\xa3\xbf\x12\xb6%\x97\x9b\x0f\x0f\x9fc\xccP\xa0\x07\x0c\xe9\xf2\xda\xe9\\x0a\x8e\xeag\x8a\x131\x96?, source=SSL::SCT_X509_EXT, valid=T], [version=0, logid=\xbb\xd9\xdf\xbc\x1f\x8aq\xb5\x93\x94#\x97\xaa\x92{G8W\x95\x0a\xabR\xe8\x1a\x90\x96d6\x8e\x1e\xd1\x85, timestamp=1487725321891, sig_alg=3, hash_alg=4, signature=0F\x02!\x00\xe7\x14'\xc8\x03?\xfc\xf1\xc6\x86\xe4g\xb6s\x034<\xf0\x96\xf0\xe0\x1a\xb8\x953\xe0\xf8U\x1d\x1c\xbf\xe6\x02!\x00\xcag\xf24\xcc\x86\x1aYd\xfb{\x82N\xeb,\xa3\xecu\xf1i\x01\xbc\xd4b\x1a\x9e\xa8\xc4\xca\x8f\x01\x8b, source=SSL::SCT_X509_EXT, valid=T]] +Google 'Pilot' log, T +Venafi log, T +Venafi Gen2 CT log, T +DigiCert Log Server, T +Google 'Rocketeer' log, T +Google 'Skydiver' log, T +Google 'Pilot' log, T +DigiCert Log Server, T +Google 'Rocketeer' log, T +Google 'Skydiver' log, T diff --git a/testing/btest/Baseline/scripts.policy.protocols.ssl.validate-sct/ssl-all.log b/testing/btest/Baseline/scripts.policy.protocols.ssl.validate-sct/ssl-all.log new file mode 100644 index 0000000000..0696d31ffe --- /dev/null +++ b/testing/btest/Baseline/scripts.policy.protocols.ssl.validate-sct/ssl-all.log 
@@ -0,0 +1,20 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path ssl +#open 2017-03-22-01-52-35 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer validation_status valid_ct_logs valid_ct_operators +#types time string addr port addr port string string string string bool string string bool vector[string] vector[string] string string string string string count count +1484228945.191472 CHhAvVGS1DHFjwGM9 192.168.178.73 60640 97.107.139.108 443 TLSv12 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 secp256r1 ritter.vg F - http/1.1 T FDWgotac24NQJKrRi,FUHPFD4bNbAmVvzf99,FL5BECVkzTuWWefyh (empty) CN=ritter.vg,OU=PositiveSSL,OU=Domain Control Validated CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB - - ok 3 1 +#close 2017-03-22-01-52-35 +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path ssl +#open 2017-03-22-01-52-36 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer validation_status valid_ct_logs valid_ct_operators +#types time string addr port addr port string string string string bool string string bool vector[string] vector[string] string string string string string count count +1490146178.647622 CHhAvVGS1DHFjwGM9 192.168.17.58 51995 97.107.139.108 443 TLSv12 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 secp256r1 ritter.vg F - h2 T Fui6LM65IdSB9LD25,FIwxeCtbWPXg98zO1 (empty) CN=ritter.vg,O=Tom Ritter\\, LLC,L=Urbana,ST=Illinois,C=US,serialNumber=0600438893,jurisdictionST=New Jersey,jurisdictionC=US,businessCategory=Private Organization CN=DigiCert SHA2 Extended Validation Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US - - ok 6 3 
+#close 2017-03-22-01-52-36 diff --git a/testing/btest/Baseline/scripts.policy.protocols.ssl.weak-keys/notice-out.log b/testing/btest/Baseline/scripts.policy.protocols.ssl.weak-keys/notice-out.log index 42b62fc875..dddb66427d 100644 --- a/testing/btest/Baseline/scripts.policy.protocols.ssl.weak-keys/notice-out.log +++ b/testing/btest/Baseline/scripts.policy.protocols.ssl.weak-keys/notice-out.log 
@@ -3,31 +3,31 @@ #empty_field (empty) #unset_field - #path notice -#open 2016-07-13-16-17-36 +#open 2017-12-21-02-31-09 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude #types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] interval bool string string string double double -1398558136.430417 CHhAvVGS1DHFjwGM9 192.168.18.50 62277 162.219.2.166 443 - - - tcp SSL::Weak_Key Host uses weak DH parameters with 1024 key bits - 192.168.18.50 162.219.2.166 443 - bro Notice::ACTION_LOG 86400.000000 F - - - - - -1398558136.430417 CHhAvVGS1DHFjwGM9 192.168.18.50 62277 162.219.2.166 443 - - - tcp SSL::Weak_Key DH key length of 1024 bits is smaller certificate key length of 2048 bits - 192.168.18.50 162.219.2.166 443 - bro Notice::ACTION_LOG 86400.000000 F - - - - - -1398558136.542637 CHhAvVGS1DHFjwGM9 192.168.18.50 62277 162.219.2.166 443 - - - tcp SSL::Weak_Key Host uses weak certificate with 2048 bit key - 192.168.18.50 162.219.2.166 443 - bro Notice::ACTION_LOG 86400.000000 F - - - - - -#close 2016-07-13-16-17-36 +1398558136.430417 CHhAvVGS1DHFjwGM9 192.168.18.50 62277 162.219.2.166 443 - - - tcp SSL::Weak_Key Host uses weak DH parameters with 1024 key bits - 192.168.18.50 162.219.2.166 443 - - Notice::ACTION_LOG 86400.000000 F - - - - - +1398558136.430417 CHhAvVGS1DHFjwGM9 192.168.18.50 62277 162.219.2.166 443 - - - tcp SSL::Weak_Key DH key length of 1024 bits is smaller certificate key length of 2048 bits - 192.168.18.50 162.219.2.166 443 - - Notice::ACTION_LOG 86400.000000 F - - - - - +1398558136.542637 CHhAvVGS1DHFjwGM9 192.168.18.50 62277 162.219.2.166 443 - - - tcp SSL::Weak_Key Host uses weak certificate with 2048 bit key - 192.168.18.50 162.219.2.166 443 - - 
Notice::ACTION_LOG 86400.000000 F - - - - - +#close 2017-12-21-02-31-09 #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path notice -#open 2016-07-13-16-17-36 +#open 2017-12-21-02-31-10 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude #types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] interval bool string string string double double -1397165496.713940 CHhAvVGS1DHFjwGM9 192.168.4.149 59062 91.227.4.92 443 - - - tcp SSL::Old_Version Host uses protocol version SSLv2 which is lower than the safe minimum TLSv10 - 192.168.4.149 91.227.4.92 443 - bro Notice::ACTION_LOG 86400.000000 F - - - - - -#close 2016-07-13-16-17-36 +1397165496.713940 CHhAvVGS1DHFjwGM9 192.168.4.149 59062 91.227.4.92 443 - - - tcp SSL::Old_Version Host uses protocol version SSLv2 which is lower than the safe minimum TLSv10 - 192.168.4.149 91.227.4.92 443 - - Notice::ACTION_LOG 86400.000000 F - - - - - +#close 2017-12-21-02-31-10 #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path notice -#open 2016-07-13-16-17-37 +#open 2017-12-21-02-31-11 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude #types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] interval bool string string string double double -1170717505.734145 CHhAvVGS1DHFjwGM9 192.150.187.164 58868 194.127.84.106 443 - - - tcp SSL::Weak_Cipher Host established connection using unsafe ciper suite 
TLS_RSA_WITH_RC4_128_MD5 - 192.150.187.164 194.127.84.106 443 - bro Notice::ACTION_LOG 86400.000000 F - - - - - -1170717505.934612 CHhAvVGS1DHFjwGM9 192.150.187.164 58868 194.127.84.106 443 - - - tcp SSL::Weak_Key Host uses weak certificate with 1024 bit key - 192.150.187.164 194.127.84.106 443 - bro Notice::ACTION_LOG 86400.000000 F - - - - - -#close 2016-07-13-16-17-37 +1170717505.734145 CHhAvVGS1DHFjwGM9 192.150.187.164 58868 194.127.84.106 443 - - - tcp SSL::Weak_Cipher Host established connection using unsafe ciper suite TLS_RSA_WITH_RC4_128_MD5 - 192.150.187.164 194.127.84.106 443 - - Notice::ACTION_LOG 86400.000000 F - - - - - +1170717505.934612 CHhAvVGS1DHFjwGM9 192.150.187.164 58868 194.127.84.106 443 - - - tcp SSL::Weak_Key Host uses weak certificate with 1024 bit key - 192.150.187.164 194.127.84.106 443 - - Notice::ACTION_LOG 86400.000000 F - - - - - +#close 2017-12-21-02-31-11 diff --git a/testing/btest/Baseline/signatures.eval-condition-no-return-value/.stderr b/testing/btest/Baseline/signatures.eval-condition-no-return-value/.stderr new file mode 100644 index 0000000000..a5c39c9247 --- /dev/null +++ b/testing/btest/Baseline/signatures.eval-condition-no-return-value/.stderr @@ -0,0 +1,3 @@ +1329843162.083353 warning: non-void function returns without a value: mark_conn +1329843164.920456 warning: non-void function returns without a value: mark_conn +1329843200.079930 warning: non-void function returns without a value: mark_conn diff --git a/testing/btest/Baseline/signatures.eval-condition-no-return-value/.stdout b/testing/btest/Baseline/signatures.eval-condition-no-return-value/.stdout new file mode 100644 index 0000000000..9f4b814adb --- /dev/null +++ b/testing/btest/Baseline/signatures.eval-condition-no-return-value/.stdout @@ -0,0 +1,3 @@ +Called +Called +Called diff --git a/testing/btest/Baseline/signatures.eval-condition/conn.log b/testing/btest/Baseline/signatures.eval-condition/conn.log index 3350f2d588..ff4e18c846 100644 
--- a/testing/btest/Baseline/signatures.eval-condition/conn.log +++ b/testing/btest/Baseline/signatures.eval-condition/conn.log @@ -6,9 +6,9 @@ #open 2016-07-13-16-17-38 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] -1329843175.736107 ClEkJM2Vm5giqnMf4h 141.142.220.235 37604 199.233.217.249 56666 tcp ftp-data 0.112432 0 342 SF - - 0 ShAdfFa 4 216 4 562 (empty) -1329843179.871641 C4J4Th3PJpwUYZZ6gc 141.142.220.235 59378 199.233.217.249 56667 tcp ftp-data 0.111218 0 77 SF - - 0 ShAdfFa 4 216 4 297 (empty) -1329843194.151526 CtPZjS20MLrsMUOJi2 199.233.217.249 61920 141.142.220.235 33582 tcp ftp-data 0.056211 342 0 SF - - 0 ShADaFf 5 614 3 164 (empty) -1329843197.783443 CUM0KZ3MLUfNB0cl11 199.233.217.249 61918 141.142.220.235 37835 tcp ftp-data 0.056005 77 0 SF - - 0 ShADaFf 5 349 3 164 (empty) -1329843161.968492 CHhAvVGS1DHFjwGM9 141.142.220.235 50003 199.233.217.249 21 tcp ftp,blah 38.055625 180 3146 SF - - 0 ShAdDfFa 38 2164 25 4458 (empty) +1329843175.736107 ClEkJM2Vm5giqnMf4h 141.142.220.235 37604 199.233.217.249 56666 tcp ftp-data 0.112432 0 342 SF - - 0 ShAdfFa 4 216 4 562 - +1329843179.871641 C4J4Th3PJpwUYZZ6gc 141.142.220.235 59378 199.233.217.249 56667 tcp ftp-data 0.111218 0 77 SF - - 0 ShAdfFa 4 216 4 297 - +1329843194.151526 CtPZjS20MLrsMUOJi2 199.233.217.249 61920 141.142.220.235 33582 tcp ftp-data 0.056211 342 0 SF - - 0 ShADaFf 5 614 3 164 - +1329843197.783443 CUM0KZ3MLUfNB0cl11 199.233.217.249 61918 141.142.220.235 37835 tcp ftp-data 0.056005 77 0 SF - - 0 ShADaFf 5 349 3 164 - +1329843161.968492 CHhAvVGS1DHFjwGM9 141.142.220.235 50003 199.233.217.249 21 tcp ftp,blah 38.055625 180 3146 SF - - 0 ShAdDfFa 38 2164 25 4458 - #close 2016-07-13-16-17-38 
diff --git a/testing/btest/Baseline/signatures.load-sigs/output b/testing/btest/Baseline/signatures.load-sigs/output index 52e0eeb92c..d58d0c0a39 100644 --- a/testing/btest/Baseline/signatures.load-sigs/output +++ b/testing/btest/Baseline/signatures.load-sigs/output @@ -1,3 +1,3 @@ [orig_h=141.142.220.118, orig_p=35642/tcp, resp_h=208.80.152.2, resp_p=80/tcp] works -GET /images/wikimedia-button.png HTTP/1.1\x0d\x0aHost: meta.wikimedia.org\x0d\x0aUser-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Geck... +GET /images/wikimedia-button.png HTTP/1.1\x0d\x0aHost: meta.wikimedia.org\x0d\x0aUser-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15\x0d\x0aAccept: image/png,image/*;q=0.8,*/*;q=0.5\x0d\x0aAccept-Language: en-us,en;q=0.5\x0d\x0aAccept-Encoding: gzip,deflate\x0d\x0aAccept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\x0d\x0aKeep-Alive: 115\x0d\x0aConnection: keep-alive\x0d\x0aReferer: http://www.wikipedia.org/\x0d\x0aIf-Modified-Since: Fri, 05 Nov 2010 16:00:03 GMT\x0d\x0aIf-None-Match: "97a-494505e0c46c0"\x0d\x0aCache-Control: max-age=0\x0d\x0a\x0d\x0a diff --git a/testing/btest/Makefile b/testing/btest/Makefile index 56bf8f0a7e..c6f2438ad1 100644 --- a/testing/btest/Makefile +++ b/testing/btest/Makefile @@ -1,6 +1,7 @@ DIAG=diag.log BTEST=../../aux/btest/btest +SCRIPT_COV=.tmp/script-coverage all: cleanup btest-verbose coverage @@ -15,11 +16,12 @@ btest-brief: @$(BTEST) -j -b -f $(DIAG) coverage: - @../scripts/coverage-calc ".tmp/script-coverage*" coverage.log `pwd`/../../scripts + @../scripts/coverage-calc "$(SCRIPT_COV)/*" coverage.log `pwd`/../../scripts cleanup: @rm -f $(DIAG) - @rm -f .tmp/script-coverage* + @rm -rf $(SCRIPT_COV)* + @find ../../ -name "*.gcda" -exec rm {} \; distclean: cleanup @rm -rf .btest.failed.dat \ 
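Review bot: In the `cleanup` recipe of testing/btest/Makefile, `@rm -rf $(SCRIPT_COV)*` becomes `rm -rf *` inside testing/btest if `SCRIPT_COV` is ever overridden to an empty value on the make command line. The old line used a literal path and a non-recursive `rm -f`, so this exposure is new. A guard such as `@test -n "$(SCRIPT_COV)" && rm -rf "$(SCRIPT_COV)"*` keeps the recursive delete confined to the coverage path. The added `@find ../../ -name "*.gcda" -exec rm {} \;` walks the whole checkout and starts one `rm` per match; `@find ../../ -type f -name "*.gcda" -exec rm -f {} +` batches the deletions and skips non-files. The `distclean` recipe continues past the end of the hunk.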
diff --git a/testing/btest/Traces/arp-leak.pcap b/testing/btest/Traces/arp-leak.pcap new file mode 100644 index 0000000000..a49919258d Binary files /dev/null and b/testing/btest/Traces/arp-leak.pcap differ diff --git a/testing/btest/Traces/arp-who-has-radiotap.pcap b/testing/btest/Traces/arp-who-has-radiotap.pcap new file mode 100644 index 0000000000..4f53210919 Binary files /dev/null and b/testing/btest/Traces/arp-who-has-radiotap.pcap differ diff --git a/testing/btest/Traces/arp-who-has-wlanmon.pcap b/testing/btest/Traces/arp-who-has-wlanmon.pcap new file mode 100644 index 0000000000..7d54788f2a Binary files /dev/null and b/testing/btest/Traces/arp-who-has-wlanmon.pcap differ diff --git a/testing/btest/Traces/cisco-fabric-path.pcap b/testing/btest/Traces/cisco-fabric-path.pcap new file mode 100644 index 0000000000..f238a0600d Binary files /dev/null and b/testing/btest/Traces/cisco-fabric-path.pcap differ diff --git a/testing/btest/Traces/contentline-irc-5k-line.pcap b/testing/btest/Traces/contentline-irc-5k-line.pcap new file mode 100644 index 0000000000..94c8815af2 Binary files /dev/null and b/testing/btest/Traces/contentline-irc-5k-line.pcap differ diff --git a/testing/btest/Traces/dhcp/dhcp_ack_subscriber_id_and_agent_remote_id.trace b/testing/btest/Traces/dhcp/dhcp_ack_subscriber_id_and_agent_remote_id.trace new file mode 100644 index 0000000000..b5e72d4735 Binary files /dev/null and b/testing/btest/Traces/dhcp/dhcp_ack_subscriber_id_and_agent_remote_id.trace differ diff --git a/testing/btest/Traces/dhcp/dhcp_discover_param_req_and_client_id.trace b/testing/btest/Traces/dhcp/dhcp_discover_param_req_and_client_id.trace new file mode 100644 index 0000000000..bfdbb54c01 Binary files /dev/null and b/testing/btest/Traces/dhcp/dhcp_discover_param_req_and_client_id.trace differ 
diff --git a/testing/btest/Traces/dnp3/dnp3_udp_en_spon.pcap b/testing/btest/Traces/dnp3/dnp3_udp_en_spon.pcap index 79881f62e7..f9e6078f51 100755 Binary files a/testing/btest/Traces/dnp3/dnp3_udp_en_spon.pcap and b/testing/btest/Traces/dnp3/dnp3_udp_en_spon.pcap differ diff --git a/testing/btest/Traces/dnp3/dnp3_udp_read.pcap b/testing/btest/Traces/dnp3/dnp3_udp_read.pcap index 7bc9d4add2..f089d12f51 100755 Binary files a/testing/btest/Traces/dnp3/dnp3_udp_read.pcap and b/testing/btest/Traces/dnp3/dnp3_udp_read.pcap differ diff --git a/testing/btest/Traces/dnp3/dnp3_udp_select_operate.pcap b/testing/btest/Traces/dnp3/dnp3_udp_select_operate.pcap index 384b5137d6..70b0e2cde4 100755 Binary files a/testing/btest/Traces/dnp3/dnp3_udp_select_operate.pcap and b/testing/btest/Traces/dnp3/dnp3_udp_select_operate.pcap differ diff --git a/testing/btest/Traces/dnp3/dnp3_udp_write.pcap b/testing/btest/Traces/dnp3/dnp3_udp_write.pcap index a2dd31b3b7..dc9125f691 100755 Binary files a/testing/btest/Traces/dnp3/dnp3_udp_write.pcap and b/testing/btest/Traces/dnp3/dnp3_udp_write.pcap differ diff --git a/testing/btest/Traces/dns-huge-ttl.pcap b/testing/btest/Traces/dns-huge-ttl.pcap index 27849b904b..5e9afdaf96 100644 Binary files a/testing/btest/Traces/dns-huge-ttl.pcap and b/testing/btest/Traces/dns-huge-ttl.pcap differ diff --git a/testing/btest/Traces/erspan.trace b/testing/btest/Traces/erspan.trace new file mode 100644 index 0000000000..64382645ec Binary files /dev/null and b/testing/btest/Traces/erspan.trace differ diff --git a/testing/btest/Traces/http/content-range-less-than-len.pcap b/testing/btest/Traces/http/content-range-less-than-len.pcap new file mode 100755 index 0000000000..53ca520e83 Binary files /dev/null and b/testing/btest/Traces/http/content-range-less-than-len.pcap differ 
diff --git a/testing/btest/Traces/http/fake-content-length.pcap b/testing/btest/Traces/http/fake-content-length.pcap new file mode 100755 index 0000000000..fc1ac91c1c Binary files /dev/null and b/testing/btest/Traces/http/fake-content-length.pcap differ diff --git a/testing/btest/Traces/http/percent-end-of-line.pcap b/testing/btest/Traces/http/percent-end-of-line.pcap new file mode 100644 index 0000000000..4d3854241a Binary files /dev/null and b/testing/btest/Traces/http/percent-end-of-line.pcap differ diff --git a/testing/btest/Traces/http/websocket.pcap b/testing/btest/Traces/http/websocket.pcap new file mode 100644 index 0000000000..0a71c8a77d Binary files /dev/null and b/testing/btest/Traces/http/websocket.pcap differ diff --git a/testing/btest/Traces/http/x-gzip.pcap b/testing/btest/Traces/http/x-gzip.pcap new file mode 100755 index 0000000000..7c89026cc5 Binary files /dev/null and b/testing/btest/Traces/http/x-gzip.pcap differ diff --git a/testing/btest/Traces/krb/smb2_krb.keytab b/testing/btest/Traces/krb/smb2_krb.keytab new file mode 100644 index 0000000000..0f637c1ef0 Binary files /dev/null and b/testing/btest/Traces/krb/smb2_krb.keytab differ diff --git a/testing/btest/Traces/krb/smb2_krb.pcap b/testing/btest/Traces/krb/smb2_krb.pcap new file mode 100755 index 0000000000..0f726f45d7 Binary files /dev/null and b/testing/btest/Traces/krb/smb2_krb.pcap differ diff --git a/testing/btest/Traces/krb/smb_gssapi.trace b/testing/btest/Traces/krb/smb_gssapi.trace new file mode 100755 index 0000000000..140ce3a914 Binary files /dev/null and b/testing/btest/Traces/krb/smb_gssapi.trace differ diff --git a/testing/btest/Traces/modbus/4SICS-GeekLounge-151022-min.pcap b/testing/btest/Traces/modbus/4SICS-GeekLounge-151022-min.pcap new file mode 100755 index 0000000000..71a8ae1579 Binary files /dev/null and b/testing/btest/Traces/modbus/4SICS-GeekLounge-151022-min.pcap differ 
diff --git a/testing/btest/Traces/mount/mount_base.pcap b/testing/btest/Traces/mount/mount_base.pcap new file mode 100644 index 0000000000..0d71878424 Binary files /dev/null and b/testing/btest/Traces/mount/mount_base.pcap differ diff --git a/testing/btest/Traces/ncp.pcap b/testing/btest/Traces/ncp.pcap new file mode 100644 index 0000000000..d8c61b3683 Binary files /dev/null and b/testing/btest/Traces/ncp.pcap differ diff --git a/testing/btest/Traces/nfs/nfs_base.pcap b/testing/btest/Traces/nfs/nfs_base.pcap new file mode 100644 index 0000000000..0d71878424 Binary files /dev/null and b/testing/btest/Traces/nfs/nfs_base.pcap differ diff --git a/testing/btest/Traces/pppoe-over-qinq.pcap b/testing/btest/Traces/pppoe-over-qinq.pcap new file mode 100644 index 0000000000..10e1429d0c Binary files /dev/null and b/testing/btest/Traces/pppoe-over-qinq.pcap differ diff --git a/testing/btest/Traces/radius/radius_localhost.pcapng b/testing/btest/Traces/radius/radius_localhost.pcapng new file mode 100644 index 0000000000..0de5c46dcd Binary files /dev/null and b/testing/btest/Traces/radius/radius_localhost.pcapng differ diff --git a/testing/btest/Traces/smb/smb1_transaction2_request.pcap b/testing/btest/Traces/smb/smb1_transaction2_request.pcap new file mode 100644 index 0000000000..564579597e Binary files /dev/null and b/testing/btest/Traces/smb/smb1_transaction2_request.pcap differ diff --git a/testing/btest/Traces/smb/smb1_transaction2_secondary_request.pcap b/testing/btest/Traces/smb/smb1_transaction2_secondary_request.pcap new file mode 100644 index 0000000000..923b9e0bbc Binary files /dev/null and b/testing/btest/Traces/smb/smb1_transaction2_secondary_request.pcap differ diff --git a/testing/btest/Traces/smb/smb1_transaction_request.pcap b/testing/btest/Traces/smb/smb1_transaction_request.pcap new file mode 100644 index 0000000000..e234ec4e76 Binary files /dev/null and b/testing/btest/Traces/smb/smb1_transaction_request.pcap differ 
diff --git a/testing/btest/Traces/smb/smb1_transaction_response.pcap b/testing/btest/Traces/smb/smb1_transaction_response.pcap new file mode 100644 index 0000000000..c28689b76c Binary files /dev/null and b/testing/btest/Traces/smb/smb1_transaction_response.pcap differ diff --git a/testing/btest/Traces/smb/smb1_transaction_secondary_request.pcap b/testing/btest/Traces/smb/smb1_transaction_secondary_request.pcap new file mode 100644 index 0000000000..4236b140d5 Binary files /dev/null and b/testing/btest/Traces/smb/smb1_transaction_secondary_request.pcap differ diff --git a/testing/btest/Traces/ssh/ssh_kex_curve25519.pcap b/testing/btest/Traces/ssh/ssh_kex_curve25519.pcap new file mode 100644 index 0000000000..ed31228eec Binary files /dev/null and b/testing/btest/Traces/ssh/ssh_kex_curve25519.pcap differ diff --git a/testing/btest/Traces/tls/certificate-with-sct.pcap b/testing/btest/Traces/tls/certificate-with-sct.pcap new file mode 100644 index 0000000000..0b6c1b166e Binary files /dev/null and b/testing/btest/Traces/tls/certificate-with-sct.pcap differ diff --git a/testing/btest/Traces/tls/chrome-63.0.3211.0-canary-tls_experiment.pcap b/testing/btest/Traces/tls/chrome-63.0.3211.0-canary-tls_experiment.pcap new file mode 100644 index 0000000000..2b8040b109 Binary files /dev/null and b/testing/btest/Traces/tls/chrome-63.0.3211.0-canary-tls_experiment.pcap differ diff --git a/testing/btest/Traces/tls/dtls-openssl.pcap b/testing/btest/Traces/tls/dtls1_0.pcap similarity index 100% rename from testing/btest/Traces/tls/dtls-openssl.pcap rename to testing/btest/Traces/tls/dtls1_0.pcap diff --git a/testing/btest/Traces/tls/dtls1_2.pcap b/testing/btest/Traces/tls/dtls1_2.pcap new file mode 100644 index 0000000000..a8ce0f92d5 Binary files /dev/null and b/testing/btest/Traces/tls/dtls1_2.pcap differ 
diff --git a/testing/btest/Traces/tls/ocsp-http-get.pcap b/testing/btest/Traces/tls/ocsp-http-get.pcap new file mode 100644 index 0000000000..e264d59f2b Binary files /dev/null and b/testing/btest/Traces/tls/ocsp-http-get.pcap differ diff --git a/testing/btest/Traces/tls/ocsp-request-only.pcap b/testing/btest/Traces/tls/ocsp-request-only.pcap new file mode 100644 index 0000000000..1d4e85da07 Binary files /dev/null and b/testing/btest/Traces/tls/ocsp-request-only.pcap differ diff --git a/testing/btest/Traces/tls/ocsp-request-response.pcap b/testing/btest/Traces/tls/ocsp-request-response.pcap new file mode 100644 index 0000000000..77306ea190 Binary files /dev/null and b/testing/btest/Traces/tls/ocsp-request-response.pcap differ diff --git a/testing/btest/Traces/tls/ocsp-response-only.pcap b/testing/btest/Traces/tls/ocsp-response-only.pcap new file mode 100644 index 0000000000..63fbdde25a Binary files /dev/null and b/testing/btest/Traces/tls/ocsp-response-only.pcap differ diff --git a/testing/btest/Traces/tls/ocsp-revoked.pcap b/testing/btest/Traces/tls/ocsp-revoked.pcap new file mode 100644 index 0000000000..a2cd4509ad Binary files /dev/null and b/testing/btest/Traces/tls/ocsp-revoked.pcap differ diff --git a/testing/btest/Traces/tls/signed_certificate_timestamp-2.pcap b/testing/btest/Traces/tls/signed_certificate_timestamp-2.pcap new file mode 100644 index 0000000000..6d19d32049 Binary files /dev/null and b/testing/btest/Traces/tls/signed_certificate_timestamp-2.pcap differ diff --git a/testing/btest/Traces/tls/signed_certificate_timestamp.pcap b/testing/btest/Traces/tls/signed_certificate_timestamp.pcap new file mode 100644 index 0000000000..50efed9cea Binary files /dev/null and b/testing/btest/Traces/tls/signed_certificate_timestamp.pcap differ 
diff --git a/testing/btest/Traces/tls/signed_certificate_timestamp_tls1_0.pcap b/testing/btest/Traces/tls/signed_certificate_timestamp_tls1_0.pcap new file mode 100644 index 0000000000..4cd9fdcd5b Binary files /dev/null and b/testing/btest/Traces/tls/signed_certificate_timestamp_tls1_0.pcap differ diff --git a/testing/btest/Traces/tls/tls-13draft19-early-data.pcap b/testing/btest/Traces/tls/tls-13draft19-early-data.pcap new file mode 100644 index 0000000000..042ca6aaf6 Binary files /dev/null and b/testing/btest/Traces/tls/tls-13draft19-early-data.pcap differ diff --git a/testing/btest/Traces/tls/tls13draft23-chrome67.0.3368.0-canary.pcap b/testing/btest/Traces/tls/tls13draft23-chrome67.0.3368.0-canary.pcap new file mode 100644 index 0000000000..15c80ef849 Binary files /dev/null and b/testing/btest/Traces/tls/tls13draft23-chrome67.0.3368.0-canary.pcap differ diff --git a/testing/btest/Traces/tls/tls1_1.pcap b/testing/btest/Traces/tls/tls1_1.pcap new file mode 100644 index 0000000000..36ad52c664 Binary files /dev/null and b/testing/btest/Traces/tls/tls1_1.pcap differ diff --git a/testing/btest/Traces/trunc/ipv4-internally-truncated-header.pcap b/testing/btest/Traces/trunc/ipv4-internally-truncated-header.pcap new file mode 100644 index 0000000000..b7ba9f11f8 Binary files /dev/null and b/testing/btest/Traces/trunc/ipv4-internally-truncated-header.pcap differ diff --git a/testing/btest/Traces/trunc/ipv4-truncated-broken-header.pcap b/testing/btest/Traces/trunc/ipv4-truncated-broken-header.pcap new file mode 100644 index 0000000000..8dba9bb46c Binary files /dev/null and b/testing/btest/Traces/trunc/ipv4-truncated-broken-header.pcap differ diff --git a/testing/btest/Traces/trunc/mpls-6in6-6in6-4in6-trunc.pcap b/testing/btest/Traces/trunc/mpls-6in6-6in6-4in6-trunc.pcap new file mode 100644 index 0000000000..afd07cbf6b Binary files /dev/null and b/testing/btest/Traces/trunc/mpls-6in6-6in6-4in6-trunc.pcap differ 
diff --git a/testing/btest/Traces/trunc/mpls-6in6-broken.pcap.gz b/testing/btest/Traces/trunc/mpls-6in6-broken.pcap.gz new file mode 100644 index 0000000000..af717b19c4 Binary files /dev/null and b/testing/btest/Traces/trunc/mpls-6in6-broken.pcap.gz differ diff --git a/testing/btest/Traces/trunc/trunc-hdr.pcap b/testing/btest/Traces/trunc/trunc-hdr.pcap index 0ab12ee6c7..689128f2bb 100644 Binary files a/testing/btest/Traces/trunc/trunc-hdr.pcap and b/testing/btest/Traces/trunc/trunc-hdr.pcap differ diff --git a/testing/btest/Traces/tunnels/gre-pptp.pcap b/testing/btest/Traces/tunnels/gre-pptp.pcap new file mode 100644 index 0000000000..45216c7f7a Binary files /dev/null and b/testing/btest/Traces/tunnels/gre-pptp.pcap differ diff --git a/testing/btest/Traces/tunnels/mpls-6in6-6in6-4in6-invalid-version-4.pcap b/testing/btest/Traces/tunnels/mpls-6in6-6in6-4in6-invalid-version-4.pcap new file mode 100644 index 0000000000..a71c0453c2 Binary files /dev/null and b/testing/btest/Traces/tunnels/mpls-6in6-6in6-4in6-invalid-version-4.pcap differ diff --git a/testing/btest/Traces/tunnels/mpls-6in6-6in6-invalid-version-6.pcap b/testing/btest/Traces/tunnels/mpls-6in6-6in6-invalid-version-6.pcap new file mode 100644 index 0000000000..5588092588 Binary files /dev/null and b/testing/btest/Traces/tunnels/mpls-6in6-6in6-invalid-version-6.pcap differ diff --git a/testing/btest/Traces/wlanmon.pcap b/testing/btest/Traces/wlanmon.pcap new file mode 100644 index 0000000000..a940ea1046 Binary files /dev/null and b/testing/btest/Traces/wlanmon.pcap differ diff --git a/testing/btest/bifs/directory_operations.bro b/testing/btest/bifs/directory_operations.bro new file mode 100644 index 0000000000..9db34511b2 --- /dev/null +++ b/testing/btest/bifs/directory_operations.bro 
@@ -0,0 +1,24 @@ +# +# @TEST-EXEC: bro -b %INPUT >out +# @TEST-EXEC: btest-diff out + +event bro_init() + { + # Test succesful operations... + print mkdir("testdir"); + print mkdir("testdir"); + local a = open("testdir/testfile"); + close(a); + print rename("testdir/testfile", "testdir/testfile2"); + print rename("testdir", "testdir2"); + print unlink("testdir2/testfile2"); + print rmdir("testdir2"); + + + print unlink("nonexisting"); + print rename("a", "b"); + print rmdir("nonexisting"); + a = open("testfile"); + close(a); + print mkdir("testfile"); + } diff --git a/testing/btest/bifs/dump_current_packet.bro b/testing/btest/bifs/dump_current_packet.bro new file mode 100644 index 0000000000..61c96384e4 --- /dev/null +++ b/testing/btest/bifs/dump_current_packet.bro @@ -0,0 +1,13 @@ +# @TEST-EXEC: bro -b -r $TRACES/wikipedia.trace %INPUT +# @TEST-EXEC: btest-diff 1.pcap +# @TEST-EXEC: btest-diff 2.pcap + +global i: count = 0; + +event new_packet(c: connection, p: pkt_hdr) + { + ++i; + dump_current_packet(cat(i, ".pcap")); + if ( i >= 3 ) + terminate(); + } diff --git a/testing/btest/bifs/hll_large_estimate.bro b/testing/btest/bifs/hll_large_estimate.bro index 6a8c0f6e08..b17b50678d 100644 --- a/testing/btest/bifs/hll_large_estimate.bro +++ b/testing/btest/bifs/hll_large_estimate.bro @@ -1,14 +1,14 @@ # # Test the quality of HLL once by checking adding a large number of IP entries. # -# @TEST-EXEC: bro %INPUT > out -# @TEST-EXEC: BRO_SEED_FILE="" bro %INPUT > out2 +# @TEST-EXEC: bro -b %INPUT > out +# @TEST-EXEC: BRO_SEED_FILE="" bro -b %INPUT > out2 # @TEST-EXEC: head -n1 out2 >> out # @TEST-EXEC: btest-diff out event bro_init() { - local cp: opaque of cardinality = hll_cardinality_init(0.1, 0.99); + local cp: opaque of cardinality = hll_cardinality_init(0.1, 1.0); local base: count = 2130706432; # 127.0.0.0 local i: count = 0; while ( ++i < 170000 ) 
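Review bot: The second group of calls in bro_init() of directory_operations.bro, from `print unlink("nonexisting");` to `print mkdir("testfile");`, has no heading, while the first group is labelled as the successful cases, so a reader has to infer that these are the expected failures. I would add `# Test failing operations...` above `print unlink("nonexisting");` and correct the first heading to `# Test successful operations...`. The second `print mkdir("testdir");` sits in the successful group although the directory already exists at that point; a short comment stating the expected result would make the baseline easier to audit.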
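Review bot: The new_packet handler in dump_current_packet.bro writes a third capture before it terminates, because `dump_current_packet(cat(i, ".pcap"))` runs ahead of the `if ( i >= 3 )` check, yet only `1.pcap` and `2.pcap` are compared against baselines. If the third dump is intended, add `# @TEST-EXEC: btest-diff 3.pcap`; if it is not, move the check in front of the dump or lower the bound. As written, the test leaves an unchecked output file behind and a regression that only shows on the later packet would go unnoticed.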
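Review bot: The widened bound in the second hunk of hll_large_estimate.bro, `if ( |res - 170000| > 17000 )`, is a magic number whose relation to the `hll_cardinality_init(0.1, 1.0)` call changed in this hunk is not stated. It looks like 10% of the 170000 inserted entries, i.e. the requested 0.1 error margin, but that is an inference from the numbers; a comment such as `# allow the full 10% error margin requested from hll_cardinality_init()` above the check would record it. The reason for moving the second argument from 0.99 to 1.0 while loosening the tolerance also deserves a line in the test header, since the two changes together make the assertion weaker. bro_init() continues outside both hunks.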
@@ -17,7 +17,7 @@ event bro_init() } local res: int = double_to_count(hll_cardinality_estimate(cp)); - if ( |res - 170000| > 15000 ) + if ( |res - 170000| > 17000 ) print "Big error"; else print "Ok error"; diff --git a/testing/btest/bifs/order.bro b/testing/btest/bifs/order.bro index 9e59caa827..cb4b050686 100644 --- a/testing/btest/bifs/order.bro +++ b/testing/btest/bifs/order.bro @@ -46,4 +46,10 @@ event bro_init() local d2 = order(c2, myfunc2); print c2; print d2; + + # Tests with large numbers + + local l1 = vector(2304, 1156, 13, 42, 4294967296); + print l1; + print order(l1); } diff --git a/testing/btest/bifs/sort.bro b/testing/btest/bifs/sort.bro index 7b4ac9ba63..2ddb44b8be 100644 --- a/testing/btest/bifs/sort.bro +++ b/testing/btest/bifs/sort.bro @@ -67,4 +67,9 @@ event bro_init() local d2 = sort(c2, myfunc2); print c2; print d2; + + # Testing large numbers + local l1 = vector(2304, 1156, 11, 42, 4294967296); + print l1; + print sort(l1); } diff --git a/testing/btest/bifs/to_int.bro b/testing/btest/bifs/to_int.bro index 0562209cd0..e65a555cc4 100644 --- a/testing/btest/bifs/to_int.bro +++ b/testing/btest/bifs/to_int.bro @@ -6,5 +6,6 @@ event bro_init() { print to_int("1"); print to_int("-1"); + print to_int("4294967296"); print to_int("not an int"); } diff --git a/testing/btest/bifs/x509_verify.bro b/testing/btest/bifs/x509_verify.bro index 59939180c8..2afc735172 100644 --- a/testing/btest/bifs/x509_verify.bro +++ b/testing/btest/bifs/x509_verify.bro 
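Review bot: The large-number cases added to order.bro, and likewise to sort.bro and to_int.bro, all rely on the single value 4294967296, which catches truncation to 32 bits but leaves the 64-bit boundary and negative values unexercised. For `to_int()`, which parses a string, I would add a negative counterpart and an out-of-range input, for example `print to_int("-4294967296");` and `print to_int("9223372036854775808");`, and pin whatever result is intended in the baseline. The enclosing bro_init() bodies start outside these hunks, so the existing cases are not visible here.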
@@ -1,5 +1,14 @@ # @TEST-EXEC: bro -r $TRACES/tls/tls-expired-cert.trace %INPUT -# @TEST-EXEC: btest-diff .stdout + +# This is a hack: the results of OpenSSL 1.1's vs 1.0's +# X509_verify_cert() -> X509_STORE_CTX_get1_chain() calls +# differ. Word seems to be that OpenSSL 1.1's cert-chain-building +# code is significantly different/rewritten so may be the reason... + +# @TEST-EXEC: cp .stdout stdout-openssl-1.0 +# @TEST-EXEC: cp .stdout stdout-openssl-1.1 + +# @TEST-EXEC: grep -q "BRO_HAVE_OPENSSL_1_1" $BUILD/CMakeCache.txt && btest-diff stdout-openssl-1.1 || btest-diff stdout-openssl-1.0 redef SSL::root_certs += { ["OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US"] = "\x30\x82\x02\x3C\x30\x82\x01\xA5\x02\x10\x70\xBA\xE4\x1D\x10\xD9\x29\x34\xB6\x38\xCA\x7B\x03\xCC\xBA\xBF\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x02\x05\x00\x30\x5F\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x17\x30\x15\x06\x03\x55\x04\x0A\x13\x0E\x56\x65\x72\x69\x53\x69\x67\x6E\x2C\x20\x49\x6E\x63\x2E\x31\x37\x30\x35\x06\x03\x55\x04\x0B\x13\x2E\x43\x6C\x61\x73\x73\x20\x33\x20\x50\x75\x62\x6C\x69\x63\x20\x50\x72\x69\x6D\x61\x72\x79\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x1E\x17\x0D\x39\x36\x30\x31\x32\x39\x30\x30\x30\x30\x30\x30\x5A\x17\x0D\x32\x38\x30\x38\x30\x31\x32\x33\x35\x39\x35\x39\x5A\x30\x5F\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x17\x30\x15\x06\x03\x55\x04\x0A\x13\x0E\x56\x65\x72\x69\x53\x69\x67\x6E\x2C\x20\x49\x6E\x63\x2E\x31\x37\x30\x35\x06\x03\x55\x04\x0B\x13\x2E\x43\x6C\x61\x73\x73\x20\x33\x20\x50\x75\x62\x6C\x69\x63\x20\x50\x72\x69\x6D\x61\x72\x79\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x30\x81\x9F\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x81\x8D\x00\x30\x81\x89\x02\x81\x81\x00\xC9\x5C\x59\x9E\xF2\x1B\x8A\x01\x14\xB4\x10\xDF\x04\x40\xDB\xE3\x57\xAF\x6A\x45\x40\x8F\x84\x0C\x0B\xD1\x33\xD9\
xD9\x11\xCF\xEE\x02\x58\x1F\x25\xF7\x2A\xA8\x44\x05\xAA\xEC\x03\x1F\x78\x7F\x9E\x93\xB9\x9A\x00\xAA\x23\x7D\xD6\xAC\x85\xA2\x63\x45\xC7\x72\x27\xCC\xF4\x4C\xC6\x75\x71\xD2\x39\xEF\x4F\x42\xF0\x75\xDF\x0A\x90\xC6\x8E\x20\x6F\x98\x0F\xF8\xAC\x23\x5F\x70\x29\x36\xA4\xC9\x86\xE7\xB1\x9A\x20\xCB\x53\xA5\x85\xE7\x3D\xBE\x7D\x9A\xFE\x24\x45\x33\xDC\x76\x15\xED\x0F\xA2\x71\x64\x4C\x65\x2E\x81\x68\x45\xA7\x02\x03\x01\x00\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x02\x05\x00\x03\x81\x81\x00\xBB\x4C\x12\x2B\xCF\x2C\x26\x00\x4F\x14\x13\xDD\xA6\xFB\xFC\x0A\x11\x84\x8C\xF3\x28\x1C\x67\x92\x2F\x7C\xB6\xC5\xFA\xDF\xF0\xE8\x95\xBC\x1D\x8F\x6C\x2C\xA8\x51\xCC\x73\xD8\xA4\xC0\x53\xF0\x4E\xD6\x26\xC0\x76\x01\x57\x81\x92\x5E\x21\xF1\xD1\xB1\xFF\xE7\xD0\x21\x58\xCD\x69\x17\xE3\x44\x1C\x9C\x19\x44\x39\x89\x5C\xDC\x9C\x00\x0F\x56\x8D\x02\x99\xED\xA2\x90\x45\x4C\xE4\xBB\x10\xA4\x3D\xF0\x32\x03\x0E\xF1\xCE\xF8\xE8\xC9\x51\x8C\xE6\x62\x9F\xE6\x9F\xC0\x7D\xB7\x72\x9C\xC9\x36\x3A\x6B\x9F\x4E\xA8\xFF\x64\x0D\x64" diff --git a/testing/btest/broker/clone_store.bro b/testing/btest/broker/clone_store.bro deleted file mode 100644 index 1ed35826dc..0000000000 --- a/testing/btest/broker/clone_store.bro +++ /dev/null 
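Review bot: The last added `@TEST-EXEC` line chains `grep -q ... && btest-diff stdout-openssl-1.1 || btest-diff stdout-openssl-1.0`, so on an OpenSSL 1.1 build a failing comparison against the 1.1 baseline falls through to the 1.0 baseline and the test can still pass. For a certificate-verification test that means a change in chain-building results can be hidden by the other baseline. An explicit branch avoids it: `# @TEST-EXEC: if grep -q "BRO_HAVE_OPENSSL_1_1" "$BUILD/CMakeCache.txt"; then btest-diff stdout-openssl-1.1; else btest-diff stdout-openssl-1.0; fi`. The grep also matches on the variable name alone, so it is worth confirming that the cache entry is absent, rather than present with a false value, on 1.0 builds.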
@@ -1,125 +0,0 @@ -# @TEST-SERIALIZE: brokercomm -# @TEST-REQUIRES: grep -q ENABLE_BROKER:BOOL=true $BUILD/CMakeCache.txt - -# @TEST-EXEC: btest-bg-run clone "bro -b ../clone.bro broker_port=$BROKER_PORT >clone.out" -# @TEST-EXEC: btest-bg-run master "bro -b ../master.bro broker_port=$BROKER_PORT >master.out" - -# @TEST-EXEC: btest-bg-wait 60 -# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-sort btest-diff clone/clone.out -# @TEST-EXEC: btest-diff master/master.out - -@TEST-START-FILE clone.bro - -const broker_port: port &redef; -redef exit_only_after_terminate = T; - -global h: opaque of Broker::Handle; -global expected_key_count = 4; -global key_count = 0; - -global query_timeout = 30sec; - -function do_lookup(key: string) - { - when ( local res = Broker::lookup(h, Broker::data(key)) ) - { - ++key_count; - print "lookup", key, res; - - if ( key_count == expected_key_count ) - terminate(); - } - timeout query_timeout - { - print "clone lookup query timeout"; - terminate(); - } - } - -event ready() - { - h = Broker::create_clone("mystore"); - - when ( local res = Broker::keys(h) ) - { - print "clone keys", res; - do_lookup(Broker::refine_to_string(Broker::vector_lookup(res$result, 0))); - do_lookup(Broker::refine_to_string(Broker::vector_lookup(res$result, 1))); - do_lookup(Broker::refine_to_string(Broker::vector_lookup(res$result, 2))); - do_lookup(Broker::refine_to_string(Broker::vector_lookup(res$result, 3))); - } - timeout query_timeout - { - print "clone keys query timeout"; - terminate(); - } - } - -event bro_init() - { - Broker::enable(); - Broker::subscribe_to_events("bro/event/ready"); - Broker::listen(broker_port, "127.0.0.1"); - } - -@TEST-END-FILE - -@TEST-START-FILE master.bro - -global query_timeout = 15sec; - -const broker_port: port &redef; -redef exit_only_after_terminate = T; - -global h: opaque of Broker::Handle; - -function dv(d: Broker::Data): Broker::DataVector - { - local rval: Broker::DataVector; - rval[0] = d; - return rval; - } - -global 
ready: event(); - -event Broker::outgoing_connection_broken(peer_address: string, - peer_port: port) - { - terminate(); - } - -event Broker::outgoing_connection_established(peer_address: string, - peer_port: port, - peer_name: string) - { - local myset: set[string] = {"a", "b", "c"}; - local myvec: vector of string = {"alpha", "beta", "gamma"}; - h = Broker::create_master("mystore"); - Broker::insert(h, Broker::data("one"), Broker::data(110)); - Broker::insert(h, Broker::data("two"), Broker::data(223)); - Broker::insert(h, Broker::data("myset"), Broker::data(myset)); - Broker::insert(h, Broker::data("myvec"), Broker::data(myvec)); - Broker::increment(h, Broker::data("one")); - Broker::decrement(h, Broker::data("two")); - Broker::add_to_set(h, Broker::data("myset"), Broker::data("d")); - Broker::remove_from_set(h, Broker::data("myset"), Broker::data("b")); - Broker::push_left(h, Broker::data("myvec"), dv(Broker::data("delta"))); - Broker::push_right(h, Broker::data("myvec"), dv(Broker::data("omega"))); - - when ( local res = Broker::size(h) ) - { event ready(); } - timeout query_timeout - { - print "master size query timeout"; - terminate(); - } - } - -event bro_init() - { - Broker::enable(); - Broker::auto_event("bro/event/ready", ready); - Broker::connect("127.0.0.1", broker_port, 1secs); - } - -@TEST-END-FILE diff --git a/testing/btest/broker/connect-on-retry.bro b/testing/btest/broker/connect-on-retry.bro new file mode 100644 index 0000000000..13cb2d629a --- /dev/null +++ b/testing/btest/broker/connect-on-retry.bro 
@@ -0,0 +1,100 @@ +# @TEST-SERIALIZE: comm +# +# @TEST-EXEC: btest-bg-run recv "bro -B broker -b ../recv.bro >recv.out" +# @TEST-EXEC: btest-bg-run send "bro -B broker -b ../send.bro >send.out" +# +# @TEST-EXEC: btest-bg-wait 20 +# @TEST-EXEC: btest-diff recv/recv.out +# @TEST-EXEC: btest-diff send/send.out + +@TEST-START-FILE send.bro + +# Using btest's environment settings for connect/listen retry of 1sec. +redef exit_only_after_terminate = T; + +global event_count = 0; + +global ping: event(msg: string, c: count); + +event bro_init() + { + Broker::subscribe("bro/event/my_topic"); + Broker::auto_publish("bro/event/my_topic", ping); + Broker::peer("127.0.0.1"); + } + +function send_event() + { + event ping("my-message", ++event_count); + } + +event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) + { + print fmt("sender added peer: endpoint=%s msg=%s", endpoint$network$address, msg); + send_event(); + } + +event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) + { + print fmt("sender lost peer: endpoint=%s msg=%s", endpoint$network$address, msg); + terminate(); + } + +event pong(msg: string, n: count) + { + print fmt("sender got pong: %s, %s", msg, n); + send_event(); + } + +@TEST-END-FILE + + +@TEST-START-FILE recv.bro + +redef exit_only_after_terminate = T; + +const events_to_recv = 5; + +global handler: event(msg: string, c: count); +global auto_handler: event(msg: string, c: count); + +global pong: event(msg: string, c: count); + +event delayed_listen() + { + Broker::listen("127.0.0.1"); + } + +event bro_init() + { + Broker::subscribe("bro/event/my_topic"); + Broker::auto_publish("bro/event/my_topic", pong); + schedule 5secs { delayed_listen() }; + } + +event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) + { + print fmt("receiver added peer: endpoint=%s msg=%s", + endpoint$network$address, msg); + } + +event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) + { + print fmt("receiver lost peer: 
endpoint=%s msg=%s", + endpoint$network$address, msg); + } + +event ping(msg: string, n: count) + { + print fmt("receiver got ping: %s, %s", msg, n); + + if ( n == events_to_recv ) + { + terminate(); + return; + } + + event pong(msg, n); + } + +@TEST-END-FILE diff --git a/testing/btest/broker/connection_updates.bro b/testing/btest/broker/connection_updates.bro deleted file mode 100644 index d431a59dbe..0000000000 --- a/testing/btest/broker/connection_updates.bro +++ /dev/null @@ -1,57 +0,0 @@ -# @TEST-SERIALIZE: brokercomm -# @TEST-REQUIRES: grep -q ENABLE_BROKER:BOOL=true $BUILD/CMakeCache.txt - -# @TEST-EXEC: btest-bg-run recv "bro -b ../recv.bro broker_port=$BROKER_PORT >recv.out" -# @TEST-EXEC: btest-bg-run send "bro -b ../send.bro broker_port=$BROKER_PORT >send.out" - -# @TEST-EXEC: btest-bg-wait 20 -# @TEST-EXEC: btest-diff recv/recv.out -# @TEST-EXEC: btest-diff send/send.out - -@TEST-START-FILE recv.bro - -const broker_port: port &redef; -redef exit_only_after_terminate = T; -redef Broker::endpoint_name = "listener"; - -event bro_init() - { - Broker::enable(); - Broker::listen(broker_port, "127.0.0.1"); - } - -event Broker::incoming_connection_established(peer_name: string) - { - print "Broker::incoming_connection_established", peer_name; - } - -event Broker::incoming_connection_broken(peer_name: string) - { - print "Broker::incoming_connection_broken", peer_name; - terminate(); - } - -@TEST-END-FILE - -@TEST-START-FILE send.bro - -const broker_port: port &redef; -redef exit_only_after_terminate = T; -redef Broker::endpoint_name = "connector"; - -event bro_init() - { - Broker::enable(); - Broker::connect("127.0.0.1", broker_port, 1sec); - } - -event Broker::outgoing_connection_established(peer_address: string, - peer_port: port, - peer_name: string) - { - print "Broker::outgoing_connection_established", - peer_address, peer_port, peer_name; - terminate(); - } - -@TEST-END-FILE 
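Review bot: In recv.bro of connect-on-retry.bro the globals `handler` and `auto_handler` are declared but never referenced, and the `schedule 5secs { delayed_listen() };` that the test hinges on carries no comment. I would drop the two unused declarations and add `# Listen late so the sender's initial connection attempts fail and it has to retry.` above the schedule statement, assuming that is the intent the file name suggests. The delay also depends on the 1-second retry interval that send.bro says comes from btest's environment; naming that setting in the comment would make the dependency checkable against the 20-second `btest-bg-wait`.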
diff --git a/testing/btest/broker/data.bro b/testing/btest/broker/data.bro deleted file mode 100644 index 49474e3a5a..0000000000 --- a/testing/btest/broker/data.bro +++ /dev/null 
@@ -1,255 +0,0 @@ -# @TEST-REQUIRES: grep -q ENABLE_BROKER:BOOL=true $BUILD/CMakeCache.txt - -# @TEST-EXEC: bro -b %INPUT >out -# @TEST-EXEC: btest-diff out - -type bro_set: set[string]; -type bro_table: table[string] of count; -type bro_vector: vector of string; - -type bro_record : record { - a: string &optional; - b: string &default = "bee"; - c: count; -}; - -function broker_to_bro_record_recurse(it: opaque of Broker::RecordIterator, - rval: bro_record, - idx: count): bro_record - { - if ( Broker::record_iterator_last(it) ) - return rval; - - local field_value = Broker::record_iterator_value(it); - - if ( field_value?$d ) - switch ( idx ) { - case 0: - rval$a = Broker::refine_to_string(field_value); - break; - case 1: - rval$b = Broker::refine_to_string(field_value); - break; - case 2: - rval$c = Broker::refine_to_count(field_value); - break; - }; - - ++idx; - Broker::record_iterator_next(it); - return broker_to_bro_record_recurse(it, rval, idx); - } - -function broker_to_bro_record(d: Broker::Data): bro_record - { - return broker_to_bro_record_recurse(Broker::record_iterator(d), - bro_record($c = 0), 0); - } - -function -broker_to_bro_set_recurse(it: opaque of Broker::SetIterator, - rval: bro_set): bro_set - { - if ( Broker::set_iterator_last(it) ) - return rval; - - add rval[Broker::refine_to_string(Broker::set_iterator_value(it))]; - Broker::set_iterator_next(it); - return broker_to_bro_set_recurse(it, rval); - } - - -function broker_to_bro_set(d: Broker::Data): bro_set - { - return broker_to_bro_set_recurse(Broker::set_iterator(d), bro_set()); - } - -function -broker_to_bro_table_recurse(it: opaque of Broker::TableIterator, - rval: bro_table): bro_table - { - if ( Broker::table_iterator_last(it) ) - return rval; - - local item = Broker::table_iterator_value(it); - rval[Broker::refine_to_string(item$key)] = Broker::refine_to_count(item$val); - Broker::table_iterator_next(it); - return broker_to_bro_table_recurse(it, rval); - } - -function 
broker_to_bro_table(d: Broker::Data): bro_table - { - return broker_to_bro_table_recurse(Broker::table_iterator(d), - bro_table()); - } - -function broker_to_bro_vector_recurse(it: opaque of Broker::VectorIterator, - rval: bro_vector): bro_vector - { - if ( Broker::vector_iterator_last(it) ) - return rval; - - rval[|rval|] = Broker::refine_to_string(Broker::vector_iterator_value(it)); - Broker::vector_iterator_next(it); - return broker_to_bro_vector_recurse(it, rval); - } - -function broker_to_bro_vector(d: Broker::Data): bro_vector - { - return broker_to_bro_vector_recurse(Broker::vector_iterator(d), - bro_vector()); - } - -event bro_init() -{ -Broker::enable(); - -### Print every broker data type - -print Broker::data_type(Broker::data(T)); -print Broker::data_type(Broker::data(+1)); -print Broker::data_type(Broker::data(1)); -print Broker::data_type(Broker::data(1.1)); -print Broker::data_type(Broker::data("1 (how creative)")); -print Broker::data_type(Broker::data(1.1.1.1)); -print Broker::data_type(Broker::data(1.1.1.1/1)); -print Broker::data_type(Broker::data(1/udp)); -print Broker::data_type(Broker::data(double_to_time(1))); -print Broker::data_type(Broker::data(1sec)); -print Broker::data_type(Broker::data(Broker::BOOL)); -local s: bro_set = bro_set("one", "two", "three"); -local t: bro_table = bro_table(["one"] = 1, ["two"] = 2, ["three"] = 3); -local v: bro_vector = bro_vector("zero", "one", "two"); -local r: bro_record = bro_record($c = 1); -print Broker::data_type(Broker::data(s)); -print Broker::data_type(Broker::data(t)); -print Broker::data_type(Broker::data(v)); -print Broker::data_type(Broker::data(r)); - -print "***************************"; - -### Convert a Bro value to a broker value, then print the result - -print Broker::refine_to_bool(Broker::data(T)); -print Broker::refine_to_bool(Broker::data(F)); -print Broker::refine_to_int(Broker::data(+1)); -print Broker::refine_to_int(Broker::data(+0)); -print Broker::refine_to_int(Broker::data(-1)); 
-print Broker::refine_to_count(Broker::data(1)); -print Broker::refine_to_count(Broker::data(0)); -print Broker::refine_to_double(Broker::data(1.1)); -print Broker::refine_to_double(Broker::data(-11.1)); -print Broker::refine_to_string(Broker::data("hello")); -print Broker::refine_to_addr(Broker::data(1.2.3.4)); -print Broker::refine_to_subnet(Broker::data(192.168.1.1/16)); -print Broker::refine_to_port(Broker::data(22/tcp)); -print Broker::refine_to_time(Broker::data(double_to_time(42))); -print Broker::refine_to_interval(Broker::data(3min)); -print Broker::refine_to_enum_name(Broker::data(Broker::BOOL)); - -local cs = Broker::data(s); -print broker_to_bro_set(cs); - -local ct = Broker::data(t); -print broker_to_bro_table(ct); - -local cv = Broker::data(v); -print broker_to_bro_vector(cv); - -local cr = Broker::data(r); -print broker_to_bro_record(cr); - -r$a = "test"; -cr = Broker::data(r); -print broker_to_bro_record(cr); - -r$b = "testagain"; -cr = Broker::data(r); -print broker_to_bro_record(cr); - -print "***************************"; - -### Test the broker set BIFs - -cs = Broker::set_create(); -print Broker::set_size(cs); -print Broker::set_insert(cs, Broker::data("hi")); -print Broker::set_size(cs); -print Broker::set_contains(cs, Broker::data("hi")); -print Broker::set_contains(cs, Broker::data("bye")); -print Broker::set_insert(cs, Broker::data("bye")); -print Broker::set_size(cs); -print Broker::set_insert(cs, Broker::data("bye")); -print Broker::set_size(cs); -print Broker::set_remove(cs, Broker::data("hi")); -print Broker::set_size(cs); -print Broker::set_remove(cs, Broker::data("hi")); -print broker_to_bro_set(cs); -print Broker::set_clear(cs); -print Broker::set_size(cs); -print broker_to_bro_set(cs); - -print "***************************"; - -### Test the broker table BIFs - -ct = Broker::table_create(); -print Broker::table_size(ct); -print Broker::table_insert(ct, Broker::data("hi"), Broker::data(42)); -print Broker::table_size(ct); -print 
Broker::table_contains(ct, Broker::data("hi")); -print Broker::refine_to_count(Broker::table_lookup(ct, Broker::data("hi"))); -print Broker::table_contains(ct, Broker::data("bye")); -print Broker::table_insert(ct, Broker::data("bye"), Broker::data(7)); -print Broker::table_size(ct); -print Broker::table_insert(ct, Broker::data("bye"), Broker::data(37)); -print Broker::table_size(ct); -print Broker::refine_to_count(Broker::table_lookup(ct, Broker::data("bye"))); -print Broker::table_remove(ct, Broker::data("hi")); -print Broker::table_size(ct); -print Broker::table_remove(ct, Broker::data("hi")); -print Broker::table_size(ct); -print Broker::table_clear(ct); -print Broker::table_size(ct); -print broker_to_bro_table(ct); - -print "***************************"; - -### Test the broker vector BIFs - -cv = Broker::vector_create(); -print Broker::vector_size(cv); -print Broker::vector_insert(cv, Broker::data("hi"), 0); -print Broker::vector_insert(cv, Broker::data("hello"), 1); -print Broker::vector_insert(cv, Broker::data("greetings"), 2); -print Broker::vector_insert(cv, Broker::data("salutations"), 1); -print broker_to_bro_vector(cv); -print Broker::vector_size(cv); -print Broker::vector_replace(cv, Broker::data("bah"), 2); -print Broker::vector_lookup(cv, 2); -print Broker::vector_lookup(cv, 0); -print broker_to_bro_vector(cv); -print Broker::vector_remove(cv, 2); -print broker_to_bro_vector(cv); -print Broker::vector_size(cv); -print Broker::vector_clear(cv); -print Broker::vector_size(cv); -print broker_to_bro_vector(cv); - -print "***************************"; - -### Test the broker record BIFs - -cr = Broker::record_create(3); -print Broker::record_size(cr); -print Broker::record_assign(cr, Broker::data("hi"), 0); -print Broker::record_assign(cr, Broker::data("hello"), 1); -print Broker::record_assign(cr, Broker::data(37), 2); -print Broker::record_lookup(cr, 0); -print Broker::record_lookup(cr, 1); -print Broker::record_lookup(cr, 2); -print 
Broker::record_size(cr); -print Broker::record_assign(cr, Broker::data("goodbye"), 1); -print Broker::record_size(cr); -print Broker::record_lookup(cr, 1); -} diff --git a/testing/btest/broker/disconnect.bro b/testing/btest/broker/disconnect.bro new file mode 100644 index 0000000000..3daed6a6b7 --- /dev/null +++ b/testing/btest/broker/disconnect.bro 
@@ -0,0 +1,87 @@ +# @TEST-SERIALIZE: comm + +# @TEST-EXEC: btest-bg-run recv "bro -B broker -b ../recv.bro >recv.out" +# @TEST-EXEC: btest-bg-run send "bro -B broker -b ../send.bro >send.out" + +# @TEST-EXEC: $SCRIPTS/wait-for-file recv/got-event 30 || (btest-bg-wait -k 1 && false) +# @TEST-EXEC: kill $(cat recv/.pid) +# @TEST-EXEC: $SCRIPTS/wait-for-pid $(cat recv/.pid) 10 || (btest-bg-wait -k 1 && false) +# @TEST-EXEC: echo 0 >recv/.exitcode + +# @TEST-EXEC: btest-bg-run recv2 "bro -B broker -b ../recv.bro >recv2.out" +# @TEST-EXEC: btest-bg-wait 30 + +# @TEST-EXEC: btest-diff send/send.out +# @TEST-EXEC: btest-diff recv/recv.out +# @TEST-EXEC: btest-diff recv2/recv2.out + +@TEST-START-FILE send.bro + +redef exit_only_after_terminate = T; + +global peers = 0; +const test_topic = "bro/test/my_topic"; + +event my_event(i: count) + { + print "sender got event", i; + } + +event bro_init() + { + Broker::subscribe(test_topic); + Broker::peer("127.0.0.1"); + } + +event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) + { + print "peer lost", msg; + + if ( peers == 2 ) + terminate(); + } + +event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) + { + ++peers; + print "peer added", msg; + Broker::publish(test_topic, my_event, peers); + } + +@TEST-END-FILE + + +@TEST-START-FILE recv.bro + +redef exit_only_after_terminate = T; + +const test_topic = "bro/test/my_topic"; + +event my_event(i: count) + { + print "receiver got event", i; + + if ( i == 1 ) + # In the first case, terminate via `kill` from btest command. + system("touch got-event"); + else + terminate(); + } + +event bro_init() + { + Broker::subscribe(test_topic); + Broker::listen("127.0.0.1"); + } + +event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) + { + terminate(); + } + +event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) + { + print "peer added", msg; + } + +@TEST-END-FILE 
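Review bot: `# @TEST-EXEC: echo 0 >recv/.exitcode` overwrites the first receiver's recorded exit status unconditionally after the `kill`, so an abnormal exit during shutdown, for example a crash in the termination path, is reported as success. I would read the recorded value first and normalise it only when it is the status expected for a process ended by that signal, failing the test otherwise. The preceding `kill $(cat recv/.pid)` also runs with an empty argument list if the pid file is missing; quoting the substitution and testing for the file first would turn that into a clear failure. The comment `# In the first case, terminate via kill from btest command.` is helpful and could say that the `got-event` file is what the `wait-for-file` step polls for.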
diff --git a/testing/btest/broker/enable-and-exit.bro b/testing/btest/broker/enable-and-exit.bro deleted file mode 100644 index 78800b31b0..0000000000 --- a/testing/btest/broker/enable-and-exit.bro +++ /dev/null @@ -1,19 +0,0 @@ -# @TEST-REQUIRES: grep -q ENABLE_BROKER:BOOL=true $BUILD/CMakeCache.txt - -# @TEST-EXEC: bro -b %INPUT >output -# @TEST-EXEC: btest-diff output - -redef exit_only_after_terminate = T; - -event terminate_me() { - print "terminating"; - terminate(); -} - -event bro_init() { - Broker::enable(); - - print "1"; - schedule 1sec { terminate_me() }; - print "2"; -} diff --git a/testing/btest/broker/error.bro b/testing/btest/broker/error.bro new file mode 100644 index 0000000000..af94e28019 --- /dev/null +++ b/testing/btest/broker/error.bro @@ -0,0 +1,42 @@ +# @TEST-SERIALIZE: comm +# +# @TEST-EXEC: bro -B main-loop,broker -b send.bro >send.out +# @TEST-EXEC: btest-diff send.out +# + +@TEST-START-FILE send.bro + +redef exit_only_after_terminate = T; + +event do_terminate() + { + terminate(); + } + +event do_something() + { + # Will fail and generate an error. + Broker::unpeer("1.2.3.4", 1947/tcp); + } + +event Broker::status(endpoint: Broker::EndpointInfo, msg: string) + { + print "status", endpoint, endpoint$network, msg; + } + +event Broker::error(code: Broker::ErrorCode, msg: string) + { + print "error", code, msg; + } + +event bro_init() + { + Broker::subscribe("bro/event/my_topic"); + + schedule 2secs { do_something() }; + schedule 4secs { do_terminate() }; + } + + +@TEST-END-FILE + diff --git a/testing/btest/broker/master_store.bro b/testing/btest/broker/master_store.bro deleted file mode 100644 index 09f0f82880..0000000000 --- a/testing/btest/broker/master_store.bro +++ /dev/null 
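Review bot: error.bro ends on a fixed timer, `schedule 4secs { do_terminate() };`, rather than on the event it checks, so the baseline only matches if the `Broker::error` raised by `Broker::unpeer("1.2.3.4", 1947/tcp)` is delivered within the two seconds between the scheduled events. On a loaded CI host that can make `send.out` differ without any code defect. Calling `terminate();` at the end of the `Broker::error` handler and keeping the timer as a fallback would remove the timing dependency, provided no later status output is expected in the baseline. The comment `# Will fail and generate an error.` could also state why the call fails, presumably because no such peering exists.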
@@ -1,181 +0,0 @@ -# @TEST-REQUIRES: grep -q ENABLE_BROKER:BOOL=true $BUILD/CMakeCache.txt - -# @TEST-EXEC: btest-bg-run master "bro -b %INPUT >out" -# @TEST-EXEC: btest-bg-wait 60 -# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-sort btest-diff master/out - -redef exit_only_after_terminate = T; - -global h: opaque of Broker::Handle; -global lookup_count = 0; -const lookup_expect_count = 5; -global exists_count = 0; -const exists_expect_count = 4; -global pop_count = 0; -const pop_expect_count = 2; - -global test_size: event(where: string &default = ""); - -global query_timeout = 30sec; - -event test_clear() - { - Broker::clear(h); - event test_size("after clear"); - } - -event test_size(where: string) - { - when ( local res = Broker::size(h) ) - { - if ( where == "" ) - { - print fmt("size: %s", res); - event test_clear(); - } - else - { - print fmt("size (%s): %s", where, res); - terminate(); - } - } - timeout query_timeout - { - print "'size' query timeout"; - - if ( where == "" ) - event test_clear(); - else - terminate(); - } - } - -event test_keys() - { - when ( local res = Broker::keys(h) ) - { - print fmt("keys: %s", res); - event test_size(); - } - timeout query_timeout - { - print "'keys' query timeout"; - event test_size(); - } - } - -event test_pop(key: string) - { - when ( local lres = Broker::pop_left(h, Broker::data(key)) ) - { - print fmt("pop_left(%s): %s", key, lres); - ++pop_count; - - if ( pop_count == pop_expect_count ) - event test_keys(); - } - timeout query_timeout - { - print "'pop_left' timeout"; - ++pop_count; - - if ( pop_count == pop_expect_count ) - event test_keys(); - } - - when ( local rres = Broker::pop_right(h, Broker::data(key)) ) - { - print fmt("pop_right(%s): %s", key, rres); - ++pop_count; - - if ( pop_count == pop_expect_count ) - event test_keys(); - } - timeout query_timeout - { - print "'pop_right' timeout"; - ++pop_count; - - if ( pop_count == pop_expect_count ) - event test_keys(); - } - } - -function do_exists(key: 
string) - { - when ( local res = Broker::exists(h, Broker::data(key)) ) - { - print fmt("exists(%s): %s", key, res); - ++exists_count; - - if ( exists_count == exists_expect_count ) - event test_pop("myvec"); - } - timeout query_timeout - { - print "'exists' query timeout"; - ++exists_count; - - if ( exists_count == exists_expect_count ) - event test_pop("myvec"); - } - } - -event test_erase() - { - Broker::erase(h, Broker::data("two")); - do_exists("one"); - do_exists("two"); - do_exists("myset"); - do_exists("four"); - } - -function do_lookup(key: string) - { - when ( local res = Broker::lookup(h, Broker::data(key)) ) - { - print fmt("lookup(%s): %s", key, res); - ++lookup_count; - - if ( lookup_count == lookup_expect_count ) - event test_erase(); - } - timeout query_timeout - { - print "'lookup' query timeout"; - ++lookup_count; - - if ( lookup_count == lookup_expect_count ) - event test_erase(); - } - } - -function dv(d: Broker::Data): Broker::DataVector - { - local rval: Broker::DataVector; - rval[0] = d; - return rval; - } - -event bro_init() - { - Broker::enable(); - local myset: set[string] = {"a", "b", "c"}; - local myvec: vector of string = {"alpha", "beta", "gamma"}; - h = Broker::create_master("master"); - Broker::insert(h, Broker::data("one"), Broker::data(110)); - Broker::insert(h, Broker::data("two"), Broker::data(223)); - Broker::insert(h, Broker::data("myset"), Broker::data(myset)); - Broker::insert(h, Broker::data("myvec"), Broker::data(myvec)); - Broker::increment(h, Broker::data("one")); - Broker::decrement(h, Broker::data("two")); - Broker::add_to_set(h, Broker::data("myset"), Broker::data("d")); - Broker::remove_from_set(h, Broker::data("myset"), Broker::data("b")); - Broker::push_left(h, Broker::data("myvec"), dv(Broker::data("delta"))); - Broker::push_right(h, Broker::data("myvec"), dv(Broker::data("omega"))); - do_lookup("one"); - do_lookup("two"); - do_lookup("myset"); - do_lookup("four"); - do_lookup("myvec"); - } 
diff --git a/testing/btest/broker/remote_event.bro b/testing/btest/broker/remote_event.bro new file mode 100644 index 0000000000..c5f072c16c --- /dev/null +++ b/testing/btest/broker/remote_event.bro 
@@ -0,0 +1,99 @@
+# @TEST-SERIALIZE: comm
+#
+# @TEST-EXEC: btest-bg-run recv "bro -B broker -b ../recv.bro >recv.out"
+# @TEST-EXEC: btest-bg-run send "bro -B broker -b ../send.bro >send.out"
+#
+# @TEST-EXEC: btest-bg-wait 20
+# @TEST-EXEC: btest-diff recv/recv.out
+# @TEST-EXEC: btest-diff send/send.out
+
+@TEST-START-FILE send.bro
+
+redef exit_only_after_terminate = T;
+
+global event_count = 0;
+
+global ping: event(msg: string, c: count);
+
+event bro_init()
+ {
+ Broker::subscribe("bro/event/my_topic");
+ Broker::peer("127.0.0.1");
+ print "is_remote should be F, and is", is_remote_event();
+ }
+
+function send_event()
+ {
+ ++event_count;
+ local e = Broker::make_event(ping, "my-message", event_count);
+ Broker::publish("bro/event/my_topic", e);
+ }
+
+event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string)
+ {
+ print fmt("sender added peer: endpoint=%s msg=%s",
+ endpoint$network$address, msg);
+ send_event();
+ }
+
+event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string)
+ {
+ print fmt("sender lost peer: endpoint=%s msg=%s",
+ endpoint$network$address, msg);
+ terminate();
+ }
+
+event pong(msg: string, n: count)
+ {
+ print "is_remote should be T, and is", is_remote_event();
+ print fmt("sender got pong: %s, %s", msg, n);
+ send_event();
+ }
+
+@TEST-END-FILE
+
+
+@TEST-START-FILE recv.bro
+
+redef exit_only_after_terminate = T;
+
+const events_to_recv = 5;
+
+global handler: event(msg: string, c: count);
+global auto_handler: event(msg: string, c: count);
+
+global pong: event(msg: string, c: count);
+
+event bro_init()
+ {
+ Broker::subscribe("bro/event/my_topic");
+ Broker::listen("127.0.0.1");
+ }
+
+event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string)
+ {
+ print fmt("receiver added peer: endpoint=%s msg=%s", endpoint$network$address, msg);
+ }
+
+event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string)
+ {
+ print fmt("receiver lost peer: endpoint=%s msg=%s", endpoint$network$address, msg);
+ }
+
+event ping(msg: string, n: count)
+ {
+ print "is_remote should be T, and is", is_remote_event();
+ print fmt("receiver got ping: %s, %s", msg, n);
+
+ if ( n == events_to_recv )
+ {
+ print get_broker_stats();
+ terminate();
+ return;
+ }
+
+ local e = Broker::make_event(pong, msg, n);
+ Broker::publish("bro/event/my_topic", e);
+ }
+
+@TEST-END-FILE
diff --git a/testing/btest/broker/remote_event.test b/testing/btest/broker/remote_event.test
deleted file mode 100644
index 5118f1a5e8..0000000000
--- a/testing/btest/broker/remote_event.test
+++ /dev/null
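Review bot: The recv.bro part declares `global handler: event(msg: string, c: count);` and `global auto_handler: event(msg: string, c: count);`, but nothing in this hunk raises or handles either event. They are presumably leftovers from the deleted remote_event.test. Dropping both lines keeps the test down to the ping/pong pair it actually exercises. The same two unused declarations appear in the recv.bro sections of remote_event_any.bro, remote_event_auto.bro and remote_event_ssl_auth.bro.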
@@ -1,94 +0,0 @@ -# @TEST-SERIALIZE: brokercomm -# @TEST-REQUIRES: grep -q ENABLE_BROKER:BOOL=true $BUILD/CMakeCache.txt - -# @TEST-EXEC: btest-bg-run recv "bro -b ../recv.bro broker_port=$BROKER_PORT >recv.out" -# @TEST-EXEC: btest-bg-run send "bro -b ../send.bro broker_port=$BROKER_PORT >send.out" - -# @TEST-EXEC: btest-bg-wait 20 -# @TEST-EXEC: btest-diff recv/recv.out -# @TEST-EXEC: btest-diff send/send.out - -@TEST-START-FILE recv.bro - -const broker_port: port &redef; -redef exit_only_after_terminate = T; - -global event_handler: event(msg: string, c: count); -global auto_event_handler: event(msg: string, c: count); - -event bro_init() - { - Broker::enable(); - Broker::subscribe_to_events("bro/event/"); - Broker::auto_event("bro/event/my_topic", auto_event_handler); - Broker::listen(broker_port, "127.0.0.1"); - } - -global event_count = 0; -global events_to_recv = 6; - -event event_handler(msg: string, n: count) - { - ++event_count; - print "got event msg", msg, n; - - if ( event_count == events_to_recv ) - { - terminate(); - return; - } - - event auto_event_handler(msg, n); - local args = Broker::event_args(event_handler, "pong", n); - Broker::send_event("bro/event/my_topic", args); - } - -@TEST-END-FILE - -@TEST-START-FILE send.bro - -const broker_port: port &redef; -redef exit_only_after_terminate = T; - -global event_handler: event(msg: string, c: count); -global auto_event_handler: event(msg: string, c: count); - -event bro_init() - { - Broker::enable(); - Broker::subscribe_to_events("bro/event/my_topic"); - Broker::connect("127.0.0.1", broker_port, 1secs); - } - -global event_count = 0; - -event Broker::outgoing_connection_established(peer_address: string, - peer_port: port, - peer_name: string) - { - print "Broker::outgoing_connection_established", peer_address, peer_port; - local args = Broker::event_args(event_handler, "ping", event_count); - Broker::send_event("bro/event/hi", args); - ++event_count; - } - -event 
Broker::outgoing_connection_broken(peer_address: string, - peer_port: port) - { - terminate(); - } - -event event_handler(msg: string, n: count) - { - print "got event msg", msg, n; - local args = Broker::event_args(event_handler, "ping", event_count); - Broker::send_event("bro/event/hi", args); - ++event_count; - } - -event auto_event_handler(msg: string, n: count) - { - print "got auto event msg", msg, n; - } - -@TEST-END-FILE diff --git a/testing/btest/broker/remote_event_any.bro b/testing/btest/broker/remote_event_any.bro new file mode 100644 index 0000000000..7053a8b4c7 --- /dev/null +++ b/testing/btest/broker/remote_event_any.bro 
@@ -0,0 +1,107 @@
+# @TEST-SERIALIZE: comm
+#
+# @TEST-EXEC: btest-bg-run recv "bro -B broker -b ../recv.bro >recv.out"
+# @TEST-EXEC: btest-bg-run send "bro -B broker -b ../send.bro >send.out"
+#
+# @TEST-EXEC: btest-bg-wait 20
+# @TEST-EXEC: btest-diff recv/recv.out
+# @TEST-EXEC: btest-diff send/send.out
+
+@TEST-START-FILE send.bro
+
+redef exit_only_after_terminate = T;
+
+global event_count = 0;
+
+global ping: event(msg: string, c: any);
+
+event bro_init()
+ {
+ Broker::subscribe("bro/event/my_topic");
+ Broker::peer("127.0.0.1");
+ print "is_remote should be F, and is", is_remote_event();
+ }
+
+function send_event()
+ {
+ ++event_count;
+ local e = Broker::make_event(ping, "my-message", event_count);
+ Broker::publish("bro/event/my_topic", e);
+ }
+
+event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string)
+ {
+ print fmt("sender added peer: endpoint=%s msg=%s",
+ endpoint$network$address, msg);
+ send_event();
+ }
+
+event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string)
+ {
+ print fmt("sender lost peer: endpoint=%s msg=%s",
+ endpoint$network$address, msg);
+ terminate();
+ }
+
+event pong(msg: string, n: any)
+ {
+ print "is_remote should be T, and is", is_remote_event();
+
+ if ( n is count )
+ print fmt("sender got pong: %s, %s", msg, n as count);
+
+ send_event();
+ }
+
+@TEST-END-FILE
+
+
+@TEST-START-FILE recv.bro
+
+redef exit_only_after_terminate = T;
+
+const events_to_recv = 5;
+
+global handler: event(msg: string, c: count);
+global auto_handler: event(msg: string, c: count);
+
+global pong: event(msg: string, c: any);
+
+event bro_init()
+ {
+ Broker::subscribe("bro/event/my_topic");
+ Broker::listen("127.0.0.1");
+ }
+
+event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string)
+ {
+ print fmt("receiver added peer: endpoint=%s msg=%s", endpoint$network$address, msg);
+ }
+
+event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string)
+ {
+ print fmt("receiver lost peer: endpoint=%s msg=%s", endpoint$network$address, msg);
+ }
+
+event ping(msg: string, n: any)
+ {
+ print "is_remote should be T, and is", is_remote_event();
+
+ if ( n is count )
+ print fmt("receiver got ping: %s, %s", msg, n as count);
+
+ if ( (n as count) == events_to_recv )
+ {
+ print get_broker_stats();
+ terminate();
+ return;
+ }
+
+ if ( (n as count) % 2 == 0 )
+ Broker::publish("bro/event/my_topic", pong, msg, n as count);
+ else
+ # internals should not wrap n into another Broker::Data record
+ Broker::publish("bro/event/my_topic", pong, msg, n);
+ }
+
+@TEST-END-FILE
diff --git a/testing/btest/broker/remote_event_auto.bro b/testing/btest/broker/remote_event_auto.bro
new file mode 100644
index 0000000000..c209d6dbe3
--- /dev/null
+++ b/testing/btest/broker/remote_event_auto.bro
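Review bot: In recv.bro's `ping` handler the `n is count` check guards only the `print`, while the later `(n as count)` comparisons and the `n as count` argument to `Broker::publish` run whatever type arrived. Since `n` is declared `any` and is filled in by the remote peer, a non-count value would presumably hit a runtime cast error rather than being rejected cleanly. Putting the check first, for example `if ( ! (n is count) ) { print "unexpected type for n"; terminate(); return; }`, makes it cover every use and makes the test fail visibly. The `pong` handler in send.bro is fine as written because its only cast sits inside the guarded `print`.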
@@ -0,0 +1,94 @@
+# @TEST-SERIALIZE: comm
+#
+# @TEST-EXEC: btest-bg-run recv "bro -b ../recv.bro >recv.out"
+# @TEST-EXEC: btest-bg-run send "bro -b ../send.bro >send.out"
+#
+# @TEST-EXEC: btest-bg-wait 20
+# @TEST-EXEC: btest-diff recv/recv.out
+# @TEST-EXEC: btest-diff send/send.out
+
+@TEST-START-FILE send.bro
+
+redef exit_only_after_terminate = T;
+
+global event_count = 0;
+
+global ping: event(msg: string, c: count);
+
+event bro_init()
+ {
+ Broker::subscribe("bro/event/my_topic");
+ Broker::auto_publish("bro/event/my_topic", ping);
+ Broker::peer("127.0.0.1");
+ }
+
+function send_event()
+ {
+ event ping("my-message", ++event_count);
+ }
+
+event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string)
+ {
+ print fmt("sender added peer: endpoint=%s msg=%s", endpoint$network$address, msg);
+ send_event();
+ }
+
+event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string)
+ {
+ print fmt("sender lost peer: endpoint=%s msg=%s", endpoint$network$address, msg);
+ terminate();
+ }
+
+event pong(msg: string, n: count)
+ {
+ print fmt("sender got pong: %s, %s", msg, n);
+ send_event();
+ }
+
+@TEST-END-FILE
+
+
+@TEST-START-FILE recv.bro
+
+redef exit_only_after_terminate = T;
+
+const events_to_recv = 5;
+
+global handler: event(msg: string, c: count);
+global auto_handler: event(msg: string, c: count);
+
+global pong: event(msg: string, c: count);
+
+event bro_init()
+ {
+ Broker::subscribe("bro/event/my_topic");
+ Broker::auto_publish("bro/event/my_topic", pong);
+ Broker::listen("127.0.0.1");
+ }
+
+event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string)
+ {
+ print fmt("receiver added peer: endpoint=%s msg=%s",
+ endpoint$network$address, msg);
+ }
+
+event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string)
+ {
+ print fmt("receiver lost peer: endpoint=%s msg=%s",
+ endpoint$network$address, msg);
+ }
+
+event ping(msg: string, n: count)
+ {
+ print fmt("receiver got ping: %s, %s", msg, n);
+
+ if ( n == events_to_recv )
+ {
+ terminate();
+ return;
+ }
+
+ event pong(msg, n);
+ }
+
+@TEST-END-FILE
diff --git a/testing/btest/broker/remote_event_ssl_auth.bro b/testing/btest/broker/remote_event_ssl_auth.bro
new file mode 100644
index 0000000000..4a62ff2259
--- /dev/null
+++ b/testing/btest/broker/remote_event_ssl_auth.bro
@@ -0,0 +1,259 @@ +# @TEST-SERIALIZE: comm +# +# @TEST-EXEC: btest-bg-run recv "bro -B broker -b ../recv.bro >recv.out" +# @TEST-EXEC: btest-bg-run send "bro -B broker -b ../send.bro >send.out" +# +# @TEST-EXEC: btest-bg-wait 20 +# @TEST-EXEC: btest-diff recv/recv.out +# @TEST-EXEC: btest-diff send/send.out + + +@TEST-START-FILE cert.1.pem +-----BEGIN CERTIFICATE----- +MIIDOjCCAiICCQDz7oMOR7Wm7jANBgkqhkiG9w0BAQsFADBkMQswCQYDVQQGEwJV +UzELMAkGA1UECAwCQ0ExETAPBgNVBAcMCEJlcmtlbGV5MSMwIQYDVQQKDBpBQ01F +IFNpZ25pbmcgQXV0aG9yaXR5IEluYzEQMA4GA1UEAwwHZm9vLmJhcjAgFw0xNzA0 +MjEyMzI2MzhaGA80NzU1MDMxOTIzMjYzOFowWDELMAkGA1UEBhMCVVMxCzAJBgNV +BAgMAkNBMREwDwYDVQQHDAhCZXJrZWxleTEVMBMGA1UECgwMQUNNRSBTZXJ2aWNl +MRIwEAYDVQQDDAkxLmZvby5iYXIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK +AoIBAQDHobccAQQqbZANdOdx852W/nUzGcwpurOi8zbh9yCxMwnFMogW9AsqKEnd +sypV6Ah/cIz45PAgCdEg+1pc2DG7+E0+QlV4ChNwCDuk+FSWB6pqMTCdZcLeIwlA +GPp6Ow9v40dW7IFpDetFKXEo6kqEzR5P58Q0a6KpCtpsSMqhk57Py83wB9gPA1vp +s77kN7D5CI3oay86TA5j5nfFMT1X/77Hs24csW6CLnW/OD4f1RK79UgPd/kpPKQ1 +jNq+hsR7NZTcfrAF1hcfScxnKaznO7WopSt1k75NqLdnSN1GIci2GpiXYKtXZ9l5 +TErv2Oucpw/u+a/wjKlXjrgLL9lfAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAKuW +yKA2uuiNc9MKU+yVbNaP8kPaMb/wMvVaFG8FFFpCTZ0MFMLsqRpeqtj7gMK/gaJC +CQm4EyadjzfWFYDLkHzm6b7gI8digvvhjr/C2RJ5Qxr2P0iFP1buGq0CqnF20XgQ +Q+ecS43CZ77CfKfS6ZLPmAZMAwgFLImVyo5mkaTECo3+9oCnjDYBapvXLJqCJRhk +NosoTmGCV0HecWN4l38ojnXd44aSktQIND9iCLus3S6++nFnX5DHGZiv6/SnSO/6 ++Op7nV0A6zKVcMOYQ0SGZPD8UQs5wDJgrR9LY29Ox5QBwu/5NqyvNSrMQaTop5vb +wkMInaq5lLxEYQDSLBc= +-----END CERTIFICATE----- +@TEST-END-FILE + +@TEST-START-FILE cert.2.pem +-----BEGIN CERTIFICATE----- +MIIDOjCCAiICCQDz7oMOR7Wm7TANBgkqhkiG9w0BAQsFADBkMQswCQYDVQQGEwJV +UzELMAkGA1UECAwCQ0ExETAPBgNVBAcMCEJlcmtlbGV5MSMwIQYDVQQKDBpBQ01F +IFNpZ25pbmcgQXV0aG9yaXR5IEluYzEQMA4GA1UEAwwHZm9vLmJhcjAgFw0xNzA0 +MjEyMzI2MzNaGA80NzU1MDMxOTIzMjYzM1owWDELMAkGA1UEBhMCVVMxCzAJBgNV +BAgMAkNBMREwDwYDVQQHDAhCZXJrZWxleTEVMBMGA1UECgwMQUNNRSBTZXJ2aWNl 
+MRIwEAYDVQQDDAkyLmZvby5iYXIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK +AoIBAQDG9fAvW9qnhjGRmLpA++RvOHaesu7NiUQvxf2F6gF2rLJV0/+DSA/PztEv +1WJaGhgJSaEqUjaHk3HY2EKlbGXEPh1mxqgPZD5plGlu4ddTwutxCxxQiFIBH+3N +MYRjJvDN7ozJoi4uRiK0QQdDWAqWJs5hMOJqeWd6MCgmVXSP6pj5/omGROktbHzD +9jJhAW9fnYFg6k+7cGN5kLmjqqnGhJkNtgom6uW9j73S9OpU/9Er2aZme6/PrujI +qYFBV81TJK2vmonWUITxfQjk9JVJYhBdHamGTxUqVBbuRcbAqdImV9yx4LoGh55u +L6xnsW4i0n1o1k+bh03NgwPz12O3AgMBAAEwDQYJKoZIhvcNAQELBQADggEBAJmN +yCdInFIeEwomE6m+Su82BWBzkztOfMG9iRE+1aGuC8EQ8kju5NNMmWQcuKetNh0s +hJVdY6LXh27O0ZUllhQ/ig9c+dYFh6AHoZU7WjiNKIyWuyl4IAOkQ4IEdsBvst+l +0rafcdJjUpqNOMWeyg6x1s+gUD5o+ZLCZGCdkCW3fZbKgF52L+vmsSRiJg2JkYZW +8BPNNsroHZw2UXnLvRqUXCMf1hnOrlx/B0a0Q46hD4NQvl+OzlKaxfR2L2USmJ8M +XZvT6+i8fWvkGv18iunm23Yu+8Zf08wTXnbqXvmMda5upAYLmwD0YKIVYC3ycihh +mkYCYI6PVeH63a2/zxw= +-----END CERTIFICATE----- +@TEST-END-FILE + +@TEST-START-FILE key.1.pem +-----BEGIN RSA PRIVATE KEY----- +MIIEogIBAAKCAQEAx6G3HAEEKm2QDXTncfOdlv51MxnMKbqzovM24fcgsTMJxTKI +FvQLKihJ3bMqVegIf3CM+OTwIAnRIPtaXNgxu/hNPkJVeAoTcAg7pPhUlgeqajEw +nWXC3iMJQBj6ejsPb+NHVuyBaQ3rRSlxKOpKhM0eT+fENGuiqQrabEjKoZOez8vN +8AfYDwNb6bO+5Dew+QiN6GsvOkwOY+Z3xTE9V/++x7NuHLFugi51vzg+H9USu/VI +D3f5KTykNYzavobEezWU3H6wBdYXH0nMZyms5zu1qKUrdZO+Tai3Z0jdRiHIthqY +l2CrV2fZeUxK79jrnKcP7vmv8IypV464Cy/ZXwIDAQABAoIBAC0Y7jmoTR2clJ9F +modWhnI215kMqd9/atdT5EEVx8/f/MQMj0vII8GJSm6H6/duLIVFksMjTM+gCBtQ +TPCOcmXJSQHYkGBGvm9fnMG+y7T81FWa+SWFeIkgFxXgzqzQLMOU72fGk9F8sHp2 +Szb3/o+TmtZoQB2rdxqC9ibiJsxrG5IBVKkzlSPv3POkPXwSb1HcETqrTwefuioj +WMuMrqtm5Y3HddJ5l4JEF5VA3KrsfXWl3JLHH0UViemVahiNjXQAVTKAXIL1PHAV +J2MCEvlpA7sIgXREbmvPvZUTkt3pIqhVjZVJ7tHiSnSecqNTbuxcocnhKhZrHNtC +v2zYKHkCgYEA6cAIhz0qOGDycZ1lf9RSWw0RO1hO8frATMQNVoFVuJJCVL22u96u +0FvJ0JGyYbjthULnlOKyRe7DUL5HRLVS4D7vvKCrgwDmsJp1VFxMdASUdaBfq6aX +oKLUW4q7kC2lQcmK/PVRYwp2GQSx8bodWe+DtXUY/GcN03znY8mhSB0CgYEA2qJK +1GSZsm6kFbDek3BiMMHfO+X819owB2FmXiH+GQckyIZu9xA3HWrkOWTqwglEvzfO +qzFF96E9iEEtseAxhcM8gPvfFuXiUj9t2nH/7SzMnVGikhtYi0p6jrgHmscc4NBx 
+AOUA15kYEFOGqpZfl2uuKqgHidrHdGkJzzSUBqsCgYAVCjb6TVQejQNlnKBFOExN +a8iwScuZVlO21TLKJYwct/WGgSkQkgO0N37b6jFfQHEIvLPxn9IiH1KvUuFBWvzh +uGiF1wR5HzykitKizEgJbVwbllrmLXGagO2Sa9NkL+efG1AKYt53hrqIl/aYZoM7 +1CZL0AV2uqPw9F4zijOdNQKBgH1WmvWGMsKjQTgaLI9z1ybCjjqlj70jHXOtt+Tx +Md2hRcobn5PN3PrlY68vlpHkhF/nG3jzB3x+GGt7ijm2IE3h7la3jl5vLb8fE9gu +kJykmSz7Nurx+GHqMbaN8/Ycfga4GIB9yGzRHIWHjOVQzb5eAfv8Vk4GeV/YM8Jx +Dwd/AoGAILn8pVC9dIFac2BDOFU5y9ZvMmZAvwRxh9vEWewNvkzg27vdYc+rCHNm +I7H0S/RqfqVeo0ApE5PQ8Sll6RvxN/mbSQo9YeCDGQ1r1rNe4Vs12GAYXAbE4ipf +BTdqMbieumB/zL97iK5baHUFEJ4VRtLQhh/SOXgew/BF8ccpilI= +-----END RSA PRIVATE KEY----- +@TEST-END-FILE + +@TEST-START-FILE key.2.pem +-----BEGIN RSA PRIVATE KEY----- +MIIEpQIBAAKCAQEAxvXwL1vap4YxkZi6QPvkbzh2nrLuzYlEL8X9heoBdqyyVdP/ +g0gPz87RL9ViWhoYCUmhKlI2h5Nx2NhCpWxlxD4dZsaoD2Q+aZRpbuHXU8LrcQsc +UIhSAR/tzTGEYybwze6MyaIuLkYitEEHQ1gKlibOYTDianlnejAoJlV0j+qY+f6J +hkTpLWx8w/YyYQFvX52BYOpPu3BjeZC5o6qpxoSZDbYKJurlvY+90vTqVP/RK9mm +Znuvz67oyKmBQVfNUyStr5qJ1lCE8X0I5PSVSWIQXR2phk8VKlQW7kXGwKnSJlfc +seC6Boeebi+sZ7FuItJ9aNZPm4dNzYMD89djtwIDAQABAoIBAQDDaWquGRl40GR/ +C/JjQQPr+RkIZdYGKXu/MEcA8ATf+l5tzfp3hp+BCzCKOpqOxHI3LQoN9xF3t2lq +AX3z27NYO2nFN/h4pYxnRk0Hiulia1+zd6YnsrxYPnPhxXCxsd1xZYsBvzh8WoZb +ZEMt8Zr0PskUzF6VFQh9Ci9k9ym07ooo/KqP4wjXsm/JK1ueOCTpRtabrBI1icrV +iTaw1JEGqlTAQ92vg3pXqSG5yy69Krt7miZZtiOA5mJ90VrHtlNSgp31AOcVv/Ve +/LMIwJp9EzTN+4ipT7AKPeJAoeVqpFjQk+2cW44zJ7xyzw73pTs5ErxkEIhQOp4M +ak2iMg4BAoGBAOivDZSaOcTxEB3oKxYvN/jL9eU2Io9wdZwAZdYQpkgc8lkM9elW +2rbHIwifkDxQnZbl3rXM8xmjA4c5PSCUYdPnLvx6nsUJrWTG0RjakHRliSLthNEC +LpL9MR1aQblyz1D/ulWTFOCNvHU7m3XI3RVJEQWu3qQ5pCndzT56wXjnAoGBANrl +zKvR9o2SONU8SDIcMzXrO2647Z8yXn4Kz1WhWojhRQQ1V3VOLm8gBwv8bPtc7LmE +MSX5MIcxRoHu7D98d53hd+K/ZGYV2h/638qaIEgZDf2oa8QylBgvoGljoy1DH8nN +KKOgksqWK0AAEkP0+S4IFugTxHVanw8JUkV0gVSxAoGBANIRUGJrxmHt/M3zUArs +QE0G3o28DQGQ1y0rEsVrLKQINid9UvoBpt3C9PcRD2fUpCGakDFzwbnQeRv46h3i +uFtV6Q6aKYLcFMXZ1ObqU+Yx0NhOtUz4+lFL8q58UL/7Tf3jkjc13XBJpe31DYoN 
++MMBvzNxR6HeRD5j96tDqi3bAoGAT57SqZS/l5MeNQGuSPvU7MHZZlbBp+xMTpBk +BgOgyLUXw4Ybf8GmRiliJsv0YCHWwUwCDIvtSN91hAGB0T3WzIiccM+pFzDPnF5G +VI1nPJJQcnl2aXD0SS/ZqzvguK/3uhFzvMDFZAbnSGo+OpW6pTGwE05NYVpLDM8Z +K8ZK3KECgYEApNoI5Mr5tmtjq4sbZrgQq6cMlfkIj9gUubOzFCryUb6NaB38Xqkp +2N3/jqdkR+5ZiKOYhsYj+Iy6U3jyqiEl9VySYTfEIfP/ky1CD0a8/EVC9HR4iG8J +im6G7/osaSBYAZctryLqVJXObTelgEy/EFwW9jW8HVph/G+ljmHOmuQ= +-----END RSA PRIVATE KEY----- +@TEST-END-FILE + +@TEST-START-FILE cert.2.pem +-----BEGIN CERTIFICATE----- +MIIDOjCCAiICCQDz7oMOR7Wm7TANBgkqhkiG9w0BAQsFADBkMQswCQYDVQQGEwJV +UzELMAkGA1UECAwCQ0ExETAPBgNVBAcMCEJlcmtlbGV5MSMwIQYDVQQKDBpBQ01F +IFNpZ25pbmcgQXV0aG9yaXR5IEluYzEQMA4GA1UEAwwHZm9vLmJhcjAgFw0xNzA0 +MjEyMzI2MzNaGA80NzU1MDMxOTIzMjYzM1owWDELMAkGA1UEBhMCVVMxCzAJBgNV +BAgMAkNBMREwDwYDVQQHDAhCZXJrZWxleTEVMBMGA1UECgwMQUNNRSBTZXJ2aWNl +MRIwEAYDVQQDDAkyLmZvby5iYXIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK +AoIBAQDG9fAvW9qnhjGRmLpA++RvOHaesu7NiUQvxf2F6gF2rLJV0/+DSA/PztEv +1WJaGhgJSaEqUjaHk3HY2EKlbGXEPh1mxqgPZD5plGlu4ddTwutxCxxQiFIBH+3N +MYRjJvDN7ozJoi4uRiK0QQdDWAqWJs5hMOJqeWd6MCgmVXSP6pj5/omGROktbHzD +9jJhAW9fnYFg6k+7cGN5kLmjqqnGhJkNtgom6uW9j73S9OpU/9Er2aZme6/PrujI +qYFBV81TJK2vmonWUITxfQjk9JVJYhBdHamGTxUqVBbuRcbAqdImV9yx4LoGh55u +L6xnsW4i0n1o1k+bh03NgwPz12O3AgMBAAEwDQYJKoZIhvcNAQELBQADggEBAJmN +yCdInFIeEwomE6m+Su82BWBzkztOfMG9iRE+1aGuC8EQ8kju5NNMmWQcuKetNh0s +hJVdY6LXh27O0ZUllhQ/ig9c+dYFh6AHoZU7WjiNKIyWuyl4IAOkQ4IEdsBvst+l +0rafcdJjUpqNOMWeyg6x1s+gUD5o+ZLCZGCdkCW3fZbKgF52L+vmsSRiJg2JkYZW +8BPNNsroHZw2UXnLvRqUXCMf1hnOrlx/B0a0Q46hD4NQvl+OzlKaxfR2L2USmJ8M +XZvT6+i8fWvkGv18iunm23Yu+8Zf08wTXnbqXvmMda5upAYLmwD0YKIVYC3ycihh +mkYCYI6PVeH63a2/zxw= +-----END CERTIFICATE----- +@TEST-END-FILE + +@TEST-START-FILE ca.pem +-----BEGIN CERTIFICATE----- +MIIDmzCCAoOgAwIBAgIJAPLZ3e3WR0LLMA0GCSqGSIb3DQEBCwUAMGQxCzAJBgNV +BAYTAlVTMQswCQYDVQQIDAJDQTERMA8GA1UEBwwIQmVya2VsZXkxIzAhBgNVBAoM +GkFDTUUgU2lnbmluZyBBdXRob3JpdHkgSW5jMRAwDgYDVQQDDAdmb28uYmFyMB4X 
+DTE3MDQyMTIzMjM0OFoXDTQyMDQyMTIzMjM0OFowZDELMAkGA1UEBhMCVVMxCzAJ +BgNVBAgMAkNBMREwDwYDVQQHDAhCZXJrZWxleTEjMCEGA1UECgwaQUNNRSBTaWdu +aW5nIEF1dGhvcml0eSBJbmMxEDAOBgNVBAMMB2Zvby5iYXIwggEiMA0GCSqGSIb3 +DQEBAQUAA4IBDwAwggEKAoIBAQC6ah79JvrN3LtcPzc9bX5THdzfidWncSmowotG +SZA3gcIhlsYD3P3RCaUR9g+f2Z/l0l7ciKgWetpNtN9hRBbg5/9tFzSpCb/Y0SSG +mwtHHovEqN2MWV+Od/MUcYSlL6MmPjSDc8Ls5NSniTr9OBE9J1jm72AsuzHasjPQ +D84TlWeTSs0HW3H5VxDb15xWYFnmgBo0JylDWj0+VWI+G41Xr7Ubu9699lWSFYF9 +FCtdjzM5e1CGZOMvqUbUBus38BhUAdQ4fE7Dwnn8seKh+7HpJ70omIgqG87e4DBo +HbnMAkZaekk8+LBl0Hfu8c66Utw9mNoMIlFf/AMlJyLDIpNxAgMBAAGjUDBOMB0G +A1UdDgQWBBRc6Cbyshtny6jFWZtd/cEUUfMQ3DAfBgNVHSMEGDAWgBRc6Cbyshtn +y6jFWZtd/cEUUfMQ3DAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCY +numHau9XYH5h4R2CoMdnKPMGk6V7UZZdbidLLcE4roQrYhnBdyhT69b/ySJK2Ee4 +mt8T+E0wcg3k8Pr3aJEJA8eYYaJTqZvvv+TwuMBPjmE2rYSIpgMZv2tRD3XWMaQu +duLbwkclfejQHDD26xNXsxuU+WNB5kuvtNAg0oKFyFdNKElLQEcjyYzfxmCF4YX5 +WmElijr1Tzuzd59rWPqC/tVIsh42vQ+P6g8Y1PDmo8eTUFveZ+wcr/eEPW6IOMrg +OW7tATcrgzNuXZ1umiuGgAPuIVqPfr9ssZHBqi9UOK9L/8MQrnOxecNUpPohcTFR +vq+Zqu15QV9T4BVWKHv0 +-----END CERTIFICATE----- +@TEST-END-FILE + +@TEST-START-FILE send.bro + +redef exit_only_after_terminate = T; + +redef Broker::ssl_cafile = "../ca.pem"; +redef Broker::ssl_keyfile = "../key.1.pem"; +redef Broker::ssl_certificate = "../cert.1.pem"; + +global event_count = 0; + +global ping: event(msg: string, c: count); + +event bro_init() + { + Broker::subscribe("bro/event/my_topic"); + Broker::peer("127.0.0.1"); + } + +function send_event() + { + ++event_count; + local e = Broker::make_event(ping, "my-message", event_count); + Broker::publish("bro/event/my_topic", e); + } + +event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) + { + print fmt("sender added peer: endpoint=%s msg=%s", + endpoint$network$address, msg); + send_event(); + } + +event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) + { + print fmt("sender lost peer: endpoint=%s msg=%s", + endpoint$network$address, 
msg); + terminate(); + } + +event pong(msg: string, n: count) + { + print fmt("sender got pong: %s, %s", msg, n); + send_event(); + } + +@TEST-END-FILE + + +@TEST-START-FILE recv.bro + +redef exit_only_after_terminate = T; + +redef Broker::ssl_cafile = "../ca.pem"; +redef Broker::ssl_keyfile = "../key.2.pem"; +redef Broker::ssl_certificate = "../cert.2.pem"; + +const events_to_recv = 5; + +global handler: event(msg: string, c: count); +global auto_handler: event(msg: string, c: count); + +global pong: event(msg: string, c: count); + +event bro_init() + { + Broker::subscribe("bro/event/my_topic"); + Broker::listen("127.0.0.1"); + } + +event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) + { + print fmt("receiver added peer: endpoint=%s msg=%s", endpoint$network$address, msg); + } + +event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) + { + print fmt("receiver lost peer: endpoint=%s msg=%s", endpoint$network$address, msg); + } + +event ping(msg: string, n: count) + { + print fmt("receiver got ping: %s, %s", msg, n); + + if ( n == events_to_recv ) + { + print get_broker_stats(); + terminate(); + return; + } + + local e = Broker::make_event(pong, msg, n); + Broker::publish("bro/event/my_topic", e); + } + +@TEST-END-FILE diff --git a/testing/btest/broker/remote_id.bro b/testing/btest/broker/remote_id.bro new file mode 100644 index 0000000000..2748f4a061 --- /dev/null +++ b/testing/btest/broker/remote_id.bro 
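Review bot: This test only covers the case where both peers present certificates issued by `ca.pem`, so it would still pass if Broker accepted any certificate or fell back to an unauthenticated connection. A companion case where one side uses a key/certificate pair that `ca.pem` did not sign, and the expected output contains no `peer added` line, would pin the authentication behaviour the file name promises. Separately, `@TEST-START-FILE cert.2.pem` appears twice with what looks like the same body, so the second copy can be dropped. Because the RSA private keys are committed in the clear, a header comment such as `# Keys and certificates below are throwaway test fixtures; never reuse them outside this test.` would help.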
@@ -0,0 +1,55 @@
+# @TEST-SERIALIZE: comm
+#
+# @TEST-EXEC: btest-bg-run recv "bro -B broker -b ../recv.bro >recv.out"
+# @TEST-EXEC: btest-bg-run send "bro -B broker -b ../send.bro test_var=newval >send.out"
+#
+# @TEST-EXEC: btest-bg-wait 20
+# @TEST-EXEC: btest-diff recv/recv.out
+
+@TEST-START-FILE send.bro
+
+const test_var = "init" &redef;
+
+event bro_init()
+ {
+ Broker::peer("127.0.0.1");
+ }
+
+event die()
+ {
+ terminate();
+ }
+
+event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string)
+ {
+ print "peer added";
+ Broker::publish_id("bro/ids/test", "test_var");
+ schedule 1sec { die() };
+ }
+
+@TEST-END-FILE
+
+@TEST-START-FILE recv.bro
+
+const test_var = "init" &redef;
+
+event bro_init()
+ {
+ print "intial val", test_var;
+ Broker::subscribe("bro/ids");
+ Broker::listen();
+ }
+
+event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string)
+ {
+ print "peer added";
+ }
+
+event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string)
+ {
+ print "peer lost";
+ print "updated val", test_var;
+ terminate();
+ }
+
+@TEST-END-FILE
diff --git a/testing/btest/broker/remote_log.bro b/testing/btest/broker/remote_log.bro
new file mode 100644
index 0000000000..2b784bc5f2
--- /dev/null
+++ b/testing/btest/broker/remote_log.bro
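Review bot: recv.bro calls `Broker::listen();` with no address, while the sibling tests in this commit bind explicitly with `Broker::listen("127.0.0.1");`. Depending on the default listen address, which is not visible in this hunk, the receiver may accept peers on every interface of the test host. That matters here because this receiver subscribes to `bro/ids` and lets a peer overwrite `test_var` through `Broker::publish_id`. Binding to loopback keeps the exposure local and matches the other tests: `Broker::listen("127.0.0.1");`. The printed string `"intial val"` is also misspelled; correcting it means updating the recv.out baseline as well.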
@@ -0,0 +1,98 @@
+# @TEST-SERIALIZE: comm
+
+# @TEST-EXEC: btest-bg-run recv "bro -B broker -b ../recv.bro >recv.out"
+# @TEST-EXEC: btest-bg-run send "bro -B broker -b ../send.bro >send.out"
+
+# @TEST-EXEC: btest-bg-wait 20
+# @TEST-EXEC: btest-diff recv/recv.out
+# @TEST-EXEC: btest-diff recv/test.log
+# @TEST-EXEC: btest-diff send/send.out
+# @TEST-EXEC: btest-diff send/test.log
+
+@TEST-START-FILE common.bro
+
+redef exit_only_after_terminate = T;
+
+module Test;
+
+export {
+ redef enum Log::ID += { LOG };
+
+ type Info: record {
+ msg: string &log;
+ nolog: string &default="no";
+ num: count &log;
+ };
+}
+
+event bro_init() &priority=5
+ {
+ Log::create_stream(Test::LOG, [$columns=Test::Info]);
+ }
+
+event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string)
+ {
+ terminate();
+ }
+
+@TEST-END-FILE
+
+@TEST-START-FILE recv.bro
+
+
+@load ./common.bro
+
+event bro_init()
+ {
+ Broker::subscribe("bro/");
+ Broker::listen("127.0.0.1");
+ }
+
+event Broker::peer_removed(endpoint: Broker::EndpointInfo, msg: string)
+ {
+ terminate();
+ }
+
+@TEST-END-FILE
+
+@TEST-START-FILE send.bro
+
+
+
+@load ./common.bro
+
+event bro_init()
+ {
+ Broker::peer("127.0.0.1");
+ }
+
+global n = 0;
+
+event die()
+ {
+ terminate();
+ }
+
+event do_write()
+ {
+ if ( n == 6 )
+ {
+ Broker::flush_logs();
+ schedule 1sec { die() };
+ }
+ else
+ {
+ Log::write(Test::LOG, [$msg = "ping", $num = n]);
+ ++n;
+ schedule 0.1secs { do_write() };
+ }
+ }
+
+event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string)
+ {
+ print "Broker::peer_added", endpoint$network$address;
+ event do_write();
+ }
+
+
+@TEST-END-FILE
diff --git a/testing/btest/broker/remote_log.test b/testing/btest/broker/remote_log.test
deleted file mode 100644
index 5881ad6d92..0000000000
--- a/testing/btest/broker/remote_log.test
+++ /dev/null
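Review bot: In send.bro's `do_write`, the `schedule 1sec { die() };` after `Broker::flush_logs();` has no comment saying why the sender waits before terminating. The delay presumably gives the flushed log batch time to reach the receiver before the peering drops, since the receiver terminates on `Broker::peer_lost` and its test.log is compared against a baseline. A comment above the schedule would record that intent, e.g. `# Give the flushed log batch time to reach the receiver before disconnecting.`, so nobody shortens the delay later. remote_log_late_join.bro uses the same pattern and would benefit from the same comment.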
@@ -1,97 +0,0 @@ -# @TEST-SERIALIZE: brokercomm -# @TEST-REQUIRES: grep -q ENABLE_BROKER:BOOL=true $BUILD/CMakeCache.txt - -# @TEST-EXEC: btest-bg-run recv "bro -b ../common.bro ../recv.bro broker_port=$BROKER_PORT >recv.out" -# @TEST-EXEC: btest-bg-run send "bro -b ../common.bro ../send.bro broker_port=$BROKER_PORT >send.out" - -# @TEST-EXEC: btest-bg-wait 20 -# @TEST-EXEC: btest-diff recv/recv.out -# @TEST-EXEC: btest-diff recv/test.log -# @TEST-EXEC: btest-diff send/send.out -# @TEST-EXEC: btest-diff send/test.log - -@TEST-START-FILE common.bro - -module Test; - -export { - redef enum Log::ID += { LOG }; - - type Info: record { - msg: string &log; - nolog: string &default="no"; - num: count &log; - }; - - global log_test: event(rec: Test::Info); -} - -event bro_init() &priority=5 - { - Broker::enable(); - Log::create_stream(Test::LOG, [$columns=Test::Info, $ev=log_test]); - } - -@TEST-END-FILE - -@TEST-START-FILE recv.bro - -const broker_port: port &redef; -redef exit_only_after_terminate = T; - -event bro_init() - { - Broker::subscribe_to_logs("bro/log/"); - Broker::listen(broker_port, "127.0.0.1"); - } - -event Test::log_test(rec: Test::Info) - { - print "wrote log", rec; - - if ( rec$num == 5 ) - terminate(); - } - -@TEST-END-FILE - -@TEST-START-FILE send.bro - -const broker_port: port &redef; -redef exit_only_after_terminate = T; - -event bro_init() - { - Broker::enable_remote_logs(Test::LOG); - Broker::connect("127.0.0.1", broker_port, 1secs); - } - -global n = 0; - -event do_write() - { - if ( n == 6 ) - return; - else - { - Log::write(Test::LOG, [$msg = "ping", $num = n]); - ++n; - event do_write(); - } - } - -event Broker::outgoing_connection_established(peer_address: string, - peer_port: port, - peer_name: string) - { - print "Broker::outgoing_connection_established", peer_address, peer_port; - event do_write(); - } - -event Broker::outgoing_connection_broken(peer_address: string, - peer_port: port) - { - terminate(); - } - -@TEST-END-FILE 
diff --git a/testing/btest/broker/remote_log_late_join.bro b/testing/btest/broker/remote_log_late_join.bro
new file mode 100644
index 0000000000..c8ca0285a1
--- /dev/null
+++ b/testing/btest/broker/remote_log_late_join.bro
@@ -0,0 +1,105 @@
+# @TEST-SERIALIZE: comm
+
+# @TEST-EXEC: btest-bg-run recv "bro -b ../recv.bro >recv.out"
+# @TEST-EXEC: btest-bg-run send "bro -b ../send.bro >send.out"
+
+# @TEST-EXEC: btest-bg-wait 20
+# @TEST-EXEC: btest-diff recv/recv.out
+# @TEST-EXEC: btest-diff recv/test.log
+# @TEST-EXEC: btest-diff send/send.out
+# @TEST-EXEC: btest-diff send/test.log
+
+@TEST-START-FILE common.bro
+
+redef exit_only_after_terminate = T;
+
+module Test;
+
+export {
+ redef enum Log::ID += { LOG };
+
+ type Info: record {
+ msg: string &log;
+ nolog: string &default="no";
+ num: count &log;
+ };
+}
+
+event bro_init() &priority=5
+ {
+ Log::create_stream(Test::LOG, [$columns=Test::Info]);
+ }
+
+event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string)
+ {
+ terminate();
+ }
+
+@TEST-END-FILE
+
+@TEST-START-FILE recv.bro
+
+
+@load ./common.bro
+
+event bro_init()
+ {
+ Broker::subscribe("bro/");
+ Broker::listen("127.0.0.1");
+ }
+
+event Broker::peer_removed(endpoint: Broker::EndpointInfo, msg: string)
+ {
+ terminate();
+ }
+
+@TEST-END-FILE
+
+@TEST-START-FILE send.bro
+
+
+
+@load ./common.bro
+
+event doconnect()
+ {
+ Broker::peer("127.0.0.1");
+ }
+
+global n = 0;
+
+event bro_init()
+ {
+ schedule 2secs { doconnect() };
+ Log::write(Test::LOG, [$msg = "ping", $num = n]);
+ ++n;
+ }
+
+event die()
+ {
+ terminate();
+ }
+
+event do_write()
+ {
+ if ( n == 6 )
+ {
+ Broker::flush_logs();
+ schedule 1sec { die() };
+ }
+ else
+ {
+ Log::write(Test::LOG, [$msg = "ping", $num = n]);
+ ++n;
+ schedule 0.1secs { do_write() };
+ }
+ }
+
+event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string)
+ {
+ print "Broker::peer_added", endpoint$network$address;
+ event do_write();
+ }
+
+
+@TEST-END-FILE
diff --git a/testing/btest/broker/remote_log_types.bro b/testing/btest/broker/remote_log_types.bro
new file mode 100644
index 0000000000..f514c7f86d
--- /dev/null
+++ b/testing/btest/broker/remote_log_types.bro
@@ -0,0 +1,131 @@
+# @TEST-SERIALIZE: comm
+
+# @TEST-EXEC: btest-bg-run recv "bro -b ../recv.bro >recv.out"
+# @TEST-EXEC: btest-bg-run send "bro -b ../send.bro >send.out"
+
+# @TEST-EXEC: btest-bg-wait 20
+# @TEST-EXEC: btest-diff recv/recv.out
+# @TEST-EXEC: btest-diff recv/test.log
+# @TEST-EXEC: btest-diff send/send.out
+# @TEST-EXEC: btest-diff send/test.log
+# @TEST-EXEC: cat send/test.log | grep -v '#close' >send/test.log.filtered
+# @TEST-EXEC: cat recv/test.log | grep -v '#close' >recv/test.log.filtered
+# @TEST-EXEC: diff -u send/test.log.filtered recv/test.log.filtered
+
+@TEST-START-FILE common.bro
+
+redef exit_only_after_terminate = T;
+
+global quit_receiver: event();
+global quit_sender: event();
+
+
+module Test;
+
+export {
+ redef enum Log::ID += { LOG };
+
+ type Info: record {
+ b: bool;
+ i: int;
+ e: Log::ID;
+ c: count;
+ p: port;
+ sn: subnet;
+ a: addr;
+ d: double;
+ t: time;
+ iv: interval;
+ s: string;
+ sc: set[count];
+ ss: set[string];
+ se: set[string];
+ vc: vector of count;
+ ve: vector of string;
+ f: function(i: count) : string;
+ } &log;
+
+}
+
+event bro_init() &priority=5
+ {
+ Log::create_stream(Test::LOG, [$columns=Test::Info]);
+ }
+
+@TEST-END-FILE
+
+@TEST-START-FILE recv.bro
+
+@load ./common.bro
+
+event bro_init()
+ {
+ Broker::subscribe("bro/");
+ Broker::listen("127.0.0.1");
+ }
+
+event quit_receiver()
+ {
+ terminate();
+ }
+
+@TEST-END-FILE
+
+@TEST-START-FILE send.bro
+
+
+
+@load ./common.bro
+
+event bro_init()
+ {
+ Broker::peer("127.0.0.1");
+ }
+
+event quit_sender()
+ {
+ terminate();
+ }
+
+function foo(i : count) : string
+ {
+ if ( i > 0 )
+ return "Foo";
+ else
+ return "Bar";
+ }
+
+event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string)
+ {
+ print "Broker::peer_added", endpoint$network$address;
+
+ local empty_set: set[string];
+ local empty_vector: vector of string;
+
+ Log::write(Test::LOG, [
+ $b=T,
+ $i=-42,
+ $e=Test::LOG,
+ $c=21,
+ $p=123/tcp,
+ $sn=10.0.0.1/24,
+ $a=1.2.3.4,
+ $d=3.14,
+ $t=network_time(),
+ $iv=100secs,
+ $s="hurz",
+ $sc=set(1), # set(1,2,3,4), # Output not stable for multi-element sets.
+ $ss=set("AA"), # set("AA", "BB", "CC") # Output not stable for multi-element sets.
+ $se=empty_set,
+ $vc=vector(10, 20, 30),
+ $ve=empty_vector,
+ $f=foo
+ ]);
+
+ local e = Broker::make_event(quit_receiver);
+ Broker::publish("bro/", e);
+ schedule 1sec { quit_sender() };
+ }
+
+
+@TEST-END-FILE
diff --git a/testing/btest/broker/remote_print.test b/testing/btest/broker/remote_print.test
deleted file mode 100644
index c64e70fedc..0000000000
--- a/testing/btest/broker/remote_print.test
+++ /dev/null
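Review bot: The two filter steps in the test header strip only lines containing `#close` before the raw `diff -u` of the sender's and receiver's test.log. If the log header also carries an `#open` timestamp (the log format is not visible in this hunk), the two processes can open their files in different seconds and the comparison becomes timing-dependent. Filtering both markers, anchored to line start and without the extra `cat`, avoids that: `# @TEST-EXEC: grep -v -e '^#open' -e '^#close' send/test.log >send/test.log.filtered`, and the same for recv.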
@@ -1,83 +0,0 @@ -# @TEST-SERIALIZE: brokercomm -# @TEST-REQUIRES: grep -q ENABLE_BROKER:BOOL=true $BUILD/CMakeCache.txt - -# @TEST-EXEC: btest-bg-run recv "bro -b ../recv.bro broker_port=$BROKER_PORT >recv.out" -# @TEST-EXEC: btest-bg-run send "bro -b ../send.bro broker_port=$BROKER_PORT >send.out" - -# @TEST-EXEC: btest-bg-wait 20 -# @TEST-EXEC: btest-diff recv/recv.out -# @TEST-EXEC: btest-diff send/send.out - -@TEST-START-FILE recv.bro - -const broker_port: port &redef; -redef exit_only_after_terminate = T; - -event bro_init() - { - Broker::enable(); - Broker::subscribe_to_prints("bro/print/"); - Broker::listen(broker_port, "127.0.0.1"); - } - -global messages_to_recv = 6; -global messages_sent = 0; -global messages_recv = 0; - -event Broker::print_handler(msg: string) - { - ++messages_recv; - print "got print msg", msg; - - if ( messages_to_recv == messages_recv ) - { - terminate(); - return; - } - - Broker::send_print("bro/print/my_topic", fmt("pong %d", messages_sent)); - ++messages_sent; - } - -@TEST-END-FILE - -@TEST-START-FILE send.bro - -const broker_port: port &redef; -redef exit_only_after_terminate = T; - -event bro_init() - { - Broker::enable(); - Broker::subscribe_to_prints("bro/print/my_topic"); - Broker::connect("127.0.0.1", broker_port, 1secs); - } - -global messages_sent = 0; -global messages_recv = 0; -global peer_disconnected = F; - -event Broker::outgoing_connection_established(peer_address: string, - peer_port: port, - peer_name: string) - { - print "Broker::outgoing_connection_established", peer_address, peer_port; - Broker::send_print("bro/print/hi", fmt("ping %d", messages_sent)); - ++messages_sent; - } - -event Broker::outgoing_connection_broken(peer_address: string, - peer_port: port) - { - terminate(); - } - -event Broker::print_handler(msg: string) - { - ++messages_recv; - print "got print msg", msg; - Broker::send_print("bro/print/hi", fmt("ping %d", messages_sent)); - ++messages_sent; - } - -@TEST-END-FILE 
diff --git a/testing/btest/broker/remote_publish_and_relay_event.bro b/testing/btest/broker/remote_publish_and_relay_event.bro
new file mode 100644
index 0000000000..444b454f80
--- /dev/null
+++ b/testing/btest/broker/remote_publish_and_relay_event.bro
@@ -0,0 +1,119 @@ +# @TEST-SERIALIZE: comm +# +# @TEST-EXEC: btest-bg-run three "bro -B broker -b ../three.bro >three.out" +# @TEST-EXEC: btest-bg-run two "bro -B broker -b ../two.bro >two.out" +# @TEST-EXEC: btest-bg-run one "bro -B broker -b ../one.bro >one.out" +# +# @TEST-EXEC: btest-bg-wait 20 +# @TEST-EXEC: btest-diff one/one.out +# @TEST-EXEC: btest-diff two/two.out +# @TEST-EXEC: btest-diff three/three.out + +@TEST-START-FILE one.bro + +redef exit_only_after_terminate = T; + +event my_event(s: string) + { + print "got my_event", s; + } + +event ready_event() + { + print "got ready event"; + + Broker::publish_and_relay("bro/event/pre-relay", "bro/event/post-relay", + my_event, "hello world"); + } + +event bro_init() + { + Broker::subscribe("bro/event/ready"); + Broker::peer("127.0.0.1", 10000/tcp); + } + +event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) + { + print fmt("sender added peer: endpoint=%s msg=%s", + endpoint$network$address, msg); + } + +event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) + { + print fmt("sender lost peer: endpoint=%s msg=%s", + endpoint$network$address, msg); + terminate(); + } + +@TEST-END-FILE + + +@TEST-START-FILE two.bro + +redef exit_only_after_terminate = T; + +global peers_added = 0; + +event my_event(s: string) + { + print "got my_event", s; + } + +event ready_event() + { + } + +event bro_init() + { + Broker::subscribe("bro/event/pre-relay"); + Broker::listen("127.0.0.1", 10000/tcp); + Broker::peer("127.0.0.1", 9999/tcp); + } + +event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) + { + print fmt("receiver added peer: endpoint=%s msg=%s", endpoint$network$address, msg); + ++peers_added; + + if ( peers_added == 2 ) + { + print "sending ready event"; + Broker::publish("bro/event/ready", ready_event); + } + } + +event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) + { + print fmt("receiver lost peer: endpoint=%s msg=%s", endpoint$network$address, msg); + 
terminate(); + } + +@TEST-END-FILE + +@TEST-START-FILE three.bro + +redef exit_only_after_terminate = T; + +event my_event(s: string) + { + print "got my_event", s; + terminate(); + } + +event bro_init() + { + Broker::subscribe("bro/event/post-relay"); + Broker::listen("127.0.0.1", 9999/tcp); + } + +event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) + { + print fmt("receiver added peer: endpoint=%s msg=%s", endpoint$network$address, msg); + } + +event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) + { + print fmt("receiver lost peer: endpoint=%s msg=%s", endpoint$network$address, msg); + } + +@TEST-END-FILE diff --git a/testing/btest/broker/remote_relay_event.bro b/testing/btest/broker/remote_relay_event.bro new file mode 100644 index 0000000000..c65265bdb5 --- /dev/null +++ b/testing/btest/broker/remote_relay_event.bro 
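Review bot: The listeners in two.bro and three.bro are pinned to fixed ports, `Broker::listen("127.0.0.1", 10000/tcp)` and `Broker::listen("127.0.0.1", 9999/tcp)`, so the test only works when both ports are free on the build host and nothing else on the machine connects to them. remote_relay_event.bro, added in the same change, uses the same two ports. The deleted remote_print.test took its port from the command line (`const broker_port: port &redef;` with `broker_port=$BROKER_PORT`); declaring the relay ports the same way, e.g. `const relay_port: port = 10000/tcp &redef;`, keeps the topology explicit while letting a CI job move it. Binding to 127.0.0.1 is the right choice and should stay.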
@@ -0,0 +1,120 @@ +# @TEST-SERIALIZE: comm +# +# @TEST-EXEC: btest-bg-run three "bro -B broker -b ../three.bro >three.out" +# @TEST-EXEC: btest-bg-run two "bro -B broker -b ../two.bro >two.out" +# @TEST-EXEC: btest-bg-run one "bro -B broker -b ../one.bro >one.out" +# +# @TEST-EXEC: btest-bg-wait 20 +# @TEST-EXEC: btest-diff one/one.out +# @TEST-EXEC: btest-diff two/two.out +# @TEST-EXEC: btest-diff three/three.out + +@TEST-START-FILE one.bro + +redef exit_only_after_terminate = T; + +event my_event(s: string) + { + print "got my_event", s; + } + +event ready_event() + { + print "got ready event"; + + Broker::relay("bro/event/pre-relay", "bro/event/post-relay", my_event, + "hello world"); + } + +event bro_init() + { + Broker::subscribe("bro/event/ready"); + Broker::peer("127.0.0.1", 10000/tcp); + } + +event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) + { + print fmt("sender added peer: endpoint=%s msg=%s", + endpoint$network$address, msg); + } + +event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) + { + print fmt("sender lost peer: endpoint=%s msg=%s", + endpoint$network$address, msg); + terminate(); + } + +@TEST-END-FILE + + +@TEST-START-FILE two.bro + +redef exit_only_after_terminate = T; + +global peers_added = 0; + +event my_event(s: string) + { + print "got my_event", s; + terminate(); + } + +event ready_event() + { + } + +event bro_init() + { + Broker::subscribe("bro/event/pre-relay"); + Broker::listen("127.0.0.1", 10000/tcp); + Broker::peer("127.0.0.1", 9999/tcp); + } + +event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) + { + print fmt("receiver added peer: endpoint=%s msg=%s", endpoint$network$address, msg); + ++peers_added; + + if ( peers_added == 2 ) + { + print "sending ready event"; + Broker::publish("bro/event/ready", ready_event); + } + } + +event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) + { + print fmt("receiver lost peer: endpoint=%s msg=%s", endpoint$network$address, 
msg); + terminate(); + } + +@TEST-END-FILE + +@TEST-START-FILE three.bro + +redef exit_only_after_terminate = T; + +event my_event(s: string) + { + print "got my_event", s; + terminate(); + } + +event bro_init() + { + Broker::subscribe("bro/event/post-relay"); + Broker::listen("127.0.0.1", 9999/tcp); + } + +event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) + { + print fmt("receiver added peer: endpoint=%s msg=%s", endpoint$network$address, msg); + } + +event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) + { + print fmt("receiver lost peer: endpoint=%s msg=%s", endpoint$network$address, msg); + } + +@TEST-END-FILE diff --git a/testing/btest/broker/ssl_auth_failure.bro b/testing/btest/broker/ssl_auth_failure.bro new file mode 100644 index 0000000000..03b14aaab3 --- /dev/null +++ b/testing/btest/broker/ssl_auth_failure.bro 
@@ -0,0 +1,164 @@ +# @TEST-SERIALIZE: comm +# +# @TEST-EXEC: btest-bg-run recv "bro -B broker -b ../recv.bro >recv.out" +# @TEST-EXEC: btest-bg-run send "bro -B broker -b ../send.bro >send.out" +# +# @TEST-EXEC: btest-bg-wait 15 +# @TEST-EXEC: btest-diff recv/recv.out +# @TEST-EXEC: btest-diff send/send.out + +@TEST-START-FILE ca.pem +-----BEGIN CERTIFICATE----- +MIIDmzCCAoOgAwIBAgIJAPLZ3e3WR0LLMA0GCSqGSIb3DQEBCwUAMGQxCzAJBgNV +BAYTAlVTMQswCQYDVQQIDAJDQTERMA8GA1UEBwwIQmVya2VsZXkxIzAhBgNVBAoM +GkFDTUUgU2lnbmluZyBBdXRob3JpdHkgSW5jMRAwDgYDVQQDDAdmb28uYmFyMB4X +DTE3MDQyMTIzMjM0OFoXDTQyMDQyMTIzMjM0OFowZDELMAkGA1UEBhMCVVMxCzAJ +BgNVBAgMAkNBMREwDwYDVQQHDAhCZXJrZWxleTEjMCEGA1UECgwaQUNNRSBTaWdu +aW5nIEF1dGhvcml0eSBJbmMxEDAOBgNVBAMMB2Zvby5iYXIwggEiMA0GCSqGSIb3 +DQEBAQUAA4IBDwAwggEKAoIBAQC6ah79JvrN3LtcPzc9bX5THdzfidWncSmowotG +SZA3gcIhlsYD3P3RCaUR9g+f2Z/l0l7ciKgWetpNtN9hRBbg5/9tFzSpCb/Y0SSG +mwtHHovEqN2MWV+Od/MUcYSlL6MmPjSDc8Ls5NSniTr9OBE9J1jm72AsuzHasjPQ +D84TlWeTSs0HW3H5VxDb15xWYFnmgBo0JylDWj0+VWI+G41Xr7Ubu9699lWSFYF9 +FCtdjzM5e1CGZOMvqUbUBus38BhUAdQ4fE7Dwnn8seKh+7HpJ70omIgqG87e4DBo +HbnMAkZaekk8+LBl0Hfu8c66Utw9mNoMIlFf/AMlJyLDIpNxAgMBAAGjUDBOMB0G +A1UdDgQWBBRc6Cbyshtny6jFWZtd/cEUUfMQ3DAfBgNVHSMEGDAWgBRc6Cbyshtn +y6jFWZtd/cEUUfMQ3DAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCY +numHau9XYH5h4R2CoMdnKPMGk6V7UZZdbidLLcE4roQrYhnBdyhT69b/ySJK2Ee4 +mt8T+E0wcg3k8Pr3aJEJA8eYYaJTqZvvv+TwuMBPjmE2rYSIpgMZv2tRD3XWMaQu +duLbwkclfejQHDD26xNXsxuU+WNB5kuvtNAg0oKFyFdNKElLQEcjyYzfxmCF4YX5 +WmElijr1Tzuzd59rWPqC/tVIsh42vQ+P6g8Y1PDmo8eTUFveZ+wcr/eEPW6IOMrg +OW7tATcrgzNuXZ1umiuGgAPuIVqPfr9ssZHBqi9UOK9L/8MQrnOxecNUpPohcTFR +vq+Zqu15QV9T4BVWKHv0 +-----END CERTIFICATE----- +@TEST-END-FILE + + +@TEST-START-FILE cert.1.pem +-----BEGIN CERTIFICATE----- +MIIDOjCCAiICCQDz7oMOR7Wm7jANBgkqhkiG9w0BAQsFADBkMQswCQYDVQQGEwJV +UzELMAkGA1UECAwCQ0ExETAPBgNVBAcMCEJlcmtlbGV5MSMwIQYDVQQKDBpBQ01F +IFNpZ25pbmcgQXV0aG9yaXR5IEluYzEQMA4GA1UEAwwHZm9vLmJhcjAgFw0xNzA0 
+MjEyMzI2MzhaGA80NzU1MDMxOTIzMjYzOFowWDELMAkGA1UEBhMCVVMxCzAJBgNV +BAgMAkNBMREwDwYDVQQHDAhCZXJrZWxleTEVMBMGA1UECgwMQUNNRSBTZXJ2aWNl +MRIwEAYDVQQDDAkxLmZvby5iYXIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK +AoIBAQDHobccAQQqbZANdOdx852W/nUzGcwpurOi8zbh9yCxMwnFMogW9AsqKEnd +sypV6Ah/cIz45PAgCdEg+1pc2DG7+E0+QlV4ChNwCDuk+FSWB6pqMTCdZcLeIwlA +GPp6Ow9v40dW7IFpDetFKXEo6kqEzR5P58Q0a6KpCtpsSMqhk57Py83wB9gPA1vp +s77kN7D5CI3oay86TA5j5nfFMT1X/77Hs24csW6CLnW/OD4f1RK79UgPd/kpPKQ1 +jNq+hsR7NZTcfrAF1hcfScxnKaznO7WopSt1k75NqLdnSN1GIci2GpiXYKtXZ9l5 +TErv2Oucpw/u+a/wjKlXjrgLL9lfAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAKuW +yKA2uuiNc9MKU+yVbNaP8kPaMb/wMvVaFG8FFFpCTZ0MFMLsqRpeqtj7gMK/gaJC +CQm4EyadjzfWFYDLkHzm6b7gI8digvvhjr/C2RJ5Qxr2P0iFP1buGq0CqnF20XgQ +Q+ecS43CZ77CfKfS6ZLPmAZMAwgFLImVyo5mkaTECo3+9oCnjDYBapvXLJqCJRhk +NosoTmGCV0HecWN4l38ojnXd44aSktQIND9iCLus3S6++nFnX5DHGZiv6/SnSO/6 ++Op7nV0A6zKVcMOYQ0SGZPD8UQs5wDJgrR9LY29Ox5QBwu/5NqyvNSrMQaTop5vb +wkMInaq5lLxEYQDSLBc= +-----END CERTIFICATE----- +@TEST-END-FILE + +@TEST-START-FILE key.1.pem +-----BEGIN RSA PRIVATE KEY----- +MIIEogIBAAKCAQEAx6G3HAEEKm2QDXTncfOdlv51MxnMKbqzovM24fcgsTMJxTKI +FvQLKihJ3bMqVegIf3CM+OTwIAnRIPtaXNgxu/hNPkJVeAoTcAg7pPhUlgeqajEw +nWXC3iMJQBj6ejsPb+NHVuyBaQ3rRSlxKOpKhM0eT+fENGuiqQrabEjKoZOez8vN +8AfYDwNb6bO+5Dew+QiN6GsvOkwOY+Z3xTE9V/++x7NuHLFugi51vzg+H9USu/VI +D3f5KTykNYzavobEezWU3H6wBdYXH0nMZyms5zu1qKUrdZO+Tai3Z0jdRiHIthqY +l2CrV2fZeUxK79jrnKcP7vmv8IypV464Cy/ZXwIDAQABAoIBAC0Y7jmoTR2clJ9F +modWhnI215kMqd9/atdT5EEVx8/f/MQMj0vII8GJSm6H6/duLIVFksMjTM+gCBtQ +TPCOcmXJSQHYkGBGvm9fnMG+y7T81FWa+SWFeIkgFxXgzqzQLMOU72fGk9F8sHp2 +Szb3/o+TmtZoQB2rdxqC9ibiJsxrG5IBVKkzlSPv3POkPXwSb1HcETqrTwefuioj +WMuMrqtm5Y3HddJ5l4JEF5VA3KrsfXWl3JLHH0UViemVahiNjXQAVTKAXIL1PHAV +J2MCEvlpA7sIgXREbmvPvZUTkt3pIqhVjZVJ7tHiSnSecqNTbuxcocnhKhZrHNtC +v2zYKHkCgYEA6cAIhz0qOGDycZ1lf9RSWw0RO1hO8frATMQNVoFVuJJCVL22u96u +0FvJ0JGyYbjthULnlOKyRe7DUL5HRLVS4D7vvKCrgwDmsJp1VFxMdASUdaBfq6aX +oKLUW4q7kC2lQcmK/PVRYwp2GQSx8bodWe+DtXUY/GcN03znY8mhSB0CgYEA2qJK 
+1GSZsm6kFbDek3BiMMHfO+X819owB2FmXiH+GQckyIZu9xA3HWrkOWTqwglEvzfO +qzFF96E9iEEtseAxhcM8gPvfFuXiUj9t2nH/7SzMnVGikhtYi0p6jrgHmscc4NBx +AOUA15kYEFOGqpZfl2uuKqgHidrHdGkJzzSUBqsCgYAVCjb6TVQejQNlnKBFOExN +a8iwScuZVlO21TLKJYwct/WGgSkQkgO0N37b6jFfQHEIvLPxn9IiH1KvUuFBWvzh +uGiF1wR5HzykitKizEgJbVwbllrmLXGagO2Sa9NkL+efG1AKYt53hrqIl/aYZoM7 +1CZL0AV2uqPw9F4zijOdNQKBgH1WmvWGMsKjQTgaLI9z1ybCjjqlj70jHXOtt+Tx +Md2hRcobn5PN3PrlY68vlpHkhF/nG3jzB3x+GGt7ijm2IE3h7la3jl5vLb8fE9gu +kJykmSz7Nurx+GHqMbaN8/Ycfga4GIB9yGzRHIWHjOVQzb5eAfv8Vk4GeV/YM8Jx +Dwd/AoGAILn8pVC9dIFac2BDOFU5y9ZvMmZAvwRxh9vEWewNvkzg27vdYc+rCHNm +I7H0S/RqfqVeo0ApE5PQ8Sll6RvxN/mbSQo9YeCDGQ1r1rNe4Vs12GAYXAbE4ipf +BTdqMbieumB/zL97iK5baHUFEJ4VRtLQhh/SOXgew/BF8ccpilI= +-----END RSA PRIVATE KEY----- +@TEST-END-FILE + +@TEST-START-FILE send.bro + +redef exit_only_after_terminate = T; + +redef Broker::ssl_cafile = "../ca.pem"; +redef Broker::ssl_keyfile = "../key.1.pem"; +redef Broker::ssl_certificate = "../cert.1.pem"; + +global event_count = 0; + +global ping: event(msg: string, c: count); + +event do_terminate() + { + terminate(); + } + +event bro_init() + { + Broker::subscribe("bro/event/my_topic"); + Broker::peer("127.0.0.1"); + schedule 5secs { do_terminate() }; + } + +event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) + { + print fmt("sender added peer: endpoint=%s msg=%s", endpoint$network$address, msg); + } + +event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) + { + print fmt("sender lost peer: endpoint=%s msg=%s", endpoint$network$address, msg); + terminate(); + } + +event Broker::error(code: Broker::ErrorCode, msg: string) + { + print fmt("sender error: code=%s msg=%s", code, msg); + terminate(); + } + +@TEST-END-FILE + + +@TEST-START-FILE recv.bro + +redef exit_only_after_terminate = T; + +# No cert here. 
+# +# redef Broker::ssl_cafile = "../ca.pem"; +# redef Broker::ssl_keyfile = "../key.2.pem"; +# redef Broker::ssl_certificate = "../cert.2.pem"; + +event do_terminate() + { + terminate(); + } + +event bro_init() + { + Broker::listen("127.0.0.1"); + schedule 10secs { do_terminate() }; + } + +event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) + { + print fmt("receiver added peer: endpoint=%s msg=%s", endpoint$network$address, msg); + } + +event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) + { + print fmt("receiver lost peer: endpoint=%s msg=%s", endpoint$network$address, msg); + } + +@TEST-END-FILE diff --git a/testing/btest/broker/store/clone.bro b/testing/btest/broker/store/clone.bro new file mode 100644 index 0000000000..4f04189fe2 --- /dev/null +++ b/testing/btest/broker/store/clone.bro 
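Review bot: Nothing in ssl_auth_failure.bro states the outcome it checks: the receiver's TLS settings are commented out under `# No cert here.`, and the pass condition lives only in the recv.out and send.out baselines. A header line such as `# @TEST-DOC: A TLS-enabled sender must not be able to peer with a receiver that has no TLS credentials.` would make it plain that a `peer_added` line in either baseline is a regression; the intent is inferred from the file name and setup, so adjust the wording if it differs. key.1.pem is an RSA private key committed in the clear, so a comment above its `@TEST-START-FILE key.1.pem` line, like `# Test-only key generated for this fixture; do not reuse.`, helps when a secret scanner flags it. The commented-out redefs in recv.bro also name key.2.pem and cert.2.pem, which this file does not define.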
@@ -0,0 +1,145 @@ +# @TEST-SERIALIZE: comm +# +# @TEST-EXEC: btest-bg-run clone "bro -B broker -b ../clone-main.bro >clone.out" +# @TEST-EXEC: btest-bg-run master "bro -B broker -b ../master-main.bro >master.out" +# +# @TEST-EXEC: btest-bg-wait 25 +# @TEST-EXEC: btest-diff clone/clone.out +# @TEST-EXEC: btest-diff master/master.out + +@TEST-START-FILE master-main.bro + +redef exit_only_after_terminate = T; +global query_timeout = 1sec; + +global ready: event(); + +global h: opaque of Broker::Store; + +function print_index(k: any) + { + when ( local r = Broker::get(h, k) ) + { + print "master", k, r$status, r$result; + } + timeout query_timeout + { + print "master", fmt("clone ", k); + } + } + +event done() + { + terminate(); + } + +event inserted() + { + Broker::erase(h, "four"); + + print("----"); + print_index("one"); + print_index("two"); + print_index(vector(1,2)); + print_index("three"); + print_index("four"); + print_index("five"); + print_index("six"); + schedule 6secs { done() }; + } + +event bro_init() + { + Broker::auto_publish("bro/events", done); + Broker::subscribe("bro/"); + + h = Broker::create_master("test"); + Broker::put(h, "one", "110"); + Broker::put(h, "two", 223); + Broker::put(h, vector(1,2), 1947/tcp); + + Broker::peer("127.0.0.1"); + } + +event insert_more() + { + Broker::put(h, "three", 3.14); + Broker::put(h, "four", 1.2.3.4); + } + +event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) + { + schedule 4secs { insert_more() }; + } + +@TEST-END-FILE + + +@TEST-START-FILE clone-main.bro + +redef exit_only_after_terminate = T; + +global query_timeout = 1sec; + +global h: opaque of Broker::Store; + + +global inserted: event(); + +function print_index(k: any) + { + when ( local r = Broker::get(h, k) ) + { + print "clone", k, r$status, r$result; + } + timeout query_timeout + { + print "clone", fmt("clone ", k); + } + } + +event done() + { + terminate(); + } + +event lookup(stage: count) + { + print("----"); + print_index("one"); 
+ print_index("two"); + print_index(vector(1,2)); + print_index("three"); + print_index("four"); + print_index("five"); + print_index("six"); + + if ( stage == 1 ) + schedule 4secs { lookup(2) }; + + if ( stage == 2 ) + { + Broker::put(h, "five", "555"); + Broker::put(h, "six", "666"); + schedule 4sec { inserted() }; + schedule 8secs { lookup(3) }; + } + + if ( stage == 3 ) + schedule 4sec { done() }; + } + +event bro_init() + { + Broker::auto_publish("bro/events", inserted); + Broker::subscribe("bro/"); + Broker::listen("127.0.0.1"); + } + +event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) + { + h = Broker::create_clone("test"); + schedule 2secs { lookup(1) }; + } + +@TEST-END-FILE diff --git a/testing/btest/broker/store/local.bro b/testing/btest/broker/store/local.bro new file mode 100644 index 0000000000..b352df93f2 --- /dev/null +++ b/testing/btest/broker/store/local.bro @@ -0,0 +1,43 @@ +# @TEST-EXEC: btest-bg-run master "bro -b %INPUT >out" +# @TEST-EXEC: btest-bg-wait 60 +# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-sort btest-diff master/out + +redef exit_only_after_terminate = T; + +global query_timeout = 1sec; + +global h: opaque of Broker::Store; + +event done() + { + terminate(); + } + +event bro_init() + { + h = Broker::create_master("master"); + Broker::put(h, "one", "110"); + Broker::put(h, "two", 223); + + when ( local res1 = Broker::get(h, "one") ) + { + local s = (res1$result as string); + print "string", s; + } + timeout query_timeout + { + print "timeout"; + } + + when ( local res2 = Broker::get(h, "two") ) + { + local c = (res2$result as count); + print "count", c; + } + timeout query_timeout + { + print "timeout"; + } + + schedule 2secs { done() }; + } diff --git a/testing/btest/broker/store/ops.bro b/testing/btest/broker/store/ops.bro new file mode 100644 index 0000000000..070a0f2ed3 --- /dev/null +++ b/testing/btest/broker/store/ops.bro 
@@ -0,0 +1,145 @@ +# @TEST-EXEC: btest-bg-run master "bro -B broker -b %INPUT >out" +# @TEST-EXEC: btest-bg-wait 60 +# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-sort btest-diff master/out + +redef exit_only_after_terminate = T; + +global query_timeout = 1sec; + +global h: opaque of Broker::Store; + +global step: count = 0; + +function print_index(k: any) + { + when ( local r = Broker::get(h, k) ) + { + step += 1; + print fmt("[%d]", step), k, r$status, r$result; + } + timeout query_timeout + { + step += 1; + print fmt("[%d] ", step, k); + } + } + +function print_exists(k: any) + { + when ( local r = Broker::exists(h, k) ) + { + step += 1; + print fmt("[%d]", step), k, r; + } + timeout query_timeout + { + step += 1; + print fmt("[%d] ", step, k); + } + } + +function print_index_from_value(k: any, i: any) + { + when ( local r = Broker::get_index_from_value(h, k, i) ) + { + step += 1; + print fmt("[%d]", step), k, r$status, r$result; + } + timeout query_timeout + { + step += 1; + print fmt("[%d] ", step, k); + } + } + +function print_keys() + { + when ( local s = Broker::keys(h) ) + { + step += 1; + print "keys", s; + } + timeout query_timeout + { + step += 1; + print fmt("[%d] ", step); + } + } + +event done() + { + terminate(); + } + +event pk2() + { + print_keys(); + } + +event pk1() + { + print_keys(); + Broker::clear(h); + schedule 1sec { pk2() }; + } + +event bro_init() + { + h = Broker::create_master("master"); + Broker::put(h, "one", "110"); + Broker::put(h, "two", 220); + Broker::put(h, "three", 330); + Broker::put(h, "four", set(1, 2,3)); + Broker::put(h, set("x", "y"), vector(1/tcp, 2/tcp, 3/tcp)); + + Broker::put(h, "str", "foo"); + Broker::put(h, "vec", vector(1, 2,3)); + Broker::put(h, "set", set("A", "B")); + Broker::put(h, "table", table(["a"] = 1, ["b"] = 2)); + + print_index("one"); + print_index("two"); + print_index("three"); + print_index("four"); + print_index("five"); + print_index(set("x", "y")); + + when ( step == 6 ) + { + 
Broker::increment(h, "two"); + Broker::increment(h, "two", 9); + Broker::decrement(h, "three"); + Broker::decrement(h, "three", 9); + print_index("two"); + print_index("three"); + print_index("four"); + print_keys(); + Broker::erase(h, "four"); + + Broker::append(h, "str", "bar"); + Broker::insert_into_set(h, "set", "C"); + Broker::insert_into_table(h, "table", "c", 3); + Broker::remove_from(h, "set", 2); + Broker::remove_from(h, "table", "b"); + Broker::push(h, "vec", 4); + Broker::push(h, "vec", 5); + Broker::pop(h, "vec"); + + print_index("str"); + print_index("set"); + print_index("table"); + print_index("vec"); + + print_exists("one"); + print_exists("NOPE"); + + print_index_from_value("vec", 1); + print_index_from_value("set", "A"); + print_index_from_value("table", "a"); + print_index_from_value("table", "X"); + + schedule 1sec { pk1() }; + } + + schedule 4secs { done() }; + } diff --git a/testing/btest/broker/store/record.bro b/testing/btest/broker/store/record.bro new file mode 100644 index 0000000000..ab862012a6 --- /dev/null +++ b/testing/btest/broker/store/record.bro 
@@ -0,0 +1,38 @@ +# @TEST-EXEC: btest-bg-run master "bro -b %INPUT >out" +# @TEST-EXEC: btest-bg-wait 60 +# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-sort btest-diff master/out + +type R: record { + s1: string; + s2: string; + c: count; +}; + +event bro_init() + { + local cr = Broker::record_create(3); + print Broker::record_size(cr); + print Broker::record_assign(cr, 0, "hi"); + print Broker::record_assign(cr, 1, "hello"); + print Broker::record_assign(cr, 2, 37); + print cr, (cr as R); + print ""; + + print Broker::record_lookup(cr, 0); + print Broker::record_lookup(cr, 1); + print Broker::record_lookup(cr, 2); + print Broker::record_size(cr); + print Broker::record_assign(cr, 1, "goodbye"); + print Broker::record_size(cr); + print Broker::record_lookup(cr, 1); + print cr, (cr as R); + print ""; + + local i = Broker::record_iterator(cr); + while ( ! Broker::record_iterator_last(i) ) + { + print fmt("| %s", Broker::record_iterator_value(i)); + Broker::record_iterator_next(i); + } + print ""; + } diff --git a/testing/btest/broker/store/set.bro b/testing/btest/broker/store/set.bro new file mode 100644 index 0000000000..056b46e221 --- /dev/null +++ b/testing/btest/broker/store/set.bro 
@@ -0,0 +1,39 @@ +# @TEST-EXEC: btest-bg-run master "bro -b %INPUT >out" +# @TEST-EXEC: btest-bg-wait 60 +# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-sort btest-diff master/out + + +event bro_init() + { + local cs = Broker::set_create(); + + print Broker::set_size(cs); + print Broker::set_insert(cs, "hi"); + print Broker::set_size(cs); + print Broker::set_contains(cs, "hi"); + print Broker::set_contains(cs, "bye"); + print Broker::set_insert(cs, "bye"); + + print cs, (cs as set[string]); + local i = Broker::set_iterator(cs); + while ( ! Broker::set_iterator_last(i) ) + { + print fmt("| %s", Broker::set_iterator_value(i)); + Broker::set_iterator_next(i); + } + print ""; + + print Broker::set_size(cs); + print Broker::set_insert(cs, "bye"); + print Broker::set_size(cs); + print Broker::set_remove(cs, "hi"); + print Broker::set_size(cs); + print Broker::set_remove(cs, "hi"); + print cs, (cs as set[string]); + print ""; + + print Broker::set_clear(cs); + print Broker::set_size(cs); + print cs, (cs as set[string]); + print ""; + } diff --git a/testing/btest/broker/store/sqlite.bro b/testing/btest/broker/store/sqlite.bro new file mode 100644 index 0000000000..fbce1a693a --- /dev/null +++ b/testing/btest/broker/store/sqlite.bro 
@@ -0,0 +1,59 @@ +# @TEST-EXEC: bro -b %INPUT RUN=1 >out +# @TEST-EXEC: bro -b %INPUT RUN=2 >>out +# @TEST-EXEC: btest-diff out + +global RUN = 0 &redef; + +redef exit_only_after_terminate = T; + +global query_timeout = 1sec; + +global h: opaque of Broker::Store; + +function print_index(k: any) + { + when ( local r = Broker::get(h, k) ) + { + print k, r$status, r$result; + } + timeout query_timeout + { + print fmt("", k); + } + } + +event done() + { + terminate(); + } + +event bro_init() + { + h = Broker::create_master("master", Broker::SQLITE); + + print "Run", RUN; + + if ( RUN == 1 ) + { + print "Inserting"; + Broker::put(h, "one", "110"); + Broker::put(h, "two", 220); + Broker::put(h, "three", 330); + Broker::put(h, "four", set(1, 2,3)); + Broker::put(h, set("x", "y"), vector(1/tcp, 2/tcp, 3/tcp)); + terminate(); + } + + if ( RUN == 2 ) + { + print "Retrieving"; + print_index("one"); + print_index("two"); + print_index("three"); + print_index("four"); + print_index("five"); + print_index(set("x", "y")); + } + + schedule 2secs { done() }; + } diff --git a/testing/btest/broker/store/table.bro b/testing/btest/broker/store/table.bro new file mode 100644 index 0000000000..11bd00028b --- /dev/null +++ b/testing/btest/broker/store/table.bro 
@@ -0,0 +1,42 @@ +# @TEST-EXEC: btest-bg-run master "bro -b %INPUT >out" +# @TEST-EXEC: btest-bg-wait 60 +# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-sort btest-diff master/out + + +event bro_init() + { + local ct = Broker::table_create(); + + print Broker::table_size(ct); + print Broker::table_insert(ct, "hi", 42); + print Broker::table_size(ct); + print Broker::table_contains(ct, "hi"); + print (Broker::table_lookup(ct, "hi") as count); + print Broker::table_contains(ct, "bye"); + print Broker::table_insert(ct, "bye", 7); + print Broker::table_size(ct); + + print ct, (ct as table[string] of count); + local i = Broker::table_iterator(ct); + while ( ! Broker::table_iterator_last(i) ) + { + print fmt("| %s", Broker::table_iterator_value(i)); + Broker::table_iterator_next(i); + } + print ""; + + print Broker::table_insert(ct, "bye", 37); + print ct, (ct as table[string] of count); + print ""; + + print Broker::table_size(ct); + print (Broker::table_lookup(ct, "bye") as count); + print Broker::table_remove(ct, "hi"); + print Broker::table_size(ct); + print Broker::table_remove(ct, "hi"); + print Broker::table_size(ct); + print Broker::table_clear(ct); + print Broker::table_size(ct); + print ct, (ct as table[string] of count); + print ""; + } diff --git a/testing/btest/broker/store/type-conversion.bro b/testing/btest/broker/store/type-conversion.bro new file mode 100644 index 0000000000..916c3f349d --- /dev/null +++ b/testing/btest/broker/store/type-conversion.bro 
@@ -0,0 +1,66 @@ +# @TEST-EXEC: btest-bg-run master "bro -b %INPUT >out" +# @TEST-EXEC: btest-bg-wait 60 +# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-sort btest-diff master/out + +type R1: record { + s: string; +}; + +type R2: record { + c: count; + r1: R1; +}; + +event bro_init() + { + ### Print every broker data type + print Broker::data_type(Broker::data(T)); + print Broker::data_type(Broker::data(+1)); + print Broker::data_type(Broker::data(1)); + print Broker::data_type(Broker::data(1.1)); + print Broker::data_type(Broker::data("1 (how creative)")); + print Broker::data_type(Broker::data(1.1.1.1)); + print Broker::data_type(Broker::data(1.1.1.1/1)); + print Broker::data_type(Broker::data(1/udp)); + print Broker::data_type(Broker::data(double_to_time(1))); + print Broker::data_type(Broker::data(1sec)); + print Broker::data_type(Broker::data(Broker::BOOL)); + print Broker::data_type(Broker::data(set("one", "two", "three"))); + print Broker::data_type(Broker::data(table(["one"] = 1, ["two"] = 2, ["three"] = 3))); + print Broker::data_type(Broker::data(vector("zero", "one", "two"))); + print Broker::data_type(Broker::data(R1($s="abc"))); + print Broker::data_type(Broker::data(R2($c=123, $r1=R1($s="xyz")))); + + print "***************************"; + + ### Convert a Bro value to a broker value, then print the result + + print (Broker::data(T) as bool); + print (Broker::data(F) as bool); + print (Broker::data(+1) as int); + print (Broker::data(+0) as int); + print (Broker::data(-1) as int); + print (Broker::data(1) as count); + print (Broker::data(0) as count); + print (Broker::data(1.1) as double); + print (Broker::data(-11.1) as double); + print (Broker::data("hello") as string); + print (Broker::data(1.2.3.4) as addr); + print (Broker::data(192.168.1.1/16) as subnet); + print (Broker::data(22/tcp) as port); + print (Broker::data(double_to_time(42)) as time); + print (Broker::data(3min) as interval); + print (Broker::data(Broker::BOOL) as Broker::DataType); + 
print (Broker::data(set("one", "two", "three")) as set[string]); + print (Broker::data(table(["one"] = 1, ["two"] = 2, ["three"] = 3)) as table[string] of count); + print (Broker::data(vector("zero", "one", "two")) as vector of string); + print (Broker::data(R1($s="abc")) as R1); + print (Broker::data(R2($c=123, $r1=R1($s="xyz"))) as R2); + + local h1 = sha256_hash_init(); + sha256_hash_update(h1, "abc"); + local h2 = (Broker::data(h1) as opaque of sha256); + local s1 = sha256_hash_finish(h1); + local s2 = sha256_hash_finish(h2); + print "opaque of sha256", s1 == s2; + } diff --git a/testing/btest/broker/store/vector.bro b/testing/btest/broker/store/vector.bro new file mode 100644 index 0000000000..7edc4ba050 --- /dev/null +++ b/testing/btest/broker/store/vector.bro @@ -0,0 +1,42 @@ +# @TEST-EXEC: btest-bg-run master "bro -b %INPUT >out" +# @TEST-EXEC: btest-bg-wait 60 +# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-sort btest-diff master/out + + +event bro_init() + { + local cv = Broker::vector_create(); + print Broker::vector_size(cv); + print Broker::vector_insert(cv, 0, "hi"); + print Broker::vector_insert(cv, 1, "hello"); + print Broker::vector_insert(cv, 2, "greetings"); + print Broker::vector_insert(cv, 1, "salutations"); + print Broker::vector_size(cv); + print cv, (cv as vector of string); + local i = Broker::vector_iterator(cv); + while ( ! Broker::vector_iterator_last(i) ) + { + print fmt("| %s", Broker::vector_iterator_value(i)); + Broker::vector_iterator_next(i); + } + print ""; + + print Broker::vector_replace(cv, 2, "bah"); + print cv, (cv as vector of string); + print ""; + + print Broker::vector_lookup(cv, 2); + print Broker::vector_lookup(cv, 0); + print cv, (cv as vector of string); + print ""; + + print Broker::vector_remove(cv, 2); + print cv, (cv as vector of string); + print ""; + + print Broker::vector_size(cv); + print Broker::vector_clear(cv); + print Broker::vector_size(cv); + print cv, (cv as vector of string); + print ""; + } 
diff --git a/testing/btest/broker/unpeer.bro b/testing/btest/broker/unpeer.bro
new file mode 100644
index 0000000000..541bc824d9
--- /dev/null
+++ b/testing/btest/broker/unpeer.bro
@@ -0,0 +1,76 @@
+# @TEST-SERIALIZE: comm
+#
+# @TEST-EXEC: btest-bg-run recv "bro -b ../recv.bro >recv.out"
+# @TEST-EXEC: btest-bg-run send "bro -b ../send.bro >send.out"
+#
+# @TEST-EXEC: btest-bg-wait 20
+# @TEST-EXEC: btest-diff recv/recv.out
+# @TEST-EXEC: btest-diff send/send.out
+#
+# @TEST-EXEC: cat recv/broker.log | awk '/Broker::STATUS/ { $5="XXX"; print; }' >recv/broker.filtered.log
+# @TEST-EXEC: cat send/broker.log | awk '/Broker::STATUS/ { $5="XXX"; print; }' >send/broker.filtered.log
+# @TEST-EXEC: btest-diff recv/broker.filtered.log
+# @TEST-EXEC: btest-diff send/broker.filtered.log
+
+@TEST-START-FILE send.bro
+
+redef exit_only_after_terminate = T;
+
+event do_terminate()
+ {
+ terminate();
+ }
+
+event print_something(i: int)
+ {
+ print "Something sender", i;
+ }
+
+event unpeer(endpoint: Broker::EndpointInfo)
+ {
+ print "unpeering";
+ Broker::unpeer("127.0.0.1", endpoint$network$bound_port);
+ schedule 2secs { print_something(2) };
+ schedule 4secs { do_terminate() };
+ }
+
+event bro_init()
+ {
+ Broker::subscribe("bro/event/my_topic");
+ Broker::auto_publish("bro/event/my_topic", print_something);
+ Broker::peer("127.0.0.1");
+ }
+
+event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string)
+ {
+ schedule 2secs { print_something(1) };
+ schedule 4secs { unpeer(endpoint) };
+ }
+
+
+@TEST-END-FILE
+
+
+@TEST-START-FILE recv.bro
+
+redef exit_only_after_terminate = T;
+
+event do_terminate()
+ {
+ terminate();
+ }
+
+event print_something(i: int)
+ {
+ print "Something receiver", i;
+ }
+
+event bro_init()
+ {
+ Broker::subscribe("bro/event/my_topic");
+ Broker::listen("127.0.0.1");
+ schedule 10secs { do_terminate() };
+ }
+
+
+@TEST-END-FILE
diff --git a/testing/btest/btest.cfg b/testing/btest/btest.cfg
index cfddb92899..1c93c9cb6b 100644
--- a/testing/btest/btest.cfg +++ b/testing/btest/btest.cfg @@ -1,5 +1,5 @@ [btest] -TestDirs = doc bifs language core scripts istate coverage signatures plugins broker +TestDirs = doc bifs language core scripts coverage signatures plugins broker TmpDir = %(testbase)s/.tmp BaselineDir = %(testbase)s/Baseline IgnoreDirs = .svn CVS .tmp @@ -22,7 +22,10 @@ DIST=%(testbase)s/../.. BUILD=%(testbase)s/../../build TEST_DIFF_CANONIFIER=%(testbase)s/../scripts/diff-canonifier TMPDIR=%(testbase)s/.tmp -BRO_PROFILER_FILE=%(testbase)s/.tmp/script-coverage.XXXXXX +BRO_PROFILER_FILE=%(testbase)s/.tmp/script-coverage/XXXXXX BTEST_RST_FILTER=$SCRIPTS/rst-filter BRO_DNS_FAKE=1 -BROKER_PORT=9999/tcp +BRO_DEFAULT_LISTEN_ADDRESS=127.0.0.1 +BRO_DEFAULT_LISTEN_RETRY=1 +BRO_DEFAULT_CONNECT_RETRY=1 +BRO_DISABLE_BROXYGEN=1 diff --git a/testing/btest/core/cisco-fabric-path.bro b/testing/btest/core/cisco-fabric-path.bro new file mode 100644 index 0000000000..ff7fa298e3 --- /dev/null +++ b/testing/btest/core/cisco-fabric-path.bro @@ -0,0 +1,2 @@ +# @TEST-EXEC: bro -C -r $TRACES/cisco-fabric-path.pcap +# @TEST-EXEC: btest-diff conn.log diff --git a/testing/btest/core/embedded-null.bro b/testing/btest/core/embedded-null.bro new file mode 100644 index 0000000000..95a4c965a9 --- /dev/null +++ b/testing/btest/core/embedded-null.bro @@ -0,0 +1,8 @@ +# @TEST-EXEC: bro -b %INPUT 2>&1 +# @TEST-EXEC: btest-diff .stdout + +event bro_init() + { + local a = "hi\x00there"; + unique_id(a); + } diff --git a/testing/btest/core/erspan.bro b/testing/btest/core/erspan.bro new file mode 100644 index 0000000000..eb05cdcf5a --- /dev/null +++ b/testing/btest/core/erspan.bro @@ -0,0 +1,4 @@ +# @TEST-EXEC: bro -C -b -r $TRACES/erspan.trace %INPUT +# @TEST-EXEC: btest-diff tunnel.log + +@load base/frameworks/tunnels diff --git a/testing/btest/core/event-arg-reuse.bro b/testing/btest/core/event-arg-reuse.bro new file mode 100644 index 0000000000..ba8e0f0677 --- /dev/null +++ b/testing/btest/core/event-arg-reuse.bro 
@@ -0,0 +1,20 @@ +# @TEST-DOC: Check that assignment to event parameters isn't visible to other handlers. +# +# @TEST-EXEC: bro -b %INPUT >output +# @TEST-EXEC: btest-diff output + +event f(a: int) &priority=5 + { + a = 2; + print "f1", a; + } + +event f(a: int) &priority=-5 + { + print "f2", a; + } + +event bro_init() + { + event f(1); + } diff --git a/testing/btest/core/history-flip.bro b/testing/btest/core/history-flip.bro index f34767eee8..e9769d99b5 100644 --- a/testing/btest/core/history-flip.bro +++ b/testing/btest/core/history-flip.bro @@ -1,2 +1,4 @@ # @TEST-EXEC: bro -C -r $TRACES/tcp/missing-syn.pcap %INPUT # @TEST-EXEC: btest-diff conn.log + +@load policy/protocols/conn/mac-logging diff --git a/testing/btest/core/ip-broken-header.bro b/testing/btest/core/ip-broken-header.bro new file mode 100644 index 0000000000..426e7a7bc0 --- /dev/null +++ b/testing/btest/core/ip-broken-header.bro @@ -0,0 +1,7 @@ +# This test has a trace that was generated from fuzzing which used to cause +# OOB reads in Bro. It has a number of packets broken in weird ways. +# +# @TEST-EXEC: gunzip -c $TRACES/trunc/mpls-6in6-broken.pcap.gz | bro -C -b -r - %INPUT +# @TEST-EXEC: btest-diff weird.log + +@load base/frameworks/notice/weird.bro diff --git a/testing/btest/core/leaks/ascii-log-rotation.bro b/testing/btest/core/leaks/ascii-log-rotation.bro deleted file mode 100644 index a84f80ea90..0000000000 --- a/testing/btest/core/leaks/ascii-log-rotation.bro +++ /dev/null 
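Review bot: The comment in `core/ip-broken-header.bro` says the trace used to cause out-of-bounds reads, but the only check is `btest-diff weird.log`, which an out-of-bounds read that does not crash would still pass. The header should say that the test works as a memory-safety regression only when the suite runs against a sanitizer or valgrind build, for example `# NOTE: an OOB read may not crash; run this under an ASan build to catch regressions.` Without that, a passing result on a normal build can be read as more assurance than it gives.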
@@ -1,75 +0,0 @@ -# Needs perftools support. -# -# @TEST-SERIALIZE: comm -# @TEST-GROUP: leaks -# -# @TEST-REQUIRES: bro --help 2>&1 | grep -q mem-leaks -# -# @TEST-EXEC: btest-bg-run receiver HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local bro -b -m ../receiver.bro -# @TEST-EXEC: sleep 1 -# @TEST-EXEC: btest-bg-run sender HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local bro -b -m ../sender.bro -# @TEST-EXEC: sleep 1 -# @TEST-EXEC: btest-bg-wait 60 - -@TEST-START-FILE sender.bro - -@load base/frameworks/communication -@load base/protocols/dns - -redef Communication::nodes += { - ["foo"] = [$host = 127.0.0.1, $connect=T] -}; - -global write_count: count = 0; - -event do_write() - { - print "do_write"; - local cid: conn_id = conn_id($orig_h=1.2.3.4,$orig_p=1/tcp, - $resp_h=5.6.7.8,$resp_p=2/tcp); - local dns_info_dummy = DNS::Info($ts=network_time(), $uid="FAKE", - $id=cid, $proto=tcp); - Log::write(DNS::LOG, dns_info_dummy); - schedule .1sec { do_write() }; - ++write_count; - - if ( write_count == 200 ) - terminate(); - } - -event remote_connection_handshake_done(p: event_peer) - { - print "remote_connection_handshake_done", p; - schedule .1sec { do_write() }; - } - -event remote_connection_closed(p: event_peer) - { - print "remote_connection_closed", p; - } - -@TEST-END-FILE - -@TEST-START-FILE receiver.bro - -@load frameworks/communication/listen -@load base/protocols/dns - -redef Communication::nodes += { - ["foo"] = [$host = 127.0.0.1, $connect=F, $request_logs=T] -}; - -redef Log::default_rotation_interval = 2sec; - -event remote_connection_handshake_done(p: event_peer) - { - print "remote_connection_handshake_done", p; - } - -event remote_connection_closed(p: event_peer) - { - print "remote_connection_closed", p; - terminate(); - } - -@TEST-END-FILE diff --git a/testing/btest/core/leaks/basic-cluster.bro b/testing/btest/core/leaks/basic-cluster.bro index 7c9df36b9a..57552c54af 100644 --- a/testing/btest/core/leaks/basic-cluster.bro 
+++ b/testing/btest/core/leaks/basic-cluster.bro @@ -6,14 +6,13 @@ # @TEST-REQUIRES: bro --help 2>&1 | grep -q mem-leaks # # @TEST-EXEC: btest-bg-run manager-1 HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local BROPATH=$BROPATH:.. CLUSTER_NODE=manager-1 bro -m %INPUT -# @TEST-EXEC: sleep 1 # @TEST-EXEC: btest-bg-run worker-1 HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local BROPATH=$BROPATH:.. CLUSTER_NODE=worker-1 bro -m %INPUT # @TEST-EXEC: btest-bg-run worker-2 HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local BROPATH=$BROPATH:.. CLUSTER_NODE=worker-2 bro -m %INPUT # @TEST-EXEC: btest-bg-wait 60 @TEST-START-FILE cluster-layout.bro redef Cluster::nodes = { - ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=37757/tcp, $workers=set("worker-1", "worker-2")], + ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=37757/tcp], ["worker-1"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37760/tcp, $manager="manager-1", $interface="eth0"], ["worker-2"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37761/tcp, $manager="manager-1", $interface="eth1"], }; @@ -40,13 +39,17 @@ event bro_init() &priority=5 }]); } -event remote_connection_closed(p: event_peer) +event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) { terminate(); } global ready_for_data: event(); -redef Cluster::manager2worker_events += /^ready_for_data$/; + +event bro_init() + { + Broker::auto_publish(Cluster::worker_topic, ready_for_data); + } event ready_for_data() { @@ -75,7 +78,7 @@ event ready_for_data() @if ( Cluster::local_node_type() == Cluster::MANAGER ) global peer_count = 0; -event remote_connection_handshake_done(p: event_peer) &priority=-5 +event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) { ++peer_count; if ( peer_count == 2 ) diff --git a/testing/btest/core/leaks/broker/clone_store.bro b/testing/btest/core/leaks/broker/clone_store.bro index c3b11a7a0d..2cd728c631 100644 --- a/testing/btest/core/leaks/broker/clone_store.bro 
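Review bot: In the last hunk of `basic-cluster.bro` the manager's handler changes from `remote_connection_handshake_done(...) &priority=-5` to `Broker::peer_added(...)` with no priority attribute, so it is no longer ordered after other handlers of the same event. If the count-to-two logic relied on the cluster framework having processed the new peer first, keep the attribute: `event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) &priority=-5`. The handler also counts every peer rather than only workers, which is fine for this three-node layout but worth a one-line comment. The handler body continues past the end of the hunk, so what happens once `peer_count == 2` is not visible here.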
+++ b/testing/btest/core/leaks/broker/clone_store.bro 
@@ -1,113 +1,144 @@ -# @TEST-SERIALIZE: brokercomm -# @TEST-REQUIRES: grep -q ENABLE_BROKER:BOOL=true $BUILD/CMakeCache.txt +# @TEST-SERIALIZE: comm # @TEST-REQUIRES: bro --help 2>&1 | grep -q mem-leaks -# @TEST-GROUP: leak +# @TEST-GROUP: leaks -# @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run clone "bro -m -b ../clone.bro broker_port=$BROKER_PORT >clone.out" -# @TEST-EXEC: btest-bg-run master "bro -b ../master.bro broker_port=$BROKER_PORT >master.out" +# @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run clone "bro -m -b ../clone.bro >clone.out" +# @TEST-EXEC: btest-bg-run master "bro -b ../master.bro >master.out" # @TEST-EXEC: btest-bg-wait 45 # @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-sort btest-diff clone/clone.out -@TEST-START-FILE clone.bro - -const broker_port: port &redef; -redef exit_only_after_terminate = T; - -global h: opaque of Broker::Handle; -global expected_key_count = 4; -global key_count = 0; - -function do_lookup(key: string) - { - when ( local res = Broker::lookup(h, Broker::data(key)) ) - { - ++key_count; - print "lookup", key, res; - - if ( key_count == expected_key_count ) - terminate(); - } - timeout 10sec - { print "timeout"; } - } - -event ready() - { - h = Broker::create_clone("mystore"); - - when ( local res = Broker::keys(h) ) - { - print "clone keys", res; - do_lookup(Broker::refine_to_string(Broker::vector_lookup(res$result, 0))); - do_lookup(Broker::refine_to_string(Broker::vector_lookup(res$result, 1))); - do_lookup(Broker::refine_to_string(Broker::vector_lookup(res$result, 2))); - do_lookup(Broker::refine_to_string(Broker::vector_lookup(res$result, 3))); - } - timeout 10sec - { print "timeout"; } - } - -event bro_init() - { - Broker::enable(); - Broker::subscribe_to_events("bro/event/ready"); - Broker::listen(broker_port, "127.0.0.1"); - } - -@TEST-END-FILE - @TEST-START-FILE master.bro -const broker_port: port &redef; redef exit_only_after_terminate = T; - -global h: opaque of 
Broker::Handle; - -function dv(d: Broker::Data): Broker::DataVector - { - local rval: Broker::DataVector; - rval[0] = d; - return rval; - } +global query_timeout = 1sec; global ready: event(); -event Broker::outgoing_connection_broken(peer_address: string, - peer_port: port) +global h: opaque of Broker::Store; + +function print_index(k: any) + { + when ( local r = Broker::get(h, k) ) + { + print "master", k, r$status, r$result; + } + timeout query_timeout + { + print "master", fmt("clone ", k); + } + } + +event done() { terminate(); } -event Broker::outgoing_connection_established(peer_address: string, - peer_port: port, - peer_name: string) +event inserted() { - local myset: set[string] = {"a", "b", "c"}; - local myvec: vector of string = {"alpha", "beta", "gamma"}; - Broker::insert(h, Broker::data("one"), Broker::data(110)); - Broker::insert(h, Broker::data("two"), Broker::data(223)); - Broker::insert(h, Broker::data("myset"), Broker::data(myset)); - Broker::insert(h, Broker::data("myvec"), Broker::data(myvec)); - Broker::increment(h, Broker::data("one")); - Broker::decrement(h, Broker::data("two")); - Broker::add_to_set(h, Broker::data("myset"), Broker::data("d")); - Broker::remove_from_set(h, Broker::data("myset"), Broker::data("b")); - Broker::push_left(h, Broker::data("myvec"), dv(Broker::data("delta"))); - Broker::push_right(h, Broker::data("myvec"), dv(Broker::data("omega"))); - - when ( local res = Broker::size(h) ) - { event ready(); } - timeout 10sec - { print "timeout"; } + Broker::erase(h, "four"); + + print("----"); + print_index("one"); + print_index("two"); + print_index(vector(1,2)); + print_index("three"); + print_index("four"); + print_index("five"); + print_index("six"); + schedule 2secs { done() }; } event bro_init() { - Broker::enable(); - Broker::auto_event("bro/event/ready", ready); - h = Broker::create_master("mystore"); - Broker::connect("127.0.0.1", broker_port, 1secs); + Broker::auto_publish("bro/events", done); + 
Broker::subscribe("bro/"); + + h = Broker::create_master("test"); + Broker::put(h, "one", "110"); + Broker::put(h, "two", 223); + Broker::put(h, vector(1,2), 1947/tcp); + + Broker::peer("127.0.0.1"); + } + +event insert_more() + { + Broker::put(h, "three", 3.14); + Broker::put(h, "four", 1.2.3.4); + } + +event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) + { + schedule 4secs { insert_more() }; } @TEST-END-FILE + + +@TEST-START-FILE clone.bro + +redef exit_only_after_terminate = T; + +global query_timeout = 1sec; + +global h: opaque of Broker::Store; + + +global inserted: event(); + +function print_index(k: any) + { + when ( local r = Broker::get(h, k) ) + { + print "clone", k, r$status, r$result; + } + timeout query_timeout + { + print "clone", fmt("clone ", k); + } + } + +event lookup(stage: count) + { + print("----"); + print_index("one"); + print_index("two"); + print_index(vector(1,2)); + print_index("three"); + print_index("four"); + print_index("five"); + print_index("six"); + + if ( stage == 1 ) + schedule 4secs { lookup(2) }; + + if ( stage == 2 ) + { + Broker::put(h, "five", "555"); + Broker::put(h, "six", "666"); + event inserted(); + schedule 2secs { lookup(3) }; + } + } + +event done() + { + terminate(); + } + +event bro_init() + { + Broker::auto_publish("bro/events", inserted); + Broker::subscribe("bro/"); + Broker::listen("127.0.0.1"); + } + +event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) + { + h = Broker::create_clone("test"); + schedule 2secs { lookup(1) }; + } + +@TEST-END-FILE + diff --git a/testing/btest/core/leaks/broker/data.bro b/testing/btest/core/leaks/broker/data.bro index d67c879fbf..590d041ff1 100644 --- a/testing/btest/core/leaks/broker/data.bro +++ b/testing/btest/core/leaks/broker/data.bro @@ -1,4 +1,3 @@ -# @TEST-REQUIRES: grep -q ENABLE_BROKER:BOOL=true $BUILD/CMakeCache.txt # @TEST-REQUIRES: bro --help 2>&1 | grep -q mem-leaks # @TEST-GROUP: leaks 
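Review bot: In master.bro's `print_index` the timeout branch prints `"master", fmt("clone ", k)`: the label says clone although this is the master, and as shown on this page `fmt` receives `k` with no format specifier for it (part of the string may have been lost in rendering). Something like `print "master", fmt("master timeout for %s", k);` would make a timed-out query identifiable. Only `clone/clone.out` is diffed, so changing the master's message does not touch the baseline. Separately, `query_timeout = 1sec` is tight for a clone running under the heap checker; a slow run would print the timeout line and fail the diff, whereas `master_store.bro` in this commit uses `45sec`.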
@@ -17,24 +16,24 @@ type bro_record : record { }; function broker_to_bro_record_recurse(it: opaque of Broker::RecordIterator, - rval: bro_record, - idx: count): bro_record + rval: bro_record, + idx: count): bro_record { if ( Broker::record_iterator_last(it) ) return rval; local field_value = Broker::record_iterator_value(it); - if ( field_value?$d ) + if ( field_value?$data ) switch ( idx ) { case 0: - rval$a = Broker::refine_to_string(field_value); + rval$a = field_value as string; break; case 1: - rval$b = Broker::refine_to_string(field_value); + rval$b = field_value as string; break; case 2: - rval$c = Broker::refine_to_count(field_value); + rval$c = field_value as count; break; }; @@ -46,7 +45,7 @@ function broker_to_bro_record_recurse(it: opaque of Broker::RecordIterator, function broker_to_bro_record(d: Broker::Data): bro_record { return broker_to_bro_record_recurse(Broker::record_iterator(d), - bro_record($c = 0), 0); + bro_record($c = 0), 0); } function @@ -56,7 +55,7 @@ broker_to_bro_set_recurse(it: opaque of Broker::SetIterator, if ( Broker::set_iterator_last(it) ) return rval; - add rval[Broker::refine_to_string(Broker::set_iterator_value(it))]; + add rval[Broker::set_iterator_value(it) as string]; Broker::set_iterator_next(it); return broker_to_bro_set_recurse(it, rval); } @@ -75,7 +74,7 @@ broker_to_bro_table_recurse(it: opaque of Broker::TableIterator, return rval; local item = Broker::table_iterator_value(it); - rval[Broker::refine_to_string(item$key)] = Broker::refine_to_count(item$val); + rval[item$key as string] = item$val as count; Broker::table_iterator_next(it); return broker_to_bro_table_recurse(it, rval); } 
@@ -83,16 +82,16 @@ broker_to_bro_table_recurse(it: opaque of Broker::TableIterator, function broker_to_bro_table(d: Broker::Data): bro_table { return broker_to_bro_table_recurse(Broker::table_iterator(d), - bro_table()); + bro_table()); } function broker_to_bro_vector_recurse(it: opaque of Broker::VectorIterator, - rval: bro_vector): bro_vector + rval: bro_vector): bro_vector { if ( Broker::vector_iterator_last(it) ) return rval; - rval[|rval|] = Broker::refine_to_string(Broker::vector_iterator_value(it)); + rval += Broker::vector_iterator_value(it) as string; Broker::vector_iterator_next(it); return broker_to_bro_vector_recurse(it, rval); } @@ -100,19 +99,15 @@ function broker_to_bro_vector_recurse(it: opaque of Broker::VectorIterator, function broker_to_bro_vector(d: Broker::Data): bro_vector { return broker_to_bro_vector_recurse(Broker::vector_iterator(d), - bro_vector()); + bro_vector()); } -event bro_init() -{ -Broker::enable(); -} - global did_it = F; event new_connection(c: connection) { if ( did_it ) return; + did_it = T; ### Print every broker data type 
@@ -141,22 +136,22 @@ print "***************************"; ### Convert a Bro value to a broker value, then print the result -print Broker::refine_to_bool(Broker::data(T)); -print Broker::refine_to_bool(Broker::data(F)); -print Broker::refine_to_int(Broker::data(+1)); -print Broker::refine_to_int(Broker::data(+0)); -print Broker::refine_to_int(Broker::data(-1)); -print Broker::refine_to_count(Broker::data(1)); -print Broker::refine_to_count(Broker::data(0)); -print Broker::refine_to_double(Broker::data(1.1)); -print Broker::refine_to_double(Broker::data(-11.1)); -print Broker::refine_to_string(Broker::data("hello")); -print Broker::refine_to_addr(Broker::data(1.2.3.4)); -print Broker::refine_to_subnet(Broker::data(192.168.1.1/16)); -print Broker::refine_to_port(Broker::data(22/tcp)); -print Broker::refine_to_time(Broker::data(double_to_time(42))); -print Broker::refine_to_interval(Broker::data(3min)); -print Broker::refine_to_enum_name(Broker::data(Broker::BOOL)); +print (Broker::data(T)) as bool; +print (Broker::data(F)) as bool; +print (Broker::data(+1)) as int; +print (Broker::data(+0)) as int; +print (Broker::data(-1)) as int; +print (Broker::data(1)) as count; +print (Broker::data(0)) as count; +print (Broker::data(1.1)) as double; +print (Broker::data(-11.1)) as double; +print (Broker::data("hello")) as string; +print (Broker::data(1.2.3.4)) as addr; +print (Broker::data(192.168.1.1/16)) as subnet; +print (Broker::data(22/tcp)) as port; +print (Broker::data(double_to_time(42))) as time; +print (Broker::data(3min)) as interval; +print (Broker::data(Broker::BOOL)) as Broker::DataType; local cs = Broker::data(s); print broker_to_bro_set(cs); 
@@ -184,17 +179,17 @@ print "***************************"; cs = Broker::set_create(); print Broker::set_size(cs); -print Broker::set_insert(cs, Broker::data("hi")); +print Broker::set_insert(cs, ("hi")); print Broker::set_size(cs); -print Broker::set_contains(cs, Broker::data("hi")); -print Broker::set_contains(cs, Broker::data("bye")); -print Broker::set_insert(cs, Broker::data("bye")); +print Broker::set_contains(cs, ("hi")); +print Broker::set_contains(cs, ("bye")); +print Broker::set_insert(cs, ("bye")); print Broker::set_size(cs); -print Broker::set_insert(cs, Broker::data("bye")); +print Broker::set_insert(cs, ("bye")); print Broker::set_size(cs); -print Broker::set_remove(cs, Broker::data("hi")); +print Broker::set_remove(cs, ("hi")); print Broker::set_size(cs); -print Broker::set_remove(cs, Broker::data("hi")); +print Broker::set_remove(cs, ("hi")); print broker_to_bro_set(cs); print Broker::set_clear(cs); print Broker::set_size(cs); 
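Review bot: The calls rewritten in this hunk keep a pair of parentheses where `Broker::data(...)` used to be, for example `Broker::set_insert(cs, ("hi"))`; the same leftover appears in the table, vector and record hunks that follow. Passing the plain argument reads better and makes it clearer that the wrapper is gone: `print Broker::set_insert(cs, "hi");` and `print Broker::table_insert(ct, "hi", 42);`. This is a style point only and should not change the test output.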
@@ -206,19 +201,19 @@ print "***************************"; ct = Broker::table_create(); print Broker::table_size(ct); -print Broker::table_insert(ct, Broker::data("hi"), Broker::data(42)); +print Broker::table_insert(ct, ("hi"), (42)); print Broker::table_size(ct); -print Broker::table_contains(ct, Broker::data("hi")); -print Broker::refine_to_count(Broker::table_lookup(ct, Broker::data("hi"))); -print Broker::table_contains(ct, Broker::data("bye")); -print Broker::table_insert(ct, Broker::data("bye"), Broker::data(7)); +print Broker::table_contains(ct, ("hi")); +print (Broker::table_lookup(ct, ("hi"))) as count; +print Broker::table_contains(ct, ("bye")); +print Broker::table_insert(ct, ("bye"), (7)); print Broker::table_size(ct); -print Broker::table_insert(ct, Broker::data("bye"), Broker::data(37)); +print Broker::table_insert(ct, ("bye"), (37)); print Broker::table_size(ct); -print Broker::refine_to_count(Broker::table_lookup(ct, Broker::data("bye"))); -print Broker::table_remove(ct, Broker::data("hi")); +print (Broker::table_lookup(ct, ("bye"))) as count; +print Broker::table_remove(ct, ("hi")); print Broker::table_size(ct); -print Broker::table_remove(ct, Broker::data("hi")); +print Broker::table_remove(ct, ("hi")); print Broker::table_size(ct); print Broker::table_clear(ct); print Broker::table_size(ct); 
@@ -230,13 +225,13 @@ print "***************************"; cv = Broker::vector_create(); print Broker::vector_size(cv); -print Broker::vector_insert(cv, Broker::data("hi"), 0); -print Broker::vector_insert(cv, Broker::data("hello"), 1); -print Broker::vector_insert(cv, Broker::data("greetings"), 2); -print Broker::vector_insert(cv, Broker::data("salutations"), 1); +print Broker::vector_insert(cv, 0, ("hi")); +print Broker::vector_insert(cv, 1, ("hello")); +print Broker::vector_insert(cv, 2, ("greetings")); +print Broker::vector_insert(cv, 1, ("salutations")); print broker_to_bro_vector(cv); print Broker::vector_size(cv); -print Broker::vector_replace(cv, Broker::data("bah"), 2); +print Broker::vector_replace(cv, 2, ("bah")); print Broker::vector_lookup(cv, 2); print Broker::vector_lookup(cv, 0); print broker_to_bro_vector(cv); @@ -253,14 +248,14 @@ print "***************************"; cr = Broker::record_create(3); print Broker::record_size(cr); -print Broker::record_assign(cr, Broker::data("hi"), 0); -print Broker::record_assign(cr, Broker::data("hello"), 1); -print Broker::record_assign(cr, Broker::data(37), 2); +print Broker::record_assign(cr, 0, ("hi")); +print Broker::record_assign(cr, 1, ("hello")); +print Broker::record_assign(cr, 2, (37)); print Broker::record_lookup(cr, 0); print Broker::record_lookup(cr, 1); print Broker::record_lookup(cr, 2); print Broker::record_size(cr); -print Broker::record_assign(cr, Broker::data("goodbye"), 1); +print Broker::record_assign(cr, 1, ("goodbye")); print Broker::record_size(cr); print Broker::record_lookup(cr, 1); } diff --git a/testing/btest/core/leaks/broker/master_store.bro b/testing/btest/core/leaks/broker/master_store.bro index 11f32b49ae..583f80413b 100644 --- a/testing/btest/core/leaks/broker/master_store.bro +++ b/testing/btest/core/leaks/broker/master_store.bro 
@@ -1,155 +1,149 @@ -# @TEST-REQUIRES: grep -q ENABLE_BROKER:BOOL=true $BUILD/CMakeCache.txt # @TEST-REQUIRES: bro --help 2>&1 | grep -q mem-leaks # @TEST-GROUP: leaks # @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run bro bro -m -b -r $TRACES/http/get.trace %INPUT # @TEST-EXEC: btest-bg-wait 45 -# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-sort btest-diff bro/.stdout redef exit_only_after_terminate = T; -global h: opaque of Broker::Handle; -global lookup_count = 0; -const lookup_expect_count = 5; -global exists_count = 0; -const exists_expect_count = 4; -global pop_count = 0; -const pop_expect_count = 2; +global query_timeout = 45sec; -global test_size: event(where: string &default = ""); +global h: opaque of Broker::Store; -event test_clear() +global step: count = 0; + +function print_index(k: any) { + when ( local r = Broker::get(h, k) ) + { + step += 1; + print fmt("[%d]", step), k, r$status, r$result; + } + timeout query_timeout + { + step += 1; + print fmt("[%d] ", step, k); + } + } + +function print_exists(k: any) + { + when ( local r = Broker::exists(h, k) ) + { + step += 1; + print fmt("[%d]", step), k, r; + } + timeout query_timeout + { + step += 1; + print fmt("[%d] ", step, k); + } + } + +function print_index_from_value(k: any, i: any) + { + when ( local r = Broker::get_index_from_value(h, k, i) ) + { + step += 1; + print fmt("[%d]", step), k, r$status, r$result; + } + timeout query_timeout + { + step += 1; + print fmt("[%d] ", step, k); + } + } + +function print_keys() + { + when ( local s = Broker::keys(h) ) + { + step += 1; + print "keys", s; + } + timeout query_timeout + { + step += 1; + print fmt("[%d] ", step); + } + } + +event done() + { + terminate(); + } + +event pk2() + { + print_keys(); + } + +event pk1() + { + print_keys(); Broker::clear(h); - event test_size("after clear"); + schedule 1sec { pk2() }; } -event test_size(where: string) - { - when ( local res = Broker::size(h) ) - { - if ( where == "" ) - { - print 
fmt("size: %s", res); - event test_clear(); - } - else - { - print fmt("size (%s): %s", where, res); - terminate(); - } - } - timeout 10sec - { print "timeout"; } - } - -event test_keys() - { - when ( local res = Broker::keys(h) ) - { - print fmt("keys: %s", res); - event test_size(); - } - timeout 10sec - { print "timeout"; } - } - -event test_pop(key: string) - { - when ( local lres = Broker::pop_left(h, Broker::data(key)) ) - { - print fmt("pop_left(%s): %s", key, lres); - ++pop_count; - - if ( pop_count == pop_expect_count ) - event test_keys(); - } - timeout 10sec - { print "timeout"; } - - when ( local rres = Broker::pop_right(h, Broker::data(key)) ) - { - print fmt("pop_right(%s): %s", key, rres); - ++pop_count; - - if ( pop_count == pop_expect_count ) - event test_keys(); - } - timeout 10sec - { print "timeout"; } - } - -function do_exists(key: string) - { - when ( local res = Broker::exists(h, Broker::data(key)) ) - { - print fmt("exists(%s): %s", key, res); - ++exists_count; - - if ( exists_count == exists_expect_count ) - event test_pop("myvec"); - } - timeout 10sec - { print "timeout"; } - } - -event test_erase() - { - Broker::erase(h, Broker::data("two")); - do_exists("one"); - do_exists("two"); - do_exists("myset"); - do_exists("four"); - } - -function do_lookup(key: string) - { - when ( local res = Broker::lookup(h, Broker::data(key)) ) - { - print fmt("lookup(%s): %s", key, res); - ++lookup_count; - - if ( lookup_count == lookup_expect_count ) - event test_erase(); - } - timeout 10sec - { print "timeout"; } - } - -function dv(d: Broker::Data): Broker::DataVector - { - local rval: Broker::DataVector; - rval[0] = d; - return rval; - } - -global did_it = F; - event bro_init() { - Broker::enable(); h = Broker::create_master("master"); + Broker::put(h, "one", "110"); + Broker::put(h, "two", 220); + Broker::put(h, "three", 330); + Broker::put(h, "four", set(1, 2,3)); + Broker::put(h, set("x", "y"), vector(1/tcp, 2/tcp, 3/tcp)); + + Broker::put(h, "str", 
"foo"); + Broker::put(h, "vec", vector(1, 2,3)); + Broker::put(h, "set", set("A", "B")); + Broker::put(h, "table", table(["a"] = 1, ["b"] = 2)); + + print_index("one"); + print_index("two"); + print_index("three"); + print_index("four"); + print_index("five"); + print_index(set("x", "y")); + + when ( step == 6 ) + { + Broker::increment(h, "two"); + Broker::increment(h, "two", 9); + Broker::decrement(h, "three"); + Broker::decrement(h, "three", 9); + print_index("two"); + print_index("three"); + print_index("four"); + print_keys(); + Broker::erase(h, "four"); + + Broker::append(h, "str", "bar"); + Broker::insert_into_set(h, "set", "C"); + Broker::insert_into_table(h, "table", "c", 3); + Broker::remove_from(h, "set", 2); + Broker::remove_from(h, "table", "b"); + Broker::push(h, "vec", 4); + Broker::push(h, "vec", 5); + Broker::pop(h, "vec"); + + print_index("str"); + print_index("set"); + print_index("table"); + print_index("vec"); + + print_exists("one"); + print_exists("NOPE"); + + print_index_from_value("vec", 1); + print_index_from_value("set", "A"); + print_index_from_value("table", "a"); + print_index_from_value("table", "X"); + + schedule 1sec { pk1() }; + } + + schedule 15secs { done() }; } -event new_connection(c: connection) - { - if ( did_it ) return; - did_it = T; - local myset: set[string] = {"a", "b", "c"}; - local myvec: vector of string = {"alpha", "beta", "gamma"}; - Broker::insert(h, Broker::data("one"), Broker::data(110)); - Broker::insert(h, Broker::data("two"), Broker::data(223)); - Broker::insert(h, Broker::data("myset"), Broker::data(myset)); - Broker::insert(h, Broker::data("myvec"), Broker::data(myvec)); - Broker::increment(h, Broker::data("one")); - Broker::decrement(h, Broker::data("two")); - Broker::add_to_set(h, Broker::data("myset"), Broker::data("d")); - Broker::remove_from_set(h, Broker::data("myset"), Broker::data("b")); - Broker::push_left(h, Broker::data("myvec"), dv(Broker::data("delta"))); - Broker::push_right(h, 
Broker::data("myvec"), dv(Broker::data("omega"))); - do_lookup("one"); - do_lookup("two"); - do_lookup("myset"); - do_lookup("four"); - do_lookup("myvec"); - } + diff --git a/testing/btest/core/leaks/broker/remote_event.test b/testing/btest/core/leaks/broker/remote_event.test index 3f63fcba76..b788f3ee79 100644 --- a/testing/btest/core/leaks/broker/remote_event.test +++ b/testing/btest/core/leaks/broker/remote_event.test @@ -1,10 +1,9 @@ -# @TEST-SERIALIZE: brokercomm -# @TEST-REQUIRES: grep -q ENABLE_BROKER:BOOL=true $BUILD/CMakeCache.txt +# @TEST-SERIALIZE: comm # @TEST-REQUIRES: bro --help 2>&1 | grep -q mem-leaks -# @TEST-GROUP: leak +# @TEST-GROUP: leaks -# @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run recv "bro -m -b ../recv.bro broker_port=$BROKER_PORT >recv.out" -# @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run send "bro -m -b ../send.bro broker_port=$BROKER_PORT >send.out" +# @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run recv "bro -m -b ../recv.bro >recv.out" +# @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run send "bro -m -b ../send.bro >send.out" # @TEST-EXEC: btest-bg-wait 45 # @TEST-EXEC: btest-diff recv/recv.out @@ -12,7 +11,6 @@ @TEST-START-FILE recv.bro -const broker_port: port &redef; redef exit_only_after_terminate = T; global event_handler: event(msg: string, c: count); @@ -20,10 +18,9 @@ global auto_event_handler: event(msg: string, c: count); event bro_init() { - Broker::enable(); - Broker::subscribe_to_events("bro/event/"); - Broker::auto_event("bro/event/my_topic", auto_event_handler); - Broker::listen(broker_port, "127.0.0.1"); + Broker::subscribe("bro/event/"); + Broker::auto_publish("bro/event/my_topic", auto_event_handler); + Broker::listen("127.0.0.1"); } global event_count = 0; 
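Review bot: `Broker::remove_from(h, "set", 2)` in the rewritten `bro_init` of `master_store.bro` removes the count `2` from a value stored as `set("A", "B")` and then extended with `"C"`, so it looks like a no-op and the set-removal path is not really exercised. If an existing element was meant, use `Broker::remove_from(h, "set", "B");`. The commit also drops the `btest-diff bro/.stdout` line, so the printed results are no longer compared with a baseline and a slip like this would not show up in the test result.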
@@ -41,15 +38,13 @@ event event_handler(msg: string, n: count) } event auto_event_handler(msg, n); - local args = Broker::event_args(event_handler, "pong", n); - Broker::send_event("bro/event/my_topic", args); + Broker::publish("bro/event/my_topic", event_handler, "pong", n); } @TEST-END-FILE @TEST-START-FILE send.bro -const broker_port: port &redef; redef exit_only_after_terminate = T; global event_handler: event(msg: string, c: count); @@ -57,25 +52,20 @@ global auto_event_handler: event(msg: string, c: count); event bro_init() { - Broker::enable(); - Broker::subscribe_to_events("bro/event/my_topic"); - Broker::connect("127.0.0.1", broker_port, 1secs); + Broker::subscribe("bro/event/my_topic"); + Broker::peer("127.0.0.1", Broker::default_port, 1secs); } global event_count = 0; -event Broker::outgoing_connection_established(peer_address: string, - peer_port: port, - peer_name: string) +event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) { - print "Broker::outgoing_connection_established", peer_address, peer_port; - local args = Broker::event_args(event_handler, "ping", event_count); - Broker::send_event("bro/event/hi", args); + print "Broker peer added", endpoint$network; + Broker::publish("bro/event/hi", event_handler, "ping", event_count); ++event_count; } -event Broker::outgoing_connection_broken(peer_address: string, - peer_port: port) +event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) { terminate(); } @@ -83,8 +73,7 @@ event Broker::outgoing_connection_broken(peer_address: string, event event_handler(msg: string, n: count) { print "got event msg", msg, n; - local args = Broker::event_args(event_handler, "ping", event_count); - Broker::send_event("bro/event/hi", args); + Broker::publish("bro/event/hi", event_handler, "ping", event_count); ++event_count; } diff --git a/testing/btest/core/leaks/broker/remote_log.test b/testing/btest/core/leaks/broker/remote_log.test index baeab906f1..a2b1d8793e 100644 
--- a/testing/btest/core/leaks/broker/remote_log.test +++ b/testing/btest/core/leaks/broker/remote_log.test @@ -1,10 +1,9 @@ -# @TEST-SERIALIZE: brokercomm -# @TEST-REQUIRES: grep -q ENABLE_BROKER:BOOL=true $BUILD/CMakeCache.txt +# @TEST-SERIALIZE: comm # @TEST-REQUIRES: bro --help 2>&1 | grep -q mem-leaks -# @TEST-GROUP: leak +# @TEST-GROUP: leaks -# @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run recv "bro -m -b ../common.bro ../recv.bro broker_port=$BROKER_PORT >recv.out" -# @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run send "bro -m -b ../common.bro ../send.bro broker_port=$BROKER_PORT >send.out" +# @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run recv "bro -m -b ../recv.bro >recv.out" +# @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run send "bro -m -b ../send.bro >send.out" # @TEST-EXEC: btest-bg-wait 45 # @TEST-EXEC: btest-diff recv/recv.out @@ -14,6 +13,8 @@ @TEST-START-FILE common.bro +redef exit_only_after_terminate = T; + module Test; export { 
@@ -21,50 +22,47 @@ export { type Info: record { msg: string &log; + nolog: string &default="no"; num: count &log; }; - - global log_test: event(rec: Test::Info); } event bro_init() &priority=5 { - Broker::enable(); - Log::create_stream(Test::LOG, [$columns=Test::Info, $ev=log_test]); + Log::create_stream(Test::LOG, [$columns=Test::Info]); + } + +event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) + { + terminate(); } @TEST-END-FILE @TEST-START-FILE recv.bro -const broker_port: port &redef; -redef exit_only_after_terminate = T; +@load ./common.bro event bro_init() { - Broker::subscribe_to_logs("bro/log/"); - Broker::listen(broker_port, "127.0.0.1"); + Broker::subscribe("bro/"); + Broker::listen("127.0.0.1"); } -event Test::log_test(rec: Test::Info) +event Broker::peer_removed(endpoint: Broker::EndpointInfo, msg: string) { - print "wrote log", rec; - - if ( rec$num == 5 ) - terminate(); + terminate(); } @TEST-END-FILE @TEST-START-FILE send.bro -const broker_port: port &redef; -redef exit_only_after_terminate = T; +@load ./common.bro event bro_init() { - Broker::enable_remote_logs(Test::LOG); - Broker::connect("127.0.0.1", broker_port, 1secs); + Broker::peer("127.0.0.1"); } global n = 0; @@ -72,27 +70,19 @@ global n = 0; event do_write() { if ( n == 6 ) - return; + terminate(); else { Log::write(Test::LOG, [$msg = "ping", $num = n]); ++n; - event do_write(); + schedule 0.1secs { do_write() }; } } -event Broker::outgoing_connection_established(peer_address: string, - peer_port: port, - peer_name: string) +event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) { - print "Broker::outgoing_connection_established", peer_address, peer_port; + print "Broker peer added", endpoint$network; event do_write(); } -event Broker::outgoing_connection_broken(peer_address: string, - peer_port: port) - { - terminate(); - } - @TEST-END-FILE 
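Review bot: In the `@@ -21,50 +22,47 @@` hunk of remote_log.test, recv.bro loses the only code that observed incoming records (the `Test::log_test` handler with its `rec$num == 5` check), so the receiving side no longer confirms that any of the six writes arrived before it terminates on `Broker::peer_lost` or `Broker::peer_removed`. The unchanged `btest-diff recv/recv.out` line still runs, but with no `print` left in recv.bro that baseline can presumably only be empty. Consider diffing the received log as well, along the lines of `# @TEST-EXEC: btest-diff recv/test.log` (path assumed from the stream name, please confirm). The subscription also widens from `bro/log/` to `bro/`; a one-line comment saying why the broader prefix is needed would help, since a receiver normally subscribes to the narrowest topic it needs.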
diff --git a/testing/btest/core/leaks/broker/remote_print.test b/testing/btest/core/leaks/broker/remote_print.test
deleted file mode 100644
index 26e6317034..0000000000
--- a/testing/btest/core/leaks/broker/remote_print.test
+++ /dev/null
@@ -1,85 +0,0 @@ -# @TEST-SERIALIZE: brokercomm -# @TEST-REQUIRES: grep -q ENABLE_BROKER:BOOL=true $BUILD/CMakeCache.txt -# @TEST-REQUIRES: bro --help 2>&1 | grep -q mem-leaks -# @TEST-GROUP: leak - -# @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run recv "bro -m -b ../recv.bro broker_port=$BROKER_PORT >recv.out" -# @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run send "bro -m -b ../send.bro broker_port=$BROKER_PORT >send.out" - -# @TEST-EXEC: btest-bg-wait 45 -# @TEST-EXEC: btest-diff recv/recv.out -# @TEST-EXEC: btest-diff send/send.out - -@TEST-START-FILE recv.bro - -const broker_port: port &redef; -redef exit_only_after_terminate = T; - -event bro_init() - { - Broker::enable(); - Broker::subscribe_to_prints("bro/print/"); - Broker::listen(broker_port, "127.0.0.1"); - } - -global messages_to_recv = 6; -global messages_sent = 0; -global messages_recv = 0; - -event Broker::print_handler(msg: string) - { - ++messages_recv; - print "got print msg", msg; - - if ( messages_to_recv == messages_recv ) - { - terminate(); - return; - } - - Broker::send_print("bro/print/my_topic", fmt("pong %d", messages_sent)); - ++messages_sent; - } - -@TEST-END-FILE - -@TEST-START-FILE send.bro - -const broker_port: port &redef; -redef exit_only_after_terminate = T; - -event bro_init() - { - Broker::enable(); - Broker::subscribe_to_prints("bro/print/my_topic"); - Broker::connect("127.0.0.1", broker_port, 1secs); - } - -global messages_sent = 0; -global messages_recv = 0; -global peer_disconnected = F; - -event Broker::outgoing_connection_established(peer_address: string, - peer_port: port, - peer_name: string) - { - print "Broker::outgoing_connection_established", peer_address, peer_port; - Broker::send_print("bro/print/hi", fmt("ping %d", messages_sent)); - ++messages_sent; - } - -event Broker::outgoing_connection_broken(peer_address: string, - peer_port: port) - { - terminate(); - } - -event Broker::print_handler(msg: string) - { - 
++messages_recv; - print "got print msg", msg; - Broker::send_print("bro/print/hi", fmt("ping %d", messages_sent)); - ++messages_sent; - } - -@TEST-END-FILE diff --git a/testing/btest/core/leaks/dns-txt.bro b/testing/btest/core/leaks/dns-txt.bro index e47e19f9c9..c04e5df6ea 100644 --- a/testing/btest/core/leaks/dns-txt.bro +++ b/testing/btest/core/leaks/dns-txt.bro @@ -7,7 +7,6 @@ # @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run bro bro -b -m -r $TRACES/wikipedia.trace %INPUT # @TEST-EXEC: btest-bg-wait 60 -@load base/frameworks/communication # keep network time running redef exit_only_after_terminate = T; global n1 = 0; diff --git a/testing/btest/core/leaks/dns.bro b/testing/btest/core/leaks/dns.bro index 570c66cf56..f16a4ca3bb 100644 --- a/testing/btest/core/leaks/dns.bro +++ b/testing/btest/core/leaks/dns.bro @@ -7,7 +7,6 @@ # @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run bro bro -b -m -r $TRACES/wikipedia.trace %INPUT # @TEST-EXEC: btest-bg-wait 60 -@load base/frameworks/communication # keep network time running redef exit_only_after_terminate = T; const foo: set[addr] = { diff --git a/testing/btest/core/leaks/dtls.bro b/testing/btest/core/leaks/dtls.bro index 57b5479fac..e7f75a530e 100644 --- a/testing/btest/core/leaks/dtls.bro +++ b/testing/btest/core/leaks/dtls.bro @@ -4,7 +4,7 @@ # # @TEST-REQUIRES: bro --help 2>&1 | grep -q mem-leaks # -# @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run bro bro -b -m -r $TRACES/tls/dtls-openssl.pcap %INPUT +# @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run bro bro -b -m -r $TRACES/tls/dtls1_0.pcap %INPUT # @TEST-EXEC: btest-bg-wait 60 @load base/protocols/ssl diff --git a/testing/btest/core/leaks/exec.test b/testing/btest/core/leaks/exec.test index 8ae054cf63..4cc8240012 100644 --- a/testing/btest/core/leaks/exec.test +++ b/testing/btest/core/leaks/exec.test 
@@ -10,7 +10,6 @@ @TEST-START-FILE exectest.bro @load base/utils/exec -@load base/frameworks/communication # let network-time run. otherwise there are no heartbeats... redef exit_only_after_terminate = T; global c: count = 0; diff --git a/testing/btest/core/leaks/hll_cluster.bro b/testing/btest/core/leaks/hll_cluster.bro index 3ba46005e1..8b96c991b3 100644 --- a/testing/btest/core/leaks/hll_cluster.bro +++ b/testing/btest/core/leaks/hll_cluster.bro @@ -5,11 +5,10 @@ # # @TEST-REQUIRES: bro --help 2>&1 | grep -q mem-leaks # -# @TEST-EXEC: bro %INPUT>out -# @TEST-EXEC: btest-bg-run manager-1 HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local BROPATH=$BROPATH:.. CLUSTER_NODE=manager-1 bro %INPUT -# @TEST-EXEC: sleep 2 -# @TEST-EXEC: btest-bg-run worker-1 HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local BROPATH=$BROPATH:.. CLUSTER_NODE=worker-1 bro runnumber=1 %INPUT -# @TEST-EXEC: btest-bg-run worker-2 HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local BROPATH=$BROPATH:.. CLUSTER_NODE=worker-2 bro runnumber=2 %INPUT +# @TEST-EXEC: bro -m %INPUT>out +# @TEST-EXEC: btest-bg-run manager-1 HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local BROPATH=$BROPATH:.. CLUSTER_NODE=manager-1 bro -m %INPUT +# @TEST-EXEC: btest-bg-run worker-1 HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local BROPATH=$BROPATH:.. CLUSTER_NODE=worker-1 bro -m runnumber=1 %INPUT +# @TEST-EXEC: btest-bg-run worker-2 HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local BROPATH=$BROPATH:.. CLUSTER_NODE=worker-2 bro -m runnumber=2 %INPUT # @TEST-EXEC: btest-bg-wait 60 # # @TEST-EXEC: btest-diff manager-1/.stdout 
@@ -18,7 +17,7 @@ @TEST-START-FILE cluster-layout.bro redef Cluster::nodes = { - ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=37757/tcp, $workers=set("worker-1", "worker-2")], + ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=37757/tcp], ["worker-1"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37760/tcp, $manager="manager-1"], ["worker-2"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37761/tcp, $manager="manager-1"], }; @@ -28,13 +27,16 @@ redef Log::default_rotation_interval = 0secs; global hll_data: event(data: opaque of cardinality); -redef Cluster::worker2manager_events += /hll_data/; - @if ( Cluster::local_node_type() == Cluster::WORKER ) +event bro_init() + { + Broker::auto_publish(Cluster::manager_topic, hll_data); + } + global runnumber: count &redef; # differentiate runs -event remote_connection_handshake_done(p: event_peer) +event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) { local c = hll_cardinality_init(0.01, 0.95); diff --git a/testing/btest/core/leaks/input-raw.bro b/testing/btest/core/leaks/input-raw.bro index cec50682fb..1a7315bc2a 100644 --- a/testing/btest/core/leaks/input-raw.bro +++ b/testing/btest/core/leaks/input-raw.bro @@ -6,9 +6,9 @@ # # @TEST-EXEC: cp input1.log input.log # @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run bro bro -m -b %INPUT -# @TEST-EXEC: sleep 5 +# @TEST-EXEC: $SCRIPTS/wait-for-file bro/got2 8 || (btest-bg-wait -k 1 && false) # @TEST-EXEC: cat input2.log >> input.log -# @TEST-EXEC: sleep 5 +# @TEST-EXEC: $SCRIPTS/wait-for-file bro/got6 8 || (btest-bg-wait -k 1 && false) # @TEST-EXEC: cat input3.log >> input.log # @TEST-EXEC: btest-bg-wait 60 @@ -31,7 +31,6 @@ sdf 3rw43wRRERLlL#RWERERERE. @TEST-END-FILE -@load base/frameworks/communication # let network-time run module A; 
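Review bot: The first wait in input-raw.bro's `@@ -6,9 +6,9 @@` hunk, `$SCRIPTS/wait-for-file bro/got2 8`, gives bro what looks like only 8 seconds to start under the heap checker (`-m`) and read two lines, while input-reread.bro in this same commit allows 60 for its first marker. wait-for-file itself is not visible here, so the unit is assumed to be seconds; if so, a slow CI host would fail this test on timing rather than on a leak. Using the same first-wait budget as input-reread.bro, `# @TEST-EXEC: $SCRIPTS/wait-for-file bro/got2 60 || (btest-bg-wait -k 1 && false)`, keeps the two tests consistent.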
@@ -49,7 +48,12 @@ event line(description: Input::EventDescription, tpe: Input::Event, s: string) print outfile, s; try = try + 1; - if ( try == 16 ) + + if ( try == 2 ) + system("touch got2"); + else if ( try == 6 ) + system("touch got6"); + else if ( try == 16 ) { print outfile, "done"; close(outfile); diff --git a/testing/btest/core/leaks/input-reread.bro b/testing/btest/core/leaks/input-reread.bro index f71873c776..8b6295c15d 100644 --- a/testing/btest/core/leaks/input-reread.bro +++ b/testing/btest/core/leaks/input-reread.bro @@ -6,15 +6,15 @@ # # @TEST-EXEC: cp input1.log input.log # @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run bro bro -m -b %INPUT -# @TEST-EXEC: sleep 10 +# @TEST-EXEC: $SCRIPTS/wait-for-file bro/got2 60 || (btest-bg-wait -k 1 && false) # @TEST-EXEC: cp input2.log input.log -# @TEST-EXEC: sleep 10 +# @TEST-EXEC: $SCRIPTS/wait-for-file bro/got4 10 || (btest-bg-wait -k 1 && false) # @TEST-EXEC: cp input3.log input.log -# @TEST-EXEC: sleep 10 +# @TEST-EXEC: $SCRIPTS/wait-for-file bro/got6 10 || (btest-bg-wait -k 1 && false) # @TEST-EXEC: cp input4.log input.log -# @TEST-EXEC: sleep 10 +# @TEST-EXEC: $SCRIPTS/wait-for-file bro/got8 10 || (btest-bg-wait -k 1 && false) # @TEST-EXEC: cp input5.log input.log -# @TEST-EXEC: btest-bg-wait 60 +# @TEST-EXEC: btest-bg-wait 120 @TEST-START-FILE input1.log #separator \x09 @@ -61,7 +61,6 @@ F -48 SSH::LOG 21 123 10.0.0.0/24 1.2.3.4 3.14 1315801931.273616 100.000000 hurz @TEST-END-FILE @load base/protocols/ssh -@load base/frameworks/communication # let network-time run redef exit_only_after_terminate = T; redef InputAscii::empty_field = "EMPTY"; 
@@ -146,7 +145,16 @@ event Input::end_of_data(name: string, source: string) } try = try + 1; - if ( try == 10 ) + + if ( try == 2 ) + system("touch got2"); + else if ( try == 4 ) + system("touch got4"); + else if ( try == 6 ) + system("touch got6"); + else if ( try == 8 ) + system("touch got8"); + else if ( try == 10 ) { print outfile, "done"; close(outfile); diff --git a/testing/btest/core/leaks/pattern.bro b/testing/btest/core/leaks/pattern.bro new file mode 100644 index 0000000000..f48a8f28bd --- /dev/null +++ b/testing/btest/core/leaks/pattern.bro 
@@ -0,0 +1,67 @@ +# @TEST-GROUP: leaks +# @TEST-REQUIRES: bro --help 2>&1 | grep -q mem-leaks + +# @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run bro bro -m -b -r $TRACES/http/get.trace %INPUT +# @TEST-EXEC: btest-bg-wait 60 + +function test_case(msg: string, expect: bool) + { + print fmt("%s (%s)", msg, expect ? "PASS" : "FAIL"); + } + +event new_connection(c: connection) + { + print "new connection"; + + local p1: pattern = /foo|bar/; + local p2: pattern = /oob/; + local p3: pattern = /^oob/; + local p4 = /foo/; + + # Type inference tests + + test_case( "type inference", type_name(p4) == "pattern" ); + + # Operator tests + + test_case( "equality operator", "foo" == p1 ); + test_case( "equality operator (order of operands)", p1 == "foo" ); + test_case( "inequality operator", "foobar" != p1 ); + test_case( "inequality operator (order of operands)", p1 != "foobar" ); + test_case( "in operator", p1 in "foobar" ); + test_case( "in operator", p2 in "foobar" ); + test_case( "!in operator", p3 !in "foobar" ); + test_case( "& operator", p1 & p2 in "baroob" ); + test_case( "& operator", p2 & p1 in "baroob" ); + test_case( "| operator", p1 | p2 in "lazybarlazy" ); + test_case( "| operator", p3 | p4 in "xoob" ); + + test_case( "/i pattern modifier", /fOO/i in "xFoObar" ); + test_case( "/i pattern modifier", /fOO/i == "Foo" ); + + test_case( "/i double-quote escape", /"fOO"/i in "xFoObar" ); + test_case( "/i double-quote escape", /"fOO"/i in "xfOObar" ); + + test_case( "case-sensitive pattern", /fOO/ in "xFoObar" ); + test_case( "case-sensitive pattern", /fOO/ == "Foo" ); + test_case( "case-sensitive pattern", /fOO/ == "fOO" ); + + test_case( "/i pattern disjunction", /bar/i | /bez/ == "bez" ); + test_case( "/i pattern disjunction", /bar/i | /bez/ == "bEz" ); + test_case( "/i pattern disjunction", /bar/i | /bez/ == "bar" ); + test_case( "/i pattern disjunction", /bar/i | /bez/ == "bAr" ); + + test_case( "/i pattern concatenation", /bar/i & /bez/ == 
"barbez" ); + test_case( "/i pattern concatenation", /bar/i & /bez/ == "barbEz" ); + test_case( "/i pattern concatenation", /BAR/i & /bez/ == "barbEz" ); + test_case( "/i pattern concatenation", /bar/i & /bez/ == "bArbez" ); + test_case( "/i pattern concatenation", /BAR/i & /bez/ == "bArbez" ); + test_case( "/i pattern concatenation", /bar/i & /bez/ == "bArbEz" ); + + test_case( "/i pattern character class", /ba[0a-c99S-Z0]/i & /bEz/ == "bArbEz" ); + test_case( "/i pattern character class", /ba[0a-c99M-S0]/i & /bEz/ == "bArbEz" ); + + test_case( "(?i:...) pattern construct", /foo|(?i:bar)/ in "xBAry" ); + test_case( "(?i:...) pattern construct", /foo|(?i:bar)/ in "xFOoy" ); + test_case( "(?i:...) pattern construct", /foo|(?i:bar)/ | /foo/i in "xFOoy" ); + } diff --git a/testing/btest/core/leaks/remote.bro b/testing/btest/core/leaks/remote.bro deleted file mode 100644 index f9d412b8e9..0000000000 --- a/testing/btest/core/leaks/remote.bro +++ /dev/null 
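Review bot: pattern.bro has no header comment saying that its PASS/FAIL output is never checked: the file's only `@TEST-EXEC` lines are `btest-bg-run` and `btest-bg-wait`, so nothing diffs what `test_case` prints. Several cases look false by construction (for example `/fOO/ in "xFoObar"` and `/fOO/ == "Foo"` under "case-sensitive pattern"), so a reader who runs the test sees FAIL lines with no indication that they are expected. A comment at the top such as `# Exercises pattern operations under the leak checker only; output is not diffed and some cases print FAIL by design.` would make that clear. The same applies to set.bro later in this commit, e.g. `test_case( "intersection", a_and_b == a_plus_b )`.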
@@ -1,97 +0,0 @@ -# Needs perftools support. -# -# @TEST-SERIALIZE: comm -# @TEST-GROUP: leaks -# -# @TEST-REQUIRES: bro --help 2>&1 | grep -q mem-leaks -# -# @TEST-EXEC: btest-bg-run sender HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local bro -b -m --pseudo-realtime %INPUT ../sender.bro -# @TEST-EXEC: sleep 1 -# @TEST-EXEC: btest-bg-run receiver HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local bro -b -m --pseudo-realtime %INPUT ../receiver.bro -# @TEST-EXEC: sleep 1 -# @TEST-EXEC: btest-bg-wait 60 -# @TEST-EXEC: btest-diff sender/test.log -# @TEST-EXEC: btest-diff sender/test.failure.log -# @TEST-EXEC: btest-diff sender/test.success.log -# @TEST-EXEC: ( cd sender && for i in *.log; do cat $i | $SCRIPTS/diff-remove-timestamps >c.$i; done ) -# @TEST-EXEC: ( cd receiver && for i in *.log; do cat $i | $SCRIPTS/diff-remove-timestamps >c.$i; done ) -# @TEST-EXEC: cmp receiver/c.test.log sender/c.test.log -# @TEST-EXEC: cmp receiver/c.test.failure.log sender/c.test.failure.log -# @TEST-EXEC: cmp receiver/c.test.success.log sender/c.test.success.log - -# This is the common part loaded by both sender and receiver. -module Test; - -export { - # Create a new ID for our log stream - redef enum Log::ID += { LOG }; - - # Define a record with all the columns the log file can have. - # (I'm using a subset of fields from ssh-ext for demonstration.) - type Log: record { - t: time; - id: conn_id; # Will be rolled out into individual columns. 
- status: string &optional; - country: string &default="unknown"; - } &log; -} - -event bro_init() -{ - Log::create_stream(Test::LOG, [$columns=Log]); - Log::add_filter(Test::LOG, [$name="f1", $path="test.success", $pred=function(rec: Log): bool { return rec$status == "success"; }]); -} - -##### - -@TEST-START-FILE sender.bro - -@load frameworks/communication/listen - -module Test; - -function fail(rec: Log): bool - { - return rec$status != "success"; - } - -event remote_connection_handshake_done(p: event_peer) - { - Log::add_filter(Test::LOG, [$name="f2", $path="test.failure", $pred=fail]); - - local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp]; - - local r: Log = [$t=network_time(), $id=cid, $status="success"]; - - # Log something. - Log::write(Test::LOG, r); - Log::write(Test::LOG, [$t=network_time(), $id=cid, $status="failure", $country="US"]); - Log::write(Test::LOG, [$t=network_time(), $id=cid, $status="failure", $country="UK"]); - Log::write(Test::LOG, [$t=network_time(), $id=cid, $status="success", $country="BR"]); - Log::write(Test::LOG, [$t=network_time(), $id=cid, $status="failure", $country="MX"]); - disconnect(p); - } - -event remote_connection_closed(p: event_peer) - { - terminate(); - } - -@TEST-END-FILE - -@TEST-START-FILE receiver.bro - -##### - -@load base/frameworks/communication - -redef Communication::nodes += { - ["foo"] = [$host = 127.0.0.1, $connect=T, $request_logs=T] -}; - -event remote_connection_closed(p: event_peer) - { - terminate(); - } - -@TEST-END-FILE diff --git a/testing/btest/core/leaks/set.bro b/testing/btest/core/leaks/set.bro new file mode 100644 index 0000000000..b3f2200d28 --- /dev/null +++ b/testing/btest/core/leaks/set.bro 
@@ -0,0 +1,194 @@ +# @TEST-GROUP: leaks +# @TEST-REQUIRES: bro --help 2>&1 | grep -q mem-leaks + +# @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run bro bro -m -b -r $TRACES/http/get.trace %INPUT +# @TEST-EXEC: btest-bg-wait 60 + +function test_case(msg: string, expect: bool) + { + print fmt("%s (%s)", msg, expect ? "PASS" : "FAIL"); + } + +# Note: only global sets can be initialized with curly braces +global sg1: set[string] = { "curly", "braces" }; +global sg2: set[port, string, bool] = { [10/udp, "curly", F], + [11/udp, "braces", T] }; +global sg3 = { "more", "curly", "braces" }; + +global did_once = F; + +event new_connection(cc: connection) + { + if ( did_once ) + return; + + did_once = T; + + local s1: set[string] = set( "test", "example" ); + local s2: set[string] = set(); + local s3: set[string]; + local s4 = set( "type inference" ); + local s5: set[port, string, bool] = set( [1/tcp, "test", T], + [2/tcp, "example", F] ); + local s6: set[port, string, bool] = set(); + local s7: set[port, string, bool]; + local s8 = set( [8/tcp, "type inference", T] ); + + # Type inference tests + + test_case( "type inference", type_name(s4) == "set[string]" ); + test_case( "type inference", type_name(s8) == "set[port,string,bool]" ); + test_case( "type inference", type_name(sg3) == "set[string]" ); + + # Test the size of each set + + test_case( "cardinality", |s1| == 2 ); + test_case( "cardinality", |s2| == 0 ); + test_case( "cardinality", |s3| == 0 ); + test_case( "cardinality", |s4| == 1 ); + test_case( "cardinality", |s5| == 2 ); + test_case( "cardinality", |s6| == 0 ); + test_case( "cardinality", |s7| == 0 ); + test_case( "cardinality", |s8| == 1 ); + test_case( "cardinality", |sg1| == 2 ); + test_case( "cardinality", |sg2| == 2 ); + test_case( "cardinality", |sg3| == 3 ); + + # Test iterating over each set + + local ct: count; + ct = 0; + for ( c in s1 ) + { + if ( type_name(c) != "string" ) + print "Error: wrong set element type"; + ++ct; + } + 
test_case( "iterate over set", ct == 2 ); + + ct = 0; + for ( c in s2 ) + { + ++ct; + } + test_case( "iterate over set", ct == 0 ); + + ct = 0; + for ( [c1,c2,c3] in s5 ) + { + ++ct; + } + test_case( "iterate over set", ct == 2 ); + + ct = 0; + for ( [c1,c2,c3] in sg2 ) + { + ++ct; + } + test_case( "iterate over set", ct == 2 ); + + # Test adding elements to each set (Note: cannot add elements to sets + # of multiple types) + + add s1["added"]; + add s1["added"]; # element already exists (nothing happens) + test_case( "add element", |s1| == 3 ); + test_case( "in operator", "added" in s1 ); + + add s2["another"]; + test_case( "add element", |s2| == 1 ); + add s2["test"]; + test_case( "add element", |s2| == 2 ); + test_case( "in operator", "another" in s2 ); + test_case( "in operator", "test" in s2 ); + + add s3["foo"]; + test_case( "add element", |s3| == 1 ); + test_case( "in operator", "foo" in s3 ); + + add s4["local"]; + test_case( "add element", |s4| == 2 ); + test_case( "in operator", "local" in s4 ); + + add sg1["global"]; + test_case( "add element", |sg1| == 3 ); + test_case( "in operator", "global" in sg1 ); + + add sg3["more global"]; + test_case( "add element", |sg3| == 4 ); + test_case( "in operator", "more global" in sg3 ); + + # Test removing elements from each set (Note: cannot remove elements + # from sets of multiple types) + + delete s1["test"]; + delete s1["foobar"]; # element does not exist (nothing happens) + test_case( "remove element", |s1| == 2 ); + test_case( "!in operator", "test" !in s1 ); + + delete s2["test"]; + test_case( "remove element", |s2| == 1 ); + test_case( "!in operator", "test" !in s2 ); + + delete s3["foo"]; + test_case( "remove element", |s3| == 0 ); + test_case( "!in operator", "foo" !in s3 ); + + delete s4["type inference"]; + test_case( "remove element", |s4| == 1 ); + test_case( "!in operator", "type inference" !in s4 ); + + delete sg1["braces"]; + test_case( "remove element", |sg1| == 2 ); + test_case( "!in operator", 
"braces" !in sg1 ); + + delete sg3["curly"]; + test_case( "remove element", |sg3| == 3 ); + test_case( "!in operator", "curly" !in sg3 ); + + + local a = set(1,5,7,9,8,14); + local b = set(1,7,9,2); + + local a_plus_b = set(1,2,5,7,9,8,14); + local a_also_b = set(1,7,9); + local a_sans_b = set(5,8,14); + local b_sans_a = set(2); + + local a_or_b = a | b; + local a_and_b = a & b; + + test_case( "union", a_or_b == a_plus_b ); + test_case( "intersection", a_and_b == a_plus_b ); + test_case( "difference", a - b == a_sans_b ); + test_case( "difference", b - a == b_sans_a ); + + test_case( "union/inter.", |b & set(1,7,9,2)| == |b | set(1,7,2,9)| ); + test_case( "relational", |b & a_or_b| == |b| && |b| < |a_or_b| ); + test_case( "relational", b < a_or_b && a < a_or_b && a_or_b > a_and_b ); + + test_case( "subset", b < a ); + test_case( "subset", a < b ); + test_case( "subset", b < (a | set(2)) ); + test_case( "superset", b > a ); + test_case( "superset", b > (a | set(2)) ); + test_case( "superset", b | set(8, 14, 5) > (a | set(2)) ); + test_case( "superset", b | set(8, 14, 99, 5) > (a | set(2)) ); + + test_case( "non-ordering", (a <= b) || (a >= b) ); + test_case( "non-ordering", (a <= a_or_b) && (a_or_b >= b) ); + + test_case( "superset", (b | set(14, 5)) > a - set(8) ); + test_case( "superset", (b | set(14)) > a - set(8) ); + test_case( "superset", (b | set(14)) > a - set(8,5) ); + test_case( "superset", b >= a - set(5,8,14) ); + test_case( "superset", b > a - set(5,8,14) ); + test_case( "superset", (b - set(2)) > a - set(5,8,14) ); + test_case( "equality", a == a | set(5) ); + test_case( "equality", a == a | set(5,11) ); + test_case( "non-equality", a != a | set(5,11) ); + test_case( "equality", a == a | set(5,11) ); + + test_case( "magnitude", |a_and_b| == |a_or_b|); + } + diff --git a/testing/btest/core/old_comm_usage.bro b/testing/btest/core/old_comm_usage.bro new file mode 100644 index 0000000000..0e9ae2f1f6 --- /dev/null +++ b/testing/btest/core/old_comm_usage.bro 
@@ -0,0 +1,7 @@
+# @TEST-EXEC-FAIL: bro -b %INPUT >out 2>&1
+# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff out
+
+event bro_init()
+ {
+ terminate_communication();
+ }
diff --git a/testing/btest/core/option-errors.bro b/testing/btest/core/option-errors.bro
new file mode 100644
index 0000000000..6a9a8f1db6
--- /dev/null
+++ b/testing/btest/core/option-errors.bro
@@ -0,0 +1,13 @@
+# @TEST-EXEC-FAIL: bro %INPUT
+# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff .stderr
+
+option testbool;
+
+@TEST-START-NEXT
+
+option testbool : bool;
+
+@TEST-START-NEXT
+
+option testopt = 5;
+testopt = 6;
diff --git a/testing/btest/core/option-priorities.bro b/testing/btest/core/option-priorities.bro
new file mode 100644
index 0000000000..fd352a5459
--- /dev/null
+++ b/testing/btest/core/option-priorities.bro
@@ -0,0 +1,28 @@
+# @TEST-EXEC: bro %INPUT
+# @TEST-EXEC: btest-diff .stdout
+
+export {
+ ## Test some documentation here!
+ option testbool: bool = T;
+}
+
+function option_changed(ID: string, new_value: bool): bool {
+ print fmt("Value of %s changed from %s to %s", ID, testbool, new_value);
+ return new_value;
+}
+
+function option_changed_two(ID: string, new_value: bool, location: string): bool {
+ print fmt("Higher prio - Value of %s changed from %s to %s at location '%s'", ID, testbool, new_value, location);
+ return T;
+}
+
+event bro_init()
+ {
+ print "Old value", testbool;
+ Option::set_change_handler("testbool", option_changed);
+ Option::set_change_handler("testbool", option_changed_two, 99);
+ Option::set("testbool", F);
+ Option::set("testbool", F, "here");
+ print "New value", testbool;
+ }
+
diff --git a/testing/btest/core/option-redef.bro b/testing/btest/core/option-redef.bro
new file mode 100644
index 0000000000..3d67a9a755
--- /dev/null
+++ b/testing/btest/core/option-redef.bro
@@ -0,0 +1,16 @@
+# @TEST-EXEC: bro %INPUT
+# @TEST-EXEC: btest-diff .stdout
+
+# options are allowed to be redef-able.
+# And they are even redef-able by default.
+
+option testopt = 5 &redef;
+redef testopt = 6;
+option anotheropt = 6;
+redef anotheropt = 7;
+
+event bro_init() {
+ print testopt;
+ print anotheropt;
+}
+
diff --git a/testing/btest/core/option-runtime-errors.bro b/testing/btest/core/option-runtime-errors.bro
new file mode 100644
index 0000000000..8ae4b9ca40
--- /dev/null
+++ b/testing/btest/core/option-runtime-errors.bro
@@ -0,0 +1,104 @@
+# @TEST-EXEC: bro %INPUT
+# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff .stderr
+
+# Errors that happen during runtime. At least at the moment we are not checking these early enough
+# that Bro will bail out during startup. Perhaps we want to change this later.
+
+option A = 5;
+Option::set("B", 6);
+
+@TEST-START-NEXT
+
+option A = 5;
+Option::set("A", "hi");
+
+@TEST-START-NEXT
+
+const A = 5;
+Option::set("A", 6);
+
+@TEST-START-NEXT:
+
+option A = 5;
+
+function option_changed(ID: string, new_value: bool): bool {
+}
+
+Option::set_change_handler("A", option_changed);
+
+@TEST-START-NEXT:
+
+option A = 5;
+
+function option_changed(ID: string): bool {
+}
+
+Option::set_change_handler("A", option_changed);
+
+@TEST-START-NEXT:
+
+option A : count = 5;
+
+function option_changed(ID: string, new_value: count): bool {
+}
+
+Option::set_change_handler("A", option_changed);
+
+@TEST-START-NEXT:
+
+option A : count = 5;
+
+hook option_changed(ID: string, new_value: count) {
+}
+
+Option::set_change_handler("A", option_changed);
+
+@TEST-START-NEXT:
+
+option A : count = 5;
+
+event option_changed(ID: string, new_value: count) {
+}
+
+Option::set_change_handler("A", option_changed);
+
+@TEST-START-NEXT:
+
+function option_changed(ID: string, new_value: count) : count {
+}
+
+Option::set_change_handler("A", option_changed);
+
+
+@TEST-START-NEXT:
+
+const A : count = 5;
+
+function option_changed(ID: string, new_value: count) : count {
+}
+
+Option::set_change_handler("A", option_changed);
+
+@TEST-START-NEXT:
+
+option A : count = 5;
+
+Option::set_change_handler("A", A);
+
+@TEST-START-NEXT:
+
+option A : count = 5;
+
+function option_changed(ID: string, new_value: count, location: count) : count {
+}
+
+Option::set_change_handler("A", option_changed);
+
+@TEST-START-NEXT:
+
+option A : count = 5;
+
+function option_changed(ID: string, new_value: count, location: string, a: count) : count {
+}
+
+Option::set_change_handler("A", option_changed); diff --git a/testing/btest/core/pppoe-over-qinq.bro b/testing/btest/core/pppoe-over-qinq.bro new file mode 100644 index 0000000000..cdfd4607ae --- /dev/null +++ b/testing/btest/core/pppoe-over-qinq.bro @@ -0,0 +1,2 @@ +# @TEST-EXEC: bro -C -r $TRACES/pppoe-over-qinq.pcap +# @TEST-EXEC: btest-diff conn.log diff --git a/testing/btest/core/recursive-event.bro b/testing/btest/core/recursive-event.bro index 3bc4b51541..245e994cd6 100644 --- a/testing/btest/core/recursive-event.bro +++ b/testing/btest/core/recursive-event.bro @@ -4,8 +4,9 @@ # In old version, the event would keep triggering endlessely, with the network # time not moving forward and Bro not terminating. # -# Note that the output will be 10 (not 20) because we still execute two rounds -# of events every time we drain. +# Note that the output will not be 20 because we still execute two rounds +# of events every time we drain and also at startup several (currently 3) +# rounds of events drain with the same network_time. redef exit_only_after_terminate=T; diff --git a/testing/btest/core/truncation.test b/testing/btest/core/truncation.test index c0e4ee857a..d819ca1f88 100644 --- a/testing/btest/core/truncation.test +++ b/testing/btest/core/truncation.test 
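Review bot: The section separators in option-runtime-errors.bro are written two ways: the first two are `@TEST-START-NEXT` and the remaining ten are `@TEST-START-NEXT:` with a trailing colon. If btest tolerates the colon this is only cosmetic. If it does not, those cases would not be split into separate runs and the later `Option::set_change_handler` error paths would go untested without any visible failure. Either way one spelling, `@TEST-START-NEXT`, should be used throughout, matching option-errors.bro in this same commit.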
@@ -25,4 +25,19 @@ # @TEST-EXEC: bro -r $TRACES/trunc/trunc-hdr.pcap # @TEST-EXEC: cat weird.log >> output +# Truncated packet where the length of the IP header is larger than the total +# packet length +# @TEST-EXEC: bro -C -r $TRACES/trunc/ipv4-truncated-broken-header.pcap +# @TEST-EXEC: cat weird.log >> output + +# Truncated packet where the captured length is big enough for the ip header +# struct, but not large enough to capture the full header length (with options) +# @TEST-EXEC: bro -C -r $TRACES/trunc/ipv4-internally-truncated-header.pcap +# @TEST-EXEC: cat weird.log >> output + +# Truncated packet where the length of the IP header is larger than the total +# packet length inside several tunnels +# @TEST-EXEC: bro -C -r $TRACES/trunc/mpls-6in6-6in6-4in6-trunc.pcap +# @TEST-EXEC: cat weird.log >> output + # @TEST-EXEC: btest-diff output diff --git a/testing/btest/core/tunnels/gre-pptp.test b/testing/btest/core/tunnels/gre-pptp.test new file mode 100644 index 0000000000..a5fa8c0d19 --- /dev/null +++ b/testing/btest/core/tunnels/gre-pptp.test @@ -0,0 +1,4 @@ +# @TEST-EXEC: bro -r $TRACES/tunnels/gre-pptp.pcap +# @TEST-EXEC: btest-diff conn.log +# @TEST-EXEC: btest-diff tunnel.log +# @TEST-EXEC: btest-diff dns.log diff --git a/testing/btest/core/tunnels/ip-in-ip-version.bro b/testing/btest/core/tunnels/ip-in-ip-version.bro new file mode 100644 index 0000000000..35d633c8fe --- /dev/null +++ b/testing/btest/core/tunnels/ip-in-ip-version.bro @@ -0,0 +1,14 @@ +# Trace in we have mpls->ip6->ip6->ip4 where the ip4 packet +# has an invalid IP version. +# @TEST-EXEC: bro -C -r $TRACES/tunnels/mpls-6in6-6in6-4in6-invalid-version-4.pcap +# @TEST-EXEC: mv weird.log output + +# Trace in which we have mpls->ip6->ip6 where the ip6 packet +# has an invalid IP version. +# @TEST-EXEC: bro -C -r $TRACES/tunnels/mpls-6in6-6in6-invalid-version-6.pcap +# @TEST-EXEC: cat weird.log >> output + +# @TEST-EXEC: btest-diff output + +@load base/frameworks/notice/weird.bro + 
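Review bot: Each of the three new cases in truncation.test's `@@ -25,4 +25,19 @@` hunk appends `weird.log` to `output` without removing the file left by the previous run, so a run that logged no weird at all would presumably re-append the earlier log instead of failing. The baseline diff would then show a duplicated entry rather than a clear missing-log failure, and a regenerated baseline would quietly lock that in, which matters for tests whose purpose is to pin how truncated IP headers are reported. Clearing the file before each run, `# @TEST-EXEC: rm -f weird.log`, makes the following `cat weird.log >> output` fail when nothing was logged. The existing cases above the hunk use the same append pattern and are outside this change.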
diff --git a/testing/btest/core/vector-assignment.bro b/testing/btest/core/vector-assignment.bro new file mode 100644 index 0000000000..d1f02c124f --- /dev/null +++ b/testing/btest/core/vector-assignment.bro @@ -0,0 +1,19 @@ +# @TEST-EXEC: bro %INPUT + +# This regression test checks a special case in the vector code. In this case +# UnaryExpr will be called with a Type() of any. Tests succeeds if it does not +# crash Bro. + +type OptionCacheValue: record { + val: any; +}; + +function set_me(val: any) { + local a = OptionCacheValue($val=val); + print a; +} + +event bro_init() { + local b: vector of count = {1, 2, 3}; + set_me(b); +} diff --git a/testing/btest/core/when-interpreter-exceptions.bro b/testing/btest/core/when-interpreter-exceptions.bro index 151d8d2f57..f259a46bda 100644 --- a/testing/btest/core/when-interpreter-exceptions.bro +++ b/testing/btest/core/when-interpreter-exceptions.bro @@ -5,7 +5,6 @@ # interpreter exceptions in "when" blocks shouldn't cause termination @load base/utils/exec -@load base/frameworks/communication # let network-time run. otherwise there are no heartbeats... redef exit_only_after_terminate = T; type MyRecord: record { diff --git a/testing/btest/core/wlanmon.bro b/testing/btest/core/wlanmon.bro new file mode 100644 index 0000000000..b227baf7eb --- /dev/null +++ b/testing/btest/core/wlanmon.bro @@ -0,0 +1,2 @@ +# @TEST-EXEC: bro -C -r $TRACES/wlanmon.pcap +# @TEST-EXEC: btest-diff conn.log diff --git a/testing/btest/coverage/bare-load-baseline.test b/testing/btest/coverage/bare-load-baseline.test index 52393afb7c..e518e703fb 100644 --- a/testing/btest/coverage/bare-load-baseline.test +++ b/testing/btest/coverage/bare-load-baseline.test 
@@ -10,5 +10,6 @@ # @TEST-EXEC: bro -b misc/loaded-scripts # @TEST-EXEC: test -e loaded_scripts.log # @TEST-EXEC: cat loaded_scripts.log | egrep -v '#' | awk 'NR>0{print $1}' | sed -e ':a' -e '$!N' -e 's/^\(.*\).*\n\1.*/\1/' -e 'ta' >prefix -# @TEST-EXEC: cat loaded_scripts.log | sed "s#`cat prefix`##g" >canonified_loaded_scripts.log +# @TEST-EXEC: (test -L $BUILD && basename $(readlink $BUILD) || basename $BUILD) >buildprefix +# @TEST-EXEC: cat loaded_scripts.log | sed "s#`cat buildprefix`#build#g" | sed "s#`cat prefix`##g" >canonified_loaded_scripts.log # @TEST-EXEC: btest-diff canonified_loaded_scripts.log diff --git a/testing/btest/coverage/default-load-baseline.test b/testing/btest/coverage/default-load-baseline.test index 669b465083..076f26b770 100644 --- a/testing/btest/coverage/default-load-baseline.test +++ b/testing/btest/coverage/default-load-baseline.test @@ -10,5 +10,6 @@ # @TEST-EXEC: bro misc/loaded-scripts # @TEST-EXEC: test -e loaded_scripts.log # @TEST-EXEC: cat loaded_scripts.log | egrep -v '#' | sed 's/ //g' | sed -e ':a' -e '$!N' -e 's/^\(.*\).*\n\1.*/\1/' -e 'ta' >prefix -# @TEST-EXEC: cat loaded_scripts.log | sed "s#`cat prefix`##g" >canonified_loaded_scripts.log +# @TEST-EXEC: (test -L $BUILD && basename $(readlink $BUILD) || basename $BUILD) >buildprefix +# @TEST-EXEC: cat loaded_scripts.log | sed "s#`cat buildprefix`#build#g" | sed "s#`cat prefix`##g" >canonified_loaded_scripts.log # @TEST-EXEC: btest-diff canonified_loaded_scripts.log diff --git a/testing/btest/coverage/init-default.test b/testing/btest/coverage/init-default.test index 6877159c62..537b5ca77d 100644 --- a/testing/btest/coverage/init-default.test +++ b/testing/btest/coverage/init-default.test 
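Review bot: The added `buildprefix` step expands `$BUILD` and `$(readlink $BUILD)` unquoted, and the next line pastes the resulting directory name into a sed pattern as an unanchored regex. A build path containing whitespace breaks the `test`/`basename` calls. A name containing `.` or `#`, or a short name that also occurs elsewhere in the script paths, would rewrite more than the build directory component. Quoting the expansions, as in `basename "$(readlink "$BUILD")"`, and anchoring the match on path separators, as in `sed "s#/$(cat buildprefix)/#/build/#g"`, keeps the canonification limited to that component. The same two lines are added in default-load-baseline.test, and init-default.test feeds the same file into an `egrep -v` pattern, where it is at least anchored by the `/scripts/` suffix.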
@@ -11,7 +11,8 @@ #@TEST-EXEC: test -e $DIST/scripts/base/init-default.bro #@TEST-EXEC: ( cd $DIST/scripts/base && find . -name '*.bro' ) | sort >"all scripts found" #@TEST-EXEC: bro misc/loaded-scripts -#@TEST-EXEC: cat loaded_scripts.log | egrep -v '/build/|/loaded-scripts.bro|#' | sed 's#/./#/#g' >loaded_scripts.log.tmp +#@TEST-EXEC: (test -L $BUILD && basename $(readlink $BUILD) || basename $BUILD) >buildprefix +#@TEST-EXEC: cat loaded_scripts.log | egrep -v "/build/scripts/|$(cat buildprefix)/scripts/|/loaded-scripts.bro|#" | sed 's#/./#/#g' >loaded_scripts.log.tmp #@TEST-EXEC: cat loaded_scripts.log.tmp | sed 's/ //g' | sed -e ':a' -e '$!N' -e 's/^\(.*\).*\n\1.*/\1/' -e 'ta' >prefix #@TEST-EXEC: cat loaded_scripts.log.tmp | sed 's/ //g' | sed "s#`cat prefix`#./#g" | sort >init-default.bro #@TEST-EXEC: diff -u "all scripts found" init-default.bro | egrep "^-[^-]" > missing_loads diff --git a/testing/btest/doc/broxygen/all_scripts.test b/testing/btest/doc/broxygen/all_scripts.test index 61cead160b..dc009044da 100644 --- a/testing/btest/doc/broxygen/all_scripts.test +++ b/testing/btest/doc/broxygen/all_scripts.test @@ -5,9 +5,9 @@ # listen.bro in order to document it. # @TEST-SERIALIZE: comm -# @TEST-EXEC: bro -X broxygen.config broxygen DumpEvents::include=/NOTHING_MATCHES/ +# @TEST-EXEC: unset BRO_DISABLE_BROXYGEN; bro -X broxygen.config broxygen DumpEvents::include=/NOTHING_MATCHES/ # @TEST-EXEC: btest-diff .stdout -# @TEST-EXEC: btest-diff .stderr +# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff .stderr @TEST-START-FILE broxygen.config script * scripts/ diff --git a/testing/btest/doc/broxygen/command_line.bro b/testing/btest/doc/broxygen/command_line.bro index 95558f7461..d009667b7e 100644 --- a/testing/btest/doc/broxygen/command_line.bro +++ b/testing/btest/doc/broxygen/command_line.bro 
@@ -1,7 +1,7 @@ # Shouldn't emit any warnings about not being able to document something # that's supplied via command line script. -# @TEST-EXEC: bro %INPUT -e 'redef myvar=10; print myvar' >output 2>&1 +# @TEST-EXEC: unset BRO_DISABLE_BROXYGEN; bro %INPUT -e 'redef myvar=10; print myvar' >output 2>&1 # @TEST-EXEC: btest-diff output const myvar = 5 &redef; diff --git a/testing/btest/doc/broxygen/comment_retrieval_bifs.bro b/testing/btest/doc/broxygen/comment_retrieval_bifs.bro index 77a6058d71..f3c1be6b14 100644 --- a/testing/btest/doc/broxygen/comment_retrieval_bifs.bro +++ b/testing/btest/doc/broxygen/comment_retrieval_bifs.bro @@ -1,4 +1,4 @@ -# @TEST-EXEC: bro -b %INPUT >out +# @TEST-EXEC: unset BRO_DISABLE_BROXYGEN; bro -b %INPUT >out # @TEST-EXEC: btest-diff out ##! This is a test script. diff --git a/testing/btest/doc/broxygen/enums.bro b/testing/btest/doc/broxygen/enums.bro index e8b4c741c2..8fbdb11ab6 100644 --- a/testing/btest/doc/broxygen/enums.bro +++ b/testing/btest/doc/broxygen/enums.bro @@ -1,4 +1,4 @@ -# @TEST-EXEC: bro -b -X broxygen.config %INPUT +# @TEST-EXEC: unset BRO_DISABLE_BROXYGEN; bro -b -X broxygen.config %INPUT # @TEST-EXEC: btest-diff autogen-reST-enums.rst @TEST-START-FILE broxygen.config diff --git a/testing/btest/doc/broxygen/example.bro b/testing/btest/doc/broxygen/example.bro index e7212f3c5f..22a6fc7418 100644 --- a/testing/btest/doc/broxygen/example.bro +++ b/testing/btest/doc/broxygen/example.bro @@ -1,4 +1,4 @@ -# @TEST-EXEC: bro -X broxygen.config %INPUT +# @TEST-EXEC: unset BRO_DISABLE_BROXYGEN; bro -X broxygen.config %INPUT # @TEST-EXEC: btest-diff example.rst @TEST-START-FILE broxygen.config diff --git a/testing/btest/doc/broxygen/func-params.bro b/testing/btest/doc/broxygen/func-params.bro index 42d1308151..e53ca475f1 100644 --- a/testing/btest/doc/broxygen/func-params.bro +++ b/testing/btest/doc/broxygen/func-params.bro 
@@ -1,4 +1,4 @@ -# @TEST-EXEC: bro -b -X broxygen.config %INPUT +# @TEST-EXEC: unset BRO_DISABLE_BROXYGEN; bro -b -X broxygen.config %INPUT # @TEST-EXEC: btest-diff autogen-reST-func-params.rst @TEST-START-FILE broxygen.config diff --git a/testing/btest/doc/broxygen/identifier.bro b/testing/btest/doc/broxygen/identifier.bro index 3768b0c0c6..9225ab8db0 100644 --- a/testing/btest/doc/broxygen/identifier.bro +++ b/testing/btest/doc/broxygen/identifier.bro @@ -1,4 +1,5 @@ -# @TEST-EXEC: bro -b -X broxygen.config %INPUT +# @TEST-SERIALIZE: comm +# @TEST-EXEC: unset BRO_DISABLE_BROXYGEN; bro -b -X broxygen.config %INPUT # @TEST-EXEC: btest-diff test.rst @TEST-START-FILE broxygen.config diff --git a/testing/btest/doc/broxygen/package.bro b/testing/btest/doc/broxygen/package.bro index 6857d5e646..0d8d790361 100644 --- a/testing/btest/doc/broxygen/package.bro +++ b/testing/btest/doc/broxygen/package.bro @@ -1,4 +1,5 @@ -# @TEST-EXEC: bro -b -X broxygen.config %INPUT +# @TEST-SERIALIZE: comm +# @TEST-EXEC: unset BRO_DISABLE_BROXYGEN; bro -b -X broxygen.config %INPUT # @TEST-EXEC: btest-diff test.rst @TEST-START-FILE broxygen.config diff --git a/testing/btest/doc/broxygen/package_index.bro b/testing/btest/doc/broxygen/package_index.bro index e29479d49f..4b98290f20 100644 --- a/testing/btest/doc/broxygen/package_index.bro +++ b/testing/btest/doc/broxygen/package_index.bro @@ -1,4 +1,5 @@ -# @TEST-EXEC: bro -b -X broxygen.config %INPUT +# @TEST-SERIALIZE: comm +# @TEST-EXEC: unset BRO_DISABLE_BROXYGEN; bro -b -X broxygen.config %INPUT # @TEST-EXEC: btest-diff test.rst @TEST-START-FILE broxygen.config diff --git a/testing/btest/doc/broxygen/records.bro b/testing/btest/doc/broxygen/records.bro index 0cc7d27500..fbaa957a9f 100644 --- a/testing/btest/doc/broxygen/records.bro +++ b/testing/btest/doc/broxygen/records.bro 
@@ -1,4 +1,4 @@ -# @TEST-EXEC: bro -b -X broxygen.config %INPUT +# @TEST-EXEC: unset BRO_DISABLE_BROXYGEN; bro -b -X broxygen.config %INPUT # @TEST-EXEC: btest-diff autogen-reST-records.rst @TEST-START-FILE broxygen.config diff --git a/testing/btest/doc/broxygen/script_index.bro b/testing/btest/doc/broxygen/script_index.bro index 91bb4b756f..c987c005be 100644 --- a/testing/btest/doc/broxygen/script_index.bro +++ b/testing/btest/doc/broxygen/script_index.bro @@ -1,4 +1,5 @@ -# @TEST-EXEC: bro -b -X broxygen.config %INPUT +# @TEST-SERIALIZE: comm +# @TEST-EXEC: unset BRO_DISABLE_BROXYGEN; bro -b -X broxygen.config %INPUT # @TEST-EXEC: btest-diff test.rst @TEST-START-FILE broxygen.config diff --git a/testing/btest/doc/broxygen/script_summary.bro b/testing/btest/doc/broxygen/script_summary.bro index 9d3cda012b..7fc89c3735 100644 --- a/testing/btest/doc/broxygen/script_summary.bro +++ b/testing/btest/doc/broxygen/script_summary.bro @@ -1,4 +1,5 @@ -# @TEST-EXEC: bro -b -X broxygen.config %INPUT +# @TEST-SERIALIZE: comm +# @TEST-EXEC: unset BRO_DISABLE_BROXYGEN; bro -b -X broxygen.config %INPUT # @TEST-EXEC: btest-diff test.rst @TEST-START-FILE broxygen.config diff --git a/testing/btest/doc/broxygen/type-aliases.bro b/testing/btest/doc/broxygen/type-aliases.bro index 28c2cc5568..0971327c2b 100644 --- a/testing/btest/doc/broxygen/type-aliases.bro +++ b/testing/btest/doc/broxygen/type-aliases.bro @@ -1,4 +1,4 @@ -# @TEST-EXEC: bro -b -X broxygen.config %INPUT +# @TEST-EXEC: unset BRO_DISABLE_BROXYGEN; bro -b -X broxygen.config %INPUT # @TEST-EXEC: btest-diff autogen-reST-type-aliases.rst @TEST-START-FILE broxygen.config diff --git a/testing/btest/doc/broxygen/vectors.bro b/testing/btest/doc/broxygen/vectors.bro index 62fb31d436..7c18225357 100644 --- a/testing/btest/doc/broxygen/vectors.bro +++ b/testing/btest/doc/broxygen/vectors.bro 
@@ -1,4 +1,4 @@ -# @TEST-EXEC: bro -b -X broxygen.config %INPUT +# @TEST-EXEC: unset BRO_DISABLE_BROXYGEN; bro -b -X broxygen.config %INPUT # @TEST-EXEC: btest-diff autogen-reST-vectors.rst @TEST-START-FILE broxygen.config diff --git a/testing/btest/doc/sphinx/include-build_scripts_base_bif_plugins_Bro_DNS_events_bif_bro.btest b/testing/btest/doc/sphinx/include-build_scripts_base_bif_plugins_Bro_DNS_events_bif_bro.btest new file mode 100644 index 0000000000..6e15ece5e0 --- /dev/null +++ b/testing/btest/doc/sphinx/include-build_scripts_base_bif_plugins_Bro_DNS_events_bif_bro.btest @@ -0,0 +1,30 @@ +# @TEST-EXEC: cat %INPUT >output && btest-diff output + +Bro_DNS.events.bif.bro + +## Generated for DNS requests. For requests with multiple queries, this event +## is raised once for each. +## +## See `Wikipedia `__ for more +## information about the DNS protocol. Bro analyzes both UDP and TCP DNS +## sessions. +## +## c: The connection, which may be UDP or TCP depending on the type of the +## transport-layer session being analyzed. +## +## msg: The parsed DNS message header. +## +## query: The queried name. +## +## qtype: The queried resource record type. +## +## qclass: The queried resource record class. +## +## .. bro:see:: dns_AAAA_reply dns_A_reply dns_CNAME_reply dns_EDNS_addl +## dns_HINFO_reply dns_MX_reply dns_NS_reply dns_PTR_reply dns_SOA_reply +## dns_SRV_reply dns_TSIG_addl dns_TXT_reply dns_WKS_reply dns_end +## dns_full_request dns_mapping_altered dns_mapping_lost_name dns_mapping_new_name +## dns_mapping_unverified dns_mapping_valid dns_message dns_query_reply +## dns_rejected non_dns_request dns_max_queries dns_session_timeout dns_skip_addl +## dns_skip_all_addl dns_skip_all_auth dns_skip_auth +global dns_request: event(c: connection , msg: dns_msg , query: string , qtype: count , qclass: count ); 
diff --git a/testing/btest/doc/sphinx/include-doc_frameworks_broker_connecting-connector_bro.btest b/testing/btest/doc/sphinx/include-doc_frameworks_broker_connecting-connector_bro.btest index c4cbde045c..d2916a4c4f 100644 --- a/testing/btest/doc/sphinx/include-doc_frameworks_broker_connecting-connector_bro.btest +++ b/testing/btest/doc/sphinx/include-doc_frameworks_broker_connecting-connector_bro.btest @@ -2,21 +2,15 @@ connecting-connector.bro -const broker_port: port = 9999/tcp &redef; redef exit_only_after_terminate = T; -redef Broker::endpoint_name = "connector"; event bro_init() { - Broker::enable(); - Broker::connect("127.0.0.1", broker_port, 1sec); + Broker::peer("127.0.0.1"); } -event Broker::outgoing_connection_established(peer_address: string, - peer_port: port, - peer_name: string) +event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) { - print "Broker::outgoing_connection_established", - peer_address, peer_port, peer_name; + print "peer added", endpoint; terminate(); } diff --git a/testing/btest/doc/sphinx/include-doc_frameworks_broker_connecting-listener_bro.btest b/testing/btest/doc/sphinx/include-doc_frameworks_broker_connecting-listener_bro.btest index 8ea85569c9..b15bac75c0 100644 --- a/testing/btest/doc/sphinx/include-doc_frameworks_broker_connecting-listener_bro.btest +++ b/testing/btest/doc/sphinx/include-doc_frameworks_broker_connecting-listener_bro.btest 
@@ -2,23 +2,20 @@ connecting-listener.bro -const broker_port: port = 9999/tcp &redef; redef exit_only_after_terminate = T; -redef Broker::endpoint_name = "listener"; event bro_init() { - Broker::enable(); - Broker::listen(broker_port, "127.0.0.1"); + Broker::listen("127.0.0.1"); } -event Broker::incoming_connection_established(peer_name: string) +event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) { - print "Broker::incoming_connection_established", peer_name; + print "peer added", endpoint; } -event Broker::incoming_connection_broken(peer_name: string) +event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) { - print "Broker::incoming_connection_broken", peer_name; + print "peer lost", endpoint; terminate(); } diff --git a/testing/btest/doc/sphinx/include-doc_frameworks_broker_events-connector_bro.btest b/testing/btest/doc/sphinx/include-doc_frameworks_broker_events-connector_bro.btest index d7a0e64be2..96616dbd3c 100644 --- a/testing/btest/doc/sphinx/include-doc_frameworks_broker_events-connector_bro.btest +++ b/testing/btest/doc/sphinx/include-doc_frameworks_broker_events-connector_bro.btest 
@@ -2,34 +2,38 @@ events-connector.bro -const broker_port: port = 9999/tcp &redef; redef exit_only_after_terminate = T; -redef Broker::endpoint_name = "connector"; global my_event: event(msg: string, c: count); global my_auto_event: event(msg: string, c: count); event bro_init() { - Broker::enable(); - Broker::connect("127.0.0.1", broker_port, 1sec); - Broker::auto_event("bro/event/my_auto_event", my_auto_event); + Broker::peer("127.0.0.1"); + Broker::auto_publish("bro/event/my_auto_event", my_auto_event); } -event Broker::outgoing_connection_established(peer_address: string, - peer_port: port, - peer_name: string) +event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) { - print "Broker::outgoing_connection_established", - peer_address, peer_port, peer_name; - Broker::send_event("bro/event/my_event", Broker::event_args(my_event, "hi", 0)); + print "peer added", endpoint; + Broker::publish("bro/event/my_event", my_event, "hi", 0); event my_auto_event("stuff", 88); - Broker::send_event("bro/event/my_event", Broker::event_args(my_event, "...", 1)); + Broker::publish("bro/event/my_event", my_event, "...", 1); event my_auto_event("more stuff", 51); - Broker::send_event("bro/event/my_event", Broker::event_args(my_event, "bye", 2)); + local e = Broker::make_event(my_event, "bye", 2); + Broker::publish("bro/event/my_event", e); } -event Broker::outgoing_connection_broken(peer_address: string, - peer_port: port) +event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) { terminate(); } + +event my_event(msg: string, c: count) + { + print "got my_event", msg, c; + } + +event my_auto_event(msg: string, c: count) + { + print "got my_auto_event", msg, c; + } diff --git a/testing/btest/doc/sphinx/include-doc_frameworks_broker_events-listener_bro.btest b/testing/btest/doc/sphinx/include-doc_frameworks_broker_events-listener_bro.btest index 640722cac0..928ba60311 100644 
--- a/testing/btest/doc/sphinx/include-doc_frameworks_broker_events-listener_bro.btest +++ b/testing/btest/doc/sphinx/include-doc_frameworks_broker_events-listener_bro.btest @@ -2,23 +2,20 @@ events-listener.bro -const broker_port: port = 9999/tcp &redef; redef exit_only_after_terminate = T; -redef Broker::endpoint_name = "listener"; global msg_count = 0; global my_event: event(msg: string, c: count); global my_auto_event: event(msg: string, c: count); event bro_init() { - Broker::enable(); - Broker::subscribe_to_events("bro/event/"); - Broker::listen(broker_port, "127.0.0.1"); + Broker::subscribe("bro/event/"); + Broker::listen("127.0.0.1"); } -event Broker::incoming_connection_established(peer_name: string) +event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) { - print "Broker::incoming_connection_established", peer_name; + print "peer added", endpoint; } event my_event(msg: string, c: count) diff --git a/testing/btest/doc/sphinx/include-doc_frameworks_broker_logs-connector_bro.btest b/testing/btest/doc/sphinx/include-doc_frameworks_broker_logs-connector_bro.btest index 907d712c88..84d0a60391 100644 --- a/testing/btest/doc/sphinx/include-doc_frameworks_broker_logs-connector_bro.btest +++ b/testing/btest/doc/sphinx/include-doc_frameworks_broker_logs-connector_bro.btest @@ -4,18 +4,12 @@ logs-connector.bro @load ./testlog -const broker_port: port = 9999/tcp &redef; redef exit_only_after_terminate = T; -redef Broker::endpoint_name = "connector"; -redef Log::enable_local_logging = F; -redef Log::enable_remote_logging = F; global n = 0; event bro_init() { - Broker::enable(); - Broker::enable_remote_logs(Test::LOG); - Broker::connect("127.0.0.1", broker_port, 1sec); + Broker::peer("127.0.0.1"); } event do_write() 
@@ -28,17 +22,19 @@ event do_write() event do_write(); } -event Broker::outgoing_connection_established(peer_address: string, - peer_port: port, - peer_name: string) +event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) { - print "Broker::outgoing_connection_established", - peer_address, peer_port, peer_name; + print "peer added", endpoint; event do_write(); } -event Broker::outgoing_connection_broken(peer_address: string, - peer_port: port) +event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) { terminate(); } + +event Test::log_test(rec: Test::Info) + { + print "wrote log", rec; + Broker::publish("bro/logs/forward/test", Test::log_test, rec); + } diff --git a/testing/btest/doc/sphinx/include-doc_frameworks_broker_logs-listener_bro.btest b/testing/btest/doc/sphinx/include-doc_frameworks_broker_logs-listener_bro.btest index de6abbf5a0..359a88b476 100644 --- a/testing/btest/doc/sphinx/include-doc_frameworks_broker_logs-listener_bro.btest +++ b/testing/btest/doc/sphinx/include-doc_frameworks_broker_logs-listener_bro.btest @@ -4,25 +4,22 @@ logs-listener.bro @load ./testlog -const broker_port: port = 9999/tcp &redef; redef exit_only_after_terminate = T; -redef Broker::endpoint_name = "listener"; event bro_init() { - Broker::enable(); - Broker::subscribe_to_logs("bro/log/Test::LOG"); - Broker::listen(broker_port, "127.0.0.1"); + Broker::subscribe("bro/logs"); + Broker::listen("127.0.0.1"); } -event Broker::incoming_connection_established(peer_name: string) +event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) { - print "Broker::incoming_connection_established", peer_name; + print "peer added", endpoint; } event Test::log_test(rec: Test::Info) { - print "wrote log", rec; + print "got log event", rec; if ( rec$num == 5 ) terminate(); 
diff --git a/testing/btest/doc/sphinx/include-doc_frameworks_broker_printing-connector_bro.btest b/testing/btest/doc/sphinx/include-doc_frameworks_broker_printing-connector_bro.btest deleted file mode 100644 index 91ee179fe6..0000000000 --- a/testing/btest/doc/sphinx/include-doc_frameworks_broker_printing-connector_bro.btest +++ /dev/null @@ -1,30 +0,0 @@ -# @TEST-EXEC: cat %INPUT >output && btest-diff output - -printing-connector.bro - -const broker_port: port = 9999/tcp &redef; -redef exit_only_after_terminate = T; -redef Broker::endpoint_name = "connector"; - -event bro_init() - { - Broker::enable(); - Broker::connect("127.0.0.1", broker_port, 1sec); - } - -event Broker::outgoing_connection_established(peer_address: string, - peer_port: port, - peer_name: string) - { - print "Broker::outgoing_connection_established", - peer_address, peer_port, peer_name; - Broker::send_print("bro/print/hi", "hello"); - Broker::send_print("bro/print/stuff", "..."); - Broker::send_print("bro/print/bye", "goodbye"); - } - -event Broker::outgoing_connection_broken(peer_address: string, - peer_port: port) - { - terminate(); - } diff --git a/testing/btest/doc/sphinx/include-doc_frameworks_broker_printing-listener_bro.btest b/testing/btest/doc/sphinx/include-doc_frameworks_broker_printing-listener_bro.btest deleted file mode 100644 index 37e4d0eae9..0000000000 --- a/testing/btest/doc/sphinx/include-doc_frameworks_broker_printing-listener_bro.btest +++ /dev/null 
@@ -1,29 +0,0 @@ -# @TEST-EXEC: cat %INPUT >output && btest-diff output - -printing-listener.bro - -const broker_port: port = 9999/tcp &redef; -redef exit_only_after_terminate = T; -redef Broker::endpoint_name = "listener"; -global msg_count = 0; - -event bro_init() - { - Broker::enable(); - Broker::subscribe_to_prints("bro/print/"); - Broker::listen(broker_port, "127.0.0.1"); - } - -event Broker::incoming_connection_established(peer_name: string) - { - print "Broker::incoming_connection_established", peer_name; - } - -event Broker::print_handler(msg: string) - { - ++msg_count; - print "got print message", msg; - - if ( msg_count == 3 ) - terminate(); - } diff --git a/testing/btest/doc/sphinx/include-doc_frameworks_broker_stores-connector_bro.btest b/testing/btest/doc/sphinx/include-doc_frameworks_broker_stores-connector_bro.btest index 74b59467e7..8ef4dca1f5 100644 --- a/testing/btest/doc/sphinx/include-doc_frameworks_broker_stores-connector_bro.btest +++ b/testing/btest/doc/sphinx/include-doc_frameworks_broker_stores-connector_bro.btest 
@@ -2,56 +2,32 @@ stores-connector.bro -const broker_port: port = 9999/tcp &redef; redef exit_only_after_terminate = T; -global h: opaque of Broker::Handle; - -function dv(d: Broker::Data): Broker::DataVector - { - local rval: Broker::DataVector; - rval[0] = d; - return rval; - } +global h: opaque of Broker::Store; global ready: event(); -event Broker::outgoing_connection_broken(peer_address: string, - peer_port: port) +event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) { terminate(); } -event Broker::outgoing_connection_established(peer_address: string, - peer_port: port, - peer_name: string) - { - local myset: set[string] = {"a", "b", "c"}; - local myvec: vector of string = {"alpha", "beta", "gamma"}; - h = Broker::create_master("mystore"); - Broker::insert(h, Broker::data("one"), Broker::data(110)); - Broker::insert(h, Broker::data("two"), Broker::data(223)); - Broker::insert(h, Broker::data("myset"), Broker::data(myset)); - Broker::insert(h, Broker::data("myvec"), Broker::data(myvec)); - Broker::increment(h, Broker::data("one")); - Broker::decrement(h, Broker::data("two")); - Broker::add_to_set(h, Broker::data("myset"), Broker::data("d")); - Broker::remove_from_set(h, Broker::data("myset"), Broker::data("b")); - Broker::push_left(h, Broker::data("myvec"), dv(Broker::data("delta"))); - Broker::push_right(h, Broker::data("myvec"), dv(Broker::data("omega"))); - - when ( local res = Broker::size(h) ) - { - print "master size", res; - event ready(); - } - timeout 10sec - { print "timeout"; } - } - event bro_init() { - Broker::enable(); - Broker::connect("127.0.0.1", broker_port, 1secs); - Broker::auto_event("bro/event/ready", ready); + h = Broker::create_master("mystore"); + + local myset: set[string] = {"a", "b", "c"}; + local myvec: vector of string = {"alpha", "beta", "gamma"}; + Broker::put(h, "one", 110); + Broker::put(h, "two", 223); + Broker::put(h, "myset", myset); + Broker::put(h, "myvec", myvec); + Broker::increment(h, "one"); + 
Broker::decrement(h, "two"); + Broker::insert_into_set(h, "myset", "d"); + Broker::remove_from(h, "myset", "b"); + Broker::push(h, "myvec", "delta"); + + Broker::peer("127.0.0.1"); } diff --git a/testing/btest/doc/sphinx/include-doc_frameworks_broker_stores-listener_bro.btest b/testing/btest/doc/sphinx/include-doc_frameworks_broker_stores-listener_bro.btest index 8dadbc803c..571ede2687 100644 --- a/testing/btest/doc/sphinx/include-doc_frameworks_broker_stores-listener_bro.btest +++ b/testing/btest/doc/sphinx/include-doc_frameworks_broker_stores-listener_bro.btest 
@@ -2,46 +2,82 @@ stores-listener.bro -const broker_port: port = 9999/tcp &redef; redef exit_only_after_terminate = T; -global h: opaque of Broker::Handle; +global h: opaque of Broker::Store; global expected_key_count = 4; global key_count = 0; +# Lookup a value in the store based on an arbitrary key string. function do_lookup(key: string) { - when ( local res = Broker::lookup(h, Broker::data(key)) ) + when ( local res = Broker::get(h, key) ) { ++key_count; print "lookup", key, res; - if ( key_count == expected_key_count ) + # End after we iterated over looking up each key in the store twice. + if ( key_count == expected_key_count * 2 ) terminate(); } - timeout 10sec + # All data store queries must specify a timeout + timeout 3sec { print "timeout", key; } } -event ready() +event check_keys() { - h = Broker::create_clone("mystore"); - + # Here we just query for the list of keys in the store, and show how to + # look up each one's value. when ( local res = Broker::keys(h) ) { print "clone keys", res; - do_lookup(Broker::refine_to_string(Broker::vector_lookup(res$result, 0))); - do_lookup(Broker::refine_to_string(Broker::vector_lookup(res$result, 1))); - do_lookup(Broker::refine_to_string(Broker::vector_lookup(res$result, 2))); - do_lookup(Broker::refine_to_string(Broker::vector_lookup(res$result, 3))); + + if ( res?$result ) + { + # Since we know that the keys we are storing are all strings, + # we can conveniently cast the result of Broker::keys to + # a native Bro type, namely 'set[string]'. + for ( k in res$result as string_set ) + do_lookup(k); + + # Alternatively, we can use a generic iterator to iterate + # over the results (which we know is of the 'set' type because + # that's what Broker::keys() always returns). If the keys + # we stored were not all of the same type, then you would + # likely want to use this method of inspecting the store's keys. + local i = Broker::set_iterator(res$result); + + while ( ! 
Broker::set_iterator_last(i) ) + { + do_lookup(Broker::set_iterator_value(i) as string); + Broker::set_iterator_next(i); + } + } } - timeout 10sec - { print "timeout"; } + # All data store queries must specify a timeout. + # You also might see timeouts on connecting/initializing a clone since + # it hasn't had time to get fully set up yet. + timeout 1sec + { + print "timeout"; + schedule 1sec { check_keys() }; + } + } + +event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) + { + print "peer added"; + # We could create a clone early, like in bro_init and it will periodically + # try to synchronize with its master once it connects, however, we just + # create it now since we know the peer w/ the master store has just + # connected. + h = Broker::create_clone("mystore"); + + event check_keys(); } event bro_init() { - Broker::enable(); - Broker::subscribe_to_events("bro/event/ready"); - Broker::listen(broker_port, "127.0.0.1"); + Broker::listen("127.0.0.1"); } diff --git a/testing/btest/doc/sphinx/include-doc_frameworks_broker_testlog_bro.btest b/testing/btest/doc/sphinx/include-doc_frameworks_broker_testlog_bro.btest index d5a92417dc..8d779a1b92 100644 --- a/testing/btest/doc/sphinx/include-doc_frameworks_broker_testlog_bro.btest +++ b/testing/btest/doc/sphinx/include-doc_frameworks_broker_testlog_bro.btest @@ -17,6 +17,5 @@ export { event bro_init() &priority=5 { - Broker::enable(); Log::create_stream(Test::LOG, [$columns=Test::Info, $ev=log_test, $path="test"]); } diff --git a/testing/btest/doc/sphinx/include-doc_scripting_data_struct_vector_declaration_bro.btest b/testing/btest/doc/sphinx/include-doc_scripting_data_struct_vector_declaration_bro.btest index 4f1260e4ed..22790f45fe 100644 --- a/testing/btest/doc/sphinx/include-doc_scripting_data_struct_vector_declaration_bro.btest +++ b/testing/btest/doc/sphinx/include-doc_scripting_data_struct_vector_declaration_bro.btest 
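Review bot: In `do_lookup`, the `timeout 3sec` branch only prints, so a single timed-out `Broker::get` leaves `key_count` short of `expected_key_count * 2` and `terminate()` is never reached. With `exit_only_after_terminate = T` the listener would then run until the test harness kills it. Ending the run from that branch, for example `timeout 3sec { print "timeout", key; terminate(); }`, makes the failure visible in the output instead of a hang. `check_keys` has a similar gap: when the `Broker::keys` reply carries no `result`, nothing is rescheduled, so the `res?$result` check could take an `else` that prints the status and terminates.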
@@ -7,10 +7,10 @@ event bro_init() local v1: vector of count; local v2 = vector(1, 2, 3, 4); - v1[|v1|] = 1; - v1[|v1|] = 2; - v1[|v1|] = 3; - v1[|v1|] = 4; + v1 += 1; + v1 += 2; + v1 += 3; + v1 += 4; print fmt("contents of v1: %s", v1); print fmt("length of v1: %d", |v1|); diff --git a/testing/btest/doc/sphinx/include-doc_scripting_framework_logging_factorial_03_bro.btest b/testing/btest/doc/sphinx/include-doc_scripting_framework_logging_factorial_03_bro.btest index d5d1c23b2b..01ed659c75 100644 --- a/testing/btest/doc/sphinx/include-doc_scripting_framework_logging_factorial_03_bro.btest +++ b/testing/btest/doc/sphinx/include-doc_scripting_framework_logging_factorial_03_bro.btest @@ -2,6 +2,43 @@ framework_logging_factorial_03.bro +module Factor; + +export { + redef enum Log::ID += { LOG }; + + type Info: record { + num: count &log; + factorial_num: count &log; + }; + } + +function factorial(n: count): count + { + if ( n == 0 ) + return 1; + + else + return (n * factorial(n - 1)); + } + +event bro_done() + { + local numbers: vector of count = vector(1, 2, 3, 4, 5, 6, 7, 8, 9, 10); + for ( n in numbers ) + Log::write( Factor::LOG, [$num=numbers[n], + $factorial_num=factorial(numbers[n])]); + } + +function mod5(id: Log::ID, path: string, rec: Factor::Info) : string + { + if ( rec$factorial_num % 5 == 0 ) + return "factor-mod5"; + + else + return "factor-non5"; + } + event bro_init() { Log::create_stream(LOG, [$columns=Info, $path="factor"]); diff --git a/testing/btest/doc/sphinx/include-scripts_policy_protocols_conn_known-hosts_bro.btest b/testing/btest/doc/sphinx/include-scripts_policy_protocols_conn_known-hosts_bro.btest deleted file mode 100644 index 150de38f35..0000000000 --- a/testing/btest/doc/sphinx/include-scripts_policy_protocols_conn_known-hosts_bro.btest +++ /dev/null 
@@ -1,9 +0,0 @@ -# @TEST-EXEC: cat %INPUT >output && btest-diff output - -known-hosts.bro - -module Known; - -export { - global known_hosts: set[addr] &create_expire=1day &synchronized &redef; -} diff --git a/testing/btest/istate/bro-ipv6-socket.bro b/testing/btest/istate/bro-ipv6-socket.bro deleted file mode 100644 index 305f32caab..0000000000 --- a/testing/btest/istate/bro-ipv6-socket.bro +++ /dev/null @@ -1,56 +0,0 @@ -# @TEST-SERIALIZE: comm -# -# @TEST-REQUIRES: ifconfig | grep -q -E "inet6 ::1|inet6 addr: ::1" -# -# @TEST-EXEC: btest-bg-run recv bro -b ../recv.bro -# @TEST-EXEC: btest-bg-run send bro -b ../send.bro -# @TEST-EXEC: btest-bg-wait 20 -# -# @TEST-EXEC: btest-diff recv/.stdout -# @TEST-EXEC: btest-diff send/.stdout - -@TEST-START-FILE send.bro - -@load base/frameworks/communication - -redef Communication::nodes += { - ["foo"] = [$host=[::1], $connect=T, $retry=1sec, $events=/my_event/] -}; - -global my_event: event(s: string); - -event remote_connection_handshake_done(p: event_peer) - { - print fmt("handshake done with peer: %s", p$host); - } - -event my_event(s: string) - { - print fmt("my_event: %s", s); - terminate(); - } - -@TEST-END-FILE - -############# - -@TEST-START-FILE recv.bro - -@load frameworks/communication/listen - -redef Communication::listen_ipv6=T; - -global my_event: event(s: string); - -event remote_connection_handshake_done(p: event_peer) - { - print fmt("handshake done with peer: %s", p$host); - event my_event("hello world"); - } - -event remote_connection_closed(p: event_peer) - { - terminate(); - } - -@TEST-END-FILE diff --git a/testing/btest/istate/broccoli-ipv6-socket.bro b/testing/btest/istate/broccoli-ipv6-socket.bro deleted file mode 100644 index be6266fdec..0000000000 --- a/testing/btest/istate/broccoli-ipv6-socket.bro +++ /dev/null 
@@ -1,11 +0,0 @@ -# @TEST-SERIALIZE: comm -# -# @TEST-REQUIRES: test -e $BUILD/aux/broccoli/src/libbroccoli.so || test -e $BUILD/aux/broccoli/src/libbroccoli.dylib -# @TEST-REQUIRES: ifconfig | grep -q -E "inet6 ::1|inet6 addr: ::1" -# -# @TEST-EXEC: btest-bg-run bro bro $DIST/aux/broccoli/test/broccoli-v6addrs.bro "Communication::listen_ipv6=T" -# @TEST-EXEC: sleep 1 -# @TEST-EXEC: btest-bg-run broccoli $BUILD/aux/broccoli/test/broccoli-v6addrs -6 ::1 -# @TEST-EXEC: btest-bg-wait 20 -# @TEST-EXEC: btest-diff bro/.stdout -# @TEST-EXEC: btest-diff broccoli/.stdout diff --git a/testing/btest/istate/broccoli-ipv6.bro b/testing/btest/istate/broccoli-ipv6.bro deleted file mode 100644 index b4fdfb5fcf..0000000000 --- a/testing/btest/istate/broccoli-ipv6.bro +++ /dev/null @@ -1,10 +0,0 @@ -# @TEST-SERIALIZE: comm -# -# @TEST-REQUIRES: test -e $BUILD/aux/broccoli/src/libbroccoli.so || test -e $BUILD/aux/broccoli/src/libbroccoli.dylib -# -# @TEST-EXEC: btest-bg-run bro bro $DIST/aux/broccoli/test/broccoli-v6addrs.bro -# @TEST-EXEC: sleep 1 -# @TEST-EXEC: btest-bg-run broccoli $BUILD/aux/broccoli/test/broccoli-v6addrs -# @TEST-EXEC: btest-bg-wait 20 -# @TEST-EXEC: btest-diff bro/.stdout -# @TEST-EXEC: btest-diff broccoli/.stdout diff --git a/testing/btest/istate/broccoli-ssl.bro b/testing/btest/istate/broccoli-ssl.bro deleted file mode 100644 index dcbea93150..0000000000 --- a/testing/btest/istate/broccoli-ssl.bro +++ /dev/null 
@@ -1,69 +0,0 @@ -# @TEST-SERIALIZE: comm -# -# @TEST-REQUIRES: test -e $BUILD/aux/broccoli/src/libbroccoli.so || test -e $BUILD/aux/broccoli/src/libbroccoli.dylib -# -# @TEST-EXEC: chmod 600 broccoli.conf -# @TEST-EXEC: btest-bg-run bro bro $DIST/aux/broccoli/test/broccoli-v6addrs.bro "Communication::listen_ssl=T" "ssl_ca_certificate=../ca_cert.pem" "ssl_private_key=../bro.pem" -# @TEST-EXEC: sleep 1 -# @TEST-EXEC: btest-bg-run broccoli BROCCOLI_CONFIG_FILE=../broccoli.conf $BUILD/aux/broccoli/test/broccoli-v6addrs -# @TEST-EXEC: btest-bg-wait 20 -# @TEST-EXEC: btest-diff bro/.stdout -# @TEST-EXEC: btest-diff broccoli/.stdout - -@TEST-START-FILE broccoli.conf -/broccoli/use_ssl yes -/broccoli/ca_cert ../ca_cert.pem -/broccoli/host_cert ../bro.pem -/broccoli/host_key ../bro.pem -@TEST-END-FILE - -@TEST-START-FILE bro.pem ------BEGIN RSA PRIVATE KEY----- -MIICXgIBAAKBgQD17FE8UVaO224Y8UL2bH1okCYxr5dVytTQ93uE5J9caGADzPZe -qYPuvtPt9ivhBtf2L9odK7unQU60v6RsO3bb9bQktQbEdh0FEjnso2UHe/nLreYn -VyLCEp9Sh1OFQnMhJNYuzNwVzWOqH/TYNy3ODueZTS4YBsRyEkpEfgeoaQIDAQAB -AoGAJ/S1Xi94+Mz+Hl9UmeUWmx6QlhIJbI7/9NPA5d6fZcwvjW6HuOmh3fBzTn5o -sq8B96Xesk6gtpQNzaA1fsBKlzDSpGRDVg2odN9vIT3jd0Dub2F47JHdFCqtMUIV -rCsO+fpGtavv1zJ/rzlJz7rx4cRP+/Gwd5YlH0q5cFuHhAECQQD9q328Ye4A7o2e -cLOhzuWUZszqdIY7ZTgDtk06F57VrjLVERrZjrtAwbs77m+ybw4pDKKU7H5inhQQ -03PU40ARAkEA+C6cCM6E4hRwuR+QyIqpNC4CzgPaKlF+VONZLYYvHEwFvx2/EPtX -zOZdE4HdJwnXBYx7+AGFeq8uHhrN2Tq62QJBAMory2JAinejqKsGF6R2SPMlm1ug -0vqziRksShBqkuSqmUjHASczYnoR7S+usMb9S8PblhgrA++FHWjrnf2lwIECQQCj -+/AfpY2J8GWW/HNm/q/UiX5S75qskZI+tsXK3bmtIdI+OIJxzxFxktj3NbyRud+4 -i92xvhebO7rmK2HOYg7pAkEA2wrwY1E237twoYXuUInv9F9kShKLQs19nup/dfmF -xfoVqYjJwidzPfgngowJZij7SoTaIBKv/fKp5Tq6xW3AEg== ------END RSA PRIVATE KEY----- ------BEGIN CERTIFICATE----- -MIICZDCCAc2gAwIBAgIJAKoxR9yFGsk8MA0GCSqGSIb3DQEBBQUAMCsxKTAnBgNV -BAMTIEJybyBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MCAXDTExMDYxNTIx -MjgxNVoYDzIxMTEwNTIyMjEyODE1WjArMSkwJwYDVQQDEyBCcm8gUm9vdCBDZXJ0 
-aWZpY2F0aW9uIEF1dGhvcml0eTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA -9exRPFFWjttuGPFC9mx9aJAmMa+XVcrU0Pd7hOSfXGhgA8z2XqmD7r7T7fYr4QbX -9i/aHSu7p0FOtL+kbDt22/W0JLUGxHYdBRI57KNlB3v5y63mJ1ciwhKfUodThUJz -ISTWLszcFc1jqh/02Dctzg7nmU0uGAbEchJKRH4HqGkCAwEAAaOBjTCBijAdBgNV -HQ4EFgQU2vIsKYuGhHP8c7GeJLfWAjbKCFgwWwYDVR0jBFQwUoAU2vIsKYuGhHP8 -c7GeJLfWAjbKCFihL6QtMCsxKTAnBgNVBAMTIEJybyBSb290IENlcnRpZmljYXRp -b24gQXV0aG9yaXR5ggkAqjFH3IUayTwwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0B -AQUFAAOBgQAF2oceL61dA7WxA9lxcxsA/Fccr7+J6sO+pLXoZtx5tpknEuIUebkm -UfMGAiyYIenHi8u0Sia8KrIfuCDc2dG3DYmfX7/faCEbtSx8KtNQFIs3aXr1zhsw -3sX9fLS0gp/qHoPMuhbhlvTlMFSE/Mih3KDsZEGcifzI6ooLF0YP5A== ------END CERTIFICATE----- -@TEST-END-FILE - -@TEST-START-FILE ca_cert.pem ------BEGIN CERTIFICATE----- -MIICZDCCAc2gAwIBAgIJAKoxR9yFGsk8MA0GCSqGSIb3DQEBBQUAMCsxKTAnBgNV -BAMTIEJybyBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MCAXDTExMDYxNTIx -MjgxNVoYDzIxMTEwNTIyMjEyODE1WjArMSkwJwYDVQQDEyBCcm8gUm9vdCBDZXJ0 -aWZpY2F0aW9uIEF1dGhvcml0eTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA -9exRPFFWjttuGPFC9mx9aJAmMa+XVcrU0Pd7hOSfXGhgA8z2XqmD7r7T7fYr4QbX -9i/aHSu7p0FOtL+kbDt22/W0JLUGxHYdBRI57KNlB3v5y63mJ1ciwhKfUodThUJz -ISTWLszcFc1jqh/02Dctzg7nmU0uGAbEchJKRH4HqGkCAwEAAaOBjTCBijAdBgNV -HQ4EFgQU2vIsKYuGhHP8c7GeJLfWAjbKCFgwWwYDVR0jBFQwUoAU2vIsKYuGhHP8 -c7GeJLfWAjbKCFihL6QtMCsxKTAnBgNVBAMTIEJybyBSb290IENlcnRpZmljYXRp -b24gQXV0aG9yaXR5ggkAqjFH3IUayTwwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0B -AQUFAAOBgQAF2oceL61dA7WxA9lxcxsA/Fccr7+J6sO+pLXoZtx5tpknEuIUebkm -UfMGAiyYIenHi8u0Sia8KrIfuCDc2dG3DYmfX7/faCEbtSx8KtNQFIs3aXr1zhsw -3sX9fLS0gp/qHoPMuhbhlvTlMFSE/Mih3KDsZEGcifzI6ooLF0YP5A== ------END CERTIFICATE----- -@TEST-END-FILE diff --git a/testing/btest/istate/broccoli-vector.bro b/testing/btest/istate/broccoli-vector.bro deleted file mode 100644 index ce107f45d3..0000000000 --- a/testing/btest/istate/broccoli-vector.bro +++ /dev/null 
@@ -1,10 +0,0 @@ -# @TEST-SERIALIZE: comm -# -# @TEST-REQUIRES: test -e $BUILD/aux/broccoli/src/libbroccoli.so || test -e $BUILD/aux/broccoli/src/libbroccoli.dylib -# -# @TEST-EXEC: btest-bg-run bro bro $DIST/aux/broccoli/test/broccoli-vectors.bro -# @TEST-EXEC: sleep 1 -# @TEST-EXEC: btest-bg-run broccoli $BUILD/aux/broccoli/test/broccoli-vectors -# @TEST-EXEC: btest-bg-wait 20 -# @TEST-EXEC: btest-diff bro/.stdout -# @TEST-EXEC: btest-diff broccoli/.stdout diff --git a/testing/btest/istate/broccoli.bro b/testing/btest/istate/broccoli.bro deleted file mode 100644 index 2fdd4cbda4..0000000000 --- a/testing/btest/istate/broccoli.bro +++ /dev/null @@ -1,18 +0,0 @@ -# @TEST-SERIALIZE: comm -# -# @TEST-REQUIRES: test -e $BUILD/aux/broccoli/src/libbroccoli.so || test -e $BUILD/aux/broccoli/src/libbroccoli.dylib -# -# @TEST-EXEC: btest-bg-run bro bro %INPUT $DIST/aux/broccoli/test/broping-record.bro -# @TEST-EXEC: sleep 1 -# @TEST-EXEC: btest-bg-run broccoli $BUILD/aux/broccoli/test/broping -r -c 3 127.0.0.1 -# @TEST-EXEC: btest-bg-wait 20 -# @TEST-EXEC: cat bro/ping.log | sed 's/one-way.*//g' >bro.log -# @TEST-EXEC: cat broccoli/.stdout | sed 's/time=.*//g' >broccoli.log -# @TEST-EXEC: btest-diff bro.log -# @TEST-EXEC: btest-diff broccoli.log - -event remote_connection_closed(p: event_peer) - { - terminate(); - } - diff --git a/testing/btest/istate/events-ssl.bro b/testing/btest/istate/events-ssl.bro deleted file mode 100644 index d227417c15..0000000000 --- a/testing/btest/istate/events-ssl.bro +++ /dev/null 
@@ -1,143 +0,0 @@ -# @TEST-SERIALIZE: comm -# -# @TEST-EXEC: btest-bg-run sender bro -C -r $TRACES/web.trace --pseudo-realtime ../sender.bro -# @TEST-EXEC: btest-bg-run receiver bro ../receiver.bro -# @TEST-EXEC: btest-bg-wait 20 -# -# @TEST-EXEC: btest-diff sender/http.log -# @TEST-EXEC: btest-diff receiver/http.log -# -# @TEST-EXEC: cat sender/http.log | $SCRIPTS/diff-remove-timestamps >sender.http.log -# @TEST-EXEC: cat receiver/http.log | $SCRIPTS/diff-remove-timestamps >receiver.http.log -# @TEST-EXEC: cmp sender.http.log receiver.http.log -# -# @TEST-EXEC: bro -x sender/events.bst | sed 's/^event \[[-0-9.]*\] //g' | grep '^http_' | grep -v http_stats | sed 's/(.*$//g' | $SCRIPTS/diff-remove-timestamps >events.snd.log -# @TEST-EXEC: bro -x receiver/events.bst | sed 's/^event \[[-0-9.]*\] //g' | grep '^http_' | grep -v http_stats | sed 's/(.*$//g' | $SCRIPTS/diff-remove-timestamps >events.rec.log -# @TEST-EXEC: btest-diff events.rec.log -# @TEST-EXEC: btest-diff events.snd.log -# @TEST-EXEC: cmp events.rec.log events.snd.log -# -# We don't compare the transmitted event paramerters anymore. With the dynamic -# state in there since 1.6, they don't match reliably. - -@TEST-START-FILE sender.bro - -@load frameworks/communication/listen -redef Communication::listen_ssl=T; - -event bro_init() - { - capture_events("events.bst"); - } - -redef peer_description = "events-send"; - -# Make sure the HTTP connection really gets out. -# (We still miss one final connection event because we shutdown before -# it gets propagated but that's ok.) -redef tcp_close_delay = 0secs; - -redef ssl_ca_certificate = "../ca_cert.pem"; -redef ssl_private_key = "../bro.pem"; -redef ssl_passphrase = "my-password"; - -# Make sure the HTTP connection really gets out. -# (We still miss one final connection event because we shutdown before -# it gets propagated but that's ok.) 
-redef tcp_close_delay = 0secs; - -# File-analysis fields in http.log won't get set on receiver side correctly, -# one problem is with the way serialization may send a unique ID in place -# of a full value and expect the remote side to associate that unique ID with -# a value it received at an earlier time. So sometimes modifications the sender# makes to the value aren't seen on the receiver. -function myfh(c: connection, is_orig: bool): string - { - return ""; - } - -event bro_init() - { - # Ignore all http files. - Files::register_protocol(Analyzer::ANALYZER_HTTP, - [$get_file_handle = myfh]); - } - -@TEST-END-FILE - -############# - -@TEST-START-FILE receiver.bro - -event bro_init() - { - capture_events("events.bst"); - } - -redef peer_description = "events-rcv"; - -redef Communication::nodes += { - ["foo"] = [$host = 127.0.0.1, $events = /http_.*|signature_match|file_.*/, $connect=T, $ssl=T, $retry=1sec] -}; - -redef ssl_ca_certificate = "../ca_cert.pem"; -redef ssl_private_key = "../bro.pem"; -redef ssl_passphrase = "my-password"; - -event remote_connection_closed(p: event_peer) - { - terminate(); - } - -@TEST-END-FILE - -@TEST-START-FILE bro.pem ------BEGIN RSA PRIVATE KEY----- -MIICXgIBAAKBgQD17FE8UVaO224Y8UL2bH1okCYxr5dVytTQ93uE5J9caGADzPZe -qYPuvtPt9ivhBtf2L9odK7unQU60v6RsO3bb9bQktQbEdh0FEjnso2UHe/nLreYn -VyLCEp9Sh1OFQnMhJNYuzNwVzWOqH/TYNy3ODueZTS4YBsRyEkpEfgeoaQIDAQAB -AoGAJ/S1Xi94+Mz+Hl9UmeUWmx6QlhIJbI7/9NPA5d6fZcwvjW6HuOmh3fBzTn5o -sq8B96Xesk6gtpQNzaA1fsBKlzDSpGRDVg2odN9vIT3jd0Dub2F47JHdFCqtMUIV -rCsO+fpGtavv1zJ/rzlJz7rx4cRP+/Gwd5YlH0q5cFuHhAECQQD9q328Ye4A7o2e -cLOhzuWUZszqdIY7ZTgDtk06F57VrjLVERrZjrtAwbs77m+ybw4pDKKU7H5inhQQ -03PU40ARAkEA+C6cCM6E4hRwuR+QyIqpNC4CzgPaKlF+VONZLYYvHEwFvx2/EPtX -zOZdE4HdJwnXBYx7+AGFeq8uHhrN2Tq62QJBAMory2JAinejqKsGF6R2SPMlm1ug -0vqziRksShBqkuSqmUjHASczYnoR7S+usMb9S8PblhgrA++FHWjrnf2lwIECQQCj -+/AfpY2J8GWW/HNm/q/UiX5S75qskZI+tsXK3bmtIdI+OIJxzxFxktj3NbyRud+4 -i92xvhebO7rmK2HOYg7pAkEA2wrwY1E237twoYXuUInv9F9kShKLQs19nup/dfmF 
-xfoVqYjJwidzPfgngowJZij7SoTaIBKv/fKp5Tq6xW3AEg== ------END RSA PRIVATE KEY----- ------BEGIN CERTIFICATE----- -MIICZDCCAc2gAwIBAgIJAKoxR9yFGsk8MA0GCSqGSIb3DQEBBQUAMCsxKTAnBgNV -BAMTIEJybyBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MCAXDTExMDYxNTIx -MjgxNVoYDzIxMTEwNTIyMjEyODE1WjArMSkwJwYDVQQDEyBCcm8gUm9vdCBDZXJ0 -aWZpY2F0aW9uIEF1dGhvcml0eTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA -9exRPFFWjttuGPFC9mx9aJAmMa+XVcrU0Pd7hOSfXGhgA8z2XqmD7r7T7fYr4QbX -9i/aHSu7p0FOtL+kbDt22/W0JLUGxHYdBRI57KNlB3v5y63mJ1ciwhKfUodThUJz -ISTWLszcFc1jqh/02Dctzg7nmU0uGAbEchJKRH4HqGkCAwEAAaOBjTCBijAdBgNV -HQ4EFgQU2vIsKYuGhHP8c7GeJLfWAjbKCFgwWwYDVR0jBFQwUoAU2vIsKYuGhHP8 -c7GeJLfWAjbKCFihL6QtMCsxKTAnBgNVBAMTIEJybyBSb290IENlcnRpZmljYXRp -b24gQXV0aG9yaXR5ggkAqjFH3IUayTwwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0B -AQUFAAOBgQAF2oceL61dA7WxA9lxcxsA/Fccr7+J6sO+pLXoZtx5tpknEuIUebkm -UfMGAiyYIenHi8u0Sia8KrIfuCDc2dG3DYmfX7/faCEbtSx8KtNQFIs3aXr1zhsw -3sX9fLS0gp/qHoPMuhbhlvTlMFSE/Mih3KDsZEGcifzI6ooLF0YP5A== ------END CERTIFICATE----- -@TEST-END-FILE - -@TEST-START-FILE ca_cert.pem ------BEGIN CERTIFICATE----- -MIICZDCCAc2gAwIBAgIJAKoxR9yFGsk8MA0GCSqGSIb3DQEBBQUAMCsxKTAnBgNV -BAMTIEJybyBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MCAXDTExMDYxNTIx -MjgxNVoYDzIxMTEwNTIyMjEyODE1WjArMSkwJwYDVQQDEyBCcm8gUm9vdCBDZXJ0 -aWZpY2F0aW9uIEF1dGhvcml0eTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA -9exRPFFWjttuGPFC9mx9aJAmMa+XVcrU0Pd7hOSfXGhgA8z2XqmD7r7T7fYr4QbX -9i/aHSu7p0FOtL+kbDt22/W0JLUGxHYdBRI57KNlB3v5y63mJ1ciwhKfUodThUJz -ISTWLszcFc1jqh/02Dctzg7nmU0uGAbEchJKRH4HqGkCAwEAAaOBjTCBijAdBgNV -HQ4EFgQU2vIsKYuGhHP8c7GeJLfWAjbKCFgwWwYDVR0jBFQwUoAU2vIsKYuGhHP8 -c7GeJLfWAjbKCFihL6QtMCsxKTAnBgNVBAMTIEJybyBSb290IENlcnRpZmljYXRp -b24gQXV0aG9yaXR5ggkAqjFH3IUayTwwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0B -AQUFAAOBgQAF2oceL61dA7WxA9lxcxsA/Fccr7+J6sO+pLXoZtx5tpknEuIUebkm -UfMGAiyYIenHi8u0Sia8KrIfuCDc2dG3DYmfX7/faCEbtSx8KtNQFIs3aXr1zhsw -3sX9fLS0gp/qHoPMuhbhlvTlMFSE/Mih3KDsZEGcifzI6ooLF0YP5A== ------END CERTIFICATE----- -@TEST-END-FILE - 
diff --git a/testing/btest/istate/events.bro b/testing/btest/istate/events.bro
deleted file mode 100644
index 1edf14fee7..0000000000
--- a/testing/btest/istate/events.bro
+++ /dev/null
@@ -1,77 +0,0 @@ -# @TEST-SERIALIZE: comm -# -# @TEST-EXEC: btest-bg-run sender bro -Bthreading,logging,comm -C -r $TRACES/web.trace --pseudo-realtime ../sender.bro -# @TEST-EXEC: btest-bg-run receiver bro -Bthreading,logging,comm ../receiver.bro -# @TEST-EXEC: btest-bg-wait 20 -# -# @TEST-EXEC: btest-diff sender/http.log -# @TEST-EXEC: btest-diff receiver/http.log -# -# @TEST-EXEC: cat sender/http.log | $SCRIPTS/diff-remove-timestamps >sender.http.log -# @TEST-EXEC: cat receiver/http.log | $SCRIPTS/diff-remove-timestamps >receiver.http.log -# @TEST-EXEC: cmp sender.http.log receiver.http.log -# -# @TEST-EXEC: bro -x sender/events.bst | sed 's/^event \[[-0-9.]*\] //g' | grep '^http_' | grep -v http_stats | sed 's/(.*$//g' | $SCRIPTS/diff-remove-timestamps >events.snd.log -# @TEST-EXEC: bro -x receiver/events.bst | sed 's/^event \[[-0-9.]*\] //g' | grep '^http_' | grep -v http_stats | sed 's/(.*$//g' | $SCRIPTS/diff-remove-timestamps >events.rec.log -# @TEST-EXEC: btest-diff events.rec.log -# @TEST-EXEC: btest-diff events.snd.log -# @TEST-EXEC: cmp events.rec.log events.snd.log -# -# We don't compare the transmitted event paramerters anymore. With the dynamic -# state in there since 1.6, they don't match reliably. - -@TEST-START-FILE sender.bro - -@load frameworks/communication/listen - -event bro_init() - { - capture_events("events.bst"); - } - -redef peer_description = "events-send"; - -# Make sure the HTTP connection really gets out. -# (We still miss one final connection event because we shutdown before -# it gets propagated but that's ok.) -redef tcp_close_delay = 0secs; - -# File-analysis fields in http.log won't get set on receiver side correctly, -# one problem is with the way serialization may send a unique ID in place -# of a full value and expect the remote side to associate that unique ID with -# a value it received at an earlier time. So sometimes modifications the sender# makes to the value aren't seen on the receiver. 
-function myfh(c: connection, is_orig: bool): string - { - return ""; - } - -event bro_init() - { - # Ignore all http files. - Files::register_protocol(Analyzer::ANALYZER_HTTP, - [$get_file_handle = myfh]); - } - -@TEST-END-FILE - -############# - -@TEST-START-FILE receiver.bro - -event bro_init() - { - capture_events("events.bst"); - } - -redef peer_description = "events-rcv"; - -redef Communication::nodes += { - ["foo"] = [$host = 127.0.0.1, $events = /http_.*|signature_match|file_.*/, $connect=T, $retry=1sec] -}; - -event remote_connection_closed(p: event_peer) - { - terminate(); - } - -@TEST-END-FILE diff --git a/testing/btest/istate/hll.bro b/testing/btest/istate/hll.bro deleted file mode 100644 index 511a892644..0000000000 --- a/testing/btest/istate/hll.bro +++ /dev/null @@ -1,40 +0,0 @@ -# @TEST-EXEC: bro -b %INPUT runnumber=1 >out -# @TEST-EXEC: bro -b %INPUT runnumber=2 >>out -# @TEST-EXEC: bro -b %INPUT runnumber=3 >>out -# @TEST-EXEC: btest-diff out - -global runnumber: count &redef; # differentiate first and second run - -global card: opaque of cardinality &persistent; - -event bro_init() - { - print runnumber; - - if ( runnumber == 1 ) - { - card = hll_cardinality_init(0.01, 0.95); - - hll_cardinality_add(card, "a"); - hll_cardinality_add(card, "b"); - hll_cardinality_add(card, "c"); - hll_cardinality_add(card, "d"); - hll_cardinality_add(card, "e"); - hll_cardinality_add(card, "f"); - hll_cardinality_add(card, "g"); - hll_cardinality_add(card, "h"); - hll_cardinality_add(card, "i"); - hll_cardinality_add(card, "j"); - } - - print hll_cardinality_estimate(card); - - if ( runnumber == 2 ) - { - hll_cardinality_add(card, "a"); - hll_cardinality_add(card, "b"); - hll_cardinality_add(card, "c"); - hll_cardinality_add(card, "aa"); - } - } - diff --git a/testing/btest/istate/opaque.bro b/testing/btest/istate/opaque.bro deleted file mode 100644 index b387f9d6bc..0000000000 --- a/testing/btest/istate/opaque.bro +++ /dev/null 
@@ -1,90 +0,0 @@ -# -# @TEST-EXEC: bro -r $TRACES/empty.trace write.bro -# @TEST-EXEC: bro read.bro -# @TEST-EXEC: btest-diff expected.log -# @TEST-EXEC: btest-diff output.log -# @TEST-EXEC: cmp output.log expected.log - -@TEST-START-FILE read.bro - -global md5_handle: opaque of md5 &persistent &synchronized; -global sha1_handle: opaque of sha1 &persistent &synchronized; -global sha256_handle: opaque of sha256 &persistent &synchronized; -global entropy_handle: opaque of entropy &persistent &synchronized; - -global bloomfilter_elements: set[string] &persistent &synchronized; -global bloomfilter_handle: opaque of bloomfilter &persistent &synchronized; - -event bro_done() - { - local out = open("output.log"); - - # Finish incremental operations started by a previous Bro. - if ( md5_hash_update(md5_handle, "oo") ) - print out, md5_hash_finish(md5_handle); - else - print out, "md5_hash_update() failed"; - - if ( sha1_hash_update(sha1_handle, "oo") ) - print out, sha1_hash_finish(sha1_handle); - else - print out, "sha1_hash_update() failed"; - - if ( sha256_hash_update(sha256_handle, "oo") ) - print out, sha256_hash_finish(sha256_handle); - else - print out, "sha256_hash_update() failed"; - - if ( entropy_test_add(entropy_handle, "oo") ) - print out, entropy_test_finish(entropy_handle); - else - print out, "entropy_test_add() failed"; - - for ( e in bloomfilter_elements ) - print bloomfilter_lookup(bloomfilter_handle, e); - } - -@TEST-END-FILE - -@TEST-START-FILE write.bro - -global md5_handle: opaque of md5 &persistent &synchronized; -global sha1_handle: opaque of sha1 &persistent &synchronized; -global sha256_handle: opaque of sha256 &persistent &synchronized; -global entropy_handle: opaque of entropy &persistent &synchronized; - -global bloomfilter_elements = { "foo", "bar", "baz" } &persistent &synchronized; -global bloomfilter_handle: opaque of bloomfilter &persistent &synchronized; - -event bro_init() - { - local out = open("expected.log"); - print out, 
md5_hash("foo"); - print out, sha1_hash("foo"); - print out, sha256_hash("foo"); - print out, find_entropy("foo"); - - # Begin incremental operations. Our goal is to feed the data string "foo" to - # the computation, but split into "f" and "oo" in two instances.. - md5_handle = md5_hash_init(); - if ( ! md5_hash_update(md5_handle, "f") ) - print out, "md5_hash_update() failed"; - - sha1_handle = sha1_hash_init(); - if ( ! sha1_hash_update(sha1_handle, "f") ) - print out, "sha1_hash_update() failed"; - - sha256_handle = sha256_hash_init(); - if ( ! sha256_hash_update(sha256_handle, "f") ) - print out, "sha256_hash_update() failed"; - - entropy_handle = entropy_test_init(); - if ( ! entropy_test_add(entropy_handle, "f") ) - print out, "entropy_test_add() failed"; - - bloomfilter_handle = bloomfilter_basic_init(0.1, 100); - for ( e in bloomfilter_elements ) - bloomfilter_add(bloomfilter_handle, e); - } - -@TEST-END-FILE diff --git a/testing/btest/istate/persistence.bro b/testing/btest/istate/persistence.bro deleted file mode 100644 index ea2a5368ba..0000000000 --- a/testing/btest/istate/persistence.bro +++ /dev/null 
@@ -1,110 +0,0 @@ -# -# @TEST-EXEC: bro -r $TRACES/empty.trace write.bro %INPUT -# @TEST-EXEC: cp vars.log vars.write.log -# @TEST-EXEC: bro read.bro %INPUT -# @TEST-EXEC: cp vars.log vars.read.log -# @TEST-EXEC: btest-diff vars.read.log -# @TEST-EXEC: btest-diff vars.write.log -# @TEST-EXEC: cmp vars.read.log vars.write.log - -### Common code for reader and writer. - -event bro_done() - { - local out = open("vars.log"); - print out, foo1; - print out, foo2; - print out, foo3; - print out, foo4; - print out, foo5; - print out, foo6; - print out, foo8; - print out, foo9; - print out, foo10; - print out, foo11; - print out, foo12; - print out, foo13; - print out, foo14; - print out, foo15; - print out, foo16; - print out, foo17; - } - - - - - -@TEST-START-FILE read.bro - -global foo1: count &persistent &synchronized; -global foo2: int &persistent &synchronized; -global foo3: string &persistent &synchronized; -global foo4: addr &persistent &synchronized; -global foo5: subnet &persistent &synchronized; -global foo6: double &persistent &synchronized; -global foo8: interval &persistent &synchronized; -global foo9: table[count] of string &persistent &synchronized; -global foo10: file &persistent &synchronized; -global foo11: pattern &persistent &synchronized; -global foo12: set[count] &persistent &synchronized; -global foo13: table[count, string] of count &persistent &synchronized; -global foo14: table[count] of pattern &persistent &synchronized; -global foo15: port &persistent &synchronized; -global foo16: vector of count &persistent &synchronized; - -type type1: record { - a: string; - b: count &default=42; - c: double &optional; - }; - -type type2: record { - a: string; - b: type1; - c: type1; - d: double; - }; - -global foo17: type2 &persistent &synchronized; - -@TEST-END-FILE - -@TEST-START-FILE write.bro - -global foo1 = 42 &persistent &synchronized; -global foo2 = -42 &persistent &synchronized; -global foo3 = "Hallihallo" &persistent &synchronized; -global foo4 = 
1.2.3.4 &persistent &synchronized; -global foo5 = 1.2.0.0/16 &persistent &synchronized; -global foo6 = 3.14 &persistent &synchronized; -global foo8 = 42 secs &persistent &synchronized; -global foo9 = { [1] = "qwerty", [2] = "uiop" } &persistent &synchronized; -global foo10 = open("test") &persistent &synchronized; -global foo11 = /12345/ &persistent &synchronized; -global foo12 = { 1,2,3,4,5 } &persistent &synchronized; -global foo13 = { [1,"ABC"] = 101, [2,"DEF"] = 102, [3,"GHI"] = 103 } &persistent &synchronized; -global foo14 = { [12345] = foo11, [12346] = foo11 } &persistent &synchronized; -global foo15 = 42/udp &persistent &synchronized; -global foo16: vector of count = [1,2,3] &persistent &synchronized; - -type type1: record { - a: string; - b: count &default=42; - c: double &optional; - }; - -type type2: record { - a: string; - b: type1; - c: type1; - d: double; - }; - -global foo17: type2 = [ - $a = "yuyuyu", - $b = [$a="rec1", $b=100, $c=1.24], - $c = [$a="rec2", $b=200, $c=2.24], - $d = 7.77 - ] &persistent &synchronized; - -@TEST-END-FILE diff --git a/testing/btest/istate/pybroccoli.py b/testing/btest/istate/pybroccoli.py deleted file mode 100644 index 7600c2b7d4..0000000000 --- a/testing/btest/istate/pybroccoli.py +++ /dev/null 
@@ -1,19 +0,0 @@ -# @TEST-SERIALIZE: comm -# -# @TEST-REQUIRES: test -e $BUILD/aux/broccoli/src/libbroccoli.so || test -e $BUILD/aux/broccoli/src/libbroccoli.dylib -# @TEST-REQUIRES: test -e $BUILD/aux/broccoli/bindings/broccoli-python/_broccoli_intern.so -# -# @TEST-EXEC: btest-bg-run bro bro %INPUT $DIST/aux/broccoli/bindings/broccoli-python/tests/test.bro -# @TEST-EXEC: btest-bg-run python PYTHONPATH=$DIST/aux/broccoli/bindings/broccoli-python/:$BUILD/aux/broccoli/bindings/broccoli-python python $DIST/aux/broccoli/bindings/broccoli-python/tests/test.py -# @TEST-EXEC: btest-bg-wait -k 20 -# @TEST-EXEC: btest-diff bro/.stdout -# -# @TEST-EXEC: sed -e 's/instance at [^>]*>/instance at >/' -e 's/object at [^>]*>/instance at >/' python/.stdout.filtered -# @TEST-EXEC: TEST_DIFF_CANONIFIER="sed -e 's/^\([-]*[0-9][0-9]*\)L/\1/' | $SCRIPTS/diff-remove-timestamps" btest-diff python/.stdout.filtered - -event remote_connection_closed(p: event_peer) - { - terminate(); - } - - diff --git a/testing/btest/istate/sync.bro b/testing/btest/istate/sync.bro deleted file mode 100644 index a297e8a50f..0000000000 --- a/testing/btest/istate/sync.bro +++ /dev/null 
@@ -1,171 +0,0 @@ -# @TEST-SERIALIZE: comm -# -# @TEST-EXEC: btest-bg-run sender bro -b %INPUT ../sender.bro -# @TEST-EXEC: btest-bg-run receiver bro -b %INPUT ../receiver.bro -# @TEST-EXEC: btest-bg-wait 20 -# -# @TEST-EXEC: btest-diff sender/vars.log -# @TEST-EXEC: btest-diff receiver/vars.log -# @TEST-EXEC: cmp sender/vars.log receiver/vars.log - -### Common code for sender and receiver. - -# Instantiate variables. - -global foo1 = 42 &persistent &synchronized; -global foo2 = -42 &persistent &synchronized; -global foo3 = "Hallihallo" &persistent &synchronized; -global foo4 = 1.2.3.4 &persistent &synchronized; -global foo5 = 1.2.0.0/16 &persistent &synchronized; -global foo6 = 3.14 &persistent &synchronized; -global foo8 = 42 secs &persistent &synchronized; -global foo9 = { [1] = "qwerty", [2] = "uiop" } &persistent &synchronized; -global foo10 = open("test") &persistent &synchronized; -global foo11 = /12345/ &persistent &synchronized; -global foo12 = { 1,2,3,4,5 } &persistent &synchronized; -global foo13 = { [1,"ABC"] = 101, [2,"DEF"] = 102, [3,"GHI"] = 103 } &persistent &synchronized; -global foo14 = { [12345] = foo11, [12346] = foo11 } &persistent &synchronized; -global foo15 = 42/udp &persistent &synchronized; -global foo16: vector of count = [1,2,3] &persistent &synchronized; -global foo18: count &persistent &synchronized; # not initialized - -type type1: record { - a: string; - b: count &default=42; - c: double &optional; - }; - -type type2: record { - a: string; - b: type1; - c: type1; - d: double; - e: double &optional; - }; - -global foo17: type2 = [ - $a = "yuyuyu", - $b = [$a="rec1", $b=100, $c=1.24], - $c = [$a="rec2", $b=200, $c=2.24], - $d = 7.77, $e=100.0 - ] &persistent &synchronized; - -# Print variables. 
- -event bro_done() - { - local out = open("vars.log"); - print out, foo1; - print out, foo2; - print out, foo3; - print out, foo4; - print out, foo5; - print out, foo6; - print out, foo8; - print out, foo9; - print out, foo10; - print out, foo11; - print out, foo12; - print out, foo13; - print out, foo14; - print out, foo15; - print out, foo16; - print out, foo17; - print out, foo18; - } - - -@TEST-START-FILE sender.bro - -# Perform modifications on variables. - -function modify() - { - foo1 = 420; - ++foo1; - - --foo2; - - foo3 = "Jodel"; - - foo4 = 4.3.2.1; - - foo5 = 4.0.0.0/8; - - foo6 = 21; - - foo9[3] = "asdfg1"; - foo9[1] = "asdfg2"; - delete foo9[2]; - - foo10 = open("test2"); - - foo11 = /abbcdefgh/; - - add foo12[6]; - delete foo12[1]; - - foo13[4,"JKL"] = 104; - delete foo13[1,"ABC"]; - ++foo13[2,"DEF"]; - - foo14[6767] = /QWERTZ/; - - foo15 = 6667/tcp; - - foo16[3] = 4; - foo16[1] = 20; - ++foo16[0]; - - local x: type1; - x$a = "pop"; - ++x$b; - x$c = 9.999; - foo17$a = "zxzxzx"; - foo17$b = x; - foo17$c$a = "IOIOI"; - ++foo17$c$b; - foo17$c$c = 612.2; - foo17$d = 6.6666; - delete foo17$e; - - foo2 = 1234567; - foo18 = 122112; - } - -@load frameworks/communication/listen - -event remote_connection_handshake_done(p: event_peer) - { - modify(); - terminate_communication(); - } - -redef Communication::nodes += { - ["foo"] = [$host = 127.0.0.1, $sync=T] -}; - -@TEST-END-FILE - -############# - -@TEST-START-FILE receiver.bro - -@load base/frameworks/communication - -event bro_init() - { - capture_events("events.bst"); - } - -redef Communication::nodes += { - ["foo"] = [$host = 127.0.0.1, $events = /.*/, $connect=T, $sync=T, - $retry=1sec] -}; - -event remote_connection_closed(p: event_peer) - { - terminate(); - } - -@TEST-END-FILE diff --git a/testing/btest/istate/topk.bro b/testing/btest/istate/topk.bro deleted file mode 100644 index 4d599c2780..0000000000 --- a/testing/btest/istate/topk.bro +++ /dev/null 
@@ -1,74 +0,0 @@ -# @TEST-EXEC: bro -b %INPUT runnumber=1 >out -# @TEST-EXEC: bro -b %INPUT runnumber=2 >>out -# @TEST-EXEC: bro -b %INPUT runnumber=3 >>out -# @TEST-EXEC: btest-diff out - -global runnumber: count &redef; # differentiate runs - -global k1: opaque of topk &persistent; -global k2: opaque of topk &persistent; - -event bro_init() - { - - k2 = topk_init(20); - - if ( runnumber == 1 ) - { - k1 = topk_init(100); - - topk_add(k1, "a"); - topk_add(k1, "b"); - topk_add(k1, "b"); - topk_add(k1, "c"); - topk_add(k1, "c"); - topk_add(k1, "c"); - topk_add(k1, "c"); - topk_add(k1, "c"); - topk_add(k1, "c"); - topk_add(k1, "d"); - topk_add(k1, "d"); - topk_add(k1, "d"); - topk_add(k1, "d"); - topk_add(k1, "e"); - topk_add(k1, "e"); - topk_add(k1, "e"); - topk_add(k1, "e"); - topk_add(k1, "e"); - topk_add(k1, "f"); - } - - local s = topk_get_top(k1, 3); - print topk_count(k1, "a"); - print topk_count(k1, "b"); - print topk_count(k1, "c"); - print topk_count(k1, "d"); - print topk_count(k1, "e"); - print topk_count(k1, "f"); - - if ( runnumber == 2 ) - { - topk_add(k1, "a"); - topk_add(k1, "b"); - topk_add(k1, "b"); - topk_add(k1, "c"); - topk_add(k1, "c"); - topk_add(k1, "c"); - topk_add(k1, "c"); - topk_add(k1, "c"); - topk_add(k1, "c"); - topk_add(k1, "d"); - topk_add(k1, "d"); - topk_add(k1, "d"); - topk_add(k1, "d"); - topk_add(k1, "e"); - topk_add(k1, "e"); - topk_add(k1, "e"); - topk_add(k1, "e"); - topk_add(k1, "e"); - topk_add(k1, "f"); - } - - print s; - - } diff --git a/testing/btest/language/count.bro b/testing/btest/language/count.bro index b0972e29fa..39a3786dfb 100644 --- a/testing/btest/language/count.bro +++ b/testing/btest/language/count.bro 
@@ -47,6 +47,17 @@ event bro_init() test_case( "assignment operator", c2 == 8 ); c2 -= 2; test_case( "assignment operator", c2 == 6 ); + test_case( "bitwise and", c2 & 0x4 == 0x4 ); + test_case( "bitwise and", c4 & 0x4 == 0x4 ); + test_case( "bitwise and", c8 & 0x4 == 0x0 ); + test_case( "bitwise or", c2 | 0x4 == c2 ); + test_case( "bitwise or", c4 | 0x4 == c4 ); + test_case( "bitwise or", c8 | 0x4 == c7 ); + test_case( "bitwise xor", c7 ^ 0x4 == c8 ); + test_case( "bitwise xor", c4 ^ 0x4 == 251 ); + test_case( "bitwise xor", c8 ^ 0x4 == c7 ); + test_case( "bitwise complement", ~c6 == 0 ); + test_case( "bitwise complement", ~~c4 == c4 ); # Max. value tests diff --git a/testing/btest/language/expire-expr-error.bro b/testing/btest/language/expire-expr-error.bro index c355bd58ed..7c9a3aa318 100644 --- a/testing/btest/language/expire-expr-error.bro +++ b/testing/btest/language/expire-expr-error.bro @@ -1,13 +1,12 @@ -# @TEST-EXEC: btest-bg-run broproc bro %INPUT -# @TEST-EXEC: btest-bg-wait -k 5 -# @TEST-EXEC: cat broproc/.stderr > output +# @TEST-EXEC: bro -b %INPUT +# @TEST-EXEC: cp .stderr output # @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff output +redef exit_only_after_terminate = T; + global x: table[string] of interval; global data: table[int] of string &create_expire=x["kaputt"]; -@load frameworks/communication/listen - global runs = 0; event do_it() { @@ -16,6 +15,8 @@ event do_it() ++runs; if ( runs < 4 ) schedule 1sec { do_it() }; + else + terminate(); } @@ -24,6 +25,3 @@ event bro_init() &priority=-10 data[0] = "some data"; schedule 1sec { do_it() }; } - - - diff --git a/testing/btest/language/expire-redef.bro b/testing/btest/language/expire-redef.bro index f08ac8d3f2..5cbb00f313 100644 --- a/testing/btest/language/expire-redef.bro +++ b/testing/btest/language/expire-redef.bro 
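Review bot: The added bitwise checks in testing/btest/language/count.bro combine `&`, `|` and `^` with `==` without parentheses, e.g. `c2 & 0x4 == 0x4`; a reader used to C precedence would take that as `c2 & (0x4 == 0x4)`, so what the test asserts rests on the script grammar binding the bitwise operators tighter than comparison. Writing `test_case( "bitwise and", (c2 & 0x4) == 0x4 );`, and likewise for the other binary cases, makes the intended grouping explicit. The expected values in `c4 ^ 0x4 == 251` and `~c6 == 0` depend on the definitions of c4 and c6, which are outside the hunk, so a short comment giving those values above the new block would help. bro_init's body starts and ends outside the hunk.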
@@ -3,24 +3,22 @@ redef exit_only_after_terminate = T; -@load frameworks/communication/listen - const exp_val = -1sec &redef; global expired: function(tbl: table[int] of string, idx: int): interval; global data: table[int] of string &write_expire=exp_val &expire_func=expired; redef table_expire_interval = 1sec; -redef exp_val = 5sec; +redef exp_val = 6sec; global runs = 0; event do_it() { + ++runs; print fmt("Run %s", runs); - ++runs; - if ( runs < 4 ) - schedule 2sec { do_it() }; + if ( runs < 2 ) + schedule 4sec { do_it() }; else terminate(); } @@ -35,5 +33,5 @@ function expired(tbl: table[int] of string, idx: int): interval event bro_init() &priority=-10 { data[0] = "some data"; - schedule 2sec { do_it() }; + schedule 4sec { do_it() }; } diff --git a/testing/btest/language/ipv6-literals.bro b/testing/btest/language/ipv6-literals.bro index 004d104c6e..bf888b29e1 100644 --- a/testing/btest/language/ipv6-literals.bro +++ b/testing/btest/language/ipv6-literals.bro 
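Review bot: The new timings in testing/btest/language/expire-redef.bro (`redef exp_val = 6sec;`, `schedule 4sec { do_it() };`, `runs < 2`) are bare numbers, and the test's outcome depends on how they relate to each other, which nothing in the hunk states. Presumably the first run at 4s is meant to fall before the 6s write expiry and the second at 8s after it; a comment such as `# do_it fires at 4s and 8s; the entry expires at 6s, checked every table_expire_interval` above `redef exp_val` would record that. Moving `++runs;` ahead of the print also changes the printed run numbers from 0-based to 1-based, so the baseline has to change with it (not visible here). The body of `expired` is outside both hunks.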
@@ -3,30 +3,30 @@ local v: vector of addr = vector(); -v[|v|] = [::1]; -v[|v|] = [::ffff]; -v[|v|] = [::ffff:ffff]; -v[|v|] = [::0a0a:ffff]; -v[|v|] = [1::1]; -v[|v|] = [1::a]; -v[|v|] = [1::1:1]; -v[|v|] = [1::1:a]; -v[|v|] = [a::a]; -v[|v|] = [a::1]; -v[|v|] = [a::a:a]; -v[|v|] = [a::a:1]; -v[|v|] = [a:a::a]; -v[|v|] = [aaaa:0::ffff]; -v[|v|] = [::ffff:192.168.1.100]; -v[|v|] = [ffff::192.168.1.100]; -v[|v|] = [::192.168.1.100]; -v[|v|] = [::ffff:0:192.168.1.100]; -v[|v|] = [805B:2D9D:DC28::FC57:212.200.31.255]; -v[|v|] = [0xaaaa::bbbb]; -v[|v|] = [aaaa:bbbb:cccc:dddd:eeee:ffff:1111:2222]; -v[|v|] = [aaaa:bbbb:cccc:dddd:eeee:ffff:1:2222]; -v[|v|] = [aaaa:bbbb:cccc:dddd:eeee:ffff:0:2222]; -v[|v|] = [aaaa:bbbb:cccc:dddd:eeee:0:0:2222]; +v += [::1]; +v += [::ffff]; +v += [::ffff:ffff]; +v += [::0a0a:ffff]; +v += [1::1]; +v += [1::a]; +v += [1::1:1]; +v += [1::1:a]; +v += [a::a]; +v += [a::1]; +v += [a::a:a]; +v += [a::a:1]; +v += [a:a::a]; +v += [aaaa:0::ffff]; +v += [::ffff:192.168.1.100]; +v += [ffff::192.168.1.100]; +v += [::192.168.1.100]; +v += [::ffff:0:192.168.1.100]; +v += [805B:2D9D:DC28::FC57:212.200.31.255]; +v += [0xaaaa::bbbb]; +v += [aaaa:bbbb:cccc:dddd:eeee:ffff:1111:2222]; +v += [aaaa:bbbb:cccc:dddd:eeee:ffff:1:2222]; +v += [aaaa:bbbb:cccc:dddd:eeee:ffff:0:2222]; +v += [aaaa:bbbb:cccc:dddd:eeee:0:0:2222]; for (i in v) print v[i]; diff --git a/testing/btest/language/pattern.bro b/testing/btest/language/pattern.bro index b904fe8737..e427b70e80 100644 --- a/testing/btest/language/pattern.bro +++ b/testing/btest/language/pattern.bro 
@@ -22,11 +22,47 @@ event bro_init() test_case( "equality operator", "foo" == p1 ); test_case( "equality operator (order of operands)", p1 == "foo" ); + test_case( "inequality operator", "foobar" != p1 ); test_case( "inequality operator (order of operands)", p1 != "foobar" ); + test_case( "in operator", p1 in "foobar" ); test_case( "in operator", p2 in "foobar" ); test_case( "!in operator", p3 !in "foobar" ); -} + test_case( "& operator", p1 & p2 in "baroob" ); + test_case( "& operator", p2 & p1 in "baroob" ); + test_case( "| operator", p1 | p2 in "lazybarlazy" ); + test_case( "| operator", p3 | p4 in "xoob" ); + + test_case( "/i pattern modifier", /fOO/i in "xFoObar" ); + test_case( "/i pattern modifier", /fOO/i == "Foo" ); + + test_case( "/i double-quote escape", /"fOO"/i in "xFoObar" ); + test_case( "/i double-quote escape", /"fOO"/i in "xfOObar" ); + + test_case( "case-sensitive pattern", /fOO/ in "xFoObar" ); + test_case( "case-sensitive pattern", /fOO/ == "Foo" ); + test_case( "case-sensitive pattern", /fOO/ == "fOO" ); + + test_case( "/i pattern disjunction", /bar/i | /bez/ == "bez" ); + test_case( "/i pattern disjunction", /bar/i | /bez/ == "bEz" ); + test_case( "/i pattern disjunction", /bar/i | /bez/ == "bar" ); + test_case( "/i pattern disjunction", /bar/i | /bez/ == "bAr" ); + + test_case( "/i pattern concatenation", /bar/i & /bez/ == "barbez" ); + test_case( "/i pattern concatenation", /bar/i & /bez/ == "barbEz" ); + test_case( "/i pattern concatenation", /BAR/i & /bez/ == "barbEz" ); + test_case( "/i pattern concatenation", /bar/i & /bez/ == "bArbez" ); + test_case( "/i pattern concatenation", /BAR/i & /bez/ == "bArbez" ); + test_case( "/i pattern concatenation", /bar/i & /bez/ == "bArbEz" ); + + test_case( "/i pattern character class", /ba[0a-c99S-Z0]/i & /bEz/ == "bArbEz" ); + test_case( "/i pattern character class", /ba[0a-c99M-S0]/i & /bEz/ == "bArbEz" ); + + test_case( "(?i:...) 
pattern construct", /foo|(?i:bar)/ in "xBAry" ); + test_case( "(?i:...) pattern construct", /foo|(?i:bar)/ in "xFOoy" ); + test_case( "(?i:...) pattern construct", /foo|(?i:bar)/ | /foo/i in "xFOoy" ); + +} diff --git a/testing/btest/language/record-default-coercion.bro b/testing/btest/language/record-default-coercion.bro index 822b845f65..9d8babf571 100644 --- a/testing/btest/language/record-default-coercion.bro +++ b/testing/btest/language/record-default-coercion.bro @@ -43,6 +43,6 @@ print_bar(bar6); local r: MyRecord = [$c=13]; print r; print |r$v|; -r$v[|r$v|] = "test"; +r$v += "test"; print r; print |r$v|; diff --git a/testing/btest/language/record-redef-after-init.bro b/testing/btest/language/record-redef-after-init.bro new file mode 100644 index 0000000000..693d8bac76 --- /dev/null +++ b/testing/btest/language/record-redef-after-init.bro 
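Review bot: Several of the `test_case` calls added to pattern.bro appear to be false by design, for example `/fOO/ in "xFoObar"` and `/fOO/ == "Foo"` under "case-sensitive pattern", and `/bar/i | /bez/ == "bEz"`. Nothing in the script marks them, so only the baseline tells a reader which failures are intended. A trailing comment such as `# expected to fail: no /i modifier` on each negative case would separate intent from regression when the baseline is regenerated. The same applies to the negative cases added to set.bro later in this diff (`a < b`, `b > a`, `(a <= b) || (a >= b)`). The enclosing `bro_init` starts outside this hunk.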
@@ -0,0 +1,52 @@ +# @TEST-EXEC: bro -b %INPUT >output +# @TEST-EXEC: btest-diff output + +type myrec: record { + a: string; +}; + +const mr = myrec($a = "init") &redef; + +redef mr = myrec($a = "redef"); + +# Many fields may help ensure out-of-bounds reference failures +redef record myrec += { + d: string &optional; + e: string &optional; + f: string &optional; + g: string &optional; + h: string &optional; + i: string &optional; + j: string &optional; + k: string &optional; + l: string &optional; + m: string &optional; + n: string &optional; + o: string &optional; + p: string &optional; + q: string &default="OPTQ"; +}; + +print mr; # original 'myrec' type with updated a value +print myrec($a = "runtime"); # check we get new defaults + +local mr2 = myrec($a = "local"); +print mr2; + +mr2 = mr; # Copying should do the right thing +print mr2; + +local mr3: myrec = mr; # Initializing should do the right thing +print mr3; + +if ( mr?$q ) # the test that did not work properly + { + print mr$q; # accessed invalid memory location + } +mr$p = "newp"; # Assignment updates mr as much as needed +print mr$p; +print mr; +print mr$q; +mr$q = "our value"; +print mr$q; +print mr; diff --git a/testing/btest/language/set.bro b/testing/btest/language/set.bro index d1eef7e6f0..56cd649b49 100644 --- a/testing/btest/language/set.bro +++ b/testing/btest/language/set.bro 
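Review bot: The invalid memory access that record-redef-after-init.bro targets (`mr?$q` and `mr$q` after the `redef record`) is only caught if the bad read happens to change the printed output or crash the process. The script's own comment about many fields suggests as much. I would say so in the header, e.g. `# Most reliable when bro is built with a memory sanitizer or run under a memory checker; a plain build may read stale memory and still match the baseline.` This is a documentation change only.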
@@ -136,5 +136,50 @@ event bro_init() delete sg3["curly"]; test_case( "remove element", |sg3| == 3 ); test_case( "!in operator", "curly" !in sg3 ); + + + local a = set(1,5,7,9,8,14); + local b = set(1,7,9,2); + + local a_plus_b = set(1,2,5,7,9,8,14); + local a_also_b = set(1,7,9); + local a_sans_b = set(5,8,14); + local b_sans_a = set(2); + + local a_or_b = a | b; + local a_and_b = a & b; + + test_case( "union", a_or_b == a_plus_b ); + test_case( "intersection", a_and_b == a_plus_b ); + test_case( "difference", a - b == a_sans_b ); + test_case( "difference", b - a == b_sans_a ); + + test_case( "union/inter.", |b & set(1,7,9,2)| == |b | set(1,7,2,9)| ); + test_case( "relational", |b & a_or_b| == |b| && |b| < |a_or_b| ); + test_case( "relational", b < a_or_b && a < a_or_b && a_or_b > a_and_b ); + + test_case( "subset", b < a ); + test_case( "subset", a < b ); + test_case( "subset", b < (a | set(2)) ); + test_case( "superset", b > a ); + test_case( "superset", b > (a | set(2)) ); + test_case( "superset", b | set(8, 14, 5) > (a | set(2)) ); + test_case( "superset", b | set(8, 14, 99, 5) > (a | set(2)) ); + + test_case( "non-ordering", (a <= b) || (a >= b) ); + test_case( "non-ordering", (a <= a_or_b) && (a_or_b >= b) ); + + test_case( "superset", (b | set(14, 5)) > a - set(8) ); + test_case( "superset", (b | set(14)) > a - set(8) ); + test_case( "superset", (b | set(14)) > a - set(8,5) ); + test_case( "superset", b >= a - set(5,8,14) ); + test_case( "superset", b > a - set(5,8,14) ); + test_case( "superset", (b - set(2)) > a - set(5,8,14) ); + test_case( "equality", a == a | set(5) ); + test_case( "equality", a == a | set(5,11) ); + test_case( "non-equality", a != a | set(5,11) ); + test_case( "equality", a == a | set(5,11) ); + + test_case( "magnitude", |a_and_b| == |a_or_b|); } diff --git a/testing/btest/language/switch-error-mixed.bro b/testing/btest/language/switch-error-mixed.bro new file mode 100644 index 0000000000..78c7a2091f --- /dev/null 
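Review bot: In set.bro, `a_also_b` is declared as `set(1,7,9)` but never referenced in this hunk, and the "intersection" case compares `a_and_b` with the union value `a_plus_b` instead. If that case is meant to pass, the line should read `test_case( "intersection", a_and_b == a_also_b );`. If it is a deliberate negative case, a comment saying so and removing the unused local would avoid the ambiguity. As written, a broken set `&` that returned anything other than the full union would still produce the same recorded result. The enclosing `bro_init` starts outside this hunk.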
+++ b/testing/btest/language/switch-error-mixed.bro @@ -0,0 +1,13 @@ +# @TEST-EXEC-FAIL: bro -b %INPUT >out 2>&1 +# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff out + +function switch_one(v: count): string + { + switch (v) { + case 42: + return "42!"; + case type count: + return "Count!"; + } + } + diff --git a/testing/btest/language/switch-types-error-duplicate.bro b/testing/btest/language/switch-types-error-duplicate.bro new file mode 100644 index 0000000000..846d228be3 --- /dev/null +++ b/testing/btest/language/switch-types-error-duplicate.bro @@ -0,0 +1,18 @@ +# @TEST-EXEC-FAIL: bro -b %INPUT >out 2>&1 +# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff out + +function switch_one(v: any): string + { + switch (v) { + case type string: + return "String!"; + case type count: + return "Count!"; + case type bool, type count: + return "Bool or address!"; + default: + return "Somethign else!"; + } + + } + diff --git a/testing/btest/language/switch-types-error-unsupported.bro b/testing/btest/language/switch-types-error-unsupported.bro new file mode 100644 index 0000000000..d8b8d039df --- /dev/null +++ b/testing/btest/language/switch-types-error-unsupported.bro @@ -0,0 +1,17 @@ +# @TEST-EXEC-FAIL: bro -b %INPUT >out 2>&1 +# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff out + +function switch_one(v: string): string + { + switch (v) { + case type string: + return "String!"; + case type count: + return "Count!"; + case type bool, type addr: + return "Bool or address!"; + default: + return "Somethign else!"; + } + } + diff --git a/testing/btest/language/switch-types-vars.bro b/testing/btest/language/switch-types-vars.bro new file mode 100644 index 0000000000..1b0ca5591b --- /dev/null +++ b/testing/btest/language/switch-types-vars.bro 
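Review bot: The default branch in switch-types-error-duplicate.bro and switch-types-error-unsupported.bro returns `"Somethign else!"`, a typo for "Something", and the same string recurs in switch-types-vars.bro and switch-types.bro in the following hunks. In switch-types-error-duplicate.bro the third case is `case type bool, type count:` yet still returns `"Bool or address!"`, which reads as a copy of the sibling test rather than a description of the case. The runnable scripts print the string, so correcting it means regenerating their baselines in the same commit.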
@@ -0,0 +1,48 @@ +# @TEST-EXEC: bro -b %INPUT >out +# @TEST-EXEC: btest-diff out + +function switch_one(v: any) + { + switch (v) { + case type string as s: + print "string!", s; + break; + + case type count as c: + print "count!", c; + break; + + case type int: + print "int!"; + break; + + case type double, type port: + print "double or port"; + break; + + case type bool as b, type addr as a: + print "Bool or address?"; + + if ( v is bool ) + print " bool", b; + + if ( v is addr ) + print " addr", a; + + break; + default: + print "Somethign else!"; + break; + } + } + +event bro_init() + { + switch_one("My StrIng"); + switch_one(42); + switch_one(1.2.3.4); + switch_one(T); + switch_one(-13); + switch_one(42/udp); + switch_one(3.1415926); + } diff --git a/testing/btest/language/switch-types.bro b/testing/btest/language/switch-types.bro new file mode 100644 index 0000000000..468ba93922 --- /dev/null +++ b/testing/btest/language/switch-types.bro @@ -0,0 +1,43 @@ +# @TEST-EXEC: bro -b %INPUT >out +# @TEST-EXEC: btest-diff out + +function switch_one(v: any): string + { + switch (v) { + case type string: + return "String!"; + case type count: + return "Count!"; + case type bool, type addr: + return "Bool or address!"; + default: + return "Somethign else!"; + } + } + +function switch_one_no_default(v: any): string + { + switch (v) { + case type string: + return "String!"; + case type count: + return "Count!"; + case type bool, type addr: + return "Bool or address!"; + } + + return "n/a"; + } + + +event bro_init() + { + print switch_one("string"); + print switch_one(42); + print switch_one(T); + print switch_one(1947/tcp); + print ""; + print switch_one_no_default(1.2.3.4); + print switch_one_no_default(1947/tcp); + + } diff --git a/testing/btest/language/type-cast-any.bro b/testing/btest/language/type-cast-any.bro new file mode 100644 index 0000000000..ddd4ea2dbe --- /dev/null +++ b/testing/btest/language/type-cast-any.bro 
@@ -0,0 +1,45 @@ +# @TEST-EXEC: bro -b %INPUT >output 2>&1 +# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff output + +type X: record { + a: addr; + b: port; +}; + +function cast_to_string(a: any, b: string) + { + local P = (a as string); + local Cmp = (P == b); + print a, P, P is string, fmt("%s==%s => %s", b, P, Cmp); + } + +function cast_to_count(a: any, b: count) + { + local P = (a as count); + local Cmp = (P == b); + print a, P, P is count, fmt("%s==%s => %s", b, P, Cmp); + } + +function cast_to_X(a: any, b: X) + { + local P = (a as X); + local Cmp = (P$a == b$a && P$b == b$b); + print a, P, P is X, fmt("%s==%s => %s", b, P, Cmp); + } + +event bro_init() + { + local x: X; + x = [$a = 1.2.3.4, $b=1947/tcp]; + + cast_to_string("Foo", "Foo"); + cast_to_string("Foo", "Bar"); + + cast_to_count(42, 42); + cast_to_count(42, 21); + + cast_to_X(x, [$a=1.2.3.4, $b=1947/tcp]); + cast_to_X(x, [$a=2.3.4.5, $b=1947/tcp]); + } + + diff --git a/testing/btest/language/type-cast-error-dynamic.bro b/testing/btest/language/type-cast-error-dynamic.bro new file mode 100644 index 0000000000..91fa212ce4 --- /dev/null +++ b/testing/btest/language/type-cast-error-dynamic.bro @@ -0,0 +1,25 @@ +# @TEST-EXEC: bro -b %INPUT >output 2>&1 +# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff output + +type X: record { + a: addr; + b: port; +}; + +function cast_to_string(a: any) + { + print a as string; + } + +event bro_init() + { + local x: X; + x = [$a = 1.2.3.4, $b=1947/tcp]; + + cast_to_string(42); + cast_to_string(x); + cast_to_string(Broker::Data()); + print "data is string", Broker::Data() is string; + } + + diff --git a/testing/btest/language/type-cast-error-static.bro b/testing/btest/language/type-cast-error-static.bro new file mode 100644 index 0000000000..3533fef3cb --- /dev/null +++ b/testing/btest/language/type-cast-error-static.bro 
@@ -0,0 +1,18 @@ +# @TEST-EXEC-FAIL: bro -b %INPUT >output 2>&1 +# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff output + +type X: record { + a: addr; + b: port; +}; + +event bro_init() + { + local x: X; + x = [$a = 1.2.3.4, $b=1947/tcp]; + + print "string" as count; + print "string" as X; + } + + diff --git a/testing/btest/language/type-cast-same.bro b/testing/btest/language/type-cast-same.bro new file mode 100644 index 0000000000..93c3b633fa --- /dev/null +++ b/testing/btest/language/type-cast-same.bro @@ -0,0 +1,21 @@ +# @TEST-EXEC: bro -b %INPUT >output 2>&1 +# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff output + +type X: record { + a: addr; + b: port; +}; + +event bro_init() + { + local x: X; + x = [$a = 1.2.3.4, $b=1947/tcp]; + + local s = "sTriNg" as string; + local y = x as X; + + print s, s is string; + print y, y is X; + } + + diff --git a/testing/btest/language/type-check-any.bro b/testing/btest/language/type-check-any.bro new file mode 100644 index 0000000000..5d882c8997 --- /dev/null +++ b/testing/btest/language/type-check-any.bro @@ -0,0 +1,24 @@ +# @TEST-EXEC: bro -b %INPUT >output 2>&1 +# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff output + +type X: record { + a: addr; + b: port; +}; + +function check(a: any) + { + print a, a is string, a is count, a is X; + } + +event bro_init() + { + local x: X; + x = [$a = 1.2.3.4, $b=1947/tcp]; + + check("Foo"); + check(1); + check(x); + } + + diff --git a/testing/btest/language/uninitialized-local2.bro b/testing/btest/language/uninitialized-local2.bro new file mode 100644 index 0000000000..f11a5fda10 --- /dev/null +++ b/testing/btest/language/uninitialized-local2.bro 
@@ -0,0 +1,25 @@ +# @TEST-EXEC: bro -b %INPUT >out 2>&1 +# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff out + +event test() + { + local var_a: string = "foo"; + } + +event test() + { + if ( F ) + { + local var_b: string = "bar"; + } + + local var_a: string = "baz"; + + print "var_a is", var_a; + print "var_b is", var_b; + } + +event bro_init() + { + event test(); + } diff --git a/testing/btest/language/vector.bro b/testing/btest/language/vector.bro index 76fc8b69e3..85bed8eae2 100644 --- a/testing/btest/language/vector.bro +++ b/testing/btest/language/vector.bro @@ -163,5 +163,10 @@ event bro_init() test_case( "&& operator", v14[0] == F && v14[1] == F && v14[2] == T ); test_case( "|| operator", v15[0] == T && v15[1] == F && v15[2] == T ); + # Test += operator. + local v16 = v6; + v16 += 40; + test_case( "+= operator", all_set(v16 == vector( 10, 20, 30, 40 )) ); + } diff --git a/testing/btest/language/when.bro b/testing/btest/language/when.bro index d996d1c026..795552a422 100644 --- a/testing/btest/language/when.bro +++ b/testing/btest/language/when.bro @@ -4,7 +4,7 @@ # @TEST-EXEC: mv test1/.stdout out # @TEST-EXEC: btest-diff out -@load frameworks/communication/listen +redef exit_only_after_terminate = T; event bro_init() { diff --git a/testing/btest/plugins/api-version-mismatch.sh b/testing/btest/plugins/api-version-mismatch.sh deleted file mode 100644 index 2483582359..0000000000 --- a/testing/btest/plugins/api-version-mismatch.sh +++ /dev/null 
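Review bot: In the vector.bro hunk, `local v16 = v6;` most likely does not copy the vector, since Bro assigns container values by reference as far as I know, so `v16 += 40` would also append to `v6`. That is harmless only because this is the last check in `bro_init`; any case added below that reads `v6` would see four elements. `local v16 = copy(v6);` keeps the new check self-contained. The start of `bro_init` is outside this hunk.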
@@ -1,8 +0,0 @@ -# @TEST-EXEC: ${DIST}/aux/bro-aux/plugin-support/init-plugin -u . Demo Foo -# @TEST-EXEC: bash %INPUT -# @TEST-EXEC: ./configure --bro-dist=${DIST} && make -# @TEST-EXEC-FAIL: BRO_PLUGIN_PATH=`pwd` bro -NN Demo::Foo >tmp 2>&1 -# @TEST-EXEC: cat tmp | sed 's/Demo-Foo[-a-zA-Z0-9_.]*/XXX/' >>output -# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff output - -( echo '#define BRO_PLUGIN_API_VERSION 42'; cat src/Plugin.cc; ) >src/Plugin.cc.tmp && mv src/Plugin.cc.tmp src/Plugin.cc diff --git a/testing/btest/plugins/hooks-plugin/src/Plugin.cc b/testing/btest/plugins/hooks-plugin/src/Plugin.cc index 407ad1c242..c5b8f4e981 100644 --- a/testing/btest/plugins/hooks-plugin/src/Plugin.cc +++ b/testing/btest/plugins/hooks-plugin/src/Plugin.cc @@ -3,6 +3,8 @@ #include #include +#include +#include namespace plugin { namespace Demo_Hooks { Plugin plugin; } } @@ -18,6 +20,9 @@ plugin::Configuration Plugin::Configure() EnableHook(META_HOOK_PRE); EnableHook(META_HOOK_POST); EnableHook(HOOK_BRO_OBJ_DTOR); + EnableHook(HOOK_SETUP_ANALYZER_TREE); + EnableHook(HOOK_LOG_INIT); + EnableHook(HOOK_LOG_WRITE); plugin::Configuration config; config.name = "Demo::Hooks"; @@ -41,10 +46,10 @@ static void describe_hook_args(const plugin::HookArgumentList& args, ODesc* d) } } -int Plugin::HookLoadFile(const std::string& file, const std::string& ext) +int Plugin::HookLoadFile(const LoadType type, const std::string& file, const std::string& resolved) { - fprintf(stderr, "%.6f %-15s %s/%s\n", network_time, "| HookLoadFile", - file.c_str(), ext.c_str()); + fprintf(stderr, "%.6f %-15s %s %s\n", network_time, "| HookLoadFile", + file.c_str(), resolved.c_str()); return -1; } 
@@ -121,3 +126,134 @@ void Plugin::MetaHookPost(HookType hook, const HookArgumentList& args, HookArgum hook_name(hook), d1.Description(), d2.Description()); } + +void Plugin::HookSetupAnalyzerTree(Connection *conn) + { + ODesc d; + d.SetShort(); + conn->Describe(&d); + + fprintf(stderr, "%.6f %-15s %s\n", network_time, "| HookSetupAnalyzerTree", d.Description()); + } + +void Plugin::HookLogInit(const std::string& writer, const std::string& instantiating_filter, bool local, bool remote, const logging::WriterBackend::WriterInfo& info, int num_fields, const threading::Field* const* fields) + { + ODesc d; + + d.Add("{"); + for ( int i=0; i < num_fields; i++ ) + { + const threading::Field* f = fields[i]; + + if ( i > 0 ) + d.Add(", "); + + d.Add(f->name); + d.Add(" ("); + d.Add(f->TypeName()); + d.Add(")"); + } + d.Add("}"); + + fprintf(stderr, "%.6f %-15s %s %d/%d %s\n", network_time, "| HookLogInit", info.path, local, remote, d.Description()); + } + +void Plugin::RenderVal(const threading::Value* val, ODesc &d) const + { + if ( ! val->present ) + { + d.Add(""); + return; + } + + switch ( val->type ) { + + case TYPE_BOOL: + d.Add(val->val.int_val ? 
"T" : "F"); + break; + + case TYPE_INT: + d.Add(val->val.int_val); + break; + + case TYPE_COUNT: + case TYPE_COUNTER: + d.Add(val->val.uint_val); + break; + + case TYPE_PORT: + d.Add(val->val.port_val.port); + break; + + case TYPE_SUBNET: + d.Add(threading::formatter::Formatter::Render(val->val.subnet_val)); + break; + + case TYPE_ADDR: + d.Add(threading::formatter::Formatter::Render(val->val.addr_val)); + break; + + case TYPE_DOUBLE: + d.Add(val->val.double_val, true); + break; + + case TYPE_INTERVAL: + case TYPE_TIME: + d.Add(threading::formatter::Formatter::Render(val->val.double_val)); + break; + + case TYPE_ENUM: + case TYPE_STRING: + case TYPE_FILE: + case TYPE_FUNC: + d.AddN(val->val.string_val.data, val->val.string_val.length); + break; + + case TYPE_TABLE: + for ( int j = 0; j < val->val.set_val.size; j++ ) + { + if ( j > 0 ) + d.Add(","); + + RenderVal(val->val.set_val.vals[j], d); + } + break; + + case TYPE_VECTOR: + for ( int j = 0; j < val->val.vector_val.size; j++ ) + { + if ( j > 0 ) + d.Add(","); + + RenderVal(val->val.vector_val.vals[j], d); + } + break; + + default: + assert(false); + } + } + +bool Plugin::HookLogWrite(const std::string& writer, const std::string& filter, const logging::WriterBackend::WriterInfo& info, int num_fields, const threading::Field* const* fields, threading::Value** vals) + { + ODesc d; + + d.Add("["); + for ( int i=0; i < num_fields; i++ ) + { + const threading::Field* f = fields[i]; + const threading::Value* val = vals[i]; + + if ( i > 0 ) + d.Add(", "); + + d.Add(f->name); + d.Add("="); + + RenderVal(val, d); + } + d.Add("]"); + + fprintf(stderr, "%.6f %-15s %s %s\n", network_time, "| HookLogWrite", info.path, d.Description()); + return true; + } diff --git a/testing/btest/plugins/hooks-plugin/src/Plugin.h b/testing/btest/plugins/hooks-plugin/src/Plugin.h index efbd25bc2d..1192304976 100644 --- a/testing/btest/plugins/hooks-plugin/src/Plugin.h +++ b/testing/btest/plugins/hooks-plugin/src/Plugin.h 
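Review bot: `RenderVal` ends its switch with `default: assert(false);`, which compiles to nothing when the plugin is built with NDEBUG, so a `threading::Value` of an unlisted type would be rendered as nothing with no diagnostic. Emitting a visible marker instead, e.g. `default: d.Add("<unsupported type>"); break;`, keeps the gap observable in every build. `HookLogWrite` and `RenderVal` also dereference `vals[i]` and the nested `set_val.vals[j]` / `vector_val.vals[j]` without a null check. If the logging framework guarantees non-null entries, a one-line comment stating that would help the next reader.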
@@ -10,17 +10,22 @@ namespace Demo_Hooks { class Plugin : public ::plugin::Plugin { protected: - virtual int HookLoadFile(const std::string& file, const std::string& ext); - virtual std::pair HookCallFunction(const Func* func, Frame* frame, val_list* args); - virtual bool HookQueueEvent(Event* event); - virtual void HookDrainEvents(); - virtual void HookUpdateNetworkTime(double network_time); - virtual void HookBroObjDtor(void* obj); - virtual void MetaHookPre(HookType hook, const HookArgumentList& args); - virtual void MetaHookPost(HookType hook, const HookArgumentList& args, HookArgument result); + int HookLoadFile(const LoadType type, const std::string& file, const std::string& resolved) override; + std::pair HookCallFunction(const Func* func, Frame* frame, val_list* args) override; + bool HookQueueEvent(Event* event) override; + void HookDrainEvents() override; + void HookUpdateNetworkTime(double network_time) override; + void HookBroObjDtor(void* obj) override; + void HookLogInit(const std::string& writer, const std::string& instantiating_filter, bool local, bool remote, const logging::WriterBackend::WriterInfo& info, int num_fields, const threading::Field* const* fields) override; + bool HookLogWrite(const std::string& writer, const std::string& filter, const logging::WriterBackend::WriterInfo& info, int num_fields, const threading::Field* const* fields, threading::Value** vals) override; + void HookSetupAnalyzerTree(Connection *conn) override; + void MetaHookPre(HookType hook, const HookArgumentList& args) override; + void MetaHookPost(HookType hook, const HookArgumentList& args, HookArgument result) override; + + void RenderVal(const threading::Value* val, ODesc &d) const; // Overridden from plugin::Plugin. - virtual plugin::Configuration Configure(); + plugin::Configuration Configure() override; }; extern Plugin plugin; 
diff --git a/testing/btest/plugins/logging-hooks-plugin/.btest-ignore b/testing/btest/plugins/logging-hooks-plugin/.btest-ignore new file mode 100644 index 0000000000..e69de29bb2 diff --git a/testing/btest/plugins/logging-hooks-plugin/src/Plugin.cc b/testing/btest/plugins/logging-hooks-plugin/src/Plugin.cc new file mode 100644 index 0000000000..32dd2b17b3 --- /dev/null +++ b/testing/btest/plugins/logging-hooks-plugin/src/Plugin.cc @@ -0,0 +1,60 @@ + +#include "Plugin.h" + +#include +#include +#include +#include + +namespace plugin { namespace Log_Hooks { Plugin plugin; } } + +using namespace plugin::Log_Hooks; + +plugin::Configuration Plugin::Configure() + { + round = 0; + EnableHook(HOOK_LOG_INIT); + EnableHook(HOOK_LOG_WRITE); + + plugin::Configuration config; + config.name = "Log::Hooks"; + config.description = "Exercises Log hooks"; + config.version.major = 1; + config.version.minor = 0; + return config; + } + +void Plugin::HookLogInit(const std::string& writer, const std::string& instantiating_filter, bool local, bool remote, const logging::WriterBackend::WriterInfo& info, int num_fields, const threading::Field* const* fields) + { + ODesc d; + + d.Add("{"); + for ( int i=0; i < num_fields; i++ ) + { + const threading::Field* f = fields[i]; + + if ( i > 0 ) + d.Add(", "); + + d.Add(f->name); + d.Add(" ("); + d.Add(f->TypeName()); + d.Add(")"); + } + d.Add("}"); + + fprintf(stderr, "%.6f %-15s %s %d/%d %s\n", network_time, "| HookLogInit", info.path, local, remote, d.Description()); + } + +bool Plugin::HookLogWrite(const std::string& writer, const std::string& filter, const logging::WriterBackend::WriterInfo& info, int num_fields, const threading::Field* const* fields, threading::Value** vals) + { + round++; + if ( round == 1 ) // do not output line + return false; + else if ( round == 2 ) + vals[0]->val.int_val = 0; + else if ( round == 3 ) + vals[1]->present = false; + + return true; + } 
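Review bot: In logging-hooks-plugin/src/Plugin.cc, `HookLogWrite` writes `vals[0]->val.int_val` on the second call and `vals[1]->present` on the third without consulting `num_fields`, `fields[i]->type` or which stream is being written. A write with fewer than two fields reaching the hook at that point would index past the array, and a first field of another type would have its union overwritten through the wrong member. Guarding the branches, e.g. `else if ( round == 2 && num_fields > 0 )` and `else if ( round == 3 && num_fields > 1 )`, keeps the plugin safe if another stream becomes active under the test. `round` is also only set in `Configure()`; an in-class initialiser (`int round = 0;`) in Plugin.h would not depend on call order.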
diff --git a/testing/btest/plugins/logging-hooks-plugin/src/Plugin.h b/testing/btest/plugins/logging-hooks-plugin/src/Plugin.h new file mode 100644 index 0000000000..12b821c22c --- /dev/null +++ b/testing/btest/plugins/logging-hooks-plugin/src/Plugin.h @@ -0,0 +1,28 @@ + +#ifndef BRO_PLUGIN_Log_Hooks +#define BRO_PLUGIN_Log_Hooks + +#include + +namespace plugin { +namespace Log_Hooks { + +class Plugin : public ::plugin::Plugin +{ +protected: + void HookLogInit(const std::string& writer, const std::string& instantiating_filter, bool local, bool remote, const logging::WriterBackend::WriterInfo& info, int num_fields, const threading::Field* const* fields) override; + bool HookLogWrite(const std::string& writer, const std::string& filter, const logging::WriterBackend::WriterInfo& info, int num_fields, const threading::Field* const* fields, threading::Value** vals) override; + + // Overridden from plugin::Plugin. + plugin::Configuration Configure() override; + +private: + int round; +}; + +extern Plugin plugin; + +} +} + +#endif diff --git a/testing/btest/plugins/logging-hooks.bro b/testing/btest/plugins/logging-hooks.bro new file mode 100644 index 0000000000..f2ca926c06 --- /dev/null +++ b/testing/btest/plugins/logging-hooks.bro 
@@ -0,0 +1,72 @@ +# @TEST-EXEC: ${DIST}/aux/bro-aux/plugin-support/init-plugin -u . Log Hooks +# @TEST-EXEC: cp -r %DIR/logging-hooks-plugin/* . +# @TEST-EXEC: ./configure --bro-dist=${DIST} && make +# @TEST-EXEC: BRO_PLUGIN_ACTIVATE="Log::Hooks" BRO_PLUGIN_PATH=`pwd` bro -b %INPUT 2>&1 | $SCRIPTS/diff-remove-abspath | sort | uniq >output +# @TEST-EXEC: btest-diff output +# @TEST-EXEC: btest-diff ssh.log + +redef LogAscii::empty_field = "EMPTY"; + +module SSH; + +export { + redef enum Log::ID += { LOG }; + + type Log: record { + b: bool; + i: int &optional; + e: Log::ID; + c: count; + p: port; + sn: subnet; + a: addr; + d: double; + t: time; + iv: interval; + s: string; + sc: set[count]; + ss: set[string]; + se: set[string]; + vc: vector of count; + ve: vector of string; + f: function(i: count) : string; + } &log; +} + +function foo(i : count) : string + { + if ( i > 0 ) + return "Foo"; + else + return "Bar"; + } + +event bro_init() +{ + Log::create_stream(SSH::LOG, [$columns=Log]); + + local empty_set: set[string]; + local empty_vector: vector of string; + + local i = 0; + while ( ++i < 4 ) + Log::write(SSH::LOG, [ + $b=T, + $i=-i, + $e=SSH::LOG, + $c=21, + $p=123/tcp, + $sn=10.0.0.1/24, + $a=1.2.3.4, + $d=3.14, + $t=network_time(), + $iv=100secs, + $s="hurz", + $sc=set(1,2,3,4), + $ss=set("AA", "BB", "CC"), + $se=empty_set, + $vc=vector(10, 20, 30), + $ve=empty_vector, + $f=foo + ]); +} diff --git a/testing/btest/plugins/reporter-hook-plugin/.btest-ignore b/testing/btest/plugins/reporter-hook-plugin/.btest-ignore new file mode 100644 index 0000000000..e69de29bb2 diff --git a/testing/btest/plugins/reporter-hook-plugin/src/Plugin.cc b/testing/btest/plugins/reporter-hook-plugin/src/Plugin.cc new file mode 100644 index 0000000000..9c8eee6ca8 --- /dev/null +++ b/testing/btest/plugins/reporter-hook-plugin/src/Plugin.cc 
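Review bot: The fourth `@TEST-EXEC` line of logging-hooks.bro pipes bro into `$SCRIPTS/diff-remove-abspath | sort | uniq`, so the step's exit status is presumably that of `uniq`, and a crash or non-zero exit of bro would not fail the step by itself. Only the later `btest-diff` would notice, and only if the captured output changed. Writing bro's output to a file in one `@TEST-EXEC` step (`... bro -b %INPUT >raw 2>&1`) and canonifying it in a second (`$SCRIPTS/diff-remove-abspath <raw | sort | uniq >output`) preserves the exit status. reporter-hook.bro, added later in this diff, uses the same pipeline.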
@@ -0,0 +1,43 @@ + +#include "Plugin.h" + +#include +#include +#include +#include + +namespace plugin { namespace Reporter_Hook { Plugin plugin; } } + +using namespace plugin::Reporter_Hook; + +plugin::Configuration Plugin::Configure() + { + EnableHook(HOOK_REPORTER); + + plugin::Configuration config; + config.name = "Reporter::Hook"; + config.description = "Exercise Reporter Hook"; + config.version.major = 1; + config.version.minor = 0; + return config; + } + +bool Plugin::HookReporter(const std::string& prefix, const EventHandlerPtr event, + const Connection* conn, const val_list* addl, bool location, + const Location* location1, const Location* location2, + bool time, const std::string& message) + { + ODesc d; + if ( location1 ) + location1->Describe(&d); + if ( location2 ) + location2->Describe(&d); + + fprintf(stderr, " | Hook %s %s %s\n", prefix.c_str(), message.c_str(), d.Description()); + + if ( message == "An Error that does not show up in the log" ) + return false; + + return true; + } + diff --git a/testing/btest/plugins/reporter-hook-plugin/src/Plugin.h b/testing/btest/plugins/reporter-hook-plugin/src/Plugin.h new file mode 100644 index 0000000000..2e793aba08 --- /dev/null +++ b/testing/btest/plugins/reporter-hook-plugin/src/Plugin.h @@ -0,0 +1,27 @@ + +#ifndef BRO_PLUGIN_Reporter_Hook +#define BRO_PLUGIN_Reporter_Hook + +#include + +namespace plugin { +namespace Reporter_Hook { + +class Plugin : public ::plugin::Plugin +{ +protected: + bool HookReporter(const std::string& prefix, const EventHandlerPtr event, + const Connection* conn, const val_list* addl, bool location, + const Location* location1, const Location* location2, + bool time, const std::string& buffer) override; + + // Overridden from plugin::Plugin. + plugin::Configuration Configure() override; +}; + +extern Plugin plugin; + +} +} + +#endif diff --git a/testing/btest/plugins/reporter-hook.bro b/testing/btest/plugins/reporter-hook.bro new file mode 100644 index 0000000000..13e98fc76e 
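Review bot: In reporter-hook-plugin/src/Plugin.cc, `HookReporter` describes `location1` and `location2` into the same `ODesc` with nothing between them, so when both are set the two locations run together in the stderr line. Adding `d.Add(", ");` between the two `Describe` calls when both pointers are non-null would keep them readable. The last parameter is named `message` here but `buffer` in the Plugin.h declaration added in the next hunk; one name in both places would be clearer. A short comment above `return false;`, such as `// returning false presumably keeps this message out of reporter.log`, would document what the test is demonstrating.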
--- /dev/null +++ b/testing/btest/plugins/reporter-hook.bro @@ -0,0 +1,24 @@ +# @TEST-EXEC: ${DIST}/aux/bro-aux/plugin-support/init-plugin -u . Reporter Hook +# @TEST-EXEC: cp -r %DIR/reporter-hook-plugin/* . +# @TEST-EXEC: ./configure --bro-dist=${DIST} && make +# @TEST-EXEC: BRO_PLUGIN_ACTIVATE="Reporter::Hook" BRO_PLUGIN_PATH=`pwd` bro -b %INPUT 2>&1 | $SCRIPTS/diff-remove-abspath | sort | uniq >output +# @TEST-EXEC: btest-diff output +# @TEST-EXEC: TEST_DIFF_CANONIFIER="$SCRIPTS/diff-remove-abspath | $SCRIPTS/diff-remove-timestamps" btest-diff reporter.log + +@load base/frameworks/reporter + +type TestType: record { + a: bool &optional; +}; + +event bro_init() + { + Reporter::info("Some Info"); + Reporter::warning("A warning"); + Reporter::error("An Error"); + Reporter::error("An Error that does not show up in the log"); + + # And just trigger a runtime problem. + local b = TestType(); + print b$a; + } diff --git a/testing/btest/scripts/base/files/data_event/basic.bro b/testing/btest/scripts/base/files/data_event/basic.bro new file mode 100644 index 0000000000..2877155ebb --- /dev/null +++ b/testing/btest/scripts/base/files/data_event/basic.bro @@ -0,0 +1,20 @@ +# Just a very basic test to check if ANALYZER_DATA_EVENT works. +# Also check if "in" works with binary data. +# @TEST-EXEC: bro -r $TRACES/pe/pe.trace %INPUT +# @TEST-EXEC: btest-diff .stdout +# @TEST-EXEC: btest-diff .stderr + +event stream_data(f: fa_file, data: string) + { + if ( "Windows" in data ) + { + print "Found"; + } + } + +event file_new (f: fa_file) + { + Files::add_analyzer(f, Files::ANALYZER_DATA_EVENT, + [$stream_event=stream_data]); + } + diff --git a/testing/btest/scripts/base/files/x509/signed_certificate_timestamp.test b/testing/btest/scripts/base/files/x509/signed_certificate_timestamp.test new file mode 100644 index 0000000000..7ca60faf96 --- /dev/null +++ b/testing/btest/scripts/base/files/x509/signed_certificate_timestamp.test 
@@ -0,0 +1,67 @@ +# @TEST-EXEC: bro -r $TRACES/tls/certificate-with-sct.pcap %INPUT +# @TEST-EXEC: btest-diff .stdout + +@load protocols/ssl/validate-certs + +redef SSL::ssl_store_valid_chain = T; + +# Test needs a certificate that has since been removed from root stores +redef SSL::root_certs += { + ["CN=Certification Authority of WoSign,O=WoSign CA Limited,C=CN"] = "\x30\x82\x05\x76\x30\x82\x03\x5E\xA0\x03\x02\x01\x02\x02\x10\x5E\x68\xD6\x11\x71\x94\x63\x50\x56\x00\x68\xF3\x3E\xC9\xC5\x91\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x55\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x43\x4E\x31\x1A\x30\x18\x06\x03\x55\x04\x0A\x13\x11\x57\x6F\x53\x69\x67\x6E\x20\x43\x41\x20\x4C\x69\x6D\x69\x74\x65\x64\x31\x2A\x30\x28\x06\x03\x55\x04\x03\x13\x21\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x20\x6F\x66\x20\x57\x6F\x53\x69\x67\x6E\x30\x1E\x17\x0D\x30\x39\x30\x38\x30\x38\x30\x31\x30\x30\x30\x31\x5A\x17\x0D\x33\x39\x30\x38\x30\x38\x30\x31\x30\x30\x30\x31\x5A\x30\x55\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x43\x4E\x31\x1A\x30\x18\x06\x03\x55\x04\x0A\x13\x11\x57\x6F\x53\x69\x67\x6E\x20\x43\x41\x20\x4C\x69\x6D\x69\x74\x65\x64\x31\x2A\x30\x28\x06\x03\x55\x04\x03\x13\x21\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x20\x6F\x66\x20\x57\x6F\x53\x69\x67\x6E\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\xBD\xCA\x8D\xAC\xB8\x91\x15\x56\x97\x7B\x6B\x5C\x7A\xC2\xDE\x6B\xD9\xA1\xB0\xC3\x10\x23\xFA\xA7\xA1\xB2\xCC\x31\xFA\x3E\xD9\xA6\x29\x6F\x16\x3D\xE0\x6B\xF8\xB8\x40\x5F\xDB\x39\xA8\x00\x7A\x8B\xA0\x4D\x54\x7D\xC2\x22\x78\xFC\x8E\x09\xB8\xA8\x85\xD7\xCC\x95\x97\x4B\x74\xD8\x9E\x7E\xF0\x00\xE4\x0E\x89\xAE\x49\x28\x44\x1A\x10\x99\x32\x0F\x25\x88\x53\xA4\x0D\xB3\x0F\x12\x08\x16\x0B\x03\x71\x27\x1C\x7F\xE1\xDB\xD2\xFD\x67\x68\xC4\x05\x5D\x0A\x0E\x5D\x70\xD7\xD8\x97\xA0\xBC\x53\x41\x9A\x91\
x8D\xF4\x9E\x36\x66\x7A\x7E\x56\xC1\x90\x5F\xE6\xB1\x68\x20\x36\xA4\x8C\x24\x2C\x2C\x47\x0B\x59\x76\x66\x30\xB5\xBE\xDE\xED\x8F\xF8\x9D\xD3\xBB\x01\x30\xE6\xF2\xF3\x0E\xE0\x2C\x92\x80\xF3\x85\xF9\x28\x8A\xB4\x54\x2E\x9A\xED\xF7\x76\xFC\x15\x68\x16\xEB\x4A\x6C\xEB\x2E\x12\x8F\xD4\xCF\xFE\x0C\xC7\x5C\x1D\x0B\x7E\x05\x32\xBE\x5E\xB0\x09\x2A\x42\xD5\xC9\x4E\x90\xB3\x59\x0D\xBB\x7A\x7E\xCD\xD5\x08\x5A\xB4\x7F\xD8\x1C\x69\x11\xF9\x27\x0F\x7B\x06\xAF\x54\x83\x18\x7B\xE1\xDD\x54\x7A\x51\x68\x6E\x77\xFC\xC6\xBF\x52\x4A\x66\x46\xA1\xB2\x67\x1A\xBB\xA3\x4F\x77\xA0\xBE\x5D\xFF\xFC\x56\x0B\x43\x72\x77\x90\xCA\x9E\xF9\xF2\x39\xF5\x0D\xA9\xF4\xEA\xD7\xE7\xB3\x10\x2F\x30\x42\x37\x21\xCC\x30\x70\xC9\x86\x98\x0F\xCC\x58\x4D\x83\xBB\x7D\xE5\x1A\xA5\x37\x8D\xB6\xAC\x32\x97\x00\x3A\x63\x71\x24\x1E\x9E\x37\xC4\xFF\x74\xD4\x37\xC0\xE2\xFE\x88\x46\x60\x11\xDD\x08\x3F\x50\x36\xAB\xB8\x7A\xA4\x95\x62\x6A\x6E\xB0\xCA\x6A\x21\x5A\x69\xF3\xF3\xFB\x1D\x70\x39\x95\xF3\xA7\x6E\xA6\x81\x89\xA1\x88\xC5\x3B\x71\xCA\xA3\x52\xEE\x83\xBB\xFD\xA0\x77\xF4\xE4\x6F\xE7\x42\xDB\x6D\x4A\x99\x8A\x34\x48\xBC\x17\xDC\xE4\x80\x08\x22\xB6\xF2\x31\xC0\x3F\x04\x3E\xEB\x9F\x20\x79\xD6\xB8\x06\x64\x64\x02\x31\xD7\xA9\xCD\x52\xFB\x84\x45\x69\x09\x00\x2A\xDC\x55\x8B\xC4\x06\x46\x4B\xC0\x4A\x1D\x09\x5B\x39\x28\xFD\xA9\xAB\xCE\x00\xF9\x2E\x48\x4B\x26\xE6\x30\x4C\xA5\x58\xCA\xB4\x44\x82\x4F\xE7\x91\x1E\x33\xC3\xB0\x93\xFF\x11\xFC\x81\xD2\xCA\x1F\x71\x29\xDD\x76\x4F\x92\x25\xAF\x1D\x81\xB7\x0F\x2F\x8C\xC3\x06\xCC\x2F\x27\xA3\x4A\xE4\x0E\x99\xBA\x7C\x1E\x45\x1F\x7F\xAA\x19\x45\x96\xFD\xFC\x3D\x02\x03\x01\x00\x01\xA3\x42\x30\x40\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xE1\x66\xCF\x0E\xD1\xF1\xB3\x4B\xB7\x06\x20\x14\xFE\x87\x12\xD5\xF6\xFE\xFB\x3E\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x02\x01\x00\xA8\xCB\x72\x40\xB2\x76\xC1\x7E\x7B\xFC\xAD\x64\xE3\x32\x7B\xCC\x3C\
xB6\x5D\x46\xD3\xF5\x2C\xE2\x70\x5D\xC8\x2E\xD8\x06\x7D\x98\xD1\x0B\x21\xA0\x89\x59\x24\x01\x9D\xF9\xAF\x09\x7D\x0A\x23\x82\x34\xD5\xFC\x7C\x72\x99\xB9\xA3\xD7\x54\xF4\xEA\x52\x70\x0E\xC5\xF5\xD6\x3B\xE1\x3A\x09\x32\xE6\x21\x39\x93\xBD\xB3\x15\xEA\x4F\x6A\xF4\xF5\x8B\x3F\x2F\x7C\x8D\x58\x2E\xC5\xE1\x39\xA0\x3E\xC7\x3D\x4A\x73\x9E\x40\x7A\xC0\x2B\x61\xA9\x67\xC9\xF3\x24\xB9\xB3\x6D\x55\x2C\x5A\x1D\x9E\x25\x72\xCE\x0B\xAD\xAA\xC7\x55\x62\x0B\xBE\xFB\x63\xB3\x61\x44\x23\xA3\xCB\xE1\x1A\x0E\xF7\x9A\x06\x4D\xDE\xD4\x23\x4E\x21\x96\x5B\x39\x5B\x57\x1D\x2F\x5D\x08\x5E\x09\x79\xFF\x7C\x97\xB5\x4D\x83\xAE\x0D\xD6\xE6\xA3\x79\xE0\x33\xD0\x99\x96\x02\x30\xA7\x3E\xFF\xD2\xA3\x43\x3F\x05\x5A\x06\xEA\x44\x02\xDA\x7C\xF8\x48\xD0\x33\xA9\xF9\x07\xC7\x95\xE1\xF5\x3E\xF5\x5D\x71\xBA\xF2\x95\xA9\x74\x88\x61\x59\xE3\xBF\xCA\x5A\x13\xBA\x72\xB4\x8C\x5D\x36\x87\xE9\xA6\xC5\x3C\x13\xBF\xDE\xD0\x44\x26\xEE\xB7\xEC\x2E\x70\xFA\xD7\x9D\xB7\xAC\xE5\xC5\x40\x5A\xE6\xD7\x6C\x7B\x2C\xC3\x56\x9B\x47\xCD\x0B\xCE\xFA\x1B\xB4\x21\xD7\xB7\x66\xB8\xF4\x25\x30\x8B\x5C\x0D\xB9\xEA\x67\xB2\xF4\x6D\xAE\xD5\xA1\x9E\x4F\xD8\x9F\xE9\x27\x02\xB0\x1D\x06\xD6\x8F\xE3\xFB\x48\x12\x9F\x7F\x11\xA1\x10\x3E\x4C\x51\x3A\x96\xB0\xD1\x13\xF1\xC7\xD8\x26\xAE\x3A\xCA\x91\xC4\x69\x9D\xDF\x01\x29\x64\x51\x6F\x68\xDA\x14\xEC\x08\x41\x97\x90\x8D\xD0\xB2\x80\xF2\xCF\xC2\x3D\xBF\x91\x68\xC5\x80\x67\x1E\xC4\x60\x13\x55\xD5\x61\x99\x57\x7C\xBA\x95\x0F\x61\x49\x3A\xCA\x75\xBC\xC9\x0A\x93\x3F\x67\x0E\x12\xF2\x28\xE2\x31\x1B\xC0\x57\x16\xDF\x08\x7C\x19\xC1\x7E\x0F\x1F\x85\x1E\x0A\x36\x7C\x5B\x7E\x27\xBC\x7A\xBF\xE0\xDB\xF4\xDA\x52\xBD\xDE\x0C\x54\x70\x31\x91\x43\x95\xC8\xBC\xF0\x3E\xDD\x09\x7E\x30\x64\x50\xED\x7F\x01\xA4\x33\x67\x4D\x68\x4F\xBE\x15\xEF\xB0\xF6\x02\x11\xA2\x1B\x13\x25\x3A\xDC\xC2\x59\xF1\xE3\x5C\x46\xBB\x67\x2C\x02\x46\xEA\x1E\x48\xA6\xE6\x5B\xD9\xB5\xBC\x51\xA2\x92\x96\xDB\xAA\xC6\x37\x22\xA6\xFE\xCC\x20\x74\xA3\x2D\xA9\x2E\x6B\xCB\xC0\x82\x11\x21\xB5\x93\x79\xEE\x44\x86\xBE\xD7\x1E\xE4\x1E\xFB", +}; + +export { + 
type LogInfo: record { + version: count; + logid: string; + timestamp: count; + sig_alg: count; + hash_alg: count; + signature: string; + }; +} + +redef record SSL::Info += { + ct_proofs: vector of LogInfo &default=vector(); +}; + +event x509_ocsp_ext_signed_certificate_timestamp(f: fa_file, version: count, logid: string, timestamp: count, hash_algorithm: count, signature_algorithm: count, signature: string) + { + print version, SSL::ct_logs[logid]$description, double_to_time(timestamp/1000.0), hash_algorithm, signature_algorithm; + + if ( |f$conns| != 1 ) + return; + + for ( cid in f$conns ) + { + if ( ! f$conns[cid]?$ssl ) + return; + + local c = f$conns[cid]; + } + + if ( ! c$ssl?$cert_chain || |c$ssl$cert_chain| == 0 || ! c$ssl$cert_chain[0]?$x509 ) + return; + + c$ssl$ct_proofs[|c$ssl$ct_proofs|] = LogInfo($version=version, $logid=logid, $timestamp=timestamp, $sig_alg=signature_algorithm, $hash_alg=hash_algorithm, $signature=signature); + } + +event ssl_established(c: connection) + { + if ( ! c$ssl?$cert_chain || |c$ssl$cert_chain| == 0 || ! c$ssl$cert_chain[0]?$x509 ) + return; + + if ( |c$ssl$valid_chain| < 2 ) + return; + + local cert = c$ssl$cert_chain[0]$x509$handle; + local issuer_key_hash = x509_spki_hash(c$ssl$valid_chain[1], 4); + + for ( i in c$ssl$ct_proofs ) + { + local log = c$ssl$ct_proofs[i]; + + print "Verify of", SSL::ct_logs[log$logid]$description, sct_verify(cert, log$logid, SSL::ct_logs[log$logid]$key, log$signature, log$timestamp, log$hash_alg, issuer_key_hash); + print "Bad verify of", SSL::ct_logs[log$logid]$description, sct_verify(cert, log$logid, SSL::ct_logs[log$logid]$key, log$signature, log$timestamp+1, log$hash_alg, issuer_key_hash); + } + } diff --git a/testing/btest/scripts/base/files/x509/signed_certificate_timestamp_ocsp.test b/testing/btest/scripts/base/files/x509/signed_certificate_timestamp_ocsp.test new file mode 100644 index 0000000000..01ed128541 --- /dev/null 
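Review bot: `SSL::ct_logs[logid]` in `x509_ocsp_ext_signed_certificate_timestamp` and `SSL::ct_logs[log$logid]` in `ssl_established` are indexed without a membership test, so an SCT naming a log that is not in `SSL::ct_logs` raises a runtime error instead of being skipped. The log id is read from the certificate in the trace, which is peer-controlled data, so any script modelled on this test would inherit the problem. A guard such as `if ( logid !in SSL::ct_logs ) return;` before the first `print` avoids it. `ssl_established` also evaluates `|c$ssl$valid_chain|` without first testing `c$ssl?$valid_chain`, which needs the same kind of check if that field is optional. The handler in signed_certificate_timestamp_ocsp.test has the same unguarded lookup.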
+++ b/testing/btest/scripts/base/files/x509/signed_certificate_timestamp_ocsp.test @@ -0,0 +1,31 @@ +# @TEST-EXEC: bro -r $TRACES/tls/signed_certificate_timestamp.pcap %INPUT +# @TEST-EXEC: btest-diff .stdout + +event bro_init() + { + Files::register_for_mime_type(Files::ANALYZER_OCSP_REPLY, "application/ocsp-response"); + } + +event x509_ocsp_ext_signed_certificate_timestamp(f: fa_file, version: count, logid: string, timestamp: count, hash_algorithm: count, signature_algorithm: count, signature: string) + { + print version, SSL::ct_logs[logid]$description, double_to_time(timestamp/1000.0), hash_algorithm, signature_algorithm; + + if ( |f$conns| != 1 ) + return; + + for ( cid in f$conns ) + { + if ( ! f$conns[cid]?$ssl ) + return; + + local c = f$conns[cid]; + } + + if ( ! c$ssl?$cert_chain || |c$ssl$cert_chain| == 0 || ! c$ssl$cert_chain[0]?$x509 ) + return; + + local cert = c$ssl$cert_chain[0]$x509$handle; + + print "Verify of", SSL::ct_logs[logid]$description, sct_verify(cert, logid, SSL::ct_logs[logid]$key, signature, timestamp, hash_algorithm); + print "Bad verify of", SSL::ct_logs[logid]$description, sct_verify(cert, logid, SSL::ct_logs[logid]$key, signature, timestamp+1, hash_algorithm); + } diff --git a/testing/btest/scripts/base/frameworks/cluster/custom_pool_exclusivity.bro b/testing/btest/scripts/base/frameworks/cluster/custom_pool_exclusivity.bro new file mode 100644 index 0000000000..224b259e20 --- /dev/null +++ b/testing/btest/scripts/base/frameworks/cluster/custom_pool_exclusivity.bro 
@@ -0,0 +1,114 @@ +# @TEST-SERIALIZE: comm +# +# @TEST-EXEC: btest-bg-run manager-1 BROPATH=$BROPATH:.. CLUSTER_NODE=manager-1 bro %INPUT +# @TEST-EXEC: btest-bg-run proxy-1 BROPATH=$BROPATH:.. CLUSTER_NODE=proxy-1 bro %INPUT +# @TEST-EXEC: btest-bg-run proxy-2 BROPATH=$BROPATH:.. CLUSTER_NODE=proxy-2 bro %INPUT +# @TEST-EXEC: btest-bg-wait 30 +# @TEST-EXEC: btest-diff manager-1/.stdout + +@TEST-START-FILE cluster-layout.bro +redef Cluster::nodes = { + ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=37757/tcp], + ["proxy-1"] = [$node_type=Cluster::PROXY, $ip=127.0.0.1, $p=37758/tcp, $manager="manager-1"], + ["proxy-2"] = [$node_type=Cluster::PROXY, $ip=127.0.0.1, $p=37759/tcp, $manager="manager-1"], + ["worker-1"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37760/tcp, $manager="manager-1", $interface="eth0"], + ["worker-2"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37761/tcp, $manager="manager-1", $interface="eth1"], +}; +@TEST-END-FILE + +global my_pool_spec: Cluster::PoolSpec = + Cluster::PoolSpec( + $topic = "bro/cluster/pool/my_pool", + $node_type = Cluster::PROXY + ); + +global my_pool: Cluster::Pool; + +redef Cluster::proxy_pool_spec = + Cluster::PoolSpec( + $topic = "bro/cluster/pool/proxy", + $node_type = Cluster::PROXY, + $exclusive = T, + $max_nodes = 1 + ); + +event bro_init() + { + my_pool = Cluster::register_pool(my_pool_spec); + } + +global proxy_count = 0; + +event go_away() + { + terminate(); + } + +function print_stuff(heading: string) + { + print heading; + + local v: vector of count = vector(0, 1, 2, 3, 13, 37, 42, 101); + + for ( i in v ) + { + print "hrw", v[i], Cluster::hrw_topic(Cluster::proxy_pool, v[i]); + print "hrw (custom pool)", v[i], Cluster::hrw_topic(my_pool, v[i]); + } + + local rr_key = "test"; + + for ( i in v ) + { + print "rr", Cluster::rr_topic(Cluster::proxy_pool, rr_key); + print "rr (custom pool)", Cluster::rr_topic(my_pool, rr_key); + } + + # Just checking the same keys still map to same topic 
... + for ( i in v ) + { + print "hrw", v[i], Cluster::hrw_topic(Cluster::proxy_pool, v[i]); + print "hrw (custom pool)", v[i], Cluster::hrw_topic(my_pool, v[i]); + } + } + +event Cluster::node_up(name: string, id: string) + { + if ( Cluster::node != "manager-1" ) + return; + + if ( name == "proxy-1" || name == "proxy-2" ) + ++proxy_count; + + if ( proxy_count == 2 ) + { + print_stuff("1st stuff"); + local e = Broker::make_event(go_away); + Broker::publish(Cluster::node_topic("proxy-1"), e); + } + } + +event Cluster::node_down(name: string, id: string) + { + if ( Cluster::node != "manager-1" ) + return; + + if ( name == "proxy-1" ) + { + print_stuff("2nd stuff"); + local e = Broker::make_event(go_away); + Broker::publish(Cluster::node_topic("proxy-2"), e); + } + + if ( name == "proxy-2" ) + { + print_stuff("no stuff"); + terminate(); + } + } + +event Cluster::node_down(name: string, id: string) + { + if ( name == "manager-1" ) + terminate(); + } diff --git a/testing/btest/scripts/base/frameworks/cluster/custom_pool_limits.bro b/testing/btest/scripts/base/frameworks/cluster/custom_pool_limits.bro new file mode 100644 index 0000000000..f5a9fed5b3 --- /dev/null +++ b/testing/btest/scripts/base/frameworks/cluster/custom_pool_limits.bro 
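Review bot: Nothing in custom_pool_exclusivity.bro says what behaviour is being checked, and custom_pool_limits.bro is the same script with only `$exclusive = F` in place of `$exclusive = T`. A header comment would let a reader interpret the baseline, for example `# Checks topic assignment when Cluster::proxy_pool is exclusive and capped at one node while my_pool draws on the same proxies.` (wording to be confirmed by the author). With two copies of roughly a hundred lines each, a fix applied to one is easy to miss in the other, so sharing the common part is worth considering if btest allows it.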
@@ -0,0 +1,114 @@ +# @TEST-SERIALIZE: comm +# +# @TEST-EXEC: btest-bg-run manager-1 BROPATH=$BROPATH:.. CLUSTER_NODE=manager-1 bro %INPUT +# @TEST-EXEC: btest-bg-run proxy-1 BROPATH=$BROPATH:.. CLUSTER_NODE=proxy-1 bro %INPUT +# @TEST-EXEC: btest-bg-run proxy-2 BROPATH=$BROPATH:.. CLUSTER_NODE=proxy-2 bro %INPUT +# @TEST-EXEC: btest-bg-wait 30 +# @TEST-EXEC: btest-diff manager-1/.stdout + +@TEST-START-FILE cluster-layout.bro +redef Cluster::nodes = { + ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=37757/tcp], + ["proxy-1"] = [$node_type=Cluster::PROXY, $ip=127.0.0.1, $p=37758/tcp, $manager="manager-1"], + ["proxy-2"] = [$node_type=Cluster::PROXY, $ip=127.0.0.1, $p=37759/tcp, $manager="manager-1"], + ["worker-1"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37760/tcp, $manager="manager-1", $interface="eth0"], + ["worker-2"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37761/tcp, $manager="manager-1", $interface="eth1"], +}; +@TEST-END-FILE + +global my_pool_spec: Cluster::PoolSpec = + Cluster::PoolSpec( + $topic = "bro/cluster/pool/my_pool", + $node_type = Cluster::PROXY + ); + +global my_pool: Cluster::Pool; + +redef Cluster::proxy_pool_spec = + Cluster::PoolSpec( + $topic = "bro/cluster/pool/proxy", + $node_type = Cluster::PROXY, + $exclusive = F, + $max_nodes = 1 + ); + +event bro_init() + { + my_pool = Cluster::register_pool(my_pool_spec); + } + +global proxy_count = 0; + +event go_away() + { + terminate(); + } + +function print_stuff(heading: string) + { + print heading; + + local v: vector of count = vector(0, 1, 2, 3, 13, 37, 42, 101); + + for ( i in v ) + { + print "hrw", v[i], Cluster::hrw_topic(Cluster::proxy_pool, v[i]); + print "hrw (custom pool)", v[i], Cluster::hrw_topic(my_pool, v[i]); + } + + local rr_key = "test"; + + for ( i in v ) + { + print "rr", Cluster::rr_topic(Cluster::proxy_pool, rr_key); + print "rr (custom pool)", Cluster::rr_topic(my_pool, rr_key); + } + + # Just checking the same keys still map to same topic 
... + for ( i in v ) + { + print "hrw", v[i], Cluster::hrw_topic(Cluster::proxy_pool, v[i]); + print "hrw (custom pool)", v[i], Cluster::hrw_topic(my_pool, v[i]); + } + } + +event Cluster::node_up(name: string, id: string) + { + if ( Cluster::node != "manager-1" ) + return; + + if ( name == "proxy-1" || name == "proxy-2" ) + ++proxy_count; + + if ( proxy_count == 2 ) + { + print_stuff("1st stuff"); + local e = Broker::make_event(go_away); + Broker::publish(Cluster::node_topic("proxy-1"), e); + } + } + +event Cluster::node_down(name: string, id: string) + { + if ( Cluster::node != "manager-1" ) + return; + + if ( name == "proxy-1" ) + { + print_stuff("2nd stuff"); + local e = Broker::make_event(go_away); + Broker::publish(Cluster::node_topic("proxy-2"), e); + } + + if ( name == "proxy-2" ) + { + print_stuff("no stuff"); + terminate(); + } + } + +event Cluster::node_down(name: string, id: string) + { + if ( name == "manager-1" ) + terminate(); + } diff --git a/testing/btest/scripts/base/frameworks/cluster/log_distribution.bro b/testing/btest/scripts/base/frameworks/cluster/log_distribution.bro new file mode 100644 index 0000000000..bfdddc9497 --- /dev/null +++ b/testing/btest/scripts/base/frameworks/cluster/log_distribution.bro 
@@ -0,0 +1,78 @@ +# @TEST-SERIALIZE: comm +# +# @TEST-EXEC: btest-bg-run logger-1 BROPATH=$BROPATH:.. CLUSTER_NODE=logger-1 bro %INPUT +# @TEST-EXEC: btest-bg-run logger-2 BROPATH=$BROPATH:.. CLUSTER_NODE=logger-2 bro %INPUT +# @TEST-EXEC: btest-bg-run manager BROPATH=$BROPATH:.. CLUSTER_NODE=manager bro %INPUT +# @TEST-EXEC: btest-bg-run worker-1 BROPATH=$BROPATH:.. CLUSTER_NODE=worker-1 bro %INPUT +# @TEST-EXEC: btest-bg-wait 30 +# @TEST-EXEC: btest-diff logger-1/test.log +# @TEST-EXEC: btest-diff logger-2/test.log + +@TEST-START-FILE cluster-layout.bro +redef Cluster::manager_is_logger = F; + +redef Cluster::nodes = { + ["manager"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=37757/tcp], + ["worker-1"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37760/tcp, $manager="manager", $interface="eth0"], + ["logger-1"] = [$node_type=Cluster::LOGGER, $ip=127.0.0.1, $p=37762/tcp, $manager="manager"], + ["logger-2"] = [$node_type=Cluster::LOGGER, $ip=127.0.0.1, $p=37763/tcp, $manager="manager"] +}; + +@TEST-END-FILE + +redef Log::default_rotation_interval = 0sec; + +module Test; +redef enum Log::ID += { LOG }; + +type Info: record { + num: count &log; +}; + +event bro_init() &priority=5 + { + Log::create_stream(Test::LOG, [$columns=Info, $path="test"]); + } + +global peer_count = 0; +global c = 0; + +event go_away() + { + terminate(); + } + +event do_count() + { + Log::write(Test::LOG, [$num = ++c]); + + if ( c == 100 ) + { + Broker::flush_logs(); + schedule 2sec { go_away() }; + } + else + schedule 0.01sec { do_count() }; + } + +event Cluster::node_up(name: string, id: string) + { + print "node_up", name; + ++peer_count; + + if ( Cluster::node == "worker-1" && peer_count == 3 ) + { + Cluster::logger_pool$rr_key_seq["Cluster::rr_log_topic"] = 0; + schedule 0.25sec { do_count() }; + } + } + +event Cluster::node_down(name: string, id: string) + { + print "node_down", name; + --peer_count; + + if ( name == "worker-1" ) + schedule 2sec { go_away() }; + } + 
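Review bot: In `Cluster::node_up` of log_distribution.bro, the line `Cluster::logger_pool$rr_key_seq["Cluster::rr_log_topic"] = 0;` writes into the pool's internal bookkeeping without saying why. Presumably it resets the round-robin position so that the split between logger-1/test.log and logger-2/test.log is identical on every run. If that is the reason, a comment would record it, for example `# Reset the round-robin sequence so the distribution across loggers is deterministic.` The same comment could name the three peers that the `peer_count == 3` condition waits for.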
diff --git a/testing/btest/scripts/base/frameworks/cluster/start-it-up-logger.bro b/testing/btest/scripts/base/frameworks/cluster/start-it-up-logger.bro index 97f3698f36..164eb0c1cb 100644 --- a/testing/btest/scripts/base/frameworks/cluster/start-it-up-logger.bro +++ b/testing/btest/scripts/base/frameworks/cluster/start-it-up-logger.bro @@ -1,16 +1,13 @@ # @TEST-SERIALIZE: comm # -# @TEST-EXEC: btest-bg-run logger-1 CLUSTER_NODE=logger-1 BROPATH=$BROPATH:.. bro %INPUT -# @TEST-EXEC: sleep 1 +# @TEST-EXEC: btest-bg-run logger-1 CLUSTER_NODE=logger-1 BROPATH=$BROPATH:.. bro %INPUT # @TEST-EXEC: btest-bg-run manager-1 CLUSTER_NODE=manager-1 BROPATH=$BROPATH:.. bro %INPUT -# @TEST-EXEC: sleep 1 -# @TEST-EXEC: btest-bg-run proxy-1 CLUSTER_NODE=proxy-1 BROPATH=$BROPATH:.. bro %INPUT -# @TEST-EXEC: btest-bg-run proxy-2 CLUSTER_NODE=proxy-2 BROPATH=$BROPATH:.. bro %INPUT -# @TEST-EXEC: sleep 1 -# @TEST-EXEC: btest-bg-run worker-1 CLUSTER_NODE=worker-1 BROPATH=$BROPATH:.. bro %INPUT -# @TEST-EXEC: btest-bg-run worker-2 CLUSTER_NODE=worker-2 BROPATH=$BROPATH:.. bro %INPUT +# @TEST-EXEC: btest-bg-run proxy-1 CLUSTER_NODE=proxy-1 BROPATH=$BROPATH:.. bro %INPUT +# @TEST-EXEC: btest-bg-run proxy-2 CLUSTER_NODE=proxy-2 BROPATH=$BROPATH:.. bro %INPUT +# @TEST-EXEC: btest-bg-run worker-1 CLUSTER_NODE=worker-1 BROPATH=$BROPATH:.. bro %INPUT +# @TEST-EXEC: btest-bg-run worker-2 CLUSTER_NODE=worker-2 BROPATH=$BROPATH:.. bro %INPUT # @TEST-EXEC: btest-bg-wait 30 -# @TEST-EXEC: btest-diff logger-1/.stdout +# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-sort btest-diff logger-1/.stdout # @TEST-EXEC: btest-diff manager-1/.stdout # @TEST-EXEC: btest-diff proxy-1/.stdout # @TEST-EXEC: btest-diff proxy-2/.stdout 
@@ -21,56 +18,69 @@ redef Cluster::manager_is_logger = F; redef Cluster::nodes = { ["logger-1"] = [$node_type=Cluster::LOGGER, $ip=127.0.0.1, $p=37757/tcp], - ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=37758/tcp, $logger="logger-1", $workers=set("worker-1")], - ["proxy-1"] = [$node_type=Cluster::PROXY, $ip=127.0.0.1, $p=37759/tcp, $logger="logger-1", $manager="manager-1", $workers=set("worker-1")], - ["proxy-2"] = [$node_type=Cluster::PROXY, $ip=127.0.0.1, $p=37760/tcp, $logger="logger-1", $manager="manager-1", $workers=set("worker-2")], - ["worker-1"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37761/tcp, $logger="logger-1", $manager="manager-1", $proxy="proxy-1", $interface="eth0"], - ["worker-2"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37762/tcp, $logger="logger-1", $manager="manager-1", $proxy="proxy-2", $interface="eth1"], + ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=37758/tcp], + ["proxy-1"] = [$node_type=Cluster::PROXY, $ip=127.0.0.1, $p=37759/tcp, $manager="manager-1"], + ["proxy-2"] = [$node_type=Cluster::PROXY, $ip=127.0.0.1, $p=37760/tcp, $manager="manager-1"], + ["worker-1"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37761/tcp, $manager="manager-1", $interface="eth0"], + ["worker-2"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37762/tcp, $manager="manager-1", $interface="eth1"], }; @TEST-END-FILE -global fully_connected: event(); - global peer_count = 0; global fully_connected_nodes = 0; -event fully_connected() +event fully_connected(n: string) { ++fully_connected_nodes; + if ( Cluster::node == "logger-1" ) { + print "got fully_connected event from", n; + if ( peer_count == 5 && fully_connected_nodes == 5 ) - terminate_communication(); + { + print "termination condition met: shutting down"; + terminate(); + } + } + else + { + print "sent fully_connected event"; } } -redef Cluster::worker2logger_events += /fully_connected/; -redef Cluster::proxy2logger_events += /fully_connected/; -redef 
Cluster::manager2logger_events += /fully_connected/; +event bro_init() + { + Broker::auto_publish(Cluster::logger_topic, fully_connected); + } -event remote_connection_handshake_done(p: event_peer) +event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) { print "Connected to a peer"; ++peer_count; + if ( Cluster::node == "logger-1" ) { if ( peer_count == 5 && fully_connected_nodes == 5 ) - terminate_communication(); + { + print "termination condition met: shutting down"; + terminate(); + } } else if ( Cluster::node == "manager-1" ) { if ( peer_count == 5 ) - event fully_connected(); + event fully_connected(Cluster::node); } else { - if ( peer_count == 3 ) - event fully_connected(); + if ( peer_count == 4 ) + event fully_connected(Cluster::node); } } -event remote_connection_closed(p: event_peer) +event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) { terminate(); } diff --git a/testing/btest/scripts/base/frameworks/cluster/start-it-up.bro b/testing/btest/scripts/base/frameworks/cluster/start-it-up.bro index acb9c3676a..aa4bcb45e4 100644 --- a/testing/btest/scripts/base/frameworks/cluster/start-it-up.bro +++ b/testing/btest/scripts/base/frameworks/cluster/start-it-up.bro 
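Review bot: The thresholds `peer_count == 5`, `fully_connected_nodes == 5` and the new `peer_count == 4` in start-it-up-logger.bro encode the cluster layout but are not explained, and the change from 3 to 4 is easy to misread. A comment would help, for example `# logger-1 and manager-1 peer with all 5 other nodes; proxies and workers with 4` (to be confirmed against the new topology). The termination block is also written out twice, once in `fully_connected` and once in `Broker::peer_added`, and a small helper function would keep the two from drifting apart. The `@@ -32,34 +30,42 @@` hunk of start-it-up.bro has the same unexplained thresholds (4 and 3) and the same duplicated condition.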
@@ -1,14 +1,12 @@ # @TEST-SERIALIZE: comm # # @TEST-EXEC: btest-bg-run manager-1 BROPATH=$BROPATH:.. CLUSTER_NODE=manager-1 bro %INPUT -# @TEST-EXEC: sleep 1 # @TEST-EXEC: btest-bg-run proxy-1 BROPATH=$BROPATH:.. CLUSTER_NODE=proxy-1 bro %INPUT # @TEST-EXEC: btest-bg-run proxy-2 BROPATH=$BROPATH:.. CLUSTER_NODE=proxy-2 bro %INPUT -# @TEST-EXEC: sleep 1 # @TEST-EXEC: btest-bg-run worker-1 BROPATH=$BROPATH:.. CLUSTER_NODE=worker-1 bro %INPUT # @TEST-EXEC: btest-bg-run worker-2 BROPATH=$BROPATH:.. CLUSTER_NODE=worker-2 bro %INPUT # @TEST-EXEC: btest-bg-wait 30 -# @TEST-EXEC: btest-diff manager-1/.stdout +# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-sort btest-diff manager-1/.stdout # @TEST-EXEC: btest-diff proxy-1/.stdout # @TEST-EXEC: btest-diff proxy-2/.stdout # @TEST-EXEC: btest-diff worker-1/.stdout 
@@ -16,11 +14,11 @@ @TEST-START-FILE cluster-layout.bro redef Cluster::nodes = { - ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=37757/tcp, $workers=set("worker-1")], - ["proxy-1"] = [$node_type=Cluster::PROXY, $ip=127.0.0.1, $p=37758/tcp, $manager="manager-1", $workers=set("worker-1")], - ["proxy-2"] = [$node_type=Cluster::PROXY, $ip=127.0.0.1, $p=37759/tcp, $manager="manager-1", $workers=set("worker-2")], - ["worker-1"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37760/tcp, $manager="manager-1", $proxy="proxy-1", $interface="eth0"], - ["worker-2"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37761/tcp, $manager="manager-1", $proxy="proxy-2", $interface="eth1"], + ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=37757/tcp], + ["proxy-1"] = [$node_type=Cluster::PROXY, $ip=127.0.0.1, $p=37758/tcp, $manager="manager-1"], + ["proxy-2"] = [$node_type=Cluster::PROXY, $ip=127.0.0.1, $p=37759/tcp, $manager="manager-1"], + ["worker-1"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37760/tcp, $manager="manager-1", $interface="eth0"], + ["worker-2"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37761/tcp, $manager="manager-1", $interface="eth1"], }; @TEST-END-FILE 
@@ -32,34 +30,42 @@ global fully_connected_nodes = 0; event fully_connected() { + if ( ! is_remote_event() ) + return; + + print "Got fully_connected event"; fully_connected_nodes = fully_connected_nodes + 1; + if ( Cluster::node == "manager-1" ) { if ( peer_count == 4 && fully_connected_nodes == 4 ) - terminate_communication(); + terminate(); } } -redef Cluster::worker2manager_events += /fully_connected/; -redef Cluster::proxy2manager_events += /fully_connected/; +event bro_init() + { + Broker::auto_publish(Cluster::manager_topic, fully_connected); + } -event remote_connection_handshake_done(p: event_peer) +event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) { print "Connected to a peer"; peer_count = peer_count + 1; + if ( Cluster::node == "manager-1" ) { if ( peer_count == 4 && fully_connected_nodes == 4 ) - terminate_communication(); + terminate(); } else { - if ( peer_count == 2 ) + if ( peer_count == 3 ) event fully_connected(); } } -event remote_connection_closed(p: event_peer) +event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) { terminate(); } diff --git a/testing/btest/scripts/base/frameworks/cluster/topic_distribution.bro b/testing/btest/scripts/base/frameworks/cluster/topic_distribution.bro new file mode 100644 index 0000000000..0116d6c231 --- /dev/null +++ b/testing/btest/scripts/base/frameworks/cluster/topic_distribution.bro 
@@ -0,0 +1,84 @@ +# @TEST-SERIALIZE: comm +# +# @TEST-EXEC: btest-bg-run manager-1 BROPATH=$BROPATH:.. CLUSTER_NODE=manager-1 bro %INPUT +# @TEST-EXEC: btest-bg-run proxy-1 BROPATH=$BROPATH:.. CLUSTER_NODE=proxy-1 bro %INPUT +# @TEST-EXEC: btest-bg-run proxy-2 BROPATH=$BROPATH:.. CLUSTER_NODE=proxy-2 bro %INPUT +# @TEST-EXEC: btest-bg-wait 30 +# @TEST-EXEC: btest-diff manager-1/.stdout + +@TEST-START-FILE cluster-layout.bro +redef Cluster::nodes = { + ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=37757/tcp], + ["proxy-1"] = [$node_type=Cluster::PROXY, $ip=127.0.0.1, $p=37758/tcp, $manager="manager-1"], + ["proxy-2"] = [$node_type=Cluster::PROXY, $ip=127.0.0.1, $p=37759/tcp, $manager="manager-1"], + ["worker-1"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37760/tcp, $manager="manager-1", $interface="eth0"], + ["worker-2"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37761/tcp, $manager="manager-1", $interface="eth1"], +}; +@TEST-END-FILE + +global proxy_count = 0; + +event go_away() + { + terminate(); + } + +function print_stuff(heading: string) + { + print heading; + + local v: vector of count = vector(0, 1, 2, 3, 13, 37, 42, 101); + + for ( i in v ) + print "hrw", v[i], Cluster::hrw_topic(Cluster::proxy_pool, v[i]); + + local rr_key = "test"; + + for ( i in v ) + print "rr", Cluster::rr_topic(Cluster::proxy_pool, rr_key); + + # Just checking the same keys still map to same topic ... 
+ for ( i in v ) + print "hrw", v[i], Cluster::hrw_topic(Cluster::proxy_pool, v[i]); + } + +event Cluster::node_up(name: string, id: string) + { + if ( Cluster::node != "manager-1" ) + return; + + if ( name == "proxy-1" || name == "proxy-2" ) + ++proxy_count; + + if ( proxy_count == 2 ) + { + print_stuff("1st stuff"); + local e = Broker::make_event(go_away); + Broker::publish(Cluster::node_topic("proxy-1"), e); + } + } + +event Cluster::node_down(name: string, id: string) + { + if ( Cluster::node != "manager-1" ) + return; + + if ( name == "proxy-1" ) + { + print_stuff("2nd stuff"); + local e = Broker::make_event(go_away); + Broker::publish(Cluster::node_topic("proxy-2"), e); + } + + if ( name == "proxy-2" ) + { + print_stuff("no stuff"); + terminate(); + } + } + +event Cluster::node_down(name: string, id: string) + { + if ( name == "manager-1" ) + terminate(); + } diff --git a/testing/btest/scripts/base/frameworks/cluster/topic_distribution_bifs.bro b/testing/btest/scripts/base/frameworks/cluster/topic_distribution_bifs.bro new file mode 100644 index 0000000000..b9dd87e560 --- /dev/null +++ b/testing/btest/scripts/base/frameworks/cluster/topic_distribution_bifs.bro 
@@ -0,0 +1,95 @@ +# @TEST-SERIALIZE: comm +# +# @TEST-EXEC: btest-bg-run manager-1 BROPATH=$BROPATH:.. CLUSTER_NODE=manager-1 bro %INPUT +# @TEST-EXEC: btest-bg-run proxy-1 BROPATH=$BROPATH:.. CLUSTER_NODE=proxy-1 bro %INPUT +# @TEST-EXEC: btest-bg-run proxy-2 BROPATH=$BROPATH:.. CLUSTER_NODE=proxy-2 bro %INPUT +# @TEST-EXEC: btest-bg-wait 30 +# @TEST-EXEC: btest-diff manager-1/.stdout +# @TEST-EXEC: btest-diff proxy-1/.stdout +# @TEST-EXEC: btest-diff proxy-2/.stdout + +@TEST-START-FILE cluster-layout.bro +redef Cluster::nodes = { + ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=37757/tcp], + ["proxy-1"] = [$node_type=Cluster::PROXY, $ip=127.0.0.1, $p=37758/tcp, $manager="manager-1"], + ["proxy-2"] = [$node_type=Cluster::PROXY, $ip=127.0.0.1, $p=37759/tcp, $manager="manager-1"], + ["worker-1"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37760/tcp, $manager="manager-1", $interface="eth0"], + ["worker-2"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37761/tcp, $manager="manager-1", $interface="eth1"], +}; +@TEST-END-FILE + +global proxy_count = 0; +global q = 0; + +event go_away() + { + terminate(); + } + +event distributed_event_hrw(c: count) + { + print "got distributed event hrw", c; + } + +event distributed_event_rr(c: count) + { + print "got distributed event rr", c; + } + +function send_stuff(heading: string) + { + print heading; + + local v: vector of count = vector(0, 1, 2, 3, 13, 37, 42, 101); + + for ( i in v ) + print "hrw", v[i], Cluster::publish_hrw(Cluster::proxy_pool, v[i], + distributed_event_hrw, v[i]); + + local rr_key = "test"; + + for ( i in v ) + print "rr", Cluster::publish_rr(Cluster::proxy_pool, rr_key, + distributed_event_rr, v[i]); + } + +event Cluster::node_up(name: string, id: string) + { + if ( Cluster::node != "manager-1" ) + return; + + if ( name == "proxy-1" || name == "proxy-2" ) + ++proxy_count; + + if ( proxy_count == 2 ) + { + send_stuff("1st stuff"); + local e = Broker::make_event(go_away); + 
Broker::publish(Cluster::node_topic("proxy-1"), e); + } + } + +event Cluster::node_down(name: string, id: string) + { + if ( Cluster::node != "manager-1" ) + return; + + if ( name == "proxy-1" ) + { + send_stuff("2nd stuff"); + local e = Broker::make_event(go_away); + Broker::publish(Cluster::node_topic("proxy-2"), e); + } + + if ( name == "proxy-2" ) + { + send_stuff("no stuff"); + terminate(); + } + } + +event Cluster::node_down(name: string, id: string) + { + if ( name == "manager-1" ) + terminate(); + } diff --git a/testing/btest/scripts/base/frameworks/communication/communication_log_baseline.bro b/testing/btest/scripts/base/frameworks/communication/communication_log_baseline.bro deleted file mode 100644 index 4a2ed735ef..0000000000 --- a/testing/btest/scripts/base/frameworks/communication/communication_log_baseline.bro +++ /dev/null @@ -1,42 +0,0 @@ -# @TEST-SERIALIZE: comm -# -# @TEST-EXEC: btest-bg-run receiver bro -b ../receiver.bro -# @TEST-EXEC: btest-bg-run sender bro -b ../sender.bro -# @TEST-EXEC: btest-bg-wait -k 10 -# -# Don't diff the receiver log just because port is always going to change -# @TEST-EXEC: egrep -v 'CPU|bytes|pid|socket buffer size' sender/communication.log >send.log -# @TEST-EXEC: btest-diff send.log - -@TEST-START-FILE sender.bro - -@load base/frameworks/communication/main - -redef Communication::nodes += { - ["foo"] = [$host = 127.0.0.1, $events = /NOTHING/, $connect=T] -}; - -event remote_connection_handshake_done(p: event_peer) - { - terminate_communication(); - } - -event remote_connection_closed(p: event_peer) - { - terminate(); - } - -@TEST-END-FILE - -############# - -@TEST-START-FILE receiver.bro - -@load frameworks/communication/listen - -event remote_connection_closed(p: event_peer) - { - terminate(); - } - -@TEST-END-FILE diff --git a/testing/btest/scripts/base/frameworks/config/basic.bro b/testing/btest/scripts/base/frameworks/config/basic.bro new file mode 100644 index 0000000000..f5a02983fd --- /dev/null 
+++ b/testing/btest/scripts/base/frameworks/config/basic.bro @@ -0,0 +1,57 @@ +# @TEST-EXEC: btest-bg-run bro bro -b %INPUT +# @TEST-EXEC: btest-bg-wait 10 +# @TEST-EXEC: btest-diff bro/config.log +# @TEST-EXEC: btest-diff bro/.stderr + +@load base/frameworks/config +@load base/protocols/conn + +redef exit_only_after_terminate = T; +redef Config::config_files += {"../configfile"}; + +@TEST-START-FILE configfile +testbool F +testcount 1 +testcount 2 +testcount 2 +testint -1 +testenum Conn::LOG +testport 45 +testporttcp 42/tcp +testportudp 42/udp +testaddr 127.0.0.1 +testaddr 2607:f8b0:4005:801::200e +testinterval 60 +testtime 1507321987 +test_set a,b,c,d,erdbeerschnitzel +test_vector 1,2,3,4,5,6 +test_set +test_set - +@TEST-END-FILE + +@load base/protocols/ssh +@load base/protocols/conn + +export { + option testbool: bool = T; + option testcount: count = 0; + option testint: int = 0; + option testenum = SSH::LOG; + option testport = 42/tcp; + option testporttcp = 40/udp; + option testportudp = 40/tcp; + option testaddr = 127.0.0.1; + option testtime = network_time(); + option testinterval = 1sec; + option teststring = "a"; + option test_set: set[string] = {}; + option test_vector: vector of count = {}; +} + +event Input::end_of_data(name: string, source:string) + { + if ( sub_bytes(name, 1, 7) != "config-" ) + return; + + terminate(); + } diff --git a/testing/btest/scripts/base/frameworks/config/basic_cluster.bro b/testing/btest/scripts/base/frameworks/config/basic_cluster.bro new file mode 100644 index 0000000000..6423773b26 --- /dev/null +++ b/testing/btest/scripts/base/frameworks/config/basic_cluster.bro 
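Review bot: In config/basic.bro, `option testporttcp = 40/udp;` and `option testportudp = 40/tcp;` have defaults whose protocol is the opposite of what the option name says. This may be deliberate, so that the values from `configfile` (`42/tcp`, `42/udp`) visibly change the protocol as well as the number. If so, a comment such as `# Defaults use the other protocol on purpose so the config change is visible.` would prevent a well-meant "correction" later. `@load base/protocols/conn` also appears twice, once before and once after the embedded config file, and the second can be dropped.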
@@ -0,0 +1,81 @@ +# @TEST-SERIALIZE: comm +# +# @TEST-EXEC: btest-bg-run manager-1 BROPATH=$BROPATH:.. CLUSTER_NODE=manager-1 bro %INPUT +# @TEST-EXEC: sleep 1 +# @TEST-EXEC: btest-bg-run worker-1 BROPATH=$BROPATH:.. CLUSTER_NODE=worker-1 bro %INPUT +# @TEST-EXEC: btest-bg-run worker-2 BROPATH=$BROPATH:.. CLUSTER_NODE=worker-2 bro %INPUT +# @TEST-EXEC: btest-bg-wait 15 +# @TEST-EXEC: btest-diff manager-1/.stdout +# @TEST-EXEC: btest-diff worker-1/.stdout +# @TEST-EXEC: btest-diff worker-2/.stdout +# @TEST-EXEC: btest-diff manager-1/config.log + +@load base/frameworks/config + + +@TEST-START-FILE cluster-layout.bro +redef Cluster::nodes = { + ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=37757/tcp], + ["worker-1"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37760/tcp, $manager="manager-1", $interface="eth0"], + ["worker-2"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37761/tcp, $manager="manager-1", $interface="eth1"], +}; +@TEST-END-FILE + +redef Log::default_rotation_interval = 0secs; + +export { + option testport = 42/tcp; + option teststring = "a"; +} + +global n = 0; + +event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) + { + terminate(); + } + +global ready_for_data: event(); + +event bro_init() + { + Broker::auto_publish(Cluster::worker_topic, ready_for_data); + } + +@if ( Cluster::node == "worker-1" ) +event ready_for_data() + { + Config::set_value("testport", 44/tcp); + Config::set_value("teststring", "b", "comment"); + } +@endif + +event die() + { + terminate(); + } + +function option_changed(ID: string, new_value: any, location: string): any + { + print "option changed", ID, new_value, location; + schedule 5sec { die() }; + return new_value; + } + +event bro_init() &priority=5 + { + Option::set_change_handler("testport", option_changed, -100); + Option::set_change_handler("teststring", option_changed, -100); + } + +@if ( Cluster::local_node_type() == Cluster::MANAGER ) + +global peer_count = 0; +event 
Cluster::node_up(name: string, id: string) + { + ++peer_count; + if ( peer_count == 2 ) + event ready_for_data(); + } + +@endif diff --git a/testing/btest/scripts/base/frameworks/config/cluster_resend.bro b/testing/btest/scripts/base/frameworks/config/cluster_resend.bro new file mode 100644 index 0000000000..e5c871a578 --- /dev/null +++ b/testing/btest/scripts/base/frameworks/config/cluster_resend.bro 
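Review bot: `global n = 0;` in basic_cluster.bro is declared but never read or written anywhere in the file, and the same unused global appears in cluster_resend.bro; it should be removed from both. The test also has no header comment saying what it checks, unlike cluster_resend.bro. Something like `# Checks that options set via Config::set_value on worker-1 are propagated to the other nodes.` would help, assuming that is the intent; the baselines are not visible here.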
@@ -0,0 +1,107 @@ +# @TEST-SERIALIZE: comm +# +# @TEST-EXEC: btest-bg-run manager-1 BROPATH=$BROPATH:.. CLUSTER_NODE=manager-1 bro %INPUT +# @TEST-EXEC: sleep 1 +# @TEST-EXEC: btest-bg-run worker-1 BROPATH=$BROPATH:.. CLUSTER_NODE=worker-1 bro %INPUT +# @TEST-EXEC: sleep 15 +# @TEST-EXEC: btest-bg-run worker-2 BROPATH=$BROPATH:.. CLUSTER_NODE=worker-2 bro %INPUT +# @TEST-EXEC: btest-bg-wait 15 +# @TEST-EXEC: btest-diff manager-1/.stdout +# @TEST-EXEC: btest-diff worker-1/.stdout +# @TEST-EXEC: btest-diff worker-2/.stdout +# @TEST-EXEC: btest-diff manager-1/config.log + +# In this test we check if values get updated on a worker, even if they were set before the +# worker is present. + +@load base/frameworks/config + + +@TEST-START-FILE cluster-layout.bro +redef Cluster::nodes = { + ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=37757/tcp], + ["worker-1"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37760/tcp, $manager="manager-1", $interface="eth0"], + ["worker-2"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37761/tcp, $manager="manager-1", $interface="eth1"], +}; +@TEST-END-FILE + +redef Log::default_rotation_interval = 0secs; + +export { + option testport = 42/tcp; + option teststring = "a"; + option testcount: count = 0; +} + +global n = 0; + +event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) + { + terminate(); + } + +global ready_for_data: event(); + +event bro_init() + { + Broker::auto_publish(Cluster::worker_topic, ready_for_data); + } + +@if ( Cluster::node == "worker-1" ) +event ready_for_data() + { + Config::set_value("testport", 44/tcp); + Config::set_value("teststring", "b", "comment"); + } +@endif + +@if ( Cluster::node == "manager-1" ) +event ready_for_data() + { + Config::set_value("testcount", 1); + } +@endif + +event die() + { + terminate(); + } + +@if ( Cluster::is_enabled() && Cluster::local_node_type() == Cluster::MANAGER ) +event Cluster::node_up(name: string, id: string) + { + print "Node up", name; + 
if ( name == "worker-2" ) + schedule 5sec { die() }; + } +@endif + +function option_changed(ID: string, new_value: any, location: string): any + { + print "option changed", ID, new_value, location; + return new_value; + } + +event bro_init() &priority=5 + { + Option::set_change_handler("testport", option_changed, -100); + Option::set_change_handler("teststring", option_changed, -100); + Option::set_change_handler("testcount", option_changed, -100); + } + +@if ( Cluster::local_node_type() == Cluster::MANAGER ) + +global peer_count = 0; +event Cluster::node_up(name: string, id: string) &priority=-5 + { + ++peer_count; + if ( peer_count == 1 ) + event ready_for_data(); + } + +@endif + +event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) + { + terminate(); + } diff --git a/testing/btest/scripts/base/frameworks/config/read_config.bro b/testing/btest/scripts/base/frameworks/config/read_config.bro new file mode 100644 index 0000000000..753186beab --- /dev/null +++ b/testing/btest/scripts/base/frameworks/config/read_config.bro 
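Review bot: cluster_resend.bro defines the `Broker::peer_lost` handler twice, once after `global n = 0;` and again at the very end of the file, both with a body of just `terminate();`. The same duplicate is in read_config_cluster.bro. One copy per file is enough, and the second reads like a merge leftover. Separately, start-up ordering here depends on fixed delays (`sleep 1`, `sleep 15`) followed by `btest-bg-wait 15`, so a one-line comment on why 15 seconds is the right gap before starting worker-2 would make later timing failures easier to diagnose.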
@@ -0,0 +1,57 @@ +# @TEST-EXEC: btest-bg-run bro bro -b %INPUT +# @TEST-EXEC: btest-bg-wait 10 +# @TEST-EXEC: btest-diff bro/config.log + +@load base/frameworks/config +@load base/protocols/conn + +redef exit_only_after_terminate = T; +redef InputConfig::empty_field = "(empty)"; + +@TEST-START-FILE configfile +testbool F +testcount 1 +testcount 2 +testcount 2 +testint -1 +testenum Conn::LOG +testport 45 +testaddr 127.0.0.1 +testaddr 2607:f8b0:4005:801::200e +testinterval 60 +testtime 1507321987 +test_set a,b,c,d,erdbeerschnitzel +test_vector 1,2,3,4,5,6 +test_set (empty) +test_set - +@TEST-END-FILE + +@load base/protocols/ssh +@load base/protocols/conn + +export { + option testbool: bool = T; + option testcount: count = 0; + option testint: int = 0; + option testenum = SSH::LOG; + option testport = 42/tcp; + option testaddr = 127.0.0.1; + option testtime = network_time(); + option testinterval = 1sec; + option teststring = "a"; + option test_set: set[string] = {}; + option test_vector: vector of count = {}; +} + +event Input::end_of_data(name: string, source:string) + { + if ( sub_bytes(name, 1, 7) != "config-" ) + return; + + terminate(); + } + +event bro_init() + { + Config::read_config("../configfile"); + } diff --git a/testing/btest/scripts/base/frameworks/config/read_config_cluster.bro b/testing/btest/scripts/base/frameworks/config/read_config_cluster.bro new file mode 100644 index 0000000000..ea806fc18c --- /dev/null +++ b/testing/btest/scripts/base/frameworks/config/read_config_cluster.bro 
@@ -0,0 +1,104 @@ +# @TEST-SERIALIZE: comm +# +# @TEST-EXEC: btest-bg-run manager-1 BROPATH=$BROPATH:.. CLUSTER_NODE=manager-1 bro %INPUT +# @TEST-EXEC: sleep 1 +# @TEST-EXEC: btest-bg-run worker-1 BROPATH=$BROPATH:.. CLUSTER_NODE=worker-1 bro %INPUT +# @TEST-EXEC: btest-bg-run worker-2 BROPATH=$BROPATH:.. CLUSTER_NODE=worker-2 bro %INPUT +# @TEST-EXEC: btest-bg-wait 15 +# @TEST-EXEC: btest-diff manager-1/.stdout +# @TEST-EXEC: btest-diff worker-1/.stdout +# @TEST-EXEC: btest-diff worker-2/.stdout +# @TEST-EXEC: btest-diff manager-1/config.log + +@load base/frameworks/config + + +@TEST-START-FILE cluster-layout.bro +redef Cluster::nodes = { + ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=37757/tcp], + ["worker-1"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37760/tcp, $manager="manager-1", $interface="eth0"], + ["worker-2"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37761/tcp, $manager="manager-1", $interface="eth1"], +}; +@TEST-END-FILE + +@TEST-START-FILE configfile +testbool F +testcount 1 +testcount 2 +testcount 2 +testint -1 +testenum Conn::LOG +testport 45 +testaddr 127.0.0.1 +testaddr 2607:f8b0:4005:801::200e +testinterval 60 +testtime 1507321987 +test_set a,b,c,d,erdbeerschnitzel +test_vector 1,2,3,4,5,6 +test_set (empty) +test_set - +test_set_full 1,3,4,5,6,7 +@TEST-END-FILE + +redef Log::default_rotation_interval = 0secs; + +export { + option testbool: bool = T; + option testcount: count = 0; + option testint: int = 0; + option testenum = SSH::LOG; + option testport = 42/tcp; + option testaddr = 127.0.0.1; + option testtime = network_time(); + option testinterval = 1sec; + option teststring = "a"; + option test_set: set[string] = {}; + option test_set_full: set[count] = {1, 2, 3, 7, 10, 15}; + option test_vector: vector of count = {}; +} + +event bro_init() + { + Config::read_config("../configfile"); + } + +event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) + { + terminate(); + } + +function 
option_changed(ID: string, new_value: any, location: string): any + { + print "option changed", ID, new_value, location; + return new_value; + } + +event bro_init() &priority=5 + { + Option::set_change_handler("testport", option_changed, -100); + Option::set_change_handler("teststring", option_changed, -100); + } + +event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) + { + terminate(); + } + +@if ( Cluster::is_enabled() && Cluster::local_node_type() == Cluster::MANAGER ) +event die() + { + terminate(); + } + +event Cluster::node_up(name: string, id: string) + { + schedule 10sec { die() }; + } +@endif + +module Config; + +event Config::cluster_set_option(ID: string, val: any, location: string) &priority=-10 + { + print "cluster_set_option", ID, val, location; + } diff --git a/testing/btest/scripts/base/frameworks/config/several-files.bro b/testing/btest/scripts/base/frameworks/config/several-files.bro new file mode 100644 index 0000000000..c5ad563b4e --- /dev/null +++ b/testing/btest/scripts/base/frameworks/config/several-files.bro 
@@ -0,0 +1,57 @@ +# @TEST-EXEC: btest-bg-run bro bro -b %INPUT +# @TEST-EXEC: btest-bg-wait 10 +# @TEST-EXEC: TEST_DIFF_CANONIFIER="$SCRIPTS/diff-canonifier | grep -v ^# | $SCRIPTS/diff-sort" btest-diff bro/config.log + +@load base/frameworks/config +@load base/protocols/conn + +redef exit_only_after_terminate = T; +redef Config::config_files += {"../configfile1", "../configfile2"}; + +@TEST-START-FILE configfile1 +testbool F +testcount 2 +testint -1 +testenum Conn::LOG +test_set a,b,c,d,erdbeerschnitzel +test_vector 1,2,3,4,5,6 +@TEST-END-FILE + +@TEST-START-FILE configfile2 +testport 45 +testaddr 127.0.0.1 +testinterval 60 +testtime 1507321987 +@TEST-END-FILE + +@load base/protocols/ssh +@load base/protocols/conn + +export { + option testbool: bool = T; + option testcount: count = 0; + option testint: int = 0; + option testenum = SSH::LOG; + option testport = 42/tcp; + option testaddr = 127.0.0.1; + option testtime = network_time(); + option testinterval = 1sec; + option teststring = "a"; + option test_set: set[string] = {}; + option test_vector: vector of count = {}; +} + +global ct = 0; + +event Input::end_of_data(name: string, source: string) + { + if ( sub_bytes(name, 1, 7) != "config-" ) + return; + + ++ct; + + # Exit after this event has been raised for each config file. + if ( ct == 2 ) + terminate(); + + } diff --git a/testing/btest/scripts/base/frameworks/config/updates.bro b/testing/btest/scripts/base/frameworks/config/updates.bro new file mode 100644 index 0000000000..a4ee557e27 --- /dev/null +++ b/testing/btest/scripts/base/frameworks/config/updates.bro 
@@ -0,0 +1,114 @@ +# @TEST-EXEC: btest-bg-run bro bro -b %INPUT +# @TEST-EXEC: $SCRIPTS/wait-for-file bro/got1 10 || (btest-bg-wait -k 1 && false) +# @TEST-EXEC: mv configfile2 configfile +# @TEST-EXEC: touch configfile +# @TEST-EXEC: $SCRIPTS/wait-for-file bro/got2 10 || (btest-bg-wait -k 1 && false) +# @TEST-EXEC: mv configfile3 configfile +# @TEST-EXEC: touch configfile +# @TEST-EXEC: $SCRIPTS/wait-for-file bro/got3 10 || (btest-bg-wait -k 1 && false) +# @TEST-EXEC: mv configfile4 configfile +# @TEST-EXEC: touch configfile +# @TEST-EXEC: btest-bg-wait 10 +# @TEST-EXEC: btest-diff bro/config.log + +@load base/frameworks/config +@load base/protocols/conn + +redef exit_only_after_terminate = T; +redef Config::config_files += {"../configfile"}; + +@TEST-START-FILE configfile +testbool F +testcount 1 +testcount 2 +testcount 2 +testint -1 +testenum Conn::LOG +testport 45 +testaddr 127.0.0.1 +testaddr 2607:f8b0:4005:801::200e +testinterval 60 +testtime 1507321987 +test_set a,b,c,d,erdbeerschnitzel +test_vector 1,2,3,4,5,6 +@TEST-END-FILE + +@TEST-START-FILE configfile2 +testbool F +testcount 1 +testcount 2 +testcount 2 +testint -1 +testenum Conn::LOG +testport 45 +testaddr 127.0.0.1 +testaddr 2607:f8b0:4005:801::200e +testinterval 60 +testtime 1507321987 +test_set a,b,c,d,erdbeerschnitzel +test_vector 1,2,3,4,5,9 +@TEST-END-FILE + +@TEST-START-FILE configfile3 +testbool F +testcount 2 +testcount 2 +testcount 2 +testint -1 +testenum Conn::LOG +testport 45 +testinterval 60 +testtime 1507321987 +test_set a,b,c,d,erdbeerschnitzel +@TEST-END-FILE + +@TEST-START-FILE configfile4 +testbool F +testcount 2 +testcount 2 +testcount 2 +testint -1 +testenum Conn::LOG +testport 45 +testinterval 60 +testtime 1507321987 +test_set a,b,c,d,erdbeerschnitzel +test_vector 1,2,3,4,5,9 +@TEST-END-FILE + +@load base/protocols/ssh +@load base/protocols/conn + +export { + option testbool: bool = T; + option testcount: count = 0; + option testint: int = 0; + option testenum = SSH::LOG; + option 
testport = 42/tcp; + option testaddr = 127.0.0.1; + option testtime = network_time(); + option testinterval = 1sec; + option teststring = "a"; + option test_set: set[string] = {}; + option test_vector: vector of count = {}; +} + +global eolcount = 0; + +event Input::end_of_data(name: string, source:string) + { + print "eod"; + if ( sub_bytes(name, 1, 7) != "config-" ) + return; + + eolcount += 1; + + if ( eolcount == 1 ) + system("touch got1"); + else if ( eolcount == 2 ) + system("touch got2"); + else if ( eolcount == 3 ) + system("touch got3"); + else if ( eolcount == 4 ) + terminate(); + } diff --git a/testing/btest/scripts/base/frameworks/control/configuration_update.bro b/testing/btest/scripts/base/frameworks/control/configuration_update.bro index d9e62efe08..d6f229d7a7 100644 --- a/testing/btest/scripts/base/frameworks/control/configuration_update.bro +++ b/testing/btest/scripts/base/frameworks/control/configuration_update.bro 
@@ -1,18 +1,10 @@ # @TEST-SERIALIZE: comm # -# @TEST-EXEC: btest-bg-run controllee BROPATH=$BROPATH:.. bro %INPUT frameworks/control/controllee Communication::listen_port=65531/tcp -# @TEST-EXEC: sleep 5 -# @TEST-EXEC: btest-bg-run controller BROPATH=$BROPATH:.. bro %INPUT test-redef frameworks/control/controller Control::host=127.0.0.1 Control::host_port=65531/tcp Control::cmd=configuration_update -# @TEST-EXEC: sleep 5 -# @TEST-EXEC: btest-bg-run controller2 BROPATH=$BROPATH:.. bro %INPUT frameworks/control/controller Control::host=127.0.0.1 Control::host_port=65531/tcp Control::cmd=shutdown +# @TEST-EXEC: btest-bg-run controllee BROPATH=$BROPATH:.. bro -Bbroker %INPUT frameworks/control/controllee Broker::default_port=65531/tcp +# @TEST-EXEC: btest-bg-run controller BROPATH=$BROPATH:.. bro -Bbroker %INPUT test-redef frameworks/control/controller Control::host=127.0.0.1 Control::host_port=65531/tcp Control::cmd=configuration_update # @TEST-EXEC: btest-bg-wait 10 # @TEST-EXEC: btest-diff controllee/.stdout -redef Communication::nodes = { - # We're waiting for connections from this host for control. - ["control"] = [$host=127.0.0.1, $class="control", $events=Control::controller_events], -}; - const test_var = "ORIGINAL VALUE (this should be printed out first)" &redef; @TEST-START-FILE test-redef.bro @@ -22,9 +14,26 @@ redef test_var = "NEW VALUE (this should be printed out second)"; event bro_init() { print test_var; + Reporter::info("handle bro_init"); } event bro_done() { print test_var; + Reporter::info("handle bro_done"); + } + +event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) + { + terminate(); + } + +event Control::configuration_update_request() + { + Reporter::info("handle Control::configuration_update_request"); + } + +event Control::configuration_update_response() + { + Reporter::info("handle Control::configuration_update_response"); } 
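Review bot: Both rewritten `@TEST-EXEC` lines in configuration_update.bro now run `bro -Bbroker`, which looks like a debugging leftover. The test only diffs `controllee/.stdout`, so enabling the Broker debug stream adds nothing to what is asserted, and debug streams are presumably only effective in debug builds (worth confirming on a release build). I would drop the switch, i.e. `bro %INPUT frameworks/control/controllee Broker::default_port=65531/tcp`, or add a comment saying why it is needed. The `Reporter::info("handle ...")` calls added in the second hunk look like the same kind of tracing and deserve the same treatment if they are not part of a baseline.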
diff --git a/testing/btest/scripts/base/frameworks/control/id_value.bro b/testing/btest/scripts/base/frameworks/control/id_value.bro index ffbb9a10cf..13cf1c5548 100644 --- a/testing/btest/scripts/base/frameworks/control/id_value.bro +++ b/testing/btest/scripts/base/frameworks/control/id_value.bro @@ -1,15 +1,10 @@ # @TEST-SERIALIZE: comm # -# @TEST-EXEC: btest-bg-run controllee BROPATH=$BROPATH:.. bro %INPUT only-for-controllee frameworks/control/controllee Communication::listen_port=65532/tcp +# @TEST-EXEC: btest-bg-run controllee BROPATH=$BROPATH:.. bro %INPUT only-for-controllee frameworks/control/controllee Broker::default_port=65532/tcp # @TEST-EXEC: btest-bg-run controller BROPATH=$BROPATH:.. bro %INPUT frameworks/control/controller Control::host=127.0.0.1 Control::host_port=65532/tcp Control::cmd=id_value Control::arg=test_var # @TEST-EXEC: btest-bg-wait -k 10 # @TEST-EXEC: btest-diff controller/.stdout -redef Communication::nodes = { - # We're waiting for connections from this host for control. - ["control"] = [$host=127.0.0.1, $class="control", $events=Control::controller_events], -}; - # This value shouldn't ever be printed to the controllers stdout. const test_var = "Original value" &redef; @@ -19,8 +14,13 @@ const test_var = "Original value" &redef; redef test_var = "This is the value from the controllee"; @TEST-END-FILE +event die() + { + terminate(); + } + event Control::id_value_response(id: string, val: string) { print fmt("Got an id_value_response(%s, %s) event", id, val); - terminate(); + schedule 2sec { die() }; } diff --git a/testing/btest/scripts/base/frameworks/control/shutdown.bro b/testing/btest/scripts/base/frameworks/control/shutdown.bro index 7b6e5713f8..cec965974a 100644 --- a/testing/btest/scripts/base/frameworks/control/shutdown.bro +++ b/testing/btest/scripts/base/frameworks/control/shutdown.bro 
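Review bot: The second hunk of id_value.bro replaces the immediate `terminate()` in `Control::id_value_response` with `schedule 2sec { die() };` and gives no reason for the delay. A fixed two-second wait is a timing assumption that will be hard to revisit later without knowing what it waits for. Please add a comment above the `schedule` line, for example `# delay exit so the controllee sees the response delivered before the peering drops`, if that is the reason.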
@@ -1,10 +1,6 @@ # @TEST-SERIALIZE: comm # -# @TEST-EXEC: btest-bg-run controllee BROPATH=$BROPATH:.. bro %INPUT frameworks/control/controllee Communication::listen_port=65530/tcp +# @TEST-EXEC: btest-bg-run controllee BROPATH=$BROPATH:.. bro %INPUT frameworks/control/controllee Broker::default_port=65530/tcp # @TEST-EXEC: btest-bg-run controller BROPATH=$BROPATH:.. bro %INPUT frameworks/control/controller Control::host=127.0.0.1 Control::host_port=65530/tcp Control::cmd=shutdown # @TEST-EXEC: btest-bg-wait 10 -redef Communication::nodes = { - # We're waiting for connections from this host for control. - ["control"] = [$host=127.0.0.1, $class="control", $events=Control::controller_events], -}; diff --git a/testing/btest/scripts/base/frameworks/file-analysis/bifs/file_exists_lookup_file.bro b/testing/btest/scripts/base/frameworks/file-analysis/bifs/file_exists_lookup_file.bro new file mode 100644 index 0000000000..cba82bbfab --- /dev/null +++ b/testing/btest/scripts/base/frameworks/file-analysis/bifs/file_exists_lookup_file.bro @@ -0,0 +1,21 @@ +# @TEST-EXEC: bro -r $TRACES/http/get.trace %INPUT 2>&1 +# @TEST-EXEC: btest-diff .stdout + +event bro_init() + { + print "This should fail but not crash"; + print Files::lookup_file("asdf"); + + print "This should return F"; + print Files::file_exists("asdf"); + } + +event file_sniff(f: fa_file, meta: fa_metadata) + { + print "lookup fid: " + f$id; + local looked_up_file = Files::lookup_file(f$id); + print "We should have found the file id: " + looked_up_file$id ; + + print "This should return T"; + print Files::file_exists(f$id); + } diff --git a/testing/btest/scripts/base/frameworks/input/basic.bro b/testing/btest/scripts/base/frameworks/input/basic.bro index d52af7d6e2..356b87d70b 100644 --- a/testing/btest/scripts/base/frameworks/input/basic.bro +++ b/testing/btest/scripts/base/frameworks/input/basic.bro 
@@ -7,9 +7,9 @@ redef exit_only_after_terminate = T; @TEST-START-FILE input.log #separator \x09 #path ssh -#fields b i e c p sn a d t iv s sc ss se vc ve ns -#types bool int enum count port subnet addr double time interval string table table table vector vector string -T -42 SSH::LOG 21 123 10.0.0.0/24 1.2.3.4 3.14 1315801931.273616 100.000000 hurz 2,4,1,3 CC,AA,BB EMPTY 10,20,30 EMPTY 4242 +#fields b bt i e c p pp sn a d t iv s sc ss se vc ve ns +#types bool int enum count port port subnet addr double time interval string table table table vector vector string +T 1 -42 SSH::LOG 21 123 5/icmp 10.0.0.0/24 1.2.3.4 3.14 1315801931.273616 100.000000 hurz 2,4,1,3 CC,AA,BB EMPTY 10,20,30 EMPTY 4242 @TEST-END-FILE @load base/protocols/ssh @@ -26,9 +26,11 @@ type Idx: record { type Val: record { b: bool; + bt: bool; e: Log::ID; c: count; p: port; + pp: port; sn: subnet; a: addr; d: double; diff --git a/testing/btest/scripts/base/frameworks/input/config/basic.bro b/testing/btest/scripts/base/frameworks/input/config/basic.bro new file mode 100644 index 0000000000..c8d68fc822 --- /dev/null +++ b/testing/btest/scripts/base/frameworks/input/config/basic.bro 
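Review bot: The new `#types` line in the embedded input.log has 18 entries while the new `#fields` line has 19. `bt` was added to the fields after `b`, but the types list still starts with a single `bool`. The data row does carry 19 values, so the header should begin `#types bool bool int enum count port port subnet`. The test may still pass if the ASCII reader takes its types from the `Val` record rather than from this header, but the fixture should stay self-consistent. The `Val` record extends beyond the second hunk.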
@@ -0,0 +1,75 @@ +# @TEST-EXEC: btest-bg-run bro bro -b %INPUT +# @TEST-EXEC: btest-bg-wait 10 +# @TEST-EXEC: btest-diff out + +redef exit_only_after_terminate = T; +redef InputConfig::empty_field = "EMPTY"; +redef InputConfig::set_separator = "\t"; + +@TEST-START-FILE configfile +testbool F +testcount 1 +testcount 2 +testcount 2 +testint -1 +testenum Conn::LOG +testport 45 +testportandproto 45/udp +testaddr 127.0.0.1 +testaddr 2607:f8b0:4005:801::200e +testinterval 60 +testtime 1507321987 +test_set a b c d erdbeerschnitzel +test_vector 1 2 3 4 5 6 +test_set (empty) +test_set EMPTY +test_set - +@TEST-END-FILE + +@load base/protocols/ssh +@load base/protocols/conn + +global outfile: file; + +export { + option testbool: bool = T; + option testcount: count = 0; + option testint: int = 0; + option testenum = SSH::LOG; + option testport = 42/tcp; + option testportandproto = 42/tcp; + option testaddr = 127.0.0.1; + option testtime = network_time(); + option testinterval = 1sec; + option teststring = "a"; + option test_set: set[string] = {}; + option test_vector: vector of count = {}; +} + +type Idx: record { + option_name: string; +}; + +type Val: record { + option_val: string; +}; + +global currconfig: table[string] of string = table(); + +event InputConfig::new_value(name: string, source: string, id: string, value: any) + { + print outfile, id, value; + } + +event Input::end_of_data(name: string, source:string) + { + close(outfile); + terminate(); + } + +event bro_init() + { + outfile = open("../out"); + Input::add_table([$reader=Input::READER_CONFIG, $source="../configfile", $name="configuration", $idx=Idx, $val=Val, $destination=currconfig, $want_record=F]); + } + diff --git a/testing/btest/scripts/base/frameworks/input/config/errors.bro b/testing/btest/scripts/base/frameworks/input/config/errors.bro new file mode 100644 index 0000000000..4f398956dc --- /dev/null +++ b/testing/btest/scripts/base/frameworks/input/config/errors.bro 
@@ -0,0 +1,66 @@ +# @TEST-EXEC: btest-bg-run bro bro -b %INPUT +# @TEST-EXEC: btest-bg-wait 10 +# @TEST-EXEC: tail -n +2 .stderr > errout +# @TEST-EXEC: btest-diff errout + +redef exit_only_after_terminate = T; + +@TEST-START-FILE configfile +testbool A +testtesttesttesttesttest +testbool A B +testcount A +testenum unknown +testbooool T +test_any F +test_table whatever +@TEST-END-FILE + +@load base/protocols/ssh +@load base/protocols/conn + +global outfile: file; + +export { + option testbool: bool = T; + option testcount: count = 0; + option testint: int = 0; + option testenum = SSH::LOG; + option testport = 42/tcp; + option testaddr = 127.0.0.1; + option testtime = network_time(); + option testinterval = 1sec; + option teststring = "a"; + option test_set: set[string] = {}; + option test_vector: vector of count = {}; + option test_any: any = 5; + option test_table: table[string] of string = {}; +} + +type Idx: record { + option_name: string; +}; + +type Val: record { + option_val: string; +}; + +global currconfig: table[string] of string = table(); + +event InputConfig::new_value(name: string, source: string, id: string, value: any) + { + print outfile, id, value; + } + +event Input::end_of_data(name: string, source:string) + { + close(outfile); + terminate(); + } + +event bro_init() + { + outfile = open("../out"); + Input::add_table([$reader=Input::READER_CONFIG, $source="../configfile", $name="configuration", $idx=Idx, $val=Val, $destination=currconfig, $want_record=F]); + } + diff --git a/testing/btest/scripts/base/frameworks/input/empty-values-hashing.bro b/testing/btest/scripts/base/frameworks/input/empty-values-hashing.bro index 44a15a29bc..f25c9bc3f6 100644 --- a/testing/btest/scripts/base/frameworks/input/empty-values-hashing.bro +++ b/testing/btest/scripts/base/frameworks/input/empty-values-hashing.bro 
@@ -1,6 +1,6 @@ # @TEST-EXEC: cp input1.log input.log # @TEST-EXEC: btest-bg-run bro bro -b %INPUT -# @TEST-EXEC: sleep 2 +# @TEST-EXEC: $SCRIPTS/wait-for-file bro/got1 5 || (btest-bg-wait -k 1 && false) # @TEST-EXEC: cp input2.log input.log # @TEST-EXEC: btest-bg-wait 10 # @TEST-EXEC: btest-diff out @@ -20,8 +20,6 @@ 2 TEST TEST @TEST-END-FILE -@load base/frameworks/communication # let network-time run - redef exit_only_after_terminate = T; module A; @@ -77,7 +75,9 @@ event Input::end_of_data(name: string, source: string) print outfile, servers; try = try + 1; - if ( try == 2 ) + if ( try == 1 ) + system("touch got1"); + else if ( try == 2 ) { print outfile, "done"; close(outfile); diff --git a/testing/btest/scripts/base/frameworks/input/invalid-lines.bro b/testing/btest/scripts/base/frameworks/input/invalid-lines.bro new file mode 100644 index 0000000000..83be1efd09 --- /dev/null +++ b/testing/btest/scripts/base/frameworks/input/invalid-lines.bro 
@@ -0,0 +1,67 @@ +# @TEST-EXEC: btest-bg-run bro bro -b %INPUT +# @TEST-EXEC: btest-bg-wait 10 +# @TEST-EXEC: btest-diff out + +redef exit_only_after_terminate = T; +redef InputAscii::fail_on_invalid_lines = F; + +@TEST-START-FILE input.log +#separator \x09 +#path ssh +#fields b i e c p sn a d t iv s sc ss se vc ve ns +#types bool int enum count port subnet addr double time interval string table table table vector vector string +T -42 SSH::LOG 21 123 10.0.0.0/24 1.2.3.4 3.14 1315801931.273616 100.000000 hurz 2,4,1,3 CC,AA,BB EMPTY 10,20,30 +T -42 SSH::LOG 21 123 10.0.0.0/24 1.2.3.4 3.14 1315801931.273616 100.000000 hurz 2,4,1,3 CC,AA,BB EMPTY 10,20,30 EMPTY 4242 +T -43 SSH::LOG 21 123 10.0.0.0/24 1.2.3.4 3.14 1315801931.273616 100.000000 hurz 2,4,1,3 CC,AA,BB EMPTY 10,20,30 EMPTY 4242 HOHOHO +T -41 +@TEST-END-FILE + +@load base/protocols/ssh + +global outfile: file; + +redef InputAscii::empty_field = "EMPTY"; + +module A; + +type Idx: record { + i: int; +}; + +type Val: record { + b: bool; + e: Log::ID; + c: count; + p: port; + sn: subnet; + a: addr; + d: double; + t: time; + iv: interval; + s: string; + ns: string; + sc: set[count]; + ss: set[string]; + se: set[string]; + vc: vector of int; + ve: vector of int; +}; + +global servers: table[int] of Val = table(); +global servers2: table[int] of Val = table(); + +event bro_init() + { + outfile = open("../out"); + # first read in the old stuff into the table... + Input::add_table([$source="../input.log", $name="ssh", $idx=Idx, $val=Val, $destination=servers]); + Input::add_table([$source="../input.log", $name="ssh2", $idx=Idx, $val=Val, $destination=servers2, $config=table(["fail_on_invalid_lines"] = "T")]); + } + +event Input::end_of_data(name: string, source:string) + { + print outfile, servers; + Input::remove("ssh"); + close(outfile); + terminate(); + } 
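Review bot: The `ssh2` stream in invalid-lines.bro, the only one that sets `$config=table(["fail_on_invalid_lines"] = "T")`, is never checked. The test diffs only `out`, and `Input::end_of_data` prints `servers` and terminates on the first event without looking at `name`, so `servers2` and any error raised for `ssh2` are not part of a baseline. To cover the per-stream override, guard the handler with `if ( name != "ssh" ) return;` and additionally diff `bro/.stderr` or print `servers2`. The comment `# first read in the old stuff into the table...` also appears in invalidset.bro and does not describe the two `Input::add_table` calls here.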
diff --git a/testing/btest/scripts/base/frameworks/input/invalidset.bro b/testing/btest/scripts/base/frameworks/input/invalidset.bro new file mode 100644 index 0000000000..932060424e --- /dev/null +++ b/testing/btest/scripts/base/frameworks/input/invalidset.bro @@ -0,0 +1,65 @@ +# @TEST-EXEC: btest-bg-run bro bro -b %INPUT +# @TEST-EXEC: btest-bg-wait 10 +# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-sort btest-diff out +# @TEST-EXEC: sed 1d .stderr > .stderrwithoutfirstline +# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff .stderrwithoutfirstline + +@TEST-START-FILE input.log +#separator \x09 +#fields i s +name - +name 127.0.0.1 +@TEST-END-FILE + +redef exit_only_after_terminate = T; +redef InputAscii::fail_on_invalid_lines = T; + +global outfile: file; + +module A; + +type Idx: record { + i: string; +}; + +type Val: record { + s: set[subnet]; +}; + +global endcount: count = 0; + +global servers: table[string] of Val = table(); + +event handle_our_errors(desc: Input::TableDescription, msg: string, level: Reporter::Level) + { + print outfile, "TableErrorEvent", msg, level; + } + +event handle_our_errors_event(desc: Input::EventDescription, msg: string, level: Reporter::Level) + { + print outfile, "EventErrorEvent", msg, level; + } + +event line(description: Input::EventDescription, tpe: Input::Event, v: Val) + { + print outfile, "Event", v; + } + +event bro_init() + { + outfile = open("../out"); + # first read in the old stuff into the table... + Input::add_table([$source="../input.log", $name="ssh", $error_ev=handle_our_errors, $idx=Idx, $val=Val, $destination=servers]); + Input::add_event([$source="../input.log", $name="sshevent", $error_ev=handle_our_errors_event, $fields=Val, $want_record=T, $ev=line]); + } + +event Input::end_of_data(name: string, source:string) + { + ++endcount; + + if ( endcount == 2 ) + { + print outfile, servers; + terminate(); + } + } 
diff --git a/testing/btest/scripts/base/frameworks/input/invalidtext.bro b/testing/btest/scripts/base/frameworks/input/invalidtext.bro index 1de4e96671..3f5b590dec 100644 --- a/testing/btest/scripts/base/frameworks/input/invalidtext.bro +++ b/testing/btest/scripts/base/frameworks/input/invalidtext.bro @@ -13,6 +13,7 @@ @TEST-END-FILE redef exit_only_after_terminate = T; +redef InputAscii::fail_on_invalid_lines = T; global outfile: file; diff --git a/testing/btest/scripts/base/frameworks/input/missing-file-initially.bro b/testing/btest/scripts/base/frameworks/input/missing-file-initially.bro new file mode 100644 index 0000000000..7c9f51994c --- /dev/null +++ b/testing/btest/scripts/base/frameworks/input/missing-file-initially.bro 
@@ -0,0 +1,61 @@ +# This tests files that don't exist initially and then do later during +# runtime to make sure the ascii reader is resilient to files missing. +# It does a second test at the same time which configures the old +# failing behavior. + +# @TEST-EXEC: btest-bg-run bro bro %INPUT +# @TEST-EXEC: $SCRIPTS/wait-for-file bro/init 5 || (btest-bg-wait -k 1 && false) +# @TEST-EXEC: mv does-exist.dat does-not-exist.dat +# @TEST-EXEC: $SCRIPTS/wait-for-file bro/next 5 || (btest-bg-wait -k 1 && false) +# @TEST-EXEC: mv does-not-exist.dat does-not-exist-again.dat +# @TEST-EXEC: echo "3 streaming still works" >> does-not-exist-again.dat +# @TEST-EXEC: btest-bg-wait 5 +# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-sort btest-diff bro/.stdout +# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-sort btest-diff bro/.stderr + +@TEST-START-FILE does-exist.dat +#separator \x09 +#fields line +#types string +1 now it does +2 and more! +@TEST-END-FILE + +redef exit_only_after_terminate = T; + +@load base/frameworks/input + +module A; + +type Val: record { + line: string; +}; + +global line_count = 0; + +event line(description: Input::EventDescription, tpe: Input::Event, v: Val) + { + print fmt("%s: %s", description$name, v$line); + ++line_count; + + if ( line_count == 4 ) + system("touch next"); + if ( line_count == 5 ) + terminate(); + } + +event line2(description: Input::EventDescription, tpe: Input::Event, v: Val) + { + print "DONT PRINT THIS LINE"; + } + + +event bro_init() + { + Input::add_event([$source="../does-not-exist.dat", $name="input", $reader=Input::READER_ASCII, $mode=Input::REREAD, $fields=Val, $ev=line, $want_record=T]); + Input::add_event([$source="../does-not-exist.dat", $name="inputstream", $reader=Input::READER_ASCII, $mode=Input::STREAM, $fields=Val, $ev=line, $want_record=T]); + Input::add_event([$source="../does-not-exist.dat", $name="inputmanual", $reader=Input::READER_ASCII, $mode=Input::MANUAL, $fields=Val, $ev=line, $want_record=T]); + 
Input::add_event([$source="../does-not-exist.dat", $name="input2", $reader=Input::READER_ASCII, $mode=Input::REREAD, $fields=Val, $ev=line2, $want_record=T, + $config=table(["fail_on_file_problem"] = "T")]); + system("touch init"); + } diff --git a/testing/btest/scripts/base/frameworks/input/missing-file.bro b/testing/btest/scripts/base/frameworks/input/missing-file.bro index 08adfe2150..2ec3bb937f 100644 --- a/testing/btest/scripts/base/frameworks/input/missing-file.bro +++ b/testing/btest/scripts/base/frameworks/input/missing-file.bro @@ -3,6 +3,7 @@ # @TEST-EXEC: btest-diff bro/.stderr redef exit_only_after_terminate = T; +redef InputAscii::fail_on_file_problem = T; global outfile: file; global try: count; diff --git a/testing/btest/scripts/base/frameworks/input/port-embedded.bro b/testing/btest/scripts/base/frameworks/input/port-embedded.bro new file mode 100644 index 0000000000..8aab733069 --- /dev/null +++ b/testing/btest/scripts/base/frameworks/input/port-embedded.bro @@ -0,0 +1,44 @@ +# @TEST-EXEC: btest-bg-run bro bro -b %INPUT +# @TEST-EXEC: btest-bg-wait 10 +# @TEST-EXEC: btest-diff bro/.stdout +# @TEST-EXEC: btest-diff bro/.stderr + +@TEST-START-FILE input.log +#fields i p +1.2.3.4 80/tcp +1.2.3.5 52/udp +1.2.3.6 30/unknown +1.2.3.7 50/trash +@TEST-END-FILE + +redef exit_only_after_terminate = T; + +redef InputAscii::empty_field = "EMPTY"; + +module A; + +type Idx: record { + i: addr; +}; + +type Val: record { + p: port; +}; + +global servers: table[addr] of Val = table(); + +event line(description: Input::TableDescription, tpe: Input::Event, left: Idx, right: Val) + { + print left, right; + } + +event bro_init() + { + Input::add_table([$source="../input.log", $name="input", $idx=Idx, $val=Val, $ev=line, $destination=servers]); + } + +event Input::end_of_data(name: string, source: string) + { + Input::remove("input"); + terminate(); + } 
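Review bot: In missing-file-initially.bro, `system("touch init")` at the end of `bro_init()` shows only that the four `Input::add_event` calls have returned, not that any reader has already tried to open `../does-not-exist.dat` and found it missing. If the readers open their source asynchronously (not visible in this hunk), the `mv does-exist.dat does-not-exist.dat` step can win that race. In that case `input2`, configured with `fail_on_file_problem`, would read the file, `line2` would print, and the missing-file path would go unexercised. At minimum the assumption deserves a comment above the call, e.g. `# "init" means the streams were added; it does not prove the first open attempt already failed`.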
diff --git a/testing/btest/scripts/base/frameworks/input/predicatemodifyandreread.bro b/testing/btest/scripts/base/frameworks/input/predicatemodifyandreread.bro index 33455314cd..0ac5f104d0 100644 --- a/testing/btest/scripts/base/frameworks/input/predicatemodifyandreread.bro +++ b/testing/btest/scripts/base/frameworks/input/predicatemodifyandreread.bro @@ -1,12 +1,12 @@ # @TEST-EXEC: cp input1.log input.log # @TEST-EXEC: btest-bg-run bro bro -b %INPUT -# @TEST-EXEC: sleep 2 +# @TEST-EXEC: $SCRIPTS/wait-for-file bro/got1 5 || (btest-bg-wait -k 1 && false) # @TEST-EXEC: cp input2.log input.log -# @TEST-EXEC: sleep 2 +# @TEST-EXEC: $SCRIPTS/wait-for-file bro/got2 5 || (btest-bg-wait -k 1 && false) # @TEST-EXEC: cp input3.log input.log -# @TEST-EXEC: sleep 2 +# @TEST-EXEC: $SCRIPTS/wait-for-file bro/got3 5 || (btest-bg-wait -k 1 && false) # @TEST-EXEC: cp input4.log input.log -# @TEST-EXEC: sleep 2 +# @TEST-EXEC: $SCRIPTS/wait-for-file bro/got4 5 || (btest-bg-wait -k 1 && false) # @TEST-EXEC: cp input5.log input.log # @TEST-EXEC: btest-bg-wait 10 # @TEST-EXEC: btest-diff out @@ -57,8 +57,6 @@ redef exit_only_after_terminate = T; -@load base/frameworks/communication # let network-time run - redef InputAscii::empty_field = "EMPTY"; module A; @@ -98,7 +96,15 @@ event Input::end_of_data(name: string, source: string) try = try + 1; print outfile, fmt("Update_finished for %s, try %d", name, try); print outfile, servers; - + + if ( try == 1 ) + system("touch got1"); + else if ( try == 2 ) + system("touch got2"); + else if ( try == 3 ) + system("touch got3"); + else if ( try == 4 ) + system("touch got4"); if ( try == 5 ) { close(outfile); diff --git a/testing/btest/scripts/base/frameworks/input/raw/executestdin.bro b/testing/btest/scripts/base/frameworks/input/raw/executestdin.bro index 16826873f4..b78dd4e0e3 100644 --- a/testing/btest/scripts/base/frameworks/input/raw/executestdin.bro +++ b/testing/btest/scripts/base/frameworks/input/raw/executestdin.bro 
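Review bot: The marker chain added to `Input::end_of_data` in predicatemodifyandreread.bro spells out one branch per value of `try`, and the same four branches are repeated in the last hunk of reread.bro. Since the marker name is just the counter, `if ( try < 5 ) system(fmt("touch got%d", try));` says the same thing in one line. `try` is a script-local counter rather than a value read from input.log, so formatting it into the command does not put input data on a shell command line. The handler's body begins above the hunk.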
@@ -4,10 +4,10 @@ # @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-sort btest-diff out redef exit_only_after_terminate = T; -@load base/frameworks/communication # let network-time run. otherwise there are no heartbeats... global outfile: file; global processes_finished: count = 0; +global lines_received: count = 0; global n: count = 0; global total_processes: count = 0; @@ -21,10 +21,23 @@ type Val: record { s: string; }; +global more_input: function(name_prefix: string); + +function check_terminate_condition() + { + if ( processes_finished != total_processes ) + return; + + if ( lines_received != (total_processes - 1) * 2 ) + return; + + terminate(); + } + event line(description: Input::EventDescription, tpe: Input::Event, s: string) { - print outfile, tpe, description$source, description$name; - print outfile, s; + ++lines_received; + print outfile, tpe, description$source, description$name, s; } event InputRaw::process_finished(name: string, source:string, exit_code:count, signal_exit:bool) @@ -32,10 +45,18 @@ event InputRaw::process_finished(name: string, source:string, exit_code:count, s print "process_finished", name, source; Input::remove(name); ++processes_finished; - if ( processes_finished == total_processes ) + if ( processes_finished == 1 ) + { + more_input("input"); + more_input("input"); + more_input("input"); + more_input("input"); + more_input("input"); + } + else if ( processes_finished == total_processes ) { close(outfile); - terminate(); + check_terminate_condition(); } } @@ -60,9 +81,4 @@ event bro_init() $reader=Input::READER_RAW, $mode=Input::STREAM, $name="input", $fields=Val, $ev=line, $want_record=F, $config=config_strings]); - more_input("input"); - more_input("input"); - more_input("input"); - more_input("input"); - more_input("input"); } diff --git a/testing/btest/scripts/base/frameworks/input/raw/executestream.bro b/testing/btest/scripts/base/frameworks/input/raw/executestream.bro index 9ce2688296..240761ee03 100644 
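Review bot: In executestdin.bro, `check_terminate_condition()` is called only from the final `InputRaw::process_finished`. If that event can be handled before all `(total_processes - 1) * 2` lines have been delivered, the helper returns early and nothing calls it again, so the run lasts until `btest-bg-wait` times out. The same branch calls `close(outfile)` before the check, so a `line` event arriving afterwards prints to a closed file. Adding `check_terminate_condition();` at the end of the `line` handler and moving `close(outfile);` to just before `terminate();` inside the helper covers both cases. The body of `InputRaw::process_finished` starts outside the hunk, and the relative ordering of the two events should be confirmed against the raw reader.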
--- a/testing/btest/scripts/base/frameworks/input/raw/executestream.bro +++ b/testing/btest/scripts/base/frameworks/input/raw/executestream.bro @@ -1,8 +1,8 @@ # @TEST-EXEC: cp input1.log input.log # @TEST-EXEC: btest-bg-run bro bro -b %INPUT -# @TEST-EXEC: sleep 3 +# @TEST-EXEC: $SCRIPTS/wait-for-file bro/got1 5 || (btest-bg-wait -k 1 && false) # @TEST-EXEC: cat input2.log >> input.log -# @TEST-EXEC: sleep 3 +# @TEST-EXEC: $SCRIPTS/wait-for-file bro/got3 5 || (btest-bg-wait -k 1 && false) # @TEST-EXEC: cat input3.log >> input.log # @TEST-EXEC: btest-bg-wait 10 # @TEST-EXEC: btest-diff out @@ -26,7 +26,6 @@ sdf 3rw43wRRERLlL#RWERERERE. @TEST-END-FILE -@load base/frameworks/communication # let network-time run module A; @@ -39,12 +38,16 @@ global outfile: file; event line(description: Input::EventDescription, tpe: Input::Event, s: string) { - print outfile, description; + print outfile, description$source, description$reader, description$mode, description$name; print outfile, tpe; print outfile, s; try = try + 1; - if ( try == 8 ) + if ( try == 1 ) + system("touch got1"); + else if ( try == 3 ) + system("touch got3"); + else if ( try == 8 ) { print outfile, "done"; close(outfile); diff --git a/testing/btest/scripts/base/frameworks/input/raw/offset.bro b/testing/btest/scripts/base/frameworks/input/raw/offset.bro index 5ab2d84655..f37fb9c28a 100644 --- a/testing/btest/scripts/base/frameworks/input/raw/offset.bro +++ b/testing/btest/scripts/base/frameworks/input/raw/offset.bro @@ -1,6 +1,6 @@ # @TEST-EXEC: cp input.log input2.log # @TEST-EXEC: btest-bg-run bro bro -b %INPUT -# @TEST-EXEC: sleep 2 +# @TEST-EXEC: $SCRIPTS/wait-for-file bro/got2 5 || (btest-bg-wait -k 1 && false) # @TEST-EXEC: echo "hi" >> input2.log # @TEST-EXEC: btest-bg-wait 10 # @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-sort btest-diff out 
@@ -10,7 +10,6 @@ sdfkh:KH;fdkncv;ISEUp34:Fkdj;YVpIODhfDF @TEST-END-FILE redef exit_only_after_terminate = T; -@load base/frameworks/communication # keep network time running global outfile: file; global try: count; @@ -25,7 +24,9 @@ event line(description: Input::EventDescription, tpe: Input::Event, s: string) { print outfile, s; try = try + 1; - if ( try == 3 ) + if ( try == 2 ) + system("touch got2"); + else if ( try == 3 ) { close(outfile); terminate(); diff --git a/testing/btest/scripts/base/frameworks/input/raw/stderr.bro b/testing/btest/scripts/base/frameworks/input/raw/stderr.bro index 0eb312c3e6..8ff4cc7f1b 100644 --- a/testing/btest/scripts/base/frameworks/input/raw/stderr.bro +++ b/testing/btest/scripts/base/frameworks/input/raw/stderr.bro 
@@ -1,73 +1,68 @@ +# @TEST-EXEC: mkdir mydir && touch mydir/a && touch mydir/b && touch mydir/c # @TEST-EXEC: btest-bg-run bro bro -b %INPUT # @TEST-EXEC: btest-bg-wait 10 # @TEST-EXEC: btest-diff out redef exit_only_after_terminate = T; -@load base/frameworks/communication # let network-time run. otherwise there are no heartbeats... type Val: record { s: string; is_stderr: bool; }; -global try: count; +global try = 0; +global n = 0; global outfile: file; event line(description: Input::EventDescription, tpe: Input::Event, s: string, is_stderr: bool) { - print outfile, tpe; + local line_output = fmt("%s line output (stderr=%s): ", tpe, is_stderr); + if ( is_stderr ) { # work around localized error messages. and if some localization does not include the filename... well... that would be bad :) if ( strstr(s, "nonexistant") > 0 ) - { - print outfile, "stderr output contained nonexistant"; - } + line_output += ""; + else + line_output += ""; } else - { - print outfile, s; - } - print outfile, is_stderr; + line_output += s; - try = try + 1; - if ( try == 7 ) - { - print outfile, "done"; - Input::remove("input"); - } + print outfile, line_output; + ++try; + + if ( n == 2 && try == 7 ) + terminate(); } -global n = 0; - event Input::end_of_data(name: string, source:string) { - print outfile, "End of Data event"; - print outfile, name; + print outfile, "End of Data event", name; ++n; - if ( n == 2 ) + + if ( n == 2 && try == 7 ) terminate(); } event InputRaw::process_finished(name: string, source:string, exit_code:count, signal_exit:bool) { - print outfile, "Process finished event"; - print outfile, name; - if ( exit_code != 0 ) - print outfile, "Exit code != 0"; + print outfile, "Process finished event", name, exit_code != 0; ++n; - if ( n == 2 ) + + if ( n == 2 && try == 7 ) terminate(); } event bro_init() { - local config_strings: table[string] of string = { ["read_stderr"] = "1" }; outfile = open("../out"); - try = 0; - Input::add_event([$source="ls .. 
../nonexistant ../nonexistant2 ../nonexistant3 |", $reader=Input::READER_RAW, $name="input", $fields=Val, $ev=line, $want_record=F, $config=config_strings, $mode=Input::STREAM]); + Input::add_event([$source="ls ../mydir ../nonexistant ../nonexistant2 ../nonexistant3 |", + $reader=Input::READER_RAW, $name="input", + $fields=Val, $ev=line, $want_record=F, + $config=config_strings, $mode=Input::STREAM]); } diff --git a/testing/btest/scripts/base/frameworks/input/raw/streamraw.bro b/testing/btest/scripts/base/frameworks/input/raw/streamraw.bro index 84dd74e23c..331db7eeb8 100644 --- a/testing/btest/scripts/base/frameworks/input/raw/streamraw.bro +++ b/testing/btest/scripts/base/frameworks/input/raw/streamraw.bro @@ -1,8 +1,8 @@ # @TEST-EXEC: cp input1.log input.log # @TEST-EXEC: btest-bg-run bro bro -b %INPUT -# @TEST-EXEC: sleep 3 +# @TEST-EXEC: $SCRIPTS/wait-for-file bro/got1 5 || (btest-bg-wait -k 1 && false) # @TEST-EXEC: cat input2.log >> input.log -# @TEST-EXEC: sleep 3 +# @TEST-EXEC: $SCRIPTS/wait-for-file bro/got3 5 || (btest-bg-wait -k 1 && false) # @TEST-EXEC: cat input3.log >> input.log # @TEST-EXEC: btest-bg-wait 10 # @TEST-EXEC: btest-diff out @@ -26,8 +26,6 @@ sdf 3rw43wRRERLlL#RWERERERE. @TEST-END-FILE -@load base/frameworks/communication # let network-time run - module A; type Val: record { @@ -39,12 +37,17 @@ global outfile: file; event line(description: Input::EventDescription, tpe: Input::Event, s: string) { - print outfile, description; + print outfile, description$source, description$reader, description$mode, description$name; print outfile, tpe; print outfile, s; try = try + 1; - if ( try == 8 ) + + if ( try == 1 ) + system("touch got1"); + else if ( try == 3 ) + system("touch got3"); + else if ( try == 8 ) { print outfile, "done"; close(outfile); diff --git a/testing/btest/scripts/base/frameworks/input/reread.bro b/testing/btest/scripts/base/frameworks/input/reread.bro index e55b4b4f0c..e4bb09df39 100644 
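Review bot: In stderr.bro's `line` handler, both arms of the `strstr(s, "nonexistant") > 0` test append the same empty string (`line_output += "";`) as the hunk is shown here. The output would therefore no longer record whether the stderr text was the expected one. If the literals really are empty, and were not lost when the page was rendered, each arm needs its own marker: for example the removed text `"stderr output contained nonexistant"` in the first arm and a distinct string in the `else`. The handler's opening lines and `bro_init()` are only partly inside the hunk.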
--- a/testing/btest/scripts/base/frameworks/input/reread.bro +++ b/testing/btest/scripts/base/frameworks/input/reread.bro @@ -1,12 +1,12 @@ # @TEST-EXEC: cp input1.log input.log # @TEST-EXEC: btest-bg-run bro bro -b %INPUT -# @TEST-EXEC: sleep 2 +# @TEST-EXEC: $SCRIPTS/wait-for-file bro/got1 5 || (btest-bg-wait -k 1 && false) # @TEST-EXEC: cp input2.log input.log -# @TEST-EXEC: sleep 2 +# @TEST-EXEC: $SCRIPTS/wait-for-file bro/got2 5 || (btest-bg-wait -k 1 && false) # @TEST-EXEC: cp input3.log input.log -# @TEST-EXEC: sleep 2 +# @TEST-EXEC: $SCRIPTS/wait-for-file bro/got3 5 || (btest-bg-wait -k 1 && false) # @TEST-EXEC: cp input4.log input.log -# @TEST-EXEC: sleep 2 +# @TEST-EXEC: $SCRIPTS/wait-for-file bro/got4 5 || (btest-bg-wait -k 1 && false) # @TEST-EXEC: cp input5.log input.log # @TEST-EXEC: btest-bg-wait 10 # @TEST-EXEC: btest-diff out 
@@ -43,7 +43,7 @@ T -42 SSH::LOG 21 123 10.0.0.0/24 1.2.3.4 3.14 1315801931.273616 100.000000 hurz F -43 SSH::LOG 21 123 10.0.0.0/24 1.2.3.4 3.14 1315801931.273616 100.000000 hurz 2,4,1,3 CC,AA,BB EMPTY 10,20,30 EMPTY SSH::foo\x0a{ \x0aif (0 < SSH::i) \x0a\x09return (Foo);\x0aelse\x0a\x09return (Bar);\x0a\x0a} F -44 SSH::LOG 21 123 10.0.0.0/24 1.2.3.4 3.14 1315801931.273616 100.000000 hurz 2,4,1,3 CC,AA,BB EMPTY 10,20,30 EMPTY SSH::foo\x0a{ \x0aif (0 < SSH::i) \x0a\x09return (Foo);\x0aelse\x0a\x09return (Bar);\x0a\x0a} F -45 SSH::LOG 21 123 10.0.0.0/24 1.2.3.4 3.14 1315801931.273616 100.000000 hurz 2,4,1,3 CC,AA,BB EMPTY 10,20,30 EMPTY SSH::foo\x0a{ \x0aif (0 < SSH::i) \x0a\x09return (Foo);\x0aelse\x0a\x09return (Bar);\x0a\x0a} -F -46 SSH::LOG 21 123 10.0.0.0/24 1.2.3.4 3.14 1315801931.273616 100.000000 hurz 2,4,1,3 CC,AA,BB EMPTY 10,20,30 EMPTY SSH::foo\x0a{ \x0aif (0 < SSH::i) \x0a\x09return (Foo);\x0aelse\x0a\x09return (Bar);\x0a\x0a} +0 -46 SSH::LOG 21 123 10.0.0.0/24 1.2.3.4 3.14 1315801931.273616 100.000000 hurz 2,4,1,3 CC,AA,BB EMPTY 10,20,30 EMPTY SSH::foo\x0a{ \x0aif (0 < SSH::i) \x0a\x09return (Foo);\x0aelse\x0a\x09return (Bar);\x0a\x0a} F -47 SSH::LOG 21 123 10.0.0.0/24 1.2.3.4 3.14 1315801931.273616 100.000000 hurz 2,4,1,3 CC,AA,BB EMPTY 10,20,30 EMPTY SSH::foo\x0a{ \x0aif (0 < SSH::i) \x0a\x09return (Foo);\x0aelse\x0a\x09return (Bar);\x0a\x0a} F -48 SSH::LOG 21 123 10.0.0.0/24 1.2.3.4 3.14 1315801931.273616 100.000000 hurz 2,4,1,3 CC,AA,BB EMPTY 10,20,30 EMPTY SSH::foo\x0a{ \x0aif (0 < SSH::i) \x0a\x09return (Foo);\x0aelse\x0a\x09return (Bar);\x0a\x0a} @TEST-END-FILE @@ -56,7 +56,6 @@ F -48 SSH::LOG 21 123 10.0.0.0/24 1.2.3.4 3.14 1315801931.273616 100.000000 hurz @TEST-END-FILE @load base/protocols/ssh -@load base/frameworks/communication # let network-time run redef exit_only_after_terminate = T; redef InputAscii::empty_field = "EMPTY"; 
@@ -127,7 +126,16 @@ event Input::end_of_data(name: string, source: string) print outfile, servers; try = try + 1; - if ( try == 5 ) + + if ( try == 1 ) + system("touch got1"); + else if ( try == 2 ) + system("touch got2"); + else if ( try == 3 ) + system("touch got3"); + else if ( try == 4 ) + system("touch got4"); + else if ( try == 5 ) { print outfile, "done"; close(outfile); diff --git a/testing/btest/scripts/base/frameworks/input/stream.bro b/testing/btest/scripts/base/frameworks/input/stream.bro index 75228ee102..8ed498f074 100644 --- a/testing/btest/scripts/base/frameworks/input/stream.bro +++ b/testing/btest/scripts/base/frameworks/input/stream.bro @@ -1,8 +1,8 @@ # @TEST-EXEC: cp input1.log input.log # @TEST-EXEC: btest-bg-run bro bro -b %INPUT -# @TEST-EXEC: sleep 3 +# @TEST-EXEC: $SCRIPTS/wait-for-file bro/got1 5 || (btest-bg-wait -k 1 && false) # @TEST-EXEC: cat input2.log >> input.log -# @TEST-EXEC: sleep 3 +# @TEST-EXEC: $SCRIPTS/wait-for-file bro/got2 5 || (btest-bg-wait -k 1 && false) # @TEST-EXEC: cat input3.log >> input.log # @TEST-EXEC: btest-bg-wait 10 # @TEST-EXEC: btest-diff out @@ -21,7 +21,6 @@ T -43 SSH::LOG 21 123 10.0.0.0/24 1.2.3.4 3.14 1315801931.273616 100.000000 hurz F -43 SSH::LOG 21 123 10.0.0.0/24 1.2.3.4 3.14 1315801931.273616 100.000000 hurz 2,4,1,3 CC,AA,BB EMPTY 10,20,30 EMPTY SSH::foo\x0a{ \x0aif (0 < SSH::i) \x0a\x09return (Foo);\x0aelse\x0a\x09return (Bar);\x0a\x0a} @TEST-END-FILE -@load base/frameworks/communication # keep network time running @load base/protocols/ssh redef exit_only_after_terminate = T; @@ -67,8 +66,12 @@ event line(description: Input::TableDescription, tpe: Input::Event, left: Idx, r print outfile, servers; try = try + 1; - - if ( try == 3 ) + + if ( try == 1 ) + system("touch got1"); + else if ( try == 2 ) + system("touch got2"); + else if ( try == 3 ) { print outfile, "done"; close(outfile); 
diff --git a/testing/btest/scripts/base/frameworks/input/twotables.bro b/testing/btest/scripts/base/frameworks/input/twotables.bro index 0e4436afa2..6f127ac4c2 100644 --- a/testing/btest/scripts/base/frameworks/input/twotables.bro +++ b/testing/btest/scripts/base/frameworks/input/twotables.bro @@ -1,6 +1,6 @@ # @TEST-EXEC: cp input1.log input.log # @TEST-EXEC: btest-bg-run bro bro -b %INPUT -# @TEST-EXEC: sleep 5 +# @TEST-EXEC: $SCRIPTS/wait-for-file bro/got2 5 || (btest-bg-wait -k 1 && false) # @TEST-EXEC: cp input3.log input.log # @TEST-EXEC: btest-bg-wait 10 # @TEST-EXEC: btest-diff event.out @@ -30,7 +30,6 @@ T -43 SSH::LOG 21 123 10.0.0.0/24 1.2.3.4 3.14 1315801931.273616 100.000000 hurz F -44 SSH::LOG 21 123 10.0.0.0/24 1.2.3.4 3.14 1315801931.273616 100.000000 hurz 2,4,1,3 CC,AA,BB EMPTY 10,20,30 EMPTY SSH::foo\x0a{ \x0aif (0 < SSH::i) \x0a\x09return (Foo);\x0aelse\x0a\x09return (Bar);\x0a\x0a} @TEST-END-FILE -@load base/frameworks/communication # keep network time running @load base/protocols/ssh redef exit_only_after_terminate = T; @@ -117,7 +116,9 @@ event Input::end_of_data(name: string, source: string) #print fin_out, servers; try = try + 1; - if ( try == 3 ) + if ( try == 2 ) + system("touch got2"); + else if ( try == 3 ) { print fin_out, "done"; print fin_out, servers; diff --git a/testing/btest/scripts/base/frameworks/intel/cluster-transparency-with-proxy.bro b/testing/btest/scripts/base/frameworks/intel/cluster-transparency-with-proxy.bro new file mode 100644 index 0000000000..bf6ed644ed --- /dev/null +++ b/testing/btest/scripts/base/frameworks/intel/cluster-transparency-with-proxy.bro 
@@ -0,0 +1,90 @@ +# @TEST-SERIALIZE: comm +# +# @TEST-EXEC: btest-bg-run manager-1 BROPATH=$BROPATH:.. CLUSTER_NODE=manager-1 bro %INPUT +# @TEST-EXEC: btest-bg-run proxy-1 BROPATH=$BROPATH:.. CLUSTER_NODE=proxy-1 bro %INPUT +# @TEST-EXEC: btest-bg-run worker-1 BROPATH=$BROPATH:.. CLUSTER_NODE=worker-1 bro %INPUT +# @TEST-EXEC: btest-bg-run worker-2 BROPATH=$BROPATH:.. CLUSTER_NODE=worker-2 bro %INPUT +# @TEST-EXEC: btest-bg-wait -k 10 +# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-sort btest-diff manager-1/.stdout +# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-sort btest-diff worker-1/.stdout +# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-sort btest-diff worker-2/.stdout +# @TEST-EXEC: btest-diff manager-1/intel.log + +@TEST-START-FILE cluster-layout.bro +redef Cluster::nodes = { + ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=37757/tcp], + ["worker-1"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37760/tcp, $manager="manager-1"], + ["worker-2"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37761/tcp, $manager="manager-1"], + ["proxy-1"] = [$node_type=Cluster::PROXY, $ip=127.0.0.1, $p=37762/tcp, $manager="manager-1"], +}; +@TEST-END-FILE + +module Intel; + +redef Log::default_rotation_interval=0sec; + +event Cluster::node_up(name: string, id: string) + { + # Insert the data once both workers are connected. + if ( Cluster::local_node_type() == Cluster::MANAGER && Cluster::worker_count == 2 && Cluster::proxy_pool$alive_count == 1 ) + { + Intel::insert([$indicator="1.2.3.4", $indicator_type=Intel::ADDR, $meta=[$source="manager"]]); + } + } + +global worker2_data = 0; +global sent_data = F; +# Watch for new indicators send to workers. +event Intel::insert_indicator(item: Intel::Item) + { + print fmt("new_indicator: %s inserted by %s", item$indicator, item$meta$source); + + if ( ! sent_data ) + { + # We wait to insert data here because we can now be sure the + # full cluster is constructed. 
+ sent_data = T; + if ( Cluster::node == "worker-1" ) + Intel::insert([$indicator="123.123.123.123", $indicator_type=Intel::ADDR, $meta=[$source="worker-1"]]); + if ( Cluster::node == "worker-2" ) + Intel::insert([$indicator="4.3.2.1", $indicator_type=Intel::ADDR, $meta=[$source="worker-2"]]); + } + + # We're forcing worker-2 to do a lookup when it has three intelligence items + # which were distributed over the cluster (data inserted locally is resent). + if ( Cluster::node == "worker-2" ) + { + ++worker2_data; + if ( worker2_data == 3 ) + { + # Now that everything is inserted, see if we can match on the data inserted + # by worker-1. + print "Doing a lookup"; + Intel::seen([$host=123.123.123.123, $where=Intel::IN_ANYWHERE]); + } + } + } + +# Watch for remote inserts sent to the manager. +event Intel::insert_item(item: Intel::Item) + { + print fmt("insert_item: %s inserted by %s", item$indicator, item$meta$source); + } + +# Watch for new items. +event Intel::new_item(item: Intel::Item) + { + print fmt("new_item triggered for %s by %s on %s", item$indicator, + item$meta$source, Cluster::node); + } + +event Intel::log_intel(rec: Intel::Info) + { + terminate(); + } + +event Cluster::node_down(name: string, id: string) + { + # Cascading termination + terminate(); + } diff --git a/testing/btest/scripts/base/frameworks/intel/cluster-transparency.bro b/testing/btest/scripts/base/frameworks/intel/cluster-transparency.bro index 5bedf752d2..62aabf6888 100644 --- a/testing/btest/scripts/base/frameworks/intel/cluster-transparency.bro +++ b/testing/btest/scripts/base/frameworks/intel/cluster-transparency.bro 
@@ -11,19 +11,17 @@ @TEST-START-FILE cluster-layout.bro redef Cluster::nodes = { - ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=37757/tcp, $workers=set("worker-1", "worker-2")], + ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=37757/tcp], ["worker-1"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37760/tcp, $manager="manager-1"], ["worker-2"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37761/tcp, $manager="manager-1"], }; @TEST-END-FILE -@load base/frameworks/control - module Intel; redef Log::default_rotation_interval=0sec; -event remote_connection_handshake_done(p: event_peer) +event Cluster::node_up(name: string, id: string) { # Insert the data once both workers are connected. if ( Cluster::local_node_type() == Cluster::MANAGER && Cluster::worker_count == 2 ) @@ -34,12 +32,10 @@ event remote_connection_handshake_done(p: event_peer) global worker2_data = 0; global sent_data = F; -event Intel::cluster_new_item(item: Intel::Item) +# Watch for new indicators send to workers. +event Intel::insert_indicator(item: Intel::Item) { - if ( ! is_remote_event() ) - return; - - print fmt("cluster_new_item: %s inserted by %s (from peer: %s)", item$indicator, item$meta$source, get_event_peer()$descr); + print fmt("new_indicator: %s inserted by %s", item$indicator, item$meta$source); if ( ! sent_data ) { 
@@ -67,14 +63,26 @@ event Intel::cluster_new_item(item: Intel::Item) } } -event Intel::log_intel(rec: Intel::Info) +# Watch for remote inserts sent to the manager. +event Intel::insert_item(item: Intel::Item) { - event Control::shutdown_request(); + print fmt("insert_item: %s inserted by %s", item$indicator, item$meta$source); } -event remote_connection_closed(p: event_peer) +# Watch for new items. +event Intel::new_item(item: Intel::Item) + { + print fmt("new_item triggered for %s by %s on %s", item$indicator, + item$meta$source, Cluster::node); + } + +event Intel::log_intel(rec: Intel::Info) + { + terminate(); + } + +event Cluster::node_down(name: string, id: string) { # Cascading termination - #print fmt("disconnected from: %s", p); - terminate_communication(); + terminate(); } diff --git a/testing/btest/scripts/base/frameworks/intel/expire-item.bro b/testing/btest/scripts/base/frameworks/intel/expire-item.bro index df9170b669..08d80714bc 100644 --- a/testing/btest/scripts/base/frameworks/intel/expire-item.bro +++ b/testing/btest/scripts/base/frameworks/intel/expire-item.bro @@ -7,11 +7,13 @@ # @TEST-START-FILE intel.dat #fields indicator indicator_type meta.source meta.desc meta.url 1.2.3.4 Intel::ADDR source1 this host is bad http://some-data-distributor.com/1 +192.168.0.0/16 Intel::SUBNET source1 this network is bad http://some-data-distributor.com/2 # @TEST-END-FILE -@load frameworks/communication/listen @load frameworks/intel/do_expire +redef exit_only_after_terminate = T; + redef Intel::read_files += { "../intel.dat" }; redef enum Intel::Where += { SOMEWHERE }; redef Intel::item_expiration = 9sec; 
@@ -20,13 +22,32 @@ redef table_expire_interval = 3sec; global runs = 0; event do_it() { + ++runs; + print fmt("-- Run %s --", runs); + print "Trigger: 1.2.3.4"; Intel::seen([$host=1.2.3.4, $where=SOMEWHERE]); - ++runs; + if ( runs == 2 ) + { + # Reinserting the indicator should reset the expiration + print "Reinsert: 1.2.3.4"; + local item = [ + $indicator="1.2.3.4", + $indicator_type=Intel::ADDR, + $meta=[ + $source="source2", + $desc="this host is still bad", + $url="http://some-data-distributor.com/2"] + ]; + Intel::insert(item); + } + if ( runs < 6 ) schedule 3sec { do_it() }; + else + terminate(); } event Intel::match(s: Intel::Seen, items: set[Intel::Item]) diff --git a/testing/btest/scripts/base/frameworks/intel/input-and-match.bro b/testing/btest/scripts/base/frameworks/intel/input-and-match.bro index 7150d30993..8f74117201 100644 --- a/testing/btest/scripts/base/frameworks/intel/input-and-match.bro +++ b/testing/btest/scripts/base/frameworks/intel/input-and-match.bro @@ -1,4 +1,3 @@ -# @TEST-SERIALIZE: comm # @TEST-EXEC: btest-bg-run broproc bro %INPUT # @TEST-EXEC: btest-bg-wait -k 5 @@ -11,8 +10,7 @@ e@mail.com Intel::EMAIL source1 Phishing email source http://some-data-distributor.com/100000 @TEST-END-FILE -@load frameworks/communication/listen - +redef exit_only_after_terminate = T; redef Intel::read_files += { "../intel.dat" }; redef enum Intel::Where += { SOMEWHERE }; diff --git a/testing/btest/scripts/base/frameworks/intel/match-subnet.bro b/testing/btest/scripts/base/frameworks/intel/match-subnet.bro index 1e25868de1..8e3fe74116 100644 --- a/testing/btest/scripts/base/frameworks/intel/match-subnet.bro +++ b/testing/btest/scripts/base/frameworks/intel/match-subnet.bro 
@@ -14,7 +14,7 @@ 192.168.128.0/18 Intel::SUBNET source1 this subnetwork might be baaad http://some-data-distributor.com/5 # @TEST-END-FILE -@load frameworks/communication/listen +redef exit_only_after_terminate = T; redef Intel::read_files += { "../intel.dat" }; redef enum Intel::Where += { SOMEWHERE }; diff --git a/testing/btest/scripts/base/frameworks/intel/read-file-dist-cluster.bro b/testing/btest/scripts/base/frameworks/intel/read-file-dist-cluster.bro index f336fe24b3..be1a526f1c 100644 --- a/testing/btest/scripts/base/frameworks/intel/read-file-dist-cluster.bro +++ b/testing/btest/scripts/base/frameworks/intel/read-file-dist-cluster.bro @@ -1,7 +1,6 @@ # @TEST-SERIALIZE: comm # # @TEST-EXEC: btest-bg-run manager-1 BROPATH=$BROPATH:.. CLUSTER_NODE=manager-1 bro %INPUT -# @TEST-EXEC: sleep 2 # @TEST-EXEC: btest-bg-run worker-1 BROPATH=$BROPATH:.. CLUSTER_NODE=worker-1 bro %INPUT # @TEST-EXEC: btest-bg-run worker-2 BROPATH=$BROPATH:.. CLUSTER_NODE=worker-2 bro %INPUT # @TEST-EXEC: btest-bg-wait -k 10 @@ -12,7 +11,7 @@ @TEST-START-FILE cluster-layout.bro redef Cluster::nodes = { - ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=37757/tcp, $workers=set("worker-1", "worker-2")], + ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=37757/tcp], ["worker-1"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37760/tcp, $manager="manager-1"], ["worker-2"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37761/tcp, $manager="manager-1"], }; diff --git a/testing/btest/scripts/base/frameworks/intel/remove-item-cluster.bro b/testing/btest/scripts/base/frameworks/intel/remove-item-cluster.bro index d13536a015..6cc0fbdea0 100644 --- a/testing/btest/scripts/base/frameworks/intel/remove-item-cluster.bro +++ b/testing/btest/scripts/base/frameworks/intel/remove-item-cluster.bro 
@@ -2,20 +2,18 @@ # # @TEST-EXEC: btest-bg-run manager-1 BROPATH=$BROPATH:.. CLUSTER_NODE=manager-1 bro %INPUT # @TEST-EXEC: btest-bg-run worker-1 BROPATH=$BROPATH:.. CLUSTER_NODE=worker-1 bro %INPUT -# @TEST-EXEC: btest-bg-wait -k 10 +# @TEST-EXEC: btest-bg-wait -k 13 # @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-sort btest-diff manager-1/.stdout # @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-sort btest-diff worker-1/.stdout # @TEST-EXEC: btest-diff manager-1/intel.log # @TEST-START-FILE cluster-layout.bro redef Cluster::nodes = { - ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=37757/tcp, $workers=set("worker-1")], + ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=37757/tcp], ["worker-1"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37760/tcp, $manager="manager-1"], }; # @TEST-END-FILE -@load base/frameworks/control - module Intel; redef Log::default_rotation_interval=0sec; @@ -37,7 +35,7 @@ event test_worker() Intel::seen([$host=10.10.10.10, $where=Intel::IN_ANYWHERE]); } -event remote_connection_handshake_done(p: event_peer) +event Cluster::node_up(name: string, id: string) { # Insert the data once all workers are connected. if ( Cluster::local_node_type() == Cluster::MANAGER && Cluster::worker_count == 1 ) @@ -54,7 +52,7 @@ event remote_connection_handshake_done(p: event_peer) } global worker_data = 0; -event Intel::cluster_new_item(item: Intel::Item) +event Intel::insert_indicator(item: Intel::Item) { # Run test on worker-1 when all items have been inserted if ( Cluster::node == "worker-1" ) 
@@ -70,19 +68,24 @@ event Intel::remove_item(item: Item, purge_indicator: bool) print fmt("Removing %s (source: %s).", item$indicator, item$meta$source); } -event purge_item(item: Item) +event remove_indicator(item: Item) { print fmt("Purging %s.", item$indicator); } +event die() + { + terminate(); + } + event Intel::log_intel(rec: Intel::Info) { print "Logging intel hit!"; - event Control::shutdown_request(); + schedule 2sec { die() }; } -event remote_connection_closed(p: event_peer) +event Cluster::node_down(name: string, id: string) { # Cascading termination - terminate_communication(); + schedule 2sec { die() }; } diff --git a/testing/btest/scripts/base/frameworks/intel/remove-non-existing.bro b/testing/btest/scripts/base/frameworks/intel/remove-non-existing.bro index 379d132834..1885f5bcf8 100644 --- a/testing/btest/scripts/base/frameworks/intel/remove-non-existing.bro +++ b/testing/btest/scripts/base/frameworks/intel/remove-non-existing.bro @@ -9,7 +9,7 @@ 192.168.1.1 Intel::ADDR source1 this host is just plain baaad http://some-data-distributor.com/1 # @TEST-END-FILE -@load frameworks/communication/listen +redef exit_only_after_terminate = T; redef Intel::read_files += { "../intel.dat" }; redef enum Intel::Where += { SOMEWHERE }; diff --git a/testing/btest/scripts/base/frameworks/intel/updated-match.bro b/testing/btest/scripts/base/frameworks/intel/updated-match.bro index 75063d4b8f..5cace1741e 100644 --- a/testing/btest/scripts/base/frameworks/intel/updated-match.bro +++ b/testing/btest/scripts/base/frameworks/intel/updated-match.bro 
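Review bot: The `schedule 2sec { die() }` calls added in `Intel::log_intel` and `Cluster::node_down` use a fixed delay with no stated reason; it presumably gives Broker time to deliver queued events and log writes before `terminate()` runs. A comment such as `# Delay termination so pending Broker messages are delivered before this node exits.` above each call would record that intent. The same unexplained 2-second pattern recurs in the field-extension-cluster tests and in the recv.bro parts of the netcontrol acld tests later in this diff. If the delay turns out to be load-sensitive, a short constant shared by the handlers would make it easier to tune than repeated literals.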
@@ -1,12 +1,10 @@ -# @TEST-SERIALIZE: comm - # @TEST-EXEC: cp intel1.dat intel.dat # @TEST-EXEC: btest-bg-run broproc bro %INPUT -# @TEST-EXEC: sleep 2 +# @TEST-EXEC: $SCRIPTS/wait-for-file broproc/got1 5 || (btest-bg-wait -k 1 && false) # @TEST-EXEC: cp intel2.dat intel.dat -# @TEST-EXEC: sleep 2 +# @TEST-EXEC: $SCRIPTS/wait-for-file broproc/got2 5 || (btest-bg-wait -k 1 && false) # @TEST-EXEC: cp intel3.dat intel.dat -# @TEST-EXEC: btest-bg-wait 6 +# @TEST-EXEC: btest-bg-wait 10 # @TEST-EXEC: cat broproc/intel.log > output # @TEST-EXEC: cat broproc/notice.log >> output # @TEST-EXEC: btest-diff output @@ -28,7 +26,6 @@ 4.3.2.1 Intel::ADDR source2 this host might also be baaad http://some-data-distributor.com/4321 T # @TEST-END-FILE -@load base/frameworks/communication # let network-time run @load frameworks/intel/do_notice redef exit_only_after_terminate = T; @@ -36,6 +33,8 @@ redef Intel::read_files += { "../intel.dat" }; redef enum Intel::Where += { SOMEWHERE }; global runs = 0; +global entries_read = 0; + event do_it() { Intel::seen([$host=1.2.3.4, @@ -44,8 +43,11 @@ event do_it() $where=SOMEWHERE]); ++runs; - if ( runs < 3 ) - schedule 3sec { do_it() }; + + if ( runs == 1 ) + system("touch got1"); + if ( runs == 2 ) + system("touch got2"); } global log_lines = 0; @@ -56,7 +58,17 @@ event Intel::log_intel(rec: Intel::Info) terminate(); } -event bro_init() &priority=-10 +module Intel; + +event Intel::read_entry(desc: Input::EventDescription, tpe: Input::Event, item: Intel::Item) { - schedule 1sec { do_it() }; + ++entries_read; + print entries_read; + + if ( entries_read == 1 ) + event do_it(); + else if ( entries_read == 3 ) + event do_it(); + else if ( entries_read == 5 ) + event do_it(); } diff --git a/testing/btest/scripts/base/frameworks/logging/adapt-filter.bro b/testing/btest/scripts/base/frameworks/logging/adapt-filter.bro index 53cfdd1655..2db881deea 100644 --- a/testing/btest/scripts/base/frameworks/logging/adapt-filter.bro 
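Review bot: The thresholds 1, 3 and 5 in the new `Intel::read_entry` handler are undocumented and appear to encode the cumulative number of entries read after each of intel1.dat, intel2.dat and intel3.dat has been loaded. Editing any of those data files would silently desynchronise `do_it()` from the `got1`/`got2` marker files that the `wait-for-file` steps depend on. A comment above the `if` chain would help, for example `# Cumulative entry counts after each intel file is fully read (1, then +2, then +2); keep in sync with the .dat files.`, once the counts are confirmed against the embedded files. The `print entries_read;` output is not diffed by any `@TEST-EXEC` line in the first hunk, so it looks like leftover debugging output.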
+++ b/testing/btest/scripts/base/frameworks/logging/adapt-filter.bro @@ -27,7 +27,7 @@ event bro_init() filter$path= "ssh-new-default"; Log::add_filter(SSH::LOG, filter); - local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp]; + local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp]; Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="success"]); Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="US"]); } diff --git a/testing/btest/scripts/base/frameworks/logging/ascii-double.bro b/testing/btest/scripts/base/frameworks/logging/ascii-double.bro index e6d9a05e28..b824d93676 100644 --- a/testing/btest/scripts/base/frameworks/logging/ascii-double.bro +++ b/testing/btest/scripts/base/frameworks/logging/ascii-double.bro @@ -1,6 +1,10 @@ +# @TEST-DOC: Test that the ASCII writer logs values of type "double" correctly. # +# @TEST-EXEC: bro -b %INPUT test-json.bro +# @TEST-EXEC: mv test.log json.log # @TEST-EXEC: bro -b %INPUT # @TEST-EXEC: btest-diff test.log +# @TEST-EXEC: btest-diff json.log # # Make sure we do not write out scientific notation for doubles. 
@@ -14,16 +18,68 @@ export { }; } -event bro_init() +function logwrite(val: double) { - Log::create_stream(Test::LOG, [$columns=Info]); - Log::write(Test::LOG, [$d=2153226000.0]); - Log::write(Test::LOG, [$d=2153226000.1]); - Log::write(Test::LOG, [$d=2153226000.123456789]); - Log::write(Test::LOG, [$d=1.0]); - Log::write(Test::LOG, [$d=1.1]); - Log::write(Test::LOG, [$d=1.123456789]); - Log::write(Test::LOG, [$d=1.1234]); - Log::write(Test::LOG, [$d=3.14e15]); + Log::write(Test::LOG, [$d=val]); } +event bro_init() +{ + local d: double; + local dmax: double = 1.79e308; + local dmin: double = 2.23e-308; + + Log::create_stream(Test::LOG, [$columns=Info]); + + # relatively large values + logwrite(2153226000.0); + logwrite(2153226000.1); + logwrite(2153226000.123456789); + + # relatively small values + logwrite(1.0); + logwrite(1.1); + logwrite(1.123456789); + logwrite(-1.123456789); + logwrite(1.1234); + logwrite(.1234); + + # scientific notation (positive exponents) + logwrite(5e4); + logwrite(-5e4); + logwrite(3.14e15); + logwrite(-3.14e15); + logwrite(dmax); + logwrite(-dmax); + + # scientific notation (negative exponents) + logwrite(1.23456789e-5); + logwrite(dmin); + logwrite(-dmin); + + # inf + d = dmax; # ok + d = d * 2.0; # inf + logwrite(d); + + # -inf + d = -dmax; # ok + d = d * 2.0; # -inf + logwrite(d); + + # negative zero (compares equal to 0.0, but has different representation) + d = -0.0; + logwrite(d); + + # nan + d = dmax; # ok + d = d * 2.0; # inf + d = d * 0.0; # nan + logwrite(d); +} + +# @TEST-START-FILE test-json.bro + +redef LogAscii::use_json = T; + +# @TEST-END-FILE diff --git a/testing/btest/scripts/base/frameworks/logging/ascii-gz-rotate.bro b/testing/btest/scripts/base/frameworks/logging/ascii-gz-rotate.bro new file mode 100644 index 0000000000..2a1c388322 --- /dev/null +++ b/testing/btest/scripts/base/frameworks/logging/ascii-gz-rotate.bro 
@@ -0,0 +1,25 @@
+# Test that log rotation works with compressed logs.
+#
+# @TEST-EXEC: bro -b %INPUT
+# @TEST-EXEC: gunzip test.*.log.gz
+#
+
+module Test;
+
+export {
+ redef enum Log::ID += { LOG };
+
+ type Log: record {
+ s: string;
+ } &log;
+}
+
+redef Log::default_rotation_interval = 1hr;
+redef LogAscii::gzip_level = 1;
+
+event bro_init()
+{
+ Log::create_stream(Test::LOG, [$columns=Log]);
+
+ Log::write(Test::LOG, [$s="testing"]);
+}
diff --git a/testing/btest/scripts/base/frameworks/logging/ascii-gz.bro b/testing/btest/scripts/base/frameworks/logging/ascii-gz.bro
new file mode 100644
index 0000000000..9563f42c40
--- /dev/null
+++ b/testing/btest/scripts/base/frameworks/logging/ascii-gz.bro
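Review bot: The test ends at `gunzip test.*.log.gz`, so it only shows that the rotated file is a valid gzip stream, not that the record written by `Log::write` survived rotation and compression. Adding `# @TEST-EXEC: grep -q testing test.*.log` after the gunzip line would check the content without depending on the timestamp in the rotated file name. A one-line comment stating when the rotation is expected to happen (presumably at shutdown, given the 1hr interval and no input trace) would also make the test's intent clearer.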
@@ -0,0 +1,75 @@
+#
+# @TEST-EXEC: bro -b %INPUT
+# @TEST-EXEC: gunzip ssh.log.gz
+# @TEST-EXEC: btest-diff ssh.log
+# @TEST-EXEC: btest-diff ssh-uncompressed.log
+#
+# Testing all possible types.
+
+redef LogAscii::gzip_level = 9;
+
+module SSH;
+
+export {
+ redef enum Log::ID += { LOG };
+
+ type Log: record {
+ b: bool;
+ i: int;
+ e: Log::ID;
+ c: count;
+ p: port;
+ sn: subnet;
+ a: addr;
+ d: double;
+ t: time;
+ iv: interval;
+ s: string;
+ sc: set[count];
+ ss: set[string];
+ se: set[string];
+ vc: vector of count;
+ ve: vector of string;
+ f: function(i: count) : string;
+ } &log;
+}
+
+function foo(i : count) : string
+ {
+ if ( i > 0 )
+ return "Foo";
+ else
+ return "Bar";
+ }
+
+event bro_init()
+{
+ Log::create_stream(SSH::LOG, [$columns=Log]);
+ local filter = Log::Filter($name="ssh-uncompressed", $path="ssh-uncompressed",
+ $config = table(["gzip_level"] = "0"));
+ Log::add_filter(SSH::LOG, filter);
+
+ local empty_set: set[string];
+ local empty_vector: vector of string;
+
+ Log::write(SSH::LOG, [
+ $b=T,
+ $i=-42,
+ $e=SSH::LOG,
+ $c=21,
+ $p=123/tcp,
+ $sn=10.0.0.1/24,
+ $a=1.2.3.4,
+ $d=3.14,
+ $t=(strptime("%Y-%m-%dT%H:%M:%SZ", "2008-07-09T16:13:30Z") + 0.543210 secs),
+ $iv=100secs,
+ $s="hurz",
+ $sc=set(1,2,3,4),
+ $ss=set("AA", "BB", "CC"),
+ $se=empty_set,
+ $vc=vector(10, 20, 30),
+ $ve=empty_vector,
+ $f=foo
+ ]);
+}
+
diff --git a/testing/btest/scripts/base/frameworks/logging/disable-stream.bro b/testing/btest/scripts/base/frameworks/logging/disable-stream.bro
index 6799f7ca2f..c2f64da8e6 100644
--- a/testing/btest/scripts/base/frameworks/logging/disable-stream.bro
+++ b/testing/btest/scripts/base/frameworks/logging/disable-stream.bro
@@ -21,13 +21,12 @@ event bro_init() Log::disable_stream(SSH::LOG); - local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp]; + local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp]; Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="success"]); Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="US"]); Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="UK"]); Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="success", $country="BR"]); Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="MX"]); - } diff --git a/testing/btest/scripts/base/frameworks/logging/enable-stream.bro b/testing/btest/scripts/base/frameworks/logging/enable-stream.bro new file mode 100644 index 0000000000..0f525eced1 --- /dev/null +++ b/testing/btest/scripts/base/frameworks/logging/enable-stream.bro @@ -0,0 +1,33 @@ +# +# @TEST-EXEC: bro -b %INPUT +# @TEST-EXEC: btest-diff ssh.log + +module SSH; + +export { + redef enum Log::ID += { LOG }; + + type Log: record { + t: time; + id: conn_id; # Will be rolled out into individual columns. + status: string &optional; + country: string &default="unknown"; + } &log; +} + +event bro_init() +{ + Log::create_stream(SSH::LOG, [$columns=Log]); + + Log::disable_stream(SSH::LOG); + + local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp]; + + Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="success"]); + Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="US"]); + Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="UK"]); + Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="success", $country="BR"]); + Log::enable_stream(SSH::LOG); + Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="MX"]); +} + 
diff --git a/testing/btest/scripts/base/frameworks/logging/field-extension-cluster-error.bro b/testing/btest/scripts/base/frameworks/logging/field-extension-cluster-error.bro index 6ac7a5efce..9c776fd974 100644 --- a/testing/btest/scripts/base/frameworks/logging/field-extension-cluster-error.bro +++ b/testing/btest/scripts/base/frameworks/logging/field-extension-cluster-error.bro @@ -1,23 +1,27 @@ # @TEST-SERIALIZE: comm # # @TEST-EXEC: btest-bg-run manager-1 "cp ../cluster-layout.bro . && CLUSTER_NODE=manager-1 bro %INPUT" -# @TEST-EXEC: sleep 1 # @TEST-EXEC: btest-bg-run worker-1 "cp ../cluster-layout.bro . && CLUSTER_NODE=worker-1 bro --pseudo-realtime -C -r $TRACES/wikipedia.trace %INPUT" # @TEST-EXEC: btest-bg-wait 20 -# @TEST-EXEC: btest-diff manager-1/reporter.log +# @TEST-EXEC: cat manager-1/reporter.log | grep -v "reporter/" > manager-reporter.log +# @TEST-EXEC: TEST_DIFF_CANONIFIER="$SCRIPTS/diff-canonifier | grep -v ^# | $SCRIPTS/diff-sort" btest-diff manager-reporter.log @TEST-START-FILE cluster-layout.bro redef Cluster::nodes = { - ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=37757/tcp, $workers=set("worker-1")], + ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=37757/tcp], ["worker-1"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37760/tcp, $manager="manager-1", $interface="eth0"], }; @TEST-END-FILE -redef Log::default_rotation_interval = 0secs; - @load base/protocols/conn +@if ( Cluster::node == "worker-1" ) +redef exit_only_after_terminate = T; +@endif + +redef Log::default_rotation_interval = 0secs; + redef Log::default_scope_sep="_"; type Extension: record { 
@@ -39,11 +43,32 @@ redef Log::default_ext_func = add_extension; @endif -event terminate_me() { +event die() + { terminate(); -} + } -event remote_connection_closed(p: event_peer) { - schedule 1sec { terminate_me() }; -} +event slow_death() + { + Broker::flush_logs(); + schedule 2sec { die() }; + } +event kill_worker() + { + Broker::publish("death", slow_death); + } + +event bro_init() + { + if ( Cluster::node == "worker-1" ) + Broker::subscribe("death"); + + if ( Cluster::node == "manager-1" ) + schedule 13sec { kill_worker() }; + } + +event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) + { + schedule 2sec { die() }; + } diff --git a/testing/btest/scripts/base/frameworks/logging/field-extension-cluster.bro b/testing/btest/scripts/base/frameworks/logging/field-extension-cluster.bro index fb51251f8c..9ad0f526be 100644 --- a/testing/btest/scripts/base/frameworks/logging/field-extension-cluster.bro +++ b/testing/btest/scripts/base/frameworks/logging/field-extension-cluster.bro @@ -1,7 +1,6 @@ # @TEST-SERIALIZE: comm # # @TEST-EXEC: btest-bg-run manager-1 "cp ../cluster-layout.bro . && CLUSTER_NODE=manager-1 bro %INPUT" -# @TEST-EXEC: sleep 1 # @TEST-EXEC: btest-bg-run worker-1 "cp ../cluster-layout.bro . && CLUSTER_NODE=worker-1 bro --pseudo-realtime -C -r $TRACES/wikipedia.trace %INPUT" # @TEST-EXEC: btest-bg-wait 20 # @TEST-EXEC: btest-diff manager-1/http.log 
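Review bot: The manager's `schedule 13sec { kill_worker() }` in `bro_init` is a fixed wall-clock delay that does not depend on the worker having peered, unlike field-extension-cluster.bro (the next file in this diff), which schedules `kill_worker` from `Broker::peer_added`. Together with the 2-second delays in `slow_death` and `Broker::peer_lost`, the nodes exit roughly 17 seconds in, which leaves little slack before this test's `btest-bg-wait 20`. If the 13 seconds are there so the worker can finish replaying the trace, a comment such as `# Give worker-1 time to replay the trace before asking it to shut down.` would say so. Otherwise, triggering from `Broker::peer_added` as the sibling test does would be less timing-sensitive.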
@@ -9,15 +8,19 @@ @TEST-START-FILE cluster-layout.bro redef Cluster::nodes = { - ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=37757/tcp, $workers=set("worker-1")], + ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=37757/tcp], ["worker-1"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37760/tcp, $manager="manager-1", $interface="eth0"], }; @TEST-END-FILE -redef Log::default_rotation_interval = 0secs; - @load base/protocols/conn +@if ( Cluster::node == "worker-1" ) +redef exit_only_after_terminate = T; +@endif + +redef Log::default_rotation_interval = 0secs; + redef Log::default_scope_sep="_"; type Extension: record { @@ -35,11 +38,35 @@ function add_extension(path: string): Extension redef Log::default_ext_func = add_extension; -event terminate_me() { +event die() + { terminate(); -} + } -event remote_connection_closed(p: event_peer) { - schedule 1sec { terminate_me() }; -} +event slow_death() + { + Broker::flush_logs(); + schedule 2sec { die() }; + } +event kill_worker() + { + Broker::publish("death", slow_death); + } + +event bro_init() + { + if ( Cluster::node == "worker-1" ) + Broker::subscribe("death"); + } + +event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) + { + if ( Cluster::node == "manager-1" ) + schedule 2sec { kill_worker() }; + } + +event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) + { + schedule 2sec { die() }; + } diff --git a/testing/btest/scripts/base/frameworks/logging/remote-config.bro b/testing/btest/scripts/base/frameworks/logging/remote-config.bro deleted file mode 100644 index 9fd94acc7d..0000000000 --- a/testing/btest/scripts/base/frameworks/logging/remote-config.bro +++ /dev/null 
@@ -1,94 +0,0 @@ -# @TEST-SERIALIZE: comm -# -# @TEST-EXEC: btest-bg-run sender bro -b --pseudo-realtime %INPUT ../sender.bro -# @TEST-EXEC: sleep 1 -# @TEST-EXEC: btest-bg-run receiver bro -b --pseudo-realtime %INPUT ../receiver.bro -# @TEST-EXEC: sleep 1 -# @TEST-EXEC: btest-bg-wait 15 -# @TEST-EXEC: btest-diff sender/test.log -# @TEST-EXEC: btest-diff sender/test.failure.log -# @TEST-EXEC: btest-diff sender/test.success.log -# @TEST-EXEC: ( cd sender && for i in *.log; do cat $i | $SCRIPTS/diff-remove-timestamps >c.$i; done ) -# @TEST-EXEC: ( cd receiver && for i in *.log; do cat $i | $SCRIPTS/diff-remove-timestamps >c.$i; done ) -# @TEST-EXEC: cmp receiver/c.test.log sender/c.test.log -# @TEST-EXEC: cmp receiver/c.test.failure.log sender/c.test.failure.log -# @TEST-EXEC: cmp receiver/c.test.success.log sender/c.test.success.log - -# This is the common part loaded by both sender and receiver. -module Test; - -export { - # Create a new ID for our log stream - redef enum Log::ID += { LOG }; - - # Define a record with all the columns the log file can have. - # (I'm using a subset of fields from ssh-ext for demonstration.) - type Log: record { - t: time; - id: conn_id; # Will be rolled out into individual columns. 
- status: string &optional; - country: string &default="unknown"; - } &log; -} - -event bro_init() -{ - Log::create_stream(Test::LOG, [$columns=Log]); - Log::add_filter(Test::LOG, [$name="f1", $path="test.success", $pred=function(rec: Log): bool { return rec$status == "success"; }]); -} - -##### - -@TEST-START-FILE sender.bro - -@load frameworks/communication/listen - -module Test; - -function fail(rec: Log): bool - { - return rec$status != "success"; - } - -event remote_connection_handshake_done(p: event_peer) - { - local config: table[string] of string; - config["tsv"] = "T"; - Log::add_filter(Test::LOG, [$name="f2", $path="test.failure", $pred=fail, $config=config]); - - local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp]; - - local r: Log = [$t=network_time(), $id=cid, $status="success"]; - - # Log something. - Log::write(Test::LOG, r); - Log::write(Test::LOG, [$t=network_time(), $id=cid, $status="failure", $country="US"]); - Log::write(Test::LOG, [$t=network_time(), $id=cid, $status="failure", $country="UK"]); - Log::write(Test::LOG, [$t=network_time(), $id=cid, $status="success", $country="BR"]); - Log::write(Test::LOG, [$t=network_time(), $id=cid, $status="failure", $country="MX"]); - disconnect(p); - } - -event remote_connection_closed(p: event_peer) - { - terminate(); - } - -@TEST-END-FILE - -@TEST-START-FILE receiver.bro - -##### - -@load base/frameworks/communication - -redef Communication::nodes += { - ["foo"] = [$host = 127.0.0.1, $connect=T, $request_logs=T] -}; - -event remote_connection_closed(p: event_peer) - { - terminate(); - } - -@TEST-END-FILE diff --git a/testing/btest/scripts/base/frameworks/logging/remote-types.bro b/testing/btest/scripts/base/frameworks/logging/remote-types.bro deleted file mode 100644 index b8425428d3..0000000000 --- a/testing/btest/scripts/base/frameworks/logging/remote-types.bro +++ /dev/null 
@@ -1,91 +0,0 @@ -# @TEST-SERIALIZE: comm -# -# @TEST-EXEC: btest-bg-run sender bro -B threading,logging --pseudo-realtime %INPUT ../sender.bro -# @TEST-EXEC: btest-bg-run receiver bro -B threading,logging --pseudo-realtime %INPUT ../receiver.bro -# @TEST-EXEC: btest-bg-wait -k 10 -# @TEST-EXEC: btest-diff receiver/test.log -# @TEST-EXEC: cat receiver/test.log | egrep -v '#open|#close' >r.log -# @TEST-EXEC: cat sender/test.log | egrep -v '#open|#close' >s.log -# @TEST-EXEC: cmp r.log s.log - -# Remote version testing all types. - -# This is the common part loaded by both sender and receiver. - -redef LogAscii::empty_field = "EMPTY"; - -module Test; - -export { - # Create a new ID for our log stream - redef enum Log::ID += { LOG }; - - type Log: record { - b: bool; - i: int; - e: Log::ID; - c: count; - p: port; - sn: subnet; - a: addr; - d: double; - t: time; - iv: interval; - s: string; - sc: set[count]; - ss: set[string]; - se: set[string]; - vc: vector of count; - ve: vector of string; - } &log; -} - -event bro_init() -{ - Log::create_stream(Test::LOG, [$columns=Log]); -} - -##### - -@TEST-START-FILE sender.bro - -module Test; - -@load frameworks/communication/listen - -event remote_connection_handshake_done(p: event_peer) - { - local empty_set: set[string]; - local empty_vector: vector of string; - - Log::write(Test::LOG, [ - $b=T, - $i=-42, - $e=Test::LOG, - $c=21, - $p=123/tcp, - $sn=10.0.0.1/24, - $a=1.2.3.4, - $d=3.14, - $t=network_time(), - $iv=100secs, - $s="hurz", - $sc=set(1,2,3,4), - $ss=set("AA", "BB", "CC"), - $se=empty_set, - $vc=vector(10, 20, 30), - $ve=empty_vector - ]); - disconnect(p); - } -@TEST-END-FILE - -@TEST-START-FILE receiver.bro - -##### - -redef Communication::nodes += { - ["foo"] = [$host = 127.0.0.1, $connect=T, $request_logs=T] -}; - -@TEST-END-FILE diff --git a/testing/btest/scripts/base/frameworks/logging/remote.bro b/testing/btest/scripts/base/frameworks/logging/remote.bro deleted file mode 100644 index ba577cc92b..0000000000 
--- a/testing/btest/scripts/base/frameworks/logging/remote.bro
+++ /dev/null
@@ -1,92 +0,0 @@ -# @TEST-SERIALIZE: comm -# -# @TEST-EXEC: btest-bg-run sender bro -b --pseudo-realtime %INPUT ../sender.bro -# @TEST-EXEC: sleep 1 -# @TEST-EXEC: btest-bg-run receiver bro -b --pseudo-realtime %INPUT ../receiver.bro -# @TEST-EXEC: sleep 1 -# @TEST-EXEC: btest-bg-wait 15 -# @TEST-EXEC: btest-diff sender/test.log -# @TEST-EXEC: btest-diff sender/test.failure.log -# @TEST-EXEC: btest-diff sender/test.success.log -# @TEST-EXEC: ( cd sender && for i in *.log; do cat $i | $SCRIPTS/diff-remove-timestamps >c.$i; done ) -# @TEST-EXEC: ( cd receiver && for i in *.log; do cat $i | $SCRIPTS/diff-remove-timestamps >c.$i; done ) -# @TEST-EXEC: cmp receiver/c.test.log sender/c.test.log -# @TEST-EXEC: cmp receiver/c.test.failure.log sender/c.test.failure.log -# @TEST-EXEC: cmp receiver/c.test.success.log sender/c.test.success.log - -# This is the common part loaded by both sender and receiver. -module Test; - -export { - # Create a new ID for our log stream - redef enum Log::ID += { LOG }; - - # Define a record with all the columns the log file can have. - # (I'm using a subset of fields from ssh-ext for demonstration.) - type Log: record { - t: time; - id: conn_id; # Will be rolled out into individual columns. 
- status: string &optional; - country: string &default="unknown"; - } &log; -} - -event bro_init() -{ - Log::create_stream(Test::LOG, [$columns=Log]); - Log::add_filter(Test::LOG, [$name="f1", $path="test.success", $pred=function(rec: Log): bool { return rec$status == "success"; }]); -} - -##### - -@TEST-START-FILE sender.bro - -@load frameworks/communication/listen - -module Test; - -function fail(rec: Log): bool - { - return rec$status != "success"; - } - -event remote_connection_handshake_done(p: event_peer) - { - Log::add_filter(Test::LOG, [$name="f2", $path="test.failure", $pred=fail]); - - local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp]; - - local r: Log = [$t=network_time(), $id=cid, $status="success"]; - - # Log something. - Log::write(Test::LOG, r); - Log::write(Test::LOG, [$t=network_time(), $id=cid, $status="failure", $country="US"]); - Log::write(Test::LOG, [$t=network_time(), $id=cid, $status="failure", $country="UK"]); - Log::write(Test::LOG, [$t=network_time(), $id=cid, $status="success", $country="BR"]); - Log::write(Test::LOG, [$t=network_time(), $id=cid, $status="failure", $country="MX"]); - disconnect(p); - } - -event remote_connection_closed(p: event_peer) - { - terminate(); - } - -@TEST-END-FILE - -@TEST-START-FILE receiver.bro - -##### - -@load base/frameworks/communication - -redef Communication::nodes += { - ["foo"] = [$host = 127.0.0.1, $connect=T, $request_logs=T] -}; - -event remote_connection_closed(p: event_peer) - { - terminate(); - } - -@TEST-END-FILE diff --git a/testing/btest/scripts/base/frameworks/logging/remove.bro b/testing/btest/scripts/base/frameworks/logging/remove.bro index bb7c302942..3b80d24e9f 100644 --- a/testing/btest/scripts/base/frameworks/logging/remove.bro +++ b/testing/btest/scripts/base/frameworks/logging/remove.bro 
@@ -2,6 +2,7 @@ # @TEST-EXEC: bro -b -B logging %INPUT # @TEST-EXEC: btest-diff ssh.log # @TEST-EXEC: btest-diff ssh.failure.log +# @TEST-EXEC: btest-diff .stdout module SSH; @@ -24,11 +25,12 @@ event bro_init() Log::create_stream(SSH::LOG, [$columns=Log]); Log::add_filter(SSH::LOG, [$name="f1", $path="ssh.failure", $pred=function(rec: Log): bool { return rec$status == "failure"; }]); - local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp]; + local cid = [$orig_h=1.2.3.4, $orig_p=1234/tcp, $resp_h=2.3.4.5, $resp_p=80/tcp]; # Log something. Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="US"]); Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="UK"]); + print Log::get_filter_names(SSH::LOG); Log::remove_filter(SSH::LOG, "f1"); Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="BR"]); @@ -37,5 +39,6 @@ event bro_init() Log::write(SSH::LOG, [$t=network_time(), $id=cid, $status="failure", $country="MX"]); Log::remove_filter(SSH::LOG, "doesn-not-exist"); + print Log::get_filter_names(SSH::LOG); } diff --git a/testing/btest/scripts/base/frameworks/logging/rotate.bro b/testing/btest/scripts/base/frameworks/logging/rotate.bro index 86f659c193..501c0db8ea 100644 --- a/testing/btest/scripts/base/frameworks/logging/rotate.bro +++ b/testing/btest/scripts/base/frameworks/logging/rotate.bro @@ -1,5 +1,6 @@ # -# @TEST-EXEC: bro -b -r ${TRACES}/rotation.trace %INPUT 2>&1 | grep "test" >out +# @TEST-EXEC: bro -b -r ${TRACES}/rotation.trace %INPUT >bro.out 2>&1 +# @TEST-EXEC: grep "test" bro.out | sort >out # @TEST-EXEC: for i in `ls test.*.log | sort`; do printf '> %s\n' $i; cat $i; done >>out # @TEST-EXEC: btest-diff out diff --git a/testing/btest/scripts/base/frameworks/netcontrol/acld-hook.bro b/testing/btest/scripts/base/frameworks/netcontrol/acld-hook.bro index e131ec1dc0..a0ce9c44d6 100644 --- a/testing/btest/scripts/base/frameworks/netcontrol/acld-hook.bro 
+++ b/testing/btest/scripts/base/frameworks/netcontrol/acld-hook.bro @@ -1,7 +1,6 @@ -# @TEST-SERIALIZE: brokercomm -# @TEST-REQUIRES: grep -q ENABLE_BROKER:BOOL=true $BUILD/CMakeCache.txt -# @TEST-EXEC: btest-bg-run recv "bro -b ../recv.bro broker_port=$BROKER_PORT >recv.out" -# @TEST-EXEC: btest-bg-run send "bro -b -r $TRACES/tls/ecdhe.pcap --pseudo-realtime ../send.bro broker_port=$BROKER_PORT >send.out" +# @TEST-SERIALIZE: comm +# @TEST-EXEC: btest-bg-run recv "bro -b ../recv.bro >recv.out" +# @TEST-EXEC: btest-bg-run send "bro -b -r $TRACES/tls/ecdhe.pcap --pseudo-realtime ../send.bro >send.out" # @TEST-EXEC: btest-bg-wait 20 # @TEST-EXEC: btest-diff recv/recv.out 
@@ -11,30 +10,39 @@ @load base/frameworks/netcontrol -const broker_port: port &redef; redef exit_only_after_terminate = T; +global have_peer = F; +global did_init = F; + +event bro_init() + { + suspend_processing(); + } event NetControl::init() { - suspend_processing(); - local netcontrol_acld = NetControl::create_acld(NetControl::AcldConfig($acld_host=127.0.0.1, $acld_port=broker_port, $acld_topic="bro/event/netcontroltest")); + local netcontrol_acld = NetControl::create_acld(NetControl::AcldConfig($acld_host=127.0.0.1, $acld_port=Broker::default_port, $acld_topic="bro/event/netcontroltest")); NetControl::activate(netcontrol_acld, 0); } event NetControl::init_done() { - continue_processing(); + did_init = T; + + if ( did_init && have_peer ) + continue_processing(); } -event Broker::outgoing_connection_established(peer_address: string, - peer_port: port, - peer_name: string) +event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) { - print "Broker::outgoing_connection_established", peer_address, peer_port; + print "Broker peer added", endpoint$network; + have_peer = T; + + if ( did_init && have_peer ) + continue_processing(); } -event Broker::outgoing_connection_broken(peer_address: string, - peer_port: port) +event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) { terminate(); } 
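Review bot: `$acld_port=Broker::default_port` replaces the per-run `broker_port=$BROKER_PORT`, so this test and acld.bro (same change further down) now share one fixed port and are kept apart only by `@TEST-SERIALIZE: comm`. Any other process bound to that port on the test host, such as a locally running Bro instance, could make recv.bro's `Broker::listen("127.0.0.1")` fail, or could have send.bro peer with that process instead. A comment next to `NetControl::create_acld` would record the dependency, e.g. `# Uses Broker::default_port; relies on @TEST-SERIALIZE: comm and on no other Broker listener on this host.` As a smaller style point, `if ( did_init && have_peer )` directly after `did_init = T;` (and likewise after `have_peer = T;`) only needs to test the other flag.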
@@ -86,36 +94,41 @@ event NetControl::rule_removed(r: NetControl::Rule, p: NetControl::PluginState, @load base/frameworks/netcontrol @load base/frameworks/broker -const broker_port: port &redef; redef exit_only_after_terminate = T; +event die() + { + terminate(); + } + event bro_init() { - Broker::enable(); - Broker::subscribe_to_events("bro/event/netcontroltest"); - Broker::listen(broker_port, "127.0.0.1"); + Broker::subscribe("bro/event/netcontroltest"); + Broker::listen("127.0.0.1"); } -event Broker::incoming_connection_established(peer_name: string) +event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) { - print "Broker::incoming_connection_established"; + print "Broker peer added"; } event NetControl::acld_add_rule(id: count, r: NetControl::Rule, ar: NetControl::AclRule) { print "add_rule", id, r$entity, r$ty, ar; - Broker::send_event("bro/event/netcontroltest", Broker::event_args(NetControl::acld_rule_added, id, r, ar$command)); + Broker::publish("bro/event/netcontroltest", NetControl::acld_rule_added, id, r, ar$command); } event NetControl::acld_remove_rule(id: count, r: NetControl::Rule, ar: NetControl::AclRule) { print "remove_rule", id, r$entity, r$ty, ar; - Broker::send_event("bro/event/netcontroltest", Broker::event_args(NetControl::acld_rule_removed, id, r, ar$command)); + Broker::publish("bro/event/netcontroltest", NetControl::acld_rule_removed, id, r, ar$command); if ( r$cid == 4 ) - terminate(); + { + schedule 2sec { die() }; + } } @TEST-END-FILE diff --git a/testing/btest/scripts/base/frameworks/netcontrol/acld.bro b/testing/btest/scripts/base/frameworks/netcontrol/acld.bro index 364624e90e..7593790013 100644 --- a/testing/btest/scripts/base/frameworks/netcontrol/acld.bro +++ b/testing/btest/scripts/base/frameworks/netcontrol/acld.bro 
@@ -1,7 +1,6 @@ -# @TEST-SERIALIZE: brokercomm -# @TEST-REQUIRES: grep -q ENABLE_BROKER:BOOL=true $BUILD/CMakeCache.txt -# @TEST-EXEC: btest-bg-run recv "bro -b ../recv.bro broker_port=$BROKER_PORT >recv.out" -# @TEST-EXEC: btest-bg-run send "bro -b -r $TRACES/tls/ecdhe.pcap --pseudo-realtime ../send.bro broker_port=$BROKER_PORT >send.out" +# @TEST-SERIALIZE: comm +# @TEST-EXEC: btest-bg-run recv "bro -b ../recv.bro >recv.out" +# @TEST-EXEC: btest-bg-run send "bro -b -r $TRACES/tls/ecdhe.pcap --pseudo-realtime ../send.bro >send.out" # @TEST-EXEC: btest-bg-wait 20 # @TEST-EXEC: btest-diff send/netcontrol.log @@ -12,30 +11,39 @@ @load base/frameworks/netcontrol -const broker_port: port &redef; redef exit_only_after_terminate = T; +global have_peer = F; +global did_init = F; + +event bro_init() + { + suspend_processing(); + } event NetControl::init() { - suspend_processing(); - local netcontrol_acld = NetControl::create_acld(NetControl::AcldConfig($acld_host=127.0.0.1, $acld_port=broker_port, $acld_topic="bro/event/netcontroltest")); + local netcontrol_acld = NetControl::create_acld(NetControl::AcldConfig($acld_host=127.0.0.1, $acld_port=Broker::default_port, $acld_topic="bro/event/netcontroltest")); NetControl::activate(netcontrol_acld, 0); } -event Broker::outgoing_connection_established(peer_address: string, - peer_port: port, - peer_name: string) +event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) { - print "Broker::outgoing_connection_established", peer_address, peer_port; + print "Broker peer added", endpoint$network; + have_peer = T; + + if ( did_init && have_peer ) + continue_processing(); } event NetControl::init_done() { - continue_processing(); + did_init = T; + + if ( did_init && have_peer ) + continue_processing(); } -event Broker::outgoing_connection_broken(peer_address: string, - peer_port: port) +event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) { terminate(); } 
@@ -79,6 +87,11 @@ event NetControl::rule_removed(r: NetControl::Rule, p: NetControl::PluginState, print "rule removed", r$entity, r$ty; } +event NetControl::rule_error(r: NetControl::Rule, p: NetControl::PluginState, msg: string) + { + print "rule error", r$entity, r$ty; + } + @TEST-END-FILE @TEST-START-FILE recv.bro @@ -86,19 +99,22 @@ event NetControl::rule_removed(r: NetControl::Rule, p: NetControl::PluginState, @load base/frameworks/netcontrol @load base/frameworks/broker -const broker_port: port &redef; redef exit_only_after_terminate = T; +event die() + { + terminate(); + } + event bro_init() { - Broker::enable(); - Broker::subscribe_to_events("bro/event/netcontroltest"); - Broker::listen(broker_port, "127.0.0.1"); + Broker::subscribe("bro/event/netcontroltest"); + Broker::listen("127.0.0.1"); } -event Broker::incoming_connection_established(peer_name: string) +event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) { - print "Broker::incoming_connection_established"; + print "Broker peer added"; } event NetControl::acld_add_rule(id: count, r: NetControl::Rule, ar: NetControl::AclRule) 
@@ -106,19 +122,24 @@ event NetControl::acld_add_rule(id: count, r: NetControl::Rule, ar: NetControl:: print "add_rule", id, r$entity, r$ty, ar; if ( r$cid != 3 ) - Broker::send_event("bro/event/netcontroltest", Broker::event_args(NetControl::acld_rule_added, id, r, ar$command)); + Broker::publish("bro/event/netcontroltest", NetControl::acld_rule_added, id, r, ar$command); else - Broker::send_event("bro/event/netcontroltest", Broker::event_args(NetControl::acld_rule_exists, id, r, ar$command)); + Broker::publish("bro/event/netcontroltest", NetControl::acld_rule_exists, id, r, ar$command); } event NetControl::acld_remove_rule(id: count, r: NetControl::Rule, ar: NetControl::AclRule) { print "remove_rule", id, r$entity, r$ty, ar; - Broker::send_event("bro/event/netcontroltest", Broker::event_args(NetControl::acld_rule_removed, id, r, ar$command)); + if ( r$cid != 2 ) + Broker::publish("bro/event/netcontroltest", NetControl::acld_rule_removed, id, r, ar$command); + else + Broker::publish("bro/event/netcontroltest", NetControl::acld_rule_error, id, r, ar$command); if ( r$cid == 4 ) - terminate(); + { + schedule 2sec { die() }; + } } @TEST-END-FILE diff --git a/testing/btest/scripts/base/frameworks/netcontrol/basic-cluster.bro b/testing/btest/scripts/base/frameworks/netcontrol/basic-cluster.bro index 9bbb3beb77..0193e780d4 100644 --- a/testing/btest/scripts/base/frameworks/netcontrol/basic-cluster.bro +++ b/testing/btest/scripts/base/frameworks/netcontrol/basic-cluster.bro 
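Review bot: The `schedule 2sec { die() };` that replaces the direct `terminate()` at the end of `NetControl::acld_remove_rule` (hunk `@@ -106,19 +122,24 @@`) is an unexplained fixed delay. It presumably exists so that the reply published just above can reach the peer before the process exits; if so, the code should say it: `# Give the published reply time to be delivered before shutting down.` The 2-second value is then a timing assumption that can fail on a loaded host, which is worth stating next to that comment. The same construct is added in broker.bro (`@@ -95,22 +106,24 @@`) and in `got_message()` in openflow/broker-basic.bro (`@@ -98,14 +101,16 @@`).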
@@ -1,9 +1,10 @@ # @TEST-SERIALIZE: comm # # @TEST-EXEC: btest-bg-run manager-1 "cp ../cluster-layout.bro . && CLUSTER_NODE=manager-1 bro %INPUT" -# @TEST-EXEC: sleep 1 # @TEST-EXEC: btest-bg-run worker-1 "cp ../cluster-layout.bro . && CLUSTER_NODE=worker-1 bro --pseudo-realtime -C -r $TRACES/tls/ecdhe.pcap %INPUT" -# @TEST-EXEC: sleep 1 + +# @TEST-EXEC: $SCRIPTS/wait-for-pid $(cat worker-1/.pid) 10 || (btest-bg-wait -k 1 && false) + # @TEST-EXEC: btest-bg-run worker-2 "cp ../cluster-layout.bro . && CLUSTER_NODE=worker-2 bro --pseudo-realtime -C -r $TRACES/tls/ecdhe.pcap %INPUT" # @TEST-EXEC: btest-bg-wait 20 # @TEST-EXEC: btest-diff worker-1/.stdout @@ -11,7 +12,7 @@ @TEST-START-FILE cluster-layout.bro redef Cluster::nodes = { - ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=37757/tcp, $workers=set("worker-1", "worker-2")], + ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=37757/tcp], ["worker-1"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37760/tcp, $manager="manager-1", $interface="eth0"], ["worker-2"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37761/tcp, $manager="manager-1", $interface="eth0"], }; @@ -28,7 +29,7 @@ event bro_init() suspend_processing(); } -event remote_connection_handshake_done(p: event_peer) +event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) { continue_processing(); } @@ -51,9 +52,15 @@ event terminate_me() { terminate(); } -event remote_connection_closed(p: event_peer) { - schedule 1sec { terminate_me() }; -} +global peers_lost = 0; + +event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) + { + ++peers_lost; + + if ( peers_lost == 2 ) + schedule 2sec { terminate_me() }; + } event NetControl::rule_added(r: NetControl::Rule, p: NetControl::PluginState, msg: string &default="") { diff --git a/testing/btest/scripts/base/frameworks/netcontrol/broker.bro b/testing/btest/scripts/base/frameworks/netcontrol/broker.bro index 4fd29c499d..9e8bb65476 100644 
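Review bot: `$(cat worker-1/.pid)` is unquoted in the added `wait-for-pid` line of the `@@ -1,9 +1,10 @@` hunk, so if the pid file is missing or empty the substitution disappears and `10` is passed as the pid argument. Quoting it keeps the argument positions fixed: `$SCRIPTS/wait-for-pid "$(cat worker-1/.pid)" 10 || (btest-bg-wait -k 1 && false)`. Whether the helper then rejects an empty pid cannot be checked from here, since the wait-for-pid script is not part of this hunk.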
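Review bot: In the `@@ -51,9 +52,15 @@` hunk, `if ( peers_lost == 2 )` hard-codes the number of workers from cluster-layout.bro, and a node that only ever loses one peer never reaches it. If this handler is also compiled on the workers (any enclosing `@if` is outside the hunk), they presumably see only the manager go away and must rely on some other path to terminate. A comment such as `# Manager: exit once both workers have disconnected.`, or wrapping the handler in `@if ( Cluster::local_node_type() == Cluster::MANAGER )`, would state the intent.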
--- a/testing/btest/scripts/base/frameworks/netcontrol/broker.bro +++ b/testing/btest/scripts/base/frameworks/netcontrol/broker.bro @@ -1,7 +1,6 @@ -# @TEST-SERIALIZE: brokercomm -# @TEST-REQUIRES: grep -q ENABLE_BROKER:BOOL=true $BUILD/CMakeCache.txt -# @TEST-EXEC: btest-bg-run recv "bro -b ../recv.bro broker_port=$BROKER_PORT >recv.out" -# @TEST-EXEC: btest-bg-run send "bro -b -r $TRACES/smtp.trace --pseudo-realtime ../send.bro broker_port=$BROKER_PORT >send.out" +# @TEST-SERIALIZE: comm +# @TEST-EXEC: btest-bg-run recv "bro -b ../recv.bro >recv.out" +# @TEST-EXEC: btest-bg-run send "bro -b -r $TRACES/smtp.trace --pseudo-realtime ../send.bro >send.out" # @TEST-EXEC: btest-bg-wait 20 # @TEST-EXEC: btest-diff send/netcontrol.log 
@@ -12,30 +11,39 @@ @load base/frameworks/netcontrol -const broker_port: port &redef; redef exit_only_after_terminate = T; +global have_peer = F; +global did_init = F; + +event bro_init() + { + suspend_processing(); + } event NetControl::init() { - suspend_processing(); - local netcontrol_broker = NetControl::create_broker(NetControl::BrokerConfig($host=127.0.0.1, $bport=broker_port, $topic="bro/event/netcontroltest"), T); + local netcontrol_broker = NetControl::create_broker(NetControl::BrokerConfig($host=127.0.0.1, $bport=Broker::default_port, $topic="bro/event/netcontroltest"), T); NetControl::activate(netcontrol_broker, 0); } event NetControl::init_done() { - continue_processing(); + did_init = T; + + if ( did_init && have_peer ) + continue_processing(); } -event Broker::outgoing_connection_established(peer_address: string, - peer_port: port, - peer_name: string) +event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) { - print "Broker::outgoing_connection_established", peer_address, peer_port; + print "Broker peer added", endpoint$network; + have_peer = T; + + if ( did_init && have_peer ) + continue_processing(); } -event Broker::outgoing_connection_broken(peer_address: string, - peer_port: port) +event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) { terminate(); } 
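Review bot: The resume condition `if ( did_init && have_peer ) continue_processing();` is written out twice in the `@@ -12,30 +11,39 @@` hunk, in `NetControl::init_done` and in `Broker::peer_added`, and each copy tests a flag it has just set to `T`. Nothing explains why processing stays suspended until both events have fired. A one-line comment above the two globals would do: `# Packet processing resumes once NetControl is initialised and the Broker peer is connected, whichever happens last.` The test that calls `NetControl::create_acld` carries the same pair of handlers in its own `@@ -12,30 +11,39 @@` hunk.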
@@ -75,19 +83,22 @@ event NetControl::rule_timeout(r: NetControl::Rule, i: NetControl::FlowInfo, p: @load base/frameworks/netcontrol @load base/frameworks/broker -const broker_port: port &redef; redef exit_only_after_terminate = T; +event die() + { + terminate(); + } + event bro_init() { - Broker::enable(); - Broker::subscribe_to_events("bro/event/netcontroltest"); - Broker::listen(broker_port, "127.0.0.1"); + Broker::subscribe("bro/event/netcontroltest"); + Broker::listen("127.0.0.1"); } -event Broker::incoming_connection_established(peer_name: string) +event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) { - print "Broker::incoming_connection_established"; + print "Broker peer added"; } event NetControl::broker_add_rule(id: count, r: NetControl::Rule) 
@@ -95,22 +106,24 @@ event NetControl::broker_add_rule(id: count, r: NetControl::Rule) print "add_rule", id, r$entity, r$ty; if ( r$cid == 3 ) - Broker::send_event("bro/event/netcontroltest", Broker::event_args(NetControl::broker_rule_added, id, r, "")); + Broker::publish("bro/event/netcontroltest", NetControl::broker_rule_added, id, r, ""); if ( r$cid == 2 ) - Broker::send_event("bro/event/netcontroltest", Broker::event_args(NetControl::broker_rule_exists, id, r, "")); + Broker::publish("bro/event/netcontroltest", NetControl::broker_rule_exists, id, r, ""); if ( r$cid == 2 ) - Broker::send_event("bro/event/netcontroltest", Broker::event_args(NetControl::broker_rule_timeout, id, r, NetControl::FlowInfo())); + Broker::publish("bro/event/netcontroltest", NetControl::broker_rule_timeout, id, r, NetControl::FlowInfo()); } event NetControl::broker_remove_rule(id: count, r: NetControl::Rule, reason: string) { print "remove_rule", id, r$entity, r$ty, reason; - Broker::send_event("bro/event/netcontroltest", Broker::event_args(NetControl::broker_rule_removed, id, r, "")); + Broker::publish("bro/event/netcontroltest", NetControl::broker_rule_removed, id, r, ""); if ( r$cid == 3 ) - terminate(); + { + schedule 2sec { die() }; + } } @TEST-END-FILE diff --git a/testing/btest/scripts/base/frameworks/netcontrol/catch-and-release-cluster.bro b/testing/btest/scripts/base/frameworks/netcontrol/catch-and-release-cluster.bro deleted file mode 100644 index fd7de7e442..0000000000 --- a/testing/btest/scripts/base/frameworks/netcontrol/catch-and-release-cluster.bro +++ /dev/null 
@@ -1,132 +0,0 @@ -# @TEST-SERIALIZE: comm -# -# @TEST-EXEC: btest-bg-run manager-1 "cp ../cluster-layout.bro . && CLUSTER_NODE=manager-1 bro %INPUT" -# @TEST-EXEC: sleep 1 -# @TEST-EXEC: btest-bg-run worker-1 "cp ../cluster-layout.bro . && CLUSTER_NODE=worker-1 bro --pseudo-realtime -C -r $TRACES/tls/ecdhe.pcap %INPUT" -# @TEST-EXEC: btest-bg-run worker-2 "cp ../cluster-layout.bro . && CLUSTER_NODE=worker-2 bro --pseudo-realtime -C -r $TRACES/tls/ecdhe.pcap %INPUT" -# @TEST-EXEC: btest-bg-wait 20 -# @TEST-EXEC: TEST_DIFF_CANONIFIER='grep -v ^# | $SCRIPTS/diff-remove-timestamps' btest-diff manager-1/netcontrol.log -# @TEST-EXEC: btest-diff manager-1/netcontrol_catch_release.log -# @TEST-EXEC: btest-diff worker-2/.stdout - -@TEST-START-FILE cluster-layout.bro -redef Cluster::nodes = { - ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=37757/tcp, $workers=set("worker-1", "worker-2")], - ["worker-1"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37760/tcp, $manager="manager-1", $interface="eth0"], - ["worker-2"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37761/tcp, $manager="manager-1", $interface="eth0"], -}; -@TEST-END-FILE - -redef exit_only_after_terminate = T; - -redef Log::default_rotation_interval = 0secs; - -@load base/frameworks/netcontrol -redef NetControl::catch_release_warn_blocked_ip_encountered = T; - -global ready_for_data_1: event(); -global ready_for_data_2: event(); -redef Cluster::manager2worker_events += /^ready_for_data_(1|2)$/; - -@if ( Cluster::local_node_type() == Cluster::MANAGER ) - -global peer_count = 0; -event remote_connection_handshake_done(p: event_peer) &priority=-5 - { - ++peer_count; - print "remote_connection_handshake_done", peer_count; - if ( peer_count == 2 ) - { - event ready_for_data_1(); - schedule 1.5sec { ready_for_data_2() }; - } - } - -@endif - -@if ( Cluster::local_node_type() == Cluster::WORKER ) -event bro_init() - { - print "Suspend", Cluster::node; - suspend_processing(); - } - -event 
remote_connection_closed(p: event_peer) { - print "remote connection closed"; - terminate(); -} -@endif - -@if ( Cluster::node == "worker-1" ) -event ready_for_data_1() - { - print "Resume", Cluster::node; - continue_processing(); - } -@endif - -@if ( Cluster::node == "worker-2" ) -event ready_for_data_2() - { - print "Resume", Cluster::node; - continue_processing(); - } -@endif - -event NetControl::init() - { - local netcontrol_debug = NetControl::create_debug(T); - NetControl::activate(netcontrol_debug, 0); - } - -global i: count = 0; - -event connection_established(c: connection) - { - print "Connection established"; - local id = c$id; - local info = NetControl::get_catch_release_info(id$orig_h); - print "Info", info; - NetControl::drop_address_catch_release(id$orig_h, cat("connection drop ", Cluster::node)); - if ( info$current_block_id != "" ) - { - NetControl::unblock_address_catch_release(id$orig_h, Cluster::node); - } - } - -@if ( Cluster::node == "worker-1" ) -event connection_established(c: connection) - { - NetControl::drop_address(8.8.8.8, 0.1secs, cat("direct drop ", Cluster::node)); - NetControl::drop_address_catch_release(8.8.8.8, cat("direct cr ", Cluster::node)); - } -@endif - -@if ( Cluster::node == "worker-2" ) -event connection_established(c: connection) - { - NetControl::catch_release_seen(8.8.8.8); - } -@endif - -event NetControl::catch_release_block_new(a: addr, b: NetControl::BlockInfo) - { - print "New block", a, b; - } - -event NetControl::catch_release_block_delete(a: addr) - { - print "Delete block", a; - } - -event terminate_me() { - terminate(); -} - -@if ( Cluster::local_node_type() == Cluster::MANAGER ) -event NetControl::rule_added(r: NetControl::Rule, p: NetControl::PluginState, msg: string) - { - print "Scheduling terminate"; - schedule 3sec { terminate_me() }; - } -@endif 
diff --git a/testing/btest/scripts/base/frameworks/netcontrol/catch-and-release.bro b/testing/btest/scripts/base/frameworks/netcontrol/catch-and-release.bro index 4aaaaf6900..29c56c2535 100644 --- a/testing/btest/scripts/base/frameworks/netcontrol/catch-and-release.bro +++ b/testing/btest/scripts/base/frameworks/netcontrol/catch-and-release.bro @@ -1,5 +1,5 @@ # @TEST-EXEC: bro -r $TRACES/tls/ecdhe.pcap %INPUT -# @TEST-EXEC: TEST_DIFF_CANONIFIER='grep -v ^# | $SCRIPTS/diff-sort' btest-diff netcontrol.log +# @TEST-EXEC: TEST_DIFF_CANONIFIER='grep -v ^# | $SCRIPTS/diff-remove-timestamps' btest-diff netcontrol.log # @TEST-EXEC: btest-diff netcontrol_catch_release.log @load base/frameworks/netcontrol diff --git a/testing/btest/scripts/base/frameworks/netcontrol/delete-internal-state.bro b/testing/btest/scripts/base/frameworks/netcontrol/delete-internal-state.bro index 9b8c995fac..29cb439a64 100644 --- a/testing/btest/scripts/base/frameworks/netcontrol/delete-internal-state.bro +++ b/testing/btest/scripts/base/frameworks/netcontrol/delete-internal-state.bro @@ -43,10 +43,10 @@ event dump_info() event connection_established(c: connection) { local id = c$id; - rules[|rules|] = NetControl::shunt_flow([$src_h=id$orig_h, $src_p=id$orig_p, $dst_h=id$resp_h, $dst_p=id$resp_p], 0secs); - rules[|rules|] = NetControl::drop_address(id$orig_h, 0secs); - rules[|rules|] = NetControl::whitelist_address(id$orig_h, 0secs); - rules[|rules|] = NetControl::redirect_flow([$src_h=id$orig_h, $src_p=id$orig_p, $dst_h=id$resp_h, $dst_p=id$resp_p], 5, 0secs); + rules += NetControl::shunt_flow([$src_h=id$orig_h, $src_p=id$orig_p, $dst_h=id$resp_h, $dst_p=id$resp_p], 0secs); + rules += NetControl::drop_address(id$orig_h, 0secs); + rules += NetControl::whitelist_address(id$orig_h, 0secs); + rules += NetControl::redirect_flow([$src_h=id$orig_h, $src_p=id$orig_p, $dst_h=id$resp_h, $dst_p=id$resp_p], 5, 0secs); schedule 1sec { remove_all() }; schedule 2sec { dump_info() }; 
diff --git a/testing/btest/scripts/base/frameworks/netcontrol/multiple.bro b/testing/btest/scripts/base/frameworks/netcontrol/multiple.bro index 56a764f2e9..d56c8e2468 100644 --- a/testing/btest/scripts/base/frameworks/netcontrol/multiple.bro +++ b/testing/btest/scripts/base/frameworks/netcontrol/multiple.bro @@ -27,10 +27,10 @@ event remove_all() event connection_established(c: connection) { local id = c$id; - rules[|rules|] = NetControl::shunt_flow([$src_h=id$orig_h, $src_p=id$orig_p, $dst_h=id$resp_h, $dst_p=id$resp_p], 0secs); - rules[|rules|] = NetControl::drop_address(id$orig_h, 0secs); - rules[|rules|] = NetControl::whitelist_address(id$orig_h, 0secs); - rules[|rules|] = NetControl::redirect_flow([$src_h=id$orig_h, $src_p=id$orig_p, $dst_h=id$resp_h, $dst_p=id$resp_p], 5, 0secs); + rules += NetControl::shunt_flow([$src_h=id$orig_h, $src_p=id$orig_p, $dst_h=id$resp_h, $dst_p=id$resp_p], 0secs); + rules += NetControl::drop_address(id$orig_h, 0secs); + rules += NetControl::whitelist_address(id$orig_h, 0secs); + rules += NetControl::redirect_flow([$src_h=id$orig_h, $src_p=id$orig_p, $dst_h=id$resp_h, $dst_p=id$resp_p], 5, 0secs); schedule 1sec { remove_all() }; } diff --git a/testing/btest/scripts/base/frameworks/notice/cluster.bro b/testing/btest/scripts/base/frameworks/notice/cluster.bro index 47932edb8e..9e04764d68 100644 --- a/testing/btest/scripts/base/frameworks/notice/cluster.bro +++ b/testing/btest/scripts/base/frameworks/notice/cluster.bro 
@@ -2,16 +2,15 @@ # # @TEST-EXEC: btest-bg-run manager-1 BROPATH=$BROPATH:.. CLUSTER_NODE=manager-1 bro %INPUT # @TEST-EXEC: btest-bg-run proxy-1 BROPATH=$BROPATH:.. CLUSTER_NODE=proxy-1 bro %INPUT -# @TEST-EXEC: sleep 2 # @TEST-EXEC: btest-bg-run worker-1 BROPATH=$BROPATH:.. CLUSTER_NODE=worker-1 bro %INPUT # @TEST-EXEC: btest-bg-wait 20 # @TEST-EXEC: btest-diff manager-1/notice.log @TEST-START-FILE cluster-layout.bro redef Cluster::nodes = { - ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=27757/tcp, $workers=set("worker-1")], - ["proxy-1"] = [$node_type=Cluster::PROXY, $ip=127.0.0.1, $p=27758/tcp, $manager="manager-1", $workers=set("worker-1")], - ["worker-1"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=27760/tcp, $manager="manager-1", $proxy="proxy-1", $interface="eth0"], + ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=27757/tcp], + ["proxy-1"] = [$node_type=Cluster::PROXY, $ip=127.0.0.1, $p=27758/tcp, $manager="manager-1"], + ["worker-1"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=27760/tcp, $manager="manager-1", $interface="eth0"], }; @TEST-END-FILE 
@@ -21,44 +20,37 @@ redef enum Notice::Type += { Test_Notice, }; -event remote_connection_closed(p: event_peer) +event Cluster::node_down(name: string, id: string) { terminate(); } -global ready: event(); - -redef Cluster::manager2worker_events += /ready/; - event delayed_notice() { if ( Cluster::node == "worker-1" ) NOTICE([$note=Test_Notice, $msg="test notice!"]); } -@if ( Cluster::local_node_type() == Cluster::WORKER ) - event ready() { schedule 1secs { delayed_notice() }; } -@endif - @if ( Cluster::local_node_type() == Cluster::MANAGER ) global peer_count = 0; -event remote_connection_handshake_done(p: event_peer) +event Cluster::node_up(name: string, id: string) { peer_count = peer_count + 1; + if ( peer_count == 2 ) - event ready(); + Broker::publish(Cluster::worker_topic, ready); } event Notice::log_notice(rec: Notice::Info) { - terminate_communication(); + terminate(); } @endif diff --git a/testing/btest/scripts/base/frameworks/notice/suppression-cluster.bro b/testing/btest/scripts/base/frameworks/notice/suppression-cluster.bro index 5010da82cc..a201c5f976 100644 --- a/testing/btest/scripts/base/frameworks/notice/suppression-cluster.bro +++ b/testing/btest/scripts/base/frameworks/notice/suppression-cluster.bro @@ -2,7 +2,6 @@ # # @TEST-EXEC: btest-bg-run manager-1 BROPATH=$BROPATH:.. CLUSTER_NODE=manager-1 bro %INPUT # @TEST-EXEC: btest-bg-run proxy-1 BROPATH=$BROPATH:.. CLUSTER_NODE=proxy-1 bro %INPUT -# @TEST-EXEC: sleep 2 # @TEST-EXEC: btest-bg-run worker-1 BROPATH=$BROPATH:.. CLUSTER_NODE=worker-1 bro %INPUT # @TEST-EXEC: btest-bg-run worker-2 BROPATH=$BROPATH:.. CLUSTER_NODE=worker-2 bro %INPUT # @TEST-EXEC: btest-bg-wait 20 
@@ -10,10 +9,10 @@ @TEST-START-FILE cluster-layout.bro redef Cluster::nodes = { - ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=27757/tcp, $workers=set("worker-1", "worker-2")], - ["proxy-1"] = [$node_type=Cluster::PROXY, $ip=127.0.0.1, $p=27758/tcp, $manager="manager-1", $workers=set("worker-1", "worker-2")], - ["worker-1"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=27760/tcp, $manager="manager-1", $proxy="proxy-1"], - ["worker-2"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=27761/tcp, $manager="manager-1", $proxy="proxy-1"], + ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=27757/tcp], + ["proxy-1"] = [$node_type=Cluster::PROXY, $ip=127.0.0.1, $p=27758/tcp, $manager="manager-1"], + ["worker-1"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=27760/tcp, $manager="manager-1"], + ["worker-2"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=27761/tcp, $manager="manager-1"], }; @TEST-END-FILE @@ -23,15 +22,11 @@ redef enum Notice::Type += { Test_Notice, }; -event remote_connection_closed(p: event_peer) +event Cluster::node_down(name: string, id: string) { terminate(); } -global ready: event(); - -redef Cluster::manager2worker_events += /ready/; - event delayed_notice() { NOTICE([$note=Test_Notice, @@ -39,8 +34,6 @@ event delayed_notice() $identifier="this identifier is static"]); } -@if ( Cluster::local_node_type() == Cluster::WORKER ) - event ready() { if ( Cluster::node == "worker-1" ) @@ -52,20 +45,19 @@ event ready() event Notice::suppressed(n: Notice::Info) { if ( Cluster::node == "worker-1" ) - terminate_communication(); + terminate(); } -@endif - @if ( Cluster::local_node_type() == Cluster::MANAGER ) global peer_count = 0; -event remote_connection_handshake_done(p: event_peer) +event Cluster::node_up(name: string, id: string) { peer_count = peer_count + 1; + if ( peer_count == 3 ) - event ready(); + Broker::publish(Cluster::worker_topic, ready); } @endif 
diff --git a/testing/btest/scripts/base/frameworks/openflow/broker-basic.bro b/testing/btest/scripts/base/frameworks/openflow/broker-basic.bro index 9250590013..83f83c15b4 100644 --- a/testing/btest/scripts/base/frameworks/openflow/broker-basic.bro +++ b/testing/btest/scripts/base/frameworks/openflow/broker-basic.bro @@ -1,7 +1,6 @@ -# @TEST-SERIALIZE: brokercomm -# @TEST-REQUIRES: grep -q ENABLE_BROKER:BOOL=true $BUILD/CMakeCache.txt -# @TEST-EXEC: btest-bg-run recv "bro -b ../recv.bro broker_port=$BROKER_PORT >recv.out" -# @TEST-EXEC: btest-bg-run send "bro -b -r $TRACES/smtp.trace --pseudo-realtime ../send.bro broker_port=$BROKER_PORT >send.out" +# @TEST-SERIALIZE: comm +# @TEST-EXEC: btest-bg-run recv "bro -b ../recv.bro >recv.out" +# @TEST-EXEC: btest-bg-run send "bro -b -r $TRACES/smtp.trace --pseudo-realtime ../send.bro >send.out" # @TEST-EXEC: btest-bg-wait 20 # @TEST-EXEC: btest-diff recv/recv.out @@ -12,7 +11,6 @@ @load base/protocols/conn @load base/frameworks/openflow -const broker_port: port &redef; redef exit_only_after_terminate = T; global of_controller: OpenFlow::Controller; @@ -20,14 +18,17 @@ global of_controller: OpenFlow::Controller; event bro_init() { suspend_processing(); - of_controller = OpenFlow::broker_new("broker1", 127.0.0.1, broker_port, "bro/event/openflow", 42); + of_controller = OpenFlow::broker_new("broker1", 127.0.0.1, Broker::default_port, "bro/openflow", 42); } -event Broker::outgoing_connection_established(peer_address: string, - peer_port: port, - peer_name: string) +event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) { - print "Broker::outgoing_connection_established", peer_address, peer_port; + print "Broker peer added", endpoint$network; + } + +event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) + { + terminate(); } event OpenFlow::controller_activated(name: string, controller: OpenFlow::Controller) 
@@ -37,12 +38,6 @@ event OpenFlow::controller_activated(name: string, controller: OpenFlow::Control OpenFlow::flow_mod(of_controller, [], [$cookie=OpenFlow::generate_cookie(1), $command=OpenFlow::OFPFC_ADD, $actions=[$out_ports=vector(3, 7)]]); } -event Broker::outgoing_connection_broken(peer_address: string, - peer_port: port) - { - terminate(); - } - event connection_established(c: connection) { print "connection established"; @@ -76,21 +71,29 @@ event OpenFlow::flow_mod_failure(name: string, match: OpenFlow::ofp_match, flow_ @load base/frameworks/openflow -const broker_port: port &redef; redef exit_only_after_terminate = T; global msg_count: count = 0; -event bro_init() +event die() { - Broker::enable(); - Broker::subscribe_to_events("bro/event/openflow"); - Broker::listen(broker_port, "127.0.0.1"); + terminate(); } -event Broker::incoming_connection_established(peer_name: string) +event bro_init() { - print "Broker::incoming_connection_established"; + Broker::subscribe("bro/openflow"); + Broker::listen("127.0.0.1"); + } + +event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) + { + print "Broker peer added"; + } + +event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) + { + terminate(); } function got_message() @@ -98,14 +101,16 @@ function got_message() ++msg_count; if ( msg_count >= 4 ) - terminate(); + { + schedule 2sec { die() }; + } } event OpenFlow::broker_flow_mod(name: string, dpid: count, match: OpenFlow::ofp_match, flow_mod: OpenFlow::ofp_flow_mod) { print "got flow_mod", dpid, match, flow_mod; - Broker::send_event("bro/event/openflow", Broker::event_args(OpenFlow::flow_mod_success, name, match, flow_mod, "")); - Broker::send_event("bro/event/openflow", Broker::event_args(OpenFlow::flow_mod_failure, name, match, flow_mod, "")); + Broker::publish("bro/openflow", OpenFlow::flow_mod_success, name, match, flow_mod, ""); + Broker::publish("bro/openflow", OpenFlow::flow_mod_failure, name, match, flow_mod, ""); got_message(); } 
@@ -115,6 +120,5 @@ event OpenFlow::broker_flow_clear(name: string, dpid: count) got_message(); } - @TEST-END-FILE diff --git a/testing/btest/scripts/base/frameworks/openflow/log-cluster.bro b/testing/btest/scripts/base/frameworks/openflow/log-cluster.bro index cccf60cf99..5742a49d1d 100644 --- a/testing/btest/scripts/base/frameworks/openflow/log-cluster.bro +++ b/testing/btest/scripts/base/frameworks/openflow/log-cluster.bro @@ -1,14 +1,13 @@ # @TEST-SERIALIZE: comm # # @TEST-EXEC: btest-bg-run manager-1 "cp ../cluster-layout.bro . && CLUSTER_NODE=manager-1 bro %INPUT" -# @TEST-EXEC: sleep 1 # @TEST-EXEC: btest-bg-run worker-1 "cp ../cluster-layout.bro . && CLUSTER_NODE=worker-1 bro --pseudo-realtime -C -r $TRACES/smtp.trace %INPUT" # @TEST-EXEC: btest-bg-wait 20 # @TEST-EXEC: btest-diff manager-1/openflow.log @TEST-START-FILE cluster-layout.bro redef Cluster::nodes = { - ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=37757/tcp, $workers=set("worker-1", "worker-2")], + ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=37757/tcp], ["worker-1"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37760/tcp, $manager="manager-1", $interface="eth0"], }; @TEST-END-FILE @@ -21,14 +20,39 @@ redef Log::default_rotation_interval = 0secs; global of_controller: OpenFlow::Controller; +@if ( Cluster::local_node_type() == Cluster::WORKER ) +event bro_init() + { + suspend_processing(); + } + +event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) + { + continue_processing(); + } +@endif + event bro_init() { of_controller = OpenFlow::log_new(42); } +event terminate_me() + { + terminate(); + } + +global done = F; + event connection_established(c: connection) { + if ( done ) + return; + + done = T; + print "conn established"; + local match = OpenFlow::match_conn(c$id); local match_rev = OpenFlow::match_conn(c$id, T); 
@@ -42,14 +66,11 @@ event connection_established(c: connection) OpenFlow::flow_mod(of_controller, match, flow_mod); OpenFlow::flow_mod(of_controller, match_rev, flow_mod); - terminate(); + schedule 2sec { terminate_me() }; } -event terminate_me() { - terminate(); -} - -event remote_connection_closed(p: event_peer) { - schedule 1sec { terminate_me() }; -} +event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) + { + schedule 2sec { terminate_me() }; + } diff --git a/testing/btest/scripts/base/frameworks/software/version-parsing.bro b/testing/btest/scripts/base/frameworks/software/version-parsing.bro index f61e8a3a9e..9a54f3d966 100644 --- a/testing/btest/scripts/base/frameworks/software/version-parsing.bro +++ b/testing/btest/scripts/base/frameworks/software/version-parsing.bro @@ -40,6 +40,9 @@ global matched_software: table[string] of Software::Description = { [$name="The Bat!", $version=[$major=2,$minor=0,$minor2=9,$addl="Personal"], $unparsed_version=""], ["Flash/10,2,153,1"] = [$name="Flash", $version=[$major=10,$minor=2,$minor2=153,$minor3=1], $unparsed_version=""], + # The addl on the following entry isn't so great, but it'll do. + ["Flash%20Player/26.0.0.137 CFNetwork/811.5.4 Darwin/16.6.0 (x86_64)"] = + [$name="Flash", $version=[$major=26,$minor=0,$minor2=0,$minor3=137,$addl="CFNetwork/811"], $unparsed_version=""], ["mt2/1.2.3.967 Oct 13 2010-13:40:24 ord-pixel-x2 pid 0x35a3 13731"] = [$name="mt2", $version=[$major=1,$minor=2,$minor2=3,$minor3=967,$addl="Oct"], $unparsed_version=""], ["CacheFlyServe v26b"] = 
@@ -110,6 +113,14 @@ global matched_software: table[string] of Software::Description = { [$name="AdobeAIR", $version=[$major=1,$minor=0], $unparsed_version=""], ["Mozilla/5.0 (Windows; U; en) AppleWebKit/420+ (KHTML, like Gecko) AdobeAIR/1.0"] = [$name="AdobeAIR", $version=[$major=1,$minor=0], $unparsed_version=""], + ["\\xe6\\xbc\\xab\\xe7\\x94\\xbb\\xe4\\xba\\xba 2.6.2 rv:1.2 (iPhone; iOS 10.3.2; en_US)"] = + [$name="\xe6\xbc\xab\xe7\x94\xbb\xe4\xba\xba", $version=[$major=2,$minor=6,$minor2=2,$addl="rv:1"], $unparsed_version=""], + ["%E6%9C%89%E9%81%93%E8%AF%8D%E5%85%B8/128 CFNetwork/760.2.6 Darwin/15.3.0 (x86_64)"] = + [$name="\xe6\x9c\x89\xe9\x81\x93\xe8\xaf\x8d\xe5\x85\xb8", $version=[$major=128,$addl="CFNetwork/760"], $unparsed_version=""], + ["QQ%E9%82%AE%E7%AE%B1/5.3.2.8 CFNetwork/811.5.4 Darwin/16.6.0"] = + [$name="QQ\xe9\x82\xae\xe7\xae\xb1", $version=[$major=5,$minor=3,$minor2=2,$minor3=8,$addl="CFNetwork/811"], $unparsed_version=""], + ["Mozilla/5.0 (Windows Phone 10.0; Android 6.0.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Mobile Safari/537.36 Edge/15.15063"] = + [$name="Edge", $version=[$major=15,$minor=15063], $unparsed_version=""], }; event bro_init() diff --git a/testing/btest/scripts/base/frameworks/sumstats/basic-cluster.bro b/testing/btest/scripts/base/frameworks/sumstats/basic-cluster.bro index d2fd592855..9f665ef960 100644 --- a/testing/btest/scripts/base/frameworks/sumstats/basic-cluster.bro +++ b/testing/btest/scripts/base/frameworks/sumstats/basic-cluster.bro @@ -1,7 +1,6 @@ # @TEST-SERIALIZE: comm # # @TEST-EXEC: btest-bg-run manager-1 BROPATH=$BROPATH:.. CLUSTER_NODE=manager-1 bro %INPUT -# @TEST-EXEC: sleep 1 # @TEST-EXEC: btest-bg-run worker-1 BROPATH=$BROPATH:.. CLUSTER_NODE=worker-1 bro %INPUT # @TEST-EXEC: btest-bg-run worker-2 BROPATH=$BROPATH:.. CLUSTER_NODE=worker-2 bro %INPUT # @TEST-EXEC: btest-bg-wait 15 
@@ -10,7 +9,7 @@ @TEST-START-FILE cluster-layout.bro redef Cluster::nodes = { - ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=37757/tcp, $workers=set("worker-1", "worker-2")], + ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=37757/tcp], ["worker-1"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37760/tcp, $manager="manager-1", $interface="eth0"], ["worker-2"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37761/tcp, $manager="manager-1", $interface="eth1"], }; @@ -37,13 +36,12 @@ event bro_init() &priority=5 }]); } -event remote_connection_closed(p: event_peer) +event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) { terminate(); } global ready_for_data: event(); -redef Cluster::manager2worker_events += /^ready_for_data$/; event ready_for_data() { @@ -71,10 +69,17 @@ event ready_for_data() @if ( Cluster::local_node_type() == Cluster::MANAGER ) +event bro_init() &priority=100 + { + Broker::auto_publish(Cluster::worker_topic, ready_for_data); + } + global peer_count = 0; -event remote_connection_handshake_done(p: event_peer) &priority=-5 + +event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) { ++peer_count; + if ( peer_count == 2 ) event ready_for_data(); } diff --git a/testing/btest/scripts/base/frameworks/sumstats/basic.bro b/testing/btest/scripts/base/frameworks/sumstats/basic.bro index d2cd51cc9e..40f269ab1a 100644 --- a/testing/btest/scripts/base/frameworks/sumstats/basic.bro +++ b/testing/btest/scripts/base/frameworks/sumstats/basic.bro @@ -1,5 +1,5 @@ # @TEST-EXEC: btest-bg-run standalone bro %INPUT -# @TEST-EXEC: btest-bg-wait 5 +# @TEST-EXEC: btest-bg-wait 10 # @TEST-EXEC: btest-diff standalone/.stdout redef exit_only_after_terminate=T; diff --git a/testing/btest/scripts/base/frameworks/sumstats/cluster-intermediate-update.bro b/testing/btest/scripts/base/frameworks/sumstats/cluster-intermediate-update.bro index 4fb6b817d3..5d8bff1e03 100644 
--- a/testing/btest/scripts/base/frameworks/sumstats/cluster-intermediate-update.bro +++ b/testing/btest/scripts/base/frameworks/sumstats/cluster-intermediate-update.bro @@ -1,7 +1,6 @@ # @TEST-SERIALIZE: comm # # @TEST-EXEC: btest-bg-run manager-1 BROPATH=$BROPATH:.. CLUSTER_NODE=manager-1 bro %INPUT -# @TEST-EXEC: sleep 3 # @TEST-EXEC: btest-bg-run worker-1 BROPATH=$BROPATH:.. CLUSTER_NODE=worker-1 bro %INPUT # @TEST-EXEC: btest-bg-run worker-2 BROPATH=$BROPATH:.. CLUSTER_NODE=worker-2 bro %INPUT # @TEST-EXEC: btest-bg-wait 20 @@ -9,7 +8,7 @@ @TEST-START-FILE cluster-layout.bro redef Cluster::nodes = { - ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=37757/tcp, $workers=set("worker-1", "worker-2")], + ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=37757/tcp], ["worker-1"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37760/tcp, $manager="manager-1", $interface="eth0"], ["worker-2"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37761/tcp, $manager="manager-1", $interface="eth1"], }; @@ -43,7 +42,7 @@ event bro_init() &priority=5 }]); } -event remote_connection_closed(p: event_peer) +event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) { terminate(); } @@ -56,9 +55,9 @@ event do_stats(i: count) SumStats::observe("test.metric", [$host=1.2.3.4], [$num=i]); } -event remote_connection_handshake_done(p: event_peer) +event Cluster::node_up(name: string, id: string) { - if ( p$descr == "manager-1" ) + if ( name == "manager-1" ) { if ( Cluster::node == "worker-1" ) { @@ -69,5 +68,3 @@ event remote_connection_handshake_done(p: event_peer) schedule 0.5sec { do_stats(40) }; } } - - diff --git a/testing/btest/scripts/base/frameworks/sumstats/on-demand-cluster.bro b/testing/btest/scripts/base/frameworks/sumstats/on-demand-cluster.bro index 4e3e765500..14027f95ad 100644 --- a/testing/btest/scripts/base/frameworks/sumstats/on-demand-cluster.bro +++ b/testing/btest/scripts/base/frameworks/sumstats/on-demand-cluster.bro 
@@ -1,7 +1,6 @@ # @TEST-SERIALIZE: comm # # @TEST-EXEC: btest-bg-run manager-1 BROPATH=$BROPATH:.. CLUSTER_NODE=manager-1 bro %INPUT -# @TEST-EXEC: sleep 1 # @TEST-EXEC: btest-bg-run worker-1 BROPATH=$BROPATH:.. CLUSTER_NODE=worker-1 bro %INPUT # @TEST-EXEC: btest-bg-run worker-2 BROPATH=$BROPATH:.. CLUSTER_NODE=worker-2 bro %INPUT # @TEST-EXEC: btest-bg-wait 15 @@ -11,7 +10,7 @@ @TEST-START-FILE cluster-layout.bro redef Cluster::nodes = { - ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=37757/tcp, $workers=set("worker-1", "worker-2")], + ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=37757/tcp], ["worker-1"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37760/tcp, $manager="manager-1", $interface="eth0"], ["worker-2"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37761/tcp, $manager="manager-1", $interface="eth1"], }; @@ -29,13 +28,17 @@ event bro_init() &priority=5 $reducers=set(r1)]); } -event remote_connection_closed(p: event_peer) +event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) { terminate(); } global ready_for_data: event(); -redef Cluster::manager2worker_events += /^ready_for_data$/; + +event bro_init() + { + Broker::auto_publish(Cluster::worker_topic, ready_for_data); + } event on_demand() { @@ -72,8 +75,11 @@ event ready_for_data() } global peer_count = 0; -event remote_connection_handshake_done(p: event_peer) &priority=-5 +event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) { + if ( Cluster::node != "manager-1" ) + return; + ++peer_count; if ( peer_count == 2 ) { diff --git a/testing/btest/scripts/base/frameworks/sumstats/sample-cluster.bro b/testing/btest/scripts/base/frameworks/sumstats/sample-cluster.bro index 1f2bab0229..811cad3b96 100644 --- a/testing/btest/scripts/base/frameworks/sumstats/sample-cluster.bro +++ b/testing/btest/scripts/base/frameworks/sumstats/sample-cluster.bro 
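Review bot: The new guard in the last hunk of on-demand-cluster.bro hard-codes the node name, `if ( Cluster::node != "manager-1" ) return;`, while sample-cluster.bro and topk-cluster.bro in this same commit restrict the identical `Broker::peer_added` handler with `@if ( Cluster::local_node_type() == Cluster::MANAGER )`. Checking the role instead of the name keeps the three tests consistent and survives a rename in `Cluster::nodes`: `if ( Cluster::local_node_type() != Cluster::MANAGER ) return;`. The handler body continues outside the hunk.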
@@ -1,7 +1,6 @@ # @TEST-SERIALIZE: comm # # @TEST-EXEC: btest-bg-run manager-1 BROPATH=$BROPATH:.. CLUSTER_NODE=manager-1 bro %INPUT -# @TEST-EXEC: sleep 1 # @TEST-EXEC: btest-bg-run worker-1 BROPATH=$BROPATH:.. CLUSTER_NODE=worker-1 bro %INPUT # @TEST-EXEC: btest-bg-run worker-2 BROPATH=$BROPATH:.. CLUSTER_NODE=worker-2 bro %INPUT # @TEST-EXEC: btest-bg-wait 15 @@ -9,7 +8,7 @@ @TEST-START-FILE cluster-layout.bro redef Cluster::nodes = { - ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=37757/tcp, $workers=set("worker-1", "worker-2")], + ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=37757/tcp], ["worker-1"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37760/tcp, $manager="manager-1", $interface="eth0"], ["worker-2"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37761/tcp, $manager="manager-1", $interface="eth1"], }; @@ -29,7 +28,7 @@ event bro_init() &priority=5 print fmt("Host: %s Sampled observations: %d", key$host, r$sample_elements); local sample_nums: vector of count = vector(); for ( sample in r$samples ) - sample_nums[|sample_nums|] =r$samples[sample]$num; + sample_nums += r$samples[sample]$num; print fmt(" %s", sort(sample_nums)); }, @@ -39,13 +38,18 @@ event bro_init() &priority=5 }]); } -event remote_connection_closed(p: event_peer) +event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) { terminate(); } global ready_for_data: event(); -redef Cluster::manager2worker_events += /^ready_for_data$/; + +event bro_init() + { + Broker::auto_publish(Cluster::worker_topic, ready_for_data); + + } event ready_for_data() { @@ -101,7 +105,7 @@ event ready_for_data() @if ( Cluster::local_node_type() == Cluster::MANAGER ) global peer_count = 0; -event remote_connection_handshake_done(p: event_peer) &priority=-5 +event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) { ++peer_count; if ( peer_count == 2 ) 
diff --git a/testing/btest/scripts/base/frameworks/sumstats/topk-cluster.bro b/testing/btest/scripts/base/frameworks/sumstats/topk-cluster.bro index d26cee4244..6f371ba815 100644 --- a/testing/btest/scripts/base/frameworks/sumstats/topk-cluster.bro +++ b/testing/btest/scripts/base/frameworks/sumstats/topk-cluster.bro @@ -1,7 +1,6 @@ # @TEST-SERIALIZE: comm # # @TEST-EXEC: btest-bg-run manager-1 BROPATH=$BROPATH:.. CLUSTER_NODE=manager-1 bro %INPUT -# @TEST-EXEC: sleep 1 # @TEST-EXEC: btest-bg-run worker-1 BROPATH=$BROPATH:.. CLUSTER_NODE=worker-1 bro %INPUT # @TEST-EXEC: btest-bg-run worker-2 BROPATH=$BROPATH:.. CLUSTER_NODE=worker-2 bro %INPUT # @TEST-EXEC: btest-bg-wait 15 @@ -10,7 +9,7 @@ # @TEST-START-FILE cluster-layout.bro redef Cluster::nodes = { - ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=37757/tcp, $workers=set("worker-1", "worker-2")], + ["manager-1"] = [$node_type=Cluster::MANAGER, $ip=127.0.0.1, $p=37757/tcp], ["worker-1"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37760/tcp, $manager="manager-1", $interface="eth0"], ["worker-2"] = [$node_type=Cluster::WORKER, $ip=127.0.0.1, $p=37761/tcp, $manager="manager-1", $interface="eth1"], }; @@ -45,13 +44,17 @@ event bro_init() &priority=5 } -event remote_connection_closed(p: event_peer) +event Broker::peer_lost(endpoint: Broker::EndpointInfo, msg: string) { terminate(); } global ready_for_data: event(); -redef Cluster::manager2worker_events += /^ready_for_data$/; + +event bro_init() + { + Broker::auto_publish(Cluster::worker_topic, ready_for_data); + } event ready_for_data() { @@ -96,7 +99,7 @@ event ready_for_data() @if ( Cluster::local_node_type() == Cluster::MANAGER ) global peer_count = 0; -event remote_connection_handshake_done(p: event_peer) &priority=-5 +event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string) { ++peer_count; if ( peer_count == 2 ) 
diff --git a/testing/btest/scripts/base/misc/version.bro b/testing/btest/scripts/base/misc/version.bro index cd19f0ee30..238003f10d 100644 --- a/testing/btest/scripts/base/misc/version.bro +++ b/testing/btest/scripts/base/misc/version.bro @@ -36,6 +36,6 @@ print "yup"; print "yup"; @endif -@if ( Version::at_least("2.4") ) +@if ( Version::at_least("2.9") ) print "no"; @endif diff --git a/testing/btest/scripts/base/protocols/arp/bad.test b/testing/btest/scripts/base/protocols/arp/bad.test new file mode 100644 index 0000000000..efe9b1d15a --- /dev/null +++ b/testing/btest/scripts/base/protocols/arp/bad.test @@ -0,0 +1,17 @@ +# @TEST-EXEC: bro -r $TRACES/arp-leak.pcap %INPUT +# @TEST-EXEC: btest-diff .stdout + +event arp_request(mac_src: string, mac_dst: string, SPA: addr, SHA: string, TPA: addr, THA: string) + { + print "REQ", mac_src, mac_dst, SPA, SHA, TPA, THA; + } + +event arp_reply(mac_src: string, mac_dst: string, SPA: addr, SHA: string, TPA: addr, THA: string) + { + print "REP", mac_src, mac_dst, SPA, SHA, TPA, THA; + } + +event bad_arp(SPA: addr, SHA: string, TPA: addr, THA: string, explanation: string) + { + print "BAD", SPA, SHA, TPA, THA, explanation; + } diff --git a/testing/btest/scripts/base/protocols/arp/radiotap.test b/testing/btest/scripts/base/protocols/arp/radiotap.test new file mode 100644 index 0000000000..95ce471532 --- /dev/null +++ b/testing/btest/scripts/base/protocols/arp/radiotap.test @@ -0,0 +1,13 @@ +# @TEST-EXEC: bro -r $TRACES/arp-who-has-radiotap.pcap %INPUT +# @TEST-EXEC: btest-diff .stdout + +event arp_request(mac_src: string, mac_dst: string, SPA: addr, SHA: string, TPA: addr, THA: string) + { + print mac_src, mac_dst, SPA, SHA, TPA, THA; + } + +event arp_reply(mac_src: string, mac_dst: string, SPA: addr, SHA: string, TPA: addr, THA: string) + { + print mac_src, mac_dst, SPA, SHA, TPA, THA; + } + 
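Review bot: The negative case in version.bro now depends on the release number staying below 2.9, because `@if ( Version::at_least("2.9") )` starts printing "no" and breaks the baseline once the version reaches that value. That appears to be the same reason the old "2.4" bound had to be edited here. A comment above the `@if`, such as `# Must name a version newer than the current release; bump when this starts failing`, would tell the next person why the test failed. The enclosing script starts outside the hunk.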
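Review bot: arp/bad.test has no header comment saying what `arp-leak.pcap` contains or which defect it guards against, so a later baseline change cannot be judged without opening the trace. From the trace name and the `bad_arp` handler it looks like a regression test for malformed ARP input, but that is only inferred. Please state it at the top of the file, for example `# Regression test for <issue id>: the malformed ARP packets in arp-leak.pcap must be reported via bad_arp`.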
diff --git a/testing/btest/scripts/base/protocols/arp/wlanmon.test b/testing/btest/scripts/base/protocols/arp/wlanmon.test
new file mode 100644
index 0000000000..7f909eac4f
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/arp/wlanmon.test
@@ -0,0 +1,13 @@
+# @TEST-EXEC: bro -r $TRACES/arp-who-has-wlanmon.pcap %INPUT
+# @TEST-EXEC: btest-diff .stdout
+
+event arp_request(mac_src: string, mac_dst: string, SPA: addr, SHA: string, TPA: addr, THA: string)
+ {
+ print mac_src, mac_dst, SPA, SHA, TPA, THA;
+ }
+
+event arp_reply(mac_src: string, mac_dst: string, SPA: addr, SHA: string, TPA: addr, THA: string)
+ {
+ print mac_src, mac_dst, SPA, SHA, TPA, THA;
+ }
+
diff --git a/testing/btest/scripts/base/protocols/dhcp/dhcp-ack-msg-types.btest b/testing/btest/scripts/base/protocols/dhcp/dhcp-ack-msg-types.btest
new file mode 100644
index 0000000000..8f192b7aa4
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/dhcp/dhcp-ack-msg-types.btest
@@ -0,0 +1,6 @@
+# This tests that DHCP leases are logged in dhcp.log
+# The trace has a message of each DHCP message type,
+# but only one lease should show up in the logs.
+
+# @TEST-EXEC: bro -r $TRACES/dhcp/dhcp_ack_subscriber_id_and_agent_remote_id.trace %INPUT
+# @TEST-EXEC: btest-diff dhcp.log
diff --git a/testing/btest/scripts/base/protocols/dhcp/dhcp-discover-msg-types.btest b/testing/btest/scripts/base/protocols/dhcp/dhcp-discover-msg-types.btest
new file mode 100644
index 0000000000..1952682e61
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/dhcp/dhcp-discover-msg-types.btest
@@ -0,0 +1,6 @@
+# This tests that DHCP leases are logged in dhcp.log
+# The trace has a message of each DHCP message type,
+# but only one lease should show up in the logs.
+
+# @TEST-EXEC: bro -r $TRACES/dhcp/dhcp_discover_param_req_and_client_id.trace %INPUT
+# @TEST-EXEC: btest-diff dhcp.log
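Review bot: The header comment in dhcp-ack-msg-types.btest is repeated word for word in dhcp-discover-msg-types.btest and does not seem to describe either trace. It says the trace "has a message of each DHCP message type", while the trace names suggest a single ACK with subscriber-id and agent remote-id options and a single DISCOVER with a parameter request list and client id. If it was copied from an existing lease test, replace it in each file with what that file checks, e.g. `# Checks how a lone DHCP ACK carrying subscriber-id and agent remote-id options is logged in dhcp.log`.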
diff --git a/testing/btest/scripts/base/protocols/dhcp/dhcp-sub-opts.btest b/testing/btest/scripts/base/protocols/dhcp/dhcp-sub-opts.btest new file mode 100644 index 0000000000..3bd37a996b --- /dev/null +++ b/testing/btest/scripts/base/protocols/dhcp/dhcp-sub-opts.btest @@ -0,0 +1,2 @@ +# @TEST-EXEC: bro -r $TRACES/dhcp/dhcp_ack_subscriber_id_and_agent_remote_id.trace %INPUT protocols/dhcp/sub-opts +# @TEST-EXEC: btest-diff dhcp.log diff --git a/testing/btest/scripts/base/protocols/dnp3/events.bro b/testing/btest/scripts/base/protocols/dnp3/events.bro index fac00b5012..c5a853be61 100644 --- a/testing/btest/scripts/base/protocols/dnp3/events.bro +++ b/testing/btest/scripts/base/protocols/dnp3/events.bro @@ -27,9 +27,9 @@ event dnp3_object_prefix(c: connection, is_orig: bool, prefix_value: count) print "dnp3_object_prefix", is_orig, prefix_value; } -event dnp3_header_block(c: connection, is_orig: bool, start: count, len: count, ctrl: count, dest_addr: count, src_addr: count) +event dnp3_header_block(c: connection, is_orig: bool, len: count, ctrl: count, dest_addr: count, src_addr: count) { - print "dnp3_header_block", is_orig, start, len, ctrl, dest_addr, src_addr; + print "dnp3_header_block", is_orig, len, ctrl, dest_addr, src_addr; } event dnp3_response_data_object(c: connection, is_orig: bool, data_value: count) diff --git a/testing/btest/scripts/base/protocols/http/101-switching-protocols.bro b/testing/btest/scripts/base/protocols/http/101-switching-protocols.bro new file mode 100644 index 0000000000..b6aabb0de5 --- /dev/null +++ b/testing/btest/scripts/base/protocols/http/101-switching-protocols.bro 
@@ -0,0 +1,13 @@
+# This tests that the HTTP analyzer does not generate a dpd error as a
+# result of seeing an upgraded connection.
+#
+# @TEST-EXEC: bro -r $TRACES/http/websocket.pcap %INPUT
+# @TEST-EXEC: test ! -f dpd.log
+# @TEST-EXEC: test ! -f weird.log
+# @TEST-EXEC: btest-diff http.log
+# @TEST-EXEC: btest-diff .stdout
+
+event http_connection_upgrade(c: connection, protocol: string)
+ {
+ print fmt("Connection upgraded to %s", protocol);
+ }
diff --git a/testing/btest/scripts/base/protocols/http/content-range-less-than-len.bro b/testing/btest/scripts/base/protocols/http/content-range-less-than-len.bro
new file mode 100644
index 0000000000..c95816b29f
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/http/content-range-less-than-len.bro
@@ -0,0 +1,3 @@
+# @TEST-EXEC: bro -r $TRACES/http/content-range-less-than-len.pcap
+# @TEST-EXEC: btest-diff http.log
+# @TEST-EXEC: btest-diff weird.log
diff --git a/testing/btest/scripts/base/protocols/http/fake-content-length.bro b/testing/btest/scripts/base/protocols/http/fake-content-length.bro
new file mode 100644
index 0000000000..5993b18ed1
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/http/fake-content-length.bro
@@ -0,0 +1,2 @@
+# @TEST-EXEC: bro -r $TRACES/http/fake-content-length.pcap
+# @TEST-EXEC: btest-diff http.log
diff --git a/testing/btest/scripts/base/protocols/http/percent-end-of-line.bro b/testing/btest/scripts/base/protocols/http/percent-end-of-line.bro
new file mode 100644
index 0000000000..a41dbab294
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/http/percent-end-of-line.bro
@@ -0,0 +1,4 @@
+# @TEST-EXEC: bro -Cr $TRACES/http/percent-end-of-line.pcap %INPUT
+# @TEST-EXEC: btest-diff http.log
+# @TEST-EXEC: btest-diff weird.log
+
diff --git a/testing/btest/scripts/base/protocols/http/x-gzip.bro b/testing/btest/scripts/base/protocols/http/x-gzip.bro
new file mode 100644
index 0000000000..a73fc5f71f
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/http/x-gzip.bro
@@ -0,0 +1,2 @@
+# @TEST-EXEC: bro -r $TRACES/http/x-gzip.pcap
+# @TEST-EXEC: btest-diff http.log
diff --git a/testing/btest/scripts/base/protocols/irc/longline.test b/testing/btest/scripts/base/protocols/irc/longline.test
new file mode 100644
index 0000000000..0573494844
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/irc/longline.test
@@ -0,0 +1,6 @@
+# This tests that an excessively long line is truncated by the contentline
+# analyzer
+
+# @TEST-EXEC: bro -C -r $TRACES/contentline-irc-5k-line.pcap %INPUT
+# @TEST-EXEC: btest-diff weird.log
+
diff --git a/testing/btest/scripts/base/protocols/krb/smb2_krb.test b/testing/btest/scripts/base/protocols/krb/smb2_krb.test
new file mode 100644
index 0000000000..08c05d83f1
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/krb/smb2_krb.test
@@ -0,0 +1,21 @@
+# This test verifies that given the proper keytab file, the
+# Kerberos analyzer can open the AD ticket in the Negociate
+# Protocol Request and find the user.
+#
+# @TEST-REQUIRES: grep -q "#define USE_KRB5" $BUILD/bro-config.h
+#
+# @TEST-COPY-FILE: ${TRACES}/krb/smb2_krb.keytab
+# @TEST-EXEC: bro -b -C -r $TRACES/krb/smb2_krb.pcap %INPUT
+# @TEST-EXEC: btest-diff .stdout
+
+redef KRB::keytab = "smb2_krb.keytab";
+global monitor_ports: set[port] = { 445/tcp, 139/tcp } &redef;
+
+event bro_init() &priority=5{
+ Analyzer::register_for_ports(Analyzer::ANALYZER_SMB, monitor_ports);
+}
+
+event krb_ap_request(c: connection, ticket: KRB::Ticket, opts: KRB::AP_Options){
+ print ticket$authenticationinfo;
+}
+
diff --git a/testing/btest/scripts/base/protocols/krb/smb2_krb_nokeytab.test b/testing/btest/scripts/base/protocols/krb/smb2_krb_nokeytab.test
new file mode 100644
index 0000000000..0d2c68d142
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/krb/smb2_krb_nokeytab.test
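Review bot: smb2_krb.test copies `smb2_krb.keytab` out of the traces directory, so long-term Kerberos keys are now kept in the repository next to the capture they decrypt. Nothing in the file says where that key material came from. Please record in the header that both files come from a disposable lab realm, if that is the case, e.g. `# Keytab and pcap were generated in a throwaway test domain; the keys protect nothing else.` The same comment block spells "Negotiate" as "Negociate".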
@@ -0,0 +1,20 @@
+# This test verifies that without a keytab file no entries are
+# created and no errors happen.
+#
+# @TEST-REQUIRES: grep -q "#define USE_KRB5" $BUILD/bro-config.h
+#
+# @TEST-COPY-FILE: ${TRACES}/krb/smb2_krb.keytab
+# @TEST-EXEC: bro -C -r $TRACES/krb/smb2_krb.pcap %INPUT
+# @TEST-EXEC: btest-diff .stdout
+# @TEST-EXEC: btest-diff .stderr
+
+global monitor_ports: set[port] = { 445/tcp, 139/tcp } &redef;
+
+event bro_init() &priority=5{
+ Analyzer::register_for_ports(Analyzer::ANALYZER_SMB, monitor_ports);
+}
+
+event krb_ap_request(c: connection, ticket: KRB::Ticket, opts: KRB::AP_Options){
+ print ticket?$authenticationinfo;
+}
+
diff --git a/testing/btest/scripts/base/protocols/krb/smb_gssapi.test b/testing/btest/scripts/base/protocols/krb/smb_gssapi.test
new file mode 100644
index 0000000000..95e5660812
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/krb/smb_gssapi.test
@@ -0,0 +1,11 @@
+# This test verifies that GSSAPI is correctly passing events to
+# the Kerberos analyzer. The specific trace example is a
+# SMB authentication event and therfore relies on the SMB
+# analyzer as well.
+
+# @TEST-EXEC: bro -b -C -r $TRACES/krb/smb_gssapi.trace %INPUT
+# @TEST-EXEC: btest-diff kerberos.log
+# @TEST-EXEC: btest-diff-rst scripts.base.protocols.krb
+
+@load base/protocols/krb
+@load base/protocols/smb
diff --git a/testing/btest/scripts/base/protocols/modbus/length_mismatch.bro b/testing/btest/scripts/base/protocols/modbus/length_mismatch.bro
new file mode 100644
index 0000000000..35835e4b64
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/modbus/length_mismatch.bro
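Review bot: The `# @TEST-COPY-FILE: ${TRACES}/krb/smb2_krb.keytab` line in smb2_krb_nokeytab.test contradicts the stated purpose of the test, since the keytab is still placed in the working directory and only the `redef KRB::keytab` is left out. Dropping that line makes the "no keytab" condition hold on disk as well as in configuration. The run also uses `bro -C -r` without the `-b` that smb2_krb.test passes, so the two tests differ in more than the keytab. If that is intentional, a one-line comment saying why would help.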
@@ -0,0 +1,15 @@
+# The parser generated by BinPAC needs to handle this pcap without crashing
+# or asserting. Specifically, pasing Function Code 23,
+# ReadWriteMultipleRegistersRequest, has a field:
+#
+# uint16[write_quantity] &length=write_byte_count;
+#
+# And the pcap has mismatching values for those quantities.
+# The use of &length on arrays previously caused array elements to
+# be treated as already having a bounds check in the parsing-loop, which
+# is problematic in the case where (write_quantity * 2) > write_byte_count
+# as that can cause reading from a location that exceeds the end of the
+# data buffer.
+
+# @TEST-EXEC: bro -r $TRACES/modbus/4SICS-GeekLounge-151022-min.pcap
+# @TEST-EXEC: btest-diff weird.log
diff --git a/testing/btest/scripts/base/protocols/mount/basic.test b/testing/btest/scripts/base/protocols/mount/basic.test
new file mode 100644
index 0000000000..8576874ce3
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/mount/basic.test
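Review bot: As written, length_mismatch.bro can only fail on a crash, an assertion or a changed weird.log, but the defect its comment describes is a read past the end of the data buffer, which often triggers none of those in an ordinary build. The comment should say that the test is a reliable regression check mainly when the suite runs under a memory-checking build, e.g. `# Note: an over-read may go unnoticed without a sanitizer build; run this test under one in CI.` In the second comment line "pasing" should read "parsing".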
@@ -0,0 +1,31 @@
+# @TEST-EXEC: bro -b -r $TRACES/mount/mount_base.pcap %INPUT
+# @TEST-EXEC: btest-diff .stdout
+
+global mount_ports: set[port] = { 635/tcp, 635/udp, 20048/tcp, 20048/udp } &redef;
+redef ignore_checksums = T;
+
+event bro_init()
+ {
+ Analyzer::register_for_ports(Analyzer::ANALYZER_MOUNT, mount_ports);
+ Analyzer::enable_analyzer(Analyzer::ANALYZER_MOUNT);
+ }
+
+event mount_proc_mnt(c: connection, info: MOUNT3::info_t, req: MOUNT3::dirmntargs_t, rep: MOUNT3::mnt_reply_t)
+ {
+ print(fmt("mount_proc_mnt: %s\n\t%s\n\t%s\n\t%s\n", c, info, req, rep));
+ }
+
+event mount_proc_umnt(c: connection, info: MOUNT3::info_t, req: MOUNT3::dirmntargs_t)
+ {
+ print(fmt("mount_proc_umnt: %s\n\t%s\n\t%s\n", c, info, req));
+ }
+
+event mount_proc_umnt_all(c: connection, info: MOUNT3::info_t, req: MOUNT3::dirmntargs_t)
+ {
+ print(fmt("mount_proc_umnt_all: %s\n\t%s\n\t%s\n", c, info, req));
+ }
+
+event mount_proc_not_implemented(c: connection, info: MOUNT3::info_t, proc: MOUNT3::proc_t)
+ {
+ print(fmt("mount_proc_not_implemented: %s\n\t%s\n\t%s\n", c, info, proc));
+ }
diff --git a/testing/btest/scripts/base/protocols/mysql/wireshark.test b/testing/btest/scripts/base/protocols/mysql/wireshark.test
index 64f4aacdda..55fe5be16c 100644
--- a/testing/btest/scripts/base/protocols/mysql/wireshark.test
+++ b/testing/btest/scripts/base/protocols/mysql/wireshark.test
@@ -1,6 +1,27 @@ # This tests a PCAP with a few MySQL commands from the Wireshark samples. -# @TEST-EXEC: bro -b -r $TRACES/mysql/mysql.trace %INPUT +# @TEST-EXEC: bro -b -r $TRACES/mysql/mysql.trace %INPUT >out +# @TEST-EXEC: btest-diff out # @TEST-EXEC: btest-diff mysql.log -@load base/protocols/mysql \ No newline at end of file +@load base/protocols/mysql + +event mysql_ok(c: connection, affected_rows: count) + { + print "mysql ok", affected_rows; + } + +event mysql_result_row(c: connection, row: string_vec) + { + print "mysql result row", row; + } + +event mysql_error(c: connection, code: count, msg: string) + { + print "mysql error", code, msg; + } + +event mysql_command_request(c: connection, command: count, arg: string) + { + print "mysql request", command, arg; + } diff --git a/testing/btest/scripts/base/protocols/ncp/event.bro b/testing/btest/scripts/base/protocols/ncp/event.bro new file mode 100644 index 0000000000..acb4bf0a0c --- /dev/null +++ b/testing/btest/scripts/base/protocols/ncp/event.bro @@ -0,0 +1,20 @@ +# @TEST-EXEC: bro -C -r $TRACES/ncp.pcap %INPUT >out +# @TEST-EXEC: btest-diff out + +redef likely_server_ports += { 524/tcp }; + +event bro_init() + { + const ports = { 524/tcp }; + Analyzer::register_for_ports(Analyzer::ANALYZER_NCP, ports); + } + +event ncp_request(c: connection, frame_type: count, length: count, func: count) + { + print "ncp request", frame_type, length, func; + } + +event ncp_reply(c: connection, frame_type: count, length: count, req_frame: count, req_func: count, completion_code: count) + { + print "ncp reply", frame_type, length, req_frame, req_func, completion_code; + } diff --git a/testing/btest/scripts/base/protocols/ncp/frame_size_tuning.bro b/testing/btest/scripts/base/protocols/ncp/frame_size_tuning.bro new file mode 100644 index 0000000000..46ad87e752 --- /dev/null +++ b/testing/btest/scripts/base/protocols/ncp/frame_size_tuning.bro 
@@ -0,0 +1,20 @@ +# @TEST-EXEC: bro -C -r $TRACES/ncp.pcap %INPUT NCP::max_frame_size=150 >out +# @TEST-EXEC: btest-diff out + +redef likely_server_ports += { 524/tcp }; + +event bro_init() + { + const ports = { 524/tcp }; + Analyzer::register_for_ports(Analyzer::ANALYZER_NCP, ports); + } + +event ncp_request(c: connection, frame_type: count, length: count, func: count) + { + print "ncp request", frame_type, length, func; + } + +event ncp_reply(c: connection, frame_type: count, length: count, req_frame: count, req_func: count, completion_code: count) + { + print "ncp reply", frame_type, length, req_frame, req_func, completion_code; + } diff --git a/testing/btest/scripts/base/protocols/nfs/basic.test b/testing/btest/scripts/base/protocols/nfs/basic.test new file mode 100755 index 0000000000..f2d2b1862a --- /dev/null +++ b/testing/btest/scripts/base/protocols/nfs/basic.test 
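Review bot: Nothing in ncp/frame_size_tuning.bro says what `NCP::max_frame_size=150` is expected to change. The script body is a copy of ncp/event.bro and only the command line and baseline differ, so the limit being exercised is visible only by diffing the two baselines. Since this option bounds how much the analyzer accepts per frame, the expected effect should be written down at the top of the file, e.g. `# With NCP::max_frame_size=150, frames in ncp.pcap above that size must <expected behaviour>; compare with event.bro`.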
@@ -0,0 +1,82 @@ +# @TEST-EXEC: bro -b -r $TRACES/nfs/nfs_base.pcap %INPUT +# @TEST-EXEC: btest-diff .stdout + +global nfs_ports: set[port] = { 2049/tcp, 2049/udp } &redef; +redef ignore_checksums = T; + +event bro_init() + { + Analyzer::register_for_ports(Analyzer::ANALYZER_NFS, nfs_ports); + Analyzer::enable_analyzer(Analyzer::ANALYZER_NFS); + } + +event nfs_proc_lookup(c: connection , info: NFS3::info_t , req: NFS3::diropargs_t , rep: NFS3::lookup_reply_t ) + { + print(fmt("nfs_proc_lookup: %s\n\t%s\n\t%s\n\t%s\n", c, info, req, rep)); + } + +event nfs_proc_read(c: connection , info: NFS3::info_t , req: NFS3::readargs_t , rep: NFS3::read_reply_t ) + { + print(fmt("nfs_proc_read: %s\n\t%s\n\t%s\n\t%s\n", c, info, req, rep)); + } + +event nfs_proc_readlink(c: connection , info: NFS3::info_t , fh: string , rep: NFS3::readlink_reply_t ) + { + print(fmt("nfs_proc_readlink: %s\n\t%s\n\t%s\n\t%s\n", c, info, fh, rep)); + } + +event nfs_proc_write(c: connection , info: NFS3::info_t , req: NFS3::writeargs_t , rep: NFS3::write_reply_t ) + { + print(fmt("nfs_proc_write: %s\n\t%s\n\t%s\n\t%s\n", c, info, req, rep)); + } + +event nfs_proc_create(c: connection , info: NFS3::info_t , req: NFS3::diropargs_t , rep: NFS3::newobj_reply_t ) + { + print(fmt("nfs_proc_create: %s\n\t%s\n\t%s\n\t%s\n", c, info, req, rep)); + } + +event nfs_proc_mkdir(c: connection , info: NFS3::info_t , req: NFS3::diropargs_t , rep: NFS3::newobj_reply_t ) + { + print(fmt("nfs_proc_mkdir: %s\n\t%s\n\t%s\n\t%s\n", c, info, req, rep)); + } + +event nfs_proc_remove(c: connection , info: NFS3::info_t , req: NFS3::diropargs_t , rep: NFS3::delobj_reply_t ) + { + print(fmt("nfs_proc_remove: %s\n\t%s\n\t%s\n\t%s\n", c, info, req, rep)); + } + +event nfs_proc_rmdir(c: connection , info: NFS3::info_t , req: NFS3::diropargs_t , rep: NFS3::delobj_reply_t ) + { + print(fmt("nfs_proc_rmdir: %s\n\t%s\n\t%s\n\t%s\n", c, info, req, rep)); + } + +event nfs_proc_readdir(c: connection , info: NFS3::info_t , req: 
NFS3::readdirargs_t , rep: NFS3::readdir_reply_t ) + { + print(fmt("nfs_proc_readdir: %s\n\t%s\n\t%s\n\t%s\n", c, info, req, rep)); + } + +event nfs_proc_rename(c: connection , info: NFS3::info_t , req: NFS3::renameopargs_t , rep: NFS3::renameobj_reply_t ) + { + print(fmt("nfs_proc_rename: %s\n\t%s\n\t%s\n\t%s\n", c, info, req, rep)); + } + +event nfs_proc_sattr(c: connection, info: NFS3::info_t, req: NFS3::sattrargs_t, rep: NFS3::sattr_reply_t) + { + print(fmt("nfs_proc_sattr: %s\n\t%s\n\t%s\n\t%s\n", c, info, req, rep)); + } + +event nfs_proc_link(c: connection, info: NFS3::info_t, req: NFS3::linkargs_t, rep: NFS3::link_reply_t) + { + print(fmt("nfs_proc_link: %s\n\t%s\n\t%s\n\t%s\n", c, info, req, rep)); + } + +event nfs_proc_symlink(c: connection, info: NFS3::info_t, req: NFS3::symlinkargs_t, rep: NFS3::newobj_reply_t) + { + print(fmt("nfs_proc_symlink: %s\n\t%s\n\t%s\n\t%s\n", c, info, req, rep)); + } + +event nfs_proc_not_implemented(c: connection , info: NFS3::info_t , proc: NFS3::proc_t ) + { + print(fmt("nfs_proc_not_implemented: %s\n\t%s\n\t%s\n", c, info, proc)); + } + diff --git a/testing/btest/scripts/base/protocols/radius/radius-multiple-attempts.test b/testing/btest/scripts/base/protocols/radius/radius-multiple-attempts.test new file mode 100644 index 0000000000..473e492355 --- /dev/null +++ b/testing/btest/scripts/base/protocols/radius/radius-multiple-attempts.test @@ -0,0 +1,6 @@ +# Test a more complicated radius session with multiple attempts + +# @TEST-EXEC: bro -b -C -r $TRACES/radius/radius_localhost.pcapng %INPUT +# @TEST-EXEC: btest-diff radius.log + +@load base/protocols/radius diff --git a/testing/btest/scripts/base/protocols/rdp/rdp-x509.bro b/testing/btest/scripts/base/protocols/rdp/rdp-x509.bro index ae1eb8b542..2fed0d7d19 100644 --- a/testing/btest/scripts/base/protocols/rdp/rdp-x509.bro +++ b/testing/btest/scripts/base/protocols/rdp/rdp-x509.bro 
@@ -1,5 +1,5 @@ # @TEST-EXEC: bro -r $TRACES/rdp/rdp-x509.pcap %INPUT # @TEST-EXEC: btest-diff rdp.log -# @TEST-EXEC: btest-diff x509.log +# @TEST-EXEC: TEST_DIFF_CANONIFIER="$SCRIPTS/diff-remove-timestamps | $SCRIPTS/diff-remove-x509-key-info" btest-diff x509.log @load base/protocols/rdp diff --git a/testing/btest/scripts/base/protocols/smb/disabled-dce-rpc.test b/testing/btest/scripts/base/protocols/smb/disabled-dce-rpc.test index 7ac2789280..627e396517 100644 --- a/testing/btest/scripts/base/protocols/smb/disabled-dce-rpc.test +++ b/testing/btest/scripts/base/protocols/smb/disabled-dce-rpc.test @@ -1,7 +1,7 @@ # @TEST-EXEC: bro -C -r $TRACES/smb/dssetup_DsRoleGetPrimaryDomainInformation_standalone_workstation.cap %INPUT # @TEST-EXEC: [ ! -f dce_rpc.log ] -@load policy/protocols/smb +@load base/protocols/smb # The DCE_RPC analyzer is a little weird since it's instantiated # by the SMB analyzer directly in some cases. Care needs to be diff --git a/testing/btest/scripts/base/protocols/smb/raw-ntlm.test b/testing/btest/scripts/base/protocols/smb/raw-ntlm.test index 8d5f91b881..9cf9aa35c4 100644 --- a/testing/btest/scripts/base/protocols/smb/raw-ntlm.test +++ b/testing/btest/scripts/base/protocols/smb/raw-ntlm.test @@ -2,7 +2,7 @@ #@TEST-EXEC: btest-diff .stdout @load base/protocols/ntlm -@load policy/protocols/smb +@load base/protocols/smb # Just verify that the session key is grabbed correctly from NTLM # carried raw over SMB. diff --git a/testing/btest/scripts/base/protocols/smb/smb1-transaction-dcerpc.test b/testing/btest/scripts/base/protocols/smb/smb1-transaction-dcerpc.test index 359b050670..52f05c57b4 100644 --- a/testing/btest/scripts/base/protocols/smb/smb1-transaction-dcerpc.test +++ b/testing/btest/scripts/base/protocols/smb/smb1-transaction-dcerpc.test @@ -2,4 +2,4 @@ # @TEST-EXEC: btest-diff dce_rpc.log @load base/protocols/dce-rpc -@load policy/protocols/smb +@load base/protocols/smb 
diff --git a/testing/btest/scripts/base/protocols/smb/smb1-transaction-request.test b/testing/btest/scripts/base/protocols/smb/smb1-transaction-request.test new file mode 100644 index 0000000000..1573eb93b8 --- /dev/null +++ b/testing/btest/scripts/base/protocols/smb/smb1-transaction-request.test @@ -0,0 +1,12 @@ +#@TEST-EXEC: bro -b -C -r $TRACES/smb/smb1_transaction_request.pcap %INPUT +#@TEST-EXEC: btest-diff .stdout + +@load base/protocols/smb +@load base/protocols/smb + +# Check that smb1_transaction requests are parsed correctly + +event smb1_transaction_request(c: connection, hdr: SMB1::Header, name: string, sub_cmd: count, parameters: string, data: string) +{ + print fmt("smb1_transaction_request hdr: %s, name: %s, sub_cmd: %x, params: %s, data: %s", hdr, name, sub_cmd, parameters, data); +} diff --git a/testing/btest/scripts/base/protocols/smb/smb1-transaction-response.test b/testing/btest/scripts/base/protocols/smb/smb1-transaction-response.test new file mode 100644 index 0000000000..6e826445e9 --- /dev/null +++ b/testing/btest/scripts/base/protocols/smb/smb1-transaction-response.test @@ -0,0 +1,12 @@ +#@TEST-EXEC: bro -b -C -r $TRACES/smb/smb1_transaction_response.pcap %INPUT +#@TEST-EXEC: btest-diff .stdout + +@load base/protocols/smb +@load base/protocols/smb + +# Check that smb1_transaction_response requests are parsed correctly + +event smb1_transaction_response(c: connection, hdr: SMB1::Header, parameters: string, data: string) +{ + print fmt("smb1_transaction_response hdr: %s, params: %s, data: %s", hdr, parameters, data); +} diff --git a/testing/btest/scripts/base/protocols/smb/smb1-transaction-secondary-request.test b/testing/btest/scripts/base/protocols/smb/smb1-transaction-secondary-request.test new file mode 100644 index 0000000000..e186ee7b22 --- /dev/null +++ b/testing/btest/scripts/base/protocols/smb/smb1-transaction-secondary-request.test 
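Review bot: `@load base/protocols/smb` appears twice in a row in smb1-transaction-request.test. The same pair is repeated in smb1-transaction-response.test, smb1-transaction-secondary-request.test, smb1-transaction2-request.test and smb1-transaction2-secondary-request.test. The second load does nothing; it may be left over from the policy/ to base/ rename applied elsewhere in this commit, though that is a guess. Keep a single `@load base/protocols/smb` in each file. Because these tests run with `-b`, if the second line was meant to load a different module the tests are currently missing it.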
@@ -0,0 +1,12 @@ +#@TEST-EXEC: bro -b -C -r $TRACES/smb/smb1_transaction_secondary_request.pcap %INPUT +#@TEST-EXEC: btest-diff .stdout + +@load base/protocols/smb +@load base/protocols/smb + +# Check that smb1_transaction_secondary requests are parsed correctly + +event smb1_transaction_secondary_request(c: connection, hdr: SMB1::Header, args: SMB1::Trans_Sec_Args, parameters: string, data: string) +{ + print fmt("smb1_transaction_secondary_request hdr: %s, args: %s, params: %s, data: %s", hdr, args, parameters, data); +} diff --git a/testing/btest/scripts/base/protocols/smb/smb1-transaction2-request.test b/testing/btest/scripts/base/protocols/smb/smb1-transaction2-request.test new file mode 100644 index 0000000000..d216d41c32 --- /dev/null +++ b/testing/btest/scripts/base/protocols/smb/smb1-transaction2-request.test @@ -0,0 +1,12 @@ +#@TEST-EXEC: bro -b -C -r $TRACES/smb/smb1_transaction2_request.pcap %INPUT +#@TEST-EXEC: btest-diff .stdout + +@load base/protocols/smb +@load base/protocols/smb + +# Check that smb1_transaction2 requests are parsed correctly + +event smb1_transaction2_request(c: connection, hdr: SMB1::Header, args: SMB1::Trans2_Args, sub_cmd: count) +{ + print fmt("smb1_transaction2_request hdr: %s, args: %s, sub_cmd: %x", hdr, args, sub_cmd); +} diff --git a/testing/btest/scripts/base/protocols/smb/smb1-transaction2-secondary-request.test b/testing/btest/scripts/base/protocols/smb/smb1-transaction2-secondary-request.test new file mode 100644 index 0000000000..e8c462dd0d --- /dev/null +++ b/testing/btest/scripts/base/protocols/smb/smb1-transaction2-secondary-request.test 
@@ -0,0 +1,12 @@ +#@TEST-EXEC: bro -b -C -r $TRACES/smb/smb1_transaction2_secondary_request.pcap %INPUT +#@TEST-EXEC: btest-diff .stdout + +@load base/protocols/smb +@load base/protocols/smb + +# Check that smb1_transaction2_secondary requests are parsed correctly + +event smb1_transaction2_secondary_request(c: connection, hdr: SMB1::Header, args: SMB1::Trans2_Sec_Args, parameters: string, data: string) +{ + print fmt("smb1_transaction2_secondary_request hdr: %s, args: %s, params: %s, data: %s", hdr, args, parameters, data); +} diff --git a/testing/btest/scripts/base/protocols/smb/smb1.test b/testing/btest/scripts/base/protocols/smb/smb1.test index e151d48ada..61727754dc 100644 --- a/testing/btest/scripts/base/protocols/smb/smb1.test +++ b/testing/btest/scripts/base/protocols/smb/smb1.test @@ -1,4 +1,4 @@ # @TEST-EXEC: bro -b -r $TRACES/smb/smb1.pcap %INPUT # @TEST-EXEC: btest-diff smb_files.log -@load policy/protocols/smb +@load base/protocols/smb diff --git a/testing/btest/scripts/base/protocols/smb/smb2.test b/testing/btest/scripts/base/protocols/smb/smb2.test index 1a1dc980ca..c4c6e78224 100644 --- a/testing/btest/scripts/base/protocols/smb/smb2.test +++ b/testing/btest/scripts/base/protocols/smb/smb2.test 
@@ -4,6 +4,23 @@ # @TEST-EXEC: btest-diff files.log # @TEST-EXEC: test ! -f dpd.log # @TEST-EXEC: test ! -f weird.log +# @TEST-EXEC: btest-diff .stdout -@load policy/protocols/smb +@load base/protocols/smb +# Add some tests for SMB2 create request and response. +event smb2_create_request(c: connection, hdr: SMB2::Header, request: SMB2::CreateRequest) + { + print fmt("smb2_create_request %s -> %s:%d %s", c$id$orig_h, c$id$resp_h, c$id$resp_p, request); + } + +event smb2_create_response(c: connection, hdr: SMB2::Header, response: SMB2::CreateResponse) + { + print fmt("smb2_create_response %s -> %s:%d %s", c$id$orig_h, c$id$resp_h, c$id$resp_p, response); + } + +event smb2_file_sattr(c: connection, hdr: SMB2::Header, file_id: + SMB2::GUID, times: SMB::MACTimes, attrs: SMB2::FileAttrs) + { + print fmt("smb2_file_sattr %s -> %s:%d %s MACTimes:%s FileAttrs:%s", c$id$orig_h, c$id$resp_h, c$id$resp_p, file_id, times, attrs); + } diff --git a/testing/btest/scripts/base/protocols/socks/socks-auth.bro b/testing/btest/scripts/base/protocols/socks/socks-auth.bro index 2123dc1d45..d58e1b5801 100644 --- a/testing/btest/scripts/base/protocols/socks/socks-auth.bro +++ b/testing/btest/scripts/base/protocols/socks/socks-auth.bro @@ -3,3 +3,9 @@ # @TEST-EXEC: btest-diff tunnel.log @load base/protocols/socks + +redef SOCKS::default_capture_password = T; + +@TEST-START-NEXT + +@load base/protocols/socks diff --git a/testing/btest/scripts/base/protocols/ssh/curve25519_kex.test b/testing/btest/scripts/base/protocols/ssh/curve25519_kex.test new file mode 100644 index 0000000000..64641fe4af --- /dev/null +++ b/testing/btest/scripts/base/protocols/ssh/curve25519_kex.test @@ -0,0 +1,6 @@ +# This tests a successful login with pubkey using curve25519 as the KEX algorithm + +# @TEST-EXEC: bro -b -r $TRACES/ssh/ssh_kex_curve25519.pcap %INPUT +# @TEST-EXEC: btest-diff ssh.log + +@load base/protocols/ssh \ No newline at end of file 
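Review bot: In socks-auth.bro nothing explains why `redef SOCKS::default_capture_password = T;` is set for the first run and dropped after `@TEST-START-NEXT`. A comment above the redef, for example `# Run 1 logs the SOCKS password; the run after @TEST-START-NEXT checks the default setting.`, would make the two variants and their separate baselines readable. With capture enabled the baseline for the first run will hold whatever password is in the trace, so it is worth confirming the pcap contains only a throwaway credential before the baseline is committed.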
diff --git a/testing/btest/scripts/base/protocols/ssl/basic.test b/testing/btest/scripts/base/protocols/ssl/basic.test index 05dad1dca7..51eacfd572 100644 --- a/testing/btest/scripts/base/protocols/ssl/basic.test +++ b/testing/btest/scripts/base/protocols/ssl/basic.test @@ -3,3 +3,4 @@ # @TEST-EXEC: bro -r $TRACES/tls/tls-conn-with-extensions.trace %INPUT # @TEST-EXEC: btest-diff ssl.log # @TEST-EXEC: btest-diff x509.log +# @TEST-EXEC: test ! -f dpd.log diff --git a/testing/btest/scripts/base/protocols/ssl/dpd.test b/testing/btest/scripts/base/protocols/ssl/dpd.test index fd9d879bb4..7e85b4aaea 100644 --- a/testing/btest/scripts/base/protocols/ssl/dpd.test +++ b/testing/btest/scripts/base/protocols/ssl/dpd.test @@ -2,6 +2,7 @@ # @TEST-EXEC: bro -b -r $TRACES/tls/ssl.v3.trace %INPUT # @TEST-EXEC: bro -b -r $TRACES/tls/tls1.2.trace %INPUT # @TEST-EXEC: bro -b -r $TRACES/tls/tls-early-alert.trace %INPUT +# @TEST-EXEC: bro -b -r $TRACES/tls/tls-13draft19-early-data.pcap %INPUT # @TEST-EXEC: btest-diff .stdout @load base/frameworks/dpd diff --git a/testing/btest/scripts/base/protocols/ssl/dtls.test b/testing/btest/scripts/base/protocols/ssl/dtls.test index 46b74d2b78..a1b2c74dd8 100644 --- a/testing/btest/scripts/base/protocols/ssl/dtls.test +++ b/testing/btest/scripts/base/protocols/ssl/dtls.test @@ -1,5 +1,10 @@ # This tests a normal SSL connection and the log it outputs. -# @TEST-EXEC: bro -r $TRACES/tls/dtls-openssl.pcap %INPUT +# @TEST-EXEC: bro -r $TRACES/tls/dtls1_0.pcap %INPUT # @TEST-EXEC: btest-diff ssl.log # @TEST-EXEC: btest-diff x509.log +# @TEST-EXEC: bro -r $TRACES/tls/dtls1_2.pcap %INPUT +# @TEST-EXEC: cp ssl.log ssl1_2.log +# @TEST-EXEC: cp x509.log x5091_2.log +# @TEST-EXEC: btest-diff ssl1_2.log +# @TEST-EXEC: btest-diff x5091_2.log diff --git a/testing/btest/scripts/base/protocols/ssl/keyexchange.test b/testing/btest/scripts/base/protocols/ssl/keyexchange.test new file mode 100644 index 0000000000..f7ae714875 --- /dev/null 
+++ b/testing/btest/scripts/base/protocols/ssl/keyexchange.test 
@@ -0,0 +1,126 @@ +# @TEST-EXEC: bro -r $TRACES/tls/dhe.pcap %INPUT +# @TEST-EXEC: cat ssl.log > ssl-all.log +# @TEST-EXEC: bro -r $TRACES/tls/ecdhe.pcap %INPUT +# @TEST-EXEC: cat ssl.log >> ssl-all.log +# @TEST-EXEC: bro -r $TRACES/tls/ssl.v3.trace %INPUT +# @TEST-EXEC: cat ssl.log >> ssl-all.log +# @TEST-EXEC: bro -r $TRACES/tls/tls1_1.pcap %INPUT +# @TEST-EXEC: cat ssl.log >> ssl-all.log +# @TEST-EXEC: bro -r $TRACES/tls/dtls1_0.pcap %INPUT +# @TEST-EXEC: cat ssl.log >> ssl-all.log +# @TEST-EXEC: bro -r $TRACES/tls/dtls1_2.pcap %INPUT +# @TEST-EXEC: cat ssl.log >> ssl-all.log +# @TEST-EXEC: btest-diff ssl-all.log + +# Test the new client and server key exchange events. + +@load base/protocols/ssl +@load base/files/x509 +@load protocols/ssl/extract-certs-pem.bro + +module SSL; + +export { + redef record Info += { + # ClientHello + client_random: string &log &optional; + client_cipher_suites: string &log &optional; + + # ServerHello + server_random: string &log &optional; + + # ServerKeyExchange + server_dh_p: string &log &optional; + server_dh_q: string &log &optional; + server_dh_Ys: string &log &optional; + server_ecdh_point: string &log &optional; + server_signature_sig_alg: count &log &optional; + server_signature_hash_alg: count &log &optional; + server_signature: string &log &optional; + + # ServerCertificate + server_cert_sha1: string &log &optional; + + # ClientKeyExchange + client_rsa_pms: string &log &optional; + client_dh_Yc: string &log &optional; + client_ecdh_point: string &log &optional; + }; + + ## Control if host certificates offered by the defined hosts + ## will be written to the PEM certificates file. + ## Choices are: LOCAL_HOSTS, REMOTE_HOSTS, ALL_HOSTS, NO_HOSTS. + redef extract_certs_pem = ALL_HOSTS; +} + +event ssl_established(c: connection) &priority=5 + { + if ( ! c$ssl?$cert_chain || |c$ssl$cert_chain| == 0 || + ! 
c$ssl$cert_chain[0]?$x509 ) + return; + + c$ssl$server_cert_sha1 = c$ssl$cert_chain[0]$sha1; + } + +event ssl_client_hello(c: connection, version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec) &priority=5 + { + set_session(c); + c$ssl$client_random = bytestring_to_hexstr(client_random); + + local ciphers_str = ""; + for (i in ciphers) + { + ciphers_str += cipher_desc[ciphers[i]]; + if ( i != |ciphers|-1) + { + ciphers_str += ","; + } + } + c$ssl$client_cipher_suites = ciphers_str; + } + +event ssl_server_hello(c: connection, version: count, possible_ts: time, server_random: string, session_id: string, cipher: count, comp_method: count) &priority=5 + { + set_session(c); + c$ssl$server_random = bytestring_to_hexstr(server_random); + } + +event ssl_dh_server_params(c: connection, p: string, q: string, Ys: string) &priority=5 + { + set_session(c); + c$ssl$server_dh_p = bytestring_to_hexstr(p); + c$ssl$server_dh_q = bytestring_to_hexstr(q); + c$ssl$server_dh_Ys = bytestring_to_hexstr(Ys); + } + +event ssl_ecdh_server_params(c: connection, curve: count, point: string) &priority=5 + { + set_session(c); + c$ssl$server_ecdh_point = bytestring_to_hexstr(point); + } + +event ssl_server_signature(c: connection, signature_and_hashalgorithm: SSL::SignatureAndHashAlgorithm, signature: string) &priority=5 + { + set_session(c); + c$ssl$server_signature_sig_alg = signature_and_hashalgorithm$SignatureAlgorithm; + c$ssl$server_signature_hash_alg = signature_and_hashalgorithm$HashAlgorithm; + c$ssl$server_signature = bytestring_to_hexstr(signature); + } + +event ssl_rsa_client_pms(c: connection, pms: string) &priority=5 + { + set_session(c); + c$ssl$client_rsa_pms = bytestring_to_hexstr(pms); + } + +event ssl_dh_client_params(c: connection, Yc: string) &priority=5 + { + set_session(c); + c$ssl$client_dh_Yc = bytestring_to_hexstr(Yc); + } + +event ssl_ecdh_client_params(c: connection, point: string) &priority=5 + { + set_session(c); + 
c$ssl$client_ecdh_point = bytestring_to_hexstr(point); + } diff --git a/testing/btest/scripts/base/protocols/ssl/ocsp-http-get.test b/testing/btest/scripts/base/protocols/ssl/ocsp-http-get.test new file mode 100644 index 0000000000..c8c8acc589 --- /dev/null +++ b/testing/btest/scripts/base/protocols/ssl/ocsp-http-get.test 
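Review bot: The guard in `ssl_established` tests `c$ssl$cert_chain[0]?$x509`, but the assignment that follows reads `c$ssl$cert_chain[0]$sha1`, a different field. The record is not declared in this hunk, so this is inferred: if `sha1` is optional there, an entry with parsed X.509 data but no hash raises a runtime error instead of being skipped, and the check should cover the field that is used, `! c$ssl$cert_chain[0]?$sha1`. The `redef record Info` block also sends `client_random`, `server_random` and `client_rsa_pms` to ssl.log; a comment such as `# Test-only: these fields exist to exercise the key exchange events.` would discourage copying the block into a production policy script.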
@@ -0,0 +1,43 @@ +# This tests a normal OCSP request sent through HTTP GET + +# @TEST-EXEC: bro -C -r $TRACES/tls/ocsp-http-get.pcap %INPUT +# @TEST-EXEC: btest-diff ocsp.log +# @TEST-EXEC: btest-diff .stdout + +@load files/x509/log-ocsp + +event bro_init() + { + Files::register_for_mime_type(Files::ANALYZER_OCSP_REQUEST, "application/ocsp-request"); + Files::register_for_mime_type(Files::ANALYZER_OCSP_REPLY, "application/ocsp-response"); + } + +event ocsp_extension(f: fa_file, ext: X509::Extension, global_resp: bool) + { + print "extension: ", ext, global_resp; + } + +event ocsp_request(f: fa_file, version: count) + { + print "request", version, ""; + } + +event ocsp_request_certificate(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string) + { + print "request cert", hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber; + } + +event ocsp_response_status(f: fa_file, status: string) + { + print "ocsp_response_status", status; + } + +event ocsp_response_bytes(f: fa_file, resp_ref: opaque of ocsp_resp, status: string, version: count, responderId: string, producedAt: time, signatureAlgorithm: string, certs: x509_opaque_vector) + { + print "ocsp_response_bytes", status, version, responderId, producedAt, signatureAlgorithm; + } + +event ocsp_response_certificate(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string, certStatus: string, revoketime: time, revokereason: string, thisUpdate: time, nextUpdate: time) + { + print "ocsp_response_certificate", hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber, certStatus, revoketime, revokereason, thisUpdate, nextUpdate; + } diff --git a/testing/btest/scripts/base/protocols/ssl/ocsp-request-only.test b/testing/btest/scripts/base/protocols/ssl/ocsp-request-only.test new file mode 100644 index 0000000000..05483717b0 --- /dev/null +++ b/testing/btest/scripts/base/protocols/ssl/ocsp-request-only.test 
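Review bot: The `bro_init` handler and the six `ocsp_*` handlers in this file are repeated verbatim in ocsp-request-only.test, ocsp-request-response.test, ocsp-response-only.test and ocsp-revoked.test, so a change to any OCSP event signature has to be made in five places. Moving them into one helper script passed on the `bro` command line, the way validate-sct.bro passes `$SCRIPTS/external-ca-list.bro`, would leave each test with only its `@TEST-EXEC` lines and its trace. The trailing empty string in `print "request", version, "";` also looks like a leftover argument; either drop it or comment what it stands for.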
@@ -0,0 +1,42 @@ +# This tests a OCSP request missing response + +# @TEST-EXEC: bro -C -r $TRACES/tls/ocsp-request-only.pcap %INPUT +# @TEST-EXEC: btest-diff .stdout + +@load files/x509/log-ocsp + +event bro_init() + { + Files::register_for_mime_type(Files::ANALYZER_OCSP_REQUEST, "application/ocsp-request"); + Files::register_for_mime_type(Files::ANALYZER_OCSP_REPLY, "application/ocsp-response"); + } + +event ocsp_extension(f: fa_file, ext: X509::Extension, global_resp: bool) + { + print "extension: ", ext, global_resp; + } + +event ocsp_request(f: fa_file, version: count) + { + print "request", version, ""; + } + +event ocsp_request_certificate(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string) + { + print "request cert", hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber; + } + +event ocsp_response_status(f: fa_file, status: string) + { + print "ocsp_response_status", status; + } + +event ocsp_response_bytes(f: fa_file, resp_ref: opaque of ocsp_resp, status: string, version: count, responderId: string, producedAt: time, signatureAlgorithm: string, certs: x509_opaque_vector) + { + print "ocsp_response_bytes", status, version, responderId, producedAt, signatureAlgorithm; + } + +event ocsp_response_certificate(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string, certStatus: string, revoketime: time, revokereason: string, thisUpdate: time, nextUpdate: time) + { + print "ocsp_response_certificate", hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber, certStatus, revoketime, revokereason, thisUpdate, nextUpdate; + } diff --git a/testing/btest/scripts/base/protocols/ssl/ocsp-request-response.test b/testing/btest/scripts/base/protocols/ssl/ocsp-request-response.test new file mode 100644 index 0000000000..b95203dfd8 --- /dev/null +++ b/testing/btest/scripts/base/protocols/ssl/ocsp-request-response.test 
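Review bot: Unlike the other four OCSP tests, ocsp-request-only.test has no `btest-diff ocsp.log` line and gives no reason for leaving it out. If a request without a response is meant to produce no ocsp.log (inferred from the omission, not shown in the hunk), assert that explicitly with `# @TEST-EXEC: test ! -f ocsp.log`, in the same way basic.test checks dpd.log. Otherwise add the diff so the request-only log output is pinned by a baseline.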
@@ -0,0 +1,43 @@ +# This tests a pair of normal OCSP request and response + +# @TEST-EXEC: bro -C -r $TRACES/tls/ocsp-request-response.pcap %INPUT +# @TEST-EXEC: btest-diff ocsp.log +# @TEST-EXEC: btest-diff .stdout + +@load files/x509/log-ocsp + +event bro_init() + { + Files::register_for_mime_type(Files::ANALYZER_OCSP_REQUEST, "application/ocsp-request"); + Files::register_for_mime_type(Files::ANALYZER_OCSP_REPLY, "application/ocsp-response"); + } + +event ocsp_extension(f: fa_file, ext: X509::Extension, global_resp: bool) + { + print "extension: ", ext, global_resp; + } + +event ocsp_request(f: fa_file, version: count) + { + print "request", version, ""; + } + +event ocsp_request_certificate(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string) + { + print "request cert", hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber; + } + +event ocsp_response_status(f: fa_file, status: string) + { + print "ocsp_response_status", status; + } + +event ocsp_response_bytes(f: fa_file, resp_ref: opaque of ocsp_resp, status: string, version: count, responderId: string, producedAt: time, signatureAlgorithm: string, certs: x509_opaque_vector) + { + print "ocsp_response_bytes", status, version, responderId, producedAt, signatureAlgorithm; + } + +event ocsp_response_certificate(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string, certStatus: string, revoketime: time, revokereason: string, thisUpdate: time, nextUpdate: time) + { + print "ocsp_response_certificate", hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber, certStatus, revoketime, revokereason, thisUpdate, nextUpdate; + } diff --git a/testing/btest/scripts/base/protocols/ssl/ocsp-response-only.test b/testing/btest/scripts/base/protocols/ssl/ocsp-response-only.test new file mode 100644 index 0000000000..43dbf82583 --- /dev/null +++ b/testing/btest/scripts/base/protocols/ssl/ocsp-response-only.test 
@@ -0,0 +1,43 @@ +# This tests a normal OCSP response missing request + +# @TEST-EXEC: bro -C -r $TRACES/tls/ocsp-response-only.pcap %INPUT +# @TEST-EXEC: btest-diff ocsp.log +# @TEST-EXEC: btest-diff .stdout + +@load files/x509/log-ocsp + +event bro_init() + { + Files::register_for_mime_type(Files::ANALYZER_OCSP_REQUEST, "application/ocsp-request"); + Files::register_for_mime_type(Files::ANALYZER_OCSP_REPLY, "application/ocsp-response"); + } + +event ocsp_extension(f: fa_file, ext: X509::Extension, global_resp: bool) + { + print "extension: ", ext, global_resp; + } + +event ocsp_request(f: fa_file, version: count) + { + print "request", version, ""; + } + +event ocsp_request_certificate(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string) + { + print "request cert", hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber; + } + +event ocsp_response_status(f: fa_file, status: string) + { + print "ocsp_response_status", status; + } + +event ocsp_response_bytes(f: fa_file, resp_ref: opaque of ocsp_resp, status: string, version: count, responderId: string, producedAt: time, signatureAlgorithm: string, certs: x509_opaque_vector) + { + print "ocsp_response_bytes", status, version, responderId, producedAt, signatureAlgorithm; + } + +event ocsp_response_certificate(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string, certStatus: string, revoketime: time, revokereason: string, thisUpdate: time, nextUpdate: time) + { + print "ocsp_response_certificate", hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber, certStatus, revoketime, revokereason, thisUpdate, nextUpdate; + } diff --git a/testing/btest/scripts/base/protocols/ssl/ocsp-revoked.test b/testing/btest/scripts/base/protocols/ssl/ocsp-revoked.test new file mode 100644 index 0000000000..e4378135ad --- /dev/null +++ b/testing/btest/scripts/base/protocols/ssl/ocsp-revoked.test 
@@ -0,0 +1,43 @@ +# This tests OCSP response with revocation + +# @TEST-EXEC: bro -C -r $TRACES/tls/ocsp-revoked.pcap %INPUT +# @TEST-EXEC: btest-diff ocsp.log +# @TEST-EXEC: btest-diff .stdout + +@load files/x509/log-ocsp + +event bro_init() + { + Files::register_for_mime_type(Files::ANALYZER_OCSP_REQUEST, "application/ocsp-request"); + Files::register_for_mime_type(Files::ANALYZER_OCSP_REPLY, "application/ocsp-response"); + } + +event ocsp_extension(f: fa_file, ext: X509::Extension, global_resp: bool) + { + print "extension: ", ext, global_resp; + } + +event ocsp_request(f: fa_file, version: count) + { + print "request", version, ""; + } + +event ocsp_request_certificate(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string) + { + print "request cert", hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber; + } + +event ocsp_response_status(f: fa_file, status: string) + { + print "ocsp_response_status", status; + } + +event ocsp_response_bytes(f: fa_file, resp_ref: opaque of ocsp_resp, status: string, version: count, responderId: string, producedAt: time, signatureAlgorithm: string, certs: x509_opaque_vector) + { + print "ocsp_response_bytes", status, version, responderId, producedAt, signatureAlgorithm; + } + +event ocsp_response_certificate(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string, certStatus: string, revoketime: time, revokereason: string, thisUpdate: time, nextUpdate: time) + { + print "ocsp_response_certificate", hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber, certStatus, revoketime, revokereason, thisUpdate, nextUpdate; + } diff --git a/testing/btest/scripts/base/protocols/ssl/signed_certificate_timestamp.test b/testing/btest/scripts/base/protocols/ssl/signed_certificate_timestamp.test new file mode 100644 index 0000000000..7c7dc90e4c --- /dev/null +++ b/testing/btest/scripts/base/protocols/ssl/signed_certificate_timestamp.test 
@@ -0,0 +1,49 @@ +# @TEST-EXEC: bro -r $TRACES/tls/signed_certificate_timestamp.pcap %INPUT +# +# The following file contains a tls 1.0 connection with a SCT in a TLS extension. +# This is interesting because the digitally-signed struct in TLS 1.0 does not come +# with a SignatureAndHashAlgorithm structure. The digitally-signed struct in the +# SCT is, however, based on the TLS 1.2 RFC, no matter which version of TLS one +# uses in the end. So this one does have a Signature/Hash alg, even if the protocol +# itself does not carry it in the same struct. +# +# @TEST-EXEC: bro -r $TRACES/tls/signed_certificate_timestamp_tls1_0.pcap %INPUT +# @TEST-EXEC: btest-diff .stdout +# @TEST-EXEC: test ! -f dpd.log + +export { + type LogInfo: record { + version: count; + logid: string; + timestamp: count; + sig_alg: count; + hash_alg: count; + signature: string; + }; +} + +redef record SSL::Info += { + ct_proofs: vector of LogInfo &default=vector(); +}; + +event ssl_extension_signed_certificate_timestamp(c: connection, is_orig: bool, version: count, logid: string, timestamp: count, signature_and_hashalgorithm: SSL::SignatureAndHashAlgorithm, signature: string) + { + print version, SSL::ct_logs[logid]$description, double_to_time(timestamp/1000.0), signature_and_hashalgorithm; + c$ssl$ct_proofs[|c$ssl$ct_proofs|] = LogInfo($version=version, $logid=logid, $timestamp=timestamp, $sig_alg=signature_and_hashalgorithm$SignatureAlgorithm, $hash_alg=signature_and_hashalgorithm$HashAlgorithm, $signature=signature); + } + +event ssl_established(c: connection) + { + if ( ! c$ssl?$cert_chain || |c$ssl$cert_chain| == 0 || ! 
c$ssl$cert_chain[0]?$x509 ) + return; + + local cert = c$ssl$cert_chain[0]$x509$handle; + + for ( i in c$ssl$ct_proofs ) + { + local log = c$ssl$ct_proofs[i]; + + print "Verify of", SSL::ct_logs[log$logid]$description, sct_verify(cert, log$logid, SSL::ct_logs[log$logid]$key, log$signature, log$timestamp, log$hash_alg); + print "Bad verify of", SSL::ct_logs[log$logid]$description, sct_verify(cert, log$logid, SSL::ct_logs[log$logid]$key, log$signature, log$timestamp+1, log$hash_alg); + } + } diff --git a/testing/btest/scripts/base/protocols/ssl/tls-extension-events.test b/testing/btest/scripts/base/protocols/ssl/tls-extension-events.test index 261a698833..b8f3d42242 100644 --- a/testing/btest/scripts/base/protocols/ssl/tls-extension-events.test +++ b/testing/btest/scripts/base/protocols/ssl/tls-extension-events.test @@ -1,4 +1,5 @@ # @TEST-EXEC: bro -C -r $TRACES/tls/chrome-34-google.trace %INPUT +# @TEST-EXEC: bro -C -r $TRACES/tls/tls-13draft19-early-data.pcap %INPUT # @TEST-EXEC: btest-diff .stdout event ssl_extension_elliptic_curves(c: connection, is_orig: bool, curves: index_vec) @@ -33,3 +34,17 @@ event ssl_extension_signature_algorithm(c: connection, is_orig: bool, signature_ print SSL::hash_algorithms[signature_algorithms[i]$HashAlgorithm], SSL::signature_algorithms[signature_algorithms[i]$SignatureAlgorithm]; } } + +event ssl_extension_supported_versions(c: connection, is_orig: bool, versions: index_vec) + { + print "supported_versions(", c$id$orig_h, c$id$resp_h; + for ( i in versions ) + print SSL::version_strings[versions[i]]; + } + +event ssl_extension_psk_key_exchange_modes(c: connection, is_orig: bool, modes: index_vec) + { + print "psk_key_exchange_modes", c$id$orig_h, c$id$resp_h; + for ( i in modes ) + print modes[i]; + } diff --git a/testing/btest/scripts/base/protocols/ssl/tls13-experiment.test b/testing/btest/scripts/base/protocols/ssl/tls13-experiment.test new file mode 100644 index 0000000000..e074535692 --- /dev/null 
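Review bot: Both handlers in signed_certificate_timestamp.test index `SSL::ct_logs[logid]` and `SSL::ct_logs[log$logid]` without first checking that the log id is in the table. Unless `ct_logs` declares a default (not visible here), the test fails with a runtime error rather than a baseline diff as soon as a log present in the trace is dropped from the bundled CT log list. A guard such as `if ( logid !in SSL::ct_logs ) { print "unknown CT log"; return; }` in the extension handler, and the same check inside the loop, keeps the failure readable. validate-sct.bro has the same unguarded lookup in `local log = SSL::ct_logs[proof$logid];`.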
+++ b/testing/btest/scripts/base/protocols/ssl/tls13-experiment.test @@ -0,0 +1,19 @@ +# @TEST-EXEC: bro -C -r $TRACES/tls/chrome-63.0.3211.0-canary-tls_experiment.pcap %INPUT +# @TEST-EXEC: btest-diff ssl.log +# @TEST-EXEC: btest-diff .stdout + +# This is a trace that uses a completely non-standard way of establishing TLS 1.3; this seems +# to be an undocumented extension where the TLS version is negotiated via the server sending back +# an supported_versions extension (which, according to the RFC is strictly prohibited). +# +# This only seems to happen with Chrome talking to google servers. We do not recognize this as +# TLS 1.3, but we do not abort when encountering traffic like this. +# +# In the meantime this way of establishing TLS 1.3 was standardized. Still keeping the test even +# though we parse this correctly now. + +event ssl_extension(c: connection, is_orig: bool, code: count, val: string) + { + if ( ! is_orig && code == 43 ) + print bytestring_to_hexstr(val); + } diff --git a/testing/btest/scripts/base/protocols/ssl/tls13-version.test b/testing/btest/scripts/base/protocols/ssl/tls13-version.test new file mode 100644 index 0000000000..9194c861e1 --- /dev/null +++ b/testing/btest/scripts/base/protocols/ssl/tls13-version.test @@ -0,0 +1,4 @@ +# @TEST-EXEC: bro -C -r $TRACES/tls/tls13draft23-chrome67.0.3368.0-canary.pcap %INPUT +# @TEST-EXEC: btest-diff ssl.log + +# Test that we correctly parse the version out of the extension in an 1.3 connection diff --git a/testing/btest/scripts/base/protocols/ssl/tls1_1.test b/testing/btest/scripts/base/protocols/ssl/tls1_1.test new file mode 100644 index 0000000000..885a047ebe --- /dev/null +++ b/testing/btest/scripts/base/protocols/ssl/tls1_1.test @@ -0,0 +1,6 @@ +# This tests a normal SSL connection and the log it outputs. + +# @TEST-EXEC: bro -r $TRACES/tls/tls1_1.pcap %INPUT +# @TEST-EXEC: btest-diff ssl.log +# @TEST-EXEC: btest-diff x509.log +# @TEST-EXEC: test ! -f dpd.log 
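Review bot: `code == 43` in the `ssl_extension` handler of tls13-experiment.test is a bare constant; the header comment talks about the supported_versions extension, and 43 is that extension's code point, so say it at the point of use: `# 43 = supported_versions`. The header comment also contradicts itself, first stating "We do not recognize this as TLS 1.3" and then "we parse this correctly now". Rewording the first statement in the past tense would tell a reader which behaviour the ssl.log baseline is expected to show.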
diff --git a/testing/btest/scripts/base/protocols/ssl/x509-invalid-extension.test b/testing/btest/scripts/base/protocols/ssl/x509-invalid-extension.test new file mode 100644 index 0000000000..de0dc9e59f --- /dev/null +++ b/testing/btest/scripts/base/protocols/ssl/x509-invalid-extension.test @@ -0,0 +1,11 @@ +# @TEST-EXEC: bro -C -r $TRACES/tls/ocsp-stapling.trace %INPUT +# @TEST-EXEC: btest-diff .stdout + +event x509_extension(f: fa_file, ext: X509::Extension) + { + if ( ext$oid != "1.3.6.1.5.5.7.1.12" ) + return; + + print ext$short_name; + print ext$value; + } diff --git a/testing/btest/scripts/base/utils/active-http.test b/testing/btest/scripts/base/utils/active-http.test index dbd3fbe141..97d06448ca 100644 --- a/testing/btest/scripts/base/utils/active-http.test +++ b/testing/btest/scripts/base/utils/active-http.test @@ -9,7 +9,6 @@ # @TEST-EXEC: btest-diff output @load base/utils/active-http -@load base/frameworks/communication # let network-time run. otherwise there are no heartbeats... redef exit_only_after_terminate = T; global c: count = 0; diff --git a/testing/btest/scripts/base/utils/dir.test b/testing/btest/scripts/base/utils/dir.test index aa9ee62315..76ec5d4fb5 100644 --- a/testing/btest/scripts/base/utils/dir.test +++ b/testing/btest/scripts/base/utils/dir.test @@ -5,7 +5,6 @@ @TEST-START-FILE dirtest.bro @load base/utils/dir -@load base/frameworks/communication # let network-time run. otherwise there are no heartbeats... redef exit_only_after_terminate = T; global c: count = 0; diff --git a/testing/btest/scripts/base/utils/exec.test b/testing/btest/scripts/base/utils/exec.test index 389527bcfc..0b926df402 100644 --- a/testing/btest/scripts/base/utils/exec.test +++ b/testing/btest/scripts/base/utils/exec.test @@ -5,7 +5,6 @@ @TEST-START-FILE exectest.bro @load base/utils/exec -@load base/frameworks/communication # let network-time run. otherwise there are no heartbeats... redef exit_only_after_terminate = T; global c: count = 0; 
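Review bot: x509-invalid-extension.test filters on the OID `1.3.6.1.5.5.7.1.12` with no comment saying which extension that is or what is invalid about it in this trace. That OID is id-pe-logotype (RFC 3709), so a header such as `# The certificate in this trace carries a logotype extension (1.3.6.1.5.5.7.1.12) that cannot be rendered normally; check the fallback output.` would state the intent, with the exact failure mode filled in by the author since it cannot be read from the hunk. Without it, a later baseline update cannot tell whether changed `ext$value` output is a fix or a regression in how malformed extension data is handled.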
diff --git a/testing/btest/scripts/base/utils/hash_hrw.bro b/testing/btest/scripts/base/utils/hash_hrw.bro new file mode 100644 index 0000000000..90f87f6f46 --- /dev/null +++ b/testing/btest/scripts/base/utils/hash_hrw.bro 
@@ -0,0 +1,57 @@ +# @TEST-EXEC: bro -b %INPUT > output +# @TEST-EXEC: btest-diff output + +@load base/utils/hash_hrw + +local pool = HashHRW::Pool(); +local alice = HashHRW::Site($id=0, $user_data="alice"); +local bob = HashHRW::Site($id=1, $user_data="bob"); +local charlie = HashHRW::Site($id=2, $user_data="charlie"); +local dave = HashHRW::Site($id=3, $user_data="dave"); +local eve = HashHRW::Site($id=4, $user_data="eve"); + +print HashHRW::add_site(pool, alice); +print HashHRW::add_site(pool, alice); +print HashHRW::add_site(pool, bob); +print HashHRW::add_site(pool, charlie); +print HashHRW::add_site(pool, dave); +print HashHRW::add_site(pool, eve); +print HashHRW::rem_site(pool, charlie); +print HashHRW::rem_site(pool, charlie); + +print HashHRW::get_site(pool, "one"); +print HashHRW::get_site(pool, "two"); +print HashHRW::get_site(pool, "three"); +print HashHRW::get_site(pool, "four"); +print HashHRW::get_site(pool, "four"); +print HashHRW::get_site(pool, "five"); +print HashHRW::get_site(pool, "six"); +print HashHRW::get_site(pool, 1); +print HashHRW::get_site(pool, 2); +print HashHRW::get_site(pool, 3); + +print HashHRW::rem_site(pool, alice); + +print HashHRW::get_site(pool, "one"); +print HashHRW::get_site(pool, "two"); +print HashHRW::get_site(pool, "three"); +print HashHRW::get_site(pool, "four"); +print HashHRW::get_site(pool, "four"); +print HashHRW::get_site(pool, "five"); +print HashHRW::get_site(pool, "six"); +print HashHRW::get_site(pool, 1); +print HashHRW::get_site(pool, 2); +print HashHRW::get_site(pool, 3); + +print HashHRW::add_site(pool, alice); + +print HashHRW::get_site(pool, "one"); +print HashHRW::get_site(pool, "two"); +print HashHRW::get_site(pool, "three"); +print HashHRW::get_site(pool, "four"); +print HashHRW::get_site(pool, "four"); +print HashHRW::get_site(pool, "five"); +print HashHRW::get_site(pool, "six"); +print HashHRW::get_site(pool, 1); +print HashHRW::get_site(pool, 2); +print HashHRW::get_site(pool, 3); 
diff --git a/testing/btest/scripts/base/utils/json.test b/testing/btest/scripts/base/utils/json.test new file mode 100644 index 0000000000..264151136a --- /dev/null +++ b/testing/btest/scripts/base/utils/json.test 
@@ -0,0 +1,122 @@ +# Test the to_json() function on every basic data type. For container types, +# test with no elements, with one element, and with more than one element. +# Test that the "only_loggable" option works (output only record fields with +# the &log attribute). +# @TEST-EXEC: bro %INPUT >output +# @TEST-EXEC: btest-diff output + +type color: enum { Red, White, Blue }; + +type myrec1: record { + c: count &optional; + s: string &log; +}; + +type myrec2: record { + m: myrec1 &log; +}; + +event bro_init() + { + # ##################################### + # Test the basic (non-container) types: + + local b: bool = T; + print to_json(b); + + local c: count = 123; + print to_json(c); + + local i: int = -999; + print to_json(i); + + local d1: double = 3.14; + local d2: double = -1.23456789e308; + local d3: double = 9e-308; + print to_json(d1); + print to_json(d2); + print to_json(d3); + + local t: time = double_to_time(1480788576.868945); + print to_json(t); + + local ti: interval = -12hr; + print to_json(ti); + + local s1: string = "hello"; + local s2: string = ""; + print to_json(s1); + print to_json(s2); + + local p1: port = 65535/tcp; + local p2: port = 1/udp; + local p3: port = 123/icmp; + local p4: port = 0/unknown; + print to_json(p1); + print to_json(p2); + print to_json(p3); + print to_json(p4); + + local a1: addr = 1.2.3.4; + local a2: addr = [ffff:1234::1]; + local a3: addr = [::ffff:123.123.123.123]; + print to_json(a1); + print to_json(a2); + print to_json(a3); + + local su1: subnet = 192.0.0.0/8; + local su2: subnet = [fe80::]/64; + print to_json(su1); + print to_json(su2); + + local e: color = Red; + print to_json(e); + + # ######################### + # Test the container types: + + # Records + local re1 = myrec1($c=100, $s="test"); + local re2 = myrec1($s="test"); + local re3 = myrec2($m=myrec1($c=15, $s="test")); + print to_json(re1); + print to_json(re1, T); + print to_json(re2); + print to_json(re3, T); + + # Vectors + local ve1: vector of 
count = vector(); + local ve2: vector of count = vector(2, 1); + local ve3: vector of addr = vector(1.2.3.4); + local ve4: vector of set[bool] = vector(set(T, F)); + local ve5: vector of myrec1 = vector(myrec1($s="test", $c=2)); + print to_json(ve1); + print to_json(ve2); + print to_json(ve3); + print to_json(ve4); + print to_json(ve5, T); + + # Sets + local st1: set[count] = set(); + local st2: set[count] = set(2, 1); + local st3: set[addr] = set(1.2.3.4); + local st4: set[myrec1] = set(myrec1($s="test")); + local st5: set[myrec1] = set(myrec1($s="test", $c=2)); + print to_json(st1); + print to_json(st2); + print to_json(st3); + print to_json(st4); + print to_json(st5, T); + + # Tables + local ta1: table[count] of addr = table(); + local ta2: table[count] of addr = {[1] = 10.1.1.1, [2] = 10.2.2.2}; + local ta3: table[addr] of table[string] of count = {[10.1.1.1] = table(["a"] = 1), [10.2.2.2] = table(["b"] = 2)}; + local ta4: table[addr] of vector of count = {[10.1.1.1] = vector(1, 2), [10.2.2.2] = vector(3, 5)}; + local ta5: table[count] of myrec1 = {[1] = myrec1($s="test", $c=2)}; + print to_json(ta1); + print to_json(ta2); + print to_json(ta3); + print to_json(ta4); + print to_json(ta5, T); + } diff --git a/testing/btest/scripts/policy/frameworks/software/version-changes.bro b/testing/btest/scripts/policy/frameworks/software/version-changes.bro new file mode 100644 index 0000000000..c6d2433236 --- /dev/null +++ b/testing/btest/scripts/policy/frameworks/software/version-changes.bro 
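Review bot: The string cases in json.test cover only `"hello"` and `""`, so nothing pins how `to_json` escapes quotes, backslashes or control characters. Those are the values that matter when the JSON is consumed downstream from attacker-influenced fields such as hostnames or URIs. Adding `local s3: string = "quote\" backslash\\ newline\n";` and `print to_json(s3);` next to `s1` and `s2`, with the baseline regenerated, would catch an escaping regression. The header comment claims "every basic data type", so either add the types not exercised here (for example `pattern`) or narrow the wording.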
@@ -0,0 +1,40 @@ +# @TEST-EXEC: bro -b %INPUT +# @TEST-EXEC: btest-diff software.log +# @TEST-EXEC: btest-diff notice.log + +@load base/frameworks/software +@load policy/frameworks/software/version-changes + +const fake_software_name = "my_fake_software"; +redef Software::asset_tracking = ALL_HOSTS; +redef Software::interesting_version_changes += {fake_software_name}; + +global versions: vector of string = vector("1.0.0", "1.1.0", "1.2.0", "1.0.0"); +global version_index = 0; +global c = 0; + +event new_software() + { + local v = versions[version_index]; + local cid = conn_id($orig_h = 127.0.0.1, $orig_p = 22/tcp, + $resp_h = 127.0.0.1, $resp_p = 22/tcp); + local si = Software::Info($name=fake_software_name, + $unparsed_version=fmt("%s %s", + fake_software_name, v), + $host=127.0.0.1); + Software::found(cid, si); + + ++version_index; + ++c; + + if ( version_index >= |versions| ) + version_index = 0; + + if ( c < 10 ) + event new_software(); + } + +event bro_init() + { + event new_software(); + } diff --git a/testing/btest/scripts/policy/protocols/dhcp/known-devices-and-hostnames/basic.test b/testing/btest/scripts/policy/protocols/dhcp/known-devices-and-hostnames/basic.test deleted file mode 100644 index 1144ae1377..0000000000 --- a/testing/btest/scripts/policy/protocols/dhcp/known-devices-and-hostnames/basic.test +++ /dev/null @@ -1,8 +0,0 @@ -# This tests that the known_devices log is created, -# that devices are logged by MAC address, and that -# the DHCP hostname is added, if available. - -# @TEST-EXEC: bro -r $TRACES/dhcp/dhcp.trace -r $TRACES/dhcp/dhcp_inform.trace %INPUT -# @TEST-EXEC: btest-diff known_devices.log - -@load policy/protocols/dhcp/known-devices-and-hostnames diff --git a/testing/btest/scripts/policy/protocols/krb/ticket-logging.bro b/testing/btest/scripts/policy/protocols/krb/ticket-logging.bro new file mode 100644 index 0000000000..0bc0a33d5d --- /dev/null +++ b/testing/btest/scripts/policy/protocols/krb/ticket-logging.bro 
@@ -0,0 +1,6 @@ +# This test makes sure that krb ticket hashes are logged correctly. + +# @TEST-EXEC: bro -b -r $TRACES/krb/auth.trace %INPUT +# @TEST-EXEC: btest-diff kerberos.log + +@load protocols/krb/ticket-logging diff --git a/testing/btest/scripts/policy/protocols/ssl/validate-sct.bro b/testing/btest/scripts/policy/protocols/ssl/validate-sct.bro new file mode 100644 index 0000000000..0e6065f937 --- /dev/null +++ b/testing/btest/scripts/policy/protocols/ssl/validate-sct.bro @@ -0,0 +1,21 @@ +# @TEST-EXEC: bro -r $TRACES/tls/signed_certificate_timestamp.pcap $SCRIPTS/external-ca-list.bro %INPUT +# @TEST-EXEC: cat ssl.log > ssl-all.log +# @TEST-EXEC: bro -r $TRACES/tls/signed_certificate_timestamp-2.pcap $SCRIPTS/external-ca-list.bro %INPUT +# @TEST-EXEC: cat ssl.log >> ssl-all.log +# @TEST-EXEC: btest-diff .stdout +# @TEST-EXEC: TEST_DIFF_CANONIFIER="$SCRIPTS/diff-remove-x509-names | $SCRIPTS/diff-remove-timestamps" btest-diff ssl-all.log + +@load protocols/ssl/validate-sct.bro + +module SSL; + +event ssl_established(c: connection) + { + print c$ssl$ct_proofs; + for ( i in c$ssl$ct_proofs ) + { + local proof = c$ssl$ct_proofs[i]; + local log = SSL::ct_logs[proof$logid]; + print log$description, proof$valid; + } + } diff --git a/testing/btest/signatures/eval-condition-no-return-value.bro b/testing/btest/signatures/eval-condition-no-return-value.bro new file mode 100644 index 0000000000..b1a4f5781f --- /dev/null +++ b/testing/btest/signatures/eval-condition-no-return-value.bro @@ -0,0 +1,20 @@ +# @TEST-EXEC: bro -r $TRACES/ftp/ipv4.trace %INPUT +# @TEST-EXEC: btest-diff .stdout +# @TEST-EXEC: btest-diff .stderr + +@load-sigs blah.sig + +@TEST-START-FILE blah.sig +signature blah + { + ip-proto == tcp + src-port == 21 + payload /.*/ + eval mark_conn + } +@TEST-END-FILE + +function mark_conn(state: signature_state, data: string): bool + { + print "Called"; + } 
diff --git a/testing/coverage/Makefile b/testing/coverage/Makefile new file mode 100644 index 0000000000..7f458a4f9c --- /dev/null +++ b/testing/coverage/Makefile @@ -0,0 +1,12 @@ +coverage: cleanup + @./code_coverage.sh + +cleanup: + @rm -f coverage.log + @find ../../ -name "*.gcov" -exec rm {} \; + +distclean: cleanup + @find ../../ -name "*.gcno" -exec rm {} \; + +html: + @./lcov_html.sh $(COVERAGE_HTML_DIR) diff --git a/testing/coverage/README b/testing/coverage/README new file mode 100644 index 0000000000..d1352640f2 --- /dev/null +++ b/testing/coverage/README @@ -0,0 +1,21 @@ +On a Bro build configured with --enable-coverage, this script produces a code +coverage report after Bro has been invoked. The intended application of this +script is after the btest testsuite has run. This combination (btests first, +coverage computation afterward) happens automatically when running "make" in +the testing directory. This script puts .gcov files (which are included in +.gitignore) alongside the corresponding source files. + +This depends on gcov, which should come with your gcc. If gcov is not +installed, the script will abort with an error message. + +After `make all` in the upper directory, use `make html` as make target in this +directory to output the html files that lcov can create. By default, the html +files will be contained in a directory named "coverage-html" in the base +directory. To set a custom name, use `make html +COVERAGE_HTML_DIR=custom-dir-name`. + +The script code_coverage.sh is triggered by `make coverage` (included in `make` +in /testing), and its goal is to automate code coverage testing. + +The script lcov_html.sh is triggered by `make html`, and its goal is to create +html files from the aforementioned coverage data. diff --git a/testing/coverage/code_coverage.sh b/testing/coverage/code_coverage.sh new file mode 100755 index 0000000000..758b2fa915 --- /dev/null +++ b/testing/coverage/code_coverage.sh 
@@ -0,0 +1,146 @@ +#!/usr/bin/env bash +# +# On a Bro build configured with --enable-coverage, this script +# produces a code coverage report after Bro has been invoked. The +# intended application of this script is after the btest testsuite has +# run. This combination (btests first, coverage computation afterward) +# happens automatically when running "make" in the testing directory. +# +# This depends on gcov, which should come with your gcc. +# +# AUTOMATES CODE COVERAGE TESTING +# 1. Run test suite +# 2. Check for .gcda files existing. +# 3a. Run gcov (-p to preserve path) +# 3b. Prune .gcov files for objects outside of the Bro tree +# 4a. Analyze .gcov files generated and create summary file +# 4b. Send .gcov files to appropriate path +# +CURR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" # Location of script +BASE="$( cd "$CURR" && cd ../../ && pwd )" +TMP="${CURR}/tmp.$$" +mkdir -p $TMP + +# DEFINE CLEANUP PROCESS +function finish { + rm -rf $TMP +} +trap finish EXIT + +# DEFINE CRUCIAL FUNCTIONS FOR COVERAGE CHECKING +function check_file_coverage { + GCOVDIR="$1" + + for i in $GCOVDIR/*.gcov; do + # Effective # of lines: starts with a number (# of runs in line) or ##### (line never run) + TOTAL=$(cut -d: -f 1 "$i" | sed 's/ //g' | grep -v "^[[:alpha:]]" | grep -v "-" | wc -l) + + # Count number of lines never run + UNRUN=$(grep "#####" "$i" | wc -l) + + # Lines in code are either run or unrun + RUN=$(($TOTAL - $UNRUN)) + + # Avoid division-by-zero problems: + PERCENTAGE=0.000 + [ $RUN -gt 0 ] && PERCENTAGE=$(bc <<< "scale=3; 100*$RUN/$TOTAL") + + # Find correlation between % of lines run vs. 
"Runs" + echo -e "$PERCENTAGE\t$RUN\t$TOTAL\t$(grep "0:Runs" "$i" | sed 's/.*://')\t$i" + done +} + +function check_group_coverage { + DATA="$1" # FILE CONTAINING COVERAGE DATA + SRC_FOLDER="$2" # WHERE BRO WAS COMPILED + OUTPUT="$3" + + # Prints all the relevant directories + DIRS=$(for i in $(cut -f 5 "$DATA"); do basename "$i" | sed 's/#[^#]*$//'; done \ + | sort | uniq | sed 's/^.*'"${SRC_FOLDER}"'//' | grep "^#s\+" ) + # "Generalize" folders unless it's from analyzers + DIRS=$(for i in $DIRS; do + if !(echo "$i" | grep "src#analyzer"); then + echo "$i" | cut -d "#" -f 1,2,3 + fi + done | sort | uniq ) + + for i in $DIRS; do + # For elements in #src, we only care about the files direclty in the directory. + if [[ "$i" = "#src" ]]; then + RUN=$(echo $(grep "$i#[^#]\+$" $DATA | grep "$SRC_FOLDER$i\|build$i" | cut -f 2) | tr " " "+" | bc) + TOTAL=$(echo $(grep "$i#[^#]\+$" $DATA | grep "$SRC_FOLDER$i\|build$i" | cut -f 3) | tr " " "+" | bc) + else + RUN=$(echo $(grep "$i" $DATA | cut -f 2) | tr " " "+" | bc) + TOTAL=$(echo $(grep "$i" $DATA | cut -f 3) | tr " " "+" | bc) + fi + + PERCENTAGE=$( echo "scale=3;100*$RUN/$TOTAL" | bc | tr "\n" " " ) + printf "%-50s\t%12s\t%6s %%\n" "$i" "$RUN/$TOTAL" $PERCENTAGE \ + | sed 's|#|/|g' >>$OUTPUT + done +} + +# 1. Run test suite +# SHOULD HAVE ALREADY BEEN RUN BEFORE THIS SCRIPT (BASED ON MAKEFILE TARGETS) + +# 2. Check for .gcno and .gcda file presence +echo -n "Checking for coverage files... " +for pat in gcda gcno; do + if [ -z "$(find "$BASE" -name "*.$pat" 2>/dev/null)" ]; then + echo "no .$pat files, nothing to do" + exit 0 + fi +done +echo "ok" + +# 3a. Run gcov (-p to preserve path) and move into tmp directory +# ... if system does not have gcov installed, exit with message. +echo -n "Creating coverage files... 
" +if which gcov > /dev/null 2>&1; then + ( cd "$TMP" && find "$BASE" -name "*.o" -exec gcov -p {} > /dev/null 2>&1 \; ) + NUM_GCOVS=$(find "$TMP" -name *.gcov | wc -l) + if [ $NUM_GCOVS -eq 0 ]; then + echo "no gcov files produced, aborting" + exit 1 + fi + + # Account for '^' that occurs in macOS due to LLVM + # This character seems to be equivalent to ".." (up 1 dir) + for file in $(ls $TMP/*.gcov | grep '\^'); do + mv $file "$(sed 's/#[^#]*#\^//g' <<< "$file")" + done + + echo "ok, $NUM_GCOVS coverage files" +else + echo "gcov is not installed on system, aborting" + exit 1 +fi + +# 3b. Prune gcov files that fall outside of the Bro tree: +# Look for files containing gcov's slash substitution character "#" +# and remove any that don't contain the Bro path root. +echo -n "Pruning out-of-tree coverage files... " +PREFIX=$(echo "$BASE" | sed 's|/|#|g') +for i in "$TMP"/*#*.gcov; do + if ! [[ "$i" = *$PREFIX* ]]; then + rm -f $i + fi +done +NUM_GCOVS=$(ls "$TMP"/*.gcov | wc -l) +echo "ok, $NUM_GCOVS coverage files remain" + +# 4a. Analyze .gcov files generated and create summary file +echo -n "Creating summary file... " +DATA="${TMP}/data.txt" +SUMMARY="$CURR/coverage.log" +check_file_coverage "$TMP" > "$DATA" +check_group_coverage "$DATA" ${BASE##*/} $SUMMARY +echo "ok" + +# 4b. Send .gcov files to appropriate path +echo -n "Sending coverage files to respective directories... " +for i in "$TMP"/*#*.gcov; do + mv $i $(echo $(basename $i) | sed 's/#/\//g') +done +echo "ok" diff --git a/testing/coverage/lcov_html.sh b/testing/coverage/lcov_html.sh new file mode 100755 index 0000000000..c729b2145c --- /dev/null +++ b/testing/coverage/lcov_html.sh 
@@ -0,0 +1,61 @@ +#!/usr/bin/env bash +# +# On a Bro build configured with --enable-coverage, this script +# produces a code coverage report in HTML format after Bro has been invoked. The +# intended application of this script is after the btest testsuite has run. + +# This depends on lcov to run. + +function die { + echo "$@" + exit 1 +} +function finish { + rm -rf "$TMP" +} +function verify_run { + if bash -c "$1" > /dev/null 2>&1; then + echo ${2:-"ok"} + else + die ${3:-"error, abort"} + fi +} +trap finish EXIT + +TMP=".tmp.$$" +COVERAGE_FILE="./$TMP/coverage.info" +COVERAGE_HTML_DIR="${1:-"coverage-html"}" +REMOVE_TARGETS="*.yy *.ll *.y *.l */bro.dir/* *.bif" + +# 1. Move to base dir, create tmp dir +cd ../../; +mkdir "$TMP" + +# 2. Check for .gcno and .gcda file presence +echo -n "Checking for coverage files... " +for pat in gcda gcno; do + if [ -z "$(find . -name "*.$pat" 2>/dev/null)" ]; then + echo "no .$pat files, nothing to do" + exit 0 + fi +done +echo "ok" + +# 3. If lcov does not exist, abort process. +echo -n "Checking for lcov... " +verify_run "which lcov" \ + "lcov installed on system, continue" \ + "lcov not installed, abort" + +# 4. Create a "tracefile" through lcov, which is necessary to create html files later on. +echo -n "Creating tracefile for html generation... " +verify_run "lcov --no-external --capture --directory . --output-file $COVERAGE_FILE" + +for TARGET in $REMOVE_TARGETS; do + echo -n "Getting rid of $TARGET files from tracefile... " + verify_run "lcov --remove $COVERAGE_FILE $TARGET --output-file $COVERAGE_FILE" +done + +# 5. Create HTML files. +echo -n "Creating HTML files... " +verify_run "genhtml -o $COVERAGE_HTML_DIR $COVERAGE_FILE" diff --git a/testing/external/scripts/diff-all b/testing/external/scripts/diff-all index e84416c088..d51f3b294f 100755 --- a/testing/external/scripts/diff-all +++ b/testing/external/scripts/diff-all 
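Review bot: `verify_run` hands its first argument to `bash -c "$1"`, and the callers build that string by interpolating `$COVERAGE_HTML_DIR`, which comes from the script's first argument (the coverage Makefile passes `$(COVERAGE_HTML_DIR)` through). A directory name containing spaces or shell metacharacters is therefore re-parsed as shell syntax instead of being treated as a path. Shell-quoting the interpolated values keeps the current helper, e.g. `verify_run "genhtml -o $(printf '%q' "$COVERAGE_HTML_DIR") $(printf '%q' "$COVERAGE_FILE")"`; having `verify_run` execute an argument vector would be cleaner. Separately, `trap finish EXIT` is installed before `TMP` is assigned and `cd ../../` is unchecked, so `cd ../../ || die "cannot cd to base dir"` ahead of `mkdir "$TMP"` would keep `.tmp.$$` from being created and later deleted in the wrong directory.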
@@ -22,7 +22,7 @@ files_cwd=`ls $@` files_baseline=`cd $TEST_BASELINE && ls $@` for i in `echo $files_cwd $files_baseline | sort | uniq`; do - if [[ "$i" != "loaded_scripts.log" && "$i" != "prof.log" && "$i" != "debug.log" && "$i" != "stats.log" ]]; then + if [[ "$i" != "loaded_scripts.log" && "$i" != "prof.log" && "$i" != "debug.log" && "$i" != "stats.log" && "$i" != broker_*.log ]]; then if [[ "$i" == "reporter.log" ]]; then # Do not diff the reporter.log if it only complains about missing diff --git a/testing/external/scripts/update-traces b/testing/external/scripts/update-traces index 8dd8d09e9c..ebf2a93896 100755 --- a/testing/external/scripts/update-traces +++ b/testing/external/scripts/update-traces @@ -2,7 +2,7 @@ # # Downloads all traces as specified in /traces.cfg to directory $1. # -# traces.cfg must consist of lines of the form " " +# traces.cfg must consist of lines of the form " [[:]]" if [ "$1" == "" ]; then echo "usage: `basename $0` " @@ -45,11 +45,15 @@ cat $cfg | while read line; do if [ "$auth" != "" ]; then auth="-u $auth" + # Hide the hostname and directory names in output messages + safe_url=`echo $url | sed 's#/[A-Za-z].*/#/[hidden]/#'` + else + safe_url=$url fi # Get the fingerprint file. if ! eval "$proxy curl $auth -fsS --anyauth $url.md5sum -o $fp.tmp"; then - echo "Error: Could not get $url.md5sum, skipping download." + echo "Error: Could not get $safe_url.md5sum, skipping download." continue fi @@ -64,7 +68,7 @@ cat $cfg | while read line; do fi if [ "$download" = "1" ]; then - echo Getting $url ... + echo Getting $safe_url ... echo eval "$proxy curl $auth -f --anyauth $url -o $file" echo diff --git a/testing/external/subdir-btest.cfg b/testing/external/subdir-btest.cfg index 4315ade850..39aaead17a 100644 --- a/testing/external/subdir-btest.cfg +++ b/testing/external/subdir-btest.cfg 
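Review bot: The redaction added in update-traces covers only the two `echo` messages, and the pattern `s#/[A-Za-z].*/#/[hidden]/#` starts at the first slash followed by a letter, so a URL whose host begins with a digit (an IP address, for example) keeps its host in the output, and with no directory component nothing is hidden at all. curl's own error text from `-S` is not filtered and may still name the host; that part is an inference, since curl's output is not shown here. Anchoring on the scheme hides host and directories regardless of the first character, e.g. `safe_url=$(printf '%s\n' "$url" | sed 's#^\([a-z]*://\).*/#\1[hidden]/#')`. The `Getting` message in the following hunk uses the same `safe_url`, and the enclosing `while read` loop starts and ends outside these hunks.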
@@ -18,7 +18,7 @@ SCRIPTS=%(testbase)s/../scripts SCRIPTS_LOCAL=%(testbase)s/scripts DIST=%(testbase)s/../../.. BUILD=%(testbase)s/../../../build -BRO_PROFILER_FILE=%(testbase)s/.tmp/script-coverage.XXXXXX +BRO_PROFILER_FILE=%(testbase)s/.tmp/script-coverage/XXXXXX BRO_DNS_FAKE=1 # For fedora 21 - they disable MD5 for certificate verification and need setting an environment variable to permit it. OPENSSL_ENABLE_MD5_VERIFY=1 diff --git a/testing/scripts/diff-remove-timestamps b/testing/scripts/diff-remove-timestamps index 44422f6f55..770a181c59 100755 --- a/testing/scripts/diff-remove-timestamps +++ b/testing/scripts/diff-remove-timestamps @@ -9,6 +9,5 @@ else sed="sed -E" fi -# The first sed uses a "basic" regexp, the 2nd a "modern:. -sed 's/[0-9]\{10\}\.[0-9]\{2,8\}/XXXXXXXXXX.XXXXXX/g' | \ +$sed 's/(0\.000000)|([0-9]{10}\.[0-9]{2,8})/XXXXXXXXXX.XXXXXX/g' | \ $sed 's/^ *#(open|close).(19|20)..-..-..-..-..-..$/#\1 XXXX-XX-XX-XX-XX-XX/g' diff --git a/testing/scripts/diff-remove-x509-key-info b/testing/scripts/diff-remove-x509-key-info new file mode 100755 index 0000000000..85404fb30d --- /dev/null +++ b/testing/scripts/diff-remove-x509-key-info 
@@ -0,0 +1,55 @@ +#! /usr/bin/env bash +# +# A diff canonifier that removes all X.509 public key information +# which, in the specific case of the RDP protocol's misuse of +# md5WithRSAEncryption, seems that OpenSSL 1.0 is able to manually +# workaround by setting to rsaEncryption, but OpenSSL 1.1 still fails +# to extract the key, so the corresponding fields are always removed here. + +awk ' +BEGIN { FS="\t"; OFS="\t"; key_type_col = -1; key_length_col = -1; exponent_col = -1; curve_col = -1 } + +/^#/ { + if ( $1 == "#fields" ) + { + for ( i = 2; i <= NF; ++i ) + { + if ( $i == "certificate.key_type" ) + key_type_col = i-1; + if ( $i == "certificate.key_length" ) + key_length_col = i-1; + if ( $i == "certificate.exponent" ) + exponent_col = i-1; + if ( $i == "certificate.curve" ) + curve_col = i-1; + } + } + + print; + next; +} + +key_type_col > 0 { + # Mark it regardless of whether it is set. + $key_type_col = "x"; +} + +key_length_col > 0 { + # Mark it regardless of whether it is set. + $key_length_col = "x"; +} + +exponent_col > 0 { + # Mark it regardless of whether it is set. + $exponent_col = "x"; +} + +curve_col > 0 { + # Mark it regardless of whether it is set. + $curve_col = "x"; +} + +{ + print; +} +' diff --git a/testing/scripts/travis-job b/testing/scripts/travis-job new file mode 100644 index 0000000000..01065900dd --- /dev/null +++ b/testing/scripts/travis-job 
@@ -0,0 +1,317 @@ +#!/bin/sh +# +# This script (along with the .travis.yml file) is used by Travis CI to +# build Bro and run the tests. +# +# This script can also be used outside of Travis (the "all" build step is +# especially convenient in this case). Note that if you use this script +# outside of Travis then you will need to fetch the private tests manually +# (if you don't, then the private tests will be skipped). + +usage() { + echo "usage: $0 CMD DISTRO" + echo " CMD is a build step:" + echo " install: install prereqs" + echo " build: build bro" + echo " run: run the tests" + echo " all: do all of the above" + echo " DISTRO is a Linux distro, 'travis' to run without docker, or 'coverity' to run a coverity scan" +} + +if [ $# -ne 2 ]; then + usage + exit 1 +fi + +step=$1 +distro=$2 + +case $step in + install) ;; + build) ;; + run) ;; + all) ;; + *) echo "Error: unknown build step: $step"; usage; exit 1 ;; +esac + + +# Install the coverity tools. +install_coverity() { + rm -rf coverity_tool.tgz coverity-tools cov-analysis* + + echo "Downloading coverity tools..." + wget -nv https://scan.coverity.com/download/cxx/linux64 --post-data "token=${COV_TOKEN}&project=Bro" -O coverity_tool.tgz + tar xzf coverity_tool.tgz + rm coverity_tool.tgz + mv cov-analysis* coverity-tools +} + + +# Build Bro with the coverity tools. +build_coverity() { + # Cleanup any previous build (this is really only necessary if running this + # outside of Travis). + make distclean > /dev/null + + ./configure --prefix=`pwd`/build/root --enable-debug --disable-perftools --disable-broker-tests --disable-python --disable-broctl + + export PATH=`pwd`/coverity-tools/bin:$PATH + cd build + cov-build --dir cov-int make -j 4 + cd .. +} + + +# Create a tar file and send it to coverity. +run_coverity() { + EMAIL=bro-commits-internal@bro.org + FILE=myproject.tgz + VER=`cat VERSION` + DESC=`git rev-parse HEAD` + + cd build + echo "Creating tar file and sending to coverity..." 
+ tar czf ${FILE} cov-int + curl --form token=${COV_TOKEN} --form email=${EMAIL} --form file=@${FILE} --form "version=${VER}" --form "description=${DESC}" https://scan.coverity.com/builds?project=Bro +} + + +# Create a docker container, and install all packages needed to build Bro. +install_in_docker() { + case $distro in + centos_7) + distro_cmds="yum -y install cmake make gcc gcc-c++ flex bison libpcap-devel openssl-devel git openssl which" + ;; + debian_9) + distro_cmds="apt-get update; apt-get -y install cmake make gcc g++ flex bison python libpcap-dev libssl-dev zlib1g-dev git sqlite3 curl bsdmainutils" + ;; + fedora_28) + distro_cmds="yum -y install cmake make gcc gcc-c++ flex bison libpcap-devel openssl-devel git sqlite findutils which; ln -s /usr/bin/python3 /usr/local/bin/python" + ;; + ubuntu_16.04) + distro_cmds="apt-get update; apt-get -y install cmake make gcc g++ flex bison python libpcap-dev libssl-dev zlib1g-dev git sqlite3 curl bsdmainutils" + ;; + ubuntu_18.04) + distro_cmds="apt-get update; apt-get -y install cmake make gcc g++ flex bison python3 libpcap-dev libssl-dev zlib1g-dev git sqlite3 curl bsdmainutils; ln -s /usr/bin/python3 /usr/local/bin/python" + ;; + *) + echo "Error: distro ${distro} is not recognized by this script" + exit 1 + ;; + esac + + docker_image=`echo $distro | tr '_' ':'` + docker run --name brotest -id -v "`pwd`:/bro" -w /bro ${docker_image} sh + docker exec brotest sh -c "${distro_cmds}" +} + + +# Build bro in a docker container. +build_in_docker() { + docker exec brotest sh testing/scripts/travis-job build travis +} + + +# Run Bro tests in a docker container. +run_in_docker() { + prepare_env + docker exec -t -e TRAVIS -e TRAVIS_PULL_REQUEST -e trav_key -e trav_iv brotest sh testing/scripts/travis-job run travis +} + + +# Build Bro. +build() { + # Cleanup any previous build (this is really only necessary if running this + # outside of Travis). 
+ make distclean > /dev/null + + # Skip building broker tests, python bindings, and broctl, as these are + # not needed by the bro tests. + ./configure --build-type=Release --disable-broker-tests --disable-python --disable-broctl && make -j 2 +} + + +# Rename the encrypted environment variables to avoid having the hash value +# hard-coded multiple times in this script. +prepare_env() { + if [ -z "$trav_key" ]; then + # This hash value is found by logging into the Travis CI website, + # and looking at the settings in the bro repo (look in the + # "Environment Variables" section). + hash=6a6fe747ff7b + eval "trav_key=\$encrypted_${hash}_key" + eval "trav_iv=\$encrypted_${hash}_iv" + # Export so they are visible in docker containers. + export trav_key + export trav_iv + fi +} + + +# Get the private tests. +get_private_tests() { + prepare_env + + if [ "${TRAVIS}" != "true" ]; then + # When not running in the Travis environment, just skip trying to get + # the private tests. + echo "Note: skipping private tests (to run them, do a git clone of the private testing repo in the 'testing/external' directory before running this script)." + elif [ -n "$trav_key" ] && [ -n "$trav_iv" ]; then + curl https://www.bro.org/static/travis-ci/travis_key.enc -o travis_key.enc + openssl aes-256-cbc -K $trav_key -iv $trav_iv -in travis_key.enc -out travis_key -d + chmod 600 travis_key + mkdir -p ~/.ssh + mv travis_key ~/.ssh/id_rsa + echo "git.bro.org ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmlu+EaJfPKTVqoEUzb5JBEdvNiFxO2wm7Vl61dGBl57avakFl8YnRujbA2yxlpC2xnEKD5y++hXxtxRLefyCM=" >> ~/.ssh/known_hosts + git clone ssh://git@git.bro.org/bro-testing-private + rm ~/.ssh/id_rsa + elif [ -n "${TRAVIS_PULL_REQUEST}" ] && [ "${TRAVIS_PULL_REQUEST}" != "false" ]; then + # For pull request builds, the private key is not available, so skip + # the private tests to avoid failing. + echo "Note: skipping private tests because encrypted env. 
variables are not available in pull request builds." + else + echo "Error: cannot get private tests because encrypted env. variables are not defined." + exit 1 + fi +} + + +# Run Bro tests. +run() { + echo + echo "Running unit tests ##################################################" + echo + cd testing/btest + + set +e + # Must specify a value for "-j" option, otherwise Travis uses a huge value. + ../../aux/btest/btest -j 4 -d + ret=$? + set -e + + echo + echo "Getting external tests ##############################################" + echo + cd ../external + + if [ ! -d bro-testing ]; then + make init + fi + + if [ ! -d bro-testing-private ]; then + get_private_tests + fi + + echo + echo "Running external tests ##############################################" + echo + make || showdiag + + # If we get here, then external tests were successful. + exit $ret +} + +# Show failed tests (not skipped tests) from diag.log when a test fails. +showdiag() { + f=bro-testing/diag.log + + grep -qs '... failed$' $f && \ + echo && \ + echo "Output of failed external tests #####################################" && \ + echo && \ + grep -v "... not available, skipped" $f + + exit 1 +} + +# Remove the docker container. +remove_container() { + echo "Removing the docker container..." + docker rm -f brotest > /dev/null +} + + +if [ ! -f testing/scripts/travis-job ]; then + echo "Error: must change directory to root of bro source tree before running this script." + exit 1 +fi + +set -e + +if [ "${TRAVIS_EVENT_TYPE}" = "cron" ]; then + # This is a Travis CI cron job, so check the job number. + + # Extract second component of the job number. + if [ -z "${TRAVIS_JOB_NUMBER}" ]; then + echo "Error: TRAVIS_JOB_NUMBER is not defined (it should be defined by Travis CI)" + exit 1 + fi + job=`echo ${TRAVIS_JOB_NUMBER} | cut -d . -f 2` + + # If this isn't the first job in a Travis CI build, then just output a + # message and exit (this is not an error). 
+ if [ "$job" != "1" ]; then + echo "Coverity scan is performed only in the first job of this build" + exit 0 + fi +fi + + +if [ "${TRAVIS_EVENT_TYPE}" = "cron" ] || [ "$distro" = "coverity" ]; then + # Run coverity scan when this script is run from a Travis cron job, or + # if the user specifies the "coverity" distro. + + # Check if the project token is available (this is a secret value and + # should not be hard-coded in this script). This value can be found by + # logging into the coverity scan web site and looking in the project + # settings. + if [ -z "${COV_TOKEN}" ]; then + echo "Error: COV_TOKEN is not defined (should be defined in environment variables section of Travis settings for this repo)" + exit 1 + fi + + # The "build" and "run" steps are split up into separate steps because the + # build outputs thousands of lines (which are conveniently collapsed into + # a single line when viewing the "Job log" on the Travis CI web site). + if [ "$step" = "install" ]; then + install_coverity + elif [ "$step" = "build" ]; then + build_coverity + elif [ "$step" = "run" ]; then + run_coverity + elif [ "$step" = "all" ]; then + install_coverity + build_coverity + run_coverity + fi +elif [ "$distro" = "travis" ]; then + # Build bro and run tests. + + # The "build" and "run" steps are split up into separate steps because the + # build outputs thousands of lines (which are conveniently collapsed into + # a single line when viewing the "Job log" on the Travis CI web site). + if [ "$step" = "build" ]; then + build + elif [ "$step" = "run" ]; then + run + elif [ "$step" = "all" ]; then + build + run + fi +else + # Build bro and run tests in a docker container. + + if [ "$step" = "install" ]; then + install_in_docker + elif [ "$step" = "build" ]; then + build_in_docker + elif [ "$step" = "run" ]; then + run_in_docker + elif [ "$step" = "all" ]; then + install_in_docker + build_in_docker + run_in_docker + # If all tests pass, then remove the docker container. 
+ remove_container + fi +fi diff --git a/testing/scripts/wait-for-file b/testing/scripts/wait-for-file new file mode 100755 index 0000000000..7a0a6f6874 --- /dev/null +++ b/testing/scripts/wait-for-file @@ -0,0 +1,24 @@ +#! /usr/bin/env bash + +# Sleeps until a file comes into existence. + +if [[ $# -ne 2 ]]; then + >&2 echo "usage: $0 " + exit 1 +fi + +wait_file=$1 +max_wait=$2 +wait_count=0 + +while [[ ! -e $wait_file ]]; do + let "wait_count += 1" + + if [[ $wait_count -ge $max_wait ]]; then + >&2 echo "error: file '$wait_file' does not exist after $max_wait seconds" + exit 1 + fi + + sleep 1 +done + diff --git a/testing/scripts/wait-for-pid b/testing/scripts/wait-for-pid new file mode 100755 index 0000000000..7aa0a927fe --- /dev/null +++ b/testing/scripts/wait-for-pid @@ -0,0 +1,24 @@ +#! /usr/bin/env bash + +# Sleeps until a process id no longer exists. + +if [[ $# -ne 2 ]]; then + >&2 echo "usage: $0 " + exit 1 +fi + +wait_pid=$1 +max_wait=$2 +wait_count=0 + +while kill -0 $wait_pid &> /dev/null; do + let "wait_count += 1" + + if [[ $wait_count -ge $max_wait ]]; then + >&2 echo "error: process $wait_pid still exists after $max_wait seconds" + exit 1 + fi + + sleep 1 +done +
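Review bot: In `get_private_tests` the decrypted SSH key is written to `travis_key` with default permissions before `chmod 600` runs, and because `set -e` is in effect a failing `git clone` exits the script before `rm ~/.ssh/id_rsa`, leaving the private key on disk. Decrypting under a restrictive umask straight to the destination and removing the key from an EXIT trap closes both gaps, and `$trav_key` and `$trav_iv` should be quoted. `mv travis_key ~/.ssh/id_rsa` also replaces any key already at that path, which matters when the script runs somewhere other than a throwaway CI machine. Related: `install_coverity` unpacks and later runs a downloaded tarball without checking a checksum, and `COV_TOKEN` is passed on the `wget` and `curl` command lines, where other local processes can read it.

```shell
    elif [ -n "$trav_key" ] && [ -n "$trav_iv" ]; then
        # … unchanged: curl download of travis_key.enc …
        mkdir -p ~/.ssh
        # Remove the decrypted key on every exit path, including a failed
        # clone under "set -e".
        trap 'rm -f ~/.ssh/id_rsa' EXIT
        # Create the key file owner-only from the start instead of
        # chmod-ing it after it has been written.
        ( umask 077 && openssl aes-256-cbc -K "$trav_key" -iv "$trav_iv" -in travis_key.enc -out ~/.ssh/id_rsa -d )
        # … unchanged: known_hosts entry, git clone, rm ~/.ssh/id_rsa …
```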
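Review bot: In wait-for-pid, `kill -0 $wait_pid` fails both when the process is gone and when the caller is not permitted to signal it, so a process owned by another user is reported as already exited on the first iteration. The argument is also unquoted and unvalidated, so an empty or non-numeric value ends the loop immediately and looks like success. A guard such as `[[ $wait_pid =~ ^[0-9]+$ ]] || exit 1` before the loop, together with `kill -0 "$wait_pid"`, would make those cases fail visibly; a header comment stating that the script only works for processes the caller may signal would document the remaining limitation.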